After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to
start.
I see this (repeated many times) in the journal:
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@383171f8 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1357)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1543)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1521)
    at java.lang.Thread.run(Thread.java:748)
getcert list shows a number of expired certificates (which is EXTREMELY
frustrating, as I thought that certmonger, which is running, was
supposed to take care of these renewals):
Request ID '20170306100908':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=CA Audit,O=PENURIO.US
    expires: 2017-06-19 16:27:30 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170306100911':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=OCSP Subsystem,O=PENURIO.US
    expires: 2017-06-19 16:26:30 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170306100914':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PENURIO.US
    subject: CN=CA Subsystem,O=PENURIO.US
    expires: 2017-06-19 16:26:30 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
I have tried setting the clock back 48 hours, but certmonger is still
unable to renew the certificates -- still with the same error.
I have checked the certificates returned when connecting to
asterisk.penurio.us:8443, and they look correct. The CA certificate
doesn't expire until 2033, and the server certificate (whose CN is
asterisk.penurio.us) expires in 2019.
Are these three the only expired certs?
What version of IPA?
Did you restart IPA after going back in time? If not, try that, then
restart certmonger and it should renew the certs.
Given certmonger didn't fire in the very recent past can you check the
syslog for any certmonger-related messages? I assume it renewed some,
but not all of the certs?
rob
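A way to answer Rob's first question (which tracked certificates have actually expired, and what state certmonger has them in), as an added example that is not from this thread: it parses the `getcert list` record layout shown above and reports every tracking request whose `expires` stamp is in the past. The sample output is constructed, with placeholder hostnames and paths.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints (getcert indents fields
# with a tab; the parser strips leading whitespace, so spaces work too).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170306100908':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-06-19 16:27:30 UTC
    track: yes
    auto-renew: yes
Request ID '20170306100920':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2019-03-07 10:09:20 UTC
    track: yes
    auto-renew: yes
"""

def parse_utc(stamp):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' stamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key] = value.strip()
    return records

def nickname(record):
    m = re.search(r"nickname='([^']*)'", record.get("certificate", ""))
    return m.group(1) if m else None

def expired_requests(records, now=None):
    """Return (request_id, nickname, status, expires) for each cert past 'expires'."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for r in records:
        if "expires" in r and parse_utc(r["expires"]) <= now:
            rows.append((r["request_id"], nickname(r), r.get("status"), r["expires"]))
    return rows
```

Feed it the real output with `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))`; a request that is expired and still CA_UNREACHABLE is one certmonger cannot renew on its own.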