On 09.05.2019 10:01, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/7/19 2:54 PM, H. Frenzel via FreeIPA-users wrote:
On 07.05.2019 08:39, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/3/19 11:47 AM, H. Frenzel via FreeIPA-users wrote:
On 03.05.2019 10:18, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/2/19 7:08 PM, H. Frenzel via FreeIPA-users wrote:
Hi,
the authentication failure means that PKI tried to authenticate to
the LDAP server but the operation failed.
PKI is using the subsystemcert cert-pki-ca certificate to
authenticate. This can be mimicked with:
Tried it, but it throws an error:
# LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias/ LDAPTLS_CERT='subsystemCert cert-pki-ca' ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL
tlsmc_get_pin: INFO: Please note the extracted key file will not be
protected with a PIN any more, however it will be still protected at
least by file permissions.
Please enter pin, password, or pass phrase for security token 'NSS
Certificate DB':
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
and here you need to provide the PIN stored in
/etc/pki/pki-tomcat/alias/pwdfile.txt.
Your log seems to indicate that subsystemCert cert-pki-ca was not
found (SSLClientCertificateSelectionCB: returning: null). Can you
check:
- the trust flags with
$ certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
- the file permissions for the NSS db:
$ ls -l /etc/pki/pki-tomcat/alias/
total 104
-rw-------. 1 pkiuser pkiuser 65536 May  3 15:16 cert8.db
-rw-------. 1 pkiuser pkiuser 40960 May  3 15:16 key3.db
-r--------. 1 pkiuser pkiuser    42 Jan 10  2018 pwdfile.txt
-rw-------. 1 pkiuser pkiuser 16384 Jan 10  2018 secmod.db
Obviously something was changed on May 3rd.
I restored both of those files (cert8.db & key3.db) from a backup, and now
it seems to work again :)
# systemctl status pki-tomcatd@pki-tomcat
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-05-09 12:35:05 CEST; 30s ago
  Process: 7959 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
  Process: 8001 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 8144 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─8144 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -agentpath:/usr/lib/abrt-java-connector/libabrt-java-connector.so=abrt=on -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/t...

May 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
May 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
May 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
May 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
May 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
May 09 12:35:12 ipa.example.com server[8144]: CMSEngine.initializePasswordStore() begins
May 09 12:35:12 ipa.example.com server[8144]: CMSEngine.initializePasswordStore(): tag=internaldb
May 09 12:35:12 ipa.example.com server[8144]: CMSEngine.initializePasswordStore(): tag=replicationdb
May 09 12:35:14 ipa.example.com server[8144]: CA is started.
May 09 12:35:15 ipa.example.com server[8144]: KRA is started.
Thanks again for your help. I really appreciate it.
H.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
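The two checks Florence asked for (trust flags of subsystemCert cert-pki-ca in the Dogtag NSS database, and the permissions of the alias directory) plus the SASL EXTERNAL bind she used to mimic PKI's LDAP authentication, turned into a small POSIX sh script so they can be rerun the next time the CA refuses to start. This is an added example written for this page, not code from the thread, from FreeIPA or from Dogtag. It assumes the default FreeIPA paths (/etc/pki/pki-tomcat/alias, owner pkiuser), GNU or BusyBox `stat -c`, and an ldapsearch that accepts NSS nicknames in LDAPTLS_CERT as in the thread; the embedded certutil listing is constructed after the one posted above. Run with `--live` on the IPA server to execute the real commands; without arguments it only exercises the parser on the constructed sample.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeIPA/Dogtag or the posters.
# Assumed: default FreeIPA paths, owner "pkiuser", `stat -c`, NSS-aware ldapsearch.

ALIAS_DIR="${ALIAS_DIR:-/etc/pki/pki-tomcat/alias}"
PKI_OWNER="${PKI_OWNER:-pkiuser}"
CLIENT_NICK="subsystemCert cert-pki-ca"

# check_trust_flags NICK   (reads `certutil -L -d DIR` output on stdin)
# Prints NICK's trust column ("missing" if absent) and succeeds only when the
# SSL field carries "u", i.e. certificate AND private key are in the database.
# Without the key Dogtag cannot pick the cert for client auth, which is what
# "SSLClientCertificateSelectionCB: returning: null" in the thread means.
check_trust_flags() {
    nick="$1"
    flags=$(awk -v n="$nick" 'index($0, n) == 1 { print $NF; exit }')
    if [ -z "$flags" ]; then
        echo missing
        return 1
    fi
    echo "$flags"
    case "${flags%%,*}" in
        *u*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_nssdb_perms DIR OWNER
# Every NSS/Dogtag file present in DIR must belong to OWNER (name or uid) and
# be mode 0600 or 0400: pwdfile.txt holds the token PIN in clear and key*.db
# the private keys. At least one key database (key3.db or key4.db) must exist.
check_nssdb_perms() {
    dir="$1" owner="$2" rc=0 have_key=0
    case "$owner" in
        ''|*[!0-9]*) owner_uid=$(id -u "$owner" 2>/dev/null) ||
                         { echo "no such user: $owner"; return 1; } ;;
        *)           owner_uid="$owner" ;;
    esac
    for f in cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt pwdfile.txt; do
        p="$dir/$f"
        [ -e "$p" ] || continue
        case "$f" in key3.db|key4.db) have_key=1 ;; esac
        set -- $(stat -c '%a %u' "$p")          # mode, numeric owner
        case "$1" in
            600|400) ;;
            *) echo "$p: mode $1 (want 600 or 400)"; rc=1 ;;
        esac
        [ "$2" = "$owner_uid" ] || { echo "$p: uid $2 (want $owner_uid)"; rc=1; }
    done
    [ "$have_key" -eq 1 ] || { echo "$dir: no key3.db/key4.db"; rc=1; }
    return $rc
}

# probe_subsystem_bind   (live; repeats the bind command from the thread)
# ldapsearch prompts for the NSS token PIN: paste the value from pwdfile.txt.
# "tlsv1 alert unknown ca" means the LDAP server sent an unknown_ca alert, i.e.
# it rejected the chain of the client certificate it was shown.
probe_subsystem_bind() {
    LDAPTLS_CACERTDIR="$ALIAS_DIR" LDAPTLS_CERT="$CLIENT_NICK" \
        ldapsearch -H "ldaps://$(hostname):636" -b "" -s base -Y EXTERNAL
}

run_live() {
    if certutil -L -d "$ALIAS_DIR" | check_trust_flags "$CLIENT_NICK"; then
        echo "$CLIENT_NICK: usable for client auth"
    else
        echo "$CLIENT_NICK: NOT usable for client auth" >&2
    fi
    check_nssdb_perms "$ALIAS_DIR" "$PKI_OWNER" && echo "$ALIAS_DIR: permissions OK"
    probe_subsystem_bind
}

# Constructed `certutil -L` sample, modelled on the listing in the thread.
SAMPLE_GOOD='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu'
# Same listing after the private key is gone: cert still listed, flags ",,".
SAMPLE_NOKEY=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/^\(subsystemCert cert-pki-ca *\)u,u,u$/\1,,/')

if [ "${1:-}" = "--live" ]; then
    run_live
else
    printf '%s\n' "$SAMPLE_GOOD" | check_trust_flags "$CLIENT_NICK"                       # u,u,u
    printf '%s\n' "$SAMPLE_NOKEY" | check_trust_flags "$CLIENT_NICK" || echo "(no key)"    # ,,
fi
```

The parser keys on the nickname starting the line, which is how certutil prints the table; a nickname that is listed but shows ",," has lost its private key, and one that is absent altogether reproduces the "returning: null" symptom from the log, which is exactly the state a stale or swapped cert8.db/key3.db pair leaves behind.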