I followed some of the steps outlined in the blog post you linked to, and when I got to the part about making sure that the private key can be read using the password found in /var/lib/pki/pki-tomcat/conf/password.conf, I ran:

sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'

RESULT:
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.

So it looks like things aren't associated properly anymore. Not sure what my next steps would be though.

On Fri, Oct 27, 2017 at 10:27 AM, Florence Blanc-Renaud <flo@redhat.com> wrote:

On 10/27/2017 12:55 AM, Kristian Petersen via FreeIPA-users wrote:
I checked the logs that turned up after running the find command suggested by Jochen, and only a couple of them turned up anything that mentions pki or pki-tomcat:

from /var/log/audit/audit.log:
type=SERVICE_START msg=audit(1508873851.623:163448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@pki-tomcat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

from /var/log/messages:
Oct 26 16:01:58 ipa1 ns-slapd: [26/Oct/2017:16:01:58.077129423 -0600] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
Oct 26 16:01:58 ipa1 named-pkcs11[16463]: client 192.168.105.11#37937: request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure (BADKEY)

Hi,

just a wild guess, but we saw issues during update related either to certificates or IPv6.
- Is IPv6 enabled on your server? The server doesn't need an IPv6 address, but IPv6 should not be disabled.
- If selinux is in enforcing mode, there were known issues during certificate renewals that could lead to pki-tomcat not being able to start any more. You can refer to this blog post [1] to check that the certificate 'subsystemCert cert-pki-ca' is properly associated with the user uid=pkidbuser,ou=people,o=ipaca. The certificate is stored in multiple places (ldap server, nss dbs) and must be consistent.

Flo

[1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
On Thu, Oct 26, 2017 at 2:32 PM, Jochen Hein <jochen@jochen.org> wrote:

Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:

> The dirsrv log just shows a bunch of the following:
> [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error:
> could not bind id [cn=Replication Manager cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism
> [SIMPLE]: error 32 (No such object)
>
> That makes sense though since pki-tomcat won't start. Rob was asking what
> was in the logs located at /var/log/pki/pki-tomcat/ca/debug, but that path
> doesn't exist on any of my IPA servers. He said that would normally be the
> first place to look. Hence, I am looking for other solutions.

Brute force: reproduce the error and run "find /var/log -mmin -1 -type f -ls".
This finds the files changed in the last minute - one of these might help.
Jochen
--
This space is intentionally left blank.
--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
_________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
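Flo's point that the subsystem certificate lives in several places (the pki-tomcat NSS database and the userCertificate attribute of uid=pkidbuser,ou=people,o=ipaca in LDAP) and must be consistent is easy to check mechanically. The script below is an added example, not code from this thread or from the FreeIPA project: it parses the PEM that `certutil -L -a` prints and the folded LDIF that `ldapsearch` prints, then compares SHA-256 fingerprints. The capture paths in the docstring are hypothetical, and the certificate bytes are a constructed placeholder so the script runs offline.

```python
"""Compare the 'subsystemCert cert-pki-ca' certificate in the pki-tomcat NSS
database with the userCertificate attribute on uid=pkidbuser,ou=people,o=ipaca.

Added example (not code from the thread or the FreeIPA project). It assumes two
captures made on the IPA server, e.g. (hypothetical output paths):
  certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a > /tmp/nss.pem
  ldapsearch -LLL -D 'cn=Directory Manager' -W \
      -b 'uid=pkidbuser,ou=people,o=ipaca' userCertificate > /tmp/ldap.ldif
The sample inputs below are built from placeholder bytes, not a real certificate.
"""
from __future__ import annotations

import base64
import hashlib
import re

# Constructed placeholder for DER certificate bytes (NOT a real X.509 cert).
_FAKE_DER = bytes(range(256)) * 3


def _pem_block(der: bytes) -> str:
    """Render DER as PEM the way `certutil -L -a` prints it (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def _fold(line: str, width: int = 76) -> str:
    """LDIF line folding: every continuation line starts with one space."""
    parts = [line[:width]]
    pos = width
    while pos < len(line):
        parts.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return "\n".join(parts)


def _ldif_entry(der: bytes) -> str:
    """Render an entry the way `ldapsearch -LLL` prints a binary attribute."""
    attr = "userCertificate;binary:: " + base64.b64encode(der).decode()
    return "dn: uid=pkidbuser,ou=people,o=ipaca\nobjectClass: top\n" + _fold(attr) + "\n\n"


# Constructed sample captures: one consistent pair and one stale LDAP copy.
SAMPLE_PEM = _pem_block(_FAKE_DER)
SAMPLE_LDIF = _ldif_entry(_FAKE_DER)
STALE_LDIF = _ldif_entry(_FAKE_DER[:-1] + b"\x00")


def unfold_ldif(text: str) -> list[str]:
    """Join folded LDIF continuation lines back onto their logical line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def cert_from_ldif(text: str) -> bytes:
    """Return the DER bytes of the first userCertificate attribute in the LDIF."""
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        # Accept both 'userCertificate' and 'userCertificate;binary'.
        if attr.split(";")[0].lower() != "usercertificate":
            continue
        value = value.strip()
        if not value.startswith(":"):
            raise ValueError("userCertificate is not base64-encoded (expected '::')")
        return base64.b64decode(value[1:].strip())
    raise ValueError("no userCertificate attribute found in LDIF")


def cert_from_pem(text: str) -> bytes:
    """Return the DER bytes of the first PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form certutil/openssl print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_match(pem_text: str, ldif_text: str) -> bool:
    """True when the NSS DB and LDAP hold byte-identical certificates."""
    return fingerprint(cert_from_pem(pem_text)) == fingerprint(cert_from_ldif(ldif_text))


if __name__ == "__main__":
    for label, ldif in (("consistent", SAMPLE_LDIF), ("stale", STALE_LDIF)):
        print(label, "NSS:", fingerprint(cert_from_pem(SAMPLE_PEM))[:23],
              "LDAP:", fingerprint(cert_from_ldif(ldif))[:23],
              "match" if certs_match(SAMPLE_PEM, ldif) else "MISMATCH")
```

With real captures, replace SAMPLE_PEM and SAMPLE_LDIF with the file contents; a mismatch means the LDAP copy was not updated when the certificate was renewed, which is the condition the blog post's fix addresses, while a matching pair points the investigation elsewhere (for instance at the key in the NSS database, as in the certutil -K error above).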