[Freeipa-users] Dogtag not working?

Rob Crittenden rcritten at redhat.com
Mon Dec 2 16:03:50 UTC 2013 

Erinn Looney-Triggs wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/02/2013 07:40 AM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>
>>> On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
>>>> In the process of prepping a replication host for changing over
>>>> the CA I had to use certmonger to generate another certificate
>>>> on my secondary IPA server. Unfortunately it seems to fail
>>>> every single time. Here is what I am running and here is what I
>>>> am getting:
>>>>
>>>> ipa-getcert request -k private/ipa2.abaqis.com.key -f
>>>> certs/ipa2.abaqis.com.crt -g 2048
>>>>
>>>> The request appears to work, however when checking the list I
>>>> receive the following:
>>>>
>>>> ipa-getcert list -r Number of certificates and requests being
>>>> tracked: 9. Request ID '20131128202128': status:
>>>> CA_UNREACHABLE ca-error: Server failed request, will retry:
>>>> 4301 (RPC failed at server.  Certificate operation cannot be
>>>> completed: FAILURE (Authentication Error)). stuck: yes key pair
>>>> storage:
>>>> type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
>>>> certificate:
>>>> type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
>>>> CA: IPA issuer: subject: expires: unknown pre-save command:
>>>> post-save command: track: yes auto-renew: yes
>>>>
>>>> Fine, I check the http logs and get about the same: [Thu Nov
>>>> 28 22:03:06 2013] [error] ipa: ERROR:
>>>> ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE
>>>> (Authentication Error)
>>>>
>>>> Now as I understand it ipa-getcert is going to theserver listed
>>>> in /etc/ipa/default.conf, which in this case is ipa2.abaqis.com
>>>> (the request is coming from the same host). The host principle
>>>> in /etc/krb5.keytab is used for authentication.
>>>>
>>>> I have tested against the primary ipa server and everything
>>>> works as it should. However, any requests going against ipa2
>>>> for certificates are failing.
>>>>
>>>> At this point I am stuck, so any suggestions are welcome.
>>>>
>>>> -Erinn
>>>>
>>>>
>>>
>>> Replying to myself here, and narrowing this down a bit further
>>> this seems to be a straight auth problem against my secondary ipa
>>> server. All command work against the primary, all certificate
>>> commands against the secondary fail.
>>>
>>> It appears to be confined to dogtag (other commands like ipa
>>> user-show work), but how exactly dogtag handles auth I am not
>>> clear on. It appears as though mod_auth_kerb handles most things
>>> and that is definitely working. However any access against dogtag
>>> components is failing, so dogtag must/should/may be handling auth
>>> internally in a way that is failing.
>>>
>>> Anyway, suggestions are still welcome,
>>
>> Run this on the replica and see if it is being tracked by
>> certmonger
>>
>> # getcert list -d /etc/httpd/alias -n ipaCert
>>
>> If not, see if the a cert with the nickname ipaCert is in
>> /etc/httpd/alias:
>>
>> # certutil -L -d /etc/httpd/alias -n ipaCert
>>
>> If so, see if you have the key:
>>
>> # certutil -K -d /etc/httpd/alias -n ipaCert -f
>> /etc/httpd/alias/pwdfile.txt
>>
>> This is the RA agent certificate that IPA uses to authenticate to
>> dogtag. If it doesn't exist, or is expired, or is the wrong one,
>> then authentication will fail.
>>
>> The cert is shared amongst all the IPA masters, so if it is working
>> on one master then fixing the replica should be straightforward
>> assuming it already has the key.
>>
>> rob
>
> getcert list -d /etc/httpd/alias -n ipaCert
> Number of certificates and requests being tracked: 9.
> Request ID '20130221171049':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>          CA: dogtag-ipa-retrieve-agent-submit
>          issuer: CN=Certificate Authority,O=ABAQIS.COM
>          subject: CN=IPA RA,O=ABAQIS.COM
>          expires: 2013-12-10 03:23:26 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>          track: yes
>          auto-renew: yes
>
> All the components appear to be there, the certificate is valid until
> the 10th as you can see about. The other two commands worked fine as
> well and everything appears to me to be valid.
>
> However, I am still getting the auth errors, and I note in the log,
> what I assume to be the first ipa server attempting to connect and
> getting auth errors as well.

Ok, I'm a little unclear on something. Can any of your IPA masters 
communicate with dogtag? I thought that one master could and one couldn't.

A simple way to find out is:

# ipa cert-show 1

This shows some random cert. If you get cert output then things are 
working. If not the logs will probably confirm the auth failure.

Next step is to run this on each master:

# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

The serial numbers should be the same. I wonder if you'll find the to be 
different.

The serial number should match this value:

# ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca 
description

The second integer in description is the serial number.

rob

More information about the Freeipa-users mailing list