Hi all,
I'll try my using the link provided. However: what is causing
"CA_UNREACHABLE"?
Request ID '20170129002017':
status: CA_UNREACHABLE
ca-error: Server at
https://ipa.blabla.bla/ipa/xml failed request,
will retry: 4035 (RPC failed at server. Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
stuck: no
Hi Winfried,
certmonger is using the CA 'IPA' for the Server-Cert used by httpd and
ldap. This CA helper is communicating with FreeIPA server, and FreeIPA
in turn communicates with Dogtag.
You will probably find more information in FreeIPA server logs (in
/var/log/httpd/error_log) and in Dogtag logs
(/var/log/pki/pki-tomcat/ca/debug).
Flo
Winfried
Op 11-09-17 om 17:12 schreef Florence Blanc-Renaud via FreeIPA-users:
> On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
>> CS.cfg was modified so pki-tomcat can login using a password and
>> non-secure LDAP. At least it is working now....:
>>
>> < internaldb.ldapauth.authtype=BasicAuth
>> < internaldb.ldapauth.bindDN=cn=Directory Manager
>> ---
>> > internaldb.ldapauth.authtype=SslClientAuth
>> > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
>> 780,781c780,781
>> < internaldb.ldapconn.port=389
>> < internaldb.ldapconn.secureConn=false
>> ---
>> > internaldb.ldapconn.port=636
>> > internaldb.ldapconn.secureConn=true
>>
>> Reversed to the old config, stop/started ipa, debug shows
>> pki-tomcatd cannot login:
>>
>> 11/Sep/2017:16:51:41][localhost-startStop-1]:
>> SSLClientCertificatSelectionCB: Entering!
>> [11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert:
>> subsystemCert cert-pki-ca
>> [11/Sep/2017:16:51:41][localhost-startStop-1]:
>> SSLClientCertificateSelectionCB: desired cert found in list:
>> subsystemCert cert-pki-ca
>> [11/Sep/2017:16:51:41][localhost-startStop-1]:
>> SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
>> [11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
>> Could not connect to LDAP server host ipa.blabla.bla port 636 Error
>> netscape.ldap.LDAPException: Authentication failed (49)
>> at
>>
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>> at
>>
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>> at
>>
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>> at
>> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
>> at
>> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
>> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
>> at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
>>
>> Winfried
>>
>> Op 11-09-17 om 16:18 schreef Rob Crittenden via FreeIPA-users:
>>> Winfried de Heiden via FreeIPA-users wrote:
>>>> Hi All,
>>>>
>>>> Somewhere after an update (I guess) I have issues;
>>>> pki-tomcatd(a)pki-tomcat.service will not start since it cannot
>>>> login to
>>>> LDAP. It seems I have some certificate isues:
>>>>
>>>> getcert list shows:
>>>>
>>>> Request ID '20170129002017':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server
athttps://ipa.example.com/ipa/xml failed
>>>> request,
>>>> will retry: 4035 (RPC failed at server. Request failed with status
>>>> 500:
>>>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>>>> stuck: no
>>>> key pair storage:
>>>>
type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>>>>
>>>> Certificate
DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
>>>> certificate:
>>>>
type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>>>>
>>>> Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>>>> subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>>>> expires: 2017-09-27 17:26:00 CEST
>>>> key usage:
>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
>>>> BLABLA-BLA
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20170129002024':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server
athttps://ipa.example.com/ipa/xml failed
>>>> request,
>>>> will retry: 4035 (RPC failed at server. Request failed with status
>>>> 500:
>>>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>>>> stuck: no
>>>> key pair storage:
>>>>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>
>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate:
>>>>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>
>>>> Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>>>> subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>>>> expires: 2017-09-27 17:41:26 CEST
>>>> key usage:
>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> (I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
>>>> How to fix this. Something seems wrong with de DIRSRV certificate and
>>>> http....:(
>>> What did you modify?
>>>
>>>> How to fix? What could have caused this issue?
>>> This is likely not a problem with the certificates but with the
>>> certificate profiles. The dogtag debug log may have more information.
>>>
>>> rob
>>> _______________________________________________
>>> FreeIPA-users mailing list --freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email
>>> tofreeipa-users-leave(a)lists.fedorahosted.org
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>>
>
> Hi Winfried,
>
> the issue is likely to come from the renewal of subsystemCert. You can
> find more info in this blog [1]. If you are running with selinux in
> enforcing mode, the renewal may fail but gets undetected.
>
> You can check if the ldap entry uid=pkidbuser,ou=people,o=ipaca
> contains the same certificate 'subsystemCert cert-pki-ca' as the NSSDB
> /etc/pki/pki-tomcat/alias.
> If it is not the case, simply modify the LDAP entry to contain the
> right userCertificate and description attributes.
>
> HTH,
> Flo
>
> [1]
>
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org