[Freeipa-users] Dogtag not working?

Rob Crittenden rcritten at redhat.com
Mon Dec 2 15:40:48 UTC 2013


Erinn Looney-Triggs wrote:
>
> On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
>> In the process of prepping a replication host for changing over the
>> CA I had to use certmonger to generate another certificate on my
>> secondary IPA server. Unfortunately it seems to fail every single
>> time. Here is what I am running and here is what I am getting:
>>
>> ipa-getcert request -k private/ipa2.abaqis.com.key -f
>> certs/ipa2.abaqis.com.crt -g 2048
>>
>> The request appears to work, however when checking the list I
>> receive the following:
>>
>> ipa-getcert list -r
>> Number of certificates and requests being tracked: 9.
>> Request ID '20131128202128':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
>>         stuck: yes
>>         key pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
>>         certificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> Fine, I check the http logs and get about the same:
>>
>> [Thu Nov 28 22:03:06 2013] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE (Authentication Error)
>>
>> Now as I understand it ipa-getcert is going to the server listed in
>> /etc/ipa/default.conf, which in this case is ipa2.abaqis.com (the
>> request is coming from the same host). The host principal in
>> /etc/krb5.keytab is used for authentication.
>>
>> I have tested against the primary ipa server and everything works
>> as it should. However, any requests going against ipa2 for
>> certificates are failing.
>>
>> At this point I am stuck, so any suggestions are welcome.
>>
>> -Erinn
>>
>>
>
> Replying to myself here, and narrowing this down a bit further, this
> seems to be a straight auth problem against my secondary IPA server.
> All commands work against the primary; all certificate commands against
> the secondary fail.
>
> It appears to be confined to dogtag (other commands like ipa user-show
> work), but how exactly dogtag handles auth I am not clear on. It
> appears as though mod_auth_kerb handles most things and that is
> definitely working. However any access against dogtag components is
> failing, so dogtag must/should/may be handling auth internally in a
> way that is failing.
>
> Anyway, suggestions are still welcome,

Run this on the replica and see if it is being tracked by certmonger:

# getcert list -d /etc/httpd/alias -n ipaCert

If not, see if a cert with the nickname ipaCert is in /etc/httpd/alias:

# certutil -L -d /etc/httpd/alias -n ipaCert

If so, see if you have the key:

# certutil -K -d /etc/httpd/alias -n ipaCert -f /etc/httpd/alias/pwdfile.txt

This is the RA agent certificate that IPA uses to authenticate to 
dogtag. If it doesn't exist, or is expired, or is the wrong one, then 
authentication will fail.

The cert is shared amongst all the IPA masters, so if it is working on 
one master then fixing the replica should be straightforward assuming it 
already has the key.

rob
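The three checks above, scripted so the same one-line result can be produced on the working master and on the replica and diffed. This is an added example, not code from the thread or from FreeIPA; it assumes the layout in the thread (NSS DB at /etc/httpd/alias, password in pwdfile.txt, nickname ipaCert) and that getcert and certutil are on PATH. The two parsers read command output from stdin so they can be exercised on captured text; the exit codes and the `--run` flag are this script's own convention.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Runs Rob's three
# checks for the RA agent certificate ("ipaCert") and prints
# "ipaCert: <serial>|<issuer>|<not-after>", which should be identical on every
# master because the RA cert is shared. Assumed paths match the thread.

NSSDB=${NSSDB:-/etc/httpd/alias}
PWDFILE=${PWDFILE:-$NSSDB/pwdfile.txt}
NICK=${NICK:-ipaCert}

# Reduce `certutil -L -d DB -n NICK` output (pretty-printed cert on stdin) to
# "serial|issuer|notafter". Small Dogtag serials print on the "Serial Number:"
# line; long ones print on the following line, which is handled by "want".
cert_summary() {
    awk '
        /Serial Number:/ { sub(/^[ \t]*Serial Number:[ \t]*/, "")
                           if ($0 == "") want = 1; else serial = $0; next }
        want == 1        { sub(/^[ \t]*/, ""); serial = $0; want = 0; next }
        /^[ \t]*Issuer:/ { sub(/^[ \t]*Issuer:[ \t]*/, ""); issuer = $0 }
        /Not After *:/   { sub(/^[ \t]*Not After *:[ \t]*/, ""); notafter = $0 }
        END { printf "%s|%s|%s\n", serial, issuer, notafter }
    '
}

# Succeed if `certutil -K` output on stdin lists a private key whose nickname
# is $1. Key lines look like "< 0> rsa  <id>  ipaCert" or, on newer NSS,
# "< 0> rsa  <id>  NSS Certificate DB:ipaCert". Nicknames may contain spaces,
# so the tail of the line is compared instead of a whitespace-split field.
has_key_for() {
    awk -v nick="$1" '
        /^</ {
            n = length(nick); l = length($0)
            if (l > n && substr($0, l - n + 1) == nick) {
                pre = substr($0, l - n, 1)
                if (pre == " " || pre == "\t" || pre == ":") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Live check in the order of the reply: tracking, certificate, expiry, key.
# Exit codes (this script's convention): 0 all present, 1 not tracked by
# certmonger, 2 certificate absent, 3 certificate expired, 4 key absent.
check_ra_cert() {
    rc=0
    if ! getcert list -d "$NSSDB" -n "$NICK" | grep -q '^Request ID'; then
        echo "$NICK: not tracked by certmonger in $NSSDB" >&2; rc=1
    fi
    summary=$(certutil -L -d "$NSSDB" -n "$NICK" 2>/dev/null | cert_summary)
    if [ "$summary" = "||" ]; then
        echo "$NICK: no certificate with that nickname in $NSSDB" >&2; return 2
    fi
    notafter=${summary##*|}
    # GNU date (RHEL/Fedora) parses certutil's "Wed Nov 18 20:21:28 2015".
    exp=$(date -d "$notafter" +%s 2>/dev/null || echo 0)
    if [ "$exp" -gt 0 ] && [ "$exp" -lt "$(date +%s)" ]; then
        echo "$NICK: expired on $notafter" >&2; return 3
    fi
    if ! certutil -K -d "$NSSDB" -n "$NICK" -f "$PWDFILE" 2>/dev/null \
            | has_key_for "$NICK"; then
        echo "$NICK: certificate present but no private key in $NSSDB" >&2
        return 4
    fi
    echo "$NICK: $summary"
    return "$rc"
}

# Only touch the live NSS database when invoked as "sh ra-cert-check.sh --run",
# so the parsers can be sourced and tested on captured output.
case "${1:-}" in --run) check_ra_cert ;; esac
```

Run it with `--run` on the primary first; a replica whose summary line differs in serial or issuer holds a different cert than the one Dogtag knows as the RA agent, which matches the "FAILURE (Authentication Error)" in the thread. A replica that fails with exit code 4 has the cert but not the key, the case the reply says is no longer straightforward to repair from another master.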