Hi,

On Mon, Apr 17, 2023 at 5:42 AM Justin Sanderson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> THANKS IN ADVANCE FOR ANY HELP INFO YOU CAN PROVIDE!!
>
> Greatly Appreciate!!
>
> Ok. So after doing a LOT of reading and learning about FreeIPA the past 2 days (yep, I inherited), I was able to fix my problem of pki-tomcatd (DogTag I think it's called) so that it would start.
>
> The pki-tomcatd service wouldn't start due to some cert issues. I was fortunate enough to figure out how to enable BasicAuth for now to get the service to start.. so that's a win.

So it means that PKI was not able to authenticate to the LDAP server using the certificate subsystemCert cert-pki-ca and you switched from certificate-based authentication to simple bind using DN/password.

There are some troubleshooting hints here for this specific issue: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

HTH,
flo

> My SETUP:
>
> I have a single server instance as a VM. There are no replicas.
>
> The FreeIPA configuration is:
>
> 1) No DNS BIND server - using external DNS via AD in /etc/resolv.conf
>
> 2) We ARE running all other services
>
> 3) Self-Signed CA configuration using DogTag I think it's called. There are no external certs being used.
>
> ipactl start has no issues now after I fixed the pki-tomcatd start problem using BasicAuth (workaround)
>
> PROBLEM:
>
> When I run "getcert list" I have 3 that have status CA_UNREACHABLE and ALL of them are related to /etc/pki/pki-tomcat/alias NSSDB.
>
> They are set to expire in a few weeks so I need to figure this out.. needing some help.
>
> The getcert list outputs a total of 9 or 10 certs so I don't think I'm missing anything.. Based off what I was able to find, it's common to have 8-10 certs in the output...?
>
> Below are 2 of 3 certs that are going to expire soon and their CA is in an UNREACHABLE state. They all use the same NSSDB.
>
> **I have no idea where to start looking to fix this problem... which log file... how is it supposed to talk to the NSSDB. It's not a socket...? **
>
> I'm worried that the certs will expire and I won't know how to fix it. Or where to even look. HELP*!*!
>
> I've seen several people posting already about certmonger not successfully tracking/renewing some certs so I'm a bit concerned especially since the CA_UNREACHABLE error.
>
> How do I fix this:
>
> 1) manually generate new certs and wth do I put them?
>
> 2) why is the CA_UNREACHABLE on a NSSDB ..? The files are there and intact. I can view the contents no prob.
>
> ============ getcert list output ============================
>
> Request ID '20190621200128':
>   status: CA_UNREACHABLE
>   ca-error: Internal error
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
>   subject: CN=CA Audit,O=[SANITIZED DNS NAME]
>   expires: 2023-05-04 12:52:47 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
>
> Request ID '20190621200129':
>   status: CA_UNREACHABLE
>   ca-error: Internal error
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
>   subject: CN=OCSP Subsystem,O=[SANITIZED DNS NAME]
>   expires: 2023-05-04 12:53:17 UTC
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
>
> ===================================================================================================================================
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
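The thread turns on reading `getcert list` output and noticing, before expiry, that certmonger is not in its steady MONITORING state for some of the Dogtag certificates. The script below is an added example for this thread (not FreeIPA or certmonger code): it parses the field layout shown in the quoted output and reports every tracked request whose status is not MONITORING or whose certificate expires within a warning window, so the CA_UNREACHABLE condition shows up in monitoring weeks before the expiry date. The sample output is constructed from the two requests quoted above plus one healthy request for contrast; the realm EXAMPLE.TEST is a placeholder.

```python
"""Triage "getcert list" output: flag tracked certificates that certmonger is
not renewing cleanly or that expire soon.

Added example for this mailing-list thread, not FreeIPA or certmonger code.
It assumes the layout shown in the quoted "getcert list" output (a
"Request ID" header followed by indented "key: value" lines) and ships a
constructed sample with a placeholder realm (EXAMPLE.TEST).
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample modelled on the output quoted in the thread: the two
# CA_UNREACHABLE requests plus one healthy (MONITORING) request for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190621200128':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2023-05-04 12:52:47 UTC
    track: yes
    auto-renew: yes
Request ID '20190621200129':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2023-05-04 12:53:17 UTC
    track: yes
    auto-renew: yes
Request ID '20190621200130':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
    expires: 2025-01-15 09:00:00 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC$")
NICK_RE = re.compile(r"nickname='([^']+)'")


def parse_getcert_list(text):
    """Split the output into one dict per tracked request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ": " not in line:
            continue  # summary header and anything before the first request
        key, _, value = line.partition(": ")
        current[key] = value
    for r in requests:
        nick = NICK_RE.search(r.get("certificate", ""))
        r["nickname"] = nick.group(1) if nick else None
        exp = EXPIRES_RE.match(r.get("expires", ""))
        r["expires_at"] = (
            datetime.strptime(exp.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if exp else None
        )
    return requests


def triage(text, now_iso, warn_days=30):
    """Return (request_id, nickname, reasons) for every request needing attention.

    MONITORING is certmonger's steady state; any other status (CA_UNREACHABLE,
    CA_UNCONFIGURED, ...) is reported, so transient states seen while a
    renewal is in flight will show up too. now_iso is "YYYY-MM-DD HH:MM:SS" UTC.
    """
    now = datetime.strptime(now_iso, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    findings = []
    for r in parse_getcert_list(text):
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append(f"status={r.get('status')} ca-error={r.get('ca-error', '-')}")
        if r["expires_at"] is not None:
            days_left = (r["expires_at"] - now).days
            if days_left < warn_days:
                reasons.append(f"expires in {days_left} days")
        if reasons:
            findings.append((r["request_id"], r["nickname"], reasons))
    return findings


if __name__ == "__main__":
    # Pipe real output in ("getcert list | python3 getcert_triage.py"); with no
    # pipe the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    for request_id, nickname, reasons in triage(text, now):
        print(f"{request_id} {nickname}: " + "; ".join(reasons))
```

Run against the sample with a reference date of 2023-04-17, the two Dogtag requests are reported with both reasons (CA_UNREACHABLE / Internal error, and 17 days to expiry) while the healthy subsystem certificate is silent; cron or a monitoring agent can run the same check against the live `getcert list` output so a renewal failure is noticed long before the expiry date rather than when pki-tomcatd stops starting.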