Any other advice here? I have also tried setting the system back to when certificates were
valid, restarting certmonger and pki-tomcatd, and running getcert resubmit on the affected
certs; this moves them to a "Monitoring" status, but they still never renew when
in the present day or when the system is back in time.

When the system is back in time to when certs are valid, if I start up certmonger in debug
mode and submit the getcert resubmit, I get this:

2023-08-25 00:29:24 [106919] Certificate submission attempt complete.
2023-08-25 00:29:24 [106919] Child status = 2.
2023-08-25 00:29:24 [106919] Child output:
"Server at "http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit" replied: Request 1 - Server Internal Error
"
2023-08-25 00:29:24 [106919] Server at "http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit" replied: Request 1 - Server Internal Error
2023-08-25 00:29:24 [106919] Certificate not (yet?) issued.
2023-08-25 00:29:24 [106919] Request2('20230825040038') already had a certificate, going back to monitoring it
2023-08-25 00:29:24 [106919] Request2('20230825040038') moved to state 'MONITORING'
2023-08-25 00:29:24 [106919] Wrote to /var/lib/certmonger/requests/20230825040039
2023-08-25 00:29:24 [106919] Will revisit Request2('20230825040038') soonish.
2023-08-25 00:29:54 [106919] Will revisit Request2('20230825040038') in 41876 seconds.

Digging further on this, pki-tomcat logs show an LDAP error:

2023-08-25 00:29:23 [http-nio-8080-exec-3] WARNING: Unable to update certificate request: Unable to modify LDAP record: Object class violation
Unable to modify LDAP record: Object class violation
    at com.netscape.cmscore.dbs.LDAPSession.modify(LDAPSession.java:276)
    at com.netscape.cmscore.request.RequestRepository.modifyRequest(RequestRepository.java:322)
    at com.netscape.cmscore.request.RequestRepository.updateRequest(RequestRepository.java:290)
    at com.netscape.cms.servlet.cert.CertProcessor.submitRequests(CertProcessor.java:323)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:207)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:278)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:131)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:487)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: netscape.ldap.LDAPException: Object class violation (65); unknown object class "request"
    at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at netscape.ldap.LDAPConnection.modify(Unknown Source)
    at com.netscape.cmscore.dbs.LDAPSession.modify(LDAPSession.java:264)
    ... 54 more

I really have no idea where to go from here with this.
Thanks in advance,
Russ
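
An added example, not part of the original message and not FreeIPA or Dogtag code: it pulls the root-cause LDAP error out of a hard-wrapped pki-tomcat trace like the one above and checks whether the object class it names appears in an LDIF dump of the directory schema. The trace excerpt, both schema dumps and the function names are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the hard-wrapped pki-tomcat trace in the post.
TRACE = """\
2023-08-25 00:29:23 [http-nio-8080-exec-3] WARNING: Unable to update certificate request:
Unable to modify LDAP record: Object class violation
at
com.netscape.cmscore.request.RequestRepository.modifyRequest(RequestRepository.java:322)
Caused by: netscape.ldap.LDAPException: Object class violation (65); unknown object class
"request"
"""

# Constructed LDIF schema dumps; the second folds a value (newline + one space) mid-name.
SCHEMA_WITHOUT = """\
dn: cn=schema
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
"""
SCHEMA_WITH = SCHEMA_WITHOUT + """\
objectClasses: ( request-oid NAME 'requ
 est' DESC 'constructed entry' SUP top STRUCTURAL MUST cn )
"""

ROOT = re.compile(r'Caused by: (?P<exc>[\w.$]+): (?P<msg>[^;]+?) \((?P<code>\d+)\);'
                  r' unknown object class "(?P<oc>[^"]+)"')

def root_cause(trace):
    # Undo mail/terminal hard wrapping, then take the last (innermost) 'Caused by'.
    flat = " ".join(trace.split())
    hits = list(ROOT.finditer(flat))
    if not hits:
        return None
    m = hits[-1]
    return {"exception": m["exc"], "message": m["msg"],
            "ldap_code": int(m["code"]), "objectclass": m["oc"]}

def schema_objectclasses(ldif):
    # Unfold LDIF continuation lines, then collect lower-cased NAME values.
    names = set()
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line.lower().startswith("objectclasses:"):
            m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", line)
            if m:
                names.update(n.lower() for n in re.findall(r"[\w-]+", m[1] or m[2]))
    return names

def diagnose(trace, schema_ldif):
    cause = root_cause(trace)
    if cause is None:
        return "no schema error in trace"
    defined = cause["objectclass"].lower() in schema_objectclasses(schema_ldif)
    return f"{cause['objectclass']} (LDAP result {cause['ldap_code']}): {'defined' if defined else 'MISSING'}"
```

LDAP result code 65 is objectClassViolation; a "MISSING" result means the dump that was checked does not define the class the CA tried to write.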