[Freeipa-users] Certificate Issues

Rob Crittenden rcritten at redhat.com
Thu Jul 28 19:36:12 UTC 2016


Lewis, Adam M CIV NSWCDD, H11 wrote:
> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0) however the CA Subsystem and IPA RA certs will not renew. I've backdated the server to make sure the system was within the renewal window, but that has not helped.

Those are the wrong instructions.

You want this instead, https://access.redhat.com/solutions/643753

A bunch of it is for 2.2 but it isn't exactly noted which parts. A 
general rule is that you don't/shouldn't need to directly tweak the 
dogtag configuration or do any of the start-tracking work (though you 
may want to verify what, if anything, you changed from that wrong doc).

> When I run getcert list it reports:
> Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
> for both the IPA RA and CA Subsystem certs
>
> The debug log shows:
> SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
> ReviewReqServlet: Invalid Credential.

The place to start is to get the serial # of the ipaCert:

# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

Now get the user from the dogtag LDAP server:

# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b 
uid=ipara,ou=People,o=ipaca description

The format is 2;<serial number>;<issuer subject>;<subject>

See if the serial # matches ipaCert. I'm guessing it won't. Follow the 
instructions on the page I cited to update the entry with the current 
certificate and serial # values. That should get you going.

rob

>
> We are kind of in deep doo-doo until this gets resolved.
>
> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>
> Any thoughts?
>
> Thanks!
>
> Adam M. Lewis
>
>
>
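The check Rob describes above (compare the serial of ipaCert in the httpd NSS database with the serial recorded in the `2;<serial>;<issuer>;<subject>` description of uid=ipara,ou=People,o=ipaca) as a small POSIX shell script. This is an added example, not code from the thread or from FreeIPA; the certutil and ldapsearch output below is constructed sample data (serials 268369927 and 7, realm EXAMPLE.TEST) so it runs offline, and the parsing assumes the single-line `Serial Number: <decimal> (<hex>)` form that certutil prints for small serials.

```shell
#!/bin/sh
# Added example: does the serial in the uid=ipara entry match the current ipaCert?
# On a live server the two helpers take the real command output:
#   certutil -L -d /etc/httpd/alias -n ipaCert | serial_from_certutil
#   ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W \
#       -b uid=ipara,ou=People,o=ipaca description | serial_from_ipara

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert` (partial).
SAMPLE_CERTUTIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 268369927 (0xfff0007)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

# Constructed sample of the ldapsearch result for the ipara entry.
# description format: 2;<serial number>;<issuer subject>;<subject>
SAMPLE_LDAP='dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'

# ldif_unwrap: join LDIF continuation lines (a leading space) back onto the
# previous line, since ldapsearch wraps long attribute values at 76 columns.
ldif_unwrap() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# serial_from_certutil: decimal serial from certutil -L output on stdin.
# (Very large serials are printed by certutil as hex bytes on the following
# line; that form is not handled here.)
serial_from_certutil() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1
}

# serial_from_ipara: second ;-separated field of the description attribute
# of the ipara entry on stdin.
serial_from_ipara() {
    ldif_unwrap | sed -n 's/^description: //p' | head -n 1 | cut -d';' -f2
}

# check_ipara CERTUTIL_OUTPUT LDAP_OUTPUT
# Returns 0 on match, 1 on mismatch, 2 when a serial could not be parsed.
check_ipara() {
    cert_serial=$(printf '%s\n' "$1" | serial_from_certutil)
    ldap_serial=$(printf '%s\n' "$2" | serial_from_ipara)
    if [ -z "$cert_serial" ] || [ -z "$ldap_serial" ]; then
        echo "could not parse a serial (cert='$cert_serial' ldap='$ldap_serial')"
        return 2
    fi
    if [ "$cert_serial" = "$ldap_serial" ]; then
        echo "OK: ipaCert serial $cert_serial matches the uid=ipara description"
        return 0
    fi
    echo "MISMATCH: ipaCert serial is $cert_serial but uid=ipara records $ldap_serial"
    return 1
}

# Run against the constructed samples; the ipara entry here is stale (7 vs
# 268369927), which is exactly the state Rob expects after a CA renewal.
status=0
check_ipara "$SAMPLE_CERTUTIL" "$SAMPLE_LDAP" || status=$?
```

A mismatch means the uid=ipara entry still carries the serial of the old certificate, so dogtag's certUserDBAuthMgr cannot map the renewed IPA RA cert to the agent user, which is the AUTH_FAIL seen in the debug log; the fix is to update the entry as in the Red Hat solution Rob links, not to touch the renewal tracking.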
