[Freeipa-users] Replica issue / Certificate Authority
Fraser Tweedale
ftweedal at redhat.com
Thu Jan 5 06:33:27 UTC 2017
On Wed, Jan 04, 2017 at 01:19:19PM +0000, Christophe TREFOIS wrote:
> Hi Florence,
>
> I did what you said, and then the status went to CA_WORKING. Then I restarted ipa and certmonger and the status went to CA_UNREACHABLE.
> Then I did “resubmit” again and now the status is back to MONITORING, but the cookie error is back.
>
> Any advice?
>
I have encountered the cookie error before. IIRC it was caused by
authn certs in Dogtag user entries not matching the client certs
used.
Check the following entries:
1. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
-b uid=pkidbuser,ou=people,o=ipaca userCertificate``
should match
``certutil -d /etc/pki/pki-tomcat/alias -L -n "subsystemCert cert-pki-ca"``
2. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
-b uid=ipara,ou=people,o=ipaca userCertificate``
should match
``certutil -d /etc/httpd/alias -L -n "ipaCert"``
If either of these do not match, update LDAP with what is in the
certificate databases (a.k.a. NSSDBs). Ensure all certs are
non-expired, etc.
HTH,
Fraser
> [root at lums3 ~]# getcert list -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20161216025136':
> status: MONITORING
> ca-error: Invalid cookie: ''
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=UNI.LU
> subject: CN=IPA RA,O=UNI.LU
> expires: 2018-12-16 03:13:48 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
>
> --
>
> Dr Christophe Trefois, Dipl.-Ing.
> Technical Specialist / Post-Doc
>
> UNIVERSITÉ DU LUXEMBOURG
>
> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
> Campus Belval | House of Biomedicine
> 6, avenue du Swing
> L-4367 Belvaux
> T: +352 46 66 44 6124
> F: +352 46 66 44 6949
> http://www.uni.lu/lcsb <http://www.uni.lu/lcsb>
> <https://www.facebook.com/trefex> <https://twitter.com/Trefex> <https://plus.google.com/+ChristopheTrefois/> <https://www.linkedin.com/in/trefoischristophe> <http://skype:Trefex?call>
> ----
> This message is confidential and may contain privileged information.
> It is intended for the named recipient only.
> If you receive it in error please notify me and permanently delete the original message and any copies.
> ----
>
>
>
> > On 4 Jan 2017, at 13:49, Florence Blanc-Renaud <flo at redhat.com> wrote:
> >
> > getcert resubmit -i <id for ipaCert>
>
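The LDAP-versus-NSSDB comparison Fraser describes above can be scripted so the check is done on bytes rather than by eye. The script below is an added example for this archive page; it is not part of the thread and not FreeIPA or Dogtag code. It assumes you have saved the `ldapsearch -LLL ... userCertificate` output to a file and exported the NSSDB certificate in PEM form with `certutil -d <dir> -L -n <nickname> -a` (the `-a` flag prints PEM instead of the human-readable dump), then compares SHA-256 fingerprints of the DER bytes on both sides. The embedded sample inputs are constructed byte strings standing in for real certificates, so the script runs offline; the file names and function names are this example's own.

```python
"""Compare the userCertificate value(s) in a Dogtag user entry with the
certificate held in an NSS database, by SHA-256 fingerprint of the DER bytes.

Added example for the freeipa-users thread; not FreeIPA/Dogtag code.
Usage on a real system:
    ldapsearch -LLL -D "cn=directory manager" -W \
        -b uid=ipara,ou=people,o=ipaca userCertificate > ipara.ldif
    certutil -d /etc/httpd/alias -L -n ipaCert -a > ipaCert.pem
    python3 check_ra_cert.py ipara.ldif ipaCert.pem
"""
import base64
import hashlib
import re
import sys


def ldif_certificates(ldif_text):
    """Return DER certificates found in LDIF output.

    Handles LDIF line folding (continuation lines start with one space) and the
    '::' marker that ldapsearch uses for base64-encoded binary attributes.
    Both 'userCertificate' and 'userCertificate;binary' are accepted."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join continuation line
        else:
            unfolded.append(raw)
    certs = []
    for line in unfolded:
        m = re.match(r"^userCertificate(?:;binary)?::\s*(\S+)$", line)
        if m:
            certs.append(base64.b64decode(m.group(1)))
    return certs


def pem_certificates(pem_text):
    """Return DER certificates found in PEM text (certutil -L -n NICK -a)."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    return [base64.b64decode("".join(b.split())) for b in blocks]


def fingerprint(der):
    """SHA-256 fingerprint of the raw DER, the value to compare on both sides."""
    return hashlib.sha256(der).hexdigest()


def nssdb_cert_in_ldap(ldif_text, pem_text):
    """True iff every certificate in the PEM file is present in the LDAP entry.

    An empty PEM or an empty LDAP entry counts as a mismatch, since a missing
    cert on either side is exactly the misconfiguration to surface."""
    ldap_fps = {fingerprint(d) for d in ldif_certificates(ldif_text)}
    nss_fps = {fingerprint(d) for d in pem_certificates(pem_text)}
    return bool(nss_fps) and bool(ldap_fps) and nss_fps <= ldap_fps


# ---- constructed sample data (stand-ins for real DER certificates) ----------
GOOD_DER = bytes(range(256)) * 4                    # "current" cert in NSSDB
STALE_DER = bytes(reversed(range(256))) * 4         # an older cert left in LDAP


def _fold_ldif(attr, der, width=76):
    """Render one base64 LDIF attribute with standard line folding."""
    line = f"{attr}:: {base64.b64encode(der).decode()}"
    return [line[:width]] + [" " + line[i:i + width - 1]
                             for i in range(width, len(line), width - 1)]


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
               + "\n".join(_fold_ldif("userCertificate", GOOD_DER)) + "\n\n")
STALE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
              + "\n".join(_fold_ldif("userCertificate", STALE_DER)) + "\n\n")
SAMPLE_PEM = _pem(GOOD_DER)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            ldif, pem = f.read(), open(sys.argv[2]).read()
    else:
        ldif, pem = SAMPLE_LDIF, SAMPLE_PEM       # offline demo on constructed data
    for d in ldif_certificates(ldif):
        print("LDAP  :", fingerprint(d))
    for d in pem_certificates(pem):
        print("NSSDB :", fingerprint(d))
    ok = nssdb_cert_in_ldap(ldif, pem)
    print("MATCH" if ok else "MISMATCH: update LDAP from the NSSDB")
    sys.exit(0 if ok else 1)
```

Run it once per pair from Fraser's list (pkidbuser against the subsystem cert, ipara against ipaCert). A MISMATCH exit status is the condition under which the authn lookup fails and the renewal agent cannot establish a session; the fix is the one Fraser gives, replacing the LDAP value with the certificate the NSSDB actually presents.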