Winfried de Heiden wrote:
> Hi all,
> 
> Yes, there was a discrepancy in the certificates and it was fixed by using
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/.
> 
> Thanks for that!
> 
> Now, getcert still shows errors. The certmonger log shows:
> 
> Sep 12 14:05:35 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:35
> [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will
> retry: 4035 (RPC failed at server.  Request failed with status 500:
> Non-2xx response from CA REST API: 500. *Policy Set Not Found*).
> 
> Sep 12 14:05:59 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:59
> [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will
> retry: 4035 (RPC failed at server.  Request failed with status 500:
> Non-2xx response from CA REST API: 500. *Policy Set Not Found*).
> 
> It looks like 2 certificates cannot be renewed but are about to
> expire.... What's happening and how to fix?

Look at the dogtag debug log for more information on why it is failing
the request. You'll want to restart certmonger or resubmit the request
manually while watching the debug log to get the times correlated.

rob

> 
> Winfried
> 
> 
> On 12-09-17 at 10:04, Florence Blanc-Renaud via FreeIPA-users wrote:
>> On 09/12/2017 09:10 AM, Winfried de Heiden via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> I'll try using the link provided. However: what is causing
>>> "CA_UNREACHABLE"?
>>>
>>> Request ID '20170129002017':
>>>      status: CA_UNREACHABLE
>>>      ca-error: Server at https://ipa.blabla.bla/ipa/xml failed
>>> request, will retry: 4035 (RPC failed at server.  Request failed with
>>> status 500: Non-2xx response from CA REST API: 500. Policy Set Not
>>> Found).
>>>      stuck: no
>>>
>> Hi Winfried,
>>
>> certmonger is using the CA 'IPA' for the Server-Cert used by httpd and
>> ldap. This CA helper is communicating with FreeIPA server, and FreeIPA
>> in turn communicates with Dogtag.
>> You will probably find more information in FreeIPA server logs (in
>> /var/log/httpd/error_log) and in Dogtag logs
>> (/var/log/pki/pki-tomcat/ca/debug).
>>
>> Flo
>>
>>> Winfried
>>>
>>> On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:
>>>> On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
>>>>> CS.cfg was modified so pki-tomcat can login using a password and
>>>>> non-secure LDAP. At least it is working now....:
>>>>>
>>>>> < internaldb.ldapauth.authtype=BasicAuth
>>>>> < internaldb.ldapauth.bindDN=cn=Directory Manager
>>>>> ---
>>>>>  > internaldb.ldapauth.authtype=SslClientAuth
>>>>>  > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
>>>>> 780,781c780,781
>>>>> < internaldb.ldapconn.port=389
>>>>> < internaldb.ldapconn.secureConn=false
>>>>> ---
>>>>>  > internaldb.ldapconn.port=636
>>>>>  > internaldb.ldapconn.secureConn=true
>>>>>
>>>>> Reverted to the old config, stopped/started ipa; debug shows
>>>>> pki-tomcatd cannot log in:
>>>>>
>>>>> 11/Sep/2017:16:51:41][localhost-startStop-1]:
>>>>> SSLClientCertificatSelectionCB: Entering!
>>>>> [11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert:
>>>>> subsystemCert cert-pki-ca
>>>>> [11/Sep/2017:16:51:41][localhost-startStop-1]:
>>>>> SSLClientCertificateSelectionCB: desired cert found in list:
>>>>> subsystemCert cert-pki-ca
>>>>> [11/Sep/2017:16:51:41][localhost-startStop-1]:
>>>>> SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
>>>>> [11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
>>>>> Could not connect to LDAP server host ipa.blabla.bla port 636 Error
>>>>> netscape.ldap.LDAPException: Authentication failed (49)
>>>>>      at
>>>>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>>>>      at
>>>>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>>>>>      at
>>>>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>>>>>      at
>>>>> com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>>>>      at
>>>>> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
>>>>>      at
>>>>> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
>>>>>
>>>>>      at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
>>>>>      at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
>>>>>      at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
>>>>>
>>>>> Winfried
>>>>>
>>>>> On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
>>>>>> Winfried de Heiden via FreeIPA-users wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Somewhere after an update (I guess) I have issues;
>>>>>>> pki-tomcatd@pki-tomcat.service will not start since it cannot
>>>>>>> log in to
>>>>>>> LDAP. It seems I have some certificate issues:
>>>>>>>
>>>>>>> getcert list shows:
>>>>>>>
>>>>>>> Request ID '20170129002017':
>>>>>>>      status: CA_UNREACHABLE
>>>>>>>      ca-error: Server at https://ipa.example.com/ipa/xml failed
>>>>>>> request,
>>>>>>> will retry: 4035 (RPC failed at server.  Request failed with
>>>>>>> status 500:
>>>>>>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>>>>>>>      stuck: no
>>>>>>>      key pair storage:
>>>>>>> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>>>>>>>
>>>>>>> Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
>>>>>>>      certificate:
>>>>>>> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>>>>>>>
>>>>>>> Certificate DB'
>>>>>>>      CA: IPA
>>>>>>>      issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>>>>>>>      subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>>>>>>>      expires: 2017-09-27 17:26:00 CEST
>>>>>>>      key usage:
>>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>      pre-save command:
>>>>>>>      post-save command:
>>>>>>> /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
>>>>>>>      track: yes
>>>>>>>      auto-renew: yes
>>>>>>> Request ID '20170129002024':
>>>>>>>      status: CA_UNREACHABLE
>>>>>>>      ca-error: Server at https://ipa.example.com/ipa/xml failed
>>>>>>> request,
>>>>>>> will retry: 4035 (RPC failed at server.  Request failed with
>>>>>>> status 500:
>>>>>>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>>>>>>>      stuck: no
>>>>>>>      key pair storage:
>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>>>>
>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>      certificate:
>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>>>>
>>>>>>> Certificate DB'
>>>>>>>      CA: IPA
>>>>>>>      issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>>>>>>>      subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>>>>>>>      expires: 2017-09-27 17:41:26 CEST
>>>>>>>      key usage:
>>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>      pre-save command:
>>>>>>>      post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>>>>>      track: yes
>>>>>>>      auto-renew: yes
>>>>>>>
>>>>>>> (I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
>>>>>>> How to fix this? Something seems wrong with the DIRSRV certificate
>>>>>>> and
>>>>>>> http....:(
>>>>>> What did you modify?
>>>>>>
>>>>>>> How to fix? What could have caused this issue?
>>>>>> This is likely not a problem with the certificates but with the
>>>>>> certificate profiles. The dogtag debug log may have more information.
>>>>>>
>>>>>> rob
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>> To unsubscribe send an email to
>>>>>> freeipa-users-le...@lists.fedorahosted.org
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> Hi Winfried,
>>>>
>>>> the issue is likely to come from the renewal of subsystemCert. You
>>>> can find more info in this blog [1]. If you are running with selinux
>>>> in enforcing mode, the renewal may fail but gets undetected.
>>>>
>>>> You can check if the ldap entry uid=pkidbuser,ou=people,o=ipaca
>>>> contains the same certificate 'subsystemCert cert-pki-ca' as the
>>>> NSSDB /etc/pki/pki-tomcat/alias.
>>>> If it is not the case, simply modify the LDAP entry to contain the
>>>> right userCertificate and description attributes.
>>>>
>>>> HTH,
>>>> Flo
>>>>
>>>> [1]
>>>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>>
>>>
>>>
>>>
> 
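The check Flo describes (does the LDAP entry uid=pkidbuser,ou=people,o=ipaca carry the same 'subsystemCert cert-pki-ca' as the NSSDB /etc/pki/pki-tomcat/alias, and does its description attribute match) is easy to get wrong by eye when comparing base64 blobs. The following script is an added example for this thread, written by the editor and not code from FreeIPA, Dogtag or anyone on the list. It assumes you feed it the text output of two commands run as root on the IPA server, `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a` (PEM) and `ldapsearch -LLL -D 'cn=Directory Manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description` (LDIF), and it relies on Dogtag's convention that the description attribute has the form `2;<serial>;<issuer DN>;<subject DN>`. The embedded sample PEM and LDIF are constructed from a 12-byte DER fragment that holds only a version and serial number; it is not a real certificate, and the "stale" entry imitates the failure mode from the thread where LDAP still holds the pre-renewal certificate.

```python
"""Compare Dogtag's subsystem cert in the NSS database with the copy in LDAP.

Added example for this thread (not FreeIPA/Dogtag code). Inputs are the text
output of (assumed commands, run as root on the IPA server):
    certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
    ldapsearch -LLL -D 'cn=Directory Manager' -W \
        -b uid=pkidbuser,ou=people,o=ipaca userCertificate description
"""
import base64
import hashlib
import re


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armor written by `certutil -a` and return the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found in certutil output")
    return base64.b64decode("".join(m.group(1).split()))


def parse_ldif(ldif_text: str) -> dict:
    """Attribute -> value for one LDIF entry. Unfolds continuation lines
    (leading space) and base64-decodes 'attr::' values, which is how
    ldapsearch emits userCertificate;binary."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: continue previous line
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):       # 'attr:: <base64>'
            attrs[name.strip()] = base64.b64decode(value[1:].strip())
        else:
            attrs[name.strip()] = value.strip()
    return attrs


def der_serial(der: bytes) -> int:
    """Read the serialNumber: Certificate -> TBSCertificate -> [0] version
    (optional) -> INTEGER. A minimal DER reader, not a general X.509 parser."""
    def tlv(buf: bytes, pos: int):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:               # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        return tag, buf[pos:pos + length], pos + length

    tag, cert_body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, field, nxt = tlv(tbs, 0)
    if tag == 0xA0:                     # explicit version tag present; skip it
        tag, field, nxt = tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(field, "big", signed=True)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def compare(nss_pem: str, ldif_text: str) -> dict:
    """Does the LDAP copy equal the NSSDB cert, and does the Dogtag
    description ('2;<serial>;<issuer>;<subject>') name the NSSDB serial?"""
    nss_der = pem_to_der(nss_pem)
    entry = parse_ldif(ldif_text)
    ldap_der = entry.get("userCertificate;binary") or entry.get("userCertificate")
    result = {
        "nss_fingerprint": fingerprint(nss_der),
        "ldap_fingerprint": fingerprint(ldap_der) if isinstance(ldap_der, bytes) else None,
        "cert_match": ldap_der == nss_der,
        "description_serial": None,
        "serial_match": False,
    }
    parts = entry.get("description", "").split(";")
    if len(parts) >= 2 and parts[0] == "2" and parts[1].isdigit():
        result["description_serial"] = int(parts[1])
        result["serial_match"] = int(parts[1]) == der_serial(nss_der)
    return result


# Constructed sample data (not real certificates): version v3, serial 11 (current)
# and serial 10 (the stale copy LDAP still holds after a renewal went undetected).
SAMPLE_DER = bytes.fromhex("300a3008a003020102" + "02010b")
STALE_DER = bytes.fromhex("300a3008a003020102" + "02010a")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")


def _ldif(der: bytes, serial: int) -> str:
    b64 = base64.b64encode(der).decode()
    return ("dn: uid=pkidbuser,ou=people,o=ipaca\n"
            f"userCertificate;binary:: {b64[:8]}\n {b64[8:]}\n"   # folded on purpose
            f"description: 2;{serial};CN=Certificate Authority,O=IPA.LOCAL;"
            "CN=CA Subsystem,O=IPA.LOCAL\n")


MATCHING_LDIF = _ldif(SAMPLE_DER, 11)
STALE_LDIF = _ldif(STALE_DER, 10)

if __name__ == "__main__":
    for label, ldif in (("matching", MATCHING_LDIF), ("stale", STALE_LDIF)):
        print(label, compare(SAMPLE_PEM, ldif))
```

A mismatch in `cert_match` means the LDAP entry needs its userCertificate replaced with the NSSDB certificate, and a mismatch in `serial_match` means the description attribute is still pointing at the old serial; both are the corrections Flo's reply refers to. A real run would pass the live command output into `compare()` instead of the constructed samples.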
