[Freeipa-users] apache to dogtag (error 4301)
Arnold, Paul C CTR USARMY PEO STRI (US)
paul.c.arnold4.ctr at mail.mil
Mon Aug 24 11:00:00 UTC 2015
I have been beating my head against the keyboard for the past 2 weeks
trying to figure this one out. I'm hoping I am missing something simple,
as my next course of action is to completely re-install IPA.
This is the primary error I am receiving:
ipa: DEBUG: Caught fault 4301 from server
https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
cannot be completed: EXCEPTION (You did not provide a valid certificate
for this operation)
It occurs in the IdM UI and from the shell. A similar task ( ~# ipa
user-show admin ) works on the same system. This system is an IPA master
and the only CA, version 3.0.0-47 (initially 3.0.0-42) -- everything
minus certificate tasks works. SELinux is currently in permissive (I am
receiving no related AVCs anyway, even with semodule -BD).
Background on this issue: it started after putting mod_nss (and apache's
nssdb) into FIPS mode. I have since restored the apache NSSdb to a
known-good (non-FIPS) backup, but I am still receiving the same
certificate errors.
The value of 'userCertificate' in
'cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the
same as the value from certutil for ipaCert. The value of
'cACertificate' from 'cn=CAcert,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is
the same value as the '/etc/ipa/ca.crt' and the value from certutil for
INTERNALFQDN.LAB IPA CA.
All logs below were run with a valid admin ticket. It is difficult to
transport logs from this system (isolated network), so there are quite a
lot of logs in this message; I snipped out as much filler as possible.
##
## cert-show from shell
##
[root at server ~]# ipa cert-show
<snip (all python plugins)>
<snip (cookie stuff)>
ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
Validity:
Not Before: Mon Jun 22 13:51:40 2015 UTC
Not After: Thu Jun 22 13:51:40 2017 UTC
Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
<snip>
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
<snip>
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for
"CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Created connection context.xmlclient
Serial number: 0xa
ipa: DEBUG: raw: cert_show(u'10')
ipa: DEBUG: cert_show(u'10')
ipa: INFO: Forwarding 'cert_show' to server
u'https://server.internalfqdn.lab/ipa/session/xml'
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Caught fault 4301 from server
https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
cannot be completed: EXCEPTION (You did not provide a valid certificate
for this operation)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (You
did not provide a valid certificate for this operation)
##
## (successful) user-show from shell
##
[root at server ~]# ipa user-show admin
<snip (all python plugins)>
<snip (cookie stuff)>
ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
Validity:
Not Before: Mon Jun 22 13:51:40 2015 UTC
Not After: Thu Jun 22 13:51:40 2017 UTC
Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
<snip>
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
<snip>
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for
"CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False,
version=u'2.49', no_members=False)
ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False,
version=u'2.49', no_members=False)
ipa: INFO: Forwarding 'user_show' to server
u'https://server.internalfqdn.lab/ipa/session/xml'
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Destroyed connection context.xmlclient
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 999999999
GID: 999999999
Account disabled: False
Password: True
Member of groups: admins, trust admins
Roles: IPA HBAC Administrator, IPA Workstation Administrator, IPA
Services Administrator, IPA User Manager, IPA Cybersecurity
Administrator, IPA Certificate Administrator
Indirect Member of netgroup: servers
Indirect Member of Sudo rule: ws_allow_all, srv_allow_all
Indirect Member of HBAC rule: console_login, admin_only_login,
admin_allow_su
Kerberos keys available: True
##
## apache error_log
##
[Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received
for child 4 (server server.internalfqdn.lab:443)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
<snip (session stuff)>
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI xmlserver.__call__:
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Created connection
context.ldap2
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI
WSGIExecutioner.__call__:
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: raw: cert_show(u'10')
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert_show(u'10')
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: IPA: virtual verify
retrieve certificate
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG:
ipaserver.plugins.dogtag.ra.get_certificate()
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request
'https://server.internalfqdn.lab:443/ca/agent/ca/displayBySerial'
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request post
'xml=true&serialNumber=10'
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: NSSConnection init
server.internalfqdn.lab
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Connecting: 256.256.256.256:0
[Mon Aug 24 06:11:11 2015] [info] Connection to child 0 established
(server server.internalfqdn.lab:443, client 256.256.256.256)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG:
auth_certificate_callback: check_sig=True is_server=False
<snip (cert data, same as above to stdout)>
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: approved_usage = SSL
Server intended_usage = SSL Server
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert valid True for
"CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: handshake complete, peer
= 256.256.256.256:443
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Protocol: TLS1.2
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Cipher:
TLS_RSA_WITH_AES_256_CBC_SHA
[Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received
for child 0 (server server.internalfqdn.lab:443)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(45): proxy: AJP:
canonicalising URL //localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(1524): [client
256.256.256.256] proxy: ajp: found worker ajp://localhost:9447 for
ajp://localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy.c(1026): Running scheme ajp
handler (attempt 0)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(709): proxy: AJP:
serving URL ajp://localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2094): proxy: AJP: has
acquired connection for (localhost)
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2150): proxy: connecting
ajp://localhost:9447/ca/agent/ca/displayBySerial to localhost:9447
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2277): proxy: connected
/ca/agent/ca/displayBySerial to localhost:9447
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2528): proxy: AJP: fam 2
socket created to connect to localhost
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(224): Into
ajp_marshal_into_msgb
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290):
ajp_marshal_into_msgb: Header[0] [Host] = [server.internalfqdn.lab]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290):
ajp_marshal_into_msgb: Header[1] [Accept-Encoding] = [identity]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290):
ajp_marshal_into_msgb: Header[2] [Content-Length] = [24]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290):
ajp_marshal_into_msgb: Header[3] [Content-type] =
[application/x-www-form-urlencoded]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290):
ajp_marshal_into_msgb: Header[4] [Accept] = [text/plain]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(450):
ajp_marshal_into_msgb: Done
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(269): proxy:
APR_BUCKET_IS_EOS
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(274): proxy: data to
read (max 8186 at 4)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(289): proxy: got 24
bytes of data
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
ajp_ilink_received 04
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 04
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(516):
ajp_unmarshal_response: status = 200
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(537):
ajp_unmarshal_response: Number of headers is = 2
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599):
ajp_unmarshal_response: Header[0] [Content-Type] = [application/xml]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(609):
ajp_unmarshal_response: ap_set_content_type done
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599):
ajp_unmarshal_response: Header[1] [Content-Length] = [274]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
ajp_ilink_received 03
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 03
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
ajp_ilink_received 05
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 05
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(616): proxy: got
response from (null) (localhost)
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2112): proxy: AJP: has
released connection for (localhost)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: parse_display_cert_xml()
xml_text:
[Mon Aug 24 06:11:11 2015] [error] <?xml version="1.0" encoding="UTF-8"
standalone="no"?><xml><header/><fixed><authorityName>Certificate
Manager</authorityName><unexpectedError>You did not provide a valid
certificate for this
operation</unexpectedError><requestStatus>7</requestStatus></fixed><records/></xml>
[Mon Aug 24 06:11:11 2015] [error] parse_result:
[Mon Aug 24 06:11:11 2015] [error] {'request_status': 7, 'error_string':
u'You did not provide a valid certificate for this operation',
'authority': u'Certificate Manager'}
[Mon Aug 24 06:11:11 2015] [error] ipa: ERROR:
ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (You did not
provide a valid certificate for this operation)
[Mon Aug 24 06:11:11 2015] [error] ipa: INFO: admin at INTERNALFQDN.LAB:
cert_show(u'10'): CertificateOperationError
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: response:
CertificateOperationError: Certificate operation cannot be completed:
EXCEPTION (You did not provide a valid certificate for this operation)
[Mon Aug 24 06:11:11 2015] [info] Connection to child 0 closed (server
server.internalfqdn.lab:443, client 256.256.256.256)
<snip (session stuff)>
[Mon Aug 24 06:11:11 2015] [info] Connection to child 4 closed (server
server.internalfqdn.lab:443, client 256.256.256.256)
##
## enabled apache modules
##
[root at server ~]# httpd -M
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
authz_host_module (shared)
authz_user_module (shared)
authz_groupfile_module (shared)
log_config_module (shared)
setenvif_module (shared)
mime_module (shared)
autoindex_module (shared)
negotiation_module (shared)
dir_module (shared)
alias_module (shared)
rewrite_module (shared)
proxy_module (shared)
proxy_ajp_module (shared)
auth_kerb_module (shared)
nss_module (shared)
wsgi_module (shared)
Syntax OK
##
## apache perms (I recently allowed o+r)
##
1442776 4 drwxr-xr-x 6 root apache 4096 Aug 23 14:56
/etc/httpd
1442910 0 lrwxrwxrwx 1 root root 29 Jul 27 08:01
/etc/httpd/modules -> ../../usr/lib64/httpd/modules
1442911 0 lrwxrwxrwx 1 root root 19 Jul 27 08:01
/etc/httpd/run -> ../../var/run/httpd
1442502 4 drwxr-xr-x 2 root apache 4096 Aug 9 08:00
/etc/httpd/alias
1442507 8 -rw------- 1 root root 4684 Jun 21 09:49
/etc/httpd/alias/install.log
1442670 16 -rw-r----- 1 root apache 16384 Aug 5 16:10
/etc/httpd/alias/secmod.db
1442512 16 -rw-r----- 1 root apache 16384 Aug 23 16:40
/etc/httpd/alias/key3.db
1442503 4 -r--r--r-- 1 root root 1307 Jun 22 09:50
/etc/httpd/alias/cacert.asc
1442528 4 -r--r----- 1 root apache 20 Jun 22 09:48
/etc/httpd/alias/pwdfile.txt
1442505 64 -rw-r----- 1 root apache 65536 Aug 23 16:40
/etc/httpd/alias/cert8.db
1442516 0 lrwxrwxrwx 1 root root 33 Aug 23 14:56
/etc/httpd/alias/libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
1442891 4 drwxr-xr-x 2 root apache 4096 Aug 24 06:01
/etc/httpd/conf.d
1442205 4 -rw-rw---- 1 root apache 1487 Aug 24 06:01
/etc/httpd/conf.d/nss.conf
1442100 4 -rw-rw---- 1 root apache 43 Aug 6 17:54
/etc/httpd/conf.d/wsgi.conf
1442748 12 -rw-r--r-- 1 root apache 9456 Jan 23 2015
/etc/httpd/conf.d/nss.conf.rpmnew
1442149 4 -rw-rw---- 1 root apache 760 Aug 6 17:54
/etc/httpd/conf.d/ipa-rewrite.conf
1442171 4 -rw-rw---- 1 root apache 707 Aug 6 17:54
/etc/httpd/conf.d/auth_kerb.conf
1442038 4 -rw-rw---- 1 root apache 3613 Aug 21 19:29
/etc/httpd/conf.d/ipa.conf
1442148 4 -rw-rw---- 1 root apache 1524 Aug 23 16:12
/etc/httpd/conf.d/ipa-pki-proxy.conf
1442778 4 drwxr-xr-x 2 root apache 4096 Aug 24 06:00
/etc/httpd/conf
1443974 4 -r--r----- 1 root apache 30 Aug 23 13:34
/etc/httpd/conf/password.conf
1442186 8 -rw-rw---- 1 root apache 4989 Aug 24 05:42
/etc/httpd/conf/httpd.conf
1443975 4 -rw-rw---- 1 root apache 314 Jun 22 09:52
/etc/httpd/conf/ipa.keytab
1442908 16 -rw-rw---- 1 root apache 13139 Mar 3 12:06
/etc/httpd/conf/magic
1442909 0 lrwxrwxrwx 1 root root 19 Jul 27 08:01
/etc/httpd/logs -> ../../var/log/httpd
##
## ipara cert serial vs nssdb serial
##
[root at server ~]# ldapsearch -h localhost -p 7389 -D "CN=Directory
Manager" -x -W -b "uid=ipara,ou=People,o=ipaca" description
<snip>
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;CN=IPA
RA,O=INTERNALFQDN.LAB
<snip>
[root at server ~]# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)
##
## full getcert list
##
[root at server ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20150622134926':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:31 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150622134947':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNALFQDN-LAB/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-22 13:49:46 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
INTERNALFQDN-LAB
track: yes
auto-renew: yes
Request ID '20150622135035':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-22 13:50:34 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20150623103849':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS
Certificate DB'
certificate:
type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-23 11:11:18 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150623111624':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS
Certificate DB'
certificate:
type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-23 11:16:25 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150624145016':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/puppet/ssl/private_keys/server.internalfqdn.lab.pem'
certificate:
type=FILE,location='/var/lib/puppet/ssl/certs/server.internalfqdn.lab.pem'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-24 14:50:17 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150823160608':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=CA Audit,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:33 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150823160614':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=OCSP Subsystem,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:31 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150823160639':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=CA Subsystem,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:32 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150823160643':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=IPA RA,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:49:20 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
##
## getcert list-cas
##
[root at server ~]# getcert list-cas
CA 'SelfSign':
is-default: no
ca-type: INTERNAL:SELF
next-serial-number: 01
CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
helper-location:
/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-retrieve-agent-submit':
is-default: no
ca-type: EXTERNAL
helper-location:
/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
##
## NSSdbs
##
[root at server ~]# certutil -d /etc/pki/nssdb -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
IPA CA CT,C,C
DNS-Servername u,u,u
[root at server ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
INTERNALFQDN.LAB IPA CA CT,C,C
ipaCert u,u,u
Signing-Cert u,u,u
Server-Cert u,u,u
[root at server ~]# certutil -d /var/lib/pki-ca/alias -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
##
## pki-ca network processes
##
[root at server ~]# netstat -plnt | grep java
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN
9352/java
tcp 0 0 0.0.0.0:9444 0.0.0.0:* LISTEN
9352/java
tcp 0 0 127.0.0.1:9701 0.0.0.0:*
LISTEN 9352/java
tcp 0 0 0.0.0.0:9445 0.0.0.0:* LISTEN
9352/java
tcp 0 0 0.0.0.0:9446 0.0.0.0:* LISTEN
9352/java
tcp 0 0 0.0.0.0:9447 0.0.0.0:* LISTEN
9352/java
tcp 0 0 0.0.0.0:9180 0.0.0.0:* LISTEN
9352/java
##
## server.xml
##
(No changes from dist other than ssl3=false in sslOptions)
##
## pki-ca tomcat logs
##
No entries -- request does not seem to get far enough to trigger
anything outside of SignedAudit.
##
## signedAudit
##
9352.TP-Processor1 - [24/Aug/2015:06:11:11 EDT] [14] [6]
[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$]
authentication failure
##
## basic system info
##
[root at server ~]# rpm -q ipa-server pki-ca && uname -a && cat
/etc/redhat-release
ipa-server-3.0.0-47.el6.x86_64
pki-ca-9.0.3-43.el6.noarch
Linux server.internalfqdn.lab 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul
14 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.7 (Santiago)
Regards,
--
Paul Arnold
IT Systems Engineer
Cole Engineering Services, Inc
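As an added example (not code from the thread or from FreeIPA), the script below automates the comparison the post makes by hand under "ipara cert serial vs nssdb serial": it parses the 'description' attribute of uid=ipara,ou=People,o=ipaca (the version;serial;issuer DN;subject DN layout shown in the ldapsearch output) and the certutil pretty-print of the ipaCert nickname, and lists any field on which the agent record and the NSS DB certificate disagree. Sample inputs are constructed from the values quoted above; the exact certutil text layout is an assumption.

```python
"""Compare Dogtag's RA agent record with the NSS DB ipaCert (added example).

Three values must agree for the IPA RA to authenticate to Dogtag as
uid=ipara: the serial, issuer and subject in the agent's 'description'
attribute ("<version>;<serial>;<issuer DN>;<subject DN>", as printed by
the ldapsearch in the post) and the certificate that certutil shows for
nickname ipaCert in /etc/httpd/alias. This script parses both texts and
lists every disagreement. Inputs are pasted text, so it runs offline;
the certutil layout below is an assumption based on its usual output.
"""
import re


def parse_agent_description(desc):
    """Split the agent 'description' into version, serial, issuer, subject.
    The serial is stored in decimal (7 in the post), so int() is enough."""
    parts = desc.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected agent description: %r" % desc)
    version, serial, issuer, subject = (p.strip() for p in parts)
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def parse_certutil_pretty(text):
    """Pull serial, issuer and subject out of 'certutil -L -d DB -n NICK'.
    certutil quotes DNs ("CN=..."); the python-nss dump in the post does
    not, so the quotes are optional. Only the short decimal serial form
    'Serial Number: N (0xN)' is handled."""
    found = {}
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", text)
    if m:
        found["serial"] = int(m.group(1))
    for field in ("Issuer", "Subject"):
        m = re.search(r'^\s*%s:\s*"?([^"\n]+?)"?\s*$' % field, text, re.M)
        if m:
            found[field.lower()] = m.group(1)
    return found


def ra_cert_mismatches(desc, certutil_text):
    """Return a list of mismatch descriptions; an empty list means the
    agent record and the NSS DB certificate agree on all three fields."""
    want = parse_agent_description(desc)
    have = parse_certutil_pretty(certutil_text)
    problems = []
    for key in ("serial", "issuer", "subject"):
        if key not in have:
            problems.append("%s: not found in certutil output" % key)
        elif have[key] != want[key]:
            problems.append("%s: agent record has %r, NSS DB has %r"
                            % (key, want[key], have[key]))
    return problems


# Constructed from the values quoted in the post (serial 7, CN=IPA RA).
AGENT_DESCRIPTION = ("2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;"
                     "CN=IPA RA,O=INTERNALFQDN.LAB")

CERTUTIL_OK = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=INTERNALFQDN.LAB"
        Subject: "CN=IPA RA,O=INTERNALFQDN.LAB"
"""

# Constructed failure case: the NSS DB holds a renewed ipaCert (serial 12)
# while the agent record still names serial 7, the kind of drift this
# check is meant to surface before Dogtag rejects the agent.
CERTUTIL_STALE = CERTUTIL_OK.replace("Serial Number: 7 (0x7)",
                                     "Serial Number: 12 (0xc)")

if __name__ == "__main__":
    for label, text in (("current", CERTUTIL_OK), ("stale", CERTUTIL_STALE)):
        problems = ra_cert_mismatches(AGENT_DESCRIPTION, text)
        print("%s: %s" % (label, "OK" if not problems else "; ".join(problems)))
```

On a live server the two inputs would be the `description` value from the ldapsearch and the output of `certutil -L -d /etc/httpd/alias -n ipaCert`, pasted in as text.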