IPA: pki-tomcatd service start failing with error "UNKNOWN_CA"


Environment

  • IPA 4.x
  • Red Hat Enterprise Linux 7

Issue

  • The pki-tomcatd service fails to start with the error below.
[12/May/2021:15:56:07][localhost-startStop-1]: ldapconn/PKISocketFactory.makeSSLSocket: begins
[12/May/2021:15:56:07][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[12/May/2021:15:56:07][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[12/May/2021:15:56:07][localhost-startStop-1]: PKIClientSocketListener.alertSent: begins
[12/May/2021:15:56:07][localhost-startStop-1]: PKIClientSocketListener.alertSent: got description:48
[12/May/2021:15:56:07][localhost-startStop-1]: PKIClientSocketListener.alertSent: got reason:UNKNOWN_CA
[12/May/2021:15:56:07][localhost-startStop-1]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
[12/May/2021:15:56:07][localhost-startStop-1]: LogFile: event type not selected: CLIENT_ACCESS_SESSION_ESTABLISH
[12/May/2021:15:56:07][localhost-startStop-1]: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE
[12/May/2021:15:56:07][localhost-startStop-1]: PKIClientSocketListener.alertSent: clientIP=192.168.122.204 serverIP=192.168.122.204 serverPort=31746 reason=UNKNOWN_CA
[12/May/2021:15:56:07][localhost-startStop-1]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
[12/May/2021:15:56:07][localhost-startStop-1]: LogFile: event type not selected: CLIENT_ACCESS_SESSION_ESTABLISH
org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user.
.
.
Could not connect to LDAP server host ipa-x1.pao.mmracks.internal port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)

Resolution

1. Log in to the IPA server as root.

2. Set the trust attributes of the CA signing certificate as below.

# certutil -M -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -t "CTu,Cu,Cu"

3. Verify the trust attributes as below.

# certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u

4. Start the pki-tomcatd service and check its status as below.

# systemctl start pki-tomcatd@pki-tomcat.service
# systemctl status pki-tomcatd@pki-tomcat.service

Root Cause

  • The issue was caused by incorrect trust attributes on the certificate caSigningCert cert-pki-ca in /var/lib/pki/pki-tomcat/alias: the CA certificate carried u,u,u instead of CTu,Cu,Cu, so it was not trusted as a CA and the TLS client rejected the issuer of the LDAP server certificate (UNKNOWN_CA).
# certutil -L -d /var/lib/pki/pki-tomcat/alias
Certificate Nickname                                  Trust Attributes
                                                      SSL,S/MIME,JAR/XPI
.
.
caSigningCert cert-pki-ca                              u,u,u
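As an added example (not part of the original solution), the following shell check parses the output of certutil -L and reports whether the CA signing certificate carries the C and T flags in the SSL column, which is the condition the root cause above describes. The database path and nickname are the ones from the article; the sample certutil output embedded below is constructed.

```shell
#!/bin/bash
# Added example, not from the original article: pre-flight check of the NSS
# trust attributes pki-tomcatd needs before it can open its LDAPS connection.
# The CA signing cert must carry "C" (valid CA) and "T" (trusted CA) in the
# SSL column, i.e. the corrected state "CTu,Cu,Cu" from the article.

NSSDB=/var/lib/pki/pki-tomcat/alias          # path from the article
CA_NICK="caSigningCert cert-pki-ca"           # nickname from the article

# trust_flags_for OUTPUT NICKNAME
# Parses `certutil -L` output (passed as a string) and prints the trust
# attribute triple (e.g. "CTu,Cu,Cu") for the given certificate nickname.
trust_flags_for() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        # Skip the two header lines; data lines end with the trust triple.
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ { next }
        NF >= 2 {
            flags = $NF                              # last field: "CTu,Cu,Cu"
            name  = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # strip the trailing triple
            if (name == nick) { print flags; exit }
        }'
}

# ca_trust_ok OUTPUT NICKNAME
# Returns 0 when the SSL column of the nickname's trust flags contains both
# "C" and "T"; returns 1 otherwise (the broken "u,u,u" state).
ca_trust_ok() {
    flags=$(trust_flags_for "$1" "$2")
    ssl=${flags%%,*}                                 # first of the three columns
    case "$ssl" in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample in the broken state the article describes.
SAMPLE_BAD='Certificate Nickname                                  Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                              u,u,u
caSigningCert cert-pki-ca                              u,u,u'

# On a real IPA server, check the live database instead:
#   ca_trust_ok "$(certutil -L -d "$NSSDB")" "$CA_NICK"
if ca_trust_ok "$SAMPLE_BAD" "$CA_NICK"; then
    echo "OK: $CA_NICK has CA trust flags in the SSL column"
else
    echo "WARN: $CA_NICK lacks C/T in the SSL column; fix with certutil -M -t CTu,Cu,Cu"
fi
```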

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
