[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

Tomasz Torcz tomek at pipebreaker.pl
Sat Jun 25 19:21:24 UTC 2016


On Wed, Jun 22, 2016 at 05:01:55PM +0200, Youenn PIOLET wrote:
> Hi,

  Hello Youenn,

> 
> Can you provide the output of :
> certutil -L -d /etc/dirsrv/slapd-<your domain>/ on replicas that can't
> start the PKI?
> Your CA Cert attributes should be CT,C,C

---
$ certutil -L -d /etc/dirsrv/slapd-PIPEBREAKER-PL/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
PIPEBREAKER.PL IPA CA                                        CT,C,
---

Last 'C' is missing; according to the certutil manpage, this is for "object signing".

> 
> I experience the same issue as you every two replica I install. The fix is :
> certutil -d /etc/dirsrv/slapd-<your domain>/ -A -t "CT,C,C" -n "<YOUR
> DOMAIN> IPA CA" -i /etc/ipa/ca.crt

  After this command, the output is now:
PIPEBREAKER.PL IPA CA                                        CT,C,C



> and restart ipa server.

It seems the error message changed; now it's "Subsystem unavailable":

---
Jun 25 20:29:35 okda.pipebreaker.pl server[846021]: Jun 25, 2016 8:29:35 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm at 3e8fa209 background process
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:130)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:     at java.lang.Thread.run(Thread.java:745)
---

> https://www.redhat.com/archives/freeipa-users/2013-August/msg00088.html
> 
> Can you also provide the following line of the file generated by following
> commands:
> 
> $ ipa certprofile-show --out /tmp/caIPAserviceCert.cfg caIPAserviceCert

  This command creates a 0-length file. I had kinited as admin before invoking the command:

---
…
ipa: INFO: trying https://okda.pipebreaker.pl/ipa/json
ipa: DEBUG: NSSConnection init okda.pipebreaker.pl
ipa: DEBUG: Connecting: 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL"
ipa: DEBUG: handshake complete, peer = 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: received Set-Cookie 'ipa_session=2906766f27c485b00049c51a0ca7d86a; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:54 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=2906766f27c485b00049c51a0ca7d86a; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:54 GMT; Secure; HttpOnly' for principal admin at PIPEBREAKER.PL
ipa: DEBUG: Created connection context.rpcclient_140035796262032
ipa: DEBUG: raw: certprofile_show(u'caIPAserviceCert', rights=False, out=u'/tmp/caIPAserviceCert.cfg', all=False, raw=False, version=u'2.164')
ipa: DEBUG: certprofile_show(u'caIPAserviceCert', rights=False, out=u'/tmp/caIPAserviceCert.cfg', all=False, raw=False, version=u'2.164')
ipa: INFO: Forwarding 'certprofile_show' to json server 'https://okda.pipebreaker.pl/ipa/json'
ipa: DEBUG: NSSConnection init okda.pipebreaker.pl
ipa: DEBUG: Connecting: 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL"
ipa: DEBUG: handshake complete, peer = 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: received Set-Cookie 'ipa_session=c6b47d5eb7a504b7ab629a2111dec4f3; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:56 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=c6b47d5eb7a504b7ab629a2111dec4f3; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:56 GMT; Secure; HttpOnly' for principal admin at PIPEBREAKER.PL
ipa: DEBUG: Destroyed connection context.rpcclient_140035796262032
ipa: ERROR: Failed to authenticate to CA REST API
---

> $ grep policyset.serverCertSet.1.default.params.name /tmp/caIPAserviceCert.cfg




-- 
Tomasz Torcz                "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl    in the afternoon and evening." - Alan Cox
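The trust-attribute check the thread describes (the IPA CA entry in the 389-ds NSS database must read "CT,C,C", and a missing object-signing "C" is the symptom), as an added example that is not part of the original message: a small POSIX sh checker run over two constructed `certutil -L` listings modelled on the ones quoted above. The nickname and listings are constructed sample data; on a real replica the function would be fed the output of `certutil -L -d /etc/dirsrv/slapd-<your domain>/`.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the IPA CA entry in a
# `certutil -L` listing carries the full "CT,C,C" trust flags.
# Both listings below are constructed from the output quoted in the mail.

# Constructed sample: the broken replica (object-signing "C" missing on the CA).
BROKEN_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
PIPEBREAKER.PL IPA CA                                        CT,C,
'

# Constructed sample: the same database after `certutil -A -t "CT,C,C" ...`.
FIXED_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
PIPEBREAKER.PL IPA CA                                        CT,C,C
'

# ca_trust_flags LISTING NICKNAME
# Prints the trust-attribute field (last token) of the line whose nickname
# matches NICKNAME exactly (nicknames may contain spaces); prints nothing if absent.
ca_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF
            sub(/[[:space:]]+[^[:space:]]+$/, "", $0)  # drop the trailing flags column
            sub(/^[[:space:]]+/, "", $0)               # drop leading indentation
            if ($0 == nick) { print flags; exit }
        }'
}

# check_ca_trust LISTING NICKNAME
# Returns 0 when the SSL field holds both C (trusted CA) and T (trusted to issue
# client certs) and the S/MIME and object-signing fields each hold C; else 1.
check_ca_trust() {
    flags=$(ca_trust_flags "$1" "$2")
    [ -n "$flags" ] || return 1
    ssl=${flags%%,*}
    rest=${flags#*,}
    smime=${rest%%,*}
    objsign=${rest#*,}
    case "$ssl" in *C*T*|*T*C*) ;; *) return 1 ;; esac
    case "$smime" in *C*) ;; *) return 1 ;; esac
    case "$objsign" in *C*) ;; *) return 1 ;; esac
}
```

An empty third field, as in the "CT,C," line, is exactly what makes `check_ca_trust` fail on the broken listing.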