[Freeipa-users] PKI Authentication Issues
Sam James
samuel.joseph.james at gmail.com
Wed Mar 23 18:00:15 UTC 2016
Yes the cert is correct. The userCertificate field matches the output of
"certutil -L -d /etc/httpd/alias/ -n ipaCert -a" with the header and footer
removed, and the serial number matches as well albeit in decimal instead of
hex.
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA, O=DOMAIN.COM
userCertificate:: <cert here>
userstate: 1
uid: ipara
sn: ipara
usertype: agentType
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: ipara
On Wed, Mar 23, 2016 at 4:31 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
> On 03/23/2016 03:50 PM, Sam James wrote:
>
>> Hello everyone,
>>
>> I've been banging my head against the wall for a few days now trying to
>> resolve an issue with PKI and I'm hoping I might get some help. First some
>> context.
>>
>> About a week ago I was alerted that all of our replicas were offline due
>> to pki-tomcatd not starting. Further investigation determined that all of
>> the pki certs had expired two days earlier. I turned back time and
>> successfully updated the certs and certmonger updated the rest of the
>> replicas.
>>
>> Now I'm seeing the following symptoms:
>> 1. Searching certificates via the web UI will display certificate info.
>> 2. Attempting to view certificate details results in an "IPA Error 4301:
>> CertificateOperationError", the exception being "Invalid Credential.".
>> 3. Issuing the ipa cert-show command results in the same "Invalid
>> Credential." exception.
>> 4. PKI debug log shows: SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=DOMAIN.COM] authentication failure
>> 5. PKI system log shows: Cannot authenticate agent with certificate Serial
>> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.
>>
>
> PKI has some built-in accounts which use certificates for authentication.
> It matches a user by a certificate. The error above means that it cannot
> find any user for the cert with serial no 0x123456789.
>
> So the possible cause is that the user you checked
> (uid=ipara,ou=people,o=ipaca) still has the old cert. I.e. you've updated
> the description, but is the cert correct?
>
>> In trolling this list I've done the following troubleshooting:
>>
>> 1. Ensured the certs being monitored by certmonger are correct.
>> 2. Ensured the certs in the http and pki-tomcat NSS databases are as
>> expected.
>> 3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct
>> description and cert (it had the wrong serial number in the description
>> but I've updated that).
>> 4. Ensured the CS.cfg has the correct certs (it did).
>>
>> Any suggestions or assistance would be appreciated.
>>
>> Thanks!
>> Sam
>>
>> --
> Petr Vobornik
>
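The lookup Petr describes (agent matched by the userCertificate stored on the cmsuser entry) and the check Sam ran by hand (description serial in decimal versus the serial of the cert actually stored), as an added Python example that is not part of this thread; the entries, the minimal DER blobs and the exact-match rule are constructed assumptions, not Dogtag's own code.

```python
import base64
# Added example, not from the thread: a simplified model of the lookup Petr describes (the agent
# is the cmsuser whose userCertificate equals the presented cert) plus a check that the entry's
# description ("<ver>;<serial, decimal>;<issuer>;<subject>") names the cert actually stored.

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos (definite length only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der):
    """serialNumber of a DER X.509 cert: Certificate > tbsCertificate > [version] > INTEGER."""
    tag, tbs, _ = der_tlv(der, 0)                  # outer Certificate SEQUENCE
    if tag != 0x30: raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_tlv(der, tbs)                # tbsCertificate SEQUENCE
    if tag != 0x30: raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = der_tlv(der, pos)
    if tag == 0xA0:                                # EXPLICIT [0] version; absent in v1 certs
        tag, start, end = der_tlv(der, end)
    if tag != 0x02: raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)

def find_agent(entries, presented_der):
    """uid of the entry whose userCertificate equals the presented cert; None = "User not found"."""
    for e in entries:
        if base64.b64decode(e["userCertificate"]) == presented_der:
            return e["uid"]
    return None

def audit_entry(entry):
    """Findings for one cmsuser entry: description serial vs. serial of the stored cert."""
    desc_serial = int(entry["description"].split(";")[1])
    actual = cert_serial(base64.b64decode(entry["userCertificate"]))
    if actual == desc_serial:
        return []
    return [f"description serial {desc_serial} != certificate serial {actual} (0x{actual:X})"]

def ldap_entry(uid, der, description):
    """Constructed stand-in for an LDAP cmsuser entry (userCertificate is base64 DER)."""
    return {"uid": uid, "userCertificate": base64.b64encode(der).decode(), "description": description}

# Constructed minimal DER (version + serialNumber only); 0x123456789 is the serial from the thread.
NEW_CERT = bytes.fromhex("300E300CA003020102" "02050123456789")
OLD_CERT = bytes.fromhex("300E300CA003020102" "02050123456788")
IPARA = ldap_entry("ipara", OLD_CERT,            # description updated, cert still the old one
                   "2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA, O=DOMAIN.COM")
```

With the stale entry, `find_agent([IPARA], NEW_CERT)` returns None (the "User not found" case) and `audit_entry(IPARA)` reports the serial mismatch; after the entry is rebuilt with NEW_CERT both checks pass.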