Hi Flo,
I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and
/var/log/pki/pki-tomcat/ca/debug reads:
[08/Aug/2018:10:12:02][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED
=======
java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid
certificate: (-8181) Peer's Certificate has expired.
at
com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
at
com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936)
at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053)
at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803)
at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402)
at
com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
at
com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:858)
at
com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1808)
at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1914)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1355)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: Invalid certificate: (-8181)
Peer's Certificate has expired.
at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method)
at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554)
at
com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842)
... 44 more
Invalid class name repositorytop
at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1371)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
############ end of debug ##############
## I worry now that I am not making progress with cert renewal. With ntpd stopped and the clock moved back
in time, /var/log/ipa/renew.log reads:
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Initializing principal
host/ca-ldap01.domain.com(a)DOMAIN.COM using keytab /etc/krb5.keytab
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG using ccache
/var/run/certmonger/tmp-M09nld/ccache
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Attempt 1/1: success
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-08-07T17:12:35Z 4375 MainThread ipa DEBUG Could not connect to the
Directory Server on
ca-ldap01.domain.com: Insufficient access: Invalid credentials
## OKAY, so I need to enable NTPD and go back in time again; now renew.log reads:
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing all plugin
modules in ipaserver.plugins...
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG
ipaserver.plugins.baseldap is not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.hbac is
not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.otp is
not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG Starting external
process
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG args=klist -V
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG Process finished, return
code=0
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG stdout=Kerberos 5 version
1.14.1
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG stderr=
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module
ipaserver.plugins.rabase
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module
ipaserver.plugins.sudo
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.sudo is
not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.virtual
is not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module
ipaserver.plugins.xmlserver
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Initializing principal
host/ca-ldap01.domain.com(a)domain.com using keytab /etc/krb5.keytab
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG using ccache
/var/run/certmonger/tmp-5bCOl7/ccache
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Attempt 1/1: success
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-08-07T17:11:35Z 6773 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG flushing ldap://ca-ldap01.domain.com:389 from SchemaCache
2018-08-07T17:11:35Z 6773 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ca-ldap01.domain.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x5a69320>
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG Starting external
process
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG
args=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -vv
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG Process finished, return
code=2
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG stdout=
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG stderr=* About to
connect() to
ca-ldap01.domain.com port 8080 (#0)
* Trying 10.211.9.58...
* Connected to
ca-ldap01.domain.com (10.211.9.58) port 8080 (#0)
> GET
/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true
HTTP/1.1
Host: ca-ldap01.domain.com:8080
Accept: */*
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 995
< Date: Thu, 25 Oct 2018 05:42:30 GMT
<
* Connection #0 to host
ca-ldap01.domain.com left intact
GET
"http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true"
code = 0
code_text = "No error"
results = "<html><head><title>Apache Tomcat/7.0.69 - Error
report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 404 -
/ca/ee/ca/profileSubmit</h1><HR size="1"
noshade="noshade"><p><b>type</b> Status
report</p><p><b>message</b>
<u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b>
<u>The requested resource is not available.</u></p><HR
size="1" noshade="noshade"><h3>Apache
Tomcat/7.0.69</h3></body
></html>"
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and body
able.</u></p><HR size="1"
noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body>
^
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and html
Entity: line 1: parser error : Premature end of data in tag body line 1
Entity: line 1: parser error : Premature end of data in tag html line 1
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and body
able.</u></p><HR size="1"
noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body>
^
## And status of certmonger service reads:
Aug 07 10:12:45
ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]: GET
http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServe...
Aug 07 10:12:45
ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]:
<html><head><title>Apache Tomcat/7.0.69 - Error
report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 404 -
/ca/ee/ca/profileSubmit</h1><HR size="1"
noshade="noshade"><p><b>type</b> Status
report</p><p><b>message</b>
<u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b>
<u>The requested resource is not available.</u></p><HR
size="1" noshade="noshade"><h3>Apache
Tomcat/7.0.69</h3></body></html>
Aug 07 10:12:45
ca-ldap01.domain.com dogtag-ipa-ca-renew-agent-submit[6884]:
dogtag-ipa-renew-agent returned 2
Thanks in advance for any suggestion on the next step.
Hi,
when the date is moved back to when the certs are valid, can you check
whether the CA component is actually running?
curl http://`hostname`:8080/ca/ee/ca/getCertChain
If not, have a look at the logs under /var/log/pki/pki-tomcat to find the
reason. The debug output you pasted already shows the startup self-test rejecting
ocspSigningCert cert-pki-ca as expired, which is consistent with the 404 you get
from /ca/ee/ca/profileSubmit: if the CA webapp fails its self-tests it does not
come up, and the renewal request has nothing to talk to.
HTH,
flo