On 16.07.20 15:50, Florence Blanc-Renaud wrote:
> On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote:
>> I was thinking something similar. I tried
>> ```
>> [root@ipa01 ~]# ipa-cacert-manage renew
>> Renewing CA certificate, please wait
>> Error resubmitting certmonger request '20200716071025', please check
>> the request manually
>> The ipa-cacert-manage command failed.
>> ```
>
> Hi,
> this command is used to renew the IPA CA certificate and is not
> applicable to the current situation. The IPA CA has ~20 years validity
> and this cert is unlikely to be expired.
Good to know, thanks!
>> ```
>> [root@ipa01 ~]# getcert list
>> Number of certificates and requests being tracked: 9.
>> [...]
>> Request ID '20200716071025':
>> status: CA_UNREACHABLE
> This is expected in your case as pki is down, and won't be able to
> manage the certificate renewal request.
>
>> ca-error: Internal error
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>> expires: 2040-07-16 07:08:27 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> [...]
>> ```
>>
>> The other ones are all MONITORING and expire in 2022. Since I tried to
>> force a new cert, maybe this is still okay and the problem lies
>> somewhere else?
>
> Then the problem is different. Since the new certs will expire in 2022
> (in 2 years), I suspect that they were renewed recently but the
> renewal failed in the middle.
>
> You can refer to [1] in order to ensure that this is the root cause
> and fix the current situation.
>
> HTH,
> flo
>
> [1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
>
I have checked and the certificates from /etc/pki/pki-tomcat/alias and
LDAP are exactly the same. I attached
/var/log/pki/pki-tomcat/ca/debug. The error message there is different:
```
[16/Jul/2020:16:24:57][profileChangeMonitor]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:607)
    at java.net.Socket.connect(Socket.java:556)
    at java.net.Socket.<init>(Socket.java:452)
    at java.net.Socket.<init>(Socket.java:262)
    at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSSLSocket(PKISocketFactory.java:120)
    at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:159)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
    at netscape.ldap.LDAPConnThread.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:82)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory$BoundConnection.<init>(LdapBoundConnFactory.java:531)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:187)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:332)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:295)
    at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:426)
    at java.lang.Thread.run(Thread.java:748)
[...]
[16/Jul/2020:16:24:57][profileChangeMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
[16/Jul/2020:16:24:57][authorityMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
```
The firewall is not restricting this and I am a bit puzzled as to why the
connection fails. If the service is not running or the port is not open,
ldapsearch should also not work, right?
I might test a fresh IPA install without restoring any data. Maybe
something with my OS or network is wrong.
You can check with
```
# netstat -tunpl | grep 636
```
if the LDAP server is listening on this port. It's possible that the
LDAP server is up but only listening on 389.
To see if port 636 is enabled in the server config:
```
# ldapsearch -x -D "cn=directory manager" -W -b cn=config -s base nsslapd-security
```
The attribute value should be "nsslapd-security: on".
flo
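As an added example (not code from the thread or from FreeIPA), a small Python diagnostic that applies flo's two checks to captured output: it pulls host, port and exception out of the LdapBoundConnFactory::getConn error in the pki debug log, reads the listening ports from `netstat -tunpl` output and the `nsslapd-security` value from the cn=config search, and reports which case applies. The sample inputs are constructed; the log wording, port numbers and attribute name are the ones from the thread.

```python
import re
# Constructed sample inputs modelled on the thread, not real captures (the real log has each error on one line).
PKI_DEBUG = (
    "[16/Jul/2020:16:24:57][profileChangeMonitor]: Can't create master connection in "
    "LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com "
    "port 636 Error netscape.ldap.LDAPException: Unable to create socket: "
    "java.net.ConnectException: Connection refused (Connection refused) (-1)\n"
)
NETSTAT_OUT = (  # `netstat -tunpl` on a server where ns-slapd is bound to 389 only
    "tcp6       0      0 :::389       :::*       LISTEN      1234/ns-slapd\n"
    "tcp6       0      0 :::443       :::*       LISTEN      2345/httpd\n"
    "udp        0      0 0.0.0.0:123  0.0.0.0:*              3456/chronyd\n"
)
LDIF_OUT = "dn: cn=config\nnsslapd-security: off\n"  # ldapsearch -b cn=config -s base nsslapd-security
LDAP_ERR_RE = re.compile(
    r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+) "
    r"Error .*?(?P<exc>java\.net\.\w+Exception: [^()]+)"
)

def parse_pki_ldap_errors(debug_text):
    """(host, port, java exception) for each LdapBoundConnFactory::getConn failure."""
    return [(m["host"], int(m["port"]), m["exc"].strip()) for m in LDAP_ERR_RE.finditer(debug_text)]

def listening_ports(netstat_text):
    """Local TCP ports in LISTEN state from `netstat -tunpl` output (UDP rows have no state column)."""
    ports = set()
    for fields in (line.split() for line in netstat_text.splitlines()):
        if len(fields) >= 6 and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def nsslapd_security(ldif_text):
    """True/False for nsslapd-security in the cn=config LDIF, None if the attribute is absent."""
    for line in ldif_text.splitlines():
        if line.lower().startswith("nsslapd-security:"):
            return line.split(":", 1)[1].strip().lower() == "on"
    return None

def diagnose(debug_text, netstat_text, ldif_text):
    """Correlate pki's LDAP failures with what the directory server actually exposes."""
    ports, security = listening_ports(netstat_text), nsslapd_security(ldif_text)
    verdicts = []
    for host, port, exc in parse_pki_ldap_errors(debug_text):
        if port in ports:
            verdicts.append(f"{host}:{port} is listening locally; {exc} came from elsewhere")
        elif port == 636 and security is False:
            verdicts.append("LDAPS disabled: nsslapd-security is off and ns-slapd is not bound to 636")
        elif port == 636 and security:
            verdicts.append("nsslapd-security is on but 636 is not bound: check the dirsrv errors log")
        else:
            verdicts.append(f"{host}:{port} not listening: {exc}")
    return verdicts
```

With the constructed inputs above, `diagnose(PKI_DEBUG, NETSTAT_OUT, LDIF_OUT)` reports the "LDAPS disabled" case, which is exactly what flo's two commands are meant to distinguish from a server that is down altogether.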