Re-sending this as I forgot to send to the list itself, sorry.
On Mon, Sep 18, 2023 at 6:55 AM Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,
On Fri, Sep 15, 2023 at 7:43 PM Russ Long via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I have a single-server IPA environment in my homelab. I noticed today
> that I was unable to delete a host from IPA, and found that pki-tomcatd was
> down and unable to start.
>
> I found that several certificates had expired for some reason. I tried
> `ipa-cert-fix`, but that failed as pki-tomcat will not start.
>
> I attempted to set the server date/time to a date 24 hours before the
> certificates expired, and was able to get tomcat to start, however the
> `ipa-cert-fix` now fails with this error:
>
> CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket',
> '/run/slapd-IPA-DOMAIN-CO.socket', '--agent-uid', 'ipara', '--cert',
> 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert',
> 'ca_audit_signing', '--extra-cert', '16'] returned non-zero exit status 1:
> "INFO: Loading instance type: pki-tomcatd
> INFO: Loading instance: pki-tomcat
> INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
> INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
> INFO: Loading subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg
> INFO: Loading subsystem registry: /etc/pki/pki-tomcat/ca/registry.cfg
> INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
> INFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
> INFO: Renewing the following additional certs: ['16']
> INFO: Stopping the instance to proceed with system cert renewal
> INFO: Configuring LDAP connection for CA
> INFO: Setting pkidbuser password via ldappasswd
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> ")
>
>
Mixing the ipa-cert-fix method with date manipulation often leads to more
issues if ipa-cert-fix was able to fix some of the certs but not all of
them (the first execution creates a cert valid from the present date only, and
as soon as you go into the past this cert is not considered valid yet).
To provide any advice we would need to have an exact description of the
current situation. Can you provide the output of "getcert list" executed as
root? This will show the "valid from" and "valid to" dates for each
certificate. Is your system still in the past or did you move back to
current date?
Getcert list:

Number of certificates and requests being tracked: 7.
Request ID '20220906145805':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
    subject: CN=CA Audit,O=IPA.EXAMPLE.CO
    issued: 2021-09-06 12:07:45 EDT
    expires: 2023-08-27 12:07:45 EDT
    key usage: digitalSignature,nonRepudiation
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20220906145806':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
    subject: CN=OCSP Subsystem,O=IPA.EXAMPLE.CO
    issued: 2021-09-06 12:07:52 EDT
    expires: 2023-08-27 12:07:52 EDT
    eku: id-kp-OCSPSigning
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20220906145807':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
    subject: CN=CA Subsystem,O=IPA.EXAMPLE.CO
    issued: 2021-09-06 12:07:43 EDT
    expires: 2023-08-27 12:07:43 EDT
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20220906145808':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
    subject: CN=Certificate Authority,O=IPA.EXAMPLE.CO
    issued: 2019-10-15 12:07:28 EDT
    expires: 2039-10-15 12:07:28 EDT
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20220906145809':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
    subject: CN=master.ipa.example.co,O=IPA.EXAMPLE.CO
    issued: 2021-09-06 12:07:42 EDT
    expires: 2023-08-27 12:07:42 EDT
    dns: master.ipa.example.co
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caServerCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20220906145810':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.CO
    subject: CN=IPA RA,O=IPA.EXAMPLE.CO
    issued: 2021-09-06 12:08:40 EDT
    expires: 2023-08-27 12:08:40 EDT
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20220906145820':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=master.ipa.example.co,O=IPA.EXAMPLE.CO
    subject: CN=master.ipa.example.co,O=IPA.EXAMPLE.CO
    issued: 2023-08-31 10:10:23 EDT
    expires: 2024-08-31 10:10:23 EDT
    dns: master.ipa.example.co
    principal name: krbtgt/IPA.EXAMPLE.CO@IPA.EXAMPLE.CO
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    certificate template/profile: KDCs_PKINIT_Certs
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
The system is back to the present day, but pki-tomcat will not start in the
present day, so I can move back to the past. I moved it back to the present
day as most things still work.
> I reviewed the blog at
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
> (Thanks Flo!) but was still unable to get anything working. The
> certificate password test fails with these errors:
>
> [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
> [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
>
If you run the same command without -n <alias>, you should be able to see
all the keys stored in the NSS database:
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
Is there an entry for something like 'subsystemCert cert-pki-ca'?
flo
Here's the certutil output:

[root@master ~]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa redacted NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa redacted NSS Certificate DB:caSigningCert cert-pki-ca
< 2> rsa redacted NSS Certificate DB:ocspSigningCert cert-pki-ca
< 3> rsa redacted NSS Certificate DB:subsystemCert cert-pki-ca
< 4> rsa redacted NSS Certificate DB:auditSigningCert cert-pki-ca

(Redactions are mine)
Any ideas what I can try?
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
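Added example (not code from this thread, from FreeIPA or from certmonger): a small script that applies Flo's point about validity windows to a `getcert list` listing. Given a candidate clock time it reports which tracked certificates would be expired or not yet valid, and it computes the single window in which every certificate in the set is valid, which is the interval a clock would have to be set into before running a renewal. The sample listing is constructed, abridged from the entries in this message; the time-zone table is an assumption covering only the zone abbreviation that appears here. On the thread's own dates it shows why going 24 hours before the 2023-08-27 expiry is not a clean state: kdc.crt was reissued on 2023-08-31, so at any time before that it is not yet valid, and no single clock setting satisfies all the entries at once, while the pki-tomcat certificates alone still share a window ending on 2023-08-27.

```python
"""Check which certificates from a `getcert list` listing are valid at a given
clock time, and compute the window in which all of them are valid at once."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: three entries abridged from the listing in this thread
# (line wrapping removed). Real `getcert list` output has the same fields.
SAMPLE_GETCERT = """\
Request ID '20220906145805':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    issued: 2021-09-06 12:07:45 EDT
    expires: 2023-08-27 12:07:45 EDT
Request ID '20220906145808':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    issued: 2019-10-15 12:07:28 EDT
    expires: 2039-10-15 12:07:28 EDT
Request ID '20220906145820':
    status: MONITORING
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    issued: 2023-08-31 10:10:23 EDT
    expires: 2024-08-31 10:10:23 EDT
"""

# certmonger prints timestamps with the host's zone abbreviation. This table is
# an assumption covering the zones relevant to the thread; extend it as needed.
TZ_OFFSET_HOURS = {"EDT": -4, "EST": -5, "UTC": 0}


def parse_timestamp(text):
    """Turn 'YYYY-MM-DD HH:MM:SS ZONE' into a timezone-aware datetime."""
    date, clock, zone = text.split()
    tz = timezone(timedelta(hours=TZ_OFFSET_HOURS[zone]))
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def parse_getcert(output):
    """Return one dict per tracked request: request_id, name, status, issued, expires."""
    certs, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"request_id": header.group(1)}
            certs.append(current)
            continue
        if current is None or ": " not in line:
            continue
        key, _, value = line.partition(": ")
        if key == "certificate":
            # NSS-backed certs carry a nickname; file-backed ones only a path.
            m = re.search(r"nickname='([^']+)'", value) or re.search(r"location='([^']+)'", value)
            current["name"] = m.group(1)
        elif key in ("issued", "expires"):
            current[key] = parse_timestamp(value)
        elif key == "status":
            current["status"] = value
    return certs


def classify(certs, at):
    """Map each cert name to 'valid', 'expired' or 'not yet valid' at time `at`."""
    verdicts = {}
    for cert in certs:
        if at < cert["issued"]:
            verdicts[cert["name"]] = "not yet valid"
        elif at > cert["expires"]:
            verdicts[cert["name"]] = "expired"
        else:
            verdicts[cert["name"]] = "valid"
    return verdicts


def common_validity_window(certs):
    """Return (start, end) during which every cert in `certs` is valid, or None."""
    start = max(cert["issued"] for cert in certs)
    end = min(cert["expires"] for cert in certs)
    return (start, end) if start <= end else None


if __name__ == "__main__":
    certs = parse_getcert(SAMPLE_GETCERT)
    for when in ("2023-08-26 12:00:00 EDT", "2023-09-18 12:00:00 EDT"):
        print(when, classify(certs, parse_timestamp(when)))
    print("window for all entries:", common_validity_window(certs))
    pki_only = [c for c in certs if c["name"].endswith("cert-pki-ca")]
    print("window for pki-tomcat entries:", common_validity_window(pki_only))
```

To use it against a real server, pipe `getcert list` output (run as root) into `parse_getcert` instead of the embedded sample, and run `classify` for each clock setting you are considering before touching the date; an empty `common_validity_window` result is the signal that a date change alone cannot bring the whole set into a consistent state.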