[Freeipa-users] Certificate Issues

Adam Lewis alewis422 at gmail.com
Mon Aug 1 19:02:43 UTC 2016


Yup, it's just the text string. I don't know how much this matters but when
I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what it's
been since we installed IPA. Is there some way/reason for me to generate a
whole new ipaCert?

Thanks

On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Adam Lewis wrote:
>
>> If you mean the usercertificate value from the ldapsearch command, then
>> yes. That value matches the value from the certutil output.
>>
>
> The usercertificate in LDAP had the BEGIN/END stripped, right?
>
> I'll cc a couple of the dogtag developers to see what they think.
>
> rob
>
>
>> Thanks
>>
>> On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>     Adam Lewis wrote:
>>
>>         A quick update. We did some digging on the segfault problem and I think
>>         it was due to having to update the trusts on the CA cert. So we updated
>>         the certmonger package and certmonger now starts again.
>>         However we're kind of back to square one where we are still getting the
>>         AUTH_FAIL messages in the debug log.
>>         I have verified that the ipara entry's serial number and cert match the
>>         serial number and cert from the one in /etc/httpd/alias.
>>
>>
>>     How about the certificate PEM? Does it match the usercertificate in
>>     the dogtag LDAP server?
>>
>>     rob
>>
>>
>>         Any other ideas?
>>
>>         Thanks!
>>
>>         On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis422 at gmail.com> wrote:
>>
>>              Rob,
>>              Thanks for pointing me in the right direction. However after
>>              following the instructions in the above mentioned doc I noticed a
>>              few things that are odd and have a new problem. The first odd thing
>>              I noticed is that when I run service pki-cad status it shows that my
>>              PKI Subsystem Type is "CA Clone (Security Domain)"
>>              Shouldn't that say something like "CA Master"?
>>              Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
>>              all produced the same AUTH_FAIL message in the debug log.
>>
>>              Now the new problem...after pressing on and restarting things
>>              certmonger fails to start with a segfault.
>>              Starting certmonger: /bin/bash: line 1: 64935 Segmentation
>>              fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid
>>
>>              Thanks!
>>
>>              On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>                  Lewis, Adam M CIV NSWCDD, H11 wrote:
>>
>>                      We are currently dead in the water. Our OCSP, CA Audit, CA
>>                      Subsystem, and IPA RA certs expired as of 7/23/16. I found
>>                      and followed the instructions to the letter
>>                      (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>>                      however the CA Subsystem and IPA RA certs will not renew.
>>                      I've backdated the server to make sure the system was within
>>                      the renewal window, but that has not helped.
>>
>>
>>                  Those are the wrong instructions.
>>
>>                  You want this instead,
>>                  https://access.redhat.com/solutions/643753
>>
>>                  A bunch of it is for 2.2 but it isn't exactly noted which parts.
>>                  A general rule is that you don't/shouldn't need to directly
>>                  tweak the dogtag configuration or do any of the start-tracking
>>                  work (though you may want to verify that what/if anything you
>>                  changed from that wrong doc).
>>
>>                      When I run getcert list it reports:
>>                      Ca-error: Sever at
>>                      "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1:
>>                      Authentication Error
>>                      for both the IPA RA and CA Subsystem certs
>>
>>                      The debug log shows:
>>                      SignedAuditEventFactory: create()
>>                      message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
>>                      ReviewReqServlet: Invalid Credential.
>>
>>
>>                  The place to start is to get the serial # of the ipaCert:
>>
>>                  # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>
>>                  Now get the user from the dogtag LDAP server:
>>
>>                  # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description
>>
>>                  The format is 2;<serial number>;<issuer subject>;<subject>
>>
>>                  See if the serial # matches ipaCert. I'm guessing it won't.
>>                  Follow the instructions on the page I cited to update the entry
>>                  with the current certificate and serial # values. That should
>>                  get you going.
>>
>>                  rob
>>
>>
>>
>>                      We are kind of in deep doo-doo until this gets resolved.
>>
>>                      We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>
>>                      Any thoughts?
>>
>>                      Thanks!
>>
>>                      Adam M. Lewis
>>
>>
>>
>>
>>                  --
>>                  Manage your subscription for the Freeipa-users mailing list:
>>                  https://www.redhat.com/mailman/listinfo/freeipa-users
>>                  Go to http://freeipa.org for more info on the project
>>
>>
>>
>>
>>              --
>>              Adam M. Lewis
>>              alewis422 at gmail.com
>>              10807 Allie Place
>>              Fredericksburg, VA 22408
>>              540-412-8643
>>
>>
>>
>


-- 
Adam M. Lewis
alewis422 at gmail.com
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643
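The check Rob describes in the thread, comparing the serial number (and, per his later question, the certificate itself) of the ipaCert in /etc/httpd/alias against the dogtag `ipara` entry, can be scripted so the comparison is not done by eye. The following is an added example, not code from the thread, FreeIPA or dogtag. It runs offline on constructed samples of the `certutil -L` and `ldapsearch` output quoted in the thread; the DER bytes, the `EXAMPLE.TEST` realm and the `STALE_LDIF_TEXT` variant are made up for the example, and on a real server you would feed it the actual command output instead.

```python
"""Compare the ipaCert in the httpd NSS database with the dogtag 'ipara' user entry.

Added example (not from the thread). The inputs below are constructed stand-ins for:
  certutil -L -d /etc/httpd/alias -n ipaCert          (text form)
  certutil -L -d /etc/httpd/alias -n ipaCert -a       (PEM form)
  ldapsearch ... -b uid=ipara,ou=People,o=ipaca description usercertificate
"""
import base64
import re
import textwrap

# Constructed stand-in for the DER encoding of ipaCert; NOT a real certificate.
FAKE_DER = b"constructed-der-bytes-for-the-example-" * 4

# Constructed certutil text output; serial 7 as in the thread, names are made up.
CERTUTIL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Subject: "CN=IPA RA,O=EXAMPLE.TEST"
"""

# Constructed PEM output (certutil -a): base64 DER between BEGIN/END markers.
CERTUTIL_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + "\n".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode(), 64))
                + "\n-----END CERTIFICATE-----\n")

# Constructed ldapsearch (LDIF) output for uid=ipara. ldapsearch writes binary
# attributes base64-encoded after '::' and folds long values onto continuation
# lines that begin with a single space, so the BEGIN/END lines never appear.
LDIF_TEXT = (
    "dn: uid=ipara,ou=People,o=ipaca\n"
    "description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST\n"
    "usercertificate:: "
    + "\n ".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode(), 60)) + "\n"
)

# Constructed variant of the failure Rob guessed at: the entry still records a
# different serial than the certificate certmonger is presenting.
STALE_LDIF_TEXT = LDIF_TEXT.replace("2;7;", "2;8;")


def unfold_ldif(text):
    """Return {attribute: [values]} from LDIF; '::' values are base64-decoded to bytes."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # continuation line: append without the space
        elif line and not line.startswith("#"):
            lines.append(line)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def parse_description(desc):
    """dogtag stores '2;<serial>;<issuer DN>;<subject DN>' in the ipara description."""
    version, serial, issuer, subject = desc.split(";", 3)
    return {"version": version, "serial": int(serial), "issuer": issuer, "subject": subject}


def parse_serial(certutil_text):
    """Serial from certutil output: 'N (0xN)' for small serials, colon-hex lines for large ones."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x", certutil_text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:\s*\n\s*([0-9a-fA-F:\s]+)", certutil_text)
    return int(re.sub(r"[:\s]", "", m.group(1)), 16)


def parse_certutil(certutil_text):
    """Serial, issuer and subject as printed by certutil -L (quoted DN form)."""
    issuer = re.search(r'Issuer:\s*"([^"]+)"', certutil_text).group(1)
    subject = re.search(r'Subject:\s*"([^"]+)"', certutil_text).group(1)
    return {"serial": parse_serial(certutil_text), "issuer": issuer, "subject": subject}


def pem_to_der(pem_text):
    """Drop the BEGIN/END lines and decode; this is what LDAP holds in usercertificate."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def check_ipara(certutil_text, pem_text, ldif_text):
    """Report whether the NSS ipaCert and the dogtag ipara entry agree."""
    entry = unfold_ldif(ldif_text)
    desc = parse_description(entry["description"][0])
    cert = parse_certutil(certutil_text)
    ldap_der = entry.get("usercertificate", [b""])[0]
    return {
        "nss_serial": cert["serial"],
        "ldap_serial": desc["serial"],
        "serial_match": desc["serial"] == cert["serial"],
        "issuer_match": desc["issuer"] == cert["issuer"],
        "subject_match": desc["subject"] == cert["subject"],
        "cert_match": ldap_der == pem_to_der(pem_text),
    }


if __name__ == "__main__":
    for label, ldif in (("current entry", LDIF_TEXT), ("stale entry", STALE_LDIF_TEXT)):
        print(label, check_ipara(CERTUTIL_TEXT, CERTUTIL_PEM, ldif))
```

A `serial_match` or `cert_match` of False with the AUTH_FAIL/`certUserDBAuthMgr` messages from the thread is the signature of an `ipara` entry that was not updated after a renewal; the fix the thread points to is updating the entry's `description` and `usercertificate` to the current certificate, not regenerating ipaCert.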