[Freeipa-users] Dogtag not working?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Fri Nov 29 20:35:46 UTC 2013



On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
> In the process of prepping a replication host for changing over the
> CA I had to use certmonger to generate another certificate on my 
> secondary IPA server. Unfortunately it seems to fail every single 
> time. Here is what I am running and here is what I am getting:
> 
> ipa-getcert request -k private/ipa2.abaqis.com.key -f certs/ipa2.abaqis.com.crt -g 2048
> 
> The request appears to work, however when checking the list I
> receive the following:
> 
> ipa-getcert list -r
> Number of certificates and requests being tracked: 9.
> Request ID '20131128202128':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
>         stuck: yes
>         key pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
>         certificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> Fine, I check the http logs and get about the same:
> 
> [Thu Nov 28 22:03:06 2013] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE (Authentication Error)
> 
> Now as I understand it ipa-getcert is going to the server listed in
> /etc/ipa/default.conf, which in this case is ipa2.abaqis.com (the
> request is coming from the same host). The host principal in
> /etc/krb5.keytab is used for authentication.
> 
> I have tested against the primary ipa server and everything works
> as it should. However, any requests going against ipa2 for
> certificates are failing.
> 
> At this point I am stuck, so any suggestions are welcome.
> 
> -Erinn
> 
> 

Replying to myself here. Narrowing this down a bit further, this
seems to be a straight auth problem against my secondary IPA server.
All commands work against the primary; all certificate commands against
the secondary fail.

It appears to be confined to dogtag (other commands like ipa user-show
work), but how exactly dogtag handles auth I am not clear on. It
appears as though mod_auth_kerb handles most things and that is
definitely working. However any access against dogtag components is
failing, so dogtag must/should/may be handling auth internally in a
way that is failing.

Anyway, suggestions are still welcome,

- -Erinn
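Since the thread is reading `ipa-getcert list -r` output by eye, here is an added example (not from the original mail or from the FreeIPA or certmonger projects) that parses that output format and flags stuck requests together with the numeric RPC error code. The sample input is the output quoted above, re-indented the way certmonger prints it, plus one constructed healthy entry for contrast.

```python
import re

# Constructed sample: the quoted `ipa-getcert list -r` output from the mail
# (one stuck request), followed by a made-up healthy entry.
SAMPLE = """\
Number of certificates and requests being tracked: 9.
Request ID '20131128202128':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
Request ID '20131101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\texpires: 2015-11-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Turn `ipa-getcert list` output into a list of {field: value} dicts, one per request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        # Indented lines belong to the most recent request; split on the first colon
        # only, because values (paths, ca-error text) contain colons themselves.
        if requests and line.startswith(("\t", " ")):
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def stuck_requests(requests):
    """Return (id, status, rpc_code, ca_error) for every request certmonger reports as stuck."""
    out = []
    for r in requests:
        if r.get("stuck") != "yes":
            continue
        err = r.get("ca-error", "")
        m = re.search(r"\b(\d{4})\b", err)  # e.g. 4301 in the quoted error
        out.append((r["id"], r.get("status"), int(m.group(1)) if m else None, err))
    return out
```

Running `stuck_requests(parse_getcert_list(SAMPLE))` yields only the CA_UNREACHABLE request with code 4301, which is the condition to alert on rather than waiting for certmonger's retries.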

