[Freeipa-users] CA setup and ipa-gertcert questions

Sun Jan 12 23:01:53 UTC 2014

On 01/11/2014 09:20 AM, Charlie Derwent wrote:
> Hi
>
> I'm experiencing an issue trying to use ipa-getcert on my IPA clients.
>
> When I run a command similar to this
> ipa-getcert request -K principal/`hostname` -D `hostname` \
> | ||-k /var/lib/ssl/private_keys/`hostname`.pem \|
> | ||-f /var/lib/ssl/certs/`hostname`.pem|
>
> Sometimes it will work, but 9 times out of 10 an "ipa-getcert list"
> will show the request failed with a status of CA_UNREACHABLE. I'm
> fairly certain it's not a time related issue as I tend to run the
> command just after enrolment and our NTP servers are rock solid.
>
> Now please correct me if I'm wrong (because it feels like I
> am wrong) but I think this is happening because not all of my replicas
> are Certificate Authorities but the clients are still trying to
> validate their certificate signing requests with them.
>
> Am I mistaken? Have I misconfigured something? If my theory is
> correct is there a way to force the client to only talk to the
> replica(s) running the CA service for these types of tasks?
>
> Anyway to try and get round the issue I decided to try and make all my
> IPA replicas Certificate Authorities and ran into the issue linked below
>
> Bug 905064 - ipa install error Unable to find preop.pin
> https://bugzilla.redhat.com/show_bug.cgi?id=905064
>
> This has stopped me from rolling out the CA functionality across all
> of my replicas (and I almost trashed a replica in the process of
> trying to work around it).
>
> I'm not really bothered which way I go about solving the problem but
> would really appreciate some assistance as it feels like I'm stuck
> between a rock and a hard place.
>
> Thanks,
> Charlie
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Even if the replica does not have CA it has code to turn around and
proxy request to the corresponding replica that has CA.
The first thing to check is the logs on the certmonger side that does
the certificate request to see which replica it is trying to connect and
httpd logs from the replica it tries to hit. If the requests do not hit
(which I suspect the case since the client returned CA_UNREACHABLE) then
it might be a firewall issue between the client and the replica. If it
hits the server but server fails to proxy and returns CA_UNREACHABLE to
the client then it is probably a FW issue between replicas.

At least this is where I would dig.

Also the bug you mentioned is a race condition and seems like a rare one
so there is a chance it would not happen all the time if you try more
than once or may be choose a different system.
Do you hit every time you try?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140112/144ae8ad/attachment.htm>