On Wed, Jun 12, 2019 at 10:30 PM Miller, Jim <jmiller(a)tkcholdings.com> wrote:
-----Original Message-----
From: Ian Kumlien via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday, June 12, 2019 3:27 PM
To: Rob Crittenden <rcritten(a)redhat.com>
Cc: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Ian Kumlien <ian.kumlien(a)gmail.com>
Subject: [Freeipa-users] Re: Issues with pki-tomcat - CA
On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Ian Kumlien via FreeIPA-users wrote:
> > On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >> Ian Kumlien via FreeIPA-users wrote:
[--8<--]
> > Certificate Nickname                         Trust Attributes
> >                                              SSL,S/MIME,JAR/XPI
> >
> > Server-Cert cert-pki-ca                      u,u,u
> > transportCert cert-pki-kra                   u,u,u
> > storageCert cert-pki-kra                     u,u,u
> > auditSigningCert cert-pki-kra                u,u,Pu
> > XERCES.LAN IPA CA                            CT,C,C
> > XERCES.LAN IPA CA                            CT,C,C
> > XERCES.LAN IPA CA                            CT,C,C
>
>
> You're missing all the CA certificates except the one that tomcat uses!?
> That includes the CA signing cert!
>
> It should look more like (excluding the *kra certs):
>
> caSigningCert cert-pki-ca                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                  u,u,u
> subsystemCert cert-pki-ca                    u,u,u
> auditSigningCert cert-pki-ca                 u,u,Pu
> Server-Cert cert-pki-ca                      u,u,u
>
> Do the keys for those certs exist?
>
> # grep internal /etc/pki/pki-tomcat/password.conf
> internal=foo
> # certutil -K -d /etc/pki/pki-tomcat/alias/
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB": foo
>
> Perhaps a bunch of orphans?
Seems like it, I have three orphans and the keys for subsystemCert, caSigningCert and
ocspSigningCert seem to exist.
Any clue why this happened? I have two more servers that I can look at if you need
clues....
I mainly want to figure this out before my vacation starts ;)
> rob
> Sorry for butting in on this discussion, but is this an issue where the cert for that
> server didn't get renewed and the tomcat-pki service won't start?
> I ask because that's an issue we're having and we're not sure how to address it.
Yep, it happened on four servers - I tried to reinstall one and this
fails as well due to the CA server being unavailable...
> --Jim
>
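The check Rob walks Ian through above (compare what `certutil -L` lists against what `certutil -K` holds keys for, and look for orphans) is easy to get wrong by eye when nicknames contain spaces. The script below is an added example for this thread, not code from the FreeIPA or Dogtag projects or from anyone in the discussion. It assumes `certutil` from nss-tools, the `/etc/pki/pki-tomcat/alias` path used in the thread, a password file containing only the token password (the value after `internal=` in `password.conf`), and the `certutil -K` line shape `< 0> rsa <keyid> NSS Certificate DB:<nickname>` with `(orphan)` for keys that have no certificate. The sample output embedded in it is constructed, modelled on the listing Ian posted; the key IDs are made up.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA/Dogtag code base): cross-check
# the certificates in an NSS database against its private keys and report
# (a) orphan keys (key present, no certificate) and (b) certificates with no key.
# Assumptions: certutil from nss-tools; `certutil -K` lines look like
# "< 0> rsa <keyid> NSS Certificate DB:<nickname>" and say "(orphan)" for keys
# without a certificate. Sample output below is constructed; key IDs are made up.

SAMPLE_CERTS='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
transportCert cert-pki-kra                                   u,u,u
storageCert cert-pki-kra                                     u,u,u
auditSigningCert cert-pki-kra                                u,u,Pu
XERCES.LAN IPA CA                                            CT,C,C
XERCES.LAN IPA CA                                            CT,C,C'

SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b   NSS Certificate DB:transportCert cert-pki-kra
< 2> rsa      2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c   NSS Certificate DB:storageCert cert-pki-kra
< 3> rsa      3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d   NSS Certificate DB:auditSigningCert cert-pki-kra
< 4> rsa      4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e   (orphan)
< 5> rsa      5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f   (orphan)
< 6> rsa      6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a   (orphan)'

# cert_nicknames: read `certutil -L -d <db>` output on stdin and print one
# nickname per line (duplicates collapsed). The trust attributes are the last
# whitespace-separated field; nicknames themselves may contain spaces, so only
# that trailing field is stripped.
cert_nicknames() {
  awk 'NR > 2 && NF >= 2 { sub(/[ \t]+[A-Za-z,]*$/, ""); print }' | sort -u
}

# key_nicknames: read `certutil -K -d <db>` output on stdin and print the
# nickname each private key is bound to. Orphan keys are skipped here.
key_nicknames() {
  awk '/^< *[0-9]+>/ {
         sub(/^< *[0-9]+> *[a-z]+ +[0-9a-fA-F]+ +/, "")   # drop "< 0> rsa <keyid> "
         sub(/^NSS Certificate DB:/, "")                 # drop the token prefix, if present
         if ($0 != "(orphan)") print
       }' | sort -u
}

# orphan_count: number of private keys in `certutil -K` output with no certificate.
orphan_count() {
  awk '/^< *[0-9]+>/ && /\(orphan\)$/ { n++ } END { print n + 0 }'
}

# certs_without_keys CERTS KEYS: nicknames present in the -L listing that have
# no private key in the -K listing. Trusted CA copies (CT,C,C) are expected
# here; a u,u,u service certificate showing up means it has lost its key.
certs_without_keys() {
  keys=$(printf '%s\n' "$2" | key_nicknames)
  printf '%s\n' "$1" | cert_nicknames | while IFS= read -r nick; do
    if ! printf '%s\n' "$keys" | grep -Fxq -- "$nick"; then
      printf '%s\n' "$nick"
    fi
  done
}

# check_nssdb DB PWFILE: live variant against a real database. PWFILE must hold
# only the token password, i.e. the value after "internal=" in password.conf.
check_nssdb() {
  db=${1:-/etc/pki/pki-tomcat/alias}
  certs=$(certutil -L -d "$db")
  keys=$(certutil -K -d "$db" -f "$2")
  printf 'orphan keys: %s\n' "$(printf '%s\n' "$keys" | orphan_count)"
  printf 'certs without a private key:\n'
  certs_without_keys "$certs" "$keys" | sed 's/^/  /'
}

# Run against the constructed sample unless invoked as:
#   sh nssdb-check.sh --live /etc/pki/pki-tomcat/alias /path/to/pwfile
if [ "${1:-}" = "--live" ]; then
  check_nssdb "$2" "$3"
else
  printf 'orphan keys: %s\n' "$(printf '%s\n' "$SAMPLE_KEYS" | orphan_count)"
  printf 'certs without a private key:\n'
  certs_without_keys "$SAMPLE_CERTS" "$SAMPLE_KEYS" | sed 's/^/  /'
fi
```

On the constructed sample this reports three orphan keys and one certificate without a key (the trusted IPA CA copy, which is fine). On the database Ian describes, the orphan count of three together with a `-L` listing that lacks caSigningCert, subsystemCert and ocspSigningCert is exactly the pattern Rob suspected: the keys survived but the certificates bound to them are gone. Compare the `-L` output of a healthy replica before deciding whether re-importing the certificates against the orphan keys is an option.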