[Freeipa-users] CA not found?
Guillermo Fuentes
guillermo.fuentes at modernizingmedicine.com
Thu Feb 9 23:27:12 UTC 2017
Hi Fraser,
The cluster was migrated from FreeIPA 3 (CentOS 6) to FreeIPA 4
(CentOS 7) a year ago.
- Output of 'ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca':
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
- Output providing GSSAPI mechanism:
$ ldapsearch -Y GSSAPI -s sub -b ou=authorities,ou=ca,o=ipaca
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (Server
ldap/localhost at EXAMPLE.COM not found in Kerberos database)
- Output providing user credentials:
$ ldapsearch -D "uid=user1,cn=users,cn=accounts,dc=example,dc=com" -W
-H ldaps://`hostname` -s sub -b ou=authorities,ou=ca,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=authorities,ou=ca,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Thanks for your help!
Guillermo
On Thu, Feb 9, 2017 at 5:06 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> On Thu, Feb 09, 2017 at 09:29:14AM -0500, Guillermo Fuentes wrote:
>> Hi list,
>>
>> I'm trying to sign a service certificate but it's failing with "CA not found".
>> The CA does exist but for some reason the ipa cert-request can't find it:
>> $ ipa ca-show ipa
>> Name: ipa
>> Description: IPA CA
>> Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>> Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
>> Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> This was working in previous versions of freeipa but in our current
>> environment isn't working:
>> Cluster of four FreeIPA servers
>> CentOS Linux release 7.3.1611 (Core)
>> ipa-client-common-4.4.0-14.el7.centos.4.noarch
>> ipa-client-4.4.0-14.el7.centos.4.x86_64
>> ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
>> ipa-server-trust-ad-4.4.0-14.el7.centos.4.x86_64
>> ipa-server-4.4.0-14.el7.centos.4.x86_64
>> ipa-admintools-4.4.0-14.el7.centos.4.noarch
>> ipa-server-common-4.4.0-14.el7.centos.4.noarch
>> ipa-common-4.4.0-14.el7.centos.4.noarch
>> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
>> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
>> 389-ds-base-1.3.5.10-15.el7_3.x86_64
>> 389-ds-base-libs-1.3.5.10-15.el7_3.x86_64
>> 389-ds-base-snmp-1.3.5.10-15.el7_3.x86_64
>> 389-ds-base-debuginfo-1.3.4.0-30.el7_2.x86_64
>> pki-base-java-10.3.3-16.el7_3.noarch
>> pki-base-10.3.3-16.el7_3.noarch
>> pki-server-10.3.3-16.el7_3.noarch
>> pki-ca-10.3.3-16.el7_3.noarch
>> pki-symkey-10.3.3-16.el7_3.x86_64
>> pki-kra-10.3.3-16.el7_3.noarch
>> pki-tools-10.3.3-16.el7_3.x86_64
>> krb5-libs-1.14.1-27.el7_3.x86_64
>> python-krbV-1.0.90-8.el7.x86_64
>> pam_krb5-2.4.8-6.el7.x86_64
>> krb5-workstation-1.14.1-27.el7_3.x86_64
>> krb5-pkinit-1.14.1-27.el7_3.x86_64
>> sssd-krb5-common-1.14.0-43.el7_3.11.x86_64
>> krb5-server-1.14.1-27.el7_3.x86_64
>> sssd-krb5-1.14.0-43.el7_3.11.x86_64
>>
>> ***********
>> This is the error (same result in all four servers):
>> $ ipa cert-request --principal=HTTP/host1.example.com host1.example.com.csr
>> ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not
>> found: 0cb513ea-6084-4144-a61c-7a0a8368d25c)
>>
>> ***********
>> >From /var/log/pki/pki-tomcat/ca/debug:
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> CMSServlet:service() uri = /ca/eeca/ca/profileSubmitSSLClient
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> CMSServlet::service() param name='xml' value='true'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> CMSServlet::service() param name='profileId' value='caIPAserviceCert'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> CMSServlet::service() param name='authorityId'
>> value='0cb513ea-6084-4144-a61c-7a0a8368d25c'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> CMSServlet::service() param name='cert_request' value='(sensitive)'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> CMSServlet::service() param name='cert_request_type' value='pkcs10'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
>> caProfileSubmitSSLClient start to service.
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: xmlOutput true
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> ProfileSubmitServlet: isRenewal false
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: according to
>> ccMode, authorization for servlet: caProfileSubmit is LDAP based, not
>> XML {1}, use default authz mgr: {2}.
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> ProfileSubmitServlet: profile: caIPAserviceCert
>> CA not found: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>> at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:239)
>> at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
>> at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> at sun.reflect.GeneratedMethodAccessor71.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
>> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
>> ProfileSubmitServlet: error in processing request: CA not found:
>> 0cb513ea-6084-4144-a61c-7a0a8368d25c
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
>> curDate=Tue Feb 07 23:45:49 EST 2017 id=caProfileSubmitSSLClient
>> time=8
>> ***************
>>
>> Any idea why this is happening?
>> It's using the caIPAserviceCert certificate profile which should be
>> fine. I also checked and "played" with the
>> hosts_services_caIPAserviceCert CA ACL with the same results.
>>
>> Thanks in advance!
>>
>> Guillermo
>>
> Was the server upgraded/migrated from an older release, or a new
> installation?
>
> Could you please `ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca'
> and provide output?
>
> Thanks,
> Fraser
--
GUILLERMO FUENTES
SENIOR SYSTEMS ADMINISTRATOR
T: 561-880-2998 x1337
E: guillermo.fuentes at modmed.com
More information about the Freeipa-users
mailing list