Anthony Joseph Messina via FreeIPA-users wrote:
> I am running into trouble with certmonger renewal of KRA subsystem certs on 
> the renewal master, and CA/KRA subsystem certs on the replica.  Any help is 
> appreciated as my renewal window ends in 8 days.
> 
> This is Fedora 31 with freeipa-server-4.8.4-2.fc31.x86_64 on both master and 
> replica.  These systems have been upgraded using the recommended method of 
> creating new replicas since 4.6.3.
> 
> ## The renewal master... The cert is renewed, but the ca-error below is 
> concerning (the same for "CN=KRA Transport Certificate" and "CN=KRA Storage 
> Certificate")
> Request ID '20191117031707':
>         status: MONITORING
>         ca-error: Server at 
> "http://ipa482a.example.com:8080/ca/ee/ca/profileSubmit" replied: Missing 
> credential: sessionID
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-kra',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-kra',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=KRA Audit,O=EXAMPLE.COM
>         expires: 2022-01-01 12:37:19 CST
>         key usage: digitalSignature,nonRepudiation

I've cc'd one of the CA developers.

> ## The replica... The cert is not renewed and the ca-error is different.  
> Request ID '20191117040017':
>         status: MONITORING
>         ca-error: Invalid cookie: ''
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-kra',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-kra',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MESSINET.COM
>         subject: CN=KRA Audit,O=MESSINET.COM
>         expires: 2020-01-21 20:22:24 CST
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-kra"
>         track: yes
>         auto-renew: yes

The invalid cookie is BZ https://bugzilla.redhat.com/show_bug.cgi?id=1788907

Once the renewal master is able to renew the cert run `getcert resubmit
-i 20191117040017` on the replica to pull in the updated cert.

rob

> 
> ## The pki-tomcat debug log on the renewal master...
> 2020-01-12 15:03:21 [http-nio-8080-exec-13] SEVERE: CAProcessor: 
> authentication error: Missing credential: sessionID
> Missing credential: sessionID
>         at 
> com.netscape.cms.servlet.common.AuthCredentials.set(AuthCredentials.java:57)
>         at 
> com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:416)
>         at 
> com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:471)
>         at 
> com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:179)
>         at 
> com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:98)
>         at 
> com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:242)
>         at 
> com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
>         at 
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:496)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at 
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>         at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>         at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>         at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
>         at 
> com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>         at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at 
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
>         at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
>         at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
>         at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> 
> 2020-01-12 15:03:21 [http-nio-8080-exec-13] SEVERE: ProfileSubmitServlet: 
> authentication error in processing request: Missing credential: sessionID
> Missing credential: sessionID
>         at 
> com.netscape.cms.servlet.common.AuthCredentials.set(AuthCredentials.java:57)
>         at 
> com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:416)
>         at 
> com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:471)
>         at 
> com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:179)
>         at 
> com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:98)
>         at 
> com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:242)
>         at 
> com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
>         at 
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:496)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at 
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>         at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>         at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>         at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
>         at 
> com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>         at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at 
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
>         at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
>         at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
>         at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
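As an added example (not part of Rob's reply and not FreeIPA's or certmonger's own tooling): a small POSIX shell script that triages `getcert list` output the way the thread does by hand. It picks out every tracked request that reports a `ca-error`, emits the matching `getcert resubmit -i <id>` command for each one (printed, not executed, so the operator can run them on the replica once the renewal master has renewed), and separately lists requests whose `expires:` date falls before a cut-off, which is the "renewal window" check the original poster was doing. The `getcert list` output embedded below is constructed to mirror the fields shown in the thread and is not a capture from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Triage certmonger tracking state from
# the text output of `getcert list` (fed on stdin so it works on a saved copy).

# Constructed sample of `getcert list` output, shaped like the thread's
# request blocks. Replace with: getcert list | failing_requests
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20191117040017':
        status: MONITORING
        ca-error: Invalid cookie: ''
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=KRA Audit,O=EXAMPLE.COM
        expires: 2020-01-21 20:22:24 CST
        track: yes
        auto-renew: yes
Request ID '20191117040018':
        status: MONITORING
        ca-error: Server at "http://ipa482a.example.com:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=KRA Transport Certificate,O=EXAMPLE.COM
        expires: 2022-01-01 12:37:19 CST
        track: yes
        auto-renew: yes
Request ID '20191117040019':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=KRA Storage Certificate,O=EXAMPLE.COM
        expires: 2022-01-01 12:37:19 CST
        track: yes
        auto-renew: yes
EOF
}

# failing_requests: read `getcert list` output on stdin and print one line
# per request whose last renewal attempt left a ca-error:
#   <request id><TAB><ca-error text>
failing_requests() {
    awk '
        /^Request ID / {
            id = $3                          # e.g. '\''20191117040017'\'':
            gsub(/[^0-9A-Za-z]/, "", id)     # strip the quotes and colon
        }
        /^[ \t]*ca-error: / {
            sub(/^[ \t]*ca-error: /, "")
            print id "\t" $0
        }
    '
}

# resubmit_commands: print the `getcert resubmit -i <id>` invocation from the
# thread for every failing request. Commands are printed, not run, so the
# operator can review them and run them on the right host.
resubmit_commands() {
    failing_requests | cut -f1 | while read -r id; do
        printf 'getcert resubmit -i %s\n' "$id"
    done
}

# expiring_before: print "<request id> <expiry date>" for every request whose
# expires: date (YYYY-MM-DD) is earlier than the cut-off in $1. Plain string
# comparison is correct because the date format is fixed-width ISO.
expiring_before() {
    cutoff=$1
    awk -v cutoff="$cutoff" '
        /^Request ID / { id = $3; gsub(/[^0-9A-Za-z]/, "", id) }
        /^[ \t]*expires: / { if ($2 < cutoff) print id " " $2 }
    '
}

# Demo on the constructed sample: which requests failed, what to resubmit,
# and what expires before 2020-02-01 (constructed cut-off date).
sample_getcert_list | failing_requests
sample_getcert_list | resubmit_commands
sample_getcert_list | expiring_before 2020-02-01
```

On a live host the sample function is replaced by `getcert list`; the two ca-error strings from the thread ("Invalid cookie" and "Missing credential: sessionID") both surface in the first column of `failing_requests`, and only requests whose `expires:` date is inside the window show up in `expiring_before`, so a renewal that succeeded on the master but has not yet been pulled to the replica is visible as "has a ca-error and expires soon" on the replica alone.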
