Russ Long via FreeIPA-users wrote:
Any other advice here? I have also tried setting the system back to when the
certificates were valid, restarting certmonger and pki-tomcatd, and running getcert
resubmit on the affected certs. This moves them to a "Monitoring" status, but
they still never renew, either in the present day or when the system is back in time.
When the system is back in time to when the certs are valid, if I start certmonger in debug
mode and submit the getcert resubmit, I get this:
2023-08-25 00:29:24 [106919] Certificate submission attempt complete.
2023-08-25 00:29:24 [106919] Child status = 2.
2023-08-25 00:29:24 [106919] Child output:
"Server at "http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit" replied: Request 1 - Server Internal Error
"
2023-08-25 00:29:24 [106919] Server at "http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit" replied: Request 1 - Server Internal Error
2023-08-25 00:29:24 [106919] Certificate not (yet?) issued.
2023-08-25 00:29:24 [106919] Request2('20230825040038') already had a certificate, going back to monitoring it
2023-08-25 00:29:24 [106919] Request2('20230825040038') moved to state 'MONITORING'
2023-08-25 00:29:24 [106919] Wrote to /var/lib/certmonger/requests/20230825040039
2023-08-25 00:29:24 [106919] Will revisit Request2('20230825040038') soonish.
2023-08-25 00:29:54 [106919] Will revisit Request2('20230825040038') in 41876 seconds.
Digging further on this, pki-tomcat logs show an LDAP error:
2023-08-25 00:29:23 [http-nio-8080-exec-3] WARNING: Unable to update certificate request: Unable to modify LDAP record: Object class violation
Unable to modify LDAP record: Object class violation
    at com.netscape.cmscore.dbs.LDAPSession.modify(LDAPSession.java:276)
    at com.netscape.cmscore.request.RequestRepository.modifyRequest(RequestRepository.java:322)
    at com.netscape.cmscore.request.RequestRepository.updateRequest(RequestRepository.java:290)
    at com.netscape.cms.servlet.cert.CertProcessor.submitRequests(CertProcessor.java:323)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:207)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:278)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:131)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:487)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: netscape.ldap.LDAPException: Object class violation (65); unknown object class "request"
    at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at com.netscape.cmscore.dbs.LDAPSession.modify(LDAPSession.java:264)
    ... 54 more
I really have no idea where to go from here with this.
It means you are missing at least one objectclass definition in schema
that the CA adds. How this can happen I have no idea.
You can add the missing schema with:
ldapadd -c -D 'cn=directory manager' -W -f /usr/share/pki/server/database/ds/schema.ldif
The -c means it will continue loading the ldif on errors (like when the
schema already exists).
rob
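A schema audit for the situation Rob describes, as an added example that is not from the thread: it extracts the objectClass names from the PKI schema LDIF and from a dump of the server's cn=schema entry and reports which ones the server lacks, so the gap can be confirmed before loading schema.ldif and the load verified afterwards. Both LDIF excerpts below are constructed; the OIDs in them are placeholders.

```python
"""Audit which objectClasses the PKI schema LDIF defines but the directory server's
cn=schema entry lacks. Added example, not from the thread; inputs below are constructed."""
import re
# RFC 4512 definition "( OID NAME 'name' ... )"; NAME is one quoted name or a ( list ).
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def objectclass_names(ldif_text):
    """Lower-cased NAMEs of every objectClasses: definition in the LDIF text."""
    names = set()
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("objectclasses:"):
            continue
        m = _NAME_RE.search(line)
        if m and m.group(1):
            names.add(m.group(1).lower())
        elif m:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names

def missing_objectclasses(expected_ldif, server_schema_ldif):
    """Object classes the PKI schema file defines that are absent from the server's schema."""
    return sorted(objectclass_names(expected_ldif) - objectclass_names(server_schema_ldif))

# Constructed excerpt in the style of /usr/share/pki/server/database/ds/schema.ldif (placeholder OIDs).
EXPECTED_SCHEMA = """dn: cn=schema
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top
  STRUCTURAL MUST cn MAY ( requestId $ requestState ) X-ORIGIN 'user defined' )
objectClasses: ( certificateRecord-oid NAME 'certificateRecord' SUP top STRUCTURAL
  MUST cn X-ORIGIN 'user defined' )
"""

# Constructed output of: ldapsearch -b cn=schema -s base objectClasses  ('request' is missing).
SERVER_SCHEMA = """dn: cn=schema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN 'RFC 4512' )
objectClasses: ( certificateRecord-oid NAME 'certificateRecord' SUP top STRUCTURAL
  MUST cn X-ORIGIN 'user defined' )
"""
print("missing objectClasses:", missing_objectclasses(EXPECTED_SCHEMA, SERVER_SCHEMA))  # ['request']
```

Point the two inputs at the real schema.ldif and at a fresh `ldapsearch -b cn=schema -s base objectClasses` dump; an empty result after the ldapadd confirms every class the CA writes is now known to the directory server.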