[Freeipa-users] Replica issue / Certificate Authority

Yohan JAROSZ yohan.jarosz at uni.lu
Thu Jan 5 15:34:59 UTC 2017


Hi

@Fraser,
I tried the commands and the certificates matched in both cases.


@everyone
I tried to look a little bit in the code, and the only references I saw are in
https://github.com/freeipa/freeipa/blob/master/install/certmonger/dogtag-ipa-ca-renew-agent-submit (4 references)
And the only one that could fit is this one:
https://github.com/freeipa/freeipa/blob/master/install/certmonger/dogtag-ipa-ca-renew-agent-submit#L142
as our cookie seems to be empty (ca-error: Invalid cookie: '')
and this is the only one of the 4 conditions that tests only for « None »; the other 3 test for None, empty strings, etc., and it should be false.

Meaning that somehow the cookie is set somewhere but with no value?

Anyway, do you think it can impact our setup?
Instead of trying to resolve the issue, could we also delete this replica and set up a new one instead?

What do you think?



Yohan
Following up for Christophe.



On 05 Jan 2017, at 07:33, Fraser Tweedale <ftweedal at redhat.com> wrote:

On Wed, Jan 04, 2017 at 01:19:19PM +0000, Christophe TREFOIS wrote:
Hi Florence,

I did what you said, and then the status went to CA_WORKING. Then I restarted ipa and certmonger and the status went to CA_UNREACHABLE.
Then I did "resubmit" again and now the status is back to MONITORING, but the cookie error is back.

Any advice?

I have encountered the cookie error before. IIRC it was caused by
authn certs in Dogtag user entries not matching the client certs
used.

Check the following entries:

1. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
  -b uid=pkidbuser,ou=people,o=ipaca userCertificate``

  should match

  ``certutil -d /etc/pki/pki-tomcat/alias -L -n "subsystemCert cert-pki-ca"``

2. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
  -b uid=ipara,ou=people,o=ipaca userCertificate``

  should match

  ``certutil -d /etc/httpd/alias -L -n "ipaCert"``

If either of these do not match, update LDAP with what is in the
certificate databases (a.k.a. NSSDBs).  Ensure all certs are
non-expired, etc.

HTH,
Fraser


[root at lums3 ~]# getcert list -n ipaCert
Number of certificates and requests being tracked: 8.
Request ID '20161216025136':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=UNI.LU
subject: CN=IPA RA,O=UNI.LU
expires: 2018-12-16 03:13:48 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes

--

Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb



On 4 Jan 2017, at 13:49, Florence Blanc-Renaud <flo at redhat.com> wrote:

getcert resubmit -i <id for ipaCert>
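The LDAP-versus-NSSDB comparison Fraser describes above, scripted, as an added example that is not part of the original thread and not FreeIPA or Dogtag code. It parses `ldapsearch -LLL` output (base64 `userCertificate`, including LDIF line folding) and `certutil -L -a` PEM output down to DER and compares them byte for byte, printing a SHA-256 fingerprint of each side and, on a mismatch, the `ldapmodify` LDIF that would push the NSSDB cert into the entry. The parsing is exercised on constructed sample bytes; the live part at the bottom assumes the Directory Manager password is in a file at the hypothetical path `/root/.dm_pw` (read with `-y`) rather than passed with `-w` as in the thread, where it would show up in the process list.

```python
"""Compare the cert in a Dogtag user entry (o=ipaca) with the NSSDB cert.
Added example, not FreeIPA/Dogtag code. Sample data below is constructed;
the live check assumes the DM password is in /root/.dm_pw (hypothetical)."""
import base64
import hashlib
import re
import subprocess

# The two entry/NSSDB pairs named in the thread: (LDAP DN, NSSDB dir, nickname).
PAIRS = [
    ("uid=pkidbuser,ou=people,o=ipaca", "/etc/pki/pki-tomcat/alias", "subsystemCert cert-pki-ca"),
    ("uid=ipara,ou=people,o=ipaca", "/etc/httpd/alias", "ipaCert"),
]
DM_PWFILE = "/root/.dm_pw"  # assumption: file holding the Directory Manager password


def ldif_certs(ldif):
    """DER bytes of every userCertificate value in ldapsearch -LLL output.
    Handles the '::' base64 marker, an optional ';binary' option and LDIF
    line folding (a continuation line starts with one space)."""
    unfolded = re.sub(r"\n ", "", ldif)
    certs = []
    for line in unfolded.splitlines():
        m = re.match(r"userCertificate(?:;binary)?::\s*(\S+)$", line)
        if m:
            certs.append(base64.b64decode(m.group(1)))
    return certs


def pem_to_der(pem):
    """Strip the PEM armour that 'certutil -L -n NICK -a' prints; return DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate in certutil output")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der):
    """SHA-256 fingerprint, for eyeballing the two sides."""
    return hashlib.sha256(der).hexdigest()


def certs_match(ldif, pem):
    """True when the NSSDB cert is one of the userCertificate values in LDAP."""
    return pem_to_der(pem) in ldif_certs(ldif)


def replace_ldif(dn, der):
    """LDIF for ldapmodify that overwrites userCertificate with the NSSDB cert,
    the repair Fraser describes. Review before applying."""
    b64 = base64.b64encode(der).decode()
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: userCertificate\nuserCertificate:: {b64}\n")


def fetch_ldap(dn, pwfile=DM_PWFILE):
    """Fraser's query, but with the password read from a file (-y)."""
    cmd = ["ldapsearch", "-LLL", "-D", "cn=directory manager", "-y", pwfile,
           "-b", dn, "userCertificate"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def fetch_nss(dbdir, nick):
    """certutil -L with -a so the cert comes out as PEM, not a pretty-print."""
    cmd = ["certutil", "-d", dbdir, "-L", "-n", nick, "-a"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample data (not real certificates): 64 arbitrary bytes stand
# in for DER, folded the way ldapsearch -LLL folds a long value.
SAMPLE_DER = bytes(range(64))
STALE_DER = bytes(range(64, 128))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
               "userCertificate;binary:: " + _b64[:51] + "\n " + _b64[51:] + "\n")
STALE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\nuserCertificate;binary:: "
              + base64.b64encode(STALE_DER).decode() + "\n")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Self-check on the constructed data, then the live comparison.
    assert certs_match(SAMPLE_LDIF, SAMPLE_PEM) and not certs_match(STALE_LDIF, SAMPLE_PEM)
    for dn, dbdir, nick in PAIRS:
        try:
            ldap_ders = ldif_certs(fetch_ldap(dn))
            nss_der = pem_to_der(fetch_nss(dbdir, nick))
        except (OSError, subprocess.CalledProcessError, ValueError) as exc:
            print(f"SKIP     {dn}: {exc}")
            continue
        if nss_der in ldap_ders:
            print(f"OK       {dn} == {dbdir}:{nick} ({fingerprint(nss_der)[:16]})")
        else:
            print(f"MISMATCH {dn} ldap={[fingerprint(d)[:16] for d in ldap_ders]} "
                  f"nssdb={fingerprint(nss_der)[:16]}; proposed fix:\n{replace_ldif(dn, nss_der)}")
```

Two caveats when using the printed LDIF: an entry can legitimately carry more than one `userCertificate` value (the script only requires that the NSSDB cert is among them), and Dogtag's certificate authentication also relies on the entry's `description` attribute (`2;<serial>;<issuer DN>;<subject DN>`), which FreeIPA rewrites alongside `userCertificate` when it renews these certs, so after replacing the certificate check that `description` names the same serial, issuer and subject as the cert now in the NSSDB.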
