6:17 p.m.
Hello,
I came back from vacation and noticed that the pki-tomcatd was not running. All other
services are running fine, I can kinit admin and search for users, I can also log into the
UI and see everything. When I try to start the service I see the following errors:
Mar 11 20:44:44 ldap01.app.uaap.maxar.com ipa-pki-wait-running[7903]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 11 20:44:44 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd(a)pki-tomcat.service:
Start-post operation timed out. Stopping.
I have checked all the certs and everything is in order:
$ getcert list | grep expire
expires: 2025-01-22 14:07:35 UTC
expires: 2025-01-22 14:06:46 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2043-02-02 14:06:44 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2025-02-02 14:08:10 UTC
I also have checked this:
$ klist -ekt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes256-cts-hmac-sha1-96)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes128-cts-hmac-sha1-96)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes128-cts-hmac-sha256-128)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes256-cts-hmac-sha384-192)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(camellia128-cts-cmac)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(camellia256-cts-cmac)
not sure if that's correct or not. Please help, I don't see why pki-tomcatd would
just die on me for no reason. I haven't run any updates / upgrades on the system and
it was working fine before I left. Thanks
9:02 p.m.
Omar Pagan via FreeIPA-users wrote:
Hello,
I came back from vacation and noticed that the pki-tomcatd was not running. All other
services are running fine, I can kinit admin and search for users, I can also log into the
UI and see everything. When I try to start the service I see the following errors:
Mar 11 20:44:44 ldap01.app.uaap.maxar.com ipa-pki-wait-running[7903]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 11 20:44:44 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd(a)pki-tomcat.service:
Start-post operation timed out. Stopping.
I have checked all the certs and everything is in order:
$ getcert list | grep expire
expires: 2025-01-22 14:07:35 UTC
expires: 2025-01-22 14:06:46 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2043-02-02 14:06:44 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2025-02-02 14:08:10 UTC
I also have checked this:
$ klist -ekt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes256-cts-hmac-sha1-96)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes128-cts-hmac-sha1-96)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes128-cts-hmac-sha256-128)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(aes256-cts-hmac-sha384-192)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(camellia128-cts-cmac)
2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com(a)APP.UAAP.MAXAR.COM
(camellia256-cts-cmac)
not sure if that's correct or not. Please help, I don't see why pki-tomcatd
would just die on me for no reason. I haven't run any updates / upgrades on the
system and it was working fine before I left. Thanks
The keytab is unrelated.
I'd start with: ipactl status
Confirm that it isn't running. Then try ipactl start and it will try to
restart it. Maybe it was reaped by the OOM killer. The journal should
tell you.
If it starts then ipa cert-find --sizelimit 10 is a pretty lightweight
way to confirm that it is reachable and at least sort of working.
Otherwise PKI runs as a webapp so a 404 means it wasn't loaded by
tomcat. I'd suggest checking the logs in /var/log/pki. There may be
something in catalina or in ca/debug-<date>. The latter most likely. Be
wary that there be dragons. PKI often charges on after hitting an error
so the last one is often a red herring.
rob
9:11 p.m.
[root @ ldap01] /home/rocky
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
1 service(s) are not running
starting ipa is failing for the pki-tomcatd, here are the errors I'm seeing:
Mar 12 02:10:02 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:03 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:04 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:05 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:06 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:07 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd(a)pki-tomcat.service:
Start-post operation timed out. Stopping.
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd(a)pki-tomcat.service:
Failed with result 'timeout'.
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: Failed to start PKI Tomcat Server
pki-tomcat.
$ ipa cert-find --sizelimit 10
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS
(503)
The catalina logs are empty, but when I run the 'ipactl start' I see port 8080
running, not sure why it can't connect. Thoughts?
9:15 p.m.
also, here is more in the journal:
-- Logs begin at Mon 2024-03-11 19:39:50 UTC, end at Tue 2024-03-12 02:11:21 UTC. --
Mar 11 19:40:19 ldap01.app.uaap.maxar.com systemd[1]: Starting PKI Tomcat Server
pki-tomcat...
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: Java virtual machine used:
/usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: main class used:
org.apache.catalina.startup.Bootstrap
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: flags used:
-Dcom.redhat.fips=false
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Dj>
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: arguments used: start
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: pki.client:
/usr/libexec/ipa/ipa-pki-wait-running:64: The subsystem in PKIConnection.__init__() has
been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]:
ipa-pki-wait-running: Created connection http://ldap01.app.uaap.maxar.com:8080/ca
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]:
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Max retries
exceeded with url: /ca/admin/ca/getStatus (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection>
Mar 11 19:40:23 ldap01.app.uaap.maxar.com server[1937]: WARNING: Some of the specified
[protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
Mar 11 19:40:24 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]:
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Read timed out.
(read timeout=1.0)
Mar 11 19:40:26 ldap01.app.uaap.maxar.com server[1937]: SEVERE: One or more listeners
failed to start. Full details will be found in the appropriate container log file
Mar 11 19:40:26 ldap01.app.uaap.maxar.com server[1937]: SEVERE: Context [/ca] startup
failed due to previous errors
Mar 11 19:40:26 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]:
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Read timed out.
(read timeout=1.0)
Mar 11 19:40:27 ldap01.app.uaap.maxar.com server[1937]: SEVERE: One or more listeners
failed to start. Full details will be found in the appropriate container log file
Mar 11 19:40:27 ldap01.app.uaap.maxar.com server[1937]: SEVERE: Context [/acme] startup
failed due to previous errors
Mar 11 19:40:27 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStatus
Mar 11 19:40:28 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]:
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url:
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStatus
9:26 p.m.
and this is from the ca/debug file:
2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to connect to LDAP
server: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's
Certificate has expired.
Unable to connect to LDAP server: Unable to create socket:
org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException:
SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:305)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:263)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:226)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:195)
at org.dogtagpki.server.ca.CAEngine.initDatabase(CAEngine.java:199)
at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1105)
at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1688)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: netscape.ldap.LDAPException: Unable to create socket:
org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException:
SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired. (-1)
at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:202)
at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
at netscape.ldap.LDAPConnThread.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at
com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:108)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:287)
... 51 more
2024-03-12 02:18:41 [main] INFO: Shutting down CA subsystem
2024-03-12 02:18:41 [main] SEVERE: Exception sending context initialized event to listener
instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.NullPointerException
at com.netscape.cmscore.apps.CMSEngine.shutdownAuthSubsystem(CMSEngine.java:1291)
at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1368)
at org.dogtagpki.server.ca.CAEngine.shutdown(CAEngine.java:1741)
at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1692)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
2024-03-12 02:18:41 [main] INFO: Shutting down CA subsystem
2024-03-12 02:18:41 [main] SEVERE: Exception sending context destroyed event to listener
instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.NullPointerException
at com.netscape.cmscore.apps.CMSEngine.shutdownAuthSubsystem(CMSEngine.java:1291)
at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1368)
at org.dogtagpki.server.ca.CAEngine.shutdown(CAEngine.java:1741)
at com.netscape.cmscore.apps.CMSEngine.contextDestroyed(CMSEngine.java:1699)
at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4732)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5396)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:257)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:187)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
2:49 a.m.
Hi,
in your first email you pasted the output of getcert list, and it's
reporting only 7 certificates. It's likely that your server is using
certmonger for the pkinit cert, the 5 certs for PKI and the RA cert,
meaning that the HTTP and LDAP server certificates are externally signed
and not tracked by certmonger.
You need to check the LDAP server cert:
certutil -L -d /etc/dirsrv/slapd-YOUR-DOMAIN -n 'Server-Cert'
and the HTTP server cert:
openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
If they are expired they need to be renewed with your external CA and
replaced.
flo
On Tue, Mar 12, 2024 at 3:27 AM Omar Pagan via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
and this is from the ca/debug file:
2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to
connect to LDAP server: Unable to create socket:
org.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
Peer's Certificate has expired.
Unable to connect to LDAP server: Unable to create socket:
org.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
Peer's Certificate has expired.
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:305)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:263)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:226)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:195)
at org.dogtagpki.server.ca
.CAEngine.initDatabase(CAEngine.java:199)
at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1105)
at
com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1688)
at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at
org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at
org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at
org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: netscape.ldap.LDAPException: Unable to create socket:
org.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
Peer's Certificate has expired. (-1)
at
com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:202)
at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
at netscape.ldap.LDAPConnThread.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at
com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:108)
at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:287)
... 51 more
2024-03-12 02:18:41 [main] INFO: Shutting down CA subsystem
2024-03-12 02:18:41 [main] SEVERE: Exception sending context initialized
event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.NullPointerException
at
com.netscape.cmscore.apps.CMSEngine.shutdownAuthSubsystem(CMSEngine.java:1291)
at
com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1368)
at org.dogtagpki.server.ca.CAEngine.shutdown(CAEngine.java:1741)
at
com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1692)
at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at
org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at
org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at
org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
2024-03-12 02:18:41 [main] INFO: Shutting down CA subsystem
2024-03-12 02:18:41 [main] SEVERE: Exception sending context destroyed
event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.NullPointerException
at
com.netscape.cmscore.apps.CMSEngine.shutdownAuthSubsystem(CMSEngine.java:1291)
at
com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1368)
at org.dogtagpki.server.ca.CAEngine.shutdown(CAEngine.java:1741)
at
com.netscape.cmscore.apps.CMSEngine.contextDestroyed(CMSEngine.java:1699)
at
org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4732)
at
org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5396)
at
org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:257)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:187)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at
org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at
org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at
org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
7:49 a.m.
[root @ ldap01]
$ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
Not Before: Jan 12 15:30:18 2024 GMT
Not After : Jan 11 15:30:18 2025 GMT
also, am I looking at the correct one here?:
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
APP.UAAP.MAXAR.COM IPA CA CT,C,C
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com C,,
CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com C,,
CN=Maxar Policy CA East,DC=Maxar,DC=com C,,
CN=Maxar Policy CA West,DC=Maxar,DC=com C,,
CN=Maxar Root CA,CN=Maxar,CN=com C,,
CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
u,u,u
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA
CA' | grep Not
Not Before: Thu Feb 02 14:06:44 2023
Not After : Mon Feb 02 14:06:44 2043
12:47 p.m.
Hi,
On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
[root @ ldap01]
$ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
Not Before: Jan 12 15:30:18 2024 GMT
Not After : Jan 11 15:30:18 2025 GMT
So httpd server cert is still valid.
also, am I looking at the correct one here?:
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
APP.UAAP.MAXAR.COM IPA CA CT,C,C
^^ this one is IPA CA, not the server certificate for LDAP.
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com C,,
CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com C,,
CN=Maxar Policy CA East,DC=Maxar,DC=com C,,
CN=Maxar Policy CA West,DC=Maxar,DC=com C,,
CN=Maxar Root CA,CN=Maxar,CN=com C,,
CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
Inc,L=Herndon,ST=Virginia,C=US u,u,u
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n '
APP.UAAP.MAXAR.COM IPA CA' | grep Not
Not Before: Thu Feb 02 14:06:44 2023
Not After : Mon Feb 02 14:06:44 2043
Based on the nicknames, I would check
'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
Technologies Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in
the entry cn=RSA,cn=encryption,cn=config in the attribute
nsSSLPersonalitySSL.
For instance in my server I have:
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
modifiersName: cn=Directory Manager
modifyTimestamp: 20220121155703Z
nsSSLActivation: on
*nsSSLPersonalitySSL: Server-Cert*
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule
HTH,
flo
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
1:31 p.m.
okay, so I think you found the issue:
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=
ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
Inc,L=Herndon,ST=Virginia,C=US' | grep Not
Not Before: Fri Jan 06 19:36:22 2023
Not After : Sat Jan 06 19:36:22 2024
Where's the actual location of the server certificate? Thanks,
On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
Hi,
On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> [root @ ldap01]
> $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
> Not Before: Jan 12 15:30:18 2024 GMT
> Not After : Jan 11 15:30:18 2025 GMT
>
So httpd server cert is still valid.
> also, am I looking at the correct one here?:
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>
> Certificate Nickname Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> APP.UAAP.MAXAR.COM IPA CA CT,C,C
>
^^ this one is IPA CA, not the server certificate for LDAP.
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com C,,
> CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com C,,
> CN=Maxar Policy CA East,DC=Maxar,DC=com C,,
> CN=Maxar Policy CA West,DC=Maxar,DC=com C,,
> CN=Maxar Root CA,CN=Maxar,CN=com C,,
> CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US u,u,u
>
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n '
> APP.UAAP.MAXAR.COM IPA CA' | grep Not
> Not Before: Thu Feb 02 14:06:44 2023
> Not After : Mon Feb 02 14:06:44 2043
>
Based on the nicknames, I would check 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
Technologies Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in
the entry cn=RSA,cn=encryption,cn=config in the attribute
nsSSLPersonalitySSL.
For instance in my server I have:
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
modifiersName: cn=Directory Manager
modifyTimestamp: 20220121155703Z
nsSSLActivation: on
*nsSSLPersonalitySSL: Server-Cert*
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule
HTH,
flo
--
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
1:41 p.m.
Omar via FreeIPA-users wrote:
okay, so I think you found the issue:
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
'CN=ldap.app.uaap.maxar.com
<http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
Inc,L=Herndon,ST=Virginia,C=US' | grep Not
Not Before: Fri Jan 06 19:36:22 2023
Not After : Sat Jan 06 19:36:22 2024
Where's the actual location of the server certificate? Thanks,
It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
You should be able to use ipa-server-certinstall to add a renewed
certificate in a similar way that this one was added.
rob
On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <flo(a)redhat.com
<mailto:flo@redhat.com>> wrote:
Hi,
On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
[root @ ldap01]
$ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt |
grep Not
Not Before: Jan 12 15:30:18 2024 GMT
Not After : Jan 11 15:30:18 2025 GMT
So httpd server cert is still valid.
also, am I looking at the correct one here?:
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
Certificate Nickname
Trust Attributes
SSL,S/MIME,JAR/XPI
APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM> IPA CA
CT,C,C
^^ this one is IPA CA, not the server certificate for LDAP.
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com C,,
CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com C,,
CN=Maxar Policy CA East,DC=Maxar,DC=com C,,
CN=Maxar Policy CA West,DC=Maxar,DC=com C,,
CN=Maxar Root CA,CN=Maxar,CN=com C,,
CN=ldap.app.uaap.maxar.com
<http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
Inc,L=Herndon,ST=Virginia,C=US u,u,u
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
'APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM> IPA CA' | grep Not
Not Before: Thu Feb 02 14:06:44 2023
Not After : Mon Feb 02 14:06:44 2043
Based on the nicknames, I would check 'CN=ldap.app.uaap.maxar.com
<http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert name in
/etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in the
entry cn=RSA,cn=encryption,cn=configin the attribute
nsSSLPersonalitySSL.
For instance in my server I have:
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
modifiersName: cn=Directory Manager
modifyTimestamp: 20220121155703Z
nsSSLActivation: on
*nsSSLPersonalitySSL: Server-Cert*
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule
HTH,
flo
--
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
1:48 p.m.
roger that. I thought about doing the:
ipa-cacert-manager, but that would be wrong, correct?
if I do the ipa-server-certinstall, do I need to specify either -d / -w /
or -k? Thanks,
On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Omar via FreeIPA-users wrote:
> okay, so I think you found the issue:
>
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> 'CN=ldap.app.uaap.maxar.com
> <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> Not Before: Fri Jan 06 19:36:22 2023
> Not After : Sat Jan 06 19:36:22 2024
>
> Where's the actual location of the server certificate? Thanks,
It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
You should be able to use ipa-server-certinstall to add a renewed
certificate in a similar way that this one was added.
rob
>
>
> On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <flo(a)redhat.com
> <mailto:flo@redhat.com>> wrote:
>
> Hi,
>
> On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>
> [root @ ldap01]
> $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt |
> grep Not
> Not Before: Jan 12 15:30:18 2024 GMT
> Not After : Jan 11 15:30:18 2025 GMT
>
> So httpd server cert is still valid.
>
>
> also, am I looking at the correct one here?:
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>
> Certificate Nickname
> Trust Attributes
>
> SSL,S/MIME,JAR/XPI
>
> APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM> IPA CA
> CT,C,C
>
> ^^ this one is IPA CA, not the server certificate for LDAP.
>
> CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com C,,
> CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com C,,
> CN=Maxar Policy CA East,DC=Maxar,DC=com C,,
> CN=Maxar Policy CA West,DC=Maxar,DC=com C,,
> CN=Maxar Root CA,CN=Maxar,CN=com C,,
> CN=ldap.app.uaap.maxar.com
> <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US u,u,u
>
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> 'APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM> IPA CA' |
grep
Not
> Not Before: Thu Feb 02 14:06:44 2023
> Not After : Mon Feb 02 14:06:44 2043
>
> Based on the nicknames, I would check 'CN=ldap.app.uaap.maxar.com
> <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert name in
> /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in the
> entry cn=RSA,cn=encryption,cn=configin the attribute
> nsSSLPersonalitySSL.
> For instance in my server I have:
>
> dn: cn=RSA,cn=encryption,cn=config
> cn: RSA
> modifiersName: cn=Directory Manager
> modifyTimestamp: 20220121155703Z
> nsSSLActivation: on
> *nsSSLPersonalitySSL: Server-Cert*
> nsSSLToken: internal (software)
> objectClass: top
> objectClass: nsEncryptionModule
>
> HTH,
> flo
>
>
> --
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
>
1:56 p.m.
Omar wrote:
roger that. I thought about doing the:
ipa-cacert-manager, but that would be wrong, correct?
Correct, assuming your updated cert is from the same CA.
if I do the ipa-server-certinstall, do I need to specify either -d / -w
/ or -k? Thanks,
You want -d (directory server)
rob
On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
Omar via FreeIPA-users wrote:
> okay, so I think you found the issue:
>
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> Not Before: Fri Jan 06 19:36:22 2023
> Not After : Sat Jan 06 19:36:22 2024
>
> Where's the actual location of the server certificate? Thanks,
It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
You should be able to use ipa-server-certinstall to add a renewed
certificate in a similar way that this one was added.
rob
>
>
> On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud
<flo(a)redhat.com <mailto:flo@redhat.com>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote:
>
> Hi,
>
> On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> <mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>> wrote:
>
> [root @ ldap01]
> $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt |
> grep Not
> Not Before: Jan 12 15:30:18 2024 GMT
> Not After : Jan 11 15:30:18 2025 GMT
>
> So httpd server cert is still valid.
>
>
> also, am I looking at the correct one here?:
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>
> Certificate Nickname
> Trust Attributes
>
> SSL,S/MIME,JAR/XPI
>
> APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
<http://APP.UAAP.MAXAR.COM> IPA CA
> CT,C,C
>
> ^^ this one is IPA CA, not the server certificate for LDAP.
>
> CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
C,,
> CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
C,,
> CN=Maxar Policy CA East,DC=Maxar,DC=com
C,,
> CN=Maxar Policy CA West,DC=Maxar,DC=com
C,,
> CN=Maxar Root CA,CN=Maxar,CN=com
C,,
> CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US u,u,u
>
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> 'APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
<http://APP.UAAP.MAXAR.COM> IPA CA' | grep Not
> Not Before: Thu Feb 02 14:06:44 2023
> Not After : Mon Feb 02 14:06:44 2043
>
> Based on the nicknames, I would check
'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
name in
> /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored
in the
> entry cn=RSA,cn=encryption,cn=configin the attribute
> nsSSLPersonalitySSL.
> For instance in my server I have:
>
> dn: cn=RSA,cn=encryption,cn=config
> cn: RSA
> modifiersName: cn=Directory Manager
> modifyTimestamp: 20220121155703Z
> nsSSLActivation: on
> *nsSSLPersonalitySSL: Server-Cert*
> nsSSLToken: internal (software)
> objectClass: top
> objectClass: nsEncryptionModule
>
> HTH,
> flo
>
>
> --
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> <mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
> <mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
>
2:26 p.m.
Hey Rob,
Have you seen this before?:
ipa-server-certinstall -p <password> -d --cert-name=ldap
./ldap.app.uaap.maxar.com.crt
Enter private key unlock password:
*No server certificates found in ./ldap.app.uaap.maxar.com.crt*
The ipa-server-certinstall command failed.
On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Omar wrote:
> roger that. I thought about doing the:
> ipa-cacert-manager, but that would be wrong, correct?
Correct, assuming your updated cert is from the same CA.
>
> if I do the ipa-server-certinstall, do I need to specify either -d / -w
> / or -k? Thanks,
You want -d (directory server)
rob
>
> On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Omar via FreeIPA-users wrote:
> > okay, so I think you found the issue:
> >
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> > 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> > Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> > Not Before: Fri Jan 06 19:36:22 2023
> > Not After : Sat Jan 06 19:36:22 2024
> >
> > Where's the actual location of the server certificate? Thanks,
>
> It is stored in the NSS database at
/etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
>
> You should be able to use ipa-server-certinstall to add a renewed
> certificate in a similar way that this one was added.
>
> rob
>
> >
> >
> > On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud
> <flo(a)redhat.com <mailto:flo@redhat.com>
> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote:
> >
> > Hi,
> >
> > On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
> > <freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>> wrote:
> >
> > [root @ ldap01]
> > $ openssl x509 -noout -text -in
/var/lib/ipa/certs/httpd.crt |
> > grep Not
> > Not Before: Jan 12 15:30:18 2024 GMT
> > Not After : Jan 11 15:30:18 2025 GMT
> >
> > So httpd server cert is still valid.
> >
> >
> > also, am I looking at the correct one here?:
> > [root @ ldap01]
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
> >
> > Certificate Nickname
> > Trust Attributes
> >
> > SSL,S/MIME,JAR/XPI
> >
> > APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> <http://APP.UAAP.MAXAR.COM> IPA CA
> > CT,C,C
> >
> > ^^ this one is IPA CA, not the server certificate for LDAP.
> >
> > CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> C,,
> > CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> C,,
> > CN=Maxar Policy CA East,DC=Maxar,DC=com
> C,,
> > CN=Maxar Policy CA West,DC=Maxar,DC=com
> C,,
> > CN=Maxar Root CA,CN=Maxar,CN=com
> C,,
> > CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com
>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar
Technologies
> > Inc,L=Herndon,ST=Virginia,C=US u,u,u
> >
> > [root @ ldap01]
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> > 'APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> <http://APP.UAAP.MAXAR.COM> IPA CA' | grep Not
> > Not Before: Thu Feb 02 14:06:44 2023
> > Not After : Mon Feb 02 14:06:44 2043
> >
> > Based on the nicknames, I would check
> 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> > Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
> name in
> > /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored
> in the
> > entry cn=RSA,cn=encryption,cn=configin the attribute
> > nsSSLPersonalitySSL.
> > For instance in my server I have:
> >
> > dn: cn=RSA,cn=encryption,cn=config
> > cn: RSA
> > modifiersName: cn=Directory Manager
> > modifyTimestamp: 20220121155703Z
> > nsSSLActivation: on
> > *nsSSLPersonalitySSL: Server-Cert*
> > nsSSLToken: internal (software)
> > objectClass: top
> > objectClass: nsEncryptionModule
> >
> > HTH,
> > flo
> >
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list --
> > freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > Fedora Code of Conduct:
> >
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> >
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
> >
>
2:49 p.m.
What flag should I use to specify the cert.key file?
On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Omar wrote:
> roger that. I thought about doing the:
> ipa-cacert-manager, but that would be wrong, correct?
Correct, assuming your updated cert is from the same CA.
>
> if I do the ipa-server-certinstall, do I need to specify either -d / -w
> / or -k? Thanks,
You want -d (directory server)
rob
>
> On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Omar via FreeIPA-users wrote:
> > okay, so I think you found the issue:
> >
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> > 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> > Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> > Not Before: Fri Jan 06 19:36:22 2023
> > Not After : Sat Jan 06 19:36:22 2024
> >
> > Where's the actual location of the server certificate? Thanks,
>
> It is stored in the NSS database at
/etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
>
> You should be able to use ipa-server-certinstall to add a renewed
> certificate in a similar way that this one was added.
>
> rob
>
> >
> >
> > On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud
> <flo(a)redhat.com <mailto:flo@redhat.com>
> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote:
> >
> > Hi,
> >
> > On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
> > <freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>> wrote:
> >
> > [root @ ldap01]
> > $ openssl x509 -noout -text -in
/var/lib/ipa/certs/httpd.crt |
> > grep Not
> > Not Before: Jan 12 15:30:18 2024 GMT
> > Not After : Jan 11 15:30:18 2025 GMT
> >
> > So httpd server cert is still valid.
> >
> >
> > also, am I looking at the correct one here?:
> > [root @ ldap01]
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
> >
> > Certificate Nickname
> > Trust Attributes
> >
> > SSL,S/MIME,JAR/XPI
> >
> > APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> <http://APP.UAAP.MAXAR.COM> IPA CA
> > CT,C,C
> >
> > ^^ this one is IPA CA, not the server certificate for LDAP.
> >
> > CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> C,,
> > CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> C,,
> > CN=Maxar Policy CA East,DC=Maxar,DC=com
> C,,
> > CN=Maxar Policy CA West,DC=Maxar,DC=com
> C,,
> > CN=Maxar Root CA,CN=Maxar,CN=com
> C,,
> > CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com
>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar
Technologies
> > Inc,L=Herndon,ST=Virginia,C=US u,u,u
> >
> > [root @ ldap01]
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> > 'APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> <http://APP.UAAP.MAXAR.COM> IPA CA' | grep Not
> > Not Before: Thu Feb 02 14:06:44 2023
> > Not After : Mon Feb 02 14:06:44 2043
> >
> > Based on the nicknames, I would check
> 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> > Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
> name in
> > /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored
> in the
> > entry cn=RSA,cn=encryption,cn=configin the attribute
> > nsSSLPersonalitySSL.
> > For instance in my server I have:
> >
> > dn: cn=RSA,cn=encryption,cn=config
> > cn: RSA
> > modifiersName: cn=Directory Manager
> > modifyTimestamp: 20220121155703Z
> > nsSSLActivation: on
> > *nsSSLPersonalitySSL: Server-Cert*
> > nsSSLToken: internal (software)
> > objectClass: top
> > objectClass: nsEncryptionModule
> >
> > HTH,
> > flo
> >
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list --
> > freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > Fedora Code of Conduct:
> >
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> >
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
> >
>
3:02 p.m.
Rob and Flo,
I got it working now, I had to convert my crt to a pkcs12 cert in order to
add. All good now. Thanks,
//omar
On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Omar wrote:
> roger that. I thought about doing the:
> ipa-cacert-manager, but that would be wrong, correct?
Correct, assuming your updated cert is from the same CA.
>
> if I do the ipa-server-certinstall, do I need to specify either -d / -w
> / or -k? Thanks,
You want -d (directory server)
rob
>
> On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Omar via FreeIPA-users wrote:
> > okay, so I think you found the issue:
> >
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> > 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> > Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> > Not Before: Fri Jan 06 19:36:22 2023
> > Not After : Sat Jan 06 19:36:22 2024
> >
> > Where's the actual location of the server certificate? Thanks,
>
> It is stored in the NSS database at
/etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
>
> You should be able to use ipa-server-certinstall to add a renewed
> certificate in a similar way that this one was added.
>
> rob
>
> >
> >
> > On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud
> <flo(a)redhat.com <mailto:flo@redhat.com>
> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote:
> >
> > Hi,
> >
> > On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
> > <freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>> wrote:
> >
> > [root @ ldap01]
> > $ openssl x509 -noout -text -in
/var/lib/ipa/certs/httpd.crt |
> > grep Not
> > Not Before: Jan 12 15:30:18 2024 GMT
> > Not After : Jan 11 15:30:18 2025 GMT
> >
> > So httpd server cert is still valid.
> >
> >
> > also, am I looking at the correct one here?:
> > [root @ ldap01]
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
> >
> > Certificate Nickname
> > Trust Attributes
> >
> > SSL,S/MIME,JAR/XPI
> >
> > APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> <http://APP.UAAP.MAXAR.COM> IPA CA
> > CT,C,C
> >
> > ^^ this one is IPA CA, not the server certificate for LDAP.
> >
> > CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> C,,
> > CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> C,,
> > CN=Maxar Policy CA East,DC=Maxar,DC=com
> C,,
> > CN=Maxar Policy CA West,DC=Maxar,DC=com
> C,,
> > CN=Maxar Root CA,CN=Maxar,CN=com
> C,,
> > CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com
>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar
Technologies
> > Inc,L=Herndon,ST=Virginia,C=US u,u,u
> >
> > [root @ ldap01]
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
> > 'APP.UAAP.MAXAR.COM <http://APP.UAAP.MAXAR.COM>
> <http://APP.UAAP.MAXAR.COM> IPA CA' | grep Not
> > Not Before: Thu Feb 02 14:06:44 2023
> > Not After : Mon Feb 02 14:06:44 2043
> >
> > Based on the nicknames, I would check
> 'CN=ldap.app.uaap.maxar.com <http://ldap.app.uaap.maxar.com>
> > <http://ldap.app.uaap.maxar.com>,OU=UAAP,O=Maxar Technologies
> > Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
> name in
> > /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored
> in the
> > entry cn=RSA,cn=encryption,cn=configin the attribute
> > nsSSLPersonalitySSL.
> > For instance in my server I have:
> >
> > dn: cn=RSA,cn=encryption,cn=config
> > cn: RSA
> > modifiersName: cn=Directory Manager
> > modifyTimestamp: 20220121155703Z
> > nsSSLActivation: on
> > *nsSSLPersonalitySSL: Server-Cert*
> > nsSSLToken: internal (software)
> > objectClass: top
> > objectClass: nsEncryptionModule
> >
> > HTH,
> > flo
> >
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list --
> > freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > Fedora Code of Conduct:
> >
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> >
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
> >
>
68
days inactive
69
days old
freeipa-users@lists.fedorahosted.org
14 comments
4 participants
participants (4)
-
Florence Blanc-Renaud -
Omar -
Omar Pagan
-
Rob Crittenden