IT Guy via FreeIPA-users wrote:
Hi Florence,
Thank you for your response. What does it mean if I run the ipa certprofile-show command as outlined above and it just hangs? I don't think there is any other way to see the settings you mentioned unless this command is able to run right?
I can't explain why it would hang but you can get the profile directly from LDAP:
$ ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory manager' -W -b cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca certProfileConfig > /tmp/profile
Edit this file and remove the dn value and 'certProfileConfig:: ' then base64-decode the result.
The final really huge string should look something like:
YXV0aC5pbnN0YW5jZV9pZ...=
I used the coreutils base64 program to decode it:
$ base64 -d /tmp/profile
rob
Many thanks,
Evan
On Fri, Sep 15, 2023 at 3:19 AM Florence Blanc-Renaud <flo@redhat.com mailto:flo@redhat.com> wrote:
Hi, it seems that PKI is not happy with the subject name of the certificates. The failing certs are for KDC, dirsrv and httpd and they all use the same subject name constraint in their profile. 1. Was any certificate profile modified (caIPAserviceCert or KDCs_PKINIT_Certs)? You can use ipa certprofile-show <name> --out /dev/stdout And then check the part related to Subject Name Constraint. In my default installation, I have policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name <http://policyset.serverCertSet.1.constraint.name>=Subject Name Constraint policyset.serverCertSet.1.constraint.params.accept=true policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl policyset.serverCertSet.1.default.name <http://policyset.serverCertSet.1.default.name>=Subject Name Default policyset.serverCertSet.1.default.params.name <http://policyset.serverCertSet.1.default.params.name>=CN=$request.req_subject_name.cn <http://request.req_subject_name.cn>$, O=IPA.TEST which means that the subject name should match CN= followed by (anything except a comma) multiple times then a comma and any char multiple times. 2. If the profile wasn't changed, can you check in /var/log/pki/pki-tomcat/ca/debug.$DATE.log the received certificate request? Does its subject match the pattern? The error messagejava.lang.StringIndexOutOfBoundsException: String index out of range: -1 hints that an expected pattern was not found. flo On Thu, Sep 14, 2023 at 4:11 PM Evan G via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: Hi Rob, When we start tomcat with the date rolled back, we are not seeing any errors at all. All of the ipa services start up without issue. The problem is in actually renewing the certs, when we do so we have seen many different errors as we've been troubleshooting -- mostly this one: `ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).[02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]: EnrollProfile: populate: begins` When I restart certmonger after all services up, these are the errors that I am seeing in the tomcat debug logs: ``` [02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]: BasicProfile: populate: policy setid =serverCertSet [02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]: EnrollDefault: populate: SubjectNameDefault: start java.lang.StringIndexOutOfBoundsException: String index out of range: -1 at java.lang.String.substring(String.java:1967) at com.netscape.certsrv.pattern.Pattern.substitute2(Pattern.java:132) at com.netscape.cms.profile.def.EnrollDefault.mapPattern(EnrollDefault.java:815) at com.netscape.cms.profile.def.SubjectNameDefault.populate(SubjectNameDefault.java:160) at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:226) at com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1114) at com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:2626) at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:379) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96) at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:197) at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:155) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net <http://org.apache.tomcat.util.net>.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:750) ``` This is what we see when we run `getcert list` and `ipa-getcert list` respectively: ``` Number of certificates and requests being tracked: 9. Request ID '20190920201259': status: CA_UNREACHABLE ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1). stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: IPA issuer: CN=Certificate Authority,O=<OU> subject: CN=<HOSTNAME>,O=<OU> expires: 2023-08-25 18:05:07 UTC principal name: krbtgt/<OU>@<OU> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20210908000050': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=<OU> subject: CN=CA Audit,O=<OU> expires: 2025-07-21 02:36:57 UTC key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20210908000051': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=<OU> subject: CN=OCSP Subsystem,O=<OU> expires: 2025-07-21 02:36:17 UTC key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20210908000052': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=<OU> subject: CN=CA Subsystem,O=<OU> expires: 2025-07-21 02:37:17 UTC key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20210908000053': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=<OU> subject: CN=Certificate Authority,O=<OU> expires: 2039-09-20 20:11:25 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20210908000054': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=<OU> subject: CN=IPA RA,O=<OU> expires: 2025-06-26 02:36:15 UTC key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20210908000055': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=<OU> subject: CN=<HOSTNAME>,O=<OU> expires: 2025-07-21 02:36:37 UTC dns: <HOSTNAME> key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20210908000056': status: CA_UNREACHABLE ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/dirsrv/slapd-<OU>/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=<OU> subject: CN=<HOSTNAME>,O=<OU> expires: 2023-09-03 18:30:48 UTC dns: <HOSTNAME> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <OU> track: yes auto-renew: yes Request ID '20210908000057': status: CA_UNREACHABLE ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=<OU> subject: CN=<HOSTNAME>,O=<OU> expires: 2023-09-03 18:30:48 UTC dns: <HOSTNAME> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes ``` ``` Number of certificates and requests being tracked: 9. Request ID '20190920201259': status: CA_UNREACHABLE ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1). stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: IPA issuer: CN=Certificate Authority,O=<OU> subject: CN=<HOSTNAME>,O=<OU> expires: 2023-08-25 18:05:07 UTC principal name: krbtgt/<OU>@<OU> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20210908000056': status: CA_UNREACHABLE ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/dirsrv/slapd-<OU>/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=<OU> subject: CN=<HOSTNAME>,O=<OU> expires: 2023-09-03 18:30:48 UTC dns: <HOSTNAME> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <OU> track: yes auto-renew: yes Request ID '20210908000057': status: CA_UNREACHABLE ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=<OU> subject: CN=<HOSTNAME>,O=<OU> expires: 2023-09-03 18:30:48 UTC dns: <HOSTNAME> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes ``` _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue