[Freeipa-users] Dogtag not working?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Thu Nov 28 22:50:58 UTC 2013


In the process of prepping a replication host for changing over the CA
I had to use certmonger to generate another certificate on my
secondary IPA server. Unfortunately it seems to fail every single
time. Here is what I am running and here is what I am getting:

ipa-getcert request -k private/ipa2.abaqis.com.key -f certs/ipa2.abaqis.com.crt -g 2048

The request appears to work, however when checking the list I receive
the following:

ipa-getcert list -r
Number of certificates and requests being tracked: 9.
Request ID '20131128202128':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Fine, I check the http logs and get about the same:
[Thu Nov 28 22:03:06 2013] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE (Authentication Error)

Now as I understand it ipa-getcert is going to the server listed in
/etc/ipa/default.conf, which in this case is ipa2.abaqis.com (the
request is coming from the same host). The host principal in
/etc/krb5.keytab is used for authentication.

I have tested against the primary ipa server and everything works as
it should. However, any requests going against ipa2 for certificates
are failing.

At this point I am stuck, so any suggestions are welcome.

-Erinn

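Added example, not part of the original post and not FreeIPA or certmonger code: a small parser for `ipa-getcert list` output of the shape quoted above, which rejoins wrapped lines and reports requests that are stuck or not being monitored. The sample input is constructed (the example.test host and the second request are invented), and treating MONITORING as the only healthy status is an assumption.

```python
import re

# Constructed sample modelled on the `ipa-getcert list` output quoted in the
# post; the second request and the example.test names are invented.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20131128202128':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: FAILURE
(Authentication Error)).
        stuck: yes
        key pair storage:
type=FILE,location='/etc/pki/tls/private/host.example.test.key'
        CA: IPA
Request ID '20130101000000':
        status: MONITORING
        stuck: no
        CA: IPA
"""

REQ = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")

def parse_getcert_list(text):
    """Return {request_id: {field: value}}, rejoining wrapped lines."""
    records, current, last = {}, None, None
    for line in text.splitlines():
        if m := REQ.match(line):
            current, last = records.setdefault(m.group(1), {}), None
        elif current is None or not line.strip():
            continue
        elif m := FIELD.match(line):
            last = m.group(1)
            current[last] = m.group(2).strip()
        elif last:  # unindented remainder of a wrapped value
            current[last] = (current[last] + " " + line.strip()).strip()
    return records

def problem_requests(records):
    """Requests that are stuck or not in MONITORING (assumed healthy state)."""
    return {rid: (f.get("status"), f.get("ca-error", ""))
            for rid, f in records.items()
            if f.get("stuck") == "yes" or f.get("status") != "MONITORING"}

if __name__ == "__main__":
    for rid, (status, err) in problem_requests(parse_getcert_list(SAMPLE)).items():
        print(f"{rid}: {status}: {err}")
```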



