Hi,

On Fri, Apr 19, 2024 at 6:20 PM Basile Pinsard via FreeIPA-users <[email protected]> wrote:

> Hi!
>
> Here is the output of ipa-cert-fix on the original instance:
>
> ```
>
> The following certificates will be renewed:
>
> Dogtag sslserver certificate:
> Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
> Serial: 3
> Expires: 2024-03-19 20:36:25
>
> Dogtag subsystem certificate:
> Subject: CN=CA Subsystem,O=DOMAIN.COM
> Serial: 4
> Expires: 2024-03-19 20:36:27
>
> Dogtag ca_ocsp_signing certificate:
> Subject: CN=OCSP Subsystem,O=DOMAIN.COM
> Serial: 2
> Expires: 2024-03-19 20:36:24
>
> Dogtag ca_audit_signing certificate:
> Subject: CN=CA Audit,O=DOMAIN.COM
> Serial: 5
> Expires: 2024-03-19 20:36:30
>
> IPA IPA RA certificate:
> Subject: CN=IPA RA,O=DOMAIN.COM
> Serial: 7
> Expires: 2024-03-19 20:38:19
>
> IPA KDC certificate:
> Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
> Serial: 10
> Expires: 2024-03-30 20:40:27
>
> Enter "yes" to proceed: yes
> Proceeding.
> CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket', '/run/slapd-DOMAIN-COM.socket', '--agent-uid', 'ipara', '--cert', 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '7', '--extra-cert', '10'] returned non-zero exit status 1: "INFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']\nINFO: Renewing the following additional certs: ['7', '10']\nINFO: Stopping the instance to proceed with system cert renewal\nINFO: Configuring LDAP connection for CA\nINFO: Setting pkidbuser password via ldappasswd\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Selftests disabled for subsystems: ca\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: Resetting password for uid=ipara,ou=people,o=ipaca\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: Creating a temporary sslserver cert\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nINFO: Trying to create a new temp cert for sslserver.\nINFO: Generate temp SSL certificate\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nINFO: CSR for sslserver has been written to /tmp/tmpydx011j8/sslserver.csr\nINFO: Getting signing cert info from CS.cfg\nINFO: Getting signing cert info from NSS database\nINFO: CA cert written to /tmp/tmpydx011j8/ca_certificate.crt\nINFO: AKI: 0x7A0D23C6A1283EB899A0E5A4EFA3F92042F7F6D0\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Selftests enabled for subsystems: ca\nINFO: Restoring LDAP connection for CA\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nERROR: Failed to generate CA-signed temp SSL certificate. RC: 255\n")
> The ipa-cert-fix command failed.
>
> ```
>
> > If you have a backup of the previous http/ldap certs you can put them
> > back in place.
>
> Unfortunately, I don't have these anymore.
>
> However, I tried the approach I described above on a copy of the data in
> another container, managed to install temporary certs/CA for the ldap/httpd
> servers, pki-tomcat seems to be able to establish the connection to the
> LDAP but crashes at the following error.
>
> `Certificate not found: caSigningCert cert-pki-ca`

Do you have the IPA CA cert in /etc/pki/pki-tomcat/alias/ and /etc/ipa/ca.crt?

> Not sure what else needs to be fixed.
>
> On this copy, with the hacked temporary certs, if I run `ipa-cert-fix` I
> get the same error as on the original instance. If I run the `pki-server
> cert-fix` command that crashes, but removing `--cert sslserver`, it goes a
> bit further but is still blocked by `pki-tomcat` not being able to start.

You can also try to run the pki-server cert-fix command with the additional
arguments --verbose --debug; it may provide you with more information.

flo

> Thanks for all the help.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
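As an added example (written for this archive page, not code from the thread or from FreeIPA/Dogtag), a small Python check for the question raised in the reply about the IPA CA cert: it parses `certutil -L` output for the `caSigningCert cert-pki-ca` nickname in the pki-tomcat NSS database and compares that certificate's SHA-256 fingerprint with /etc/ipa/ca.crt, which is one concrete way to explain a "Certificate not found: caSigningCert cert-pki-ca" failure. It assumes certutil's listing format (nickname, whitespace, three comma-separated trust fields) and that `certutil -L -d DIR -n NICK -a` prints PEM; the sample listing and PEM at the bottom are constructed so the functions can be exercised offline.

```python
# Added diagnostic (not FreeIPA code) for "Certificate not found: caSigningCert cert-pki-ca".
import base64
import hashlib
import re
import subprocess

ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
IPA_CA_CRT = "/etc/ipa/ca.crt"
CA_NICK = "caSigningCert cert-pki-ca"

def parse_certutil_listing(text):
    """Map nickname -> trust flags from `certutil -L -d DIR` output; the header is skipped."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$", line)
        if m and m.group(1).strip():
            certs[m.group(1).strip()] = m.group(2)
    return certs

def pem_sha256(pem):
    """SHA-256 of the DER inside the first CERTIFICATE block (what `openssl x509 -fingerprint -sha256` hashes)."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if body is None:
        raise ValueError("no CERTIFICATE block found")
    return hashlib.sha256(base64.b64decode("".join(body.group(1).split()))).hexdigest()

def diagnose(listing, db_pem, ipa_pem):
    """Verdict string starting with 'missing', 'mismatch' or 'ok'."""
    certs = parse_certutil_listing(listing)
    if CA_NICK not in certs:
        return "missing: %r not in NSS DB; found %s" % (CA_NICK, sorted(certs))
    if pem_sha256(db_pem) != pem_sha256(ipa_pem):
        return "mismatch: NSS DB copy of %s differs from %s" % (CA_NICK, IPA_CA_CRT)
    return "ok: %s matches %s" % (CA_NICK, IPA_CA_CRT)

def run_on_host():
    """Live check on a server: needs root and certutil (nss-tools); call it from a Python shell."""
    cu = ["certutil", "-L", "-d", ALIAS_DIR]
    listing = subprocess.run(cu, capture_output=True, text=True, check=True).stdout
    db_pem = subprocess.run(cu + ["-n", CA_NICK, "-a"], capture_output=True, text=True).stdout
    return diagnose(listing, db_pem, open(IPA_CA_CRT).read())

# Constructed sample input (not from the thread) so the functions can be exercised offline.
SAMPLE_LISTING = """Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca             CTu,Cu,Cu
Server-Cert cert-pki-ca               u,u,u
"""
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(b"constructed bytes, not a real certificate").decode())
```

If the verdict is "missing", the NSS database lost the CA entry and the temporary-cert step of cert-fix has nothing to sign with; "mismatch" means the two copies of the CA have diverged and the one in the database should be compared with what the LDAP-stored CA actually is before anything is replaced.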
