<div dir="ltr"><div>A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again.<br>However we're kind of back to square one where we are still getting the AUTH_FAIL messages in the debug log.<br>I have verified that the ipara entry's serial number and cert match the serial number and cert from the one in /etc/httpd/alias. </div><div><br></div><div>Any other ideas?</div><div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <span dir="ltr"><<a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Rob, </div><div>Thanks for pointing me in the right direction. However after following the instructions in the above mentioned doc I noticed a few things that are odd and have a new problem. The first odd thing I noticed is that when I run service pki-cad status it shows that my PKI Subsystem Type is "CA Clone (Security Domain)"</div><div>Shouldn't that say something like "CA Master"?</div><div>Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all produced the same AUTH_FAIL message in the debug log.</div><div><br></div><div>Now the new problem...after pressing on and restarting things certmonger fails to start with a segfault.</div><div>Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault /usr/sbin/certmonger -S -p /var/run certmonger.pid</div><div><br></div><div>Thanks!</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><span>Lewis, Adam M CIV NSWCDD, H11 wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter (<a href="http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0" target="_blank" rel="noreferrer">http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0</a>) however the CA Subsystem and IPA RA certs will not renew. I've backdated the server to make sure the system was within the renewal window, but that has not help.<br>
</blockquote>
<br></span>
Those are the wrong instructions.<br>
<br>
You want this instead, <a href="https://access.redhat.com/solutions/643753" target="_blank" rel="noreferrer">https://access.redhat.com/solutions/643753</a><br>
<br>
A bunch of it is for 2.2 but it isn't exactly noted which parts. A general rule is that you don't/shouldn't need to directly tweak the dogtag configuration or do any of the start-tracking work (though you may want to verify that what/if anything you changed from that wrong doc).<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
When I run getcert list it reports:<br>
Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error<br>
for both the IPA RA and CA Subsystem certs<br>
<br>
The debug log shows:<br>
SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure<br>
ReviewReqServlet: Invalid Credential.<br>
</blockquote>
<br></span>
The place to start is to get the serial # of the ipaCert:<br>
<br>
# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial<br>
<br>
Now get the user from the dogtag LDAP server:<br>
<br>
# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description<br>
<br>
The format is 2;<serial number>;<issuer subject>;<subject><br>
<br>
See if the serial # matches ipaCert. I'm guessing it won't. Follow the instructions on the page I cited to update the entry with the current certificate and serial # values. That should get you going.<br>
<br>
rob<div><div><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<br>
We are kind of in deep doo-doo until this gets resolved.<br>
<br>
We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5<br>
<br>
Any thoughts?<br>
<br>
Thanks!<br>
<br>
Adam M. Lewis<br>
<br>
<br>
<br>
</blockquote>
<br></div></div><span><font color="#888888">
-- <br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank" rel="noreferrer">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" target="_blank" rel="noreferrer">http://freeipa.org</a> for more info on the project<br>
</font></span></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br><div data-smartmail="gmail_signature">Adam M. Lewis<br><a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a><br>10807 Allie Place<br>Fredericksburg, VA 22408<br><a href="tel:540-412-8643" target="_blank" value="+15404128643">540-412-8643</a><br><br><br></div>
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Adam M. Lewis<br><a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a><br>10807 Allie Place<br>Fredericksburg, VA 22408<br>540-412-8643<br><br><br></div>
</div>