[Freeipa-users] Certificates missing (was: Re: Services missing in web-ui)

Jochen Hein jochen at jochen.org
Wed Dec 7 16:54:53 UTC 2016 

I'm unsure if it is related to ticket 6397...

Pavel Vomacka <pvomacka at redhat.com> writes:

> it is caused by missing canonical name on services which were created
> in older versions of FreeIPA. Fixed ticket here:
> https://fedorahosted.org/freeipa/ticket/6397 .

Symptom:
In the web UI on 4.3 on Fedora 24 I have 43 certificates, 
on the 4.4 replica on CentOS 7.3(CR) I see only 16 certificates.

System history:
Old master is 4.3, upgraded from 4.2. Both replicas are new
with CentOS. Yesterday I moved the CA from 4.3 to a 4.4 IDM.
After that I created a certificate for a new service principal.
I can see the new certificate I can see in both web UIs.

Analysis:
Looking at the ipa cli tool, cert-find is consistent with the web UI:

4.3:
-----------------------------
Number of entries returned 43
-----------------------------

4.4:
--------------------------------------
Anzahl der zurückgegebenen Einträge 16
--------------------------------------

Looking at both LDAP servers, I do find the same number of entries.
I looked at ou=ca,ou=requests,o=ipaca.
So replications seems to work fine (and ipa-replica-manage confirms it).

Right now I have two guesses:

My system is hit with https://fedorahosted.org/freeipa/ticket/6397
I do have some certificates for services, and some for hosts.
So my hope would be that updated packages might fix it.
But analysing the certificates in the web UI is futil:

- On CentOS(freeipa 4.4) the certificate list in web UI only displays
  serial number, subject, issuing CA(empty), and status(empty).
  That's not quite correct. In the certificate list I can not select
  a certificate and can get more details...

  4.3 has only serial number, subject, and status, but with valid values.
  I can click on the serial number and get more details about the
  certficate.

  Since I can't see all services in 4.4 due to ticket 6397
  more analysis is hard.

- using "ipa cert-show --all" on 4.4 has more infos about the
  certificates, but on 4.3 it doesn't show more info. 

So right now I'm somewhat stuck how to proceed further.  4.3 seems
to be ok, so I hesitate to update the fredora system to 25 (with IPA 4.4).

I didn't find the files from #6397 to manually apply the patch,
so I'm more or less stuck.  Any ideas?

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.

More information about the Freeipa-users mailing list