[Freeipa-users] Certificate Issues
Rob Crittenden
rcritten at redhat.com
Mon Aug 1 15:18:01 UTC 2016
Adam Lewis wrote:
> A quick update. We did some digging on the segfault problem and I think
> it was due to having to update the trusts on the CA cert. So we updated
> the certmonger package and certmonger now starts again.
> However we're kind of back to square one where we are still getting the
> AUTH_FAIL messages in the debug log.
> I have verified that the ipara entry's serial number and cert match the
> serial number and cert from the one in /etc/httpd/alias.
How about the certificate PEM? Does it match the usercertificate in the
dogtag LDAP server?
rob
>
> Any other ideas?
>
> Thanks!
>
> On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis422 at gmail.com
> <mailto:alewis422 at gmail.com>> wrote:
>
> Rob,
> Thanks for pointing me in the right direction. However after
> following the instructions in the above mentioned doc I noticed a
> few things that are odd and have a new problem. The first odd thing
> I noticed is that when I run service pki-cad status it shows that my
> PKI Subsystem Type is "CA Clone (Security Domain)"
> Shouldn't that say something like "CA Master"?
> Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
> all produced the same AUTH_FAIL message in the debug log.
>
> Now the new problem...after pressing on and restarting things
> certmonger fails to start with a segfault.
> Starting certmonger: /bin/bash: line 1: 64935 Segmentation
> fault /usr/sbin/certmonger -S -p /var/run certmonger.pid
>
> Thanks!
>
> On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
> Lewis, Adam M CIV NSWCDD, H11 wrote:
>
> We are currently dead in the water. Our OCSP, CA Audit, CA
> Subsystem, and IPA RA certs expired as of 7/23/16. I found
> and followed the instructions to the letter
> (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
> however the CA Subsystem and IPA RA certs will not renew.
> I've backdated the server to make sure the system was within
> the renewal window, but that has not helped.
>
>
> Those are the wrong instructions.
>
> You want this instead, https://access.redhat.com/solutions/643753
>
> A bunch of it is for 2.2 but it isn't exactly noted which parts.
> A general rule is that you don't/shouldn't need to directly
> tweak the dogtag configuration or do any of the start-tracking
> work (though you may want to verify that what/if anything you
> changed from that wrong doc).
>
> When I run getcert list it reports:
> Ca-error: Sever at
> "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1:
> Authentication Error
> for both the IPA RA and CA Subsystem certs
>
> The debug log shows:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
> RA,O=MISS.ION] authentication failure
> ReviewReqServlet: Invalid Credential.
>
>
> The place to start is to get the serial # of the ipaCert:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
> Now get the user from the dogtag LDAP server:
>
> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager'
> -W -b uid=ipara,ou=People,o=ipaca description
>
> The format is 2;<serial number>;<issuer subject>;<subject>
>
> See if the serial # matches ipaCert. I'm guessing it won't.
> Follow the instructions on the page I cited to update the entry
> with the current certificate and serial # values. That should
> get you going.
>
> rob
>
>
>
> We are kind of in deep doo-doo until this gets resolved.
>
> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>
> Any thoughts?
>
> Thanks!
>
> Adam M. Lewis
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>
>
> --
> Adam M. Lewis
> alewis422 at gmail.com <mailto:alewis422 at gmail.com>
> 10807 Allie Place
> Fredericksburg, VA 22408
> 540-412-8643 <tel:540-412-8643>
>
>
>
>
>
> --
> Adam M. Lewis
> alewis422 at gmail.com <mailto:alewis422 at gmail.com>
> 10807 Allie Place
> Fredericksburg, VA 22408
> 540-412-8643
>
>
>
>
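The check Rob describes (does the serial number in the ipara entry's `2;<serial>;<issuer>;<subject>` description match the ipaCert in /etc/httpd/alias?) and the follow-up question about the PEM body versus `usercertificate` can be scripted so the comparison is not done by eye. The following is an added example, not code from the thread or from the FreeIPA project; the function names are mine, and all sample data (realm EXAMPLE.TEST, serial 12, the PEM body, the LDIF) is constructed, with the PEM body a placeholder string rather than a real certificate. It also handles two details a manual comparison trips over: certutil prints the serial as decimal plus hex, while dogtag stores only the decimal, and ldapsearch folds long values onto continuation lines and base64-encodes binary attributes.

```bash
#!/bin/bash
# Added example (not from the thread): compare the ipaCert in the httpd NSS
# database against the ipara entry in the dogtag LDAP server, both by serial
# number (the 2;<serial>;<issuer>;<subject> description) and by certificate
# body (PEM vs. the usercertificate attribute). All sample data below is
# constructed; the PEM body is a placeholder string, not a real certificate.
#
# On a live server the inputs come from the commands quoted in the thread
# (root and the Directory Manager password are needed):
#   certutil -L -d /etc/httpd/alias -n ipaCert
#   certutil -L -d /etc/httpd/alias -n ipaCert -a
#   ldapsearch -h "$(hostname)" -p 7389 -x -D 'cn=directory manager' -W \
#       -b uid=ipara,ou=People,o=ipaca description usercertificate

# certutil -L prints "Serial Number: <decimal> (0x<hex>)"; return the decimal,
# which is the form dogtag stores in the description attribute.
serial_from_certutil() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Strip the BEGIN/END lines and all whitespace from a PEM certificate, leaving
# one base64 string that can be compared with the LDAP usercertificate value.
pem_body() {
    printf '%s\n' "$1" | sed '/^-----/d' | tr -d ' \r\n'
}

# ldapsearch folds long values onto continuation lines that start with one
# space, and prints binary attributes as "name;binary:: <base64>". Unfold the
# LDIF, then print the (first) value of the named attribute.
ldif_attr_value() {
    printf '%s\n' "$1" | awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | sed -n "s/^$2[^:]*::* //p" | head -n 1
}

# Field <n> of a 2;<serial>;<issuer subject>;<subject> description value.
ipara_field() {
    printf '%s\n' "$1" | cut -d';' -f"$2"
}

# Exit status 0 when the NSS serial equals the serial in the ipara
# description, 1 otherwise; the verdict line is suitable for a ticket.
check_ipara_serial() {
    nss_serial=$(serial_from_certutil "$1")
    ldap_serial=$(ipara_field "$2" 2)
    if [ -n "$nss_serial" ] && [ "$nss_serial" = "$ldap_serial" ]; then
        printf 'OK: ipaCert serial %s matches ipara description\n' "$nss_serial"
        return 0
    fi
    printf 'MISMATCH: ipaCert serial %s, ipara description serial %s\n' \
        "${nss_serial:-<none>}" "${ldap_serial:-<none>}"
    return 1
}

# Exit status 0 when the PEM body equals the LDAP usercertificate value.
check_ipara_cert_body() {
    [ -n "$1" ] && [ "$(pem_body "$1")" = "$2" ]
}

# Constructed sample data (realm EXAMPLE.TEST, serial 12 chosen arbitrarily).
SAMPLE_CERTUTIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"'
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBsampleCERTbodyNOTaREALcert0123456789
ABCDEFabcdef+/==
-----END CERTIFICATE-----'
SAMPLE_LDIF='dn: uid=ipara,ou=People,o=ipaca
description: 2;12;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE
 .TEST
usercertificate;binary:: MIIBsampleCERTbodyNOTaREALcert0123456789ABCDEFabcdef+/
 ==

# search result
search: 2
result: 0 Success'
# A stale description, as left behind when the IPA RA cert was renewed but the
# ipara entry was not updated (the situation the thread describes).
SAMPLE_DESC_STALE='2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'

# Stand-alone run against the samples; the live inputs would replace them.
desc=$(ldif_attr_value "$SAMPLE_LDIF" description)
check_ipara_serial "$SAMPLE_CERTUTIL" "$desc" || true
check_ipara_serial "$SAMPLE_CERTUTIL" "$SAMPLE_DESC_STALE" || true
if check_ipara_cert_body "$SAMPLE_PEM" "$(ldif_attr_value "$SAMPLE_LDIF" usercertificate)"; then
    echo "OK: ipaCert PEM body matches ipara usercertificate"
else
    echo "MISMATCH: ipaCert PEM body differs from ipara usercertificate"
fi
```

A serial match with a PEM mismatch (or the reverse) is worth recording before following the Red Hat solution Rob links: it tells you which of the two values in the ipara entry was left stale by the renewal, so the AUTH_FAIL from certUserDBAuthMgr can be tied to a specific attribute rather than to the certificate as a whole.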