Ricardo Mendes wrote:
You're totally right. I feel dumb.
Ok so I did the following:
I edited the renew-le.sh and replaced the cert name but the line that
adds the cert again
"certutil -A -d ... -n Server-Cert"
Edited /etc/httpd/conf.d/nss.conf and changed the NSSNickname
But I still can't start pki-tomcatd:
# systemctl status pki-tomcatd@pki-tomcat -l
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
vendor preset: disabled)
Active: active (running) since Wed 2020-06-17 17:24:46 WEST; 19s ago
Process: 4750 ExecStop=/usr/libexec/tomcat/server stop (code=exited,
status=0/SUCCESS)
Process: 4788 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited,
status=0/SUCCESS)
Main PID: 4916 (java)
CGroup:
/system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
└─4916 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
-DRESTEASY_LIB=/usr/share/java/resteasy-base
-Djava.library.path=/usr/lib64/nuxwdog-jni -classpath
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/var/lib/pki/pki-tomcat
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.security.manager
-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
org.apache.catalina.startup.Bootstrap start
Jun 17 17:24:48 main.domain.io server[4916]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'serverCertNickFile' to
'/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
did not find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlValidation' to 'false' did not find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlNamespaceAware' to 'false' did not find a matching property.
Jun 17 17:24:56 main.domain.io server[4916]:
CMSEngine.initializePasswordStore() begins
Jun 17 17:24:56 main.domain.io server[4916]:
CMSEngine.initializePasswordStore(): tag=internaldb
Jun 17 17:24:56 main.domain.io server[4916]:
CMSEngine.initializePasswordStore(): tag=replicationdb
Jun 17 17:24:56 main.domain.io server[4916]: Internal Database Error
encountered: Could not connect to LDAP server host main.domain.io port
636 Error netscape.ldap.LDAPException: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused) (-1)
Currently all other services appear to be ok. Do I have to install it
manually here now?

My guess is that the LE CA certificates are not trusted by the NSS
database that dogtag uses. Assuming you've added those CA certificates
to IPA using ipa-cacert-manage install then running ipa-certupdate
should fix things for you.

rob
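One way to check the point Rob raises, whether the CA certificates are actually trusted in the NSS database dogtag uses, is to read the trust flags that `certutil -L -d <dbdir>` prints for each nickname: a CA needs a `C` in the first (SSL) field to be trusted as a server-certificate issuer, and the server certificate itself needs a `u` there, meaning its private key is present. The script below is an added example, not code from the thread or from the renew-le.sh script; it parses a constructed sample listing (the nicknames "Let's Encrypt R3" and "ISRG Root X1" and their flags are made up for illustration) and reports what is missing or untrusted. The database path `/var/lib/pki/pki-tomcat/alias` is the one shown in the log above; on a real system the same function can be fed the output of `certutil -L -d` on that directory.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d <dbdir>` output (not a real listing).
# Columns: nickname, then "SSL,S/MIME,JAR/XPI" trust flags.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert                                                  u,u,u
Let's Encrypt R3                                             ,,
ISRG Root X1                                                 C,,
"""

# Valid NSS trust flag characters: C, T, c, P, p, u, w (empty field allowed).
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")


def parse_certutil_listing(text):
    """Map nickname -> trust string, skipping the header and column key lines."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        # The trust string is the last whitespace-separated token; the
        # nickname (which may itself contain spaces) is everything before it.
        head, _, trust = line.rpartition(" ")
        nickname = head.strip()
        if not nickname or not TRUST_RE.match(trust):
            continue
        certs[nickname] = trust
    return certs


def ssl_flags(trust):
    """Return the SSL (first) trust field of a 'a,b,c' trust string."""
    return trust.split(",")[0]


def trusted_ssl_cas(certs):
    """Nicknames that NSS will accept as issuers of server certificates."""
    return {nick for nick, trust in certs.items() if "C" in ssl_flags(trust)}


def check_chain(certs, chain_nicknames, server_nickname):
    """List human-readable problems for a server cert and its issuing chain."""
    problems = []
    if server_nickname not in certs:
        problems.append(f"server cert {server_nickname!r} not in database")
    elif "u" not in ssl_flags(certs[server_nickname]):
        problems.append(f"{server_nickname!r} has no private key (no 'u' flag)")
    for nick in chain_nicknames:
        if nick not in certs:
            problems.append(f"CA {nick!r} missing from database")
        elif "C" not in ssl_flags(certs[nick]):
            problems.append(
                f"CA {nick!r} present but not trusted for SSL (flags {certs[nick]!r})"
            )
    return problems


def load_from_nssdb(dbdir):
    """Run certutil against a real NSS database (requires read access to dbdir)."""
    out = subprocess.run(
        ["certutil", "-L", "-d", dbdir], capture_output=True, text=True, check=True
    )
    return parse_certutil_listing(out.stdout)


if __name__ == "__main__":
    # Hypothetical chain nicknames; replace with the ones actually imported.
    certs = parse_certutil_listing(SAMPLE_LISTING)
    for problem in check_chain(certs, ["ISRG Root X1", "Let's Encrypt R3"], "Server-Cert"):
        print("PROBLEM:", problem)
    # For the live database from the log: load_from_nssdb("/var/lib/pki/pki-tomcat/alias")
```

On the sample listing the intermediate is present but carries no trust flags, which is exactly the state that makes a renewed certificate unusable even though `certutil -A` appeared to succeed; the fix is to import the CA with `C,,` (or re-run the IPA-side steps Rob describes) rather than to touch the server certificate again.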
> You must have restored your git repo to HEAD. As I said before, the
> current HEAD does not work against anything < IPA 4.7.something.
>
> You need to get to the commit before "Move from mod_nss to mod_ssl"
>
> Then you'll see Server-Cert in renew-le.sh.
>
> ---
>
> We don't normally just dump code but it's a specific script for the
> demo. It seemed generally useful so it was shared.
>
> It has no branches and only supports the latest release of IPA that the
> demo runs.
>
> There are no plans to generalize or package it. You're free to tackle it
> if you'd like and include it in EPEL, for example.
>
> rob
>
I'm not skilled enough to do that, but maybe it is a fun project to learn
how sometime in the future :)
Thanks for all the help so far!
Ricardo