[Freeipa-users] Re: pki-tomcatd not starting

Omar via FreeIPA-users Tue, 12 Mar 2024 12:28:20 -0700

Hey Rob,

Have you seen this before?:
ipa-server-certinstall -p <password> -d --cert-name=ldap
./ldap.app.uaap.maxar.com.crt
Enter private key unlock password:


*No server certificates found in ./ldap.app.uaap.maxar.com.crt*
The ipa-server-certinstall command failed.

On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Omar wrote:
> > roger that.  I thought about doing the:
> > ipa-cacert-manager, but that would be wrong, correct?
>
> Correct, assuming your updated cert is from the same CA.
>
> >
> > if I do the ipa-server-certinstall, do I need to specify either -d / -w
> > / or -k?  Thanks,
>
> You want -d (directory server)
>
> rob
>
> >
> > On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>> wrote:
> >
> >     Omar via FreeIPA-users wrote:
> >     > okay, so I think you found the issue:
> >     >
> >     > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> >     > 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> >     > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> >     > Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> >     >             Not Before: Fri Jan 06 19:36:22 2023
> >     >             Not After : Sat Jan 06 19:36:22 2024
> >     >
> >     > Where's the actual location of the server certificate?  Thanks,
> >
> >     It is stored in the NSS database at
> /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
> >
> >     You should be able to use ipa-server-certinstall to add a renewed
> >     certificate in a similar way that this one was added.
> >
> >     rob
> >
> >     >
> >     >
> >     > On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud
> >     <f...@redhat.com <mailto:f...@redhat.com>
> >     > <mailto:f...@redhat.com <mailto:f...@redhat.com>>> wrote:
> >     >
> >     >     Hi,
> >     >
> >     >     On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
> >     >     <freeipa-users@lists.fedorahosted.org
> >     <mailto:freeipa-users@lists.fedorahosted.org>
> >     >     <mailto:freeipa-users@lists.fedorahosted.org
> >     <mailto:freeipa-users@lists.fedorahosted.org>>> wrote:
> >     >
> >     >         [root @ ldap01]
> >     >         $ openssl x509 -noout -text -in
> /var/lib/ipa/certs/httpd.crt |
> >     >         grep Not
> >     >                     Not Before: Jan 12 15:30:18 2024 GMT
> >     >                     Not After : Jan 11 15:30:18 2025 GMT
> >     >
> >     >     So httpd server cert is still valid.
> >     >
> >     >
> >     >         also, am I looking at the correct one here?:
> >     >         [root @ ldap01]
> >     >         $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
> >     >
> >     >         Certificate Nickname
> >     >          Trust Attributes
> >     >
> >     >          SSL,S/MIME,JAR/XPI
> >     >
> >     >         APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> >     <http://APP.UAAP.MAXAR.COM> IPA CA
> >     >                                 CT,C,C
> >     >
> >     >     ^^ this one is IPA CA, not the server certificate for LDAP.
> >     >
> >     >         CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> >       C,,
> >     >         CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> >       C,,
> >     >         CN=Maxar Policy CA East,DC=Maxar,DC=com
> >       C,,
> >     >         CN=Maxar Policy CA West,DC=Maxar,DC=com
> >       C,,
> >     >         CN=Maxar Root CA,CN=Maxar,CN=com
> >        C,,
> >     >         CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com
> >
> >     >         <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar
> Technologies
> >     >         Inc,L=Herndon,ST=Virginia,C=US u,u,u
> >     >
> >     >         [root @ ldap01]
> >     >         $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> >     >         'APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> >     <http://APP.UAAP.MAXAR.COM> IPA CA' | grep Not
> >     >                     Not Before: Thu Feb 02 14:06:44 2023
> >     >                     Not After : Mon Feb 02 14:06:44 2043
> >     >
> >     >     Based on the nicknames, I would check
> >     'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> >     >     <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> >     >     Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
> >     name in
> >     >     /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored
> >     in the
> >     >     entry cn=RSA,cn=encryption,cn=configin the attribute
> >     >     nsSSLPersonalitySSL.
> >     >     For instance in my server I have:
> >     >
> >     >     dn: cn=RSA,cn=encryption,cn=config
> >     >     cn: RSA
> >     >     modifiersName: cn=Directory Manager
> >     >     modifyTimestamp: 20220121155703Z
> >     >     nsSSLActivation: on
> >     >     *nsSSLPersonalitySSL: Server-Cert*
> >     >     nsSSLToken: internal (software)
> >     >     objectClass: top
> >     >     objectClass: nsEncryptionModule
> >     >
> >     >     HTH,
> >     >     flo
> >     >
> >     >
> >     >         --
> >     >         _______________________________________________
> >     >         FreeIPA-users mailing list --
> >     >         freeipa-users@lists.fedorahosted.org
> >     <mailto:freeipa-users@lists.fedorahosted.org>
> >     >         <mailto:freeipa-users@lists.fedorahosted.org
> >     <mailto:freeipa-users@lists.fedorahosted.org>>
> >     >         To unsubscribe send an email to
> >     >         freeipa-users-le...@lists.fedorahosted.org
> >     <mailto:freeipa-users-le...@lists.fedorahosted.org>
> >     >         <mailto:freeipa-users-le...@lists.fedorahosted.org
> >     <mailto:freeipa-users-le...@lists.fedorahosted.org>>
> >     >         Fedora Code of Conduct:
> >     >
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >     >         List Guidelines:
> >     >         https://fedoraproject.org/wiki/Mailing_list_guidelines
> >     >         List Archives:
> >     >
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >     >         Do not reply to spam, report it:
> >     >         https://pagure.io/fedora-infrastructure/new_issue
> >     >
> >     >
> >     > --
> >     > _______________________________________________
> >     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >     <mailto:freeipa-users@lists.fedorahosted.org>
> >     > To unsubscribe send an email to
> >     freeipa-users-le...@lists.fedorahosted.org
> >     <mailto:freeipa-users-le...@lists.fedorahosted.org>
> >     > Fedora Code of Conduct:
> >     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >     > List Guidelines:
> >     https://fedoraproject.org/wiki/Mailing_list_guidelines
> >     > List Archives:
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >     > Do not reply to spam, report it:
> >     https://pagure.io/fedora-infrastructure/new_issue
> >     >
> >
>
>

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: pki-tomcatd not starting

Reply via email to