Re-sending this as I forgot to send to the list itself, sorry.

On Mon, Sep 18, 2023 at 6:55 AM Florence Blanc-Renaud <f...@redhat.com> wrote:

> Hi,
>
> On Fri, Sep 15, 2023 at 7:43 PM Russ Long via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> I have a single-server IPA environment in my homelab. I noticed today
>> that I was unable to delete a host from IPA, and found that pki-tomcatd was
>> down and unable to start.
>>
>> I found that several certificates had expired for some reason. I tried
>> `ipa-cert-fix`, but that failed as pki-tomcat will not start.
>>
>> I attempted to set the server date/time to a date 24 hours before the
>> certificates expired, and was able to get tomcat to start, however the
>> `ipa-cert-fix` now fails with this error:
>>
>> CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket',
>> '/run/slapd-IPA-DOMAIN-CO.socket', '--agent-uid', 'ipara', '--cert',
>> 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert',
>> 'ca_audit_signing', '--extra-cert', '16'] returned non-zero exit status 1:
>> "INFO: Loading instance type: pki-tomcatd\nINFO: Loading instance:
>> pki-tomcat\nINFO: Loading global Tomcat config:
>> /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config:
>> /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config:
>> /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config:
>> /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config:
>> /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Loading subsystem registry:
>> /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Loading instance registry:
>> /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following
>> system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing',
>> 'ca_audit_signing']\nINFO: Renewing the following additional certs:
>> ['16']\nINFO: Stopping the instance to proceed with system cert
>> renewal\nINFO: Configuring LDAP connection for CA\nINFO: Setting pkidbuser
>> password via ldappasswd\nSASL/EXTERNAL authentication started\nSASL
>> username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL
>> SSF: 0\n")
>>
> Mixing ipa-cert-fix method with the date manipulation often leads to more
> issues if ipa-cert-fix was able to fix some of the certs but not all of
> them (the first execution creates a cert valid from present date only, and
> as soon as you go in the past this cert is not considered valid yet).
>
> To provide any advice we would need to have an exact description of the
> current situation. Can you provide the output of "getcert list" executed as
> root? This will show the "valid from" and "valid to" dates for each
> certificate. Is your system still in the past or did you move back to
> current date?
>
Getcert list:

Number of certificates and requests being tracked: 7.
Request ID '20220906145805':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        subject: CN=CA Audit,O=IPA.EXAMPLE.CO
        issued: 2021-09-06 12:07:45 EDT
        expires: 2023-08-27 12:07:45 EDT
        key usage: digitalSignature,nonRepudiation
        profile: caSignedLogCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220906145806':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        subject: CN=OCSP Subsystem,O=IPA.EXAMPLE.CO
        issued: 2021-09-06 12:07:52 EDT
        expires: 2023-08-27 12:07:52 EDT
        eku: id-kp-OCSPSigning
        profile: caOCSPCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220906145807':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        subject: CN=CA Subsystem,O=IPA.EXAMPLE.CO
        issued: 2021-09-06 12:07:43 EDT
        expires: 2023-08-27 12:07:43 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220906145808':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        subject: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        issued: 2019-10-15 12:07:28 EDT
        expires: 2039-10-15 12:07:28 EDT
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220906145809':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        subject: CN=master.ipa.example.co,O=IPA.EXAMPLE.CO
        issued: 2021-09-06 12:07:42 EDT
        expires: 2023-08-27 12:07:42 EDT
        dns: master.ipa.example.co
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caServerCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220906145810':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        subject: CN=IPA RA,O=IPA.EXAMPLE.CO
        issued: 2021-09-06 12:08:40 EDT
        expires: 2023-08-27 12:08:40 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20220906145820':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=master.ipa.example.co,O=IPA.EXAMPLE.CO
        subject: CN=master.ipa.example.co,O=IPA.EXAMPLE.CO
        issued: 2023-08-31 10:10:23 EDT
        expires: 2024-08-31 10:10:23 EDT
        dns: master.ipa.example.co
        principal name: krbtgt/ipa.example...@ipa.example.co
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        certificate template/profile: KDCs_PKINIT_Certs
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

System is back to present day, but pki-tomcat will not start in present day,
so I can move back to the past. I moved it back to present day as most things
still work.

>
>> I reviewed the blog at
>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>> (Thanks Flo!) but was still unable to get anything working. The
>> Certificate password test fails with these errors:
>>
>> [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f
>> /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
>> Key and Certificate Services"
>> certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library:
>> invalid arguments.
>> [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f
>> /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
>> Key and Certificate Services"
>> certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library:
>> invalid arguments.
>>
> If you run the same command without -n <alias>, you should be able to see
> all the keys stored in the NSS database:
> # certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
> Is there an entry for something like 'subsystemCert cert-pki-ca'?
> flo
>
Here's the certutil:

[root@master ~]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      redacted   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      redacted   NSS Certificate DB:caSigningCert cert-pki-ca
< 2> rsa      redacted   NSS Certificate DB:ocspSigningCert cert-pki-ca
< 3> rsa      redacted   NSS Certificate DB:subsystemCert cert-pki-ca
< 4> rsa      redacted   NSS Certificate DB:auditSigningCert cert-pki-ca
(Redactions are mine)

>> Any ideas what I can try?
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
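An added example, not part of the thread and not FreeIPA, certmonger or Dogtag code, that makes Flo's warning about mixing ipa-cert-fix with clock changes checkable against a "getcert list" dump: it parses the listing's text format and reports, for a chosen clock reading, which tracked certificates are expired, which are not yet valid, and whether any clock reading at all would make every tracked certificate valid at the same time. The listing embedded in the script is a constructed, abridged copy of three of the seven requests shown above (dates copied from the thread, other fields trimmed); the script name in the usage comment is hypothetical.

```python
"""Check certmonger-tracked certificate validity against a chosen clock reading.

Added example for the FreeIPA-users thread; not project code. It parses the
text format of `getcert list` and reports which certificates are expired or
not yet valid at a given clock time, and whether a clock time exists at which
all of them are valid at once.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample: an abridged `getcert list` with three of the seven
# requests from the thread (dates copied from the listing, other fields trimmed).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20220906145805':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=CA Audit,O=IPA.EXAMPLE.CO
        issued: 2021-09-06 12:07:45 EDT
        expires: 2023-08-27 12:07:45 EDT
Request ID '20220906145808':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=Certificate Authority,O=IPA.EXAMPLE.CO
        issued: 2019-10-15 12:07:28 EDT
        expires: 2039-10-15 12:07:28 EDT
Request ID '20220906145820':
        status: MONITORING
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        subject: CN=master.ipa.example.co,O=IPA.EXAMPLE.CO
        issued: 2023-08-31 10:10:23 EDT
        expires: 2024-08-31 10:10:23 EDT
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':", re.MULTILINE)
_FIELD_RE = re.compile(r"^\s+([\w-]+): (.*)$", re.MULTILINE)
_TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class TrackedCert:
    request_id: str
    status: str
    subject: str
    issued: datetime
    expires: datetime


def _parse_getcert_time(value: str) -> datetime:
    # getcert prints local time plus a zone abbreviation ("2023-08-27 12:07:45 EDT").
    # Every stamp in one listing is in the server's zone, so the abbreviation is
    # dropped and the stamps are compared as naive local times.
    return datetime.strptime(value.rsplit(" ", 1)[0], _TIME_FMT)


def parse_getcert_list(text: str) -> List[TrackedCert]:
    """Split a `getcert list` dump into one record per 'Request ID' block."""
    certs: List[TrackedCert] = []
    heads = list(_REQUEST_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        # Only single-word field names are collected; that covers the fields used here.
        fields = dict(_FIELD_RE.findall(text[head.end():end]))
        certs.append(TrackedCert(
            request_id=head.group(1),
            status=fields.get("status", "?"),
            subject=fields.get("subject", "?"),
            issued=_parse_getcert_time(fields["issued"]),
            expires=_parse_getcert_time(fields["expires"]),
        ))
    return certs


def assess(certs: List[TrackedCert], clock: Union[datetime, str]) -> Dict[str, str]:
    """Classify each cert (keyed by request ID) as a system whose clock reads `clock` would."""
    if isinstance(clock, str):
        clock = datetime.strptime(clock, _TIME_FMT)
    verdict: Dict[str, str] = {}
    for c in certs:
        if clock < c.issued:
            verdict[c.request_id] = "not_yet_valid"  # the trap after a partial renewal
        elif clock > c.expires:
            verdict[c.request_id] = "expired"
        else:
            verdict[c.request_id] = "valid"
    return verdict


def common_validity_window(certs: List[TrackedCert]) -> Optional[Tuple[datetime, datetime]]:
    """Clock interval in which every tracked cert is valid, or None when the latest
    'issued' stamp is already later than the earliest 'expires' stamp."""
    start = max(c.issued for c in certs)
    end = min(c.expires for c in certs)
    return (start, end) if start <= end else None


if __name__ == "__main__":
    # Pipe a real listing in (`getcert list | python3 getcert_clock_check.py`,
    # hypothetical file name) or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    certs = parse_getcert_list(text)
    for label, clock in (("present day", "2023-09-18 12:00:00"),
                         ("clock moved back", "2023-08-26 12:00:00")):
        print(f"--- {label} ({clock}) ---")
        verdict = assess(certs, clock)
        for c in certs:
            print(f"{c.request_id}  {verdict[c.request_id]:<14} {c.subject}")
    print("clock window in which every cert is valid:", common_validity_window(certs) or "none")
```

On the dates in the listing above the script shows the situation Flo describes: at the present date the audit, OCSP, subsystem, Server-Cert and RA certificates are past their "expires" stamp, while with the clock moved before 2023-08-27 the KDC PKINIT certificate, renewed on 2023-08-31, is not yet valid. Because the latest "issued" stamp (2023-08-31) is already later than the earliest "expires" stamp (2023-08-27), no single clock setting makes all seven valid, which is why the "valid from" and "valid to" dates need to be read before the clock is touched again.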