stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SAMPLE.NET
subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
On Mon, May 2, 2016 at 5:35 PM Anthony Cheng <[email protected]> wrote:

On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <[email protected]> wrote:
Anthony Cheng wrote:
> On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <[email protected]> wrote:
>
> Anthony Cheng wrote:
> > OK so I made progress on my cert renew issue; I was able to get kinit
> > working so I can follow the rest of the steps here
> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> >
> > However, after using
> >
> > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> >
> > and restarting apache (/sbin/service httpd restart), resubmitting 3
> > certs (ipa-getcert resubmit -i <ID>) and restarting IPA
> > (/sbin/service ipa restart), I still see:
> >
> > [root@test ~]# ipa-getcert list | more
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>
> IPA proxies requests to the CA through Apache. This means that while
> tomcat started ok it didn't load the dogtag CA application, hence the
> Not Found.
>
> Check the CA debug and selftest logs to see why it failed to start
> properly.
>
> [ snip ]
>
> Actually after a reboot that error went away and I just get this error
> instead "ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction. Peer certificate cannot be
> authenticated with known CA certificates)." from "getcert list"
>
> Result of service ipa restart is interesting since it shows today's time
> when I already changed date/time/disabled NTP, so somehow the system still
> knows today's time.
>
> PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.
I found out why the time kept changing; it was due to the fact that it
has VM tools installed (I didn't configure this box), so it automatically
syncs time during bootup.

I did still see this error message:

ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))

I tried the step at http://www.freeipa.org/page/Troubleshooting with

certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart

so that I could get rid of one of the CA certs that is expired (kept
the 1st one), but I am still getting the same error.

What exactly is CMS and why is it not found?

I did notice that the selftest log is empty with a different time:

-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
[root@test ~]# clock
Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds

Here are some debug logs after reboot:
[root@test pki-ca]# tail -n 100 catalina.out
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/23config=null
Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1722 ms
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9445
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9444
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2198 ms
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
Certificate object not found
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/40config=null
Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2592 ms
[root@test pki-ca]# tail -n 100 debug
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
[27/Jan/2016:15:30:43][main]: CertificateAuthority init
[27/Jan/2016:15:30:43][main]: Cert Repot inited
[27/Jan/2016:15:30:43][main]: CRL Repot inited
[27/Jan/2016:15:30:43][main]: Replica Repot inited
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: converted to x509CertImpl
[27/Jan/2016:15:30:43][main]: Got private key from cert
[27/Jan/2016:15:30:43][main]: Got public key from cert
[27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: cachainNum= 0
[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
    at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
    at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>
> > Would really greatly appreciate any help on this.
> >
> > Also I noticed after I do ldapmodify of usercertificate binary data with
> >
> > add: usercertificate;binary
> > usercertificate;binary: !@#$@!#$#@$
>
> You really pasted in binary? Or was this base64-encoded data?
>
> I wonder if there is a problem in the wiki. If this is really a binary
> value you should start with a DER-encoded cert and load it using
> something like:
>
> dn: uid=ipara,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary:< file:///path/to/cert.der
>
> You can use something like openssl x509 to switch between PEM and DER
> formats.
>
> I have a vague memory that dogtag can deal with a multi-valued
> usercertificate attribute.
>
> rob
>
>
> Yes the wiki stated binary, the result of:
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
>
> shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>
> But the actual data is from a PEM though.

Ok. So I looked at my CA data and it doesn't use the binary subtype, so
my entries look like:

userCertificate:: MIID....

It might make a difference if dogtag is looking for the subtype or not.

rob
>
> >
> > Then I re-run
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
> >
> > I see 2 entries for usercertificate;binary (before modify there was only
> > 1) but they are duplicates and NOT from data that I added. That seems
> > incorrect to me.
> >
> >
> > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <[email protected]> wrote:
> >
> > klist is actually empty; kinit admin fails. Sounds like then
> > getcert resubmit has a dependency on kerberos. I can get a backup
> > image that has a valid ticket but it is only good for 1 day (and
> > dated past the cert expiry).
> >
> > Also I had asked awhile back about whether there is a dependency on
> > DIRSRV to renew the cert; didn't get any response but I suspect
> > there is a dependency.
> >
> > Regarding the clock skew, I found out from /var/log/message that
> > shows me this so it may be from named:
> >
> > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
> > Jan 28 14:10:42 test named[2911]: loading configuration: failure
> > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
> >
> > I don't have a krb5cc_496 file (since klist is empty), so sounds to
> > me I need to get a kerberos ticket before going any further. Also
> > is the file /etc/krb5.keytab access/modification time important? I
> > had changed time back to before the cert expiration date and rebooted
> > and tried to renew but the error message about clock skew is still
> > there. That seems strange.
> >
> > Lastly, as an absolute last resort, can I regenerate a new cert myself?
> >
> > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
> >
> > [root@test /]# klist
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > [root@test /]# service ipa start
> > Starting Directory Service
> > Starting dirsrv:
> >     PKI-IPA...                                          [  OK  ]
> >     sample-NET...                                       [  OK  ]
> > Starting KDC Service
> > Starting Kerberos 5 KDC:                                [  OK  ]
> > Starting KPASSWD Service
> > Starting Kerberos 5 Admin Server:                       [  OK  ]
> > Starting DNS Service
> > Starting named:                                         [FAILED]
> > Failed to start DNS Service
> > Shutting down
> > Stopping Kerberos 5 KDC:                                [  OK  ]
> > Stopping Kerberos 5 Admin Server:                       [  OK  ]
> > Stopping named:                                         [  OK  ]
> > Stopping httpd:                                         [  OK  ]
> > Stopping pki-ca:                                        [  OK  ]
> > Shutting down dirsrv:
> >     PKI-IPA...                                          [  OK  ]
> >     sample-NET...                                       [  OK  ]
> > Aborting ipactl
> > [root@test /]# klist
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > [root@test /]# service ipa status
> > Directory Service: STOPPED
> > Failed to get list of services to probe status:
> > Directory Server is stopped
> >
> > On Thu, Apr 28, 2016 at 3:21 AM David Kupka <[email protected]> wrote:
> >
> > On 27/04/16 21:54, Anthony Cheng wrote:
> > > Hi list,
> > >
> > > I am trying to renew expired certificates following the manual renewal
> > > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> > > but even with resetting the system/hardware clock to a time before
> > > expiry, I am getting the error "ca-error: Error setting up ccache for
> > > local "host" service using default keytab: Clock skew too great."
> > >
> > > With NTP disabled and the clock reset, why would it complain about
> > > clock skew and how does it even know about the current time?
> > >
> > > [root@test certs]# getcert list
> > > Number of certificates and requests being
tracked: 8.
> > > Request ID '20111214223243':
> > > status: MONITORING
> > > ca-error: Error setting up ccache
for local
> "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
>
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate
> >
DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > > certificate:
> > >
> >
>
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate
Authority,O=sample.NET
> > > subject: CN=test.sample.net
<http://test.sample.net>
> <http://test.sample.net> <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:46 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223300':
> > > status: MONITORING
> > > ca-error: Error setting up ccache
for local
> "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > >
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > > certificate:
> > >
> >
>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > > DB'
> > > CA: IPA
> > > issuer: CN=Certificate
Authority,O=sample.NET
> > > subject: CN=test.sample.net
<http://test.sample.net>
> <http://test.sample.net> <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223316':
> > > status: MONITORING
> > > ca-error: Error setting up ccache
for local
> "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> >
>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate
Authority,O=sample.NET
> > > subject: CN=test.sample.net
<http://test.sample.net>
> <http://test.sample.net> <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130741':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no
response to
> > >
> >
>
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Audit,O=sample.NET
> > > expires: 2017-10-13 14:10:49 UTC
> > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130742':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=OCSP Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-OCSPSigning
> > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130743':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130744':
> > > status: MONITORING
> > > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> > > stuck: no
> > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=RA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130745':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert