[Freeipa-users] Certificate Issues

Adam Lewis alewis422 at gmail.com
Mon Aug 1 13:17:05 UTC 2016


Rob,
Thanks for pointing me in the right direction. However, after following the
instructions in the above-mentioned doc I noticed a few things that are odd
and have a new problem. The first odd thing I noticed is that when I run
"service pki-cad status" it shows that my PKI Subsystem Type is "CA Clone
(Security Domain)".
Shouldn't that say something like "CA Master"?
Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all
produced the same AUTH_FAIL message in the debug log.

Now the new problem... after pressing on and restarting things, certmonger
fails to start with a segfault:
Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault
/usr/sbin/certmonger -S -p /var/run certmonger.pid

Thanks!

On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Lewis, Adam M CIV NSWCDD, H11 wrote:
>
>> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and
>> IPA RA certs expired as of 7/23/16. I found and followed the instructions
>> to the letter (
>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>> however the CA Subsystem and IPA RA certs will not renew. I've backdated
>> the server to make sure the system was within the renewal window, but that
>> has not help.
>>
>
> Those are the wrong instructions.
>
> You want this instead, https://access.redhat.com/solutions/643753
>
> A bunch of it is for 2.2 but it isn't exactly noted which parts. A general
> rule is that you don't/shouldn't need to directly tweak the dogtag
> configuration or do any of the start-tracking work (though you may want to
> verify what, if anything, you changed from that wrong doc).
>
>> When I run getcert list it reports:
>> Ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess"
>> replied: 1: Authentication Error
>> for both the IPA RA and CA Subsystem certs
>>
>> The debug log shows:
>> SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
>>
>
> The place to start is to get the serial # of the ipaCert:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
> Now get the user from the dogtag LDAP server:
>
> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b
> uid=ipara,ou=People,o=ipaca description
>
> The format is 2;<serial number>;<issuer subject>;<subject>
>
> See if the serial # matches ipaCert. I'm guessing it won't. Follow the
> instructions on the page I cited to update the entry with the current
> certificate and serial # values. That should get you going.
>
> rob
>
>
>
>> We are kind of in deep doo-doo until this gets resolved.
>>
>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>
>> Any thoughts?
>>
>> Thanks!
>>
>> Adam M. Lewis
>>



-- 
Adam M. Lewis
alewis422 at gmail.com
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643
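A scripted form of the serial-number check Rob describes (compare the ipaCert serial from certutil with the second field of the uid=ipara description), added here as an example and not taken from the thread. The certutil and ldapsearch outputs below are constructed stand-ins so the script runs offline; the serial values and the EXAMPLE.TEST realm are made up.

```shell
#!/bin/sh
# Added example: does the uid=ipara,ou=People,o=ipaca entry still point at
# the certificate that ipaCert actually is? The description attribute has
# the form 2;<serial number>;<issuer subject>;<subject>, and the serial in
# field 2 must equal the serial certutil prints for ipaCert.

# Constructed stand-in for: certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
CERTUTIL_OUT='        Serial Number: 12 (0xc)'

# Constructed stand-in for: ldapsearch ... -b uid=ipara,ou=People,o=ipaca description
LDAP_OUT='dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'

# Pull the decimal serial out of certutil's "Serial Number: N (0xN)" line.
certutil_serial() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9]*\).*/\1/p'
}

# Pull field 2 (the serial) out of the description attribute value.
ipara_serial() {
    printf '%s\n' "$1" | sed -n 's/^description: //p' | cut -d';' -f2
}

# Exit status 0 when the serials agree, 1 otherwise. A mismatch is exactly
# the state that makes dogtag reject the IPA RA with AUTH_FAIL /
# "Invalid Credential" until the entry is updated to the current cert.
serials_match() {
    cert=$(certutil_serial "$1")
    ldap=$(ipara_serial "$2")
    [ -n "$cert" ] && [ "$cert" = "$ldap" ]
}

if serials_match "$CERTUTIL_OUT" "$LDAP_OUT"; then
    echo "ipara entry matches ipaCert (serial $(certutil_serial "$CERTUTIL_OUT"))"
else
    echo "MISMATCH: ipaCert serial $(certutil_serial "$CERTUTIL_OUT") vs ipara entry serial $(ipara_serial "$LDAP_OUT")"
fi
```

Real ldapsearch output folds long attribute values onto continuation lines, so unwrap them (for example with ldapsearch's -o ldif-wrap=no) before feeding the text to ipara_serial.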