[root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
[root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca'
[root@wocfreeipa ~]# grep internal /etc/pki/pki-tomcat/password.conf
internal=3Tm~ofzwXXXXXXXXXXXX
[root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL
Please enter pin, password, or pass phrase for security token 'ldap(0)':
SASL/EXTERNAL authentication started
SASL username: cn=CA Subsystem,o=SAP.WINGON.HK
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=sap,dc=wingon,dc=hk
namingContexts: o=ipaca
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

It seems the connection established by Dogtag to 389 DS is correct. But why did Dogtag complain "Peer's certificate issuer has been marked as not trusted by the user."? Weird.

On Thu, Jun 18, 2020 at 9:31 AM luckydog xf <[email protected]> wrote:

> The sad thing is that the CA expired on May 30, 2020. My IPA cannot log in.
>
> So I used certutil to remove old CAs. Here are the steps I used. Unfortunately, I didn't try the step you mentioned.
>
> 1. certutil -d /etc/httpd/alias -D -n Server-Cert
>    certutil -d /etc/httpd/alias -D -n <Other CAs of Comodo>
>
> 2. Do the same thing against /etc/dirsrv/slapd-xxx
>
> 3. Add new certs and CAs by:
>
> cat server.key server.crt > server.all
>
> openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"
>
> pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
>
> 4. ipactl restart -f -d shows pki-tomcatd cannot start.
>
> ---------
> Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk port 636 Error
> netscape.ldap.LDAPException: Unable to create socket:
> org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
>
> So what's wrong?
>
> -------------
>
> On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud <[email protected]> wrote:
>
>> On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote:
>> > Hi, as stated in
>> > https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>> >
>> > I cannot log in to the FreeIPA web page.
>> >
>> > So I update the CA by:
>> >
>> > # delete everything except IPA CA of httpd and dirsrv
>> >
>> > certutil -d /etc/httpd/alias -D -n 'xxx'
>> >
>> > # ca-bundle.crt is 3 files named USERTrust, etc.
>> >
>> > # server.all is a combination of my certificate signed by Sectigo (formerly named Comodo).
>> >
>> > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"
>> >
>> > # add to httpd and dirsrv.
>> >
>> > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
>> >
>> > I restart all services by ipactl restart. But it seems pki-tomcat fails to start up.
>> >
>> > #### log of ipactl start ####
>> >
>> > Starting pki-tomcatd Service
>> > ipa: DEBUG: Starting external process
>> > ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target
>> > ipa: DEBUG: Process finished, return code=0
>> > ipa: DEBUG: request POST http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus
>> > ipa: DEBUG: request body ''
>> > ipa: DEBUG: response status 500
>> > ipa: DEBUG: response headers Server: Apache-Coyote/1.1
>> > Content-Type: text/html;charset=utf-8
>> > Content-Language: en
>> > Content-Length: 2208
>> > Date: Wed, 17 Jun 2020 09:13:19 GMT
>> > Connection: close
>> >
>> > ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s
>> > ......
>> >
>> > ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with status 500
>> > ipa: DEBUG: Waiting until the CA is running
>> >
>> > #### END of log #####
>> >
>> > Here is the log of pki-tomcat
>> >
>> > ###
>> > Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk port 636 Error
>> > netscape.ldap.LDAPException: Unable to create socket:
>> > org.mozilla.jss.ssl.SSLSocketException:
>> > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
>> > ###
>> >
>> > The point is 'Peer's certificate issuer has been marked as not trusted by the user.' As far as I know pki-tomcat needs a certificate to bind to 389 DS and store information.
>> >
>> > But I didn't touch the CA named 'IPA CA', so basically pki-tomcatd could use its own certificate named 'subsystemCert cert-pki-ca' to bind to 389 DS.
>> >
>> > Please help.
>>
>> Hi,
>>
>> the new CA certs from Sectigo need to be installed with ipa-cacert-manage install (the command uploads the certs in the LDAP database). For more information, please refer to "Installing a CA Certificate Manually" [1].
>> As the chain contains multiple certs, you need to start from the root cert then go down the chain. When all the certs have been added, don't forget to run ipa-certupdate on all the IPA hosts (the command downloads the certs from LDAP and puts them in all the NSSDBs that need them).
>>
>> HTH,
>> flo
>>
>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/manual-cert-install
>>
>> >
>> > Thanks a lot.
>> >
>> > _______________________________________________
>> > FreeIPA-users mailing list -- [email protected]
>> > To unsubscribe send an email to [email protected]
>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> >
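The advice in the thread is that every NSS database Dogtag and the directory server use must end up holding the same new Sectigo chain, which is what ipa-certupdate propagates; the -8172 code quoted above is NSS's SEC_ERROR_UNTRUSTED_ISSUER, which the client side raises when the chain it builds does not end at a certificate its own database trusts as an SSL CA. The script below is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` listings, reports which CA nicknames present in the dirsrv database are absent from the pki-tomcat one, and lists entries that carry no SSL CA trust flag. The database paths, nicknames and listings are constructed samples; given two directories as arguments on a host with certutil installed, it reads the real databases instead.

```shell
#!/bin/sh
# Compare the CA content of two NSS databases from `certutil -L` listings.
# Constructed sample listings (not output from the thread's host): the dirsrv
# DB received the new chain via pk12util -chain, the pki-tomcat DB did not.
DIRSRV_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
EXAMPLE.TEST IPA CA                             CT,C,C
USERTrust RSA Certification Authority           CT,C,C
Sectigo RSA Domain Validation Secure Server CA  ,,'
PKI_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                       u,u,u
Server-Cert cert-pki-ca                         u,u,u
EXAMPLE.TEST IPA CA                             CT,C,C'

# Print "nickname<TAB>trust" for each certificate line; the trust field is the
# last token and looks like "CT,C,C" or ",,", so header lines never match.
entries() {
  printf '%s\n' "$1" | awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
    t = $NF; sub(/[ \t]+[^ \t]+$/, ""); print $0 "\t" t }'
}

# CA nicknames only: entries without "u" (no private key in this DB).
ca_nicks() { entries "$1" | awk -F'\t' '$2 !~ /u/ { print $1 }'; }

# CA nicknames in the reference listing ($1) that the checked listing ($2)
# lacks. After ipa-certupdate every IPA NSSDB should hold the same chain.
missing_from() {
  { ca_nicks "$1" | sed 's/^/A /'; ca_nicks "$2" | sed 's/^/B /'; } |
  awk '$1 == "B" { have[substr($0, 3)] = 1; next } { want[substr($0, 3)] = 1 }
       END { for (n in want) if (!(n in have)) print n }' | LC_ALL=C sort
}

# Entries whose SSL column has neither "C" (trusted CA) nor "u" (own key):
# present, but not usable as an SSL trust anchor; they must chain to one.
not_ssl_anchor() {
  entries "$1" | awk -F'\t' '{ split($2, f, ","); if (f[1] !~ /[Cu]/) print $1 }'
}
# With two directories and certutil available, read the real databases, e.g.
#   sh nss_check.sh /etc/dirsrv/slapd-EXAMPLE /etc/pki/pki-tomcat/alias
if [ "$#" -eq 2 ] && command -v certutil >/dev/null 2>&1; then
  REF=$(certutil -L -d "$1"); CHK=$(certutil -L -d "$2")
else
  REF=$DIRSRV_LISTING; CHK=$PKI_LISTING
fi
echo "CAs in reference DB missing from checked DB:"; missing_from "$REF" "$CHK"
echo "Checked-DB entries without SSL CA trust:"; not_ssl_anchor "$CHK"
```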
