[Freeipa-users] [SOLVED] CA not found?

Guillermo Fuentes guillermo.fuentes at modernizingmedicine.com
Fri Feb 10 15:05:14 UTC 2017


Hi Fraser,

Although I modified the ids to release the data, I made sure to use
consistent ids where they appeared.
As you noted, there was a discrepancy and changing the 'ipacaid'
attribute of cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local to match the
authorityID from Dogtag fixed the issue. We're now able to sign
certificates as before. Yay!!!
As for what could have caused this discrepancy, the only thing I can
think of is that, back when we migrated the cluster, there were a few
times where the cloning of the CA from 3.x to 4.x failed.

Thank you very much for your help with this! I really appreciate it!
Have a great time off!
Guillermo

On Fri, Feb 10, 2017 at 5:03 AM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> On Thu, Feb 09, 2017 at 09:01:01PM -0500, Guillermo Fuentes wrote:
>> As we're enforcing encryption, here is via ldaps:
>> $ ldapsearch -H ldaps://`hostname` -D "cn=Directory Manager" -W -s sub -b ou=authorities,ou=ca,o=ipaca
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=authorities,ou=ca,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # authorities, ca, ipaca
>> dn: ou=authorities,ou=ca,o=ipaca
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: authorities
>>
>> # 0af769bd-a7ed-4f3a-8859-a877724ea8f2, authorities, ca, ipaca
>> dn: cn=0af769bd-a7ed-4f3a-8859-a877724ea8f2,ou=authorities,ou=ca,o=ipaca
>> objectClass: authority
>> objectClass: top
>> cn: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
>> authorityID: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
>> authorityKeyNickname: caSigningCert cert-pki-ca
>> authorityEnabled: TRUE
>> authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
>> description: Host authority
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> I'll attach the log files soon.
>>
> Hi Guillermo,
>
> Thanks for the files.  At a glance, everything looks normal in ipa
> upgrade and server startup.
>
> There is a discrepancy between the authority record in Dogtag
> (in the ldapsearch output above) and the corresponding entry in
> FreeIPA:
>
>>> $ ipa ca-show ipa
>>>  Name: ipa
>>>  Description: IPA CA
>>>  Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>>>  Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
>>>  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
>
> If these are indeed different (not a result of substitutions you
> performed in releasing the data), this is a problem I have not seen
> before (can you think of anything that might have caused this e.g.
> deletion of the authority entry from Dogtag?).  To resolve, change
> the 'ipacaid' attribute of cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local to
> '0af769bd-a7ed-4f3a-8859-a877724ea8f2'
>
> HTH,
> Fraser
>
> P.S. I am away next week, so please help Guillermo if he's still
> having trouble.



-- 
GUILLERMO FUENTES
SENIOR SYSTEMS ADMINISTRATOR

T: 561-880-2998 x1337

E:  guillermo.fuentes at modmed.com
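As an added example (not code from the thread, from FreeIPA or from Dogtag), a small Python check that pairs each FreeIPA CA entry with the Dogtag authority carrying the same subject DN and, on a mismatch, emits the ldapmodify LDIF for the 'ipacaid' fix Fraser describes. It assumes FreeIPA's CA entries carry objectClass ipaca with ipacaid and ipacasubjectdn, and the LDIF samples are constructed from the values quoted in this thread.

```python
"""Added example (not from the thread): compare FreeIPA's ipacaid with Dogtag's
authorityID using ldapsearch LDIF. Sample LDIF below is constructed from the
values quoted in the thread."""

def parse_ldif(text):
    """ldapsearch LDIF -> [{attr: [values]}]; unfolds continuation lines and
    skips '#' comments (base64 '::' values are not handled here)."""
    entries, cur = [], {}
    for line in text.replace('\n ', '').splitlines() + ['']:  # '' flushes last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith('#'):
            attr, _, value = line.partition(':')
            cur.setdefault(attr, []).append(value.strip())
    return entries

def find_mismatches(dogtag_ldif, ipa_ldif):
    """[(ipa_dn, ipacaid, dogtag_authorityID or None)] for each FreeIPA CA
    entry whose id differs from the Dogtag authority with the same subject DN."""
    by_subject = {e['authorityDN'][0].lower(): e['authorityID'][0]  # DNs match case-insensitively
                  for e in parse_ldif(dogtag_ldif) if 'authority' in e.get('objectClass', [])}
    bad = []
    for ca in parse_ldif(ipa_ldif):
        if 'ipaca' in ca.get('objectClass', []):
            expected = by_subject.get(ca['ipacasubjectdn'][0].lower())
            if expected != ca['ipacaid'][0]:
                bad.append((ca['dn'][0], ca['ipacaid'][0], expected))
    return bad

def fix_ldif(ipa_dn, authority_id):
    """ldapmodify input that points ipacaid at the Dogtag authorityID."""
    return f"dn: {ipa_dn}\nchangetype: modify\nreplace: ipacaid\nipacaid: {authority_id}\n"

DOGTAG_LDIF = """dn: cn=0af769bd-a7ed-4f3a-8859-a877724ea8f2,ou=authorities,ou=ca,o=ipaca
objectClass: authority
authorityID: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
"""
IPA_LDIF = """dn: cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local
objectClass: ipaca
ipacaid: 0cb513ea-6084-4144-a61c-7a0a8368d25c
ipacasubjectdn: CN=Certificate Authority,O=EXAMPLE.COM
"""

for dn, have, want in find_mismatches(DOGTAG_LDIF, IPA_LDIF):
    print(f"{dn}: ipacaid={have} but Dogtag authorityID={want}")
    print(fix_ldif(dn, want) if want else "no Dogtag authority with this subject DN")
```

On a live server, feed the two ldapsearch outputs (the Dogtag search from the thread and one over cn=cas,cn=ca,<basedn>) to find_mismatches instead of the constructed samples, and review the generated LDIF before applying it.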
