Hi Rob,
Please see below. Notice "Failed to create jss service: java.lang.SecurityException: Unable to initialize security library".
# getcert list | grep expires
        expires: 2018-10-23 09:34:16 UTC
        expires: 2018-10-23 09:33:16 UTC
        expires: 2018-10-23 09:33:16 UTC
        expires: 2018-10-24 09:33:15 UTC
        expires: 2018-10-23 09:33:16 UTC
        expires: 2019-03-03 19:54:22 UTC
        expires: 2019-03-03 19:54:22 UTC
        expires: 2019-03-03 19:54:22 UTC
        expires: unknown
root bioldap-p1 /var/log/pki-ca # ps -ef | grep tomcat
pkiuser  18739     1  0 13:02 ?        00:00:04 /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
root     20364 14505  0 13:23 pts/3    00:00:00 grep tomcat
root bioldap-p1 /var/log/pki-ca #
[31/May/2017:13:02:04][main]: ============================================
[31/May/2017:13:02:04][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[31/May/2017:13:02:04][main]: ============================================
Failed to create jss service: java.lang.SecurityException: Unable to initialize security library
        at com.netscape.cmscore.security.JssSubsystem.init(JssSubsystem.java:272)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:306)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
# getcert list (notice the last one)
Number of certificates and requests being tracked: 9.
Request ID '20141211093329':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to https://bioldap-p1.DOMAIN.COM:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DOMAIN.COM
        subject: CN=CA Audit,O=DOMAIN.COM
        expires: 2018-10-23 09:34:16 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20141211093330':
        status: CA_UNREACHABLE
        ...
        ...
Request ID '20161223074657':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
# tail -f access
[31/May/2017:12:55:13 -0500] conn=3 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[31/May/2017:12:55:13 -0500] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/May/2017:12:55:13 -0500] conn=3 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[31/May/2017:12:55:13 -0500] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[31/May/2017:12:55:13 -0500] conn=3 op=2 UNBIND
[31/May/2017:12:55:13 -0500] conn=3 op=2 fd=64 closed - U1
[31/May/2017:12:57:03 -0500] conn=4 fd=64 slot=64 connection from 10.106.178.59 to 10.106.178.56
[31/May/2017:12:57:03 -0500] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/May/2017:12:57:03 -0500] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/May/2017:12:57:03 -0500] conn=4 op=-1 fd=64 closed - SSL peer cannot verify your certificate.
# tail -f errors
[31/May/2017:12:48:42 -0500] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[31/May/2017:12:48:42 -0500] - Listening on All Interfaces port 7390 for LDAPS requests
[31/May/2017:12:48:42 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:48:42 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-biogendb-p2.wgap.ibm.com-pki-ca" (biogend ion bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8054:You are attempting to import a cert wi erial as an existing cert, but that is not the same cert.)
[31/May/2017:12:48:45 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:48:51 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:49:03 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:49:27 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:50:15 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:51:51 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
^C
From: Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Vinny Del Signore vdel@us.ibm.com, Rob Crittenden rcritten@redhat.com
Date: 05/31/2017 01:07 PM
Subject: [Freeipa-users] Re: cannot connect ...Encountered end of file.
Vinny Del Signore via FreeIPA-users wrote:
Hello all,
Has anyone seen this issue? We've tried to generate a new CA and SSL Cert.
*IPA v.3.0.0-50 *
# *rpm -qa | grep ipa-server*
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM #*ipa-replica-prepare --ip-address=10.10.xx.xx rtlvxl0055.test.local*
Directory Manager (existing master) password:
Preparing replica for rtlvxl0055.test.local from ldap-srv.domain.com
Creating SSL certificate for the Directory Server
*preparation of replica failed: cannot connect to 'https://ldap-srv.domain..com:9444/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.*
*cannot connect to 'https://ldap-srv.domain..com:xxxx/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.*
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 361, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
    raise e
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM #
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # uname -r
2.6.32-642.3.1.el6.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM #
See if your CA is up, look for a running tomcat process, ensure that the certs aren't expired: getcert list | grep expires, check the debug log in /var/log/pki/<something>/debug
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
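A small triage helper for Rob's checklist, added here as an example and not code from the thread or from FreeIPA. It parses `getcert list` output and flags every tracked request that is expired, stuck, or not in MONITORING (the CA_UNREACHABLE and CA_UNCONFIGURED entries above would both be reported), and it scans log text for the failure signatures quoted in this thread: the JSS "Unable to initialize security library" failure from the CA debug log, NSS error -8054 and "SSL peer cannot verify your certificate" from the 389-ds logs, and PR_END_OF_FILE_ERROR from ipa-replica-prepare. All sample data is constructed: the hostname, the 2017-01-01 expiry, and the abridged log lines are invented to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the thread): triage `getcert list` output and log text
# for the failure signatures discussed above. Everything below is constructed.

# Constructed sample modelled on `getcert list`; request 20150101000000 with a
# 2017-01-01 expiry is invented so the expiry check has something to catch.
sample_getcert() {
  cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20141211093329':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to https://ca.example.test:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: no
        expires: 2018-10-23 09:34:16 UTC
Request ID '20141211093331':
        status: MONITORING
        stuck: no
        expires: 2019-03-03 19:54:22 UTC
Request ID '20150101000000':
        status: MONITORING
        stuck: no
        expires: 2017-01-01 00:00:00 UTC
Request ID '20161223074657':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        expires: unknown
EOF
}

# check_getcert NOW   (reads `getcert list` output on stdin)
# NOW is "YYYY-MM-DD HH:MM:SS UTC". certmonger prints expiry in that fixed-width
# form, so a plain string comparison orders the dates correctly.
# Prints one line per request needing attention: "<request id>: <reasons>".
check_getcert() {
  awk -v now="$1" '
    function flush() {
      if (id == "") return
      reason = ""
      if (status != "MONITORING") reason = reason " status=" status
      if (stuck == "yes")         reason = reason " stuck"
      if (expires == "unknown")   reason = reason " no-certificate"
      else if (expires != "" && expires < now) reason = reason " expired"
      if (reason != "") print id ":" reason
      id = ""; status = ""; stuck = ""; expires = ""
    }
    /^Request ID/    { flush(); id = $0; gsub(/[^0-9]/, "", id) }
    /^ *status:/     { status = $2 }
    /^ *stuck:/      { stuck = $2 }
    /^ *expires:/    { sub(/^ *expires: */, ""); expires = $0 }
    END              { flush() }
  '
}

# Constructed, abridged log lines in the shape of the CA debug log and the
# 389-ds errors/access logs quoted in the thread.
sample_logs() {
  cat <<'EOF'
Failed to create jss service: java.lang.SecurityException: Unable to initialize security library
[31/May/2017:12:48:42 -0500] NSMMReplicationPlugin - agmt="cn=agreement-example-pki-ca": bind failed: LDAP error -11 (Connect error) (TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.)
[31/May/2017:12:57:03 -0500] conn=4 op=-1 fd=64 closed - SSL peer cannot verify your certificate.
[31/May/2017:12:57:03 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0
EOF
}

# scan_logs   (reads log text on stdin)
# Prints one tag per known failure signature found, sorted, so the result can
# be diffed between runs or fed to an alert.
scan_logs() {
  awk '
    /Unable to initialize security library/   { hit["jss-init-failed"] = 1 }
    /TLS error -8054/                         { hit["nss-reused-issuer-serial"] = 1 }
    /SSL peer cannot verify your certificate/ { hit["peer-rejected-our-cert"] = 1 }
    /PR_END_OF_FILE_ERROR/                    { hit["tls-connection-closed"] = 1 }
    END { for (k in hit) print k }
  ' | sort
}

# Demonstration on the constructed samples. On a real master you would run:
#   getcert list | check_getcert "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
#   cat /var/log/pki-ca/debug /var/log/dirsrv/slapd-*/errors | scan_logs
echo "== certmonger requests needing attention =="
sample_getcert | check_getcert "2017-05-31 13:02:04 UTC"
echo "== failure signatures found in logs =="
sample_logs | scan_logs
```

Rob's first step, confirming the CA's tomcat is actually running, is a one-liner (`pgrep -f org.apache.catalina.startup.Bootstrap`) and is left out of the script. The `nss-reused-issuer-serial` tag corresponds to NSS error -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL), the message quoted in the errors log above: a certificate with the same issuer and serial as one already in the NSS database, but different contents, which is what you see after a CA or service certificate has been regenerated without the old copy being removed from every database that holds it.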