[Freeipa-users] Ipa cert automatic renew Failing.

Florence Blanc-Renaud flo at redhat.com
Thu Dec 22 13:13:52 UTC 2016


On 12/22/2016 01:15 PM, Lucas Diedrich wrote:
> Florence, for some creepy reason the cert from pkidbuser is different
> from subsystem certs, and this pkidbuser is outdated now, but I can't
> manage one way to re-issue it. I had to change the CA server because of
> that, and SELinux in the old CA Server was disabled; on the new one it
> is in Permissive mode but there isn't a warning in /var/log/audit/audit.log.
>
> This is the pkidbuser cert: https://paste.fedoraproject.org/511023/24084431/
> This is the subsystem cert: https://paste.fedoraproject.org/511025/14824085/
> The ca.subsystem.cert matches the pkidbuser cert.
>
> lucasdiedrich.
>
Hi,

you can try to manually call the post-save command that certmonger 
should have issued after putting the certificate in 
/etc/pki/pki-tomcat/alias:
on the renewal master:
$ sudo /usr/libexec/ipa/certmonger/stop_pkicad
$ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"

Then check the journal log that should display the following if 
everything goes well:
$ sudo journalctl --since today | grep renew_ca_cert
[...] renew_ca_cert[6478]: Updating entry uid=CA-ipaserver.domain.com-8443,ou=people,o=ipaca
[...] renew_ca_cert[6478]: Updating entry uid=pkidbuser,ou=people,o=ipaca
[...] renew_ca_cert[6478]: Starting pki_tomcatd
[...] renew_ca_cert[6478]: Started pki_tomcatd

If the operation does not succeed, you will have to check the LDAP 
server logs in /etc/dirsrv/slapd-DOMAIN/access.

HTH,
Flo.

> On Thu, 22 Dec 2016 at 06:54, Florence Blanc-Renaud
> <flo at redhat.com> wrote:
>
>     On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
>     > Hello guys,
>     >
>     > I'm having some trouble; what is happening with my server is that
>     > I'm hitting an old BUG
>     > (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to
>     > mbasti over irc he oriented me to send this to the email list.
>     >
>     > The problem is, I got on CA Master, so because of this problem the CA
>     > Master certificates couldn't be renewed, so now I promoted another
>     > master to be the CA. And the problem still persists.
>     >
>     > These are the certs from my new CA
>     > (https://paste.fedoraproject.org/510617/14823448/),
>     > these are the certs from my old CA
>     > (https://paste.fedoraproject.org/510618/44871148/)
>     > This is the log when I restart pki-tomcat ("CA port 636 Error
>     > netscape.ldap.LDAPException: Authentication failed (49)")
>     > This is the log from dirsrv when I restart pki-tomcat
>     > (https://paste.fedoraproject.org/510614/23446801/)
>     >
>     > Basically my CA is not working anymore...
>     >
>     > Anyway, I tried lots of things but couldn't fix this; does anyone
>     > have some idea?
>     >
>     >
>     Hi,
>
>     Pki-tomcat is using the LDAP server as a data store, meaning that it
>     needs to authenticate to LDAP. In order to do that, pki-tomcat is using
>     the certificate 'subsystemCert cert-pki-ca' stored in
>     /etc/pki/pki-tomcat/alias. For the authentication to succeed, the
>     certificate must be stored in a user entry
>     (uid=pkidbuser,ou=people,o=ipaca).
>
>     Can you check the content of this entry, especially the usercertificate
>     attribute? It should match the certificate used by pki-tomcat:
>
>     $ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
>     -----BEGIN CERTIFICATE-----
>     [...]
>     -----END CERTIFICATE-----
>
>     $ kinit admin
>     $ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
>     dn: uid=pkidbuser,ou=people,o=ipaca
>     usercertificate:: <content should match the output above>
>
>     The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
>     certificate in the directive ca.subsystem.cert.
>
>
>     A possible cause for the entries not being updated is the bug 1366915
>     [1] linked to SE linux on RHEL7, or bug 1365188 [2] linked to SE linux
>     on Fedora 24.
>
>     Flo
>
>     [1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
>     [2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
>
>
>
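The check Florence describes above (the certificate in the NSS database, the usercertificate attribute of uid=pkidbuser,ou=people,o=ipaca, and the ca.subsystem.cert directive in CS.cfg must all be the same certificate) is easy to get wrong by eye because the three commands print the same DER bytes in three different encodings: a PEM block, a base64 LDIF attribute folded across continuation lines, and a single base64 line in CS.cfg. The script below is an added example, not code from the thread or from FreeIPA/Dogtag; it parses each format back to DER and compares SHA-256 fingerprints. The certificate bytes it embeds are constructed placeholders (not a real certificate) so that it runs offline; in practice you would feed it the actual output of the certutil and ldapsearch commands and the contents of CS.cfg.

```python
import base64
import hashlib
import re


def der_from_pem(pem_text: str) -> bytes:
    """Extract the DER body from a PEM block as printed by `certutil -L -a`."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_ldif(ldif_text: str, attr: str = "usercertificate") -> bytes:
    """Extract a base64-valued attribute (written `attr::`) from ldapsearch LDIF.

    LDIF folds long values: continuation lines begin with exactly one space,
    so those lines are glued back onto the previous one before decoding.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    prefix = attr.lower() + "::"
    for line in unfolded:
        if line.lower().startswith(prefix):
            return base64.b64decode(line[len(prefix):].strip())
    raise ValueError(f"{attr} not found in LDIF")


def der_from_cs_cfg(cfg_text: str, directive: str = "ca.subsystem.cert") -> bytes:
    """Extract the base64 value of a `key=value` directive from CS.cfg."""
    for line in cfg_text.splitlines():
        if line.startswith(directive + "="):
            return base64.b64decode(line.split("=", 1)[1].strip())
    raise ValueError(f"{directive} not found in CS.cfg")


def compare_sources(pem_text: str, ldif_text: str, cfg_text: str) -> dict:
    """Return per-source SHA-256 fingerprints and whether all three agree."""
    ders = {
        "nssdb": der_from_pem(pem_text),
        "ldap": der_from_ldif(ldif_text),
        "cs_cfg": der_from_cs_cfg(cfg_text),
    }
    fps = {name: hashlib.sha256(der).hexdigest() for name, der in ders.items()}
    return {"fingerprints": fps, "consistent": len(set(fps.values())) == 1}


# --- constructed sample data (placeholder bytes, NOT real certificates) ---
SAMPLE_DER = bytes(range(256)) * 2            # stands in for the current subsystem cert
STALE_DER = bytes(range(255, -1, -1)) * 2     # stands in for an outdated pkidbuser cert


def make_pem(der: bytes) -> str:
    b = base64.b64encode(der).decode()
    body = "\n".join(b[i:i + 64] for i in range(0, len(b), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def make_ldif(der: bytes) -> str:
    # Fold at 76 columns the way ldapsearch does; continuation lines get one space.
    first = "usercertificate:: " + base64.b64encode(der).decode()
    lines = [first[:76]] + [" " + first[i:i + 75] for i in range(76, len(first), 75)]
    return "dn: uid=pkidbuser,ou=people,o=ipaca\n" + "\n".join(lines) + "\n"


SAMPLE_PEM = make_pem(SAMPLE_DER)
SAMPLE_LDIF = make_ldif(SAMPLE_DER)
STALE_LDIF = make_ldif(STALE_DER)            # LDAP entry never got the renewed cert
SAMPLE_CFG = "ca.subsystem.cert=" + base64.b64encode(SAMPLE_DER).decode() + "\n"

if __name__ == "__main__":
    for label, ldif in (("entry updated", SAMPLE_LDIF), ("entry stale", STALE_LDIF)):
        result = compare_sources(SAMPLE_PEM, ldif, SAMPLE_CFG)
        print(label, "-> consistent:", result["consistent"])
        for name, fp in result["fingerprints"].items():
            print(f"  {name:7s} {fp[:16]}...")
```

When the LDAP entry lags behind (the stale case), the ldap fingerprint differs from the other two, which is exactly the state that produces the "Authentication failed (49)" error on pki-tomcat startup mentioned earlier in the thread: pki-tomcat presents the certificate from the NSS database, but the directory compares it against an old usercertificate value.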