Hi Rob,
Please see below. Notice "Failed to create jss service:
java.lang.SecurityException: Unable to initialize security library".
# getcert list | grep expires
expires: 2018-10-23 09:34:16 UTC
expires: 2018-10-23 09:33:16 UTC
expires: 2018-10-23 09:33:16 UTC
expires: 2018-10-24 09:33:15 UTC
expires: 2018-10-23 09:33:16 UTC
expires: 2019-03-03 19:54:22 UTC
expires: 2019-03-03 19:54:22 UTC
expires: 2019-03-03 19:54:22 UTC
expires: unknown
root bioldap-p1 /var/log/pki-ca
# ps -ef | grep tomcat
pkiuser 18739 1 0 13:02 ? 00:00:04 /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java
-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory
-classpath
:/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons
-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6
-Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/cache/tomcat6/temp
-Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
root 20364 14505 0 13:23 pts/3 00:00:00 grep tomcat
root bioldap-p1 /var/log/pki-ca
#
[31/May/2017:13:02:04][main]: ============================================
[31/May/2017:13:02:04][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[31/May/2017:13:02:04][main]: ============================================
Failed to create jss service: java.lang.SecurityException: Unable to initialize security
library
at com.netscape.cmscore.security.JssSubsystem.init(JssSubsystem.java:272)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:306)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
# getcert list (notice the last one)
Number of certificates and requests being tracked: 9.
Request ID '20141211093329':
status: CA_UNREACHABLE
ca-error: Error 35 connecting to
https://bioldap-p1.DOMAIN.COM:9443/ca/agent/ca/profileReview: SSL connect
error.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin
set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate
Authority,O=DOMAIN.COM
subject: CN=CA
Audit,O=DOMAIN.COM
expires: 2018-10-23 09:34:16 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20141211093330':
status: CA_UNREACHABLE
...
...
Request ID '20161223074657':
status: CA_UNCONFIGURED
ca-error: Unable to determine principal name for signing request.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
Certificate DB'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
# tail -f access
[31/May/2017:12:55:13 -0500] conn=3 op=0 BIND dn="cn=Directory Manager"
method=128 version=2
[31/May/2017:12:55:13 -0500] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0
dn="cn=directory manager"
[31/May/2017:12:55:13 -0500] conn=3 op=1 SRCH base="ou=sessions,ou=Security
Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessi
onEntry)" attrs="cn"
[31/May/2017:12:55:13 -0500] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[31/May/2017:12:55:13 -0500] conn=3 op=2 UNBIND
[31/May/2017:12:55:13 -0500] conn=3 op=2 fd=64 closed - U1
[31/May/2017:12:57:03 -0500] conn=4 fd=64 slot=64 connection from 10.106.178.59 to
10.106.178.56
[31/May/2017:12:57:03 -0500] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
[31/May/2017:12:57:03 -0500] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/May/2017:12:57:03 -0500] conn=4 op=-1 fd=64 closed - SSL peer cannot verify your
certificate.
# tail -f errors
[31/May/2017:12:48:42 -0500] - slapd started. Listening on All Interfaces port 7389 for
LDAP requests
[31/May/2017:12:48:42 -0500] - Listening on All Interfaces port 7390 for LDAPS requests
[31/May/2017:12:48:42 -0500] slapi_ldap_bind - Error: could not send startTLS request:
error -11 (Connect error) errno 0
[31/May/2017:12:48:42 -0500] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-biogendb-p2.wgap.ibm.com-pki-ca" (biogend
ion bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8054:You are
attempting to import a cert wi
erial as an existing cert, but that is not the same cert.)
[31/May/2017:12:48:45 -0500] slapi_ldap_bind - Error: could not send startTLS request:
error -11 (Connect error) errno 0
[31/May/2017:12:48:51 -0500] slapi_ldap_bind - Error: could not send startTLS request:
error -11 (Connect error) errno 0
[31/May/2017:12:49:03 -0500] slapi_ldap_bind - Error: could not send startTLS request:
error -11 (Connect error) errno 0
[31/May/2017:12:49:27 -0500] slapi_ldap_bind - Error: could not send startTLS request:
error -11 (Connect error) errno 0
[31/May/2017:12:50:15 -0500] slapi_ldap_bind - Error: could not send startTLS request:
error -11 (Connect error) errno 0
[31/May/2017:12:51:51 -0500] slapi_ldap_bind - Error: could not send startTLS request:
error -11 (Connect error) errno 0
^C
From: Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Vinny Del Signore <vdel(a)us.ibm.com>, Rob Crittenden
<rcritten(a)redhat.com>
Date: 05/31/2017 01:07 PM
Subject: [Freeipa-users] Re: cannot connect ...Encountered end of file.
Vinny Del Signore via FreeIPA-users wrote:
Hello all,
Has anyone seen this issue? We've tried to generate a new CA and SSL
Cert.
*IPA v.3.0.0-50 *
# *rpm -qa | grep ipa-server*
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
#*ipa-replica-prepare --ip-address=10.10.xx.xx rtlvxl0055.test.local*
Directory Manager (existing master) password:
Preparing replica for rtlvxl0055.test.local from
ldap-srv.domain.com
Creating SSL certificate for the Directory Server
*preparation of replica failed: cannot connect to
'https://ldap-srv.domain..com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.*
*cannot connect to
'https://ldap-srv.domain..com:xxxx/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.*
File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
#
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
# uname -r
2.6.32-642.3.1.el6.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
#
See if your CA is up: look for a running tomcat process, ensure that the
certs aren't expired (getcert list | grep expires), and check the debug log
in /var/log/pki/<something>/debug.
rob