at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Internal Database Error encountered: Could not connect to LDAP server
host ipa1.corp.endurance.com <http://ipa1.corp.endurance.com> port 636
Error netscape.ldap.LDAPException: Authentication failed (49)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
[24/Oct/2019:16:29:50][localhost-startStop-1]: CMS.start(): shutdown server
[24/Oct/2019:16:29:50][localhost-startStop-1]: CMSEngine.shutdown()
-------------------------------------------------------------------------------------------
sybsystemCert is still valid.
Request ID '20171024201555':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CORP.ENDURANCE.COM
<http://CORP.ENDURANCE.COM>
subject: CN=CA Subsystem,O=CORP.ENDURANCE.COM <http://CORP.ENDURANCE.COM>
expires: 2021-09-06 03:25:48 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
-------------------------------------------------------------
[root@ipa1 ~]# cat /etc/pki/pki-tomcat/ca/CS.cfg| grep subsystem.cert
ca.cert.subsystem.certusage=SSLClient
ca.subsystem.cert=MIIDhjCCAm6gAwIBAgIBOTANBgkqhkiG9w0BAQsFADA9MRswGQYDVQQKDBJDT1JQLkVORFVSQU5DRS5DT00xHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTcwMzI1NDhaFw0yMTA5MDYwMzI1NDhaMDQxGzAZBgNVBAoMEkNPUlAuRU5EVVJBTkNFLkNPTTEVMBMGA1UEAwwMQ0EgU3Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwuicP62ZiJBTVqE+6zMdq5HHHjtGCfJTz8qqB58F7efRRWgbYHGSwsjUiOPQOknZlVZsuocLYU+zKxDmJ1w7IpAW4W/4RM/fN4rxKMvA4PP4Lcikld12eAOhuepjOzgaetu2Q5DF7rZEpTviZLiUTQJMDM8wQM+cZBVp3LPWi8D/CViXQKc/SjeWzWL6sQNTxnWhJR0OjvprmKeJB6oAEN/T5cLqr5rxnNCsn2MtXbQAXq1jwRuHYkpbwD64N+aAKbYGR03VHWWgP1MSbbp3XYWudM34h0+clZeTeomNSTVuxvE0n9JCpAGpeSDHIGbmvTG5+O9Lu7dZTe/UHS54nQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFGLd+5wtR3MapBd2R/ufY++/vtulMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL2lwYS1jYS5jb3JwLmVuZHVyYW5jZS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAf00fJv2cjjVeZr7FYdHZZRB7RoaZNIY+SjsKkfxGP8KCFFOleKE6CXlqtXlDD0BKYnqvDv+3C27G1UIjTXmUpbJS/TKciemZYBZC7yDNs0F1K04VV00c1Ceag+f43kaR+oIZFoEGnHwSLKNyoSwsodpKPWnGfyrXAt0oj6nh+J6ADup3uJMxLXLp8Xrl7FxRt8PKgZypLn52RF9DzPZH+f7kDVAay3fqy8P/DZJMRTokYUjDDVBg2Mq7B99KHPV6TXHbgc/b7I9TdEz5aZ0ZA4mSkWLNw/ZwVPbx22drhErpvIs5h3RjRbPqB7fNsNWtF3GFZBn3vjR9fugo1ZyUS
ca.subsystem.certreq=MIICeTCCAWECAQAwNDEbMBkGA1UECgwSQ09SUC5FTkRVUkFOQ0UuQ09NMRUwEwYDVQQDDAxDQSBTdWJzeXN0ZW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC6Jw/rZmIkFNWoT7rMx2rkcceO0YJ8lPPyqoHnwXt59FFaBtgcZLCyNSI49A6SdmVVmy6hwthT7MrEOYnXDsikBbhb/hEz983ivEoy8Dg8/gtyKSV3XZ4A6G56mM7OBp627ZDkMXutkSlO+JkuJRNAkwMzzBAz5xkFWncs9aLwP8JWJdApz9KN5bNYvqxA1PGdaElHQ6O+muYp4kHqgAQ39PlwuqvmvGc0KyfYy1dtABerWPBG4diSlvAPrg35oAptgZHTdUdZaA/UxJtunddha50zfiHT5yVl5N6iY1JNW7G8TSf0kKkAal5IMcgZua9Mbn470u7t1lN79QdLnidAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEABl3uxfntEZZFeoB1eIjd774MSxK2itaj6B1VyXV0qxcp/SHF1sfJnUHjDpNIB0J/Bpk/sc/+Y2Gxar3zcwyORjF+ojCBc8lP6QZ7mB9H3m9XEuA+H1qmgGz+h2FhnQy5/EmgJnTAn8fNpZCQwQmSZLtnbmd++yK9y+YXCAvaHx+Wsz5c/GhyNxoHGADcmir+iFVltO3jpQ06ThVBb0bD4D6ZzaimkM1vnAqseKdqXvLJI1/ZfIVj6QDcdnnTryt24zOZoxzeOcc2X5HKOtR/5pXilmCS/7zpujXTd1iZi8nfRkpurUdMgC7FLK+B3Dq03G61RPJUwJZvsKlXbwBghg==
[root@ipa1 ~]# cat /tmp/subsystemCert\ cert-pki-ca.pem
MIIDhjCCAm6gAwIBAgIBOTANBgkqhkiG9w0BAQsFADA9MRswGQYDVQQKDBJDT1JQLkVORFVSQU5DRS5DT00xHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTcwMzI1NDhaFw0yMTA5MDYwMzI1NDhaMDQxGzAZBgNVBAoMEkNPUlAuRU5EVVJBTkNFLkNPTTEVMBMGA1UEAwwMQ0EgU3Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwuicP62ZiJBTVqE+6zMdq5HHHjtGCfJTz8qqB58F7efRRWgbYHGSwsjUiOPQOknZlVZsuocLYU+zKxDmJ1w7IpAW4W/4RM/fN4rxKMvA4PP4Lcikld12eAOhuepjOzgaetu2Q5DF7rZEpTviZLiUTQJMDM8wQM+cZBVp3LPWi8D/CViXQKc/SjeWzWL6sQNTxnWhJR0OjvprmKeJB6oAEN/T5cLqr5rxnNCsn2MtXbQAXq1jwRuHYkpbwD64N+aAKbYGR03VHWWgP1MSbbp3XYWudM34h0+clZeTeomNSTVuxvE0n9JCpAGpeSDHIGbmvTG5+O9Lu7dZTe/UHS54nQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFGLd+5wtR3MapBd2R/ufY++/vtulMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL2lwYS1jYS5jb3JwLmVuZHVyYW5jZS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAf00fJv2cjjVeZr7FYdHZZRB7RoaZNIY+SjsKkfxGP8KCFFOleKE6CXlqtXlDD0BKYnqvDv+3C27G1UIjTXmUpbJS/TKciemZYBZC7yDNs0F1K04VV00c1Ceag+f43kaR+oIZFoEGnHwSLKNyoSwsodpKPWnGfyrXAt0oj6nh+J6ADup3uJMxLXLp8Xrl7FxRt8PKgZypLn52RF9DzPZH+f7kDVAay3fqy8P/DZJMRTokYUjDDVBg2Mq7B99KHPV6TXHbgc/b7I9TdEz5aZ0ZA4mSkWLNw/ZwVPbx22drhErpvIs5h3RjRbPqB7fNsNWtF3GFZBn3vjR9fugo1ZyUS
I had a few queries on this
1. Is there any way we take the backup of the current setup and create a
new IPA instance without changing any parameter in the client servers
2. If we upgrade the IPA version we can fix this issue?
Regards
Nikita S
On Fri, Nov 8, 2019 at 4:29 PM Nikita Deeksha <nikit...@endurance.com
<mailto:nikit...@endurance.com>> wrote:
Thanks, Florence and Alexander.
@Alexander Bokovoy <mailto:aboko...@redhat.com> ,
While we were debugging in one of a blog we came across a scenario
where NSS DB had got corrupted during a certificate renewal, so
wanted to eliminate that issue.
We see all the private key.
[root@ipa1 nikita.d]# certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
< 0> rsa b8763cec560cf751cdafa5b0006af9405bdfabf0 NSS
Certificate DB:subsystemCert cert-pki-ca
< 1> rsa c7d8b4bf5f7d60de906444744a3b512c801676d2 (orphan)
< 2> rsa 49ddc4aff2ae7a59ed5c3a939217d006d059fea2 NSS
Certificate DB:Server-Cert cert-pki-ca
< 3> rsa 12717b4e7fec1f408c947015b069e94838198947 NSS
Certificate DB:auditSigningCert cert-pki-ca
< 4> rsa 249cfa8ef238a902bd45ce397eda0a8ce8dda01d
caSigningCert cert-pki-ca
< 5> rsa 079bf91860780244f89ee9509853ed3e975ca11d NSS
Certificate DB:ocspSigningCert cert-pki-ca
We will try renewing the HTTP cert in our environment, will let you
know once the cert is updated successfully.
https://access.redhat.com/solutions/3357261
Regards
Nikita S
On Fri, Nov 8, 2019 at 3:42 PM Florence Blanc-Renaud <f...@redhat.com
<mailto:f...@redhat.com>> wrote:
On 11/7/19 11:16 AM, Nikita Deeksha via FreeIPA-users wrote:
> Thanks for the update Alexander will check this and get back
to you,
> wanted to check on another thing as well.
>
> Can you please help us to understand this error that we see
for the cert
> in pki
>
> [root@ipa1 nikita.d]# for i in $(certutil -d
/etc/pki/pki-tomcat/alias
> -L | grep cert-pki-ca | awk'{print $1}');do certutil -K -d
> /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n "$i
cert-pki-ca";done
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> < 0> rsa 249cfa8ef238a902bd45ce397eda0a8ce8dda01d
caSigningCert
> cert-pki-ca
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
Hi,
If you use "certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt" (without the -n alias option), you will see
all the
keys present in the database and notice that some of them have a
prefixed nickname, for instance:
'NSS Certificate DB:Server-Cert cert-pki-ca'
instead of 'Server-Cert cert-pki-ca'.
You need to provide this prefixed name with -K -n nickname.
HTH,
flo
>
> These are the cert which is present /etc/pki/pki-tomcat/alias
>
> [root@ipa1 nikita.d]# certutil -L -d /etc/pki/pki-tomcat/alias
>
> Certificate Nickname
Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> COMODO CA BUNDLE
CT,C,C
> ocspSigningCert cert-pki-ca
u,u,u
> auditSigningCert cert-pki-ca
u,u,Pu
> caSigningCert cert-pki-ca
CTu,Cu,Cu
> subsystemCert cert-pki-ca
u,u,u
> Server-Cert cert-pki-ca
u,u,u
>
>
>
> Regards
>
> Nikita S
>
>
> On Wed, Nov 6, 2019 at 9:52 PM Alexander Bokovoy
<aboko...@redhat.com <mailto:aboko...@redhat.com>
> <mailto:aboko...@redhat.com <mailto:aboko...@redhat.com>>> wrote:
>
> On ke, 06 marras 2019, Nikita Deeksha via FreeIPA-users
wrote:
> >2.
> >
> >Status SUBMITTING means the renewal is not yet
completed. It will not
> >complete until you get Dogtag working.
> >
> >But now the status says CA_UNEACHABLE
> >
> >Request ID '20180412150739':
> >status: CA_UNREACHABLE
> >ca-error: Server at https://ipa1.xxx.xxxx.com/ipa/xml
failed
> request, will
> >retry: -504 (libcurl failed to execute the HTTP POST
transaction,
> >explaining: Peer's Certificate has expired.).
>
> This is exactly an issue with expired HTTP certificate.
> I guess you'd need to roll back time to when the
certificate was valid
> (before 2019-10-25) and restart certmonger.
>
> See discussion in this thread:
>
https://www.redhat.com/archives/freeipa-users/2016-July/msg00270.html
>
> In newer RHEL version (RHEL 7.7) there is a special tool,
ipa-cert-fix,
> that can help with fixing these issues. However, since
you are on the
> version before it, you need to do manual renewal.
>
> >stuck: no
> >key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >ipa1.xxx.xxxx.com <http://ipa1.xxx.xxxx.com>
<http://ipa1.xxx.xxxx.com>,O=CORP.ENDURANCE.COM
<http://CORP.ENDURANCE.COM>
> <http://CORP.ENDURANCE.COM>',token='NSS Certificate
> >DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >ipa1.xxx.xxxx.com <http://ipa1.xxx.xxxx.com>
<http://ipa1.xxx.xxxx.com>,O=CORP.ENDURANCE.COM
<http://CORP.ENDURANCE.COM>
> <http://CORP.ENDURANCE.COM>',token='NSS Certificate DB'
> >CA: IPA
> >issuer: CN=Certificate Authority,O=xxx.xxxx.COM
<http://xxx.xxxx.COM> <http://xxx.xxxx.COM>
> >subject: CN=ipa1.xxxx.xxxxx.com
<http://ipa1.xxxx.xxxxx.com>
> <http://ipa1.xxxx.xxxxx.com>,O=xxx.xxxx.COM
<http://xxx.xxxx.COM> <http://xxx.xxxx.COM>
> >expires: 2019-10-25 20:16:38 UTC
> >principal name: krbtgt/xxx.xxxxx....@xxx.xxxx.com
<mailto:xxx.xxxxx....@xxx.xxxx.com>
> <mailto:xxx.xxxxx....@xxx.xxxx.com
<mailto:xxx.xxxxx....@xxx.xxxx.com>>
> >key usage:
>
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >eku: id-kp-serverAuth,id-pkinit-KPKdc
> >pre-save command:
> >post-save command:
/usr/libexec/ipa/certmonger/restart_httpd
> >track: yes
> >
> >
> >
> >
> >*Issue2:*
> >
> >We are getting this alert while we log in to UI in
httpd error logs
> >
> >
> >#ipa: INFO: 401 Unauthorized: kinit: Preauthentication
failed
> while getting
> >initial credentials
> >
> >and PKINIT was disabled
> >
> >[root@ipa2 httpd]# ipa-pkinit-manage status
> >PKINIT is disabled
> >
> >While I tried to enable this
> >
> >[root@ipa2 httpd]# ipa-pkinit-manage enable
> >Configuring Kerberos KDC (krb5kdc)
> > [1/1]: installing X509 Certificate for PKINIT
> >
> >the process was getting stuck, so I had to terminate it
manually.
> After
> >trying to enable, I'm getting "Login failed due to an
unknown reason."
> >error in web UI when I try to login
> >
> >*Error in httpd:*
> >
> >[Wed Nov 06 10:13:37.465318 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] mod_wsgi (pid=24416):
> Exception occurred processing WSGI
> >script '/usr/share/ipa/wsgi.py'.
> >[Wed Nov 06 10:13:37.465433 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] Traceback (most recent
> call last):
> >[Wed Nov 06 10:13:37.468706 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] File
> "/usr/share/ipa/wsgi.py", line 59, in application
> >[Wed Nov 06 10:13:37.470083 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] return
> api.Backend.wsgi_dispatch(environ,
> >start_response)
> >[Wed Nov 06 10:13:37.470146 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 267, in
> >__call__
> >[Wed Nov 06 10:13:37.473376 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] return
> self.route(environ, start_response)
> >[Wed Nov 06 10:13:37.473437 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 279, in
> >route
> >[Wed Nov 06 10:13:37.473462 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] return app(environ,
> start_response)
> >[Wed Nov 06 10:13:37.473475 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 937, in
> >__call__
> >[Wed Nov 06 10:13:37.476093 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>]
> self.kinit(user_principal, password, ipa_ccache_name)
> >[Wed Nov 06 10:13:37.478843 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 973, in
> >kinit
> >[Wed Nov 06 10:13:37.478864 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>]
> pkinit_anchors=[paths.KDC_CERT,
> >paths.KDC_CA_BUNDLE_PEM],
> >[Wed Nov 06 10:13:37.478878 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line
> 127, in
> >kinit_armor
> >[Wed Nov 06 10:13:37.484351 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] run(args, env=env,
> raiseonerr=True, capture_error=True)
> >[Wed Nov 06 10:13:37.484381 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562,
> in run
> >[Wed Nov 06 10:13:37.487470 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] raise
> CalledProcessError(p.returncode, arg_string,
> >str(output))
> >[Wed Nov 06 10:13:37.488932 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <http://172.27.10.113:0>
<http://172.27.10.113:0>] CalledProcessError:
> Command '/usr/bin/kinit -n -c
> >/var/run/ipa/ccaches/armor_24416 -X
> >X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>
>X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'
returned
> >non-zero exit status 1
> >
> >And when I try to list the certificates using *getcert
list,*
> there is a
> >new cert which was added
> >
> >Request ID '20191106100258':
> >status: CA_UNREACHABLE
> >ca-error: Server at https://ipa2.xxx.xxxxx.com/ipa/xml
failed
> request, will
> >retry: 907 (RPC failed at server. cannot connect to '
> >https://ipa1.xxx.xxxxx.com:443/ca/rest/account/login':
[SSL:
> >CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:618)).
> >stuck: no
> >key pair storage:
type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> >certificate:
type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> >CA: IPA
> >issuer:
> >subject:
> >expires: unknown
> >pre-save command:
> >post-save command:
/usr/libexec/ipa/certmonger/renew_kdc_cert
> >track: yes
> >auto-renew: yes
> >
> >
> >Regards
> >Nikita S
> >
> >When
> >On Wed, Nov 6, 2019 at 6:39 PM Alexander Bokovoy
> <aboko...@redhat.com <mailto:aboko...@redhat.com>
<mailto:aboko...@redhat.com <mailto:aboko...@redhat.com>>>
> >wrote:
> >
> >> On ti, 05 marras 2019, Nikita Deeksha via
FreeIPA-users wrote:
> >> >Hi Team,
> >> >We have 2 IPA servers in Mater-Master setup are we
facing the
> below issue
> >> >on these servers.
> >> >
> >> >Isuue1:
> >> >Our httpd certificate has expired because of which
our IPA1 UI
> wasn't
> >> >working, we are getting “*loging failed due to an
unknown
> reason*” error
> >> >while we log in to the UI
> >> >
> >> >
> >> >1. First, the IPA console was not working as httpd
service was
> stopped,
> >> >httpd was not starting as HTTP certificate is
expired. Added
> >> >*NSSEnforceValidCerts
> >> >off* line in nss.conf to start the service.
> >> >
> >> >2. After the change IPA console was loading we are
not able to
> login to
> >> the
> >> >console as pki-tomcatd service was not running,
> >> >[root@ipa1 ca]# ipactl status
> >> >Directory Service: RUNNING
> >> >krb5kdc Service: RUNNING
> >> >kadmin Service: RUNNING
> >> >httpd Service: RUNNING
> >> >ipa-custodia Service: RUNNING
> >> >ntpd Service: RUNNING
> >> >pki-tomcatd Service: STOPPED
> >> >ipa-otpd Service: RUNNING
> >> >
> >> ># systemctl status pki-tomcatd@pki-tomcat.service -l
> >> >● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server
pki-tomcat
> >> > Loaded: loaded
(/lib/systemd/system/pki-tomcatd@.service;
> enabled;
> >> >vendor preset: disabled)
> >> > Active: active (running) since Tue 2019-11-05
10:16:50 GMT;
> 31min ago
> >> > Process: 97068 ExecStartPre=/usr/bin/pkidaemon
start %i
> (code=exited,
> >> >status=0/SUCCESS)
> >> > Main PID: 97233 (java)
> >> > CGroup:
> >>
>
>/system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
> >> > └─97233
/usr/lib/jvm/jre-1.8.0-openjdk/bin/java
> >> >-DRESTEASY_LIB=/usr/share/java/resteasy-base
> >> >-Djava.library.path=/usr/lib64/nuxwdog-jni -classpath
> >>
> >>
>
>/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> >> >-Dcatalina.base=/var/lib/pki/pki-tomcat
> -Dcatalina.home=/usr/share/tomcat
> >> >-Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> >>
> >>
>
>-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> >>
>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >> >-Djava.security.manager
> >>
>
>-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
> >> >org.apache.catalina.startup.Bootstrap start
> >> >
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: WARNING: Exception
> >> >processing realm
com.netscape.cms.tomcat.ProxyRealm@1896e072
> background
> >> >process
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]:
> >> >javax.ws.rs <http://javax.ws.rs>
<http://javax.ws.rs>.ServiceUnavailableException:
> Subsystem unavailable
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
>
>com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
> >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com
<http://ipa1.xxx.xxxxx.com> <http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >> >java.lang.Thread.run(Thread.java:748)
> >> >
> >> >
> >> >This service wasn’t starting with this error
> >> >
> >> ># less /var/log/pki/pki-tomcat/ca/debug
> >> >31/Oct/2019:13:24:23][localhost-startStop-1]:
> >> >SSLClientCertificateSelectionCB: desired cert found
in list:
> subsystemCert
> >> >cert-pki-ca
> >> >[31/Oct/2019:13:24:23][localhost-startStop-1]:
> >> >SSLClientCertificateSelectionCB: returning:
subsystemCert
> cert-pki-ca
> >> >[31/Oct/2019:13:24:23][localhost-startStop-1]: SSL
handshake
> happened
> >> >Could not connect to LDAP server host
ipa1.xxx.xxxx.com <http://ipa1.xxx.xxxx.com>
> <http://ipa1.xxx.xxxx.com> port 636 Error
> >> >netscape.ldap.LDAPException: Authentication failed (49)
> >>
> >> Authentication failed means the RA agent certificate
dogtag uses to
> >> authenticate to LDAP server is not the same as the
one mentioned
> in the
> >> LDAP entry for RA agent.
> >>
> >> I think there was some procedure to fix it but I
don't have
> links handy.
> >> Also, you did not specify what versions of FreeIPA
you run.
> >>
> >>
> >> >at
> >>
> >>
>
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
> >> > at
> >>
> >>
>
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
> >> > at
> >>
> >>
>
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
> >> > at
>
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
> >> > at
> com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
> >> > at
com.netscape.certsrv.apps.CMS.init(CMS.java:189)
> >> > at
com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
> >> > at
> >>
> >>
>
>com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> >> > at
> javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >> > at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> >> > at
> >>
> >>
>
>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >> > at
> >>
> >>
>
>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >> > at
java.lang.reflect.Method.invoke(Method.java:498)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
> >> > at
> >>
>
>org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
> >> > at
> >>
>
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >> > at
> >>
>
>org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >> > at
> >>
>
>java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> > at
java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >> > at java.lang.Thread.run(Thread.java:748)
> >> >Internal Database Error encountered: Could not
connect to LDAP
> server host
> >> >ipa1.xxx.xxx.com <http://ipa1.xxx.xxx.com>
<http://ipa1.xxx.xxx.com> port 636 Error
> netscape.ldap.LDAPException:
> >> Authentication
> >> >failed (49)
> >> > at
>
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
> >> > at
> com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
> >> > at
com.netscape.certsrv.apps.CMS.init(CMS.java:189)
> >> > at
com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
> >> > at
> >>
> >>
>
>com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> >> > at
> javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >> > at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> >> > at
> >>
> >>
>
>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >> > at
> >>
> >>
>
>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >> > at
java.lang.reflect.Method.invoke(Method.java:498)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
> >> > at
> >>
>
>org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
> >> > at
> >>
>
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >> > at
> >>
>
>org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >> > at
> >>
>
>java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> > at
java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >> > at java.lang.Thread.run(Thread.java:748)
> >> >
> >> ># getcert list
> >> >Request ID '20180412150739':
> >> >status: SUBMITTING
> >> >stuck: no
> >> >key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >> >ipa1.xxxx.xxxxx.com <http://ipa1.xxxx.xxxxx.com>
<http://ipa1.xxxx.xxxxx.com>,O=xxx.xxxx.COM <http://xxx.xxxx.COM>
> <http://xxx.xxxx.COM>',token='NSS Certificate
> >> >DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >> >certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >> >ipa1.xxxx.xxxxx.com <http://ipa1.xxxx.xxxxx.com>
> <http://ipa1.xxxx.xxxxx.com>,O=xxx.xxxxx.COM
<http://xxx.xxxxx.COM>
> <http://xxx.xxxxx.COM>',token='NSS Certificate DB'
> >> >CA: IPA
> >> >issuer: CN=Certificate Authority,O=xxx.xxxxx.COM
<http://xxx.xxxxx.COM>
> <http://xxx.xxxxx.COM>
> >> >subject: CN=ipa1.xxxx.xxxx.com
<http://ipa1.xxxx.xxxx.com>
> <http://ipa1.xxxx.xxxx.com>,O=xxx.xxxxx.COM
<http://xxx.xxxxx.COM> <http://xxx.xxxxx.COM>
> >> >expires: 2019-10-25 20:16:38 UTC
> >> >principal name: krbtgt/xxxx.xxxx....@xxxx.xxxx.com
<mailto:xxxx.xxxx....@xxxx.xxxx.com>
> <mailto:xxxx.xxxx....@xxxx.xxxx.com
<mailto:xxxx.xxxx....@xxxx.xxxx.com>>
> >> >key usage:
> >>
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >> >eku: id-kp-serverAuth,id-pkinit-KPKdc
> >> >pre-save command:
> >> >post-save command:
/usr/libexec/ipa/certmonger/restart_httpd
> >> >track: yes
> >> >auto-renew: yes
> >>
> >> Status SUBMITTING means the renewal is not yet
completed. It
> will not
> >> complete until you get Dogtag working.
> >>
> >> >
> >> >Issue2:
> >> >
> >> >On the IPA2 server, we are unable to login with the
admin user
> credentials
> >> >without OTP, but when an AD user is trying to login
with 2FA (i.e,
> >> >password and OTP) we are getting this error *"The
password you
> entered is
> >> >incorrect."*
> >>
> >> AD users cannot use multifactor authentication
defined in IPA.
> >>
> >>
> >> ># [root@ipa2 log]# ipactl status
> >> >Directory Service: RUNNING
> >> >krb5kdc Service: RUNNING
> >> >kadmin Service: RUNNING
> >> >httpd Service: RUNNING
> >> >ipa-custodia Service: RUNNING
> >> >ntpd Service: RUNNING
> >> >ipa-otpd Service: STOPPED
> >> >ipa: INFO: The ipactl command was successful
> >> >
> >> ># systemctl status ipa-otpd.socket -l
> >> >● ipa-otpd.socket - ipa-otpd socket
> >> > Loaded: loaded
(/usr/lib/systemd/system/ipa-otpd.socket;
> disabled;
> >> >vendor preset: disabled)
> >> > Active: failed (Result: resources) since Tue
2019-11-05
> 08:19:04 GMT;
> >> 1h
> >> >31min ago
> >> > Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
> >> > Accepted: 2; Connected: 0
> >> >
> >> >Nov 05 07:42:53 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> systemd[1]: Listening on ipa-otpd
> >> socket.
> >> >Nov 05 08:19:04 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> systemd[1]: ipa-otpd.socket failed to
> >> >queue service startup job (Maybe the service file is
missing or
> not a
> >> >template unit?): Resource temporarily unavailable
> >> >Nov 05 08:19:04 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> systemd[1]: Unit ipa-otpd.socket
> >> entered
> >> >failed state.
> >> >
> >> ># cat /usr/lib/systemd/system/ipa-otpd.socket
> >> >[Unit]
> >> >Description=ipa-otpd socket
> >> >
> >> >[Socket]
> >> >ListenStream=/var/run/krb5kdc/DEFAULT.socket
> >> >RemoveOnStop=true
> >> >SocketMode=0600
> >> >Accept=true
> >> >
> >> >[Install]
> >> >WantedBy=krb5kdc.service
> >> >
> >> >
> >> >
> >> >We see that data replication is broken between the 2 IPA
> servers, as the
> >> >changes made on IPA2 is not reflecting on IPA1
> >> This is most likely because your LDAP server
certificate expired as
> >> well.
> >>
> >>
> >> >We the below errors as well.
> >> >
> >> >IPA1
> >> >Nov 05 10:09:23 ipa1.xxx.xxxx.com
<http://ipa1.xxx.xxxx.com> <http://ipa1.xxx.xxxx.com>
> krb5kdc[28021](info): TGS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE: authtime
1572948563,
> etypes
> >> >{rep=18 tkt=18 ses=18},
ldap/ipa1.xxxxx.xxxx....@xxxx.xxxxx.com
<mailto:ipa1.xxxxx.xxxx....@xxxx.xxxxx.com>
> <mailto:ipa1.xxxxx.xxxx....@xxxx.xxxxx.com
<mailto:ipa1.xxxxx.xxxx....@xxxx.xxxxx.com>> for ldap/
> >> >ipa2.xxxx.xxxx....@xxxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com>
> <mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com>>
> >> >Nov 05 10:14:24 ipa1.corp.endurance.com
<http://ipa1.corp.endurance.com>
> <http://ipa1.corp.endurance.com> krb5kdc[28021](info):
TGS_REQ (8
> >> >etypes {18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE:
authtime
> 1572948863,
> >> >etypes {rep=18 tkt=18 ses=18},
> ldap/ipa1.xxxx.xxx....@xxxx.xxxx.com
<mailto:ipa1.xxxx.xxx....@xxxx.xxxx.com>
> <mailto:ipa1.xxxx.xxx....@xxxx.xxxx.com
<mailto:ipa1.xxxx.xxx....@xxxx.xxxx.com>> for
> >> >ldap/ipa2.xxxx.xxxx....@xxxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com>
> <mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com>>
> >>
> >> These aren't errors. They are normal operations:
ldap/ipa1
> service (LDAP
> >> server on IPA1) asked for a Kerberos service ticket
to LDAP
> service on
> >> IPA2 and was granted it. This is just as it should be for
> replication.
> >>
> >> >
> >> >IPA2
> >> ># tailf krb5kdc.log
> >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): AS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) y.y.y.y: NEEDED_PREAUTH:
ldap/
> >> >ipa2.xxxx.xxxx....@xxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com>
> <mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com>> for
> krbtgt/xxxx.xxxx....@xxxx.xxxx.com
<mailto:xxxx.xxxx....@xxxx.xxxx.com>
<mailto:xxxx.xxxx....@xxxx.xxxx.com
<mailto:xxxx.xxxx....@xxxx.xxxx.com>>,
> >> >Additional pre-authentication required
> >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): closing down fd
> >> 11
> >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): AS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime
1572947965,
> etypes
> >> >{rep=18 tkt=18 ses=18},
ldap/ipa2.xxxx.xxxx....@xxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com>
> <mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com>> for krbtgt/
> >> >xxx.xxxx....@xxx.xxxx.com
<mailto:xxx.xxxx....@xxx.xxxx.com>
<mailto:xxx.xxxx....@xxx.xxxx.com
<mailto:xxx.xxxx....@xxx.xxxx.com>>
> >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): closing down fd
> >> 11
> >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): TGS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime
1572947965,
> etypes
> >> >{rep=18 tkt=18 ses=18},
ldap/ipa2.xxxx.xxxx....@xxxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com>
> <mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxxx.xxxx.com>> for ldap/
> >> >ipa2.xxxx.xxxx....@xxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com>
> <mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com
<mailto:ipa2.xxxx.xxxx....@xxx.xxxx.com>>
> >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com
<http://ipa2.xxxx.xxxx.com> <http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): closing down fd
> >> 11
> >>
> >> Same here. LDAP server on IPA2 operated against
itself here.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
> _______________________________________________
> FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
<mailto:freeipa-users-le...@lists.fedorahosted.org>
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
