On 09/04/2018 11:27 AM, Stuart McRobert wrote:
Hi,
I wonder if you might be able to help me with hopefully a quick FreeIPA
startup problem that I've not been able to work out how to fix, or point
me to further information to help get this resolved? Many thanks.
I found your useful guide "Troubleshooting FreeIPA: pki-tomcatd fails to
start" and reached:
+ Then make sure that the private key can be read using the password found
in /var/lib/pki/pki-tomcat/conf/password.conf (with the tag internal=…)
There is a value stored in /tmp/pwdfile.txt
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
I thought I'd better see what is in there (and Xed out the hex values):
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX caSigningCert cert-pki-ca
< 1> rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (orphan)
< 2> rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX NSS Certificate DB:subsystemCert cert-pki-ca
< 3> rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX NSS Certificate DB:auditSigningCert cert-pki-ca
< 4> rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX NSS Certificate DB:Server-Cert cert-pki-ca
< 5> rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX NSS Certificate DB:ocspSigningCert cert-pki-ca
Try without the space:
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB:subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
But I'm not sure of the next step. Looking at the directory:
# ls -la /etc/pki/pki-tomcat/alias
total 100
drwxrwx---. 2 pkiuser pkiuser 4096 Sep 8 2016 .
drwxrwx---. 5 pkiuser pkiuser 4096 Aug 21 2017 ..
-rw-------. 1 pkiuser pkiuser 65536 Sep 3 15:06 cert8.db
-rw-------. 1 pkiuser pkiuser 28672 Sep 3 15:06 key3.db
-rw-------. 1 pkiuser pkiuser 16384 Sep 8 2016 secmod.db
The modification times could relate to my reboot yesterday and my manual
attempts to restart ipa.
In short, I know something has gone wrong but am struggling to work out how
to recover without causing disruption to the department. Kerberos
logins are thankfully currently working.
Thanks
Best wishes
Stuart
Hi,
I'm cc'ing the users mailing list, you may get more help there.
As the output of certutil -K correctly displays an entry for
subsystemCert cert-pki-ca, we can assume that the password is OK. I
would try to check the next steps detailed in
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
and ensure that uid=pkidbuser,ou=people,o=ipaca contains the same
certificate as /etc/pki/pki-tomcat/alias, as it is one of the most
frequent root causes for authentication issues between PKI and the LDAP
server after an upgrade.
HTH,
flo
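One way to perform the comparison flo suggests, as an added example that is not part of this thread: export the subsystemCert from the pki-tomcat NSS database with certutil, fetch the userCertificate of uid=pkidbuser,ou=people,o=ipaca with ldapsearch, and compare the two DER encodings. It assumes certutil and OpenLDAP ldapsearch are installed, that the Directory Manager password is in the file named by DM_PW_FILE, and that the nickname is the one shown in Stuart's certutil -K output; LDAP_URI is a placeholder to adjust for the server.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Assumed settings (placeholders): adjust LDAP_URI and DM_PW_FILE.
NSSDB=${NSSDB:-/etc/pki/pki-tomcat/alias}
NICK=${NICK:-subsystemCert cert-pki-ca}
PKIDB_DN='uid=pkidbuser,ou=people,o=ipaca'
LDAP_URI=${LDAP_URI:-ldap://localhost}
DM_PW_FILE=${DM_PW_FILE:-/root/dm_password.txt}

# normalize_b64: drop PEM armor lines and all whitespace from stdin,
# leaving one base64 string of the DER certificate.
normalize_b64() {
    grep -v '^-----' | tr -d ' \t\r\n'
}

# certs_match A B: succeed when A and B (each PEM or bare base64 DER)
# encode the same certificate bytes; an empty value never matches.
certs_match() {
    a=$(printf '%s\n' "$1" | normalize_b64)
    b=$(printf '%s\n' "$2" | normalize_b64)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# nss_cert NICK: export the certificate with that nickname as PEM.
nss_cert() {
    certutil -L -d "$NSSDB" -n "$1" -a
}

# ldap_cert DN: read the entry's userCertificate as one base64 line
# (ldif-wrap=no keeps the value unwrapped; '::' marks base64 in LDIF).
ldap_cert() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" \
        -D 'cn=Directory Manager' -y "$DM_PW_FILE" \
        -b "$1" -s base userCertificate \
        | sed -n 's/^userCertificate[^:]*:: *//p' | head -n 1
}

# Only touch the live server when invoked as: ./check_pkidbuser.sh check
if [ "$1" = "check" ]; then
    if certs_match "$(nss_cert "$NICK")" "$(ldap_cert "$PKIDB_DN")"; then
        echo "OK: $PKIDB_DN holds the same certificate as '$NICK' in $NSSDB"
    else
        echo "MISMATCH: $PKIDB_DN and '$NICK' in $NSSDB differ (or one is empty)" >&2
        exit 1
    fi
fi
```

A mismatch means the PKI subsystem authenticates to LDAP with a certificate the directory no longer recognises, which is the post-upgrade failure flo describes.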