Hi all,
I'll try using the link provided. However: what is causing "CA_UNREACHABLE"?
Request ID '20170129002017':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
stuck: no
Winfried
On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:
On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
CS.cfg was modified so pki-tomcat can log in using a password and non-secure LDAP. At least it is working now....:
< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
---
> internaldb.ldapauth.authtype=SslClientAuth
> internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
780,781c780,781
< internaldb.ldapconn.port=389
< internaldb.ldapconn.secureConn=false
---
> internaldb.ldapconn.port=636
> internaldb.ldapconn.secureConn=true
Reverted to the old config, stopped/started ipa; the debug log shows pki-tomcatd cannot log in:
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.blabla.bla port 636
Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
Winfried
On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
Winfried de Heiden via FreeIPA-users wrote:
Hi All,
Somewhere after an update (I guess) I have issues; pki-tomcatd@pki-tomcat.service will not start since it cannot log in to LDAP. It seems I have some certificate issues:
getcert list shows:
Request ID '20170129002017':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
expires: 2017-09-27 17:26:00 CEST
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
track: yes
auto-renew: yes
Request ID '20170129002024':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
expires: 2017-09-27 17:41:26 CEST
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
(I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
How to fix this? Something seems wrong with the DIRSRV certificate and http....:(
What did you modify?
How to fix? What could have caused this issue?
This is likely not a problem with the certificates but with the certificate profiles. The dogtag debug log may have more information.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hi Winfried,
the issue is likely to come from the renewal of subsystemCert. You can find more info in this blog [1]. If you are running with selinux in enforcing mode, the renewal may fail but go undetected.
You can check if the ldap entry uid=pkidbuser,ou=people,o=ipaca contains the same certificate 'subsystemCert cert-pki-ca' as the NSSDB /etc/pki/pki-tomcat/alias.
If it is not the case, simply modify the LDAP entry to contain the right userCertificate and description attributes.
HTH,
Flo
[1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
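The comparison Flo describes, written out as an added example (not part of the original thread, and not FreeIPA's or Dogtag's own tooling): a POSIX shell script that reads 'subsystemCert cert-pki-ca' from /etc/pki/pki-tomcat/alias with certutil, reads every userCertificate value of uid=pkidbuser,ou=people,o=ipaca over ldapi with ldapsearch, and reports whether the NSSDB certificate is among them. The ldapi socket path is a placeholder, the function names are mine, running as root with SASL EXTERNAL is assumed, and the description-attribute layout mentioned in the comments is my understanding of Dogtag's convention rather than something this thread states. The constructed sample values at the bottom are not real certificates; they only exercise the matching logic offline.

```shell
#!/bin/sh
# Added example, not FreeIPA's or Dogtag's own tooling: compare the
# 'subsystemCert cert-pki-ca' in the pki-tomcat NSSDB with the
# userCertificate stored on uid=pkidbuser,ou=people,o=ipaca.
# Assumptions: certutil (nss-tools) and ldapsearch (openldap-clients)
# are installed, the script runs as root on the IPA server so SASL
# EXTERNAL over ldapi works, and the ldapi socket path is a placeholder.
NSSDB="/etc/pki/pki-tomcat/alias"
NICK="subsystemCert cert-pki-ca"
ENTRY="uid=pkidbuser,ou=people,o=ipaca"
LDAPI="ldapi://%2Fvar%2Frun%2Fslapd-REALM-PLACEHOLDER.socket"   # placeholder

# normalise_b64: drop PEM armour lines and all whitespace so a PEM blob
# from certutil and a base64 value from LDIF compare as plain strings
normalise_b64() {
    printf '%s' "$1" | sed '/^-----/d' | tr -d ' \t\r\n'
}

# cert_in_list: succeed when certificate $1 (PEM or bare base64) equals
# any of the newline-separated base64 values in $2 (an entry may carry
# several userCertificate values; any exact match counts)
cert_in_list() {
    want=$(normalise_b64 "$1")
    [ -n "$want" ] || return 1
    printf '%s\n' "$2" | tr -d ' \t\r' | grep -Fxq "$want"
}

# nssdb_cert: PEM certificate for nickname $2 in NSS database $1
# (reading a public certificate does not need the pwdfile)
nssdb_cert() {
    certutil -L -d "$1" -n "$2" -a
}

# ldap_certs: all userCertificate values of entry $1, one base64 per line
ldap_certs() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAPI" -Y EXTERNAL -b "$1" -s base \
        userCertificate 2>/dev/null | sed -n 's/^userCertificate[^:]*:: //p'
}

# check_live: run the comparison against the real system; returns 0 on a
# match, 2 on a mismatch (the state Flo's reply describes), 1 on tool error
check_live() {
    nss=$(nssdb_cert "$NSSDB" "$NICK") || return 1
    ldap=$(ldap_certs "$ENTRY")
    if cert_in_list "$nss" "$ldap"; then
        echo "OK: $ENTRY holds the same certificate as '$NICK' in $NSSDB"
        return 0
    fi
    echo "MISMATCH: $ENTRY does not hold '$NICK' from $NSSDB" >&2
    # Decimal serial of the NSSDB cert, useful when rebuilding the entry:
    # as I understand Dogtag's convention (assumption, not from the thread)
    # the description attribute reads 2;<serial>;<issuer DN>;<subject DN>
    hex=$(printf '%s\n' "$nss" | openssl x509 -noout -serial | sed 's/^serial=//')
    echo "NSSDB cert serial (decimal): $(printf '%d' "0x$hex")" >&2
    return 2
}

# Constructed sample values (not real certificates) for an offline self-test
SAMPLE_PEM="-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVow
MTIzNDU2Nzg5
-----END CERTIFICATE-----"
SAMPLE_LDAP_MATCH="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"
SAMPLE_LDAP_OTHER="WFhYWFhYWFhYWFhYWFhYWFhY"

# self_check: exercise cert_in_list on the constructed samples; returns 0
# when a match is found, a match among several values is found, and a
# non-matching or empty list is rejected
self_check() {
    cert_in_list "$SAMPLE_PEM" "$SAMPLE_LDAP_MATCH" || return 1
    cert_in_list "$SAMPLE_PEM" "$SAMPLE_LDAP_OTHER
$SAMPLE_LDAP_MATCH" || return 1
    if cert_in_list "$SAMPLE_PEM" "$SAMPLE_LDAP_OTHER"; then return 1; fi
    if cert_in_list "$SAMPLE_PEM" ""; then return 1; fi
    return 0
}

case "${1:-}" in
    --live) check_live; exit $? ;;
    --self-check) self_check && echo "self-check passed" ;;
esac
```

Run it with `--self-check` anywhere to confirm the matching logic, and with `--live` on the IPA server to perform the real comparison; a non-zero exit of 2 means the LDAP entry is the stale copy and needs its userCertificate (and description) updated, which is the repair Flo points to.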