[Freeipa-users] ipa-getcert list fails to report correctly
Martin Kosek
mkosek at redhat.com
Fri Feb 20 08:51:15 UTC 2015
On 02/20/2015 06:56 AM, Les Stott wrote:
> Hi all,
>
> The following is blocking the ability for me to install a CA replica.
>
> Environment:
>
> RHEL 6.6
>
> IPA 3.0.0-42
>
> PKI 9.0.3-38
>
> On the master the following is happening:
>
> ipa-getcert list
>
> Number of certificates and requests being tracked: 5.
>
> (but it shows no certificate details in the output)
>
> Running “getcert list” shows complete output.
>
> Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I
> get a failed response. The Apache error logs on the master show….
>
> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot
> verify your certificate
>
> The reason I am trying to browse that address is because that’s what the
> ipa-ca-install setup is failing at (it complains that the CA certificate is not
> in proper format, in fact it’s not able to get it at all).
>
> I know from another working ipa setup that ….
>
> Browsing to the above address provides valid xml content and ipa-getcert list
> shows certificate details and not just the number of tracked certificates.
>
> Been trying for a long time to figure out the issues without luck.
>
> I would greatly appreciate any help to troubleshoot and resolve the above issues.
>
> Regards,
>
> Les
Endi or JanC, would you have any advice for Les? To me, it looks like
Apache does not have a proper certificate installed.
My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making a total of
8 certs tracked:
# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20141111000002':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=vm-086.example.com,O=EXAMPLE.COM
expires: 2016-11-11 00:00:01 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141111000047':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=vm-086.example.com,O=EXAMPLE.COM
expires: 2016-11-11 00:00:46 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141111000302':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=vm-086.example.com,O=EXAMPLE.COM
expires: 2016-11-11 00:03:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
What is actually in your Apache NSS database?
# certutil -L -d /etc/httpd/alias/
Martin
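As an added example that is not part of the thread (not Les's, Martin's or certmonger's own code), the following Python script parses the "getcert list" text format quoted above and flags the kind of inconsistency Les describes: a header count of tracked requests that does not match the number of request blocks actually printed. It also reports requests whose status is not MONITORING, that are marked stuck, or whose certificate is expired or close to expiry. The sample output, its request IDs, paths and the "current time" are constructed for the example; the field names follow the output shown in Martin's reply.

```python
"""Audit 'getcert list' output (added example; sample data is constructed)."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's output format: the header claims 3
# tracked requests but only 2 blocks follow, and the second one is unhealthy.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20141111000002':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=vm-086.example.com,O=EXAMPLE.COM
    expires: 2016-11-11 00:00:01 UTC
    track: yes
    auto-renew: yes
Request ID '20141111000302':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=vm-086.example.com,O=EXAMPLE.COM
    expires: 2015-03-01 00:03:02 UTC
    track: yes
    auto-renew: yes
"""
# Constructed "now" so the sample's expiry checks are deterministic.
SAMPLE_NOW = datetime(2015, 2, 20, tzinfo=timezone.utc)

HEADER_RE = re.compile(r"^Number of certificates and requests being tracked: (\d+)\.")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# key=value pairs; values are either single-quoted (may contain spaces/commas) or bare.
STORAGE_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,]+))")


def parse_storage(value):
    """Split a storage spec like type=NSSDB,location='/etc/httpd/alias',... into a dict."""
    return {key: quoted or bare for key, quoted, bare in STORAGE_RE.findall(value)}


def parse_getcert_list(text):
    """Return (count_from_header, list_of_request_dicts) for 'getcert list' output."""
    header_count, requests, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            header_count = int(m.group(1))
        elif m := REQUEST_RE.match(line):
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return header_count, requests


def parse_expiry(value):
    """certmonger prints e.g. '2016-11-11 00:00:01 UTC'; interpret it as UTC."""
    naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def audit(text, now, warn_days=30):
    """Return (request_id, finding) tuples; request_id is None for list-level findings."""
    header_count, requests = parse_getcert_list(text)
    findings = []
    if header_count is not None and header_count != len(requests):
        findings.append((None, f"header reports {header_count} tracked, "
                               f"but {len(requests)} request blocks printed"))
    for req in requests:
        rid = req["request_id"]
        if req.get("status") != "MONITORING":
            findings.append((rid, f"status is {req.get('status', 'missing')}"))
        if req.get("stuck") == "yes":
            findings.append((rid, "request is stuck; renewal will not proceed unattended"))
        if "expires" in req:
            left = parse_expiry(req["expires"]) - now
            if left < timedelta(0):
                findings.append((rid, f"certificate expired {(-left).days} days ago"))
            elif left <= timedelta(days=warn_days):
                findings.append((rid, f"certificate expires in {left.days} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample at the constructed time."""
    return audit(SAMPLE_OUTPUT, SAMPLE_NOW)


if __name__ == "__main__":
    # Usage on a real host:  getcert list | python3 audit_getcert.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for rid, finding in audit(text, datetime.now(timezone.utc)):
        print(f"[{rid or 'list'}] {finding}")
```

Whitespace-stripping each line before matching means the parser accepts both certmonger's tab indentation and output that a mail client has re-indented; it does assume each field sits on a single line, as it does in real terminal output. A count mismatch, as in Les's case, is reported even when zero blocks follow the header.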