sipazzo wrote:
I have seen many threads on this so sorry to bring it up again, but I
have a freeipa domain with 4 ipa servers running on redhat 6, version
3.0.0-50. The certificates are expired/expiring and will not renew, and
it is causing many issues for us. I have tried the many suggestions I
have seen in the archives, such as changing the time to prior to
expiration and attempting renewal by resubmitting the requests, but they
never renew. An example of getcert list from the first server that expired:

Number of certificates and requests being tracked: 8.

[snip]

The localhost log in /var/log/pki-ca has errors like:
tail localhost.2016-07-29.log
Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
java.io.IOException: CS server is not ready to serve.
     at
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.

Debug log in /var/log/pki-cacd
  tail debug
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
store initialized before.
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
store initialized.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
query sessionIds: java.io.IOException: Failed to connect to the internal
database.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
getSessionIds: Error in disconnecting from database:
java.lang.NullPointerException
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
store initialized before.
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
store initialized.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
query sessionIds: java.io.IOException: Failed to connect to the internal
database.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
getSessionIds: Error in disconnecting from database:
java.lang.NullPointerException


Performing most IPA commands results in errors such as ipa: ERROR: cert
validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)

Not sure if it is related but we lost our first IPA server some time ago
and had to promote another to the CA master. Also, due to someone
leaving the company at the beginning of the year we had to change the
directory manager password. I followed all the directions to do so but
it does not seem like it was a completely smooth transaction.

It is related. Your CA can't connect to its database. You must have missed a step when updating the DM password.

As a goof I just tried it on my RHEL 6 install and it seems to work; this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password

edit both /etc/dirsrv/slapd-REALM/dse.ldif and /etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw

# service dirsrv start

Check both of the new passwords:

# ldapsearch -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"
# ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"

Update internaldb value in /etc/pki-ca/password.conf with the new password.

Update and test the admin user password:

# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA

# service pki-cad restart

Note that things _still_ aren't going to work so hot with all the expired certs but if you go back in time you will at least have a chance of renewing things.

rob
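The steps in Rob's reply, written up as a script so that the Directory Manager password is changed in the same three places (both dse.ldif files and the CA's password.conf) and the new bind is verified before the CA is restarted. This is an added example, not Rob's own commands or anything shipped by FreeIPA; the paths are the RHEL 6 / IPA 3.0 ones from the reply, the instance name EXAMPLE-COM and the sample file contents are placeholders, and the interactive ldappasswd step for uid=admin,ou=people,o=ipaca from the reply is left to be run by hand afterwards. Editing one file and forgetting another is exactly how the CA ends up with "error result (49)" against its own database, which is what the script guards against.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the Directory Manager (DM)
# password in every place Rob's reply lists, verifying the new bind before
# the CA is touched. Paths are RHEL 6 / IPA 3.0; EXAMPLE-COM is a placeholder.
set -eu

# get_value FILE PREFIX: print what follows the first line starting with PREFIX.
get_value() {
    sed -n "s|^$2||p" "$1" | head -n 1
}

# set_rootpw DSE_LDIF HASH: replace nsslapd-rootpw in a dse.ldif with HASH,
# which must be a {SCHEME}... value as produced by /usr/bin/pwdhash. A
# clear-text value would be stored verbatim, so it is refused.
set_rootpw() {
    dse="$1"; hash="$2"
    case "$hash" in
        "{"*"}"*) ;;
        *) echo "set_rootpw: refusing non-hashed value for $dse" >&2; return 1 ;;
    esac
    grep -q '^nsslapd-rootpw: ' "$dse" || {
        echo "set_rootpw: no nsslapd-rootpw attribute in $dse" >&2; return 1; }
    cp -p "$dse" "$dse.bak"          # keep the original for rollback
    cp -p "$dse" "$dse.tmp"          # copy first so owner/mode are preserved
    # '|' as delimiter: base64 hashes contain '/' and '+' but never '|' or '&'.
    sed "s|^nsslapd-rootpw: .*|nsslapd-rootpw: $hash|" "$dse" > "$dse.tmp"
    mv "$dse.tmp" "$dse"
}

# set_internaldb PASSWORD_CONF PLAINTEXT: replace the internaldb= line of
# /etc/pki-ca/password.conf. The password goes through the environment so
# sed/awk metacharacters in it are never interpreted.
set_internaldb() {
    conf="$1"
    grep -q '^internaldb=' "$conf" || {
        echo "set_internaldb: no internaldb= line in $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    cp -p "$conf" "$conf.tmp"
    PW="$2" awk '/^internaldb=/ { print "internaldb=" ENVIRON["PW"]; next } { print }' \
        "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# check_bind PORT PWFILE: simple bind as DM against the instance on PORT
# (389 = REALM instance, 7389 = PKI-IPA instance). -y keeps the password
# out of the process list.
check_bind() {
    ldapsearch -h localhost -p "$1" -x -D "cn=directory manager" -y "$2" \
        -s base -b "" "objectclass=*" > /dev/null
}

# rotate_dm_password INSTANCE PWFILE: the whole procedure from the reply.
# PWFILE holds the new password (mode 0600, no trailing newline).
rotate_dm_password() {
    inst="$1"; pwfile="$2"
    newpw=$(cat "$pwfile")
    hash=$(/usr/bin/pwdhash "$newpw")
    service dirsrv stop
    set_rootpw "/etc/dirsrv/slapd-$inst/dse.ldif" "$hash"
    set_rootpw /etc/dirsrv/slapd-PKI-IPA/dse.ldif "$hash"
    service dirsrv start
    # Both instances must accept the new DM password before the CA is pointed at it.
    check_bind 389 "$pwfile"
    check_bind 7389 "$pwfile"
    set_internaldb /etc/pki-ca/password.conf "$newpw"
    service pki-cad restart
}

case "${1:-}" in
    rotate) rotate_dm_password "$2" "$3" ;;
esac
```

Run it as root with `sh dm-rotate.sh rotate EXAMPLE-COM /root/new-dm-pw` (the second argument is the slapd instance name, i.e. the realm with dots replaced by dashes; the third is a 0600 file containing only the new password). Because each file is copied to a `.bak` and the bind checks run before password.conf is changed, a typo leaves you with dirsrv up, the CA still on the old value, and the backups to restore from; once this is through, run the ldappasswd step from Rob's reply for the CA admin user.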

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
