I have a single-server IPA environment in my homelab. I noticed today that I was unable to delete a host from IPA, and found that pki-tomcatd was down and unable to start.
I found that several certificates had expired for some reason. I tried `ipa-cert-fix`, but that failed as pki-tomcat will not start. I attempted to set the server date/time to a date 24 hours before the certificates expired, and was able to get tomcat to start; however, `ipa-cert-fix` now fails with this error:

```
CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket', '/run/slapd-IPA-DOMAIN-CO.socket', '--agent-uid', 'ipara', '--cert', 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '16'] returned non-zero exit status 1: "
INFO: Loading instance type: pki-tomcatd
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg
INFO: Loading subsystem registry: /etc/pki/pki-tomcat/ca/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['16']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP connection for CA
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
")
```

I reviewed the blog at https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ (Thanks Flo!) but was still unable to get anything working.
The certificate password test fails with these errors:

```
[root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
[root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
```

Any ideas what I can try?

_______________________________________________
FreeIPA-users mailing list
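An added example, not from the original post, for the date-rollback step described above: it parses `getcert list` output (sample constructed here; the `Request ID` / `certificate:` / `expires:` field layout is assumed from certmonger) to list which tracked certificates have already expired and to compute the latest clock value that keeps all of them valid with a 24-hour margin, i.e. the date you would set before running `ipa-cert-fix`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output. Field layout is assumed from
# certmonger; nicknames follow the pki-tomcat certs named in the post,
# request IDs and dates are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20200101000001':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2023-03-10 08:15:00 UTC
Request ID '20200101000002':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2023-03-12 21:40:00 UTC
Request ID '20200101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2025-01-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Return [(nickname, expiry)] for every tracked request that has an expires: line."""
    certs, nickname = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID"):
            nickname = None                        # start of a new request block
        elif line.startswith("certificate:"):      # skip the 'key pair storage:' line
            m = re.search(r"nickname='([^']*)'", line)
            nickname = m.group(1) if m else "<no nickname>"
        elif line.startswith("expires:"):
            stamp = line.split(":", 1)[1].strip()  # e.g. 2023-03-10 08:15:00 UTC
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %Z")
            certs.append((nickname, when.replace(tzinfo=timezone.utc)))
    return certs

def expired(certs, now):
    """Nicknames whose expiry is at or before `now` (the ones that keep pki-tomcat down)."""
    return [name for name, when in certs if when <= now]

def rollback_date(certs, margin=timedelta(hours=24)):
    """Latest clock value at which every cert is still valid with `margin` to spare:
    earliest expiry minus the margin (the post's '24 hours before the certificates expired')."""
    return min(when for _, when in certs) - margin
```

Feed it the real `getcert list` output and compare the reported expiries against `date -u` before and after adjusting the clock.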
