CS.cfg was modified so pki-tomcat can log in using a password and non-secure LDAP. At least it is working now:

< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
---
> internaldb.ldapauth.authtype=SslClientAuth
> internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
780,781c780,781
< internaldb.ldapconn.port=389
< internaldb.ldapconn.secureConn=false
---
> internaldb.ldapconn.port=636
> internaldb.ldapconn.secureConn=true

Reverted to the old config, stopped/started ipa, debug shows pki-tomcatd cannot log in:

11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.blabla.bla port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)

Winfried
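Added example (not from the thread, nor part of FreeIPA or Dogtag): a small audit of the internaldb.* keys in CS.cfg that tells the two sides of the diff above apart. The workaround side (BasicAuth as cn=Directory Manager over plaintext LDAP on 389) produces findings; the original side (SslClientAuth as uid=pkidbuser over LDAPS on 636) passes clean. The two config fragments are constructed from the diff in the thread; the path /etc/pki/pki-tomcat/ca/CS.cfg is the one named later in the thread.

```python
"""Audit the internaldb.* settings in a Dogtag (pki-tomcat) CS.cfg.

Added example, not part of FreeIPA or Dogtag. It flags the weakened
configuration from the thread (password bind as Directory Manager over
plaintext LDAP on 389) and passes the original one (LDAPS on 636 with
TLS client-certificate authentication as uid=pkidbuser).
"""
import sys
from typing import Dict, List

# Constructed fragments: the two sides of the CS.cfg diff posted in the thread.
WORKAROUND_CFG = """\
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
"""

ORIGINAL_CFG = """\
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines. Comments (#) and blanks are skipped; a value may
    itself contain '=' (a bind DN does), so only the first '=' splits."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_internaldb(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weak or inconsistent internaldb setting."""
    findings: List[str] = []
    secure = settings.get("internaldb.ldapconn.secureConn", "false").lower() == "true"
    port = settings.get("internaldb.ldapconn.port", "")
    authtype = settings.get("internaldb.ldapauth.authtype", "")
    bind_dn = settings.get("internaldb.ldapauth.bindDN", "")

    if not secure:
        findings.append("secureConn=false: CA database traffic, including the bind, is unencrypted")
    # LDAPS is conventionally 636 and plain LDAP 389; a mismatch usually means
    # a half-applied change like the one in the thread.
    if (secure and port == "389") or (not secure and port == "636"):
        findings.append(f"port {port} does not match secureConn={'true' if secure else 'false'}")
    if authtype != "SslClientAuth":
        findings.append(f"authtype={authtype or '<unset>'}: password bind instead of TLS client-certificate authentication")
    if bind_dn.lower() == "cn=directory manager":
        findings.append("bindDN=cn=Directory Manager: the CA binds as the directory super-user instead of its own service account")
    return findings


def main(argv: List[str]) -> int:
    # Path from the thread; pass another path as argv[1] to audit a different file.
    path = argv[1] if len(argv) > 1 else "/etc/pki/pki-tomcat/ca/CS.cfg"
    with open(path, encoding="utf-8") as fh:
        findings = audit_internaldb(parse_cs_cfg(fh.read()))
    for finding in findings:
        print(f"[warn] {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a live CS.cfg before and after a change like the one above; a non-zero exit means the CA is still on the weakened configuration.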


On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
> Winfried de Heiden via FreeIPA-users wrote:
>> Hi All,
>>
>> Somewhere after an update (I guess) I have issues;
>> pki-tomcatd@pki-tomcat.service will not start since it cannot log in to
>> LDAP. It seems I have some certificate issues:
>>
>> getcert list shows:
>>
>> Request ID '20170129002017':
>>     status: CA_UNREACHABLE
>>     ca-error: Server at https://ipa.example.com/ipa/xml failed request,
>> will retry: 4035 (RPC failed at server.  Request failed with status 500:
>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>>     stuck: no
>>     key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
>>     certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>>     subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>>     expires: 2017-09-27 17:26:00 CEST
>>     key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
>>     track: yes
>>     auto-renew: yes
>> Request ID '20170129002024':
>>     status: CA_UNREACHABLE
>>     ca-error: Server at https://ipa.example.com/ipa/xml failed request,
>> will retry: 4035 (RPC failed at server.  Request failed with status 500:
>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>>     stuck: no
>>     key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>>     subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>>     expires: 2017-09-27 17:41:26 CEST
>>     key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes
>>
>> (I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
>> How to fix this? Something seems wrong with the DIRSRV certificate and
>> http....:(
> What did you modify?
>
>> How to fix? What could have caused this issue?
> This is likely not a problem with the certificates but with the
> certificate profiles. The dogtag debug log may have more information.
>
> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
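Added example (not from the thread, nor part of certmonger or FreeIPA): a parser for `getcert list` output like the one quoted above, with a check that reports every tracking request whose status is not MONITORING or whose certificate expires within 30 days of a reference date. The sample input is constructed from the two requests quoted in the thread, abbreviated and kept with the line wrapping the mail client introduced, which the parser tolerates; the reference date 2017-09-11 is the date of the thread.

```python
"""Parse `getcert list` output and flag requests that need attention.

Added example, not part of certmonger or FreeIPA. A request is reported when
its status is not MONITORING or its certificate expires within WARN_DAYS.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional

WARN_DAYS = 30
REFERENCE_DATE = date(2017, 9, 11)  # date of the thread, used for the offline run

# Constructed sample: the two requests quoted in the thread, abbreviated, with
# the wrapping the mail client introduced left in place.
SAMPLE_GETCERT = """\
Request ID '20170129002017':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server.  Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
    CA: IPA
    expires: 2017-09-27 17:26:00 CEST
    auto-renew: yes
Request ID '20170129002024':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server.  Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: IPA
    expires: 2017-09-27 17:41:26 CEST
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """One dict per request. Indented 'key: value' lines start a field; an
    unindented line that is not a request header continues the previous field
    (that is how mail-wrapped output arrives)."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue
        if raw[0] in " \t" and ":" in raw:
            key, _, value = raw.strip().partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
        elif last_key is not None:
            current[last_key] = f"{current[last_key]} {raw.strip()}".strip()
    return requests


def parse_expiry(value: str) -> Optional[datetime]:
    """'2017-09-27 17:26:00 CEST' -> datetime. The zone name is dropped; the
    check below works at day granularity, so the offset does not matter."""
    try:
        return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None


def nss_field(storage: str, name: str) -> str:
    """Pull nickname='...' or location='...' out of a key pair storage value."""
    m = re.search(rf"{name}='([^']*)'", storage)
    return m.group(1) if m else ""


def assess(requests: List[Dict[str, str]], today: date,
           warn_days: int = WARN_DAYS) -> List[Dict[str, object]]:
    """Return one report row per request; 'problems' is empty when healthy."""
    report: List[Dict[str, object]] = []
    for req in requests:
        problems: List[str] = []
        status = req.get("status", "")
        if status != "MONITORING":
            detail = req.get("ca-error", "")
            problems.append(f"status {status}" + (f" ({detail})" if detail else ""))
        expiry = parse_expiry(req.get("expires", ""))
        days_left: Optional[int] = None
        if expiry is None:
            problems.append("expiry date missing or unparseable")
        else:
            days_left = (expiry.date() - today).days
            if days_left <= warn_days:
                problems.append(f"expires in {days_left} days")
        storage = req.get("key pair storage", "")
        report.append({"request_id": req["request_id"],
                       "nickname": nss_field(storage, "nickname"),
                       "location": nss_field(storage, "location"),
                       "days_left": days_left, "problems": problems})
    return report


if __name__ == "__main__":
    # Offline run on the constructed sample; for a live host feed the parser
    # the stdout of `getcert list` and pass date.today() instead.
    for row in assess(parse_getcert_list(SAMPLE_GETCERT), REFERENCE_DATE):
        print(f"{'WARN' if row['problems'] else 'OK  '} {row['request_id']} "
              f"{row['nickname']} @ {row['location']}")
        for problem in row["problems"]:
            print(f"      - {problem}")
```

On the quoted output both requests come back with two problems each: the CA_UNREACHABLE status carrying the "Policy Set Not Found" error, and an expiry only 16 days away, which is the combination that made the thread urgent.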