[Freeipa-users] Certificate Issues

Lewis, Adam M CIV NSWCDD, H11 adam.m.lewis at navy.mil
Thu Jul 28 19:02:25 UTC 2016


We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0); however, the CA Subsystem and IPA RA certs will not renew. I've backdated the server to make sure the system was within the renewal window, but that has not helped.

When I run getcert list it reports:
Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
for both the IPA RA and CA Subsystem certs

The debug log shows:
SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.

We are kind of in deep doo-doo until this gets resolved.

We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

Any thoughts?

Thanks!

Adam M. Lewis