6:35 a.m.
I have a freeipa with two nodes. I have no problem with one of them but on the other one
pki-tomcat can't start.
ipacts starts with --ignore-service-failure
and
pki-tomcatd Service: STOPPED
The first thing I found a certificate expired and I changed date back in time before
expiration date. ipa-cacert-manage renew says ok but certificate for pki-tomcat
doesn't work.
getcert list shows all certificates are well but this one no:
Request ID '20171110140549':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be
authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa0.domain.com,O=DOMAIN.COM
expires: 2019-10-31 14:05:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
[root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 - Error
report</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border:
none;}</style> </head><body><h1>HTTP Status 404 -
/ca/agent/ca/profileReview</h1><div
class="line"></div><p><b>type</b> Status
report</p><p><b>message</b>
<u>/ca/agent/ca/profileReview</u></p><p><b>description</b>
<u>The requested resource is not available.</u></p><hr
class="lin
e"><h3>Apache Tomcat/8.0.46</h3></bod
What can I do to make pki-tomcat work? How to repair the certificate?
7:57 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
On 1/28/20 1:35 PM, Serge Barkov via FreeIPA-users wrote:
I have a freeipa with two nodes. I have no problem with one of them
but on the other one pki-tomcat can't start.
ipacts starts with --ignore-service-failure
and
pki-tomcatd Service: STOPPED
The first thing I found a certificate expired and I changed date back in time before
expiration date. ipa-cacert-manage renew says ok but certificate for pki-tomcat
doesn't work.
Hi,
"ipa-cacert-manage renew" is used to renew IPA CA certificate, but in
your case the expired cert is probably a different one.
On the working node, are all the certificates valid?
On the non-working node, which certificate is expired? Please provide
the whole output of getcert list for both nodes, and the output of
$ ipa config-show | grep "CA renewal"
Debugging tips can also be found in this blog post:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
flo
getcert list shows all certificates are well but this one no:
Request ID '20171110140549':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be
authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa0.domain.com,O=DOMAIN.COM
expires: 2019-10-31 14:05:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
[root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 - Error
report</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border:
none;}</style> </head><body><h1>HTTP Status 404 -
/ca/agent/ca/profileReview</h1><div
class="line"></div><p><b>type</b> Status
report</p><p><b>message</b>
<u>/ca/agent/ca/profileReview</u></p><p><b>description</b>
<u>The requested resource is not available.</u></p><hr
class="lin
e"><h3>Apache Tomcat/8.0.46</h3></bod
What can I do to make pki-tomcat work? How to repair the certificate?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:16 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
Hi Florence,
Thank you very much for your answer. I followed the link for debugging and I found a
problem:
[root@ipa0 pki-tomcat]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n
'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key
and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object
Identifier.
It seems that pki-tomcat is not able to access the certificate and the private key. But I
still don't know how to repai it:(
The whole output of the getcert list is below. I change my domain name to domain.com.
ipa0, problem node:
[root@ipa0 pki-tomcat]# getcert list
Number of certificates and requests being tracked: 6.
Request ID '20171110140122':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2021-09-21 11:05:05 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20171110140545':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2021-09-21 11:04:55 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171110140546':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2021-09-21 11:02:47 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171110140547':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2021-09-21 11:03:55 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171110140548':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2037-11-09 11:00:43 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171110140549':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview:
Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa0.domain.com,O=DOMAIN.COM
expires: 2019-10-31 14:05:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
[root@ipa0 pki-tomcat]#
The good node:
[root@ipa1 ~]# getcert list
Number of certificates and requests being tracked: 6.
Request ID '20171109110125':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2021-09-21 11:04:55 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171109110126':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2021-09-21 11:02:47 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171109110127':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2021-09-21 11:03:55 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171109110128':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2037-11-09 11:00:43 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171109110129':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2021-09-21 11:05:05 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20171109110130':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa1.domain.com,O=DOMAIN.COM
expires: 2021-09-21 11:02:07 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
[root@ipa1 ~]#
[root@ipa0 pki-tomcat]# ipa config-show | grep "CA renewal"
ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide more
information, Minor (2529638945): Ticket not yet valid
8:22 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
Sorry, the last command I did without kinit admin. After that it's so:
[root@ipa0 pki-tomcat]# ipa config-show | grep "CA renewal"
IPA CA renewal master: ipa0.domain.com
9:06 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
I assume this is running RHEL 6?
On both masters I'd compare the output of
$ ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 7389
-b uid=ipara,ou=people,o=ipaca description
What date did you go back to? Are the new certificates still valid on
that date?
rob
9:18 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
The OS is "Fedora release 25 (Twenty Five)".
I compared the output from "ldapsearch -LLL...", it differs. But in order to
make ipa0 work I temporarily broke connection between nodes (with iptables) so it's
normal.
Yhe date is
[root@ipa0 ~]# date
Sun Oct 20 19:46:18 MSK 2019
All the other certificates are valid. I use Let's Encrypt certificates and I rolled
them back to the ones valid in October.
9:26 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
Serge Barkov via FreeIPA-users wrote:
The OS is "Fedora release 25 (Twenty Five)".
I compared the output from "ldapsearch -LLL...", it differs. But in order to
make ipa0 work I temporarily broke connection between nodes (with iptables) so it's
normal.
Yhe date is
[root@ipa0 ~]# date
Sun Oct 20 19:46:18 MSK 2019
That difference is likely the reason for the failure. What does the
output look like?
rob
9:41 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
The output of
ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389
(there is nothing on port 7389 so I beleive it must be 389)
looks so:
dn: cn=compat,dc=domain,dc=com
objectClass: extensibleObject
cn: compat
dn: cn=users,cn=compat,dc=domain,dc=com
objectClass: extensibleObject
cn: users
dn: uid=f.second,cn=users,cn=compat,dc=domain,dc=com
and so on - full description of all my users
9:47 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
Serge Barkov via FreeIPA-users wrote:
The output of
ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389
(there is nothing on port 7389 so I beleive it must be 389)
looks so:
Ok, I was guessing the release you were using.
You are missing part of the command, add:
-b uid=ipara,ou=people,o=ipaca description
rob
10:15 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
Oh, I'm sorry.
freeipa version is 4.4.4-1.fc25
I don't see any difference:
The problem node:
[root@ipa0 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p
389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
The normal one:
[root@ipa1 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p
389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
1:03 p.m.
New subject: pki-tomcat doesn't start, it can't update certificate
Serge Barkov via FreeIPA-users wrote:
Oh, I'm sorry.
freeipa version is 4.4.4-1.fc25
I don't see any difference:
The problem node:
[root@ipa0 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p
389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
The normal one:
[root@ipa1 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p
389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
IIRC the CA uses the subsystem cert to authenticate to itself. You might
try comparing the ca.subsystem.cert value in
/etc/pki/pki-tomcat/ca/CS.cfg between the two servers.
rob
2:17 p.m.
New subject: pki-tomcat doesn't start, it can't update certificate
I compared, it's the same on both nodes
2:05 a.m.
New subject: pki-tomcat doesn't start, it can't update certificate
It seems that the reason of the problem is in
"404...The requested resource is not available" when ipa tryies to renew the
certificate with request
https://ipa0.domain.com:8443/ca/agent/ca/profileReview
When I try it certificate is good but the result is 404...
Are there any ideas where to look?
4:30 p.m.
New subject: pki-tomcat doesn't start, it can't update certificate
Serge Barkov via FreeIPA-users wrote:
It seems that the reason of the problem is in
"404...The requested resource is not available" when ipa tryies to renew the
certificate with request
https://ipa0.domain.com:8443/ca/agent/ca/profileReview
When I try it certificate is good but the result is 404...
Are there any ideas where to look?
The CA is a deployed WAR file in tomcat. A 404 suggests the CA hasn't
started at all. Check the logs.
rob
1540
days inactive
1547
days old
freeipa-users@lists.fedorahosted.org
13 comments
3 participants
participants (3)
-
Florence Blanc-Renaud -
Rob Crittenden -
Serge Barkov