One more question. In this thread (https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/) you mentioned that subsystemCert cert-pki-ca would map to pkidbuser. So the process is that Dogtag uses cert-pki-ca to establish a connection to 389 DS, and 389 DS would use pkidbuser to bind and do LDAP queries and other things? Thanks for your help.

On Thu, Jun 18, 2020 at 4:26 PM luckydog xf <luckydo...@gmail.com> wrote:
> Got it, thanks!
>
> I added the CA certs of Sectigo one by one to /etc/pki/pki-tomcat/alias/, now it works.
>
> Another thing, please confirm whether my statement below is correct or not:
>
> -------
>
> I changed Server-Cert to Sectigo's signed one (NOT self-signed), so when Dogtag tries to connect to 389 DS, it would check the 389 DS certificate (Server-Cert); meanwhile it also needs a CA to verify Server-Cert.
>
> My problem is that when Dogtag checks its NSSDB (/etc/pki/pki-tomcat/alias/), there is no CA of Sectigo available to verify. So it complains:
>
> *Peer's certificate issuer has been marked as not trusted by the user.*
>
> ------
>
> Is my understanding correct or not?
>
> Appreciate your help.
>
> On Thu, Jun 18, 2020 at 3:37 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
>> On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote:
>>> [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
>>>
>>> [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca'
>>>
>>> [root@wocfreeipa ~]# grep internal /etc/pki/pki-tomcat/password.conf
>>> internal=3Tm~ofzwXXXXXXXXXXXX
>>>
>>> [root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL
>>> Please enter pin, password, or pass phrase for security token 'ldap(0)':
>>>
>>> SASL/EXTERNAL authentication started
>>> SASL username: cn=CA Subsystem,o=SAP.WINGON.HK
>>> SASL SSF: 0
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope baseObject
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> #
>>> dn:
>>> objectClass: top
>>> namingContexts: cn=changelog
>>> namingContexts: dc=sap,dc=wingon,dc=hk
>>> namingContexts: o=ipaca
>>> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
>>> ......
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> It seems the connection established by Dogtag to 389 DS is correct. But why did Dogtag complain "Peer's certificate issuer has been marked as not trusted by the user."? Weird.
>>
>> Hi,
>> Dogtag has its own NSSDB and each of the Sectigo CA certs needs to be present there, too:
>> $ certutil -A -d /etc/pki/pki-tomcat/alias -n <nick> -t CT,C,C -a -i cert.pem
>>
>> HTH,
>> flo
>>
>>> On Thu, Jun 18, 2020 at 9:31 AM luckydog xf <luckydo...@gmail.com> wrote:
>>>> The sad thing is that the CA expired on May 30, 2020. My IPA cannot log in.
>>>>
>>>> So I used certutil to remove old CAs. Here are the steps I used. Unfortunately, I didn't try the step you mentioned.
>>>>
>>>> 1. certutil -d /etc/httpd/alias -D -n Server-Cert
>>>>    certutil -d /etc/httpd/alias -D -n <Other CAs of Comodo>
>>>>
>>>> 2. Do the same thing against /etc/dirsrv/slapd-xxx
>>>>
>>>> 3. Add new certs and CAs by:
>>>>
>>>>    cat server.key server.crt > server.all
>>>>    openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"
>>>>    pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
>>>>
>>>> 4. ipactl restart -f -d shows pki-tomcatd cannot start.
>>>>    ---------
>>>>    Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
>>>>
>>>> So what's wrong?
>>>>
>>>> -------------
>>>>
>>>> On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>> On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote:
>>>>>> Hi, as stated in https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>>>>>>
>>>>>> I cannot log in to the FreeIPA web page.
>>>>>>
>>>>>> So I updated the CA by:
>>>>>>
>>>>>> # delete everything except IPA CA of httpd and dirsrv
>>>>>> certutil -d /etc/httpd/alias -D -n 'xxx'
>>>>>>
>>>>>> # ca-bundle.crt is 3 files named USERTrust, etc.
>>>>>> # server.all is a combination of my certificate signed by Sectigo (formerly named Comodo).
>>>>>> openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"
>>>>>>
>>>>>> # add to httpd and dirsrv.
>>>>>> pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
>>>>>>
>>>>>> I restarted all services by ipactl restart. But it seems pki-tomcat fails to start up.
>>>>>>
>>>>>> #### log of ipactl start ####
>>>>>>
>>>>>> Starting pki-tomcatd Service
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: request POST http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus
>>>>>> ipa: DEBUG: request body ''
>>>>>> ipa: DEBUG: response status 500
>>>>>> ipa: DEBUG: response headers Server: Apache-Coyote/1.1
>>>>>> Content-Type: text/html;charset=utf-8
>>>>>> Content-Language: en
>>>>>> Content-Length: 2208
>>>>>> Date: Wed, 17 Jun 2020 09:13:19 GMT
>>>>>> Connection: close
>>>>>>
>>>>>> ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s
>>>>>> ......
>>>>>>
>>>>>> ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with status 500
>>>>>> ipa: DEBUG: Waiting until the CA is running
>>>>>>
>>>>>> #### END of log #####
>>>>>>
>>>>>> Here is the log of pki-tomcat:
>>>>>>
>>>>>> ###
>>>>>> Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
>>>>>> ###
>>>>>>
>>>>>> The point is 'Peer's certificate issuer has been marked as not trusted by the user.' As far as I know pki-tomcat needs a certificate to bind to 389 DS and store information.
>>>>>>
>>>>>> But I didn't touch the CA named 'IPA CA', so basically pki-tomcatd could use its own certificate named 'subsystemCert cert-pki-ca' to bind to 389 DS.
>>>>>>
>>>>>> Please help.
>>>>>
>>>>> Hi,
>>>>>
>>>>> the new CA certs from Sectigo need to be installed with ipa-cacert-manage install (the command uploads the certs in the LDAP database). For more information, please refer to "Installing a CA Certificate Manually" [1].
>>>>> As the chain contains multiple certs, you need to start from the root cert then go down the chain. When all the certs have been added, don't forget to run ipa-certupdate on all the IPA hosts (the command downloads the certs from LDAP and puts them in all the NSSDBs that need them).
>>>>>
>>>>> HTH,
>>>>> flo
>>>>>
>>>>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/manual-cert-install
>>>>>
>>>>>> Thanks a lot.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
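The two fixes discussed in the thread, as one POSIX shell script: install the Sectigo chain root-first with ipa-cacert-manage install and then ipa-certupdate, and afterwards confirm that Dogtag's own NSSDB (/etc/pki/pki-tomcat/alias) lists each CA with the C flag in the SSL column, since a CA that is absent or carries empty trust flags is exactly what produces the -8172 "issuer has been marked as not trusted" error. This is an added example, not code from the thread or from FreeIPA. It assumes the bundle file is ordered root first; the certutil -L listing used in the self-check and the nickname "USERTrust RSA Certification Authority" are constructed samples, and the nicknames you pass to the check must be the ones under which the CAs were imported.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Installs a CA chain
# the way the reply describes (ipa-cacert-manage install, root first, then
# ipa-certupdate) and then checks that Dogtag's NSSDB lists every CA with the
# C (trusted CA for SSL) flag, which is what the -8172 error is about.

# Split a PEM bundle into ca-01.pem, ca-02.pem, ... in bundle order.
# Prints the number of certificates written; text outside the PEM markers
# (e.g. "subject=" lines) is dropped.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# Read `certutil -L` output on stdin and report, for each nickname given as an
# argument, whether it is present and carries C in the SSL column of its trust
# flags. Returns 1 if any nickname is missing or not trusted for SSL.
check_trust_listing() {
    listing=$(cat)
    status=0
    for nick in "$@"; do
        # The trust flags are the last field (e.g. CT,C,C or u,u,u); the
        # nickname is everything before them and may contain spaces.
        flags=$(printf '%s\n' "$listing" | awk -v want="$nick" '
            {
                t = $NF
                if (t !~ /^[CTPpuw]*,[CTPpuw]*,[CTPpuw]*$/) next
                name = substr($0, 1, length($0) - length(t))
                sub(/[ \t]+$/, "", name)
                if (name == want) { print t; exit }
            }')
        if [ -z "$flags" ]; then
            echo "MISSING: $nick"
            status=1
            continue
        fi
        case ${flags%%,*} in
            *C*) echo "OK: $nick ($flags)" ;;
            *)   echo "NOT TRUSTED FOR SSL: $nick ($flags)"; status=1 ;;
        esac
    done
    return $status
}

# Same check against a live NSSDB, e.g. Dogtag's /etc/pki/pki-tomcat/alias.
check_nssdb_trust() {
    dbdir=$1
    shift
    certutil -L -d "$dbdir" | check_trust_listing "$@"
}

# Upload each CA cert of the chain to LDAP (root first, as the bundle is
# assumed to be ordered), then pull them into this host's NSSDBs.
# ipa-certupdate still has to be run on every other IPA host.
install_ca_chain() {
    bundle=$1
    workdir=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$workdir")
    [ "$count" -gt 0 ] || { echo "no certificates found in $bundle" >&2; return 1; }
    for f in "$workdir"/ca-*.pem; do
        echo "installing $(openssl x509 -noout -subject -in "$f")"
        ipa-cacert-manage install "$f" || return 1
    done
    ipa-certupdate
}

case ${1:-} in
    install) install_ca_chain "$2" ;;
    check)   shift; check_nssdb_trust "$@" ;;
esac
```

Usage: `sh ca-chain.sh install ca-bundle.crt` on one IPA server (ipa-cacert-manage install prompts for the Directory Manager password), then `ipa-certupdate` on the remaining hosts, and on each host `sh ca-chain.sh check /etc/pki/pki-tomcat/alias 'USERTrust RSA Certification Authority' ...` with the nicknames of every CA in the chain. If the bundle from the CA vendor ships intermediate-first, reverse it before installing. The direct `certutil -A -t CT,C,C` command from the thread populates only the one NSSDB it is pointed at; going through LDAP and ipa-certupdate is what gets the chain into httpd, dirsrv and Dogtag on every host.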