THANKS IN ADVANCE FOR ANY HELP/INFO YOU CAN PROVIDE!!
Greatly appreciated!!
Ok. So after doing a LOT of reading and learning about FreeIPA the past
2 days (yep, I inherited it), I was able to fix my problem of pki-tomcatd
(Dogtag, I think it's called) so that it would start.
The pki-tomcatd service wouldn't start due to some cert issues. I was
fortunate enough to figure out how to enable BasicAuth for now to get
the service to start... so that's a win.
My SETUP:
I have a single server instance as a VM. There are no replicas.
The FreeIPA configuration is:
1) No DNS BIND server - using external DNS via AD in /etc/resolv.conf
2) We ARE running all other services
3) Self-signed CA configuration using Dogtag, I think it's called. There
are no external certs being used.
ipactl start has no issues now after I fixed the pki-tomcatd start
problem using BasicAuth (workaround).
PROBLEM :
When I run "getcert list" I have 3 that have status CA_UNREACHABLE and
ALL of them are related to the /etc/pki/pki-tomcat/alias NSSDB.
They are set to expire in a few weeks, so I need to figure this out...
needing some help.
The getcert list outputs a total of 9 or 10 certs, so I don't think I'm
missing anything... Based on what I was able to find, it's common to
have 8-10 certs in the output...?
Below are 2 of the 3 certs that are going to expire soon and whose CA is in
an UNREACHABLE state. They all use the same NSSDB.
**I have no idea where to start looking to fix this problem... which log
file... how is it supposed to talk to the NSSDB? It's not a socket...?**
I'm worried that the certs will expire and I won't know how to fix it,
or where to even look. HELP!!!
I've seen several people posting already about certmonger not
successfully tracking/renewing some certs, so I'm a bit concerned,
especially because of the CA_UNREACHABLE error.
How do I fix this:
1) Manually generate new certs? And where do I put them?
2) Why is the CA_UNREACHABLE on an NSSDB...? The files are there and
intact. I can view the contents, no problem.
============ getcert list output ============================
Request ID '20190621200128':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
subject: CN=CA Audit,O=[SANITIZED DNS NAME]
expires: 2023-05-04 12:52:47 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190621200129':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
subject: CN=OCSP Subsystem,O=[SANITIZED DNS NAME]
expires: 2023-05-04 12:53:17 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
===================================================================================================================================
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
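As an added example (not part of the original post, and not FreeIPA's own tooling), a small Python script that parses `getcert list` output in the shape shown above and flags tracked certificates that certmonger is not renewing (any status other than MONITORING) or that expire within 30 days; the embedded sample output is constructed, with the first entry modelled on the post's auditSigningCert listing and the second entry invented as a healthy cert for contrast.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list`; subjects and dates are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20190621200128':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2023-05-04 12:52:47 UTC
Request ID '20190621200140':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2024-12-01 00:00:00 UTC
"""

def parse_getcert(text):
    """One dict of fields per 'Request ID' block of `getcert list` output."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            records.append(cur := {"id": m.group(1)})
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on the first colon only
            cur[key.strip()] = val.strip()
    return records

def needs_attention(records, now, days=30):
    """Return (id, nickname-or-location, reasons) for unhealthy or soon-expiring certs."""
    out = []
    for r in records:
        exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z")
        left = (exp.replace(tzinfo=timezone.utc) - now).days
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append(f"status {r.get('status')}: {r.get('ca-error', '-')}")
        if left <= days:
            reasons.append(f"expires in {left} days")
        if reasons:
            cert = r.get("certificate", "")
            m = re.search(r"nickname='([^']+)'", cert) or re.search(r"location='([^']+)'", cert)
            out.append((r["id"], m.group(1) if m else "?", reasons))
    return out

if __name__ == "__main__":
    print(*needs_attention(parse_getcert(SAMPLE), datetime.now(timezone.utc)), sep="\n")
```

On a real server, feed it `getcert list` output (e.g. `getcert list | python3 this_script.py` after swapping SAMPLE for `sys.stdin.read()`) and run it from cron so an unreachable CA shows up long before the expiry date does.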