Hi All,
Somewhere after an update (I guess) I have issues;
pki-tomcatd@pki-tomcat.service will not start since it cannot login to
LDAP. It seems I have some certificate issues:
getcert list shows:
Request ID '20170129002017':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
    subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
    expires: 2017-09-27 17:26:00 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
    track: yes
    auto-renew: yes
Request ID '20170129002024':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
    subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
    expires: 2017-09-27 17:41:26 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
(I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
How do I fix this? Something seems wrong with the DIRSRV certificate and
http....:(
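
Added example, not part of the original post: a small Python triage of `getcert list` output like the listing above. It re-joins mail-wrapped values and reports every tracking request that is not in `MONITORING` or is close to expiry. The function names, the 30-day threshold and the trimmed sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# Field names exactly as they appear in the output quoted above.
FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
          "CA", "issuer", "subject", "expires", "key usage", "eku",
          "pre-save command", "post-save command", "track", "auto-renew"}

# Constructed sample: one request trimmed from the post, mail wrapping kept.
SAMPLE = """Request ID '20170129002017':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server. Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
stuck: no
subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
expires: 2017-09-27 17:26:00 CEST
"""

def parse_getcert(text):
    """Return {request_id: {field: value}}, re-joining wrapped lines."""
    requests, cur, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '(\d+)':$", line)
        if m:
            cur, last = requests.setdefault(m.group(1), {}), None
            continue
        if cur is None or not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            cur[key], last = value.strip(), key
        elif last:  # unknown prefix: continuation of the previous value
            cur[last] = (cur[last] + " " + line).strip()
    return requests

def triage(requests, now, warn_days=30):
    """Return (request_id, problem) pairs for requests needing attention."""
    findings = []
    for rid, f in requests.items():
        if f.get("status") != "MONITORING":  # certmonger's steady state
            findings.append((rid, f"{f.get('status')}: {f.get('ca-error', '')}"))
        if "expires" in f:
            # The zone suffix (CEST) is dropped; day precision is enough here.
            exp = datetime.strptime(f["expires"][:19], "%Y-%m-%d %H:%M:%S")
            if (exp - now).days < warn_days:
                findings.append((rid, f"expires in {(exp - now).days} days"))
    return findings
```

Feeding it the real output, for example `triage(parse_getcert(text), datetime.now())` with `text` captured from `getcert list`, gives one line per failing request with the full CA error attached.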