
Chapter 17. Troubleshooting
This chapter covers some of the more common usage problems that are encountered when installing Certificate System.

Q:

The init script returned an OK status, but my CA instance does not respond. Why?

A:

This should not happen. Usually (but not always) it indicates a listener problem with the CA, but it can have many different causes. Check the catalina.out, system, and debug log files for the instance to see what errors have occurred. A couple of common errors are described here. One situation is when there is a PID for the CA, indicating the process is running, but no listeners have been opened for the server. In that case catalina.out contains Java invocation class errors:

Oct 29, 2010 4:15:44 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9080
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:615)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:243)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:408)
Caused by: java.lang.UnsatisfiedLinkError: jss4

This could mean that you have the wrong version of JSS or NSS. The process requires libnss3.so in the library search path. Check with this command:

# ldd /usr/lib64/libjss4.so

If libnss3.so is not found, try unsetting the LD_LIBRARY_PATH variable and restart the CA.

# unset LD_LIBRARY_PATH
# pki-server restart <instance_name>

Q:

I can’t open the pkiconsole and I’m seeing Java exceptions in stdout. Why?

A:

This probably means that you have the wrong JRE installed or the wrong JRE set as the default. Run alternatives --config java to see what JRE is selected. Red Hat Certificate System requires OpenJDK 1.8.

Q:

I tried to run pkiconsole, and I got "Socket exceptions in stdout". Why?

A:

This means that there is a port problem. Either the SSL settings for the administrative port are incorrect (that is, server.xml contains a bad configuration) or the wrong port was given when accessing the admin interface. Port errors look like the following:

NSS Cipher Supported '0xff04'
java.io.IOException: SocketException cannot read on socket
        at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1006)
        at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:70)
        at com.netscape.admin.certsrv.misc.HttpInputStream.fill(HttpInputStream.java:303)
        at com.netscape.admin.certsrv.misc.HttpInputStream.readLine(HttpInputStream.java:224)
        at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:439)
        at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:430)
        at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:344)
        at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:714)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:623)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:590)
        at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:323)
        at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:113)
        at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:499)
        at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:548)
        at com.netscape.admin.certsrv.Console.main(Console.java:1655)

Q:

I tried to enroll for a certificate, and I got the error "request is not submitted... Subject Name Not Found". Why?

A:

This most often occurs with a custom LDAP directory authentication profile and shows that the directory operation failed. Specifically, it failed because the CA could not construct a working DN. The error is recorded in the CA’s debug log. For example, this profile used a custom attribute (MYATTRIBUTE) that the directory did not recognize:

[14/Feb/2011:15:52:25][http-1244-Processor24]: BasicProfile: populate() policy setid =userCertSet
[14/Feb/2011:15:52:25][http-1244-Processor24]: AuthTokenSubjectNameDefault: populate start
[14/Feb/2011:15:52:25][http-1244-Processor24]: AuthTokenSubjectNameDefault: java.io.IOException: Unknown AVA keyword 'MYATTRIBUTE'.
[14/Feb/2011:15:52:25][http-1244-Processor24]: ProfileSubmitServlet: populate Subject Name Not Found
[14/Feb/2011:15:52:25][http-1244-Processor24]: CMSServlet: curDate=Mon Feb 14 15:52:25 PST 2011 id=caProfileSubmit time=13

Any custom components (attributes, object classes, and unregistered OIDs) used in the subject DN can cause such a failure. In most cases, the X.509 attribute types defined in RFC 2253 should be used in subject DNs instead of custom attributes.

Q:

Why are my enrolled certificates not being published?

A:

This usually indicates that the CA is misconfigured. The main place to look for errors is the debug log, which can indicate where the misconfiguration is. For example, this excerpt shows a problem with the mappers:

[31/Jul/2010:11:18:29][Thread-29]: LdapSimpleMap: cert subject dn:UID=me,E=me@example.com,CN=yes
[31/Jul/2010:11:18:29][Thread-29]: Error mapping: mapper=com.netscape.cms.publish.mappers.LdapSimpleMap@258fdcd0 error=Cannot find a match in the LDAP server for certificate. netscape.ldap.LDAPException: error result (32); matchedDN = ou=people,c=test; No such object

Check the publishing configuration in the CA’s CS.cfg file or in the Publishing tab of the CA console. In this example, the problem was in the mapping parameter, which must point to an existing LDAP suffix:

ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,dc=publish
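
To catch both failures above before they reach the debug log (a subject DN pattern with an attribute the directory does not know, and a publishing dnPattern whose suffix the publishing directory does not serve), here is an added Python check. It is example code, not part of Red Hat Certificate System, and it assumes that the CA accepts the RFC 2253 attribute types plus E, that $subj.<attr> is substituted from the certificate subject as in the dnPattern shown, and that the mapper's parent DN must lie under one of the publishing suffixes.

```python
import re

# Attribute types that RFC 2253 section 2.3 requires every implementation to accept.
RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
# Assumption: the CA also accepts E (emailAddress), as in the chapter's cert subject.
EXTRA_KEYWORDS = {"E"}


def split_dn(dn):
    """Split a DN or dnPattern into (keyword, value) pairs; commas escaped
    with a backslash are part of the value, not separators."""
    avas = []
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        avas.append((key.strip(), value.strip()))
    return avas


def unknown_keywords(pattern):
    """AVA keywords in a subject DN pattern that would raise
    'Unknown AVA keyword' at enrollment time."""
    allowed = RFC2253_KEYWORDS | EXTRA_KEYWORDS
    return [k for k, _ in split_dn(pattern) if k.upper() not in allowed]


def expand_pattern(pattern, cert_subject):
    """Expand $subj.<attr> references in a publishing dnPattern from the
    certificate's subject DN (assumed to mirror what the mapper does)."""
    subject = {k.upper(): v for k, v in split_dn(cert_subject)}
    return re.sub(r"\$subj\.(\w+)",
                  lambda m: subject.get(m.group(1).upper(), ""), pattern)


def check_mapping(pattern, cert_subject, suffixes):
    """Return (parent DN the mapper will look under, whether that parent lies
    under a suffix the publishing directory serves). A parent outside every
    suffix is the 'error result (32); No such object' case above."""
    avas = split_dn(expand_pattern(pattern, cert_subject))
    parent = ",".join(f"{k}={v}" for k, v in avas[1:])
    served = any(parent.lower().endswith(s.lower()) for s in suffixes)
    return parent, served


if __name__ == "__main__":
    subj = "UID=me,E=me@example.com,CN=yes"  # subject from the debug log above
    print(unknown_keywords("CN=$request.auth_token.cn,MYATTRIBUTE=x,O=Example"))
    print(check_mapping("UID=$subj.UID,ou=people,c=test", subj, ["dc=publish"]))
    print(check_mapping("UID=$subj.UID,dc=publish", subj, ["dc=publish"]))
```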

Q:

How do I open the pkiconsole utility from a remote host?

A:

In certain situations, administrators want to open the pkiconsole on the Certificate System server from a remote host. For that, administrators can use a Virtual Network Computing (VNC) connection:

  1. Set up a VNC server, for example on the Red Hat Certificate System server. For details about remote desktop access, see Accessing the desktop remotely in the Red Hat Enterprise Linux 8 documentation.

    Important

    The pkiconsole utility cannot run on a server with Federal Information Processing Standard (FIPS) mode enabled. Use a different host with Red Hat Enterprise Linux to run the VNC server, if FIPS mode is enabled on your Certificate System server. Note that this utility will be deprecated.

  2. Open the pkiconsole utility in the VNC window. For example:

    # pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:8443/ca

Note

VNC viewers are available for different kinds of operating systems. However, Red Hat supports only VNC viewers installed on Red Hat Enterprise Linux from the integrated repositories.

Q:

What do I do when the LDAP server is not responding?

A:

If the Red Hat Directory Server instance used for the internal database is not running, a connectivity issue occurred, or a TLS connection failure occurred, then you cannot connect to the subsystem instances that rely on it. The instance debug logs identify the problem with the LDAP connection. For example, if the LDAP server was not online:

[02/Apr/2019:15:55:41][authorityMonitor]: authorityMonitor: failed to get LDAPConnection. Retrying in 1 second.
[02/Apr/2019:15:55:42][authorityMonitor]: In LdapBoundConnFactory::getConn()
[02/Apr/2019:15:55:42][authorityMonitor]: masterConn is null.
[02/Apr/2019:15:55:42][authorityMonitor]: makeConnection: errorIfDown true
[02/Apr/2019:15:55:42][authorityMonitor]: TCP Keep-Alive: true
java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
[02/Apr/2019:15:55:42][authorityMonitor]: Can't create master connection in LdapBoundConnFactory::getConn!
    Could not connect to LDAP server host example911.redhat.com port 389 Error netscape.ldap.LDAPException:
        Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)

After fixing the underlying problem (for example, reconnecting an unplugged cable, starting a stopped Red Hat Directory Server, resolving significant packet loss, or ensuring that the TLS connection can be re-established), stop and then start the Certificate System instance in question:

# systemctl stop pki-tomcatd-nuxwdog@<instance_name>.service
# systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
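
The debug log excerpts in this chapter share one line format, so the three LDAP-related failures above (internal database unreachable, unknown AVA keyword, publishing mapper error 32) can be picked out of a log automatically. The following is an added Python example, not a Red Hat tool; the sample log is constructed from the chapter's excerpts with a placeholder host name, and the remedy strings restate the answers above.

```python
import re

# Debug log line shape used throughout this chapter: [timestamp][thread]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")

# Signature -> (pattern, remedy); both taken from the answers in this chapter.
SIGNATURES = {
    "ldap_down": (
        re.compile(r"failed to get LDAPConnection|Could not connect to LDAP server host (\S+) port (\d+)"),
        "restore the Directory Server or the network path, then stop and start the instance"),
    "subject_dn": (
        re.compile(r"Unknown AVA keyword '([^']+)'"),
        "replace the custom attribute in the profile's subject DN with an RFC 2253 attribute type"),
    "publish_map": (
        re.compile(r"Error mapping:.*error result \(32\)"),
        "point the mapper dnPattern in CS.cfg at an existing LDAP suffix"),
}

# Constructed sample: the chapter's excerpts, host name replaced by a placeholder.
SAMPLE_LOG = """\
[02/Apr/2019:15:55:41][authorityMonitor]: authorityMonitor: failed to get LDAPConnection. Retrying in 1 second.
[02/Apr/2019:15:55:42][authorityMonitor]: makeConnection: errorIfDown true
    Could not connect to LDAP server host ldap.example.com port 389 Error netscape.ldap.LDAPException:
[14/Feb/2011:15:52:25][http-1244-Processor24]: AuthTokenSubjectNameDefault: java.io.IOException: Unknown AVA keyword 'MYATTRIBUTE'.
[31/Jul/2010:11:18:29][Thread-29]: Error mapping: mapper=LdapSimpleMap error=Cannot find a match in the LDAP server for certificate. netscape.ldap.LDAPException: error result (32); matchedDN = ou=people,c=test; No such object
"""


def parse_line(line):
    """Split a debug log line into its fields; continuation lines (Java traces,
    wrapped exception text) carry no [timestamp][thread] prefix and return None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """One finding per matching line:
    (line number, thread or None, signature key, captured detail, remedy)."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        msg = rec["msg"] if rec else raw
        for key, (pat, remedy) in SIGNATURES.items():
            m = pat.search(msg)
            if m:
                detail = " ".join(g for g in m.groups() if g)
                findings.append((n, rec["thread"] if rec else None, key, detail, remedy))
                break
    return findings
```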
© 2024 Red Hat, Inc.