5:13 p.m.
Went onto my IPA server today to discover the certificate had not been automatically
renewed. It's a self-signed cert.
I set the date back before the expiry and tried:
ipa-cacert-manage renew
which results in:
'NoneType' object has no attribute 'is_self_signed'
The ipa-cacert-manage command failed.
adding '--self-signed' just punts the same error to another attribute:
Renewing CA certificate, please wait
'NoneType' object has no attribute 'issuer'
The ipa-cacert-manage command failed.
I assume the same thing caused the autorenewal to not happen. Any recommendations? IPA
version is 4.6.90.pre1+git20180411, API_VERSION: 2.229 which I know is old. It's on an
old Ubuntu distro that I can't upgrade without destroying and I've have tried many
times to replicate the thing to a different VM but have yet to successfully do so.
10:05 p.m.
Sean McLennan via FreeIPA-users wrote:
Went onto my IPA server today to discover the certificate had not
been automatically renewed. It's a self-signed cert.
I set the date back before the expiry and tried:
ipa-cacert-manage renew
which results in:
'NoneType' object has no attribute 'is_self_signed'
The ipa-cacert-manage command failed.
adding '--self-signed' just punts the same error to another attribute:
Renewing CA certificate, please wait
'NoneType' object has no attribute 'issuer'
The ipa-cacert-manage command failed.
I assume the same thing caused the autorenewal to not happen. Any recommendations? IPA
version is 4.6.90.pre1+git20180411, API_VERSION: 2.229 which I know is old. It's on an
old Ubuntu distro that I can't upgrade without destroying and I've have tried many
times to replicate the thing to a different VM but have yet to successfully do so.
What certificate had not been renewed? This command renews the CA
certificate itself which by default is good for 20 years. This is likely
not the command you need.
rob
11:09 a.m.
Oh. :P Well isn't that embarrassing.
I guess it's the server certificate then?
ipa: ERROR: cannot connect to 'https://ipa01.<domain>/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
11:22 a.m.
Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list"
results correctly? When it says CA_UNREACHABLE because the cert expired, isn't that
the CA Cert?
Number of certificates and requests being tracked: 9.
Request ID '20201114211025':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=IPA RA,O=[domain.com]
expires: 2022-11-04 14:10:27 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20201114211106':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:49 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211107':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:53 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211108':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:32 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211109':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:50 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211110':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:40 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211316':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate
problem: certificate has expired).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-SIMPLYWS-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:13:16 MST
dns: ipa01.[domain.com]
principal name: ldap/ipa01.[domain.com](a)[domain.com]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv SIMPLYWS-COM
track: yes
auto-renew: yes
Request ID '20201114211418':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate
problem: certificate has expired).
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.[domain.com]-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:14:22 MST
dns: ipa01.[domain.com]
principal name: HTTP/ipa01.[domain.com](a)[domain.com]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20201114211427':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate
problem: certificate has expired).
stuck: no
key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:14:27 MST
principal name: krbtgt/[domain.com](a)[domain.com]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
11:32 a.m.
Hi,
On Thu, Nov 17, 2022 at 6:22 PM Sean McLennan via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Mm. Actually, I'm not so sure. Am I not interpreting the
"getcert list"
results correctly? When it says CA_UNREACHABLE because the cert expired,
isn't that the CA Cert?
Number of certificates and requests being tracked: 9.
Request ID '20201114211025':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=IPA RA,O=[domain.com]
expires: 2022-11-04 14:10:27 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20201114211106':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:49 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211107':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:53 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211108':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:32 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211109':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:50 MST
^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but
it definitely looks wrong, unless IPA was installed with custom (and
puzzlin) options: subject CN=localhost.
How was IPA installed? The default settings would install a self-signed CA
with subject CN=Certificate Authority,O=IPA.TEST for instance.
What is the content of /etc/ipa/ca.crt? You should see the original IPA CA
in this file.
flo
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211110':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:40 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211316':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-SIMPLYWS-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:13:16 MST
dns: ipa01.[domain.com]
principal name: ldap/ipa01.[domain.com](a)[domain.com]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
SIMPLYWS-COM
track: yes
auto-renew: yes
Request ID '20201114211418':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.[
domain.com]-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:14:22 MST
dns: ipa01.[domain.com]
principal name: HTTP/ipa01.[domain.com](a)[domain.com]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20201114211427':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:14:27 MST
principal name: krbtgt/[domain.com](a)[domain.com]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
12:21 p.m.
^ This one (caSigningCert cert-pki-ca) is IPA CA and expires
2022-11-11 but
it definitely looks wrong, unless IPA was installed with custom (and
puzzlin) options: subject CN=localhost.
How was IPA installed? The default settings would install a self-signed CA
with subject CN=Certificate Authority,O=IPA.TEST for instance.
What is the content of /etc/ipa/ca.crt? You should see the original IPA CA
in this file.
Yeah, I just used 'ipa-server-install' and as much default as possible. Definitely
wasn't trying anything fancy. I do still have the original install log (and my entire
command history) if there's something worth looking for in there.
/etc/ipa/ca.crt is just "-----BEGIN CERTIFICATE-----[text]-----END
CERTIFICATE-----"; should there be something more informative in there?
Any thoughts on what I can try to renew these?
As an aside: Honestly, I would love nothing more than to get IPA off of this damn server
and onto one that is actually supported and can, you know, but updated. :[ My impression
is that the only way I can do that though is through replicating it to another instance
and promoting the new one/retiring the old one... but like I said, I have tried many times
to add another and have been unsuccessful. Is there a way to restore the data from a
backup into a new install?
PS. Thank you for replying; I appreciate the help.
3:36 a.m.
Hi,
On Thu, Nov 17, 2022 at 7:59 PM Sean McLennan via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11
but
> it definitely looks wrong, unless IPA was installed with custom (and
> puzzlin) options: subject CN=localhost.
>
> How was IPA installed? The default settings would install a self-signed
CA
> with subject CN=Certificate Authority,O=IPA.TEST for instance.
> What is the content of /etc/ipa/ca.crt? You should see the original IPA
CA
> in this file.
Yeah, I just used 'ipa-server-install' and as much default as possible.
Definitely wasn't trying anything fancy. I do still have the original
install log (and my entire command history) if there's something worth
looking for in there.
/etc/ipa/ca.crt is just "-----BEGIN CERTIFICATE-----[text]-----END
CERTIFICATE-----"; should there be something more informative in there?
You can compare the CA cert that is stored in this file and the one that is
stored in the /etc/pki/pki-tomcat/alias database.
To compare the PEM content:
# cat /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
-a
You should see the same content.
Or if you want to see the certificate details:
# openssl x509 -noout -text -in /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
You should see the same values (subject, issuers, validity, serial
number...)
I'm asking you to compare because it's unexpected to see a subject
CN=localhost for the IPA CA. Someone has probably messed up with some
commands and replaced the original IPA CA with a wrong one in the
/etc/pki/pki-tomcat/alias database. If that's the case, we can put the
right CA back with certutil commands but we need to be sure what to put
there.
flo
Any thoughts on what I can try to renew these?
As an aside: Honestly, I would love nothing more than to get IPA off of
this damn server and onto one that is actually supported and can, you know,
but updated. :[ My impression is that the only way I can do that though is
through replicating it to another instance and promoting the new
one/retiring the old one... but like I said, I have tried many times to add
another and have been unsuccessful. Is there a way to restore the data from
a backup into a new install?
PS. Thank you for replying; I appreciate the help.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
10:52 a.m.
I'm asking you to compare because it's unexpected to see a
subject
CN=localhost for the IPA CA. Someone has probably messed up with some
commands and replaced the original IPA CA with a wrong one in the
/etc/pki/pki-tomcat/alias database. If that's the case, we can put the
right CA back with certutil commands but we need to be sure what to put
there.
Good call—they are completely different:
/etc/ipa/ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
Validity
Not Before: Nov 14 21:09:26 2020 GMT
Not After : Nov 14 21:09:26 2040 GMT
Subject: O = <domain>, CN = Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
and the one in the pki-tomcat/alias db is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
Validity
Not Before: Nov 21 21:11:50 2020 GMT
Not After : Nov 11 21:11:50 2022 GMT
Subject: CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
How do we replace that one?
2:19 p.m.
Hi,
I would start by doing a backup of the NSS database (save the directory and files from
/etc/pki/pki-tomcat/alias).
Then remove the wrong cert using:
certutil -D -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
and install the good one using
certutil -A -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -I
/etc/ipa/ca.crt -t Ct,C,C
and try to restart the whole stack with ipactl restart.
I’m not sure this will work, it really depends whether the original key is still in the
nss database. There may also be other places where the CA cert has to be replaced.
flo
10:07 p.m.
I'm asking you to compare because it's unexpected to see a
subject
CN=localhost for the IPA CA. Someone has probably messed up with some
commands and replaced the original IPA CA with a wrong one in the
/etc/pki/pki-tomcat/alias database. If that's the case, we can put the
right CA back with certutil commands but we need to be sure what to put
there.
So, I believe that I successfully managed to replace the cert in the database with
/etc/pki/ca.crt; however, still nothing is working. It appears that although "ipactrl
status" (and systemctl status) shows pki-tomcatd as running, there are no services
listening. I.e. there is nothing listening on *any* 80xx port—I gather pki-tomcatd is
supposed to be something on 8009?
catalina.out has this:
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Valve} Setting property
'resolveHosts' to 'false' did not find a matching property.
WARNING: The JSSE TLS 1.3 implementation does not support authentication after the initial
handshake and is therefore incompatible with optional client authentication
SEVERE: Catalina.start
org.apache.catalina.LifecycleException: Failed to initialize component
[StandardServer[8005]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.RuntimeException: java.lang.SecurityException: Unable to initialize
security library
at com.netscape.cms.tomcat.PKIListener.lifecycleEvent(PKIListener.java:64)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:395)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:108)
... 8 more
Caused by: java.lang.SecurityException: Unable to initialize security library
at org.mozilla.jss.CryptoManager.initializeAllNative2(Native Method)
at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:956)
at org.apache.tomcat.util.net.jss.TomcatJSS.init(TomcatJSS.java:322)
at com.netscape.cms.tomcat.PKIListener.lifecycleEvent(PKIListener.java:62)
... 11 more
SEVERE: The required Server component failed to start so Tomcat is unable to start.
org.apache.catalina.LifecycleException: Failed to stop component [StandardServer[8005]]
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:238)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:142)
at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:353)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:497)
Caused by: org.apache.catalina.LifecycleException: An invalid Lifecycle transition was
attempted ([before_stop]) for component [StandardService[Catalina]] in state
[INITIALIZED]
at
org.apache.catalina.util.LifecycleBase.invalidTransition(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:213)
at org.apache.catalina.core.StandardServer.stopInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:226)
... 8 more
and
debug complains about two missing jar files:
[localhost-startStop-1] WARNING: Failed to scan [file:/usr/share/java/oscache.jar] from
classloader hierarchy
[localhost-startStop-1] WARNING: Failed to scan [file:/usr/share/java/stax-api.jar] from
classloader hierarchy
I suspect that that it's never been running properly—because of the problems I had
before, I treated this server with kid-gloves and never updated it. I suspect that this is
the reason I was never able to get a replica of it running either.
Any suggestions on how to deal with this? Is there anyway to get my data out of it and
into a different server without using replication? Like I said, I would love nothing more
than to get it off of this broken broken distro.
3:09 p.m.
I feel like this output from "ipa-certupdate -v" is relevant:
ipapython.ipautil: DEBUG: stderr=
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request
'20201114211109'
ipalib.install.certmonger: DEBUG: certmonger request is in state
dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state
dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state
dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state
dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request
'20201114211109'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'dbm:/etc/ipa/nssdb', '-L', '-n', 'IPA CA', '-a',
'-f', u'/etc/ipa/nssdb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
519
days inactive
527
days old
freeipa-users@lists.fedorahosted.org
10 comments
4 participants
participants (4)
-
Florence Blanc-Renaud -
Florence Blanc-Renaud -
Rob Crittenden -
Sean McLennan