[Freeipa-users] Certificates missing (was: Re: Services missing in web-ui)
Jochen Hein
jochen at jochen.org
Wed Dec 7 16:54:53 UTC 2016
I'm unsure if it is related to ticket 6397...
Pavel Vomacka <pvomacka at redhat.com> writes:
> it is caused by missing canonical name on services which were created
> in older versions of FreeIPA. Fixed ticket here:
> https://fedorahosted.org/freeipa/ticket/6397 .
Symptom:
In the web UI on 4.3 on Fedora 24 I have 43 certificates,
on the 4.4 replica on CentOS 7.3(CR) I see only 16 certificates.
System history:
Old master is 4.3, upgraded from 4.2. Both replicas are new
with CentOS. Yesterday I moved the CA from 4.3 to a 4.4 IDM.
After that I created a certificate for a new service principal.
I can see the new certificate in both web UIs.
Analysis:
Looking at the ipa cli tool, cert-find is consistent with the web UI:
4.3:
-----------------------------
Number of entries returned 43
-----------------------------
4.4:
--------------------------------------
Anzahl der zurückgegebenen Einträge 16
--------------------------------------
Looking at both LDAP servers, I do find the same number of entries.
I looked at ou=ca,ou=requests,o=ipaca.
So replication seems to work fine (and ipa-replica-manage confirms it).
Right now I have two guesses:
My system is hit with https://fedorahosted.org/freeipa/ticket/6397
I do have some certificates for services, and some for hosts.
So my hope would be that updated packages might fix it.
But analysing the certificates in the web UI is futile:
- On CentOS(freeipa 4.4) the certificate list in web UI only displays
serial number, subject, issuing CA(empty), and status(empty).
That's not quite correct. In the certificate list I can not select
a certificate and can get more details...
4.3 has only serial number, subject, and status, but with valid values.
I can click on the serial number and get more details about the
certificate.
Since I can't see all services in 4.4 due to ticket 6397
more analysis is hard.
- using "ipa cert-show --all" on 4.4 has more info about the
certificates, but on 4.3 it doesn't show more info.
So right now I'm somewhat stuck how to proceed further. 4.3 seems
to be ok, so I hesitate to update the Fedora system to 25 (with IPA 4.4).
I didn't find the files from #6397 to manually apply the patch,
so I'm more or less stuck. Any ideas?
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.