[Freeipa-users] Dogtag not working?
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Thu Nov 28 22:50:58 UTC 2013
In the process of prepping a replication host for changing over the CA
I had to use certmonger to generate another certificate on my
secondary IPA server. Unfortunately it seems to fail every single
time. Here is what I am running and here is what I am getting:

    ipa-getcert request -k private/ipa2.abaqis.com.key -f certs/ipa2.abaqis.com.crt -g 2048

The request appears to work, however when checking the list I receive
the following:

    ipa-getcert list -r
    Number of certificates and requests being tracked: 9.
    Request ID '20131128202128':
            status: CA_UNREACHABLE
            ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Authentication Error)).
            stuck: yes
            key pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
            certificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
            CA: IPA
            issuer:
            subject:
            expires: unknown
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes

Fine, I check the http logs and get about the same:

    [Thu Nov 28 22:03:06 2013] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE (Authentication Error)

Now as I understand it ipa-getcert is going to the server listed in
/etc/ipa/default.conf, which in this case is ipa2.abaqis.com (the
request is coming from the same host). The host principal in
/etc/krb5.keytab is used for authentication.
I have tested against the primary ipa server and everything works as
it should. However, any requests going against ipa2 for certificates
are failing.
At this point I am stuck, so any suggestions are welcome.
-Erinn
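
Added example (not part of the original post, and not code from FreeIPA or certmonger): a small Python parser for the `ipa-getcert list` output quoted in the message, which reports every tracked request marked `stuck: yes` together with its status and CA error. The function names are hypothetical, the wrapped lines of the quoted output are rejoined, and the second request in the sample is constructed to show a healthy entry being skipped.

```python
import re

# Sample input: first request is the one quoted in the message (wrapped lines
# rejoined); the second request ID and its fields are constructed.
SAMPLE = """\
Number of certificates and requests being tracked: 9.
Request ID '20131128202128':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Authentication Error)).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
        CA: IPA
        issuer:
        expires: unknown
        track: yes
        auto-renew: yes
Request ID '20131128000000':
        status: MONITORING
        stuck: no
        CA: IPA
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")

def parse_getcert_list(text):
    """Return {request_id: {field: value}} for each request in the listing."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = requests.setdefault(match.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as ca-error contain colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests

def stuck_requests(text):
    """Return (request_id, status, ca_error) for every request with stuck: yes."""
    return [(rid, f.get("status", ""), f.get("ca-error", ""))
            for rid, f in parse_getcert_list(text).items()
            if f.get("stuck") == "yes"]

if __name__ == "__main__":
    for rid, status, error in stuck_requests(SAMPLE):
        print(f"{rid}: {status}: {error}")
```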