[Freeipa-users] apache to dogtag (error 4301)

Fraser Tweedale ftweedal at redhat.com
Mon Aug 24 14:20:41 UTC 2015


On Mon, Aug 24, 2015 at 07:00:00AM -0400, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
> I have been beating my head against the keyboard for the past 2 weeks trying
> to figure this one out. I'm hoping I am missing something simple, as my next
> course of action is to completely re-install IPA.
> 
> 
> This is the primary error I am receiving:
> 
> ipa: DEBUG: Caught fault 4301 from server
> https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
> cannot be completed: EXCEPTION (You did not provide a valid certificate for
> this operation)
> 
Dogtag raises this exception when it expected but did not receive a
client certificate.  The `ipaCert' certificate from /etc/httpd/alias
is the certificate used by FreeIPA to talk to Dogtag.

If `ipaCert' is not expired, there must be some other reason the
client is not sending the cert.  Is Dogtag in FIPS mode?  Can you
export the certificate and try to connect to the server using,
e.g., `openssl s_client -msg' to debug the handshake?

Thanks,
Fraser

> It occurs in the IdM UI and from shell. A similar task, ( ~# ipa user-show
> admin ) works on the same system. This system is an IPA master and the only
> CA, version 3.0.0-47 (initially 3.0.0-42) -- everything minus certificate
> tasks works. SELinux is currently in permissive (I am receiving no related
> AVCs anyway, even with semodule -BD).
> 
> Background on this issue: it started after putting mod_nss (and apache's
> nssdb) into FIPS mode. I have since restored the apache NSSdb to a
> known-good (non-FIPS) backup, but I am still receiving the same certificate
> errors.
> 
> The value of 'userCertificate' in
> 'cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same
> as the value from certutil for ipaCert. The value of 'cACertificate' from
> 'cn=CAcert,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same value as the
> '/etc/ipa/ca.crt' and the value from certutil for INTERNALFQDN.LAB IPA CA.
> 
> All logs below were run with a valid admin ticket. It is difficult to
> transport logs from this system (isolated network), so there are quite a lot
> of logs in this message; I snipped out as much filler as possible.
> 
> 
> ##
> ## cert-show from shell
> ##
> [root at server ~]# ipa cert-show
> <snip (all python plugins)>
> <snip (cookie stuff)>
> ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>         Version:       3 (0x2)
>         Serial Number: 10 (0xa)
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         Validity:
>             Not Before: Mon Jun 22 13:51:40 2015 UTC
>             Not After:  Thu Jun 22 13:51:40 2017 UTC
>         Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
> <snip>
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
> 
>         Name:     Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
> <snip>
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for
> "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Created connection context.xmlclient
> Serial number: 0xa
> ipa: DEBUG: raw: cert_show(u'10')
> ipa: DEBUG: cert_show(u'10')
> ipa: INFO: Forwarding 'cert_show' to server
> u'https://server.internalfqdn.lab/ipa/session/xml'
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Caught fault 4301 from server
> https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
> cannot be completed: EXCEPTION (You did not provide a valid certificate for
> this operation)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (You did
> not provide a valid certificate for this operation)
> 
> 
> ##
> ## (successful) user-show from shell
> ##
> [root at server ~]# ipa user-show admin
> <snip (all python plugins)>
> <snip (cookie stuff)>
> ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>         Version:       3 (0x2)
>         Serial Number: 10 (0xa)
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         Validity:
>             Not Before: Mon Jun 22 13:51:40 2015 UTC
>             Not After:  Thu Jun 22 13:51:40 2017 UTC
>         Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
> <snip>
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
> 
>         Name:     Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
> <snip>
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for
> "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Created connection context.xmlclient
> ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False,
> version=u'2.49', no_members=False)
> ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False,
> version=u'2.49', no_members=False)
> ipa: INFO: Forwarding 'user_show' to server
> u'https://server.internalfqdn.lab/ipa/session/xml'
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Destroyed connection context.xmlclient
>   User login: admin
>   Last name: Administrator
>   Home directory: /home/admin
>   Login shell: /bin/bash
>   UID: 999999999
>   GID: 999999999
>   Account disabled: False
>   Password: True
>   Member of groups: admins, trust admins
>   Roles: IPA HBAC Administrator, IPA Workstation Administrator, IPA Services
> Administrator, IPA User Manager, IPA Cybersecurity Administrator, IPA
> Certificate Administrator
>   Indirect Member of netgroup: servers
>   Indirect Member of Sudo rule: ws_allow_all, srv_allow_all
>   Indirect Member of HBAC rule: console_login, admin_only_login,
> admin_allow_su
>   Kerberos keys available: True
> 
> 
> ##
> ## apache error_log
> ##
> [Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for
> child 4 (server server.internalfqdn.lab:443)
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> <snip (session stuff)>
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI xmlserver.__call__:
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Created connection
> context.ldap2
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI
> WSGIExecutioner.__call__:
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: raw: cert_show(u'10')
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert_show(u'10')
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: IPA: virtual verify retrieve
> certificate
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG:
> ipaserver.plugins.dogtag.ra.get_certificate()
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request
> 'https://server.internalfqdn.lab:443/ca/agent/ca/displayBySerial'
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request post
> 'xml=true&serialNumber=10'
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: NSSConnection init
> server.internalfqdn.lab
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Connecting: 256.256.256.256:0
> [Mon Aug 24 06:11:11 2015] [info] Connection to child 0 established (server
> server.internalfqdn.lab:443, client 256.256.256.256)
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: auth_certificate_callback:
> check_sig=True is_server=False
> <snip (cert data, same as above to stdout)>
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: approved_usage = SSL Server
> intended_usage = SSL Server
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert valid True for
> "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: handshake complete, peer =
> 256.256.256.256:443
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Protocol: TLS1.2
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Cipher:
> TLS_RSA_WITH_AES_256_CBC_SHA
> [Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for
> child 0 (server server.internalfqdn.lab:443)
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(45): proxy: AJP:
> canonicalising URL //localhost:9447/ca/agent/ca/displayBySerial
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(1524): [client
> 256.256.256.256] proxy: ajp: found worker ajp://localhost:9447 for
> ajp://localhost:9447/ca/agent/ca/displayBySerial
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy.c(1026): Running scheme ajp
> handler (attempt 0)
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(709): proxy: AJP: serving
> URL ajp://localhost:9447/ca/agent/ca/displayBySerial
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2094): proxy: AJP: has
> acquired connection for (localhost)
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2150): proxy: connecting
> ajp://localhost:9447/ca/agent/ca/displayBySerial to localhost:9447
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2277): proxy: connected
> /ca/agent/ca/displayBySerial to localhost:9447
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2528): proxy: AJP: fam 2
> socket created to connect to localhost
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(224): Into
> ajp_marshal_into_msgb
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[0] [Host] = [server.internalfqdn.lab]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[1] [Accept-Encoding] = [identity]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[2] [Content-Length] = [24]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[3] [Content-type] = [application/x-www-form-urlencoded]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[4] [Accept] = [text/plain]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(450): ajp_marshal_into_msgb:
> Done
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(269): proxy:
> APR_BUCKET_IS_EOS
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(274): proxy: data to read
> (max 8186 at 4)
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(289): proxy: got 24 bytes
> of data
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
> ajp_ilink_received 04
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 04
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(516):
> ajp_unmarshal_response: status = 200
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(537):
> ajp_unmarshal_response: Number of headers is = 2
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599):
> ajp_unmarshal_response: Header[0] [Content-Type] = [application/xml]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(609):
> ajp_unmarshal_response: ap_set_content_type done
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599):
> ajp_unmarshal_response: Header[1] [Content-Length] = [274]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
> ajp_ilink_received 03
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 03
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
> ajp_ilink_received 05
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 05
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(616): proxy: got response
> from (null) (localhost)
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2112): proxy: AJP: has
> released connection for (localhost)
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: parse_display_cert_xml()
> xml_text:
> [Mon Aug 24 06:11:11 2015] [error] <?xml version="1.0" encoding="UTF-8"
> standalone="no"?><xml><header/><fixed><authorityName>Certificate
> Manager</authorityName><unexpectedError>You did not provide a valid
> certificate for this operation</unexpectedError><requestStatus>7</requestStatus></fixed><records/></xml>
> [Mon Aug 24 06:11:11 2015] [error] parse_result:
> [Mon Aug 24 06:11:11 2015] [error] {'request_status': 7, 'error_string':
> u'You did not provide a valid certificate for this operation', 'authority':
> u'Certificate Manager'}
> [Mon Aug 24 06:11:11 2015] [error] ipa: ERROR:
> ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (You did not
> provide a valid certificate for this operation)
> [Mon Aug 24 06:11:11 2015] [error] ipa: INFO: admin at INTERNALFQDN.LAB:
> cert_show(u'10'): CertificateOperationError
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: response:
> CertificateOperationError: Certificate operation cannot be completed:
> EXCEPTION (You did not provide a valid certificate for this operation)
> [Mon Aug 24 06:11:11 2015] [info] Connection to child 0 closed (server
> server.internalfqdn.lab:443, client 256.256.256.256)
> <snip (session stuff)>
> [Mon Aug 24 06:11:11 2015] [info] Connection to child 4 closed (server
> server.internalfqdn.lab:443, client 256.256.256.256)
> 
> 
> ##
> ## enabled apache modules
> ##
> [root at server ~]# httpd -M
> Loaded Modules:
>  core_module (static)
>  mpm_prefork_module (static)
>  http_module (static)
>  so_module (static)
>  authz_host_module (shared)
>  authz_user_module (shared)
>  authz_groupfile_module (shared)
>  log_config_module (shared)
>  setenvif_module (shared)
>  mime_module (shared)
>  autoindex_module (shared)
>  negotiation_module (shared)
>  dir_module (shared)
>  alias_module (shared)
>  rewrite_module (shared)
>  proxy_module (shared)
>  proxy_ajp_module (shared)
>  auth_kerb_module (shared)
>  nss_module (shared)
>  wsgi_module (shared)
> Syntax OK
> 
> 
> ##
> ## apache perms (I recently allowed o+r)
> ##
> 1442776    4 drwxr-xr-x   6 root     apache       4096 Aug 23 14:56
> /etc/httpd
> 1442910    0 lrwxrwxrwx   1 root     root           29 Jul 27 08:01
> /etc/httpd/modules -> ../../usr/lib64/httpd/modules
> 1442911    0 lrwxrwxrwx   1 root     root           19 Jul 27 08:01
> /etc/httpd/run -> ../../var/run/httpd
> 1442502    4 drwxr-xr-x   2 root     apache       4096 Aug  9 08:00
> /etc/httpd/alias
> 1442507    8 -rw-------   1 root     root         4684 Jun 21 09:49
> /etc/httpd/alias/install.log
> 1442670   16 -rw-r-----   1 root     apache      16384 Aug  5 16:10
> /etc/httpd/alias/secmod.db
> 1442512   16 -rw-r-----   1 root     apache      16384 Aug 23 16:40
> /etc/httpd/alias/key3.db
> 1442503    4 -r--r--r--   1 root     root         1307 Jun 22 09:50
> /etc/httpd/alias/cacert.asc
> 1442528    4 -r--r-----   1 root     apache         20 Jun 22 09:48
> /etc/httpd/alias/pwdfile.txt
> 1442505   64 -rw-r-----   1 root     apache      65536 Aug 23 16:40
> /etc/httpd/alias/cert8.db
> 1442516    0 lrwxrwxrwx   1 root     root           33 Aug 23 14:56
> /etc/httpd/alias/libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
> 1442891    4 drwxr-xr-x   2 root     apache       4096 Aug 24 06:01
> /etc/httpd/conf.d
> 1442205    4 -rw-rw----   1 root     apache       1487 Aug 24 06:01
> /etc/httpd/conf.d/nss.conf
> 1442100    4 -rw-rw----   1 root     apache         43 Aug  6 17:54
> /etc/httpd/conf.d/wsgi.conf
> 1442748   12 -rw-r--r--   1 root     apache       9456 Jan 23  2015
> /etc/httpd/conf.d/nss.conf.rpmnew
> 1442149    4 -rw-rw----   1 root     apache        760 Aug  6 17:54
> /etc/httpd/conf.d/ipa-rewrite.conf
> 1442171    4 -rw-rw----   1 root     apache        707 Aug  6 17:54
> /etc/httpd/conf.d/auth_kerb.conf
> 1442038    4 -rw-rw----   1 root     apache       3613 Aug 21 19:29
> /etc/httpd/conf.d/ipa.conf
> 1442148    4 -rw-rw----   1 root     apache       1524 Aug 23 16:12
> /etc/httpd/conf.d/ipa-pki-proxy.conf
> 1442778    4 drwxr-xr-x   2 root     apache       4096 Aug 24 06:00
> /etc/httpd/conf
> 1443974    4 -r--r-----   1 root     apache         30 Aug 23 13:34
> /etc/httpd/conf/password.conf
> 1442186    8 -rw-rw----   1 root     apache       4989 Aug 24 05:42
> /etc/httpd/conf/httpd.conf
> 1443975    4 -rw-rw----   1 root     apache        314 Jun 22 09:52
> /etc/httpd/conf/ipa.keytab
> 1442908   16 -rw-rw----   1 root     apache      13139 Mar  3 12:06
> /etc/httpd/conf/magic
> 1442909    0 lrwxrwxrwx   1 root     root           19 Jul 27 08:01
> /etc/httpd/logs -> ../../var/log/httpd
> 
> 
> ##
> ## ipara cert serial vs nssdb serial
> ##
> [root at server ~]# ldapsearch -h localhost -p 7389 -D "CN=Directory Manager"
> -x -W -b "uid=ipara,ou=People,o=ipaca" description
> <snip>
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;CN=IPA RA,O=INTERNALFQDN.LAB
> <snip>
> [root at server ~]# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
>         Serial Number: 7 (0x7)
> 
> 
> ##
> ## full getcert list
> ##
> [root at server ~]# getcert list
> Number of certificates and requests being tracked: 10.
> Request ID '20150622134926':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:31 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150622134947':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNALFQDN-LAB/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-22 13:49:46 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> INTERNALFQDN-LAB
>         track: yes
>         auto-renew: yes
> Request ID '20150622135035':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-22 13:50:34 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>         track: yes
>         auto-renew: yes
> Request ID '20150623103849':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS
> Certificate DB'
>         certificate:
> type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-23 11:11:18 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150623111624':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS
> Certificate DB'
>         certificate:
> type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-23 11:16:25 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150624145016':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/puppet/ssl/private_keys/server.internalfqdn.lab.pem'
>         certificate:
> type=FILE,location='/var/lib/puppet/ssl/certs/server.internalfqdn.lab.pem'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-24 14:50:17 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150823160608':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=CA Audit,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:33 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20150823160614':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=OCSP Subsystem,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:31 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20150823160639':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=CA Subsystem,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:32 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20150823160643':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=IPA RA,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:49:20 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> 
> 
> ##
> ## getcert list-cas
> ##
> [root at server ~]# getcert list-cas
> CA 'SelfSign':
>         is-default: no
>         ca-type: INTERNAL:SELF
>         next-serial-number: 01
> CA 'IPA':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/ipa-submit
> CA 'certmaster':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/certmaster-submit
> CA 'dogtag-ipa-renew-agent':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location:
> /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> CA 'local':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/local-submit
> CA 'dogtag-ipa-retrieve-agent-submit':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location:
> /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
> 
> 
> ##
> ## NSSdbs
> ##
> [root at server ~]# certutil -d /etc/pki/nssdb -L
> 
> Certificate Nickname                                         Trust
> Attributes
> SSL,S/MIME,JAR/XPI
> IPA CA                                                       CT,C,C
> DNS-Servername                                               u,u,u
> [root at server ~]# certutil -d /etc/httpd/alias -L
> 
> Certificate Nickname                                         Trust
> Attributes
> SSL,S/MIME,JAR/XPI
> INTERNALFQDN.LAB IPA CA CT,C,C
> ipaCert                                                      u,u,u
> Signing-Cert                                                 u,u,u
> Server-Cert                                                  u,u,u
> [root at server ~]# certutil -d /var/lib/pki-ca/alias -L
> 
> Certificate Nickname                                         Trust
> Attributes
> SSL,S/MIME,JAR/XPI
> caSigningCert cert-pki-ca CTu,Cu,Cu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> 
> 
> ##
> ## pki-ca network processes
> ##
> [root at server ~]# netstat -plnt | grep java
> tcp        0      0 0.0.0.0:9443 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9444 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 127.0.0.1:9701 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9445 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9446 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9447 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9180 0.0.0.0:*                   LISTEN
> 9352/java
> 
> 
> ##
> ## server.xml
> ##
> (No changes from dist other than ssl3=false in sslOptions)
> 
> 
> ##
> ## pki-ca tomcat logs
> ##
> No entries -- request does not seem to get far enough to trigger anything
> outside of SignedAudit.
> 
> 
> ##
> ## signedAudit
> ##
> 9352.TP-Processor1 - [24/Aug/2015:06:11:11 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$]
> authentication failure
> 
> 
> ##
> ## basic system info
> ##
> 
> [root at server ~]# rpm -q ipa-server pki-ca && uname -a && cat
> /etc/redhat-release
> ipa-server-3.0.0-47.el6.x86_64
> pki-ca-9.0.3-43.el6.noarch
> Linux server.internalfqdn.lab 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14
> 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 6.7 (Santiago)
> 
> 
> 
> Regards,
> 
> -- 
> Paul Arnold
> IT Systems Engineer
> Cole Engineering Services, Inc
> 
> 



> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
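An added example, not part of the thread and not FreeIPA or Dogtag code, of the check the poster did by hand under "ipara cert serial vs nssdb serial". Dogtag maps a presented client certificate to an agent user through the `description` attribute on `uid=ipara,ou=People,o=ipaca`, whose format is `<version>;<serial>;<issuer DN>;<subject DN>`, so the serial recorded there has to equal the serial of `ipaCert` in /etc/httpd/alias. The script parses the ldapsearch value and the output of `certutil -L -d /etc/httpd/alias -n ipaCert` and reports any mismatch in serial, issuer or subject. The sample inputs are constructed from the values quoted above (the certutil listing is abbreviated and its layout is assumed); `certutil_listing_live` is a small helper for running the same check against a real database. In the thread's case the serials agree (7 and 7), which is consistent with the reply's point that the problem is the client not presenting the cert at all rather than Dogtag rejecting the wrong one.

```python
"""Consistency check between Dogtag's RA agent record and the ipaCert in NSS.

Added example; the `description` format is the one Dogtag stores on agent
users, everything else here (function names, sample text) is assumed.
"""
import re
import subprocess
from typing import Dict, List, NamedTuple


class AgentRecord(NamedTuple):
    """Fields of the Dogtag `description` attribute on an agent user."""
    version: int
    serial: int
    issuer: str
    subject: str


def parse_agent_description(description: str) -> AgentRecord:
    """Parse '<version>;<serial>;<issuer DN>;<subject DN>' (serial is decimal)."""
    parts = description.strip().split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected description format: %r" % description)
    version, serial, issuer, subject = (p.strip() for p in parts)
    return AgentRecord(int(version), int(serial), issuer, subject)


# certutil prints the serial as 'N (0xN)' and quotes the DNs.
_FIELD_RES = {
    "serial": re.compile(r"^\s*Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", re.M),
    "issuer": re.compile(r'^\s*Issuer:\s*"([^"]*)"', re.M),
    "subject": re.compile(r'^\s*Subject:\s*"([^"]*)"', re.M),
}


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Pull serial, issuer and subject out of `certutil -L -d <db> -n <nick>` output."""
    found = {}
    for name, rx in _FIELD_RES.items():
        m = rx.search(text)
        if not m:
            raise ValueError("field %r not found in certutil output" % name)
        found[name] = m.group(1)
    return found


def check_ra_cert(description: str, certutil_text: str) -> List[str]:
    """Return a list of mismatches; an empty list means the agent record matches."""
    rec = parse_agent_description(description)
    cert = parse_certutil_listing(certutil_text)
    problems = []
    if rec.serial != int(cert["serial"]):
        problems.append("serial: agent record %d, ipaCert %s" % (rec.serial, cert["serial"]))
    if rec.issuer != cert["issuer"]:
        problems.append("issuer: agent record %r, ipaCert %r" % (rec.issuer, cert["issuer"]))
    if rec.subject != cert["subject"]:
        problems.append("subject: agent record %r, ipaCert %r" % (rec.subject, cert["subject"]))
    return problems


def certutil_listing_live(nssdb: str = "/etc/httpd/alias", nickname: str = "ipaCert") -> str:
    """Run certutil against a real NSS database (needs read access to the DB files)."""
    return subprocess.check_output(
        ["certutil", "-L", "-d", nssdb, "-n", nickname], universal_newlines=True)


# Constructed sample inputs using the values reported in the thread, laid out
# the way ldapsearch and certutil print them (validity lines omitted).
SAMPLE_DESCRIPTION = (
    "2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;CN=IPA RA,O=INTERNALFQDN.LAB")

SAMPLE_CERTUTIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=INTERNALFQDN.LAB"
        Subject: "CN=IPA RA,O=INTERNALFQDN.LAB"
"""

if __name__ == "__main__":
    problems = check_ra_cert(SAMPLE_DESCRIPTION, SAMPLE_CERTUTIL)
    print("agent record matches ipaCert" if not problems else "\n".join(problems))
```

On a live server, feed `certutil_listing_live()` and the `description` value from `ldapsearch -b uid=ipara,ou=People,o=ipaca description` into `check_ra_cert`; a non-empty result after a renewal usually means the agent record still points at the previous certificate, and the `userCertificate` attribute on the same entry should be compared as well.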