On 7/16/20 4:54 PM, Lorenz Braun wrote:
On 16.07.20 15:50, Florence Blanc-Renaud wrote:
On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote:
I was thinking something similar. I tried
```
[root@ipa01 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20200716071025', please check the request manually
The ipa-cacert-manage command failed.
```
Hi,
this command is used to renew the IPA CA certificate and is not applicable to
the current situation. The IPA CA has ~20 years validity, and this cert is
unlikely to have expired.
Good to know, thanks!
```
[root@ipa01 ~]# getcert list
Number of certificates and requests being tracked: 9.
[...]
Request ID '20200716071025':
status: CA_UNREACHABLE
```
This is expected in your case as pki is down, and won't be able to
manage the certificate renewal request.
```
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2040-07-16 07:08:27 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
[...]
```
The other ones are all MONITORING and expire in 2022. Since I tried to
force a new cert, maybe this is still okay and the problem lies
somewhere else?
Then the problem is different. Since the new certs will expire in 2022
(in 2 years), I suspect that they were renewed recently but the
renewal failed in the middle.
You can refer to [1] in order to ensure that this is the root cause
and fix the current situation.
HTH,
flo
[1]
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
I have checked, and the certificates in /etc/pki/pki-tomcat/alias and
LDAP are exactly the same. I attached
/var/log/pki/pki-tomcat/ca/debug. The error message there is different:
```
[16/Jul/2020:16:24:57][profileChangeMonitor]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)
at java.net.Socket.connect(Socket.java:556)
at java.net.Socket.<init>(Socket.java:452)
at java.net.Socket.<init>(Socket.java:262)
at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSSLSocket(PKISocketFactory.java:120)
at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:159)
at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
at netscape.ldap.LDAPConnThread.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:82)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory$BoundConnection.<init>(LdapBoundConnFactory.java:531)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:187)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:332)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:295)
at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:426)
at java.lang.Thread.run(Thread.java:748)
[...]
[16/Jul/2020:16:24:57][profileChangeMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
[16/Jul/2020:16:24:57][authorityMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
```
The firewall is not restricting this, and I am a bit puzzled as to why the
connection fails. If the service is not running or the port is not open,
ldapsearch should also not work, right?
I might test a fresh ipa install without restoring any data. Maybe
something with my OS or network is wrong.
You can check with
# netstat -tunpl | grep 636
if the LDAP server is listening on this port. It's possible that the
LDAP server is up but only listening on 389.
To see if port 636 is enabled in the server config:
# ldapsearch -x -D "cn=directory manager" -W -b cn=config -s base nsslapd-security
The attribute value should be "nsslapd-security: on".
flo
Best Regards
Lorenz
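The two checks Flo suggests (is anything listening on TCP 636, and is nsslapd-security on in cn=config), wrapped in a small POSIX sh script as an added example; this is not code from the thread, from FreeIPA or from 389-ds. It assumes ss (or netstat), ldapsearch and openssl are on PATH and that the Directory Manager password is in a file named by $DM_PASS_FILE (an assumption, not something from the thread). The parsing functions read text on stdin, so they can be tried on saved output without touching a live server; check_live() wires them to the real commands and adds a TLS handshake, because a bound port only proves the socket exists, not that LDAPS is actually being served.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or 389-ds): check whether
# the directory server is serving LDAPS on 636, which pki-tomcat needs.

# parse_nsslapd_security: read LDIF on stdin and print the value of
# nsslapd-security ("on"/"off"), or "missing" if the attribute is absent.
parse_nsslapd_security() {
    awk 'BEGIN { v = "missing" }
         tolower($1) == "nsslapd-security:" { v = tolower($2) }
         END { print v }'
}

# port_listening PORT: read "ss -tlnp" or "netstat -tunpl" output on
# stdin; return 0 if a listener is bound to PORT on any address
# (0.0.0.0:636, :::636, *:636, 127.0.0.1:636). Only LISTEN lines count,
# so UDP sockets and client connections to the port are not false hits.
port_listening() {
    grep -E 'LISTEN' | grep -Eq '[:.]'"$1"'([[:space:]]|$)'
}

# diagnose LISTENING SECURITY: turn the two observations into the
# conclusion Flo's reply points at. LISTENING is 0 when a 636 listener
# was seen, 1 otherwise; SECURITY is the parsed nsslapd-security value.
diagnose() {
    listening="$1"; security="$2"
    if [ "$listening" -eq 0 ]; then
        echo "OK: listener on 636 present; LDAPS is up, look elsewhere for the pki-tomcat failure"
    elif [ "$security" = "on" ]; then
        echo "TLS_BROKEN: nsslapd-security is on but nothing listens on 636; check the dirsrv errors log for certificate or NSS errors"
    else
        echo "SECURITY_OFF: nsslapd-security=$security and no listener on 636; enable security in cn=config and restart dirsrv"
    fi
}

# check_live [HOST]: run the real commands on this host. Not called
# automatically; invoke it from an interactive shell.
# Assumption: $DM_PASS_FILE holds the Directory Manager password
# (ldapsearch -y reads it from a file so it does not show up in ps).
check_live() {
    host="${1:-$(hostname -f)}"
    if ss -tlnp 2>/dev/null | port_listening 636; then l=0; else l=1; fi
    sec=$(ldapsearch -x -H "ldap://$host:389" -D "cn=directory manager" \
            -y "$DM_PASS_FILE" -b cn=config -s base nsslapd-security 2>/dev/null \
          | parse_nsslapd_security)
    diagnose "$l" "$sec"
    # A handshake proves the listener really serves TLS and shows which
    # cert it presents; a mismatch with the LDAP copy is the next thing
    # to compare.
    if [ "$l" -eq 0 ]; then
        openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null \
            | grep -E 'Verify return code|subject='
    fi
}
```

Run `check_live ipa01.example.com` on the server itself; the verdict line says whether the LDAPS listener is missing (the cause matching the "Connection refused" in the pki-tomcat debug log), whether security is simply off in cn=config, or whether the port is fine and the failure lies further along in pki-tomcat's LDAP bind.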
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]