Russ Long via FreeIPA-users wrote:
> Any other advice here? I have also tried setting the system back to when
> certificates were valid, restarting certmonger and pki-tomcatd, and running
> getcert resubmit on the affected certs; this moves them to a "Monitoring"
> status, but they still never renew, either in the present day or when the
> system is back in time.
>
> When the system is back in time to when certs are valid, if I start up
> certmonger in debug mode and submit the getcert resubmit, I get this:
>
> 2023-08-25 00:29:24 [106919] Certificate submission attempt complete.
> 2023-08-25 00:29:24 [106919] Child status = 2.
> 2023-08-25 00:29:24 [106919] Child output:
> "Server at "http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit" replied: Request 1 - Server Internal Error
> "
> 2023-08-25 00:29:24 [106919] Server at "http://master.ipa.example.co:8080/ca/ee/ca/profileSubmit" replied: Request 1 - Server Internal Error
> 2023-08-25 00:29:24 [106919] Certificate not (yet?) issued.
> 2023-08-25 00:29:24 [106919] Request2('20230825040038') already had a certificate, going back to monitoring it
> 2023-08-25 00:29:24 [106919] Request2('20230825040038') moved to state 'MONITORING'
> 2023-08-25 00:29:24 [106919] Wrote to /var/lib/certmonger/requests/20230825040039
> 2023-08-25 00:29:24 [106919] Will revisit Request2('20230825040038') soonish.
> 2023-08-25 00:29:54 [106919] Will revisit Request2('20230825040038') in 41876 seconds.
>
> Digging further on this, pki-tomcat logs show an LDAP error:
>
> 2023-08-25 00:29:23 [http-nio-8080-exec-3] WARNING: Unable to update certificate request: Unable to modify LDAP record: Object class violation
> Unable to modify LDAP record: Object class violation
>         at com.netscape.cmscore.dbs.LDAPSession.modify(LDAPSession.java:276)
>         at com.netscape.cmscore.request.RequestRepository.modifyRequest(RequestRepository.java:322)
>         at com.netscape.cmscore.request.RequestRepository.updateRequest(RequestRepository.java:290)
>         at com.netscape.cms.servlet.cert.CertProcessor.submitRequests(CertProcessor.java:323)
>         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:207)
>         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:278)
>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:131)
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:487)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>         at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:207)
>         at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>         at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)
>         at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
>         at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
>         at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
>         at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.base/java.lang.Thread.run(Thread.java:833)
> Caused by: netscape.ldap.LDAPException: Object class violation (65); unknown object class "request"
>         at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
>         at netscape.ldap.LDAPConnection.modify(Unknown Source)
>         at netscape.ldap.LDAPConnection.modify(Unknown Source)
>         at netscape.ldap.LDAPConnection.modify(Unknown Source)
>         at netscape.ldap.LDAPConnection.modify(Unknown Source)
>         at com.netscape.cmscore.dbs.LDAPSession.modify(LDAPSession.java:264)
>         ... 54 more
>
> I really have no idea where to go from here with this.
It means you are missing at least one objectclass definition in schema that the CA adds. How this can happen I have no idea.

You can add missing schema with:

    ldapadd -c -D 'cn=directory manager' -W -f /usr/share/pki/server/database/ds/schema.ldif

The -c means it will continue loading the ldif on errors (like the schema already exists).

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
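An added example (not code from the thread or from the pki/FreeIPA projects) showing the two checks a practitioner would want before running the ldapadd above: pull the objectClass names the directory rejected as unknown out of the pki-tomcat debug log, and confirm which of them the schema LDIF actually defines, so that "fixed by loading the LDIF" versus "still missing afterwards" is known up front. The log excerpt and LDIF fragment are constructed to match the thread; the OIDs in the fragment are placeholders, not the real pki schema OIDs.

```python
import re

# Constructed excerpt modelled on the pki-tomcat debug log quoted in the thread.
SAMPLE_LOG = """\
2023-08-25 00:29:23 [http-nio-8080-exec-3] WARNING: Unable to update certificate request: Unable to modify LDAP record: Object class violation
Unable to modify LDAP record: Object class violation
        at com.netscape.cmscore.dbs.LDAPSession.modify(LDAPSession.java:276)
Caused by: netscape.ldap.LDAPException: Object class violation (65); unknown object class "request"
        at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
        ... 54 more
"""

# Constructed fragment in the shape of a 389-DS schema LDIF (the shape of
# /usr/share/pki/server/database/ds/schema.ldif); OIDs here are placeholders.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.2.3.4.5.1 NAME 'request' DESC 'placeholder' SUP top STRUCTURAL MUST ( cn ) )
objectClasses: ( 1.2.3.4.5.2 NAME 'certificateRecord' SUP top STRUCTURAL MUST ( cn ) )
"""

# LDAP result code 65 is objectClassViolation; the CA's LDAP client appends the
# offending class name, which is the one value we need from the whole trace.
UNKNOWN_OC_RE = re.compile(r'Object class violation \(65\);\s*unknown\s+object class "([^"]+)"')
# Each objectClasses value carries the class name after NAME in single quotes.
SCHEMA_OC_RE = re.compile(r"^objectClasses:\s*\(.*?\bNAME\s+'([^']+)'", re.MULTILINE)


def unknown_object_classes(log_text):
    """Return the set of objectClass names the directory rejected as unknown."""
    return set(UNKNOWN_OC_RE.findall(log_text))


def defined_object_classes(ldif_text):
    """Return the set of objectClass names a schema LDIF would add."""
    return set(SCHEMA_OC_RE.findall(ldif_text))


def schema_repair_plan(log_text, ldif_text):
    """Split the classes the log reports missing into those the LDIF supplies and those it does not."""
    missing = unknown_object_classes(log_text)
    supplied = defined_object_classes(ldif_text)
    return {
        "missing": sorted(missing),
        "fixed_by_ldif": sorted(missing & supplied),
        "still_missing": sorted(missing - supplied),
    }


if __name__ == "__main__":
    # On a real server: schema_repair_plan(open(debug_log).read(), open(schema_ldif).read())
    print(schema_repair_plan(SAMPLE_LOG, SAMPLE_SCHEMA_LDIF))
```

Anything left in `still_missing` after loading the LDIF points at schema the CA needs from somewhere other than that file, which is worth knowing before resubmitting the certmonger requests again.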
