Language and Page Formatting Options
Chapter 20. Troubleshooting
This chapter covers some of the more common usage problems that are encountered when installing Certificate System.
- Q: The init script returned an OK status, but my CA instance does not respond. Why?
- Q: I can't open the pkiconsole and I'm seeing Java exceptions in stdout.
- Q: I tried to run pkiconsole, and I got Socket exceptions in stdout. Why?
- Q: I tried to enroll for a certificate, and I got the error "request is not submitted...Subject Name Not Found"?
- Q: Why are my enrolled certificates not being published?
- Q: How do I open the pkiconsole utility from a remote host?
- Q: What do I do when the LDAP server is not responding?
The init script returned an OK status, but my CA instance does not respond. Why?
This should not happen. Usually (but not always), this indicates a listener problem with the CA, but it can have many different causes. Check in the
debuglog files for the instance to see what errors have occurred. This lists a couple of common errors.
One situation is when there is a PID for the CA, indicating the process is running, but that no listeners have been opened for the server. This would return Java invocation class errors in the
Oct 29, 2010 4:15:44 PM org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on http-9080 java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:615) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:243) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:408) Caused by: java.lang.UnsatisfiedLinkError: jss4
This could mean that you have the wrong version of JSS or NSS. The process requires
libnss3.soin the path. Check this with this command:
libnss3.sois not found, try unsetting the
LD_LIBRARY_PATHvariable and restart the CA.
unset LD_LIBRARY_PATH systemctl restart pki-tomcatd@instance_name.service
I can't open the
pkiconsoleand I'm seeing Java exceptions in stdout.
This probably means that you have the wrong JRE installed or the wrong JRE set as the default. Run
alternatives --config javato see what JRE is selected. Red Hat Certificate System requires OpenJDK 1.8.
I tried to run
pkiconsole, and I got Socket exceptions in stdout. Why?
This means that there is a port problem. Either there are incorrect SSL settings for the administrative port (meaning there is bad configuration in the
server.xml) or the wrong port was given to access the admin interface.
Port errors will look like the following:
NSS Cipher Supported '0xff04' java.io.IOException: SocketException cannot read on socket at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1006) at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:70) at com.netscape.admin.certsrv.misc.HttpInputStream.fill(HttpInputStream.java:303) at com.netscape.admin.certsrv.misc.HttpInputStream.readLine(HttpInputStream.java:224) at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:439) at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:430) at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:344) at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:714) at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:623) at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:590) at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:323) at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:113) at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:499) at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:548) at com.netscape.admin.certsrv.Console.main(Console.java:1655)
I tried to enroll for a certificate, and I got the error "request is not submitted...Subject Name Not Found"?
This most often occurs with a custom LDAP directory authentication profile and it shows that the directory operation failed. Particularly, it failed because it could not construct a working DN. The error will be in the CA's
debuglog. For example, this profile used a custom attribute (
MYATTRIBUTE) that the directory didn't recognize:
[14/Feb/2011:15:52:25][http-1244-Processor24]: BasicProfile: populate() policy setid =userCertSet [14/Feb/2011:15:52:25][http-1244-Processor24]: AuthTokenSubjectNameDefault: populate start [14/Feb/2011:15:52:25][http-1244-Processor24]: AuthTokenSubjectNameDefault: java.io.IOException: Unknown AVA keyword 'MYATTRIBUTE'. [14/Feb/2011:15:52:25][http-1244-Processor24]: ProfileSubmitServlet: populate Subject Name Not Found [14/Feb/2011:15:52:25][http-1244-Processor24]: CMSServlet: curDate=Mon Feb 14 15:52:25 PST 2011 id=caProfileSubmit time=13
Any custom components — attributes, object classes, and unregistered OIDs — which are used in the subject DN can cause a failure. For most cases, the X.509 attributes defined in RHC 2253 should be used in subject DNs instead of custom attributes.
Why are my enrolled certificates not being published?
This usually indicates that the CA is misconfigured. The main place to look for errors is the
debuglog, which can indicate where the misconfiguration is. For example, this has a problem with the mappers:
[31/Jul/2010:11:18:29][Thread-29]: LdapSimpleMap: cert subject dn:UID=me,Efirstname.lastname@example.org,CN=yes [31/Jul/2010:11:18:29][Thread-29]: Error mapping: mapper=com.netscape.cms.publish.mappers.LdapSimpleMap@258fdcd0 error=Cannot find a match in the LDAP server for certificate. netscape.ldap.LDAPException: error result (32); matchedDN = ou=people,c=test; No such object
Check the publishing configuration in the CA's
CS.cfgfile or in the Publishing tab of the CA console. In this example, the problem was in the mapping parameter, which must point to an existing LDAP suffix:
How do I open the
pkiconsoleutility from a remote host?
In certain situations, administrators want to open the
pkiconsoleon the Certificate System server from a remote host. For that, administrators can use a Virtual Network Computing (VNC) connection:
- Setup a VNC server, for example, on the Red Hat Certificate System server.
pkiconsoleutility cannot run on a server with Federal Information Processing Standard (FIPS) mode enabled. Use a different host with Red Hat Enterprise Linux to run the VNC server, if FIPS mode is enabled on your Certificate System server.For details about installing a VNC server, see the VNC Server section in the Red Hat System Administrator's Guide.
- Use a VNC viewer to connect to the host running the VNC server. For details, see the VNC Viewer section in the Red Hat System Administrator's Guide.
- Open the
pkiconsoleutility in the VNC window. For example:
# pkiconsole https://server.example.com:8443/ca
VNC viewers are available for different kind of operating systems. However, Red Hat supports only VNC viewers installed on Red Hat Enterprise Linux from the integrated repositories.
What do I do when the LDAP server is not responding?
If the Red Hat Directory Server instance used for the internal database is not running, a connectivity issue occurred, or a TLS connection failure occurred, then you cannot connect to the subsystem instances which rely on it. The instance debug logs will specifically identify the problem with the LDAP connection. For example, if the LDAP server was not online:
[02/Apr/2019:15:55:41][authorityMonitor]: authorityMonitor: failed to get LDAPConnection. Retrying in 1 second. [02/Apr/2019:15:55:42][authorityMonitor]: In LdapBoundConnFactory::getConn() [02/Apr/2019:15:55:42][authorityMonitor]: masterConn is null. [02/Apr/2019:15:55:42][authorityMonitor]: makeConnection: errorIfDown true [02/Apr/2019:15:55:42][authorityMonitor]: TCP Keep-Alive: true java.net.ConnectException: Connection refused (Connection refused) at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) [02/Apr/2019:15:55:42][authorityMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host example911.redhat.com port 389 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
After fixing the underlying network problem, such as a cable was unplugged, the Red Hat Directory Server was stopped, significant packet loss occurred, or ensuring that the TLS connection can be recreated, stop and then start the Certificate System instance in question:
# systemctl stop pki-tomcatd-nuxwdog@instance_name.service
# systemctl start pki-tomcatd-nuxwdog@instance_name.service