On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> Ian Kumlien via FreeIPA-users wrote:
> > Hi,
> >
> > I've been confused by this a while... But from talking to people on
> > #freeipa@freenode this might be the real issue:
> >
> > certutil -d /etc/pki/pki-tomcat/alias/ -L |grep cert-pki-ca
> > Server-Cert cert-pki-ca u,u,u
> > ---
> >
> > I have been trying ipa-cert-fix, which seems to look at most
> > certificates but not these.
> >
> > Also:
> > ipa-cacert-manage renew
> > 'NoneType' object has no attribute 'is_self_signed'
> > The ipa-cacert-manage command failed.
> You absolutely do NOT want this. This renews the CA certificate, NOT the
> subsystem certificates. Doing this will only add to the confusion.
Much too late for that =)
I mainly kept it in the email to inform you about this - it queues cert
work for the non-running CA.
> That said it shouldn't error out in this way.
Agreed =)
Some background, it started with the web certificates expiring for
some unknown reason and continued like this...
Been trying to switch the pki-tomcat part from certs to passwords but
it hasn't worked for some reason...
> > Running:
> > b3a160b70566ba1703a184f07b493246630829a8
> >
> > From ipa-4.7
> > (Needed ipa-cert-fix)
> >
> > Any clues of how to proceed, I'm still trying to understand this thing =)
> I still don't know what isn't working. We need:
> - the output of getcert list
getcert list
Number of certificates and requests being tracked: 12.
Request ID '20180612111401':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=freeipa-4.xerces.lan,O=XERCES.LAN
        expires: 2020-06-12 13:14:24 CEST
        principal name: krbtgt/XERCES.LAN(a)XERCES.LAN
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20180612120010':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=KRA Audit,O=XERCES.LAN
        expires: 2020-06-01 13:59:29 CEST
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-kra"
        track: yes
        auto-renew: yes
Request ID '20180612120011':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=KRA Transport Certificate,O=XERCES.LAN
        expires: 2020-06-01 13:59:26 CEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "transportCert cert-pki-kra"
        track: yes
        auto-renew: yes
Request ID '20180612120012':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=KRA Storage Certificate,O=XERCES.LAN
        expires: 2020-06-01 13:59:27 CEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
        track: yes
        auto-renew: yes
Request ID '20190611092138':
        status: CA_REJECTED
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190611092143':
        status: CA_REJECTED
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190611092146':
        status: CA_REJECTED
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190611092148':
        status: CA_REJECTED
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190611092149':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=IPA RA,O=XERCES.LAN
        expires: 2021-03-10 12:23:19 CET
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20190611092150':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=freeipa-4.xerces.lan,O=XERCES.LAN
        expires: 2020-06-01 13:24:51 CEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190611092152':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XERCES-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-XERCES-LAN/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-XERCES-LAN',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=freeipa-4.xerces.lan,O=XERCES.LAN
        expires: 2020-06-12 13:11:51 CEST
        dns: freeipa-4.xerces.lan
        principal name: ldap/freeipa-4.xerces.lan(a)XERCES.LAN
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv XERCES-LAN
        track: yes
        auto-renew: yes
Request ID '20190611092155':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=XERCES.LAN
        subject: CN=freeipa-4.xerces.lan,O=XERCES.LAN
        expires: 2020-06-12 13:12:30 CEST
        dns: freeipa-4.xerces.lan
        principal name: HTTP/freeipa-4.xerces.lan(a)XERCES.LAN
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
> - the CA debug log (or the last bit from startup to failure).
2019-06-11 11:02:54 [main] FINE: SSL handshake happened
2019-06-11 11:02:54 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
        at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
        at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
        at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        ...
And then
2019-06-11 11:02:54 [main] FINE: CMSEngine: stopping profile
2019-06-11 11:02:54 [main] SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.forgetAllProfiles(LDAPProfileSubsystem.java:380)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.shutdown(LDAPProfileSubsystem.java:374)
        at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1773)
        at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1649)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:158)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> - certutil -L -d /etc/pki/pki-tomcat/alias/ might be handy too
certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
transportCert cert-pki-kra                                   u,u,u
storageCert cert-pki-kra                                     u,u,u
auditSigningCert cert-pki-kra                                u,u,Pu
XERCES.LAN IPA CA                                            CT,C,C
XERCES.LAN IPA CA                                            CT,C,C
XERCES.LAN IPA CA                                            CT,C,C
> rob