Winfried de Heiden wrote:Hi all, Yes, there was a discrepancy in de certificates and was fixed by using https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/. Thanks for that! Now, getcert ist still shows errors. The certmonger logs shows: De certmonger log shows: Sep 12 14:05:35 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:35 [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. *Policy Set Not Found*). Sep 12 14:05:59 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:59 [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. *Policy Set Not Found*). It looks like 2 certificates cannot be renewed but are about to expire.... What's happening and how to fix?Look at the dogtag debug log for more information on why it is failing the request. You'll want to restart certmonger or resubmit the request manually while watching the debug log to get the times correlated. robWinfried Op 12-09-17 om 10:04 schreef Florence Blanc-Renaud via FreeIPA-users:On 09/12/2017 09:10 AM, Winfried de Heiden via FreeIPA-users wrote:Hi all, I'll try my using the link provided. However: what is causing "CA_UNREACHABLE"? Request ID '20170129002017': status: CA_UNREACHABLE ca-error: Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found). stuck: noHi Winfried, certmonger is using the CA 'IPA' for the Server-Cert used by httpd and ldap. This CA helper is communicating with FreeIPA server, and FreeIPA in turn communicates with Dogtag. You will probably find more information in FreeIPA server logs (in /var/log/httpd/error_log) and in Dogtag logs (/var/log/pki/pki-tomcat/ca/debug). FloWinfried Op 11-09-17 om 17:12 schreef Florence Blanc-Renaud via FreeIPA-users:On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:CS.cfg was modified so pki-tomcat can login using a password and non-secure LDAP. At least it is working now....: < internaldb.ldapauth.authtype=BasicAuth < internaldb.ldapauth.bindDN=cn=Directory Manager --- > internaldb.ldapauth.authtype=SslClientAuth > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca 780,781c780,781 < internaldb.ldapconn.port=389 < internaldb.ldapconn.secureConn=false --- > internaldb.ldapconn.port=636 > internaldb.ldapconn.secureConn=true Reversed to the old config, stop/started ipa, debug shows pki-tomcatd cannot login: 11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering! [11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca [11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca [11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca [11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened Could not connect to LDAP server host ipa.blabla.bla port 636 Error netscape.ldap.LDAPException: Authentication failed (49) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570) at com.netscape.certsrv.apps.CMS.init(CMS.java:188) at com.netscape.certsrv.apps.CMS.start(CMS.java:1621) Winfried Op 11-09-17 om 16:18 schreef Rob Crittenden via FreeIPA-users:Winfried de Heiden via FreeIPA-users wrote:Hi All, Somewhere after an update (I guess) I have issues; pki-tomcatd@pki-tomcat.service will not start since it cannot login to LDAP. It seems I have some certificate isues: getcert list shows: Request ID '20170129002017': status: CA_UNREACHABLE ca-error: Server athttps://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650 subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650 expires: 2017-09-27 17:26:00 CEST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA track: yes auto-renew: yes Request ID '20170129002024': status: CA_UNREACHABLE ca-error: Server athttps://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650 subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650 expires: 2017-09-27 17:41:26 CEST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes (I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg) How to fix this. Something seems wrong with de DIRSRV certificate and http....:(What did you modify?How to fix? What could have caused this issue?This is likely not a problem with the certificates but with the certificate profiles. The dogtag debug log may have more information. rob _______________________________________________ FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org To unsubscribe send an email tofreeipa-users-leave@lists.fedorahosted.org_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.orgHi Winfried, the issue is likely to come from the renewal of subsystemCert. You can find more info in this blog [1]. If you are running with selinux in enforcing mode, the renewal may fail but gets undetected. You can check if the ldap entry uid=pkidbuser,ou=people,o=ipaca contains the same certificate 'subsystemCert cert-pki-ca' as the NSSDB /etc/pki/pki-tomcat/alias. If it is not the case, simply modify the LDAP entry to contain the right userCertificate and description attributes. HTH, Flo [1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org