Went onto my IPA server today to discover the certificate had not been automatically renewed. It's a self-signed cert.
I set the date back before the expiry and tried: ipa-cacert-manage renew
which results in:
'NoneType' object has no attribute 'is_self_signed'
The ipa-cacert-manage command failed.
adding '--self-signed' just punts the same error to another attribute:
Renewing CA certificate, please wait
'NoneType' object has no attribute 'issuer'
The ipa-cacert-manage command failed.
I assume the same thing caused the autorenewal to not happen. Any recommendations? IPA version is 4.6.90.pre1+git20180411, API_VERSION: 2.229 which I know is old. It's on an old Ubuntu distro that I can't upgrade without destroying and I've tried many times to replicate the thing to a different VM but have yet to successfully do so.
Sean McLennan via FreeIPA-users wrote:
What certificate had not been renewed? This command renews the CA certificate itself which by default is good for 20 years. This is likely not the command you need.
rob
Oh. :P Well isn't that embarrassing.
I guess it's the server certificate then?
ipa: ERROR: cannot connect to 'https://ipa01.<domain>/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list" results correctly? When it says CA_UNREACHABLE because the cert expired, isn't that the CA Cert?
Number of certificates and requests being tracked: 9.
Request ID '20201114211025':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=IPA RA,O=[domain.com]
  expires: 2022-11-04 14:10:27 MDT
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20201114211106':
  status: NEED_CSR_GEN_TOKEN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=localhost
  expires: 2022-11-11 14:11:49 MST
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20201114211107':
  status: NEED_CSR_GEN_TOKEN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=localhost
  expires: 2022-11-11 14:11:53 MST
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20201114211108':
  status: NEED_CSR_GEN_TOKEN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=localhost
  expires: 2022-11-04 14:11:32 MDT
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20201114211109':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=localhost
  expires: 2022-11-11 14:11:50 MST
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20201114211110':
  status: NEED_CSR_GEN_TOKEN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=localhost
  expires: 2022-11-04 14:11:40 MDT
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20201114211316':
  status: CA_UNREACHABLE
  ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SIMPLYWS-COM/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=ipa01.[domain.com],O=[domain.com]
  expires: 2022-11-15 14:13:16 MST
  dns: ipa01.[domain.com]
  principal name: ldap/ipa01.[domain.com]@[domain.com]
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/lib/ipa/certmonger/restart_dirsrv SIMPLYWS-COM
  track: yes
  auto-renew: yes
Request ID '20201114211418':
  status: CA_UNREACHABLE
  ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired).
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.[domain.com]-443-RSA'
  certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=ipa01.[domain.com],O=[domain.com]
  expires: 2022-11-15 14:14:22 MST
  dns: ipa01.[domain.com]
  principal name: HTTP/ipa01.[domain.com]@[domain.com]
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/lib/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
Request ID '20201114211427':
  status: CA_UNREACHABLE
  ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired).
  stuck: no
  key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=ipa01.[domain.com],O=[domain.com]
  expires: 2022-11-15 14:14:27 MST
  principal name: krbtgt/[domain.com]@[domain.com]
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  pre-save command:
  post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
  track: yes
  auto-renew: yes
Hi,
On Thu, Nov 17, 2022 at 6:22 PM Sean McLennan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list" results correctly? When it says CA_UNREACHABLE because the cert expired, isn't that the CA Cert?
[...]
Request ID '20201114211109':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=[domain.com]
  subject: CN=localhost
  expires: 2022-11-11 14:11:50 MST
^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but it definitely looks wrong, unless IPA was installed with custom (and puzzling) options: subject CN=localhost.
How was IPA installed? The default settings would install a self-signed CA with subject CN=Certificate Authority,O=IPA.TEST for instance. What is the content of /etc/ipa/ca.crt? You should see the original IPA CA in this file.
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
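An added example (mine, not code from the thread or from FreeIPA) of reading a `getcert list` dump programmatically instead of by eye: it parses the records, flags anything not quietly MONITORING, stuck, or already past expiry, and applies the check flo makes above, that the caSigningCert entry carries the CA's own subject rather than a leaf-style CN=localhost. The sample is constructed from four of the thread's nine records with the domain replaced by the placeholder EXAMPLE.TEST.

```python
import re
from datetime import datetime

# Field names exactly as `getcert list` prints them; splitting on them works
# for one-field-per-line output and for the collapsed form in the thread.
KEYS = [
    "status", "ca-error", "stuck", "key pair storage", "certificate", "CA",
    "issuer", "subject", "expires", "dns", "principal name", "key usage",
    "eku", "pre-save command", "post-save command", "track", "auto-renew",
]
FIELD_RE = re.compile(
    r"(?<![\w-])(?P<key>" + "|".join(re.escape(k) for k in KEYS) + r"):[ \t]*")
RECORD_RE = re.compile(r"Request ID '(?P<rid>[^']+)':")
CA_SUBJECT_PREFIX = "CN=Certificate Authority"  # default ipa-server-install CA

# Constructed sample: four of the thread's records, domain -> EXAMPLE.TEST.
SAMPLE = (
    "Request ID '20201114211025': status: MONITORING stuck: no "
    "key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' "
    "certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' "
    "CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.TEST "
    "subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2022-11-04 14:10:27 MDT "
    "track: yes auto-renew: yes "
    "Request ID '20201114211106': status: NEED_CSR_GEN_TOKEN stuck: yes "
    "certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',"
    "nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' "
    "CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.TEST "
    "subject: CN=localhost expires: 2022-11-11 14:11:49 MST track: yes auto-renew: yes "
    "Request ID '20201114211109': status: MONITORING stuck: no "
    "key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',"
    "nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set "
    "certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',"
    "nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' "
    "CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.TEST "
    "subject: CN=localhost expires: 2022-11-11 14:11:50 MST track: yes auto-renew: yes "
    "Request ID '20201114211316': status: CA_UNREACHABLE ca-error: Server at "
    "https://ipa01.example.test/ipa/xml failed request, will retry: -504 (libcurl "
    "failed to execute the HTTP POST transaction, explaining: SSL certificate "
    "problem: certificate has expired). stuck: no "
    "certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',"
    "nickname='Server-Cert' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.TEST "
    "subject: CN=ipa01.example.test,O=EXAMPLE.TEST expires: 2022-11-15 14:13:16 MST "
    "pre-save command: post-save command: /usr/lib/ipa/certmonger/restart_dirsrv "
    "EXAMPLE-TEST track: yes auto-renew: yes"
)


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    records = {}
    heads = list(RECORD_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        hits = list(FIELD_RE.finditer(body))
        fields = {}
        for j, hit in enumerate(hits):
            vend = hits[j + 1].start() if j + 1 < len(hits) else len(body)
            fields[hit.group("key")] = body[hit.end():vend].strip()
        records[head.group("rid")] = fields
    return records


def parse_when(value):
    """getcert prints '2022-11-04 14:10:27 MDT'; the zone is dropped here."""
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")


def triage(text, now):
    """Map request id -> findings (empty = healthy); `now` is 'YYYY-MM-DD HH:MM:SS'."""
    ref = parse_when(now)
    findings = {}
    for rid, f in parse_getcert_list(text).items():
        issues = []
        if f.get("status") != "MONITORING":
            issues.append("status=" + f.get("status", "?"))
        if f.get("stuck") == "yes":
            issues.append("stuck")
        if "ca-error" in f:
            issues.append("ca-error")
        if "expires" in f and parse_when(f["expires"]) < ref:
            issues.append("expired")
        # The CA signing cert must carry the CA's own subject; a leaf-style
        # subject such as CN=localhost means the NSS DB entry was replaced.
        if "caSigningCert" in f.get("certificate", "") and \
                not f.get("subject", "").startswith(CA_SUBJECT_PREFIX):
            issues.append("ca-subject-mismatch:" + f.get("subject", ""))
        findings[rid] = issues
    return findings
```

Run against real output with `getcert list | python3 -c 'import sys, triage; print(triage.triage(sys.stdin.read(), "<today>"))'` after saving the block as triage.py; an empty list for every request id is the healthy state.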
^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but it definitely looks wrong, unless IPA was installed with custom (and puzzling) options: subject CN=localhost.
How was IPA installed? The default settings would install a self-signed CA with subject CN=Certificate Authority,O=IPA.TEST for instance. What is the content of /etc/ipa/ca.crt? You should see the original IPA CA in this file.
Yeah, I just used 'ipa-server-install' and as much default as possible. Definitely wasn't trying anything fancy. I do still have the original install log (and my entire command history) if there's something worth looking for in there.
/etc/ipa/ca.crt is just "-----BEGIN CERTIFICATE-----[text]-----END CERTIFICATE-----"; should there be something more informative in there?
Any thoughts on what I can try to renew these?
As an aside: Honestly, I would love nothing more than to get IPA off of this damn server and onto one that is actually supported and can, you know, be updated. :[ My impression is that the only way I can do that though is through replicating it to another instance and promoting the new one/retiring the old one... but like I said, I have tried many times to add another and have been unsuccessful. Is there a way to restore the data from a backup into a new install?
PS. Thank you for replying; I appreciate the help.
Hi,
On Thu, Nov 17, 2022 at 7:59 PM Sean McLennan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Yeah, I just used 'ipa-server-install' and as much default as possible. Definitely wasn't trying anything fancy. I do still have the original install log (and my entire command history) if there's something worth looking for in there.
/etc/ipa/ca.crt is just "-----BEGIN CERTIFICATE-----[text]-----END CERTIFICATE-----"; should there be something more informative in there?
You can compare the CA cert that is stored in this file and the one that is stored in the /etc/pki/pki-tomcat/alias database. To compare the PEM content:
# cat /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -a
You should see the same content.
Or if you want to see the certificate details:
# openssl x509 -noout -text -in /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
You should see the same values (subject, issuers, validity, serial number...)
I'm asking you to compare because it's unexpected to see a subject CN=localhost for the IPA CA. Someone has probably messed up with some commands and replaced the original IPA CA with a wrong one in the /etc/pki/pki-tomcat/alias database. If that's the case, we can put the right CA back with certutil commands but we need to be sure what to put there.
flo
I'm asking you to compare because it's unexpected to see a subject CN=localhost for the IPA CA. Someone has probably messed up with some commands and replaced the original IPA CA with a wrong one in the /etc/pki/pki-tomcat/alias database. If that's the case, we can put the right CA back with certutil commands but we need to be sure what to put there.
Good call—they are completely different:
/etc/ipa/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 14 21:09:26 2020 GMT
            Not After : Nov 14 21:09:26 2040 GMT
        Subject: O = <domain>, CN = Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
and the one in the pki-tomcat/alias db is:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 21 21:11:50 2020 GMT
            Not After : Nov 11 21:11:50 2022 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
How do we replace that one?
Hi,
I would start by doing a backup of the NSS database (save the directory and files from /etc/pki/pki-tomcat/alias). Then remove the wrong cert using:
certutil -D -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
and install the good one using
certutil -A -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -I /etc/ipa/ca.crt -t Ct,C,C
and try to restart the whole stack with ipactl restart.
I'm not sure this will work, it really depends whether the original key is still in the nss database. There may also be other places where the CA cert has to be replaced.
flo
I'm asking you to compare because it's unexpected to see a subject CN=localhost for the IPA CA. Someone has probably messed up with some commands and replaced the original IPA CA with a wrong one in the /etc/pki/pki-tomcat/alias database. If that's the case, we can put the right CA back with certutil commands but we need to be sure what to put there.
So, I believe that I successfully managed to replace the cert in the database with /etc/pki/ca.crt; however, still nothing is working. It appears that although "ipactl status" (and systemctl status) shows pki-tomcatd as running, there are no services listening. I.e. there is nothing listening on *any* 80xx port—I gather pki-tomcatd is supposed to be something on 8009?
catalina.out has this:
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Valve} Setting property 'resolveHosts' to 'false' did not find a matching property.
WARNING: The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
SEVERE: Catalina.start
org.apache.catalina.LifecycleException: Failed to initialize component [StandardServer[8005]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.RuntimeException: java.lang.SecurityException: Unable to initialize security library
    at com.netscape.cms.tomcat.PKIListener.lifecycleEvent(PKIListener.java:64)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:395)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:108)
    ... 8 more
Caused by: java.lang.SecurityException: Unable to initialize security library
    at org.mozilla.jss.CryptoManager.initializeAllNative2(Native Method)
    at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:956)
    at org.apache.tomcat.util.net.jss.TomcatJSS.init(TomcatJSS.java:322)
    at com.netscape.cms.tomcat.PKIListener.lifecycleEvent(PKIListener.java:62)
    ... 11 more
SEVERE: The required Server component failed to start so Tomcat is unable to start.
org.apache.catalina.LifecycleException: Failed to stop component [StandardServer[8005]]
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:238)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:142)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:353)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:497)
Caused by: org.apache.catalina.LifecycleException: An invalid Lifecycle transition was attempted ([before_stop]) for component [StandardService[Catalina]] in state [INITIALIZED]
    at org.apache.catalina.util.LifecycleBase.invalidTransition(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:213)
    at org.apache.catalina.core.StandardServer.stopInternal(StandardServer.java:814)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:226)
    ... 8 more
and
debug complains about two missing jar files:
[localhost-startStop-1] WARNING: Failed to scan [file:/usr/share/java/oscache.jar] from classloader hierarchy
[localhost-startStop-1] WARNING: Failed to scan [file:/usr/share/java/stax-api.jar] from classloader hierarchy
I suspect that it's never been running properly—because of the problems I had before, I treated this server with kid-gloves and never updated it. I suspect that this is the reason I was never able to get a replica of it running either.
Any suggestions on how to deal with this? Is there any way to get my data out of it and into a different server without using replication? Like I said, I would love nothing more than to get it off of this broken broken distro.
I feel like this output from "ipa-certupdate -v" is relevant:
ipapython.ipautil: DEBUG: stderr=
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request '20201114211109'
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request '20201114211109'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'dbm:/etc/ipa/nssdb', '-L', '-n', 'IPA CA', '-a', '-f', u'/etc/ipa/nssdb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found