Our FreeIPA CA cert (externally signed via a Microsoft AD CA) recently expired.
Unfortunately, I didn't notice it until after it expired. After jumping
through some hoops, and with some help from Florence's blog, I was able to get new
certificates installed successfully (at least according to the
ipa-cacert-manage and ipa-certupdate commands). However, at this point,
pki-tomcat will not start and ipa-getcert and getcert don't really show what I
would expect...
Oh - also, I should point out that I'm running on Oracle Linux 7.9 and FreeIPA
VERSION: 4.6.8, API_VERSION: 2.237. Yes, I know I'm far from the latest out
there, but until I can upgrade this server to a new OS I'm kind of stuck, and
unfortunately my situation here is making upgrading the OS difficult. So please
forgive me for asking for assistance on such an old setup, but know that the
goal is to upgrade; that's just not possible at this exact moment, so if I can
fix this current setup to see me through until I can upgrade, that would be
really good.
Any suggestions so we can get these certs installed properly and get pki-tomcat
started would be appreciated!
When I run ipa-getcert list, I get the following (which is still showing the
old cert):
# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20210201172924':
status: NEED_TO_SUBMIT
ca-error: Server at https://[hostname]/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://[hostname]:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)).
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=[DOMAIN]
subject: CN=[hostname],O=[DOMAIN]
expires: 2025-05-31 15:41:32 UTC
principal name: krbtgt/[DOMAIN@DOMAIN]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
And running getcert list returns mostly the old expired cert, but with one
entry with the new cert:
# getcert list | egrep "Request ID|status:|CA:|expires:"
Request ID '20210201172746':
status: CA_UNREACHABLE
CA: dogtag-ipa-ca-renew-agent
expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172819':
status: MONITORING
CA: dogtag-ipa-ca-renew-agent
expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172820':
status: MONITORING
CA: dogtag-ipa-ca-renew-agent
expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172821':
status: MONITORING
CA: dogtag-ipa-ca-renew-agent
expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172822':
status: MONITORING
CA: dogtag-ipa-ca-renew-agent
expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172823':
status: MONITORING
CA: dogtag-ipa-ca-renew-agent
expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172924':
status: CA_UNREACHABLE
CA: IPA
expires: 2025-05-31 15:41:32 UTC
I do see the following in /var/log/pki/pki-tomcat/ca/debug:
Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
Internal Database Error encountered: Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
And /var/log/pki/pki-tomcat/localhost.[date].log gets tons of these:
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:750)
SEVERE: Exception Processing /ca/ee/ca/profileSubmit
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:750)
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
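Editor's added example (not part of the post above, and not code from FreeIPA or certmonger): the `getcert list` output quoted in the post is long enough that reading status and expiry by eye is error-prone, and `egrep` loses the `ca-error` text that says why the CA was unreachable. The script below parses the format certmonger prints (one `Request ID` header, then tab-indented `key: value` lines) and lists every request that is not in MONITORING, together with its `ca-error` if present, plus every certificate that is already expired or inside a renewal window. The sample input is constructed to mirror the shape of the post's output; its request IDs, hostname `ipa.example.test`, nicknames and dates are placeholders, and the 30-day window is this example's choice, not a certmonger default.

```python
"""Triage certmonger tracking state from `getcert list` output.

Added example (not from the original post, FreeIPA or certmonger). It parses
the text format `getcert list` prints, reports every request that is not in
MONITORING (with its ca-error, if any) and every certificate that is expired
or inside a renewal window. SAMPLE is constructed; its request IDs, hostname,
nicknames and dates are placeholders.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

_REQUEST_RE = re.compile(r"^Request ID '(?P<rid>[^']+)':\s*$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}}.

    certmonger prints one field per line, indented under its 'Request ID'
    header. Keys never contain ':' so the first colon splits key from value
    (values such as the ca-error URL contain further colons).
    """
    requests, current = {}, None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group("rid"), {})
            continue
        if current is None or not line[:1].isspace():
            continue  # e.g. the 'Number of certificates ...' header
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    stamp, _, zone = value.rpartition(" ")
    if zone != "UTC":
        raise ValueError(f"unexpected time zone in {value!r}")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def triage(text, now, renew_window_days=30):
    """Return a sorted list of (request_id, problem) pairs.

    `now` uses the same timestamp format as the 'expires' field so a report
    can be reproduced later. The window default is an assumption of this
    example, not a certmonger setting.
    """
    now_dt = parse_expiry(now)
    window = timedelta(days=renew_window_days)
    problems = []
    for rid, fields in sorted(parse_getcert_list(text).items()):
        status = fields.get("status", "UNKNOWN")
        if status != "MONITORING":
            detail = fields.get("ca-error")
            problems.append((rid, f"status {status}" + (f": {detail}" if detail else "")))
        if "expires" in fields:
            expires = parse_expiry(fields["expires"])
            if expires <= now_dt:
                problems.append((rid, f"certificate expired at {fields['expires']}"))
            elif expires - now_dt <= window:
                problems.append((rid, f"certificate expires within {renew_window_days} days ({fields['expires']})"))
    return problems


# Constructed sample in the shape of `getcert list`; placeholders throughout.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20210201172746':
\tstatus: CA_UNREACHABLE
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2025-05-31 15:41:32 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20210201172822':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2027-06-09 13:26:26 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20210201172924':
\tstatus: NEED_TO_SUBMIT
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa.example.test:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: IPA
\texpires: 2025-05-31 15:41:32 UTC
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
\ttrack: yes
\tauto-renew: yes
"""

if __name__ == "__main__":
    # Usage: getcert list > /tmp/getcert.txt; python3 triage.py /tmp/getcert.txt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    for rid, problem in triage(src, now):
        print(f"{rid}: {problem}")
```

Run it against the saved output of `getcert list` (with a current `now`) on the server; a request reported with a `ca-error` that names `/ca/rest/account/login` tells you certmonger's IPA helper could not complete a TLS handshake with the CA, which is a separate problem from the expiry itself and is worth fixing before retrying `getcert resubmit`.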