Hello, we hit similar issue (although due to different conditions - we rotated root CA cert and then newly issued certificates were wrongly signed), we were also unable to start tomcat. If I remember correctly, we switched dogtag to use simple binds instead of TLS to connect to LDAP this way.
1. systemctl stop pki-tomcatd@pki-tomcat.service 2. backup /etc/pki/pki-tomcat/ca/CS.cfg and /etc/pki/pki-tomcat/password.conf 3. add directory manager password into password.conf file, it should be line like internaldb=my_directory_manager_password 4. tune CS.cfg a little, take this diff as an example +internaldb.ldapauth.authtype=BasicAuth +internaldb.ldapauth.bindDN=cn=Directory Manager +internaldb.ldapauth.bindPWPrompt=internaldb -internaldb.ldapauth.authtype=SslClientAuth -internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca internaldb.ldapconn.cloneReplicationPort=389 internaldb.ldapconn.masterReplicationPort=7389 +internaldb.ldapconn.port=389 -internaldb.ldapconn.port=636 internaldb.ldapconn.replicationSecurity=TLS +internaldb.ldapconn.secureConn=false -internaldb.ldapconn.secureConn=true 5. systemctl start pki-tomcatd@pki-tomcat.service Now tomcat should run correctly and you should be able to resubmit expired certs and you can start to experiment with switch dogtag back to TLS auth. Hope this helps you. Regards, Adam On Tue, Jan 10, 2017 at 07:27:04PM +0000, Bob Hinton wrote: > Hi, > > The pki-tomcatd services on our IPA servers seem to have stopped working. > > This seems to be related to the expiry of several certificates - > > [root@ipa001 ~]# getcert list | more > Number of certificates and requests being tracked: 8. > Request ID '20161230150048': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=LOCAL.COM > subject: CN=CA Audit,O=LOCAL.COM > expires: 2017-01-09 08:21:45 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161230150049': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=LOCAL.COM > subject: CN=OCSP Subsystem,O=LOCAL.COM > expires: 2017-01-09 08:21:45 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > eku: id-kp-OCSPSigning > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > > These were originally in CA_WORKING state, but I moved the clock back > and restarted certmonger to try to renew them. > > > /var/log/pki/pki-tomcat/ca/debug contains > > [10/Jan/2017:18:35:37][localhost-startStop-1]: makeConnection: > errorIfDown true > [10/Jan/2017:18:35:37][localhost-startStop-1]: > SSLClientCertificateSelectionCB: Setting desired cert nickname to: > subsystemCert cert-pki-ca > [10/Jan/2017:18:35:37][localhost-startStop-1]: LdapJssSSLSocket: set > client auth cert nickname subsystemCert cert-pki-ca > [10/Jan/2017:18:35:37][localhost-startStop-1]: > SSLClientCertificatSelectionCB: Entering! > [10/Jan/2017:18:35:37][localhost-startStop-1]: Candidate cert: > caSigningCert cert-pki-ca > [10/Jan/2017:18:35:37][localhost-startStop-1]: Candidate cert: > Server-Cert cert-pki-ca > [10/Jan/2017:18:35:37][localhost-startStop-1]: > SSLClientCertificateSelectionCB: returning: null > [10/Jan/2017:18:35:37][localhost-startStop-1]: SSL handshake happened > Could not connect to LDAP server host ipa001.mgmt.local.com port 636 > Error netscape.ldap.LDAPException: Authentication failed (48) > at > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) > at > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) > at > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) > at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > at > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) > at > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) > at > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) > at > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) > at > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) > at > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > at > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > at > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > at java.security.AccessController.doPrivileged(Native Method) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) > at > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) > at > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Internal Database Error encountered: Could not connect to LDAP server > host ipa001.mgmt.local.com port 636 Error netscape.ldap.LDAPException: > Authentication failed (48) > at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) > > The only connection attempt I can find relating to err=48 in the slapd > access log is - > > > [10/Jan/2017:18:21:08.884446519 +0000] conn=59668 fd=83 slot=83 SSL > connection from 10.220.6.250 to 10.220.6.250 > [10/Jan/2017:18:21:08.898844561 +0000] conn=59668 TLS1.2 256-bit AES > [10/Jan/2017:18:21:08.917314723 +0000] conn=59668 op=0 BIND dn="" > method=sasl version=3 mech=EXTERNAL > [10/Jan/2017:18:21:08.919725280 +0000] conn=59668 op=0 RESULT err=48 > tag=97 nentries=0 etime=0 > [10/Jan/2017:18:21:09.590236408 +0000] conn=59637 op=88 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > > We recent upgraded ipa from 4.2 to 4.4 and I wonder if that broke something. > > ipa --version > VERSION: 4.4.0, API_VERSION: 2.213 > > The /etc/ca.crt cert was originally created on an ipa 3.3 server that no > longer exists, I don't know if that's relevant. > > Anyway, I'm stumped on how to fix this so could anyone please help. > > Many thanks > > Bob > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Adam Tkac -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
