[Freeipa-users] Certificate Issues

Rob Crittenden rcritten at redhat.com
Mon Aug 1 15:18:01 UTC 2016 

Adam Lewis wrote:
> A quick update. We did some digging on the segfault problem and I think
> it was due to having to update the trusts on the CA cert. So we updated
> the certmonger package and certmonger now starts again.
> However we're kind of back to square one where we are still getting the
> AUTH_FAIL messages in the debug log.
> I have verified that the ipara entry's serial number and cert match the
> serial number and cert from the one in /etc/httpd/alias.

How about the certificate PEM? Does it match the usercertificate in the 
dogtag LDAP server?

rob

>
> Any other ideas?
>
> Thanks!
>
> On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis422 at gmail.com
> <mailto:alewis422 at gmail.com>> wrote:
>
>     Rob,
>     Thanks for pointing me in the right direction. However after
>     following the instructions in the above mentioned doc I noticed a
>     few things that are odd and have a new problem. The first odd thing
>     I noticed is that when I run service pki-cad status it shows that my
>     PKI Subsystem Type is "CA Clone (Security Domain)"
>     Shouldn't that say something like "CA Master"?
>     Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
>     all produced the same AUTH_FAIL message in the debug log.
>
>     Now the new problem...after pressing on and restarting things
>     certmonger fails to start with a segfault.
>     Starting certmonger: /bin/bash: line 1: 64935 Segmentation
>     fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid
>
>     Thanks!
>
>     On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcritten at redhat.com
>     <mailto:rcritten at redhat.com>> wrote:
>
>         Lewis, Adam M CIV NSWCDD, H11 wrote:
>
>             We are currently dead in the water. Our OCSP, CA Audit, CA
>             Subsystem, and IPA RA certs expired as of 7/23/16. I found
>             and followed the instructions to the letter
>             (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>             however the CA Subsystem and IPA RA certs will not renew.
>             I've backdated the server to make sure the system was within
>             the renewal window, but that has not help.
>
>
>         Those are the wrong instructions.
>
>         You want this instead, https://access.redhat.com/solutions/643753
>
>         A bunch of it is for 2.2 but it isn't exactly noted which parts.
>         A general rule is that you don't/shouldn't need to directly
>         tweak the dogtag configuration or do any of the start-tracking
>         work (though you may want to verify that what/if anything you
>         changed from that wrong doc).
>
>             When I run getcert list it reports:
>             Ca-error: Sever at
>             "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1:
>             Authentication Error
>             for both the IPA RA and CA Subsystem certs
>
>             The debug log shows:
>             SignedAuditEventFactory: create()
>             message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>             RA,O=MISS.ION] authentication failure
>             ReviewReqServlet: Invalid Credential.
>
>
>         The place to start is to get the serial # of the ipaCert:
>
>         # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
>         Now get the user from the dogtag LDAP server:
>
>         # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager'
>         -W -b uid=ipara,ou=People,o=ipaca description
>
>         The format is 2;<serial number>;<issuer subject>;<subject>
>
>         See if the serial # matches ipaCert. I'm guessing it won't.
>         Follow the instructions on the page I cited to update the entry
>         with the current certificate and serial # values. That should
>         get you going.
>
>         rob
>
>
>
>             We are kind of in deep doo-doo until this gets resolved.
>
>             We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>
>             Any thoughts?
>
>             Thanks!
>
>             Adam M. Lewis
>
>
>
>
>         --
>         Manage your subscription for the Freeipa-users mailing list:
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>         Go to http://freeipa.org for more info on the project
>
>
>
>
>     --
>     Adam M. Lewis
>     alewis422 at gmail.com <mailto:alewis422 at gmail.com>
>     10807 Allie Place
>     Fredericksburg, VA 22408
>     540-412-8643 <tel:540-412-8643>
>
>
>
>
>
> --
> Adam M. Lewis
> alewis422 at gmail.com <mailto:alewis422 at gmail.com>
> 10807 Allie Place
> Fredericksburg, VA 22408
> 540-412-8643
>
>
>
>

More information about the Freeipa-users mailing list