[Freeipa-users] PKI Authentication Issues

Petr Vobornik pvoborni at redhat.com
Wed Mar 23 16:31:20 UTC 2016


On 03/23/2016 03:50 PM, Sam James wrote:
> Hello everyone,
>
> I've been banging my head against the wall for a few days now trying to resolve
> an issue with PKI and I'm hoping I might get some help.  First some context.
>
> About a week ago I was alerted that all of our replicas were offline due to
> pki-tomcatd not starting.  Further investigation determined that all of the pki
> certs had expired two days earlier.  I turned back time and successfully updated
> the certs and certmonger updated the rest of the replicas.
>
> Now I'm seeing the following symptoms:
> 1.  Searching certificates via the web UI will display certificate info.
> 2.  Attempting to view certificate details results in an "IPA Error 4301:
> CertificateOperationError" the exception being "Invalid Credential.".
> 3.  Issuing the ipa cert-show command results in the same "Invalid Credential."
> exception.
> 4.  PKI debug log shows:  SignedAuditEventFactory: create()
> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
> RA,O=DOMAIN.COM] authentication failure
> 5.  PKI system log shows: Cannot authenticate agent with certificate Serial
> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User
> not found.

PKI has some built-in accounts which use certificates for 
authentication. It matches a user by a certificate. The error above 
means that it cannot find any user for the cert with serial no. 0x123456789.

So the possible cause is that the user you checked 
(uid=ipara,ou=people,o=ipaca) still has the old cert. I.e., you've updated 
the description, but is the cert correct?

>
> In trolling this list I've done the following things troubleshooting:
>
> 1.  Ensured the certs being monitored by certmonger are correct.
> 2.  Ensured the certs in the http and pki-tomcat NSS databases are as expected.
> 3.  Ensured the uid=ipara,ou=people,o=ipaca object has the correct description
> and cert (it had the wrong serial number in the description but I've updated that).
> 4.  Ensured the CS.cfg has the correct certs (it did).
>
> Any suggestions or assistance would be appreciated.
>
> Thanks!
> Sam
>
-- 
Petr Vobornik
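The check Petr is asking for, written out as an added example (it is not code from the thread, FreeIPA or Dogtag): the agent is looked up by the certificate it presents, so the serial of the cert in the HTTP NSS database, the serial inside the `userCertificate` attribute of `uid=ipara,ou=people,o=ipaca`, and the serial in that entry's `description` must all agree. The script assumes the Dogtag `description` format `2;<serial>;<issuer DN>;<subject DN>`, uses a constructed `fake_der_cert` stand-in (correct DER framing down to `serialNumber`, nothing after it) instead of real certificates, and constructs the LDIF entry and the serial `0x100000001` for the expired cert; `0x123456789` is the serial from the "User not found" log line above.

```python
import base64
import re

# --- minimal DER walk: just enough to pull serialNumber out of an X.509 cert ---

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der_serial(der):
    """Return the serialNumber of a DER-encoded X.509 certificate as an int."""
    tag, pos, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)               # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                            # [0] EXPLICIT version is optional; skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:                            # serialNumber ::= INTEGER
        raise ValueError("missing serialNumber")
    return int.from_bytes(der[start:end], "big", signed=True)

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def parse_ldif_entry(ldif):
    """Tiny LDIF reader: unfold continuation lines, decode '::' base64 values."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
        value = base64.b64decode(value) if sep == "::" else value
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def check_ra_agent(ldif, agent_pem):
    """Compare the three places the agent's serial must agree: the description
    (assumed Dogtag format '2;<serial>;<issuer DN>;<subject DN>'), userCertificate
    in the same LDAP entry, and the certificate the agent actually presents."""
    entry = parse_ldif_entry(ldif)
    desc_serial = int(entry["description"][0].split(";")[1])
    ldap_serial = der_serial(entry["usercertificate;binary"][0])
    agent_serial = der_serial(pem_to_der(agent_pem))
    return {
        "description": desc_serial,
        "usercertificate": ldap_serial,
        "agent_cert": agent_serial,
        "consistent": desc_serial == ldap_serial == agent_serial,
    }

# --- constructed sample data (not from the thread; stand-ins for real certs) ---

def fake_der_cert(serial):
    """Constructed stand-in for a DER certificate: correct framing down to
    serialNumber (Certificate > tbsCertificate > [0] version, INTEGER), nothing after."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # keeps sign bit clear
    tbs_body = b"\xa0\x03\x02\x01\x02" + b"\x02" + bytes([len(ser)]) + ser
    tbs = b"\x30" + bytes([len(tbs_body)]) + tbs_body
    return b"\x30" + bytes([len(tbs)]) + tbs

def fake_pem(serial):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(fake_der_cert(serial)).decode()
            + "\n-----END CERTIFICATE-----\n")

AGENT_SERIAL = 0x123456789      # serial quoted in the "User not found" log line
OLD_SERIAL = 0x100000001        # constructed: serial of the expired cert still in LDAP

def ipara_ldif(desc_serial, cert_serial):
    """Constructed ldapsearch-style LDIF for the RA agent entry."""
    return (
        "dn: uid=ipara,ou=people,o=ipaca\n"
        "uid: ipara\n"
        "description: 2;%d;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM\n"
        "userCertificate;binary:: %s\n"
        % (desc_serial, base64.b64encode(fake_der_cert(cert_serial)).decode())
    )

AGENT_PEM = fake_pem(AGENT_SERIAL)
STALE_ENTRY = ipara_ldif(AGENT_SERIAL, OLD_SERIAL)    # description fixed, cert not
FRESH_ENTRY = ipara_ldif(AGENT_SERIAL, AGENT_SERIAL)  # both updated

if __name__ == "__main__":
    for label, ldif in (("stale", STALE_ENTRY), ("fresh", FRESH_ENTRY)):
        print(label, check_ra_agent(ldif, AGENT_PEM))
```

With real data, feed `check_ra_agent` the output of `ldapsearch -x -D "cn=Directory Manager" -W -b "uid=ipara,ou=people,o=ipaca"` and the PEM from `certutil -L -d /etc/httpd/alias -n ipaCert -a` (assuming the deployment keeps the RA agent cert under that nickname in the HTTP NSS database, as FreeIPA did at the time of this thread). A `consistent: False` result with `description` matching `agent_cert` but `usercertificate` lagging behind is exactly the state Petr suspects: the description was edited, but the binary certificate the CA matches on was not.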
