[Freeipa-users] Certificate Issues

Rob Crittenden rcritten at redhat.com
Mon Aug 1 19:00:15 UTC 2016


Adam Lewis wrote:
> If you mean the usercertificate value from the ldapsearch command, then
> yes. That value matches the value from the certutil output.

The usercertificate in LDAP had the BEGIN/END stripped, right?

I'll cc a couple of the dogtag developers to see what they think.

rob

>
> Thanks
>
> On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Adam Lewis wrote:
>
>         A quick update. We did some digging on the segfault problem and
>         I think it was due to having to update the trusts on the CA cert.
>         So we updated the certmonger package and certmonger now starts
>         again. However we're kind of back to square one where we are
>         still getting the AUTH_FAIL messages in the debug log.
>         I have verified that the ipara entry's serial number and cert
>         match the serial number and cert from the one in /etc/httpd/alias.
>
>
>     How about the certificate PEM? Does it match the usercertificate in
>     the dogtag LDAP server?
>
>     rob
>
>
>         Any other ideas?
>
>         Thanks!
>
>         On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis422 at gmail.com> wrote:
>
>              Rob,
>              Thanks for pointing me in the right direction. However after
>              following the instructions in the above mentioned doc I
>              noticed a few things that are odd and have a new problem. The
>              first odd thing I noticed is that when I run service pki-cad
>              status it shows that my PKI Subsystem Type is "CA Clone
>              (Security Domain)". Shouldn't that say something like "CA
>              Master"?
>              Second, when I ran the "ipa-getcert resubmit -I [ID]"
>              commands they all produced the same AUTH_FAIL message in the
>              debug log.
>
>              Now the new problem...after pressing on and restarting things
>              certmonger fails to start with a segfault.
>              Starting certmonger: /bin/bash: line 1: 64935 Segmentation
>              fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid
>
>              Thanks!
>
>              On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>                  Lewis, Adam M CIV NSWCDD, H11 wrote:
>
>                      We are currently dead in the water. Our OCSP, CA
>                      Audit, CA Subsystem, and IPA RA certs expired as of
>                      7/23/16. I found and followed the instructions to the
>                      letter
>         (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>                      however the CA Subsystem and IPA RA certs will not
>                      renew. I've backdated the server to make sure the
>                      system was within the renewal window, but that has
>                      not helped.
>
>
>                  Those are the wrong instructions.
>
>                  You want this instead,
>                  https://access.redhat.com/solutions/643753
>
>                  A bunch of it is for 2.2 but it isn't exactly noted
>                  which parts. A general rule is that you don't/shouldn't
>                  need to directly tweak the dogtag configuration or do any
>                  of the start-tracking work (though you may want to verify
>                  what, if anything, you changed from that wrong doc).
>
>                      When I run getcert list it reports:
>                      Ca-error: Server at
>                      "https://<fqdn>:9443/ca/agent/ca/profileProcess"
>                      replied: 1: Authentication Error
>                      for both the IPA RA and CA Subsystem certs
>
>                      The debug log shows:
>                      SignedAuditEventFactory: create()
>
>         message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>                      RA,O=MISS.ION] authentication failure
>                      ReviewReqServlet: Invalid Credential.
>
>
>                  The place to start is to get the serial # of the ipaCert:
>
>                  # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
>                  Now get the user from the dogtag LDAP server:
>
>                  # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' \
>                      -W -b uid=ipara,ou=People,o=ipaca description
>
>                  The format is 2;<serial number>;<issuer subject>;<subject>
>
>                  See if the serial # matches ipaCert. I'm guessing it won't.
>                  Follow the instructions on the page I cited to update
>                  the entry with the current certificate and serial #
>                  values. That should get you going.
>
>                  rob
>
>
>
>                      We are kind of in deep doo-doo until this gets resolved.
>
>                      We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>
>                      Any thoughts?
>
>                      Thanks!
>
>                      Adam M. Lewis
>
>
>
>
>
>
>
>
>              --
>              Adam M. Lewis
>              alewis422 at gmail.com
>              10807 Allie Place
>              Fredericksburg, VA 22408
>              540-412-8643
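Rob's check above (compare the ipaCert serial from certutil against the 2;<serial>;<issuer>;<subject> description on uid=ipara, and the PEM with its BEGIN/END lines stripped against the LDAP usercertificate value), written out as an added Python example that is not part of the thread; the sample values are constructed and stand in for a real certificate and serial.

```python
import base64
import re

# Constructed sample inputs, not real certificates or serials: the serial line
# from "certutil -L -d /etc/httpd/alias -n ipaCert" and the description value
# of uid=ipara,ou=People,o=ipaca as returned by the ldapsearch in the thread.
CERTUTIL_OUTPUT = "        Serial Number: 268369927 (0xfff0007)\n"
LDAP_DESCRIPTION = "2;268369927;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM"
SAMPLE_DER = b"constructed bytes standing in for DER, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_LDAP_CERT = base64.b64encode(SAMPLE_DER).decode()   # usercertificate, no BEGIN/END
OTHER_LDAP_CERT = base64.b64encode(b"some other bytes").decode()

def certutil_serial(output):
    """Serial from certutil -L output as an int: short 'N (0xN)' form or the
    long form where the bytes follow on the next lines as colon-separated hex."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if "Serial Number:" not in line:
            continue
        rest = line.split("Serial Number:", 1)[1].strip()
        if rest:
            return int(rest.split()[0])
        hexbytes = []
        for nxt in lines[i + 1:]:
            nxt = nxt.strip()
            if not re.fullmatch(r"[0-9a-f]{2}(:[0-9a-f]{2})*:?", nxt, re.I):
                break
            hexbytes.append(nxt.replace(":", ""))
        return int("".join(hexbytes), 16)
    raise ValueError("no serial number in certutil output")

def parse_description(value):
    """Split dogtag's '2;<serial>;<issuer>;<subject>' into (serial, issuer, subject)."""
    version, serial, issuer, subject = value.split(";", 3)
    if version != "2":
        raise ValueError("unexpected description version %r" % version)
    return int(serial), issuer, subject

def pem_matches_ldap(pem_text, ldap_base64):
    """True when the PEM body (BEGIN/END dropped) and the LDAP value decode to the same DER."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body) == base64.b64decode("".join(ldap_base64.split()))
```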



