On Wed, Jun 27, 2018 at 06:22:31PM -0700, Thomas Letherby via FreeIPA-users wrote:
Hello Florence,
It was the Signing-Cert and the
I.domain.NET IPA CA cert. By setting the
clock back I managed to get those to renew, now it seems I just need to get
tomcat-pki to start.
The error is:
Internal Database Error encountered: Could not connect to LDAP server host
xipa1.i.xrs444.net port 636 Error netscape.ldap.LDAPException: Unable to
create socket: org.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195)
Peer does not recognize and trust the CA that issued your certificate. (-1)
certutil -d /etc/pki/pki-tomcat/alias -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
O=domain,ST=Arizona,C=US                                     CT,C,C
auditSigningCert cert-pki-ca                                 u,u,Pu
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
These are all set to expire in 2020 or beyond.
certutil -d /etc/httpd/alias -L Server-Cert
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
O=xrs444,ST=Arizona,C=US                                     CT,C,C
I.XRS444.NET IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
I.XRS444.NET IPA CA and Signing-Cert are the expired certs here.
Thomas
Hi Thomas,
It looks like Directory Server is not accepting the subsystemCert,
which Dogtag uses to authenticate to the DS.
What is the output of `certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -L` ?
Please also check that the 'userCertificate' attribute of
'uid=pkidbuser,ou=people,o=ipaca' is an exact match for the
subsystemCert in the /etc/pki/pki-tomcat/alias NSSDB.
Thanks,
Fraser
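An added example (not part of this thread, and not FreeIPA or Dogtag code) for the comparison Fraser asks for above: export the subsystemCert from the pki-tomcat NSSDB as PEM and the pkidbuser entry as LDIF, then check that the DER bytes are identical instead of eyeballing base64. The certutil and ldapsearch commands in the docstring are the standard ones; the ldapi socket path, the nickname and the LDIF file names are assumptions to adapt to your server. The certificate bytes in the sample data are constructed placeholders (not a real certificate) so the script runs offline; point it at your own exports to do the real check.

```python
"""Check that the subsystemCert in the pki-tomcat NSSDB is byte-for-byte the
certificate stored on uid=pkidbuser,ou=people,o=ipaca in Directory Server.

Gather the two inputs on the IPA CA (paths, nickname and file names are
assumptions; adjust to your deployment):

  certutil -d /etc/pki/pki-tomcat/alias -L -n "subsystemCert cert-pki-ca" -a > subsys.pem
  ldapsearch -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-YOUR-DOMAIN.socket \
      -b uid=pkidbuser,ou=people,o=ipaca userCertificate > pkidbuser.ldif

Then: compare(open("subsys.pem").read(), open("pkidbuser.ldif").read())
"""
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first certificate in a PEM blob (what certutil -L -a prints)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def unfold_ldif(ldif: str) -> list[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_certificates(ldif: str, attr: str = "userCertificate") -> list[bytes]:
    """Every value of `attr` in ldapsearch LDIF output. Binary values are
    base64-encoded and marked with '::'; the attribute may carry ';binary'."""
    ders = []
    for line in unfold_ldif(ldif):
        name, sep, value = line.partition("::")
        if not sep or name.split(";")[0].lower() != attr.lower():
            continue
        ders.append(base64.b64decode(value.strip()))
    return ders


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most tools print."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def compare(nssdb_pem: str, ldap_ldif: str) -> dict:
    """Report whether the NSSDB certificate is among the LDAP userCertificate values."""
    nss_der = pem_to_der(nssdb_pem)
    ldap_ders = ldif_certificates(ldap_ldif)
    return {
        "nssdb": fingerprint(nss_der),
        "ldap": [fingerprint(d) for d in ldap_ders],
        "match": nss_der in ldap_ders,
    }


# ---- constructed sample data (stand-ins for real DER; not certificates) ----
SAMPLE_DER = hashlib.sha256(b"constructed sample, not a real cert").digest() * 4
STALE_DER = hashlib.sha256(b"an older certificate left behind in LDAP").digest() * 4


def to_pem(der: bytes) -> str:
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def to_ldif(der: bytes) -> str:
    """Mimic ldapsearch -LLL: '::' base64 value folded at 76 chars with space-prefixed continuations."""
    line = "userCertificate:: " + base64.b64encode(der).decode()
    folded = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return "dn: uid=pkidbuser,ou=people,o=ipaca\n" + "\n".join(folded) + "\n"


SAMPLE_PEM = to_pem(SAMPLE_DER)
SAMPLE_LDIF = to_ldif(SAMPLE_DER)   # LDAP holds the same cert as the NSSDB
STALE_LDIF = to_ldif(STALE_DER)     # LDAP still holds a pre-renewal cert

if __name__ == "__main__":
    for label, ldif in (("current", SAMPLE_LDIF), ("stale", STALE_LDIF)):
        r = compare(SAMPLE_PEM, ldif)
        print(label, "match" if r["match"] else "MISMATCH", r["nssdb"], r["ldap"])
```

A mismatch here is exactly the situation the handshake error above describes: Dogtag presents the renewed subsystemCert, but the DS entry it maps the client certificate to still carries the old one, so the bind is refused.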
On Wed, Jun 27, 2018 at 12:20 AM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
> On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote:
> > After some fiddling with dates some more I seem to have the HTTPD cert
> > in sync, however it appears the cert signing cert is expired.
> >
> > named also says it's starting, but doesn't seem to want to respond.
> >
> > I don't have time to dig into it more tonight, but let me know what
> > other information or tests I can run and I'll get them posted tomorrow.
> >
> > Thanks all.
> >
> > Thomas
> >
> > On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby <xrs444(a)xrs444.net
> > <mailto:xrs444@xrs444.net>> wrote:
> >
> > Hello,
> >
> > I think this is everything (domain name changed to protect the
> > guilty!):
> >
> > https://pastebin.com/bF1KR7VJ
> >
> Hi Thomas,
>
> in the provided pastebin, the error 'certutil: function failed:
> SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
> unsupported format' can be easily explained: there is a typo in the
> directory path.
> You can try with certutil -d /etc/pki/pki-tomcat/alias -L -n <nickname>
> (note the pki-tomcat instead of pki-tomcat*d*).
>
> You mention that the cert signing cert is expired, can you clarify which
> certificate this is? Please provide the subject name, certificate
> nickname and location.
>
> Flo
> > I pulled the same on the replica, which appears to be playing up too
> > in a similar fashion.
> >
> > I did just notice the date on the replica is out, I never set it
> > back when I was trying to get the cert to renew.
> >
> > Let me know if you need anything else.
> >
> > Thanks,
> >
> > Thomas
> >
> > On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale <ftweedal(a)redhat.com
> > <mailto:ftweedal@redhat.com>> wrote:
> >
> > On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via
> > FreeIPA-users wrote:
> > > Hello all,
> > > I had an issue a short while ago with a replica which turned
> > out to be an
> > > expired certificate which I renewed and all seemed good.
> > >
> > > Seemed...
> > >
> > > It now appears that although the certificate renewed as seen by getcert
> > > -list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki
> > > services won't start unless I set the date to before the certificate
> > > expired, and even then sometimes the httpd error_log shows:
> > > Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
> > > to nss.conf so the server can start until the problem can be resolved.
> > > and the service fails to start.
> > >
> > Hi Thomas,
> >
> > Can you please show `getcert list` output on the server in question,
> > as well as the output of
> >
> > certutil -d /etc/httpd/alias -L Server-Cert
> >
> > and
> >
> > certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
> >
> > for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
> >
> > And Certmonger journal output. And pki debug log
> > /var/log/pki/pki-tomcat/ca/debug.
> >
> > It is strange that `getcert list' shows an up to date certificate
> > while the actual certificate that is being tracked is expired...
> >
> > Thanks,
> > Fraser
> >
> > > I've tried resubmitting the certificate, and it doesn't seem to throw an
> > > error, but it doesn't update /alias either.
> > > Trying to access the server via the web page shows the old certificate
> > > still in use.
> > > I see the same certificate error with the replica server, which was freshly
> > > rebuilt and added last week.
> > > I've doubtless dug further into the hole trying to troubleshoot this, so I
> > > probably need to start from the beginning again, and a pointer in the right
> > > direction would be a great help!
> > >
> > > A getcert list shows all the certificates' expiry dates well into the future.
> > >
> > > How can I get the certs back in sync? I've found a few guides and most seem
> > > to be for earlier versions, and I'm not sure if they're still current.
> > >
> > > I can post whatever logs you think will help, I'm afraid I'm not familiar
> > > enough with them all to tell which are the most relevant. Is there a guide
> > > for the logs?
> > >
> > > Thanks for any help you can give,
> > >
> > > Thomas
> >
> > > _______________________________________________
> > > FreeIPA-users mailing list --
> > freeipa-users(a)lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > Fedora Code of Conduct:
> >
https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
> >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> >
>
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...