On 09.05.2019 10:01, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/7/19 2:54 PM, H. Frenzel via FreeIPA-users wrote:
On 07.05.2019 08:39, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/3/19 11:47 AM, H. Frenzel via FreeIPA-users wrote:
On 03.05.2019 10:18, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/2/19 7:08 PM, H. Frenzel via FreeIPA-users wrote:


Hi,

the authentication failure means that PKI tried to authenticate to
the LDAP server but the operation failed.
PKI is using the subsystemcert cert-pki-ca certificate to
authenticate. This can be mimicked with:

Tried it, but it throws an error:

# LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias/ LDAPTLS_CERT='subsystemCert cert-pki-ca' ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL
  tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.
  Please enter pin, password, or pass phrase for security token 'NSS Certificate DB':
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
          additional info: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

and here you need to provide the PIN stored in
/etc/pki/pki-tomcat/alias/pwdfile.txt.

Your log seems to indicate that subsystemCert cert-pki-ca was not
found (SSLClientCertificateSelectionCB: returning: null). Can you
check:
- the trust flags with
$ certutil -L -d /etc/pki/pki-tomcat/alias

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  Server-Cert cert-pki-ca                                      u,u,u
  ocspSigningCert cert-pki-ca                                  u,u,u
  subsystemCert cert-pki-ca                                    u,u,u
  auditSigningCert cert-pki-ca                                 u,u,Pu
  caSigningCert cert-pki-ca                                    CTu,Cu,Cu
  EXAMPLE.COM IPA CA                                           CTu,Cu,Cu

- the file permissions for the NSS db:
$ ls -l /etc/pki/pki-tomcat/alias/

  insgesamt 104
  -rw-------. 1 pkiuser pkiuser 65536  3. Mai 15:16 cert8.db
  -rw-------. 1 pkiuser pkiuser 40960  3. Mai 15:16 key3.db
  -r--------. 1 pkiuser pkiuser    42 10. Jan 2018  pwdfile.txt
  -rw-------. 1 pkiuser pkiuser 16384 10. Jan 2018  secmod.db

Obviously something was changed on May 3rd.
I restored both of those files (cert8.db & key3.db) from a backup, and now it seems to work again :)

  # systemctl status pki-tomcatd@pki-tomcat
  ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
     Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
     Active: active (running) since Do 2019-05-09 12:35:05 CEST; 30s ago
    Process: 7959 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
    Process: 8001 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
   Main PID: 8144 (java)
     CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
             └─8144 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -agentpath:/usr/lib/abrt-java-connector/libabrt-java-connector.so=abrt=on -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/t...

  Mai 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
  Mai 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
  Mai 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
  Mai 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
  Mai 09 12:35:07 ipa.example.com server[8144]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
  Mai 09 12:35:12 ipa.example.com server[8144]: CMSEngine.initializePasswordStore() begins
  Mai 09 12:35:12 ipa.example.com server[8144]: CMSEngine.initializePasswordStore(): tag=internaldb
  Mai 09 12:35:12 ipa.example.com server[8144]: CMSEngine.initializePasswordStore(): tag=replicationdb
  Mai 09 12:35:14 ipa.example.com server[8144]: CA is started.
  Mai 09 12:35:15 ipa.example.com server[8144]: KRA is started.

Thanks again for your help. I really appreciate it.
H.
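The two checks Florence asked for (trust flags from `certutil -L -d /etc/pki/pki-tomcat/alias` and ownership/permissions from `ls -l /etc/pki/pki-tomcat/alias/`) are easy to turn into a repeatable health check, so that a missing `subsystemCert cert-pki-ca` or a rewritten `key3.db` is caught before PKI fails to bind to LDAP. The script below is an added example, not code from this thread or from FreeIPA/Dogtag. It parses captured output of those two commands rather than calling them, so it runs offline; the sample listings are constructed from the output quoted in the thread, and the required nickname/trust-flag table and the `pkiuser` owner are assumptions taken from that same output.

```python
"""Audit a pki-tomcat NSS database from captured `certutil -L` and `ls -l` output.

Added example (not from the thread or from FreeIPA/Dogtag). The expected
nicknames, trust flags and owner are assumptions taken from the healthy
listing quoted in the thread.
"""
import re

# Nicknames and trust flags the healthy listing in the thread shows. The IPA CA
# nickname is deployment-specific, so it is not required here.
REQUIRED_CERTS = {
    "Server-Cert cert-pki-ca": "u,u,u",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
}
# Files of the legacy dbm-format NSS db plus its PIN file.
REQUIRED_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")

# A certutil entry is "<nickname>  <trust flags>". Trust flags use only
# p,P,c,C,T,u,w and commas, so the header ("Trust Attributes" /
# "SSL,S/MIME,JAR/XPI") never matches.
_CERT_LINE = re.compile(r"^\s*(.+?)\s{2,}([pPcCTuw,]+)\s*$")


def parse_certutil(text):
    """Map nickname -> trust flags from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _CERT_LINE.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_ls(text):
    """Map file name -> (mode, owner, group) from `ls -l` output.

    The total line ("insgesamt 104" in the thread's German locale) has no
    mode field and is skipped; a trailing SELinux '.' on the mode is stripped.
    """
    files = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue
        files[parts[-1]] = (parts[0].rstrip(".+"), parts[2], parts[3])
    return files


def audit(certutil_text, ls_text, expected_owner="pkiuser"):
    """Return a list of findings; empty means the db matches the healthy listing."""
    findings = []
    certs = parse_certutil(certutil_text)
    for nick, flags in REQUIRED_CERTS.items():
        if nick not in certs:
            findings.append(f"missing certificate: {nick}")
        elif certs[nick] != flags:
            findings.append(f"unexpected trust flags for {nick}: {certs[nick]} (expected {flags})")
    files = parse_ls(ls_text)
    for name in REQUIRED_FILES:
        if name not in files:
            findings.append(f"missing file: {name}")
            continue
        mode, owner, group = files[name]
        if owner != expected_owner or group != expected_owner:
            findings.append(f"{name} owned by {owner}:{group}, expected {expected_owner}")
        if mode[4:] != "------":  # group and other permission bits must all be off
            findings.append(f"{name} is readable by group/other: {mode}")
    return findings


# Constructed sample listings; the healthy pair mirrors the thread's output.
CERTUTIL_OK = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
"""
# Same db with the subsystem cert gone, the state the thread's log hinted at.
CERTUTIL_BAD = "\n".join(l for l in CERTUTIL_OK.splitlines() if not l.startswith("subsystemCert"))

LS_OK = """\
insgesamt 104
-rw-------. 1 pkiuser pkiuser 65536  3. Mai 15:16 cert8.db
-rw-------. 1 pkiuser pkiuser 40960  3. Mai 15:16 key3.db
-r--------. 1 pkiuser pkiuser    42 10. Jan 2018  pwdfile.txt
-rw-------. 1 pkiuser pkiuser 16384 10. Jan 2018  secmod.db
"""
# Constructed broken state: key3.db rewritten as root and world-readable.
LS_BAD = """\
insgesamt 104
-rw-------. 1 pkiuser pkiuser 65536  3. Mai 15:16 cert8.db
-rw-r--r--. 1 root    root    40960  3. Mai 15:16 key3.db
-r--------. 1 pkiuser pkiuser    42 10. Jan 2018  pwdfile.txt
-rw-------. 1 pkiuser pkiuser 16384 10. Jan 2018  secmod.db
"""

if __name__ == "__main__":
    for label, c, l in (("healthy", CERTUTIL_OK, LS_OK), ("broken", CERTUTIL_BAD, LS_BAD)):
        print(label, audit(c, l) or "OK")
```

On a live server, feed `audit()` the real command output (for example `subprocess.run(["certutil", "-L", "-d", "/etc/pki/pki-tomcat/alias"], capture_output=True, text=True).stdout`) and run it from cron or a monitoring agent; a non-empty finding list is the signal to restore `cert8.db`/`key3.db` from backup, as was done here, before `pki-tomcatd` starts failing LDAP authentication.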

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org