Hi Freeipa-users,

I've done some more troubleshooting on my own and I'm still having issues related to this.
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/CO6C5LOGGIPHCR5M42KSXF3NGUOPCCSF/

I've got all my certificates tracking but I'm stuck and can't get two of them to renew.

Request ID '20181230160145':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa1.cs.oberlin.edu:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=CS.OBERLIN.EDU
        subject: CN=CA Audit,O=CS.OBERLIN.EDU
        expires: 2018-12-31 13:28:03 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20181230160146':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa1.cs.oberlin.edu:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=CS.OBERLIN.EDU
        subject: CN=OCSP Subsystem,O=CS.OBERLIN.EDU
        expires: 2018-12-31 13:26:43 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

I've already set the date back to Dec 30 of 2018 and tried "service certmonger restart". It doesn't work for these two.

As far as I can tell I can't renew these because I can't contact the CA renewal master running on the localhost. I'm inferring that from "ca-error: Error 7 connecting to http://ipa1.cs.oberlin.edu:8080/ca/ee/ca/profileSubmit: Couldn't connect to server."

Also, I verified that I'm working on the Renewal master:
[root@ipa1 ca]# ipa config-show| grep "IPA CA renewal master"
IPA CA renewal master: ipa1.cs.oberlin.edu

I think the main cause of this is that I can't get the pki-tomcatd Service started.

[root@ipa1 ca]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful

When I look at /var/log/pki/pki-tomcat/ca/debug I get the following error:

Internal Database Error encountered: Could not connect to LDAP server host ipa1.cs.oberlin.edu port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)

I'm not using 3rd-party SSLs and never have.

I'm trying to start pki tomcat with this command:
# systemctl start pki-tomcatd@pki-tomcat.service

Any suggestions?
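Added example, not part of the original post or of FreeIPA's tooling: a POSIX shell helper that checks the NSS trust flags the pki-tomcat alias database assigns to its own CA certificate, which is one of the first things to look at when NSS reports that the peer's certificate issuer is marked as not trusted. The two listings are constructed; the nicknames and database path are those from the post, and the idea that a missing 'C'/'T' flag explains the error is an assumption to verify on the real host.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA/Dogtag: parse
# `certutil -L -d /etc/pki/pki-tomcat/alias` output and check that the CA
# signing cert still carries an SSL CA trust flag (NSS: C = trusted CA for
# SSL, T = trusted CA for client auth, u = cert with private key).

# Constructed listing in which the CA entry has lost its CA trust flags.
BROKEN_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u'

# Constructed listing of a healthy Dogtag NSS database for comparison.
HEALTHY_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u'

# ssl_trust NICKNAME: read certutil -L output on stdin and print the SSL
# component (first comma-separated trust field) for NICKNAME.
ssl_trust() {
    awk -v nick="$1" '
        NR > 2 && NF >= 2 {
            flags = $NF; name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            if (name == nick) { split(flags, f, ","); print f[1]; exit }
        }'
}

# ca_trusted_for_ssl NICKNAME: succeed only if NICKNAME is a trusted CA for SSL.
ca_trusted_for_ssl() {
    case "$(ssl_trust "$1")" in
        *C*|*T*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Walk-through: the broken listing fails the check, the healthy one passes.
NICK='caSigningCert cert-pki-ca'
if printf '%s\n' "$BROKEN_LIST" | ca_trusted_for_ssl "$NICK"; then echo "broken: trusted?"; else echo "broken: $NICK is not a trusted CA for SSL"; fi
if printf '%s\n' "$HEALTHY_LIST" | ca_trusted_for_ssl "$NICK"; then echo "healthy: $NICK is a trusted CA for SSL"; fi
```

On the real host, pipe `certutil -L -d /etc/pki/pki-tomcat/alias` into `ca_trusted_for_ssl 'caSigningCert cert-pki-ca'` instead of the constructed listings.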


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org