[Freeipa-users] Certificate Issues
Adam Lewis
alewis422 at gmail.com
Tue Aug 2 12:33:53 UTC 2016
Rob,
The only message that seems remotely relevant is:
ProfileSubmitServlet: for renewal, original authenticator not found
But everything else looks completely fine until the "AUTH_FAIL" message.
I started seeing
csngen_new_csn - Warning: too much time skew (-xxx secs). Current seqnum=1
So I searched for that and found a few articles...but most of them deal
with replication. I don't have any replication agreements right now, and I
updated nsslapd-ignore-time-skew to on, but that didn't fix it either.
Any ideas?
Thanks
On Mon, Aug 1, 2016 at 3:29 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Adam Lewis wrote:
>
>> Yup. I'm currently still sitting back in time. But any time I try to
>> resubmit either the ipaCert or the subsystemCert it errors out.
>>
>> getcert list shows :
>> ca-error: Server at
>> "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1:
>> Authentication Error
>>
>> And the debug log shows:
>> SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
>>
>
> I'd look at the lines above that for clues, and check the 389-ds access
> log. I assume it is finding an entry for uid=ipara, right?
>
> The way the auth works as I understand it is dogtag first compares the
> serial number, issuer and subject of the provided certificate with the
> description attribute in the entry it finds in LDAP. Then it compares the
> full certificate. If things match up then you are authenticated. It then
> does some authorization work.
>
> For reference, mine looks like:
>
> dn: uid=ipara,ou=people,o=ipaca
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: cmsuser
> uid: ipara
> sn: ipara
> cn: ipara
> usertype: agentType
> userstate: 1
> userCertificate:: MIIDbTCCAlWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtH
> [snip]
> o0i1CCw1v++2tgvHiiZEEeeuOEMGEdXZfv4Xw=
> description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
>
>> Those appear to be the most significant messages. I'm disconnected so getting the full log info is difficult. If it's the only way let me know and I'll see what I can do. Worst case it'll just take me a while to re-type it.
>>
>
> Understood.
>
>
>
>> Thanks
>>
>>
>> On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Adam Lewis wrote:
>>
>> Yup, it's just the text string. I don't know how much this matters, but when I ran the start-tracking for the ipaCert it didn't generate a new certificate. I'm still working off of serial number 7, which is what it's been since we installed IPA. Is there some way/reason for me to generate a whole new ipaCert?
>>
>>
>> certmonger will take care of that when renewal happens.
>>
>> Did you go back in time to when this cert was valid?
>>
>> rob
>>
>>
>> Thanks
>>
>> On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Adam Lewis wrote:
>>
>> If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output.
>>
>>
>> The usercertificate in LDAP had the BEGIN/END stripped,
>> right?
>>
>> I'll cc a couple of the dogtag developers to see what they
>> think.
>>
>> rob
>>
>>
>> Thanks
>>
>> On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Adam Lewis wrote:
>>
>> A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again.
>> However we're kind of back to square one where we are still getting the AUTH_FAIL messages in the debug log.
>> I have verified that the ipara entry's serial number and cert match the serial number and cert from the one in /etc/httpd/alias.
>>
>>
>> How about the certificate PEM? Does it match the usercertificate in the dogtag LDAP server?
>>
>> rob
>>
>>
>> Any other ideas?
>>
>> Thanks!
>>
>> On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis422 at gmail.com> wrote:
>>
>> Rob,
>> Thanks for pointing me in the right direction. However, after following the instructions in the above mentioned doc I noticed a few things that are odd and have a new problem. The first odd thing I noticed is that when I run service pki-cad status it shows that my PKI Subsystem Type is "CA Clone (Security Domain)". Shouldn't that say something like "CA Master"? Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all produced the same AUTH_FAIL message in the debug log.
>>
>> Now the new problem...after pressing on and restarting things certmonger fails to start with a segfault.
>> Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault /usr/sbin/certmonger -S -p /var/run/certmonger.pid
>>
>> Thanks!
>>
>> On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Lewis, Adam M CIV NSWCDD, H11 wrote:
>>
>> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0), however the CA Subsystem and IPA RA certs will not renew. I've backdated the server to make sure the system was within the renewal window, but that has not helped.
>>
>> Those are the wrong instructions.
>>
>> You want this instead, https://access.redhat.com/solutions/643753
>>
>> A bunch of it is for 2.2 but it isn't exactly noted which parts. A general rule is that you don't/shouldn't need to directly tweak the dogtag configuration or do any of the start-tracking work (though you may want to verify what, if anything, you changed from that wrong doc).
>>
>> When I run getcert list it reports:
>> Ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
>> for both the IPA RA and CA Subsystem certs
>>
>> The debug log shows:
>> SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
>>
>> The place to start is to get the serial # of the ipaCert:
>>
>> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>
>> Now get the user from the dogtag LDAP server:
>>
>> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description
>>
>> The format is 2;<serial number>;<issuer subject>;<subject>
>>
>> See if the serial # matches ipaCert. I'm guessing it won't. Follow the instructions on the page I cited to update the entry with the current certificate and serial # values. That should get you going.
>>
>> rob
>>
>>
>>
>> We are kind of in deep doo-doo until this gets resolved.
>>
>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>
>> Any thoughts?
>>
>> Thanks!
>>
>> Adam M. Lewis
>>
>
--
Adam M. Lewis
alewis422 at gmail.com
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643
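The check Rob walks through above (serial, issuer and subject of ipaCert against the `2;<serial>;<issuer>;<subject>` description of uid=ipara, then the certificate itself against userCertificate), written out as an added example. This is not code from the thread, FreeIPA or dogtag: it takes the pasted text of `certutil -L -d /etc/httpd/alias -n ipaCert` (with and without `-a`) and the LDIF from ldapsearch, and lists every way the entry disagrees with the certificate certmonger will present. The certutil listing, the LDIF entries and the DER placeholder bytes below are constructed samples, not a real certificate or a real entry; the whitespace-only DN normalisation is an assumption, and dogtag's own comparison may be stricter.

```python
"""Compare ipaCert (certutil output) with the uid=ipara entry in the dogtag
LDAP tree. Added example; not FreeIPA or dogtag code. Sample inputs are
constructed and the DER bytes are placeholders, not a real certificate."""
import base64
import re


def parse_certutil(text):
    """Serial (decimal), issuer and subject from the certutil -L listing.
    certutil prints the serial as `7 (0x7)` and the DNs in double quotes."""
    found = {name: re.search(pat, text) for name, pat in (
        ("serial", r"Serial Number:\s*(\d+)"),
        ("issuer", r'Issuer:\s*"([^"]*)"'),
        ("subject", r'Subject:\s*"([^"]*)"'))}
    if not all(found.values()):
        raise ValueError("certutil output lacks Serial/Issuer/Subject")
    return {"serial": int(found["serial"].group(1)),
            "issuer": found["issuer"].group(1),
            "subject": found["subject"].group(1)}


def parse_description(desc):
    """dogtag agent-user description: 2;<serial>;<issuer DN>;<subject DN>.
    DNs contain commas, so split on ';' only, at most three times."""
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % desc)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space), decode
    '::' (base64) attributes to bytes, return {attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if m:
            attr, sep, value = m.groups()
            value = base64.b64decode(value) if sep == "::" else value
            entry.setdefault(attr.lower(), []).append(value)
    return entry


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def norm_dn(dn):
    # Assumption: only whitespace around commas is cosmetic.
    return ",".join(p.strip() for p in dn.strip().split(","))


def check_ipara(certutil_text, pem_text, ldif_text):
    """Return the list of mismatches; an empty list means the entry matches."""
    cert, entry, problems = parse_certutil(certutil_text), parse_ldif(ldif_text), []
    descs = entry.get("description")
    if not descs:
        problems.append("ipara entry has no description attribute")
    else:
        d = descs[0]
        want = parse_description(d.decode() if isinstance(d, bytes) else d)
        if want["serial"] != cert["serial"]:
            problems.append("serial: description says %d, ipaCert is %d"
                            % (want["serial"], cert["serial"]))
        for field in ("issuer", "subject"):
            if norm_dn(want[field]) != norm_dn(cert[field]):
                problems.append("%s: description %r vs ipaCert %r"
                                % (field, want[field], cert[field]))
    certs = entry.get("usercertificate") or entry.get("usercertificate;binary")
    if not certs:
        problems.append("ipara entry has no userCertificate attribute")
    elif pem_to_der(pem_text) not in certs:
        problems.append("userCertificate: no value equals the ipaCert DER")
    return problems


# ---- constructed sample data (placeholder DER, not real certificates) ----
CERTUTIL_LISTING = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=IPA RA,O=EXAMPLE.COM"
"""
IPACERT_DER = bytes(range(120))        # stands in for the current ipaCert
OLD_DER = bytes(range(120, 240))       # stands in for a previous ipaCert


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)))


def ldif_fold(line, width=76):
    """Fold one LDIF line as ldapsearch does: continuations start with a space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def ipara_ldif(serial, der):
    return "\n".join([
        "dn: uid=ipara,ou=people,o=ipaca", "uid: ipara",
        ldif_fold("description: 2;%d;CN=Certificate Authority,O=EXAMPLE.COM;"
                  "CN=IPA RA,O=EXAMPLE.COM" % serial),
        ldif_fold("userCertificate:: " + base64.b64encode(der).decode()), ""])


GOOD_LDIF = ipara_ldif(7, IPACERT_DER)   # entry updated for the current cert
STALE_LDIF = ipara_ldif(6, OLD_DER)      # entry still describing the old cert

if __name__ == "__main__":
    for name, ldif in (("current", GOOD_LDIF), ("stale", STALE_LDIF)):
        print(name, check_ipara(CERTUTIL_LISTING, to_pem(IPACERT_DER), ldif) or "OK")
```

Against a live server, paste the three command outputs in place of the constructed samples; an empty result means the description and userCertificate already agree with ipaCert and the AUTH_FAIL has to be looked for elsewhere (the 389-ds access log, as Rob suggests), while a serial or DER mismatch points at the entry-update step of the cited procedure.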