On 07.05.2019 08:39, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/3/19 11:47 AM, H. Frenzel via FreeIPA-users wrote:
On 03.05.2019 10:18, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/2/19 7:08 PM, H. Frenzel via FreeIPA-users wrote:

What next? Can those other two certificates be removed?
Hi,

it's not a problem if the previous certs are still present in LDAP,
you can keep them here. It looks like the content of the NSSDB and
LDAP are consistent.

A few other things to check:

- Are there any replication conflicts (if you have multiple CA masters)?
$ ldapsearch -D "cn=Directory Manager" -W -b o=ipaca
"(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \*
nsds5ReplConflict

It seems there are no conflicts:

  # search result
  search: 2
  result: 0 Success

The multiple CA masters setup didn't work (see https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/TPYKB7LW6GGIHDPNX4MFDZOUCA7MLUSH/)


- In /etc/pki/pki-tomcat/ca/CS.cfg, the line starting with
'ca.subsystem.cert=' must contain the same cert as 'subsystemCert
cert-pki-ca' in /etc/pki/pki-tomcat/alias

It is as expected.


- Are there any specific errors in /var/log/pki/pki-tomcat/ca/debug?
When the CA subsystem properly starts, you should see lines about
'subsystemCert cert-pki-ca' and SSL handshake like the following:

[date][localhost-startStop-1]:
ldapconn/PKISocketFactory.makeSSLSocket: begins
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB:
Setting desired cert nickname to: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert
nickname subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[date][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB:
desired cert found in list: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB:
returning: subsystemCert cert-pki-ca
[date][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted: begins
[date][localhost-startStop-1]: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
[date][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted:
CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
[date][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted: clientIP=<local IP>
serverIP=<local IP> serverPort=31746
[date][localhost-startStop-1]: SSL handshake happened
[date][localhost-startStop-1]: Established LDAP connection with SSL
client auth to <local hostname>:636

so any error related to subsystemCert cert-pki-ca may help us diagnose.

[07/May/2019:14:19:33][localhost-startStop-1]: ldapconn/PKISocketFactory.makeSSLSocket: begins
[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert: EXAMPLE.COM IPA CA
[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[07/May/2019:14:19:33][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: begins
[07/May/2019:14:19:33][localhost-startStop-1]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
[07/May/2019:14:19:33][localhost-startStop-1]: LogFile: event type not selected: CLIENT_ACCESS_SESSION_ESTABLISH
[07/May/2019:14:19:33][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
[07/May/2019:14:19:33][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: clientIP=10.1.1.101 serverIP=10.1.1.101 serverPort=31746
[07/May/2019:14:19:33][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

There are no errors at all in /var/log/dirsrv/slapd-EXAMPLE-COM/error from this attempt. But I found some warnings in /var/log/messages; maybe those are related somehow?

2019-05-07T14:19:28.494819+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
2019-05-07T14:19:28.495201+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://ipa.example.com:8080/ca/ocsp' did not find a matching property.
2019-05-07T14:19:28.495495+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
2019-05-07T14:19:28.495775+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
2019-05-07T14:19:28.496412+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
2019-05-07T14:19:28.497308+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
2019-05-07T14:19:28.498213+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
2019-05-07T14:19:28.499134+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
2019-05-07T14:19:28.500062+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
2019-05-07T14:19:28.500918+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
2019-05-07T14:19:28.502491+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
2019-05-07T14:19:28.504300+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
2019-05-07T14:19:28.505563+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
2019-05-07T14:19:28.506169+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
2019-05-07T14:19:28.506856+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
2019-05-07T14:19:28.508160+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
2019-05-07T14:19:28.508811+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
2019-05-07T14:19:28.509434+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
2019-05-07T14:19:28.510180+02:00 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
2019-05-07T14:19:28.537648+02:00 ipa server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
2019-05-07T14:19:28.538024+02:00 ipa server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
2019-05-07T14:19:33.518554+02:00 ipa server: CMSEngine.initializePasswordStore() begins
2019-05-07T14:19:33.520758+02:00 ipa server: CMSEngine.initializePasswordStore(): tag=internaldb
2019-05-07T14:19:33.521107+02:00 ipa server: CMSEngine.initializePasswordStore(): tag=replicationdb
2019-05-07T14:19:33.882875+02:00 ipa server: Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)


Thanks for your help
H.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
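Two of the checks discussed in the thread (the CS.cfg-vs-NSSDB comparison and reading the client-cert selection sequence out of the pki-tomcat debug log), as an added example. This is not FreeIPA or Dogtag code. All inputs are constructed: the failing debug excerpt is rebuilt from the lines H. posted (fused onto one line as they arrived in the mail), the healthy excerpt follows the shape of Florence's reference output, and the CS.cfg fragment and the PEM (standing in for what `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a` would print) use placeholder base64 rather than a real certificate.

```python
"""Diagnose the CA's LDAP client-auth startup from pki-tomcat debug output and
check that CS.cfg's ca.subsystem.cert= matches the NSSDB certificate.
Added example; inputs are constructed, not taken from a live system."""
import re

# A Dogtag debug entry starts with "[dd/Mon/yyyy:HH:MM:SS][thread]: ".
ENTRY_RE = re.compile(r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}\]\[[^\]]+\]:\s*")
DESIRED_RE = re.compile(r"SSLClientCertificateSelectionCB: Setting desired cert nickname to: (.+)")
CANDIDATE_RE = re.compile(r"Candidate cert: (.+)")
RETURNING_RE = re.compile(r"SSLClientCertificateSelectionCB: returning: (.+)")


def split_entries(text):
    """One message per debug entry, even when a paste fused several onto one line."""
    return [p.strip() for p in ENTRY_RE.split(text) if p.strip()]


def analyze_cert_selection(text):
    """Reconstruct what the JSS client-cert selection callback saw.

    'ok' is True only when the nickname the CA asked for was offered as a
    candidate and was the one returned. 'returning: null' means no usable
    cert was found under that nickname, so the bind to LDAP goes out without
    a client cert, which matches the 'Authentication failed (48)' line."""
    desired, returned, candidates = None, None, []
    for entry in split_entries(text):
        m = DESIRED_RE.match(entry)
        if m:
            desired = m.group(1).strip()
            continue
        m = CANDIDATE_RE.match(entry)
        if m:
            candidates.append(m.group(1).strip())
            continue
        m = RETURNING_RE.match(entry)
        if m:
            returned = m.group(1).strip()
    return {"desired": desired, "candidates": candidates, "returned": returned,
            "ok": desired is not None and returned == desired}


def cscfg_value(cs_cfg_text, key):
    """Value of `key=` in a CS.cfg text, or None if the key is absent."""
    for line in cs_cfg_text.splitlines():
        if line.startswith(key + "="):
            return line.split("=", 1)[1].strip()
    return None


def pem_body(pem):
    """Strip PEM armour and line breaks. CS.cfg stores the certificate as a
    single line of base64 DER, which is the PEM body with its newlines joined."""
    return "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.startswith("-----"))


def cert_matches(cs_cfg_text, nssdb_pem, key="ca.subsystem.cert"):
    """True when CS.cfg's <key>= holds exactly the certificate in the PEM."""
    value = cscfg_value(cs_cfg_text, key)
    return value is not None and value == pem_body(nssdb_pem)


# Constructed: the failing run from the thread, fused onto one line.
FAILING_DEBUG = (
    "[07/May/2019:14:19:33][localhost-startStop-1]: ldapconn/PKISocketFactory.makeSSLSocket: begins "
    "[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca "
    "[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering! "
    "[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert: EXAMPLE.COM IPA CA "
    "[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca "
    "[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null "
    "[07/May/2019:14:19:33][localhost-startStop-1]: SSL handshake happened\n"
    "Could not connect to LDAP server host ipa.example.com port 636 "
    "Error netscape.ldap.LDAPException: Authentication failed (48)\n"
)

# Constructed: a healthy run, one entry per line, shaped like the reference excerpt.
HEALTHY_DEBUG = """\
[07/May/2019:15:00:00][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[07/May/2019:15:00:00][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[07/May/2019:15:00:00][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[07/May/2019:15:00:00][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
"""

# Constructed placeholder base64, not a real certificate.
FAKE_B64 = "MIIDQzCCAiugAwIBAgIBBzANBgkqhkiG9w0BAQsFADAAAAAAEXAMPLEONLY"
CS_CFG = "ca.subsystem.nickname=subsystemCert cert-pki-ca\nca.subsystem.cert=" + FAKE_B64 + "\n"
NSSDB_PEM = ("-----BEGIN CERTIFICATE-----\n" + FAKE_B64[:40] + "\n" + FAKE_B64[40:]
             + "\n-----END CERTIFICATE-----\n")
STALE_PEM = NSSDB_PEM.replace("EXAMPLEONLY", "STALEXXXXXX")  # a cert that was renewed in NSSDB only


def main():
    for label, text in (("failing run", FAILING_DEBUG), ("healthy run", HEALTHY_DEBUG)):
        r = analyze_cert_selection(text)
        print(f"{label}: desired={r['desired']!r} candidates={r['candidates']} "
              f"returned={r['returned']!r} -> {'OK' if r['ok'] else 'PROBLEM'}")
    print("CS.cfg matches NSSDB PEM:", cert_matches(CS_CFG, NSSDB_PEM))
    print("CS.cfg matches stale PEM:", cert_matches(CS_CFG, STALE_PEM))


if __name__ == "__main__":
    main()
```

On a real server the same functions take `open('/var/log/pki/pki-tomcat/ca/debug').read()`, the contents of /etc/pki/pki-tomcat/ca/CS.cfg, and the PEM printed by `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a`. In the failing run the candidates offered to the callback are the CA certificate and Server-Cert but not subsystemCert, so a sensible next check is whether the NSSDB really holds both a certificate and a private key under that nickname (`certutil -L -d /etc/pki/pki-tomcat/alias` and `certutil -K -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf`); that is my reading of the log rather than something the thread establishes.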
