[Freeipa-users] CA not found?
Fraser Tweedale
ftweedal at redhat.com
Thu Feb 9 22:06:22 UTC 2017
On Thu, Feb 09, 2017 at 09:29:14AM -0500, Guillermo Fuentes wrote:
> Hi list,
>
> I'm trying to sign a service certificate but it's failing with "CA not found".
> The CA does exist but for some reason the ipa cert-request can't find it:
> $ ipa ca-show ipa
> Name: ipa
> Description: IPA CA
> Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
> Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
>
> This was working in previous versions of freeipa but in our current
> environment isn't working:
> Cluster of four FreeIPA servers
> CentOS Linux release 7.3.1611 (Core)
> ipa-client-common-4.4.0-14.el7.centos.4.noarch
> ipa-client-4.4.0-14.el7.centos.4.x86_64
> ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
> ipa-server-trust-ad-4.4.0-14.el7.centos.4.x86_64
> ipa-server-4.4.0-14.el7.centos.4.x86_64
> ipa-admintools-4.4.0-14.el7.centos.4.noarch
> ipa-server-common-4.4.0-14.el7.centos.4.noarch
> ipa-common-4.4.0-14.el7.centos.4.noarch
> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
> 389-ds-base-1.3.5.10-15.el7_3.x86_64
> 389-ds-base-libs-1.3.5.10-15.el7_3.x86_64
> 389-ds-base-snmp-1.3.5.10-15.el7_3.x86_64
> 389-ds-base-debuginfo-1.3.4.0-30.el7_2.x86_64
> pki-base-java-10.3.3-16.el7_3.noarch
> pki-base-10.3.3-16.el7_3.noarch
> pki-server-10.3.3-16.el7_3.noarch
> pki-ca-10.3.3-16.el7_3.noarch
> pki-symkey-10.3.3-16.el7_3.x86_64
> pki-kra-10.3.3-16.el7_3.noarch
> pki-tools-10.3.3-16.el7_3.x86_64
> krb5-libs-1.14.1-27.el7_3.x86_64
> python-krbV-1.0.90-8.el7.x86_64
> pam_krb5-2.4.8-6.el7.x86_64
> krb5-workstation-1.14.1-27.el7_3.x86_64
> krb5-pkinit-1.14.1-27.el7_3.x86_64
> sssd-krb5-common-1.14.0-43.el7_3.11.x86_64
> krb5-server-1.14.1-27.el7_3.x86_64
> sssd-krb5-1.14.0-43.el7_3.11.x86_64
>
> ***********
> This is the error (same result in all four servers):
> $ ipa cert-request --principal=HTTP/host1.example.com host1.example.com.csr
> ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not
> found: 0cb513ea-6084-4144-a61c-7a0a8368d25c)
>
> ***********
> >From /var/log/pki/pki-tomcat/ca/debug:
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> CMSServlet:service() uri = /ca/eeca/ca/profileSubmitSSLClient
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> CMSServlet::service() param name='xml' value='true'
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> CMSServlet::service() param name='profileId' value='caIPAserviceCert'
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> CMSServlet::service() param name='authorityId'
> value='0cb513ea-6084-4144-a61c-7a0a8368d25c'
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> CMSServlet::service() param name='cert_request' value='(sensitive)'
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> CMSServlet::service() param name='cert_request_type' value='pkcs10'
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
> caProfileSubmitSSLClient start to service.
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: xmlOutput true
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> ProfileSubmitServlet: isRenewal false
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: according to
> ccMode, authorization for servlet: caProfileSubmit is LDAP based, not
> XML {1}, use default authz mgr: {2}.
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> ProfileSubmitServlet: profile: caIPAserviceCert
> CA not found: 0cb513ea-6084-4144-a61c-7a0a8368d25c
> at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:239)
> at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
> at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at sun.reflect.GeneratedMethodAccessor71.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> ProfileSubmitServlet: error in processing request: CA not found:
> 0cb513ea-6084-4144-a61c-7a0a8368d25c
> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
> curDate=Tue Feb 07 23:45:49 EST 2017 id=caProfileSubmitSSLClient
> time=8
> ***************
>
> Any idea why this is happening?
> It's using the caIPAserviceCert certificate profile which should be
> fine. I also checked and "played" with the
> hosts_services_caIPAserviceCert CA ACL with the same results.
>
> Thanks in advance!
>
> Guillermo
>
Was the server upgraded/migrated from an older release, or a new
installation?
Could you please `ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca'
and provide output?
Thanks,
Fraser
More information about the Freeipa-users
mailing list