Open pki-bot opened 4 years ago
Comment from edewata (@edewata) at 2016-01-28 23:19:40
This would be useful to address this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1294287
Comment from msauton (@msauton) at 2016-02-01 21:03:52
there is a feature in 8.1: https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/managing-ca-related-profiles.html#ca-validity-default in pki-common CAValidityDefault.java
Comment from mharmsen (@mharmsen) at 2016-02-01 21:50:47
Per discussions in CS/DS meeting of 02/01/2016: 10.4 major
Comment from mharmsen (@mharmsen) at 2016-02-15 23:45:31
Per CS/DS meeting of 02/15/2016: Future
NOTE: As a stopgap measure, PKI TRAC Ticket 1962 - Create Job Notification Plug-in to monitor and warn of an expiring CA Certificate was filed.
Comment from edewata (@edewata) at 2016-02-23 16:31:16
Debug log provided by Tomasz Torcz (tomek@pipebreaker.pl):
[08/Jan/2016:18:49:36][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca Could not connect to LDAP server host okda.pipebreaker.pl port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:651) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1167) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1073) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1594) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1219) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1144) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1031) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4914) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5201) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:586) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1750) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Internal Database Error encountered: Could not connect to LDAP server host okda.pipebreaker.pl port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1167) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1073) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1594) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1219) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1144) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1031) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4914) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5201) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:586) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1750) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)
Comment from edewata (@edewata) at 2016-06-11 06:29:41
Another case that could be helped by this enhancement: https://bugzilla.redhat.com/show_bug.cgi?id=1330800
Comment from edewata (@edewata) at 2016-08-07 23:27:18
https://www.redhat.com/archives/freeipa-users/2016-July/msg00500.html
Comment from edewata (@edewata) at 2016-12-07 02:32:14
See also http://pki.fedoraproject.org/wiki/System_Certificate_Renewal.
Comment from edewata (@edewata) at 2017-02-27 14:09:37
Metadata Update from @edewata:
Comment from edewata (@edewata) at 2017-04-07 23:14:29
Metadata Update from @edewata:
This issue was migrated from Pagure Issue #1752. Originally filed by edewata (@edewata) on 2016-01-28 18:56:22:
Currently if the CA certificate has already expired, the client cannot connect to the CA, and the CA subsystem will fail if restarted, so the admin may not be able to access the CA subsystem to do the renewal itself.
The usual solution is to change the system date back to the period where the cert is still valid. However, this is not very user-friendly. It affects the whole system, and timestamps in the log files will not be accurate anymore.
Another option is to add support of Unix Domain Socket to Tomcat, so the PKI client can still connect to the CA without valid certificate.
The other option is to have offline tools to renew the CA certificate. This might include refactoring the profile processor to run outside the server.
See also: