Hello,
I came back from vacation and noticed that the pki-tomcatd was not running. All other services are running fine, I can kinit admin and search for users, I can also log into the UI and see everything. When I try to start the service I see the following errors:

Mar 11 20:44:44 ldap01.app.uaap.maxar.com ipa-pki-wait-running[7903]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 11 20:44:44 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.

I have checked all the certs and everything is in order:

$ getcert list | grep expire
expires: 2025-01-22 14:07:35 UTC
expires: 2025-01-22 14:06:46 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2043-02-02 14:06:44 UTC
expires: 2025-01-22 14:06:45 UTC
expires: 2025-02-02 14:08:10 UTC

I also have checked this:

$ klist -ekt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes256-cts-hmac-sha1-96)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes128-cts-hmac-sha1-96)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes128-cts-hmac-sha256-128)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes256-cts-hmac-sha384-192)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (camellia128-cts-cmac)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (camellia256-cts-cmac)
not sure if that's correct or not. Please help, I don't see why pki-tomcatd would just die on me for no reason. I haven't run any updates / upgrades on the system and it was working fine before I left. Thanks
Omar Pagan via FreeIPA-users wrote:
The keytab is unrelated.
I'd start with: ipactl status
Confirm that it isn't running. Then try ipactl start and it will try to restart it. Maybe it was reaped by the OOM killer. The journal should tell you.
If it starts then ipa cert-find --sizelimit 10 is a pretty lightweight way to confirm that it is reachable and at least sort of working.
Otherwise PKI runs as a webapp so a 404 means it wasn't loaded by tomcat. I'd suggest checking the logs in /var/log/pki. There may be something in catalina or in ca/debug-<date>. The latter most likely. Be wary that there be dragons. PKI often charges on after hitting an error so the last one is often a red herring.
rob
[root@ldap01] /home/rocky $ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
1 service(s) are not running

Starting IPA is failing for pki-tomcatd; here are the errors I'm seeing:

Mar 12 02:10:02 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:03 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:04 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:05 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:06 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:07 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

$ ipa cert-find --sizelimit 10
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (503)
The catalina logs are empty, but when I run the 'ipactl start' I see port 8080 running, not sure why it can't connect. Thoughts?
also, here is more in the journal:
-- Logs begin at Mon 2024-03-11 19:39:50 UTC, end at Tue 2024-03-12 02:11:21 UTC. --
Mar 11 19:40:19 ldap01.app.uaap.maxar.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: main class used: org.apache.catalina.startup.Bootstrap
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: flags used: -Dcom.redhat.fips=false
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Dj>
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: arguments used: start
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:64: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: ipa-pki-wait-running: Created connection http://ldap01.app.uaap.maxar.com:8080/ca
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection>
Mar 11 19:40:23 ldap01.app.uaap.maxar.com server[1937]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
Mar 11 19:40:24 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Read timed out. (read timeout=1.0)
Mar 11 19:40:26 ldap01.app.uaap.maxar.com server[1937]: SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
Mar 11 19:40:26 ldap01.app.uaap.maxar.com server[1937]: SEVERE: Context [/ca] startup failed due to previous errors
Mar 11 19:40:26 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Read timed out. (read timeout=1.0)
Mar 11 19:40:27 ldap01.app.uaap.maxar.com server[1937]: SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
Mar 11 19:40:27 ldap01.app.uaap.maxar.com server[1937]: SEVERE: Context [/acme] startup failed due to previous errors
Mar 11 19:40:27 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStatus
Mar 11 19:40:28 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStatus
and this is from the ca/debug file:

2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to connect to LDAP server: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.
Unable to connect to LDAP server: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:305)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:263)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:226)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:195)
        at org.dogtagpki.server.ca.CAEngine.initDatabase(CAEngine.java:199)
        at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1105)
        at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1688)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired. (-1)
        at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:202)
        at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
        at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
        at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
        at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
        at netscape.ldap.LDAPConnThread.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:108)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:287)
        ... 51 more
2024-03-12 02:18:41 [main] INFO: Shutting down CA subsystem
2024-03-12 02:18:41 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.NullPointerException
        at com.netscape.cmscore.apps.CMSEngine.shutdownAuthSubsystem(CMSEngine.java:1291)
        at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1368)
        at org.dogtagpki.server.ca.CAEngine.shutdown(CAEngine.java:1741)
        at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1692)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
2024-03-12 02:18:41 [main] INFO: Shutting down CA subsystem
2024-03-12 02:18:41 [main] SEVERE: Exception sending context destroyed event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.NullPointerException
        at com.netscape.cmscore.apps.CMSEngine.shutdownAuthSubsystem(CMSEngine.java:1291)
        at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1368)
        at org.dogtagpki.server.ca.CAEngine.shutdown(CAEngine.java:1741)
        at com.netscape.cmscore.apps.CMSEngine.contextDestroyed(CMSEngine.java:1699)
        at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4732)
        at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5396)
        at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:257)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:187)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Hi,
in your first email you pasted the output of getcert list, and it's reporting only 7 certificates. It's likely that your server is using certmonger for the pkinit cert, the 5 certs for PKI and the RA cert, meaning that the HTTP and LDAP server certificates are externally signed and not tracked by certmonger.
You need to check the LDAP server cert:

certutil -L -d /etc/dirsrv/slapd-YOUR-DOMAIN -n 'Server-Cert'

and the HTTP server cert:

openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
If they are expired they need to be renewed with your external CA and replaced. flo
On Tue, Mar 12, 2024 at 3:27 AM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423) at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366) at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936) at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134) at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909) at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) at org.apache.catalina.startup.Catalina.start(Catalina.java:633) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at 
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474) -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[root @ ldap01] $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
            Not Before: Jan 12 15:30:18 2024 GMT
            Not After : Jan 11 15:30:18 2025 GMT

also, am I looking at the correct one here?:

[root @ ldap01] $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/

Certificate Nickname                                                                     Trust Attributes
                                                                                         SSL,S/MIME,JAR/XPI

APP.UAAP.MAXAR.COM IPA CA                                                                CT,C,C
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com                                        C,,
CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com                                        C,,
CN=Maxar Policy CA East,DC=Maxar,DC=com                                                  C,,
CN=Maxar Policy CA West,DC=Maxar,DC=com                                                  C,,
CN=Maxar Root CA,CN=Maxar,CN=com                                                         C,,
CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US   u,u,u

[root @ ldap01] $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
            Not Before: Thu Feb 02 14:06:44 2023
            Not After : Mon Feb 02 14:06:44 2043
Hi,
On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

[root @ ldap01] $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
            Not Before: Jan 12 15:30:18 2024 GMT
            Not After : Jan 11 15:30:18 2025 GMT
So httpd server cert is still valid.
also, am I looking at the correct one here?:

[root @ ldap01] $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/

Certificate Nickname                                                                     Trust Attributes
                                                                                         SSL,S/MIME,JAR/XPI

APP.UAAP.MAXAR.COM IPA CA                                                                CT,C,C
^^ this one is IPA CA, not the server certificate for LDAP.
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com                                        C,,
CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com                                        C,,
CN=Maxar Policy CA East,DC=Maxar,DC=com                                                  C,,
CN=Maxar Policy CA West,DC=Maxar,DC=com                                                  C,,
CN=Maxar Root CA,CN=Maxar,CN=com                                                         C,,
CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US   u,u,u

[root @ ldap01] $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
            Not Before: Thu Feb 02 14:06:44 2023
            Not After : Mon Feb 02 14:06:44 2043
Based on the nicknames, I would check 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in the entry cn=RSA,cn=encryption,cn=config in the attribute nsSSLPersonalitySSL. For instance in my server I have:
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
modifiersName: cn=Directory Manager
modifyTimestamp: 20220121155703Z
nsSSLActivation: on
*nsSSLPersonalitySSL: Server-Cert*
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule

HTH,
flo
okay, so I think you found the issue:
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
            Not Before: Fri Jan 06 19:36:22 2023
            Not After : Sat Jan 06 19:36:22 2024

Where's the actual location of the server certificate?

Thanks,
Omar via FreeIPA-users wrote:
okay, so I think you found the issue:
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
            Not Before: Fri Jan 06 19:36:22 2023
            Not After : Sat Jan 06 19:36:22 2024

Where's the actual location of the server certificate?

Thanks,
It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
You should be able to use ipa-server-certinstall to add a renewed certificate in a similar way that this one was added.
rob
roger that. I thought about doing the: ipa-cacert-manager, but that would be wrong, correct?
if I do the ipa-server-certinstall, do I need to specify either -d / -w / or -k? Thanks,
Omar wrote:
roger that. I thought about doing the: ipa-cacert-manager, but that would be wrong, correct?
Correct, assuming your updated cert is from the same CA.
if I do the ipa-server-certinstall, do I need to specify either -d / -w / or -k? Thanks,
You want -d (directory server)
rob
Hey Rob,
Have you seen this before?:

ipa-server-certinstall -p <password> -d --cert-name=ldap ./ldap.app.uaap.maxar.com.crt
Enter private key unlock password:
*No server certificates found in ./ldap.app.uaap.maxar.com.crt*
The ipa-server-certinstall command failed.
What flag should I use to specify the cert.key file?
Rob and Flo,
I got it working now, I had to convert my crt to a pkcs12 cert in order to add it. All good now. Thanks,
//omar
On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden <rcritten@redhat.com> wrote:

Omar wrote:
> roger that. I thought about doing the: ipa-cacert-manager, but that would be wrong, correct?

Correct, assuming your updated cert is from the same CA.

> if I do the ipa-server-certinstall, do I need to specify either -d / -w / or -k? Thanks,

You want -d (directory server)

rob
On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcritten@redhat.com> wrote:

Omar via FreeIPA-users wrote:
> okay, so I think you found the issue:
>
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> Not Before: Fri Jan 06 19:36:22 2023
> Not After : Sat Jan 06 19:36:22 2024
>
> Where's the actual location of the server certificate? Thanks,

It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM

You should be able to use ipa-server-certinstall to add a renewed certificate in a similar way that this one was added.

rob

> On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
>
> Hi,
>
> On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> [root @ ldap01]
> $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
> Not Before: Jan 12 15:30:18 2024 GMT
> Not After : Jan 11 15:30:18 2025 GMT
>
> So httpd server cert is still valid.
>
> also, am I looking at the correct one here?:
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>
> Certificate Nickname                                        Trust Attributes
>                                                             SSL,S/MIME,JAR/XPI
>
> APP.UAAP.MAXAR.COM IPA CA                                   CT,C,C
>
> ^^ this one is IPA CA, not the server certificate for LDAP.
>
> CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com           C,,
> CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com           C,,
> CN=Maxar Policy CA East,DC=Maxar,DC=com                     C,,
> CN=Maxar Policy CA West,DC=Maxar,DC=com                     C,,
> CN=Maxar Root CA,CN=Maxar,CN=com                            C,,
> CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US   u,u,u
>
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
> Not Before: Thu Feb 02 14:06:44 2023
> Not After : Mon Feb 02 14:06:44 2043
>
> Based on the nicknames, I would check 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in the entry cn=RSA,cn=encryption,cn=config in the attribute nsSSLPersonalitySSL.
> For instance in my server I have:
>
> dn: cn=RSA,cn=encryption,cn=config
> cn: RSA
> modifiersName: cn=Directory Manager
> modifyTimestamp: 20220121155703Z
> nsSSLActivation: on
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> objectClass: top
> objectClass: nsEncryptionModule
>
> HTH,
> flo
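As an added example (not code from this thread or from the FreeIPA project), the check Flo describes above, automated: read nsSSLPersonalitySSL from dse.ldif to learn which NSS nickname 389-ds serves, then parse the "Not After" line from `certutil -L -n` output and compare it with a given time, which is what turned up Omar's expired DS certificate. The dse.ldif fragment and certutil output below are constructed samples, and check_ds_cert assumes certutil is on PATH and that the caller can read the instance directory.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample inputs modelled on the thread, not captured from a real server.
SAMPLE_DSE_LDIF = """dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLActivation: on
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
"""
SAMPLE_CERTUTIL = """Certificate:
    Data:
        Validity:
            Not Before: Fri Jan 06 19:36:22 2023
            Not After : Sat Jan 06 19:36:22 2024
"""

def ds_tls_nickname(dse_ldif_text):
    """Nickname 389-ds uses for TLS: nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config."""
    m = re.search(r"^nsSSLPersonalitySSL:\s*(.+?)\s*$", dse_ldif_text, re.M)
    if not m:
        raise ValueError("nsSSLPersonalitySSL not found in dse.ldif")
    return m.group(1)

def not_after(certutil_text):
    """Parse the 'Not After' line in the form certutil -L -n prints it (local time, no zone)."""
    m = re.search(r"^\s*Not After\s*:\s*(.+?)\s*$", certutil_text, re.M)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def is_expired(certutil_text, now_iso):
    """True when the certificate's Not After is at or before now_iso, e.g. '2024-03-11T20:44:44'."""
    return not_after(certutil_text) <= datetime.fromisoformat(now_iso)

def check_ds_cert(instance_dir, now_iso):
    """Run the real certutil against an instance dir such as /etc/dirsrv/slapd-EXAMPLE-COM.
    Returns (nickname, not_after, expired). Assumes certutil is on PATH (hypothetical helper)."""
    with open(f"{instance_dir}/dse.ldif") as f:
        nick = ds_tls_nickname(f.read())
    out = subprocess.run(["certutil", "-L", "-d", instance_dir, "-n", nick],
                         capture_output=True, text=True, check=True).stdout
    return nick, not_after(out), is_expired(out, now_iso)

if __name__ == "__main__":
    # Offline demonstration on the constructed samples, with "now" set to the failing start at the top of the thread.
    print(ds_tls_nickname(SAMPLE_DSE_LDIF), not_after(SAMPLE_CERTUTIL),
          "expired:", is_expired(SAMPLE_CERTUTIL, "2024-03-11T20:44:44"))
```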
Hi Omar,
Can you help me with a similar issue?
My httpd.crt is expired, and I have a new one ready, but my tomcatd only works if I change the date back in time; with the current date it fails.
Regards,
freeipa-users@lists.fedorahosted.org