[Freeipa-users] CA not found?

Fraser Tweedale ftweedal at redhat.com
Thu Feb 9 23:52:14 UTC 2017


On Thu, Feb 09, 2017 at 06:27:12PM -0500, Guillermo Fuentes wrote:
> Hi Fraser,
> 
> The cluster was migrated from FreeIPA 3 (CentOS 6) to FreeIPA 4
> (CentOS 7) a year ago.
> 
> - Output of 'ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca':
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> 
> - Output providing GSSAPI mechanism:
> $ ldapsearch -Y GSSAPI -s sub -b ou=authorities,ou=ca,o=ipaca
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (Server
> ldap/localhost at EXAMPLE.COM not found in Kerberos database)
> 
> - Output providing user credentials:
> $ ldapsearch -D "uid=user1,cn=users,cn=accounts,dc=example,dc=com" -W
> -H ldaps://`hostname` -s sub -b ou=authorities,ou=ca,o=ipaca
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=authorities,ou=ca,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> 
> 
> Thanks for your help!
> Guillermo
> 
What happens when you run the ldapsearch as Directory Manager, i.e.:

  ldapsearch -D "cn=Directory Manager" -w <dm-password> \
    -s sub -b ou=authorities,ou=ca,o=ipaca

Could you run `ipa-server-upgrade` and send log file
/var/log/ipaupgrade.log ?

Could you please restart the server and attach the resulting portion
of log file /var/log/pki/pki-tomcat/ca/debug ?

Thanks,
Fraser

> On Thu, Feb 9, 2017 at 5:06 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> > On Thu, Feb 09, 2017 at 09:29:14AM -0500, Guillermo Fuentes wrote:
> >> Hi list,
> >>
> >> I'm trying to sign a service certificate but it's failing with "CA not found".
> >> The CA does exist but for some reason the ipa cert-request can't find it:
> >> $ ipa ca-show ipa
> >>  Name: ipa
> >>  Description: IPA CA
> >>  Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
> >>  Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
> >>  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
> >>
> >> This was working in previous versions of freeipa but in our current
> >> environment isn't working:
> >> Cluster of four FreeIPA servers
> >> CentOS Linux release 7.3.1611 (Core)
> >> ipa-client-common-4.4.0-14.el7.centos.4.noarch
> >> ipa-client-4.4.0-14.el7.centos.4.x86_64
> >> ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
> >> ipa-server-trust-ad-4.4.0-14.el7.centos.4.x86_64
> >> ipa-server-4.4.0-14.el7.centos.4.x86_64
> >> ipa-admintools-4.4.0-14.el7.centos.4.noarch
> >> ipa-server-common-4.4.0-14.el7.centos.4.noarch
> >> ipa-common-4.4.0-14.el7.centos.4.noarch
> >> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
> >> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
> >> 389-ds-base-1.3.5.10-15.el7_3.x86_64
> >> 389-ds-base-libs-1.3.5.10-15.el7_3.x86_64
> >> 389-ds-base-snmp-1.3.5.10-15.el7_3.x86_64
> >> 389-ds-base-debuginfo-1.3.4.0-30.el7_2.x86_64
> >> pki-base-java-10.3.3-16.el7_3.noarch
> >> pki-base-10.3.3-16.el7_3.noarch
> >> pki-server-10.3.3-16.el7_3.noarch
> >> pki-ca-10.3.3-16.el7_3.noarch
> >> pki-symkey-10.3.3-16.el7_3.x86_64
> >> pki-kra-10.3.3-16.el7_3.noarch
> >> pki-tools-10.3.3-16.el7_3.x86_64
> >> krb5-libs-1.14.1-27.el7_3.x86_64
> >> python-krbV-1.0.90-8.el7.x86_64
> >> pam_krb5-2.4.8-6.el7.x86_64
> >> krb5-workstation-1.14.1-27.el7_3.x86_64
> >> krb5-pkinit-1.14.1-27.el7_3.x86_64
> >> sssd-krb5-common-1.14.0-43.el7_3.11.x86_64
> >> krb5-server-1.14.1-27.el7_3.x86_64
> >> sssd-krb5-1.14.0-43.el7_3.11.x86_64
> >>
> >> ***********
> >> This is the error (same result in all four servers):
> >> $ ipa cert-request --principal=HTTP/host1.example.com host1.example.com.csr
> >> ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not
> >> found: 0cb513ea-6084-4144-a61c-7a0a8368d25c)
> >>
> >> ***********
> >> From /var/log/pki/pki-tomcat/ca/debug:
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> CMSServlet:service() uri = /ca/eeca/ca/profileSubmitSSLClient
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> CMSServlet::service() param name='xml' value='true'
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> CMSServlet::service() param name='profileId' value='caIPAserviceCert'
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> CMSServlet::service() param name='authorityId'
> >> value='0cb513ea-6084-4144-a61c-7a0a8368d25c'
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> CMSServlet::service() param name='cert_request' value='(sensitive)'
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> CMSServlet::service() param name='cert_request_type' value='pkcs10'
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
> >> caProfileSubmitSSLClient start to service.
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: xmlOutput true
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> ProfileSubmitServlet: isRenewal false
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: according to
> >> ccMode, authorization for servlet: caProfileSubmit is LDAP based, not
> >> XML {1}, use default authz mgr: {2}.
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> ProfileSubmitServlet: profile: caIPAserviceCert
> >> CA not found: 0cb513ea-6084-4144-a61c-7a0a8368d25c
> >>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:239)
> >>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
> >>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
> >>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> >>         at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
> >>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>         at java.lang.reflect.Method.invoke(Method.java:498)
> >>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >>         at java.security.AccessController.doPrivileged(Native Method)
> >>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
> >>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> >>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> >>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> >>         at java.security.AccessController.doPrivileged(Native Method)
> >>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> >>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> >>         at sun.reflect.GeneratedMethodAccessor71.invoke(Unknown Source)
> >>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>         at java.lang.reflect.Method.invoke(Method.java:498)
> >>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >>         at java.security.AccessController.doPrivileged(Native Method)
> >>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
> >>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
> >>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> >>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> >>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> >>         at java.security.AccessController.doPrivileged(Native Method)
> >>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> >>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> >>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> >>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
> >>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
> >>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> >>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
> >>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> >>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
> >>         at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
> >>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
> >>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> >>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >>         at java.lang.Thread.run(Thread.java:745)
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
> >> ProfileSubmitServlet: error in processing request: CA not found:
> >> 0cb513ea-6084-4144-a61c-7a0a8368d25c
> >> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
> >> curDate=Tue Feb 07 23:45:49 EST 2017 id=caProfileSubmitSSLClient
> >> time=8
> >> ***************
> >>
> >> Any idea why this is happening?
> >> It's using the caIPAserviceCert certificate profile which should be
> >> fine. I also checked and "played" with the
> >> hosts_services_caIPAserviceCert CA ACL with the same results.
> >>
> >> Thanks in advance!
> >>
> >> Guillermo
> >>
> > Was the server upgraded/migrated from an older release, or a new
> > installation?
> >
> > Could you please `ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca`
> > and provide output?
> >
> > Thanks,
> > Fraser
> 
> 
> 
> -- 
> GUILLERMO FUENTES
> SENIOR SYSTEMS ADMINISTRATOR
> 
> T: 561-880-2998 x1337
> 
> E:  guillermo.fuentes at modmed.com
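The check Fraser is asking for, as an added example that is not part of the thread: compare the Authority ID that `ipa ca-show` reports with the lightweight CA entries stored under ou=authorities,ou=ca,o=ipaca in the Dogtag LDAP tree, after binding as Directory Manager so that ACLs do not hide the entries (the user-bound search in the thread returned no entries at all). The LDIF below is constructed to stand in for the ldapsearch output, and the `authorityID` attribute name is assumed from the Dogtag lightweight CA schema; both are assumptions, not output from the original poster's servers.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): does the authority ID that
# `ipa cert-request` sends to the CA exist as a lightweight CA entry in LDAP?

# Constructed sample of `ipa ca-show ipa` output (values copied from the thread).
SAMPLE_CA_SHOW='  Name: ipa
  Description: IPA CA
  Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
  Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM'

# Constructed sample LDIF standing in for the output of
#   ldapsearch -LLL -D "cn=Directory Manager" -W \
#     -s sub -b ou=authorities,ou=ca,o=ipaca '(objectClass=authority)' authorityID
# The attribute name authorityID is an assumption about the Dogtag schema.
SAMPLE_LDIF='dn: cn=0cb513ea-6084-4144-a61c-7a0a8368d25c,ou=authorities,ou=ca,o=ipaca
authorityID: 0cb513ea-6084-4144-a61c-7a0a8368d25c'

# What the thread's user-bound search effectively returned: no entries.
EMPTY_LDIF=''

# Print the Authority ID found in `ipa ca-show` output read from stdin.
authority_id_from_ca_show() {
  sed -n 's/^ *Authority ID: *//p'
}

# Exit 0 if the given authority ID appears as an authorityID value in the
# LDIF read from stdin, 1 otherwise (LDAP attribute names are case-insensitive).
authority_in_ldif() {
  grep -i "^authorityID: $1\$" >/dev/null
}

# check_ca CA_SHOW_OUTPUT LDIF
#   0 = the CA's authority ID has a matching LDAP entry
#   1 = no matching entry (the situation behind "CA not found: <id>")
#   2 = could not read an Authority ID from the ca-show output
check_ca() {
  id=$(printf '%s\n' "$1" | authority_id_from_ca_show)
  if [ -z "$id" ]; then
    echo "no Authority ID found in ipa ca-show output" >&2
    return 2
  fi
  if printf '%s\n' "$2" | authority_in_ldif "$id"; then
    echo "authority $id is present under ou=authorities,ou=ca,o=ipaca"
    return 0
  fi
  echo "authority $id is MISSING from ou=authorities,ou=ca,o=ipaca" >&2
  return 1
}

# Stand-alone run against the constructed samples.
check_ca "$SAMPLE_CA_SHOW" "$SAMPLE_LDIF"
check_ca "$SAMPLE_CA_SHOW" "$EMPTY_LDIF" || true
```

On a real server, replace the two sample strings with the live command output; `-W` prompts for the Directory Manager password instead of putting it on the command line where `-w` would expose it in the process list. A missing entry for the ID that `ipa ca-show` reports is exactly the inconsistency that produces the "CA not found: <id>" error in the ca/debug log.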



