On 5/2/19 7:08 PM, H. Frenzel via FreeIPA-users wrote:
Hi,

trying to delete a host failed with "Unable to communicate with CMS (500)"

   # ipa host-del foo.bar.local
  ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

Checking the pki logs shows "Subsystem unavailable"

   # /var/log/pki/pki-tomcat/localhost.YYYY-MM-DD.log
   SEVERE: Exception Processing /ca/rest/certs/search
   javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

Trying to troubleshoot it with the help of https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ shows an authentication error on LDAP (/var/log/pki/pki-tomcat/ca/debug), but debugging it further failed at the part "Check the subsystemCert cert-pki-ca".

The 1st command works:
  # certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number:
               00:9f:ff:01:6c
   ...

# grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt

But then the private key can't be read:

  # certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
  certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
  certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.

  # certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
  certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
  certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.

It looks as if it's there:

  # certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
  certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
  < 0> rsa      f7eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX79c   Server-Cert cert-pki-ca
  < 1> rsa      7e4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX164   NSS Certificate DB:caSigningCert cert-pki-ca
  < 2> rsa      f40XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX978   Server-Cert cert-pki-ca
  < 3> rsa      097XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXcca   NSS Certificate DB:subsystemCert cert-pki-ca
  < 4> rsa      28cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8f9   (orphan)
  < 5> rsa      602XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX400   NSS Certificate DB:ocspSigningCert cert-pki-ca
  < 6> rsa      b28XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9fe   NSS Certificate DB:auditSigningCert cert-pki-ca
  < 7> rsa      91cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXb13   (orphan)

What could be wrong here?
Hi,
the key is present, its name is just "NSS Certificate DB:subsystemCert cert-pki-ca" without any space after the colon. You can check the next steps, i.e. is the "subsystemCert cert-pki-ca" certificate consistent with the content of the LDAP entry uid=pkidbuser,ou=people,o=ipaca.

flo

Thanks in advance & b/r
H.
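The "next step" flo points to, checking that the 'subsystemCert cert-pki-ca' in the pki-tomcat NSS database is the same certificate stored on uid=pkidbuser,ou=people,o=ipaca, can be scripted. The script below is an added example written for this page; it is not from the thread and not FreeIPA or Dogtag code. It assumes the NSS database path from the thread (/etc/pki/pki-tomcat/alias), a Directory Manager bind for ldapsearch, and the helper names pem_to_b64, ldif_cert_b64, certs_match and main, which are all hypothetical. The comparison is done on the base64 DER as certutil and ldapsearch emit it, with LDIF continuation lines unfolded first, so it also works when ldapsearch is run without `-o ldif-wrap=no`.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA/Dogtag code).
# Checks that 'subsystemCert cert-pki-ca' in the pki-tomcat NSS DB is the
# certificate held in userCertificate on uid=pkidbuser,ou=people,o=ipaca.
# pki-tomcat authenticates to 389-ds with that cert over TLS, and the
# directory maps it to pkidbuser only if the stored cert matches, so a
# mismatch shows up exactly as the LDAP authentication error in ca/debug.
# Assumptions: paths below, Directory Manager bind (prompts for password).

NSSDB=/etc/pki/pki-tomcat/alias
NICK='subsystemCert cert-pki-ca'
PKIDBUSER='uid=pkidbuser,ou=people,o=ipaca'

# stdin: PEM certificate(s). stdout: the base64 DER on one line, no armour.
pem_to_b64() {
    grep -v -- '-----' | tr -d ' \n\r\t'
}

# stdin: LDIF as printed by ldapsearch. stdout: one base64 value per line,
# one for each userCertificate / userCertificate;binary attribute value.
# LDIF folds long values; a leading space marks a continuation line.
ldif_cert_b64() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { printf "\n%s", $0 } END { print "" }' \
    | sed -n 's/^userCertificate\(;binary\)\{0,1\}:: //p' \
    | tr -d ' \r'
}

# $1: base64 DER from the NSS DB. $2: newline-separated base64 values from
# LDAP. Returns 0 if the NSS cert is one of the LDAP values, 2 if either
# side is empty (no cert found), 1 on a mismatch.
certs_match() {
    nss_b64=$1
    ldap_b64s=$2
    if [ -z "$nss_b64" ] || [ -z "$ldap_b64s" ]; then
        echo "missing data: nss=${#nss_b64} chars, ldap=${#ldap_b64s} chars" >&2
        return 2
    fi
    printf '%s\n' "$ldap_b64s" | grep -Fxq -- "$nss_b64"
}

main() {
    # certutil -L -a prints the cert for the nickname in PEM form.
    nss_b64=$(certutil -L -d "$NSSDB" -n "$NICK" -a | pem_to_b64)
    # Base-scope search on the pkidbuser entry; -LLL gives plain LDIF.
    ldap_b64s=$(ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
                -b "$PKIDBUSER" -s base userCertificate | ldif_cert_b64)
    if certs_match "$nss_b64" "$ldap_b64s"; then
        echo "OK: '$NICK' matches userCertificate on $PKIDBUSER"
    else
        echo "MISMATCH: '$NICK' is not stored on $PKIDBUSER" >&2
        exit 1
    fi
}

# Only touch certutil/ldapsearch when explicitly asked to run.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh check_pkidbuser.sh --run` on the CA host. If it reports a mismatch, the fix is to replace the userCertificate value on the pkidbuser entry with the certificate that is actually in the NSS database (the PEM from `certutil -L -a`), not to touch the NSS database; if the NSS database holds more than one certificate under that nickname, `certutil -L -a` prints all of them and the comparison must be done per certificate.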
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org