Actually, I'm replying to my own post.

I think I was using some incomplete options on the certutil command
for listing the keys without realizing it.  This might be similar to
some other issues I've briefly skimmed from the past on this list.

I'll post more when I spend more time reading if I'm still having
trouble.  I do think I may end up confused about how to fix the
actual problem once I identify it, but at least I'm making some type
of progress.  I apologize for anyone's time wasted here.


On Mon, Dec 3, 2018 at 2:55 PM Christopher Young <mexigaba...@gmail.com> wrote:
>
> So, I did a lot of reading after noticing that one of my IPA servers
> was not starting correctly.  I was working from the guide here:
>
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>
> (Honestly, THANK YOU to the people contributing to that guide because
> it really has been helpful)
>
> I didn't get very far down the guide before testing my NSSDB password
> and noticing that it does NOT appear to work.  I have no idea how that
> may have happened or when but this obviously puts me in a weird spot
> with this particular server.
>
> [root@XXXX-prod-ipaXX ca]# cat /var/lib/pki/pki-tomcat/conf/password.conf | grep internal
> internal=<numericstuffs>
>
> I tried using the password there to open the /etc/pki/pki-tomcat/alias
> NSS DB with no success.  Though, I think my problem is something else.
> I get the following error:
>
> ----
> [root@XXXXX-prod-ipaXX alias]# certutil -K -d /etc/pki/pki-tomcat/alias -n -r /tmp/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
> ----
>
> I'm just getting into this, but I feel like MAYBE this is part of my
> problem.  If anyone has any ideas here, I'd be grateful for the help!
>
> ADDED NOTE:
> I actually notice that I have this same issue on BOTH IPA servers
> which makes me ever more nervous about the situation.
> ----
> [root@XXXXX-prod-ipaXx ~]# sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
> ----
>
> Any thoughts?  Many thanks in advance!
>
> -- Chris
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
