<div dir="ltr"><div>Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out.</div><div><br></div><div>getcert list shows:</div><div>ca-error: Server at "<a href="https://ipa.local.domain:9443/ca/agent/ca/profileProcess">https://ipa.local.domain:9443/ca/agent/ca/profileProcess</a>" replied: 1: Authentication Error</div><div><br></div><div>And the debug log shows:</div><div>SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure<br> ReviewReqServlet: Invalid Credential.</div><div><br></div><div>Those appear to be the most significant messages. I'm disconnected, so getting the full log info is difficult. If it's the only way, let me know and I'll see what I can do. Worst case it'll just take me a while to re-type it.</div><div><br></div><div>Thanks<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>Adam Lewis wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
Yup, it's just the text string. I don't know how much this matters but<br>
when I ran the start-tracking for the ipaCert it didn't generate a new<br>
certificate. I'm still working off of serial number 7, which is what<br>
it's been since we installed IPA. Is there some way/reason for me to<br>
generate a whole new ipaCert?<br>
</blockquote>
<br></span>
certmonger will take care of that when renewal happens.<br>
<br>
Did you go back in time to when this cert was valid?<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<br>
Thanks<br>
<br><span>
On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br></span><span>
<br>
    Adam Lewis wrote:<br>
<br>
        If you mean the usercertificate value from the ldapsearch command, then yes.<br>
        That value matches the value from the certutil output.<br>
<br>
<br>
    The usercertificate in LDAP had the BEGIN/END stripped, right?<br>
<br>
    I'll cc a couple of the dogtag developers to see what they think.<br>
<br>
    rob<br>
<br>
<br>
        Thanks<br>
<br>
        On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br></span><span>
<br></span><div><div class="h5">
             Adam Lewis wrote:<br>
<br>
                 A quick update. We did some digging on the segfault problem and I think<br>
                 it was due to having to update the trusts on the CA cert. So we updated<br>
                 the certmonger package and certmonger now starts again. However we're<br>
                 kind of back to square one where we are still getting the AUTH_FAIL<br>
                 messages in the debug log.<br>
                 I have verified that the ipara entry's serial number and cert match the<br>
                 serial number and cert from the one in /etc/httpd/alias.<br>
<br>
<br>
             How about the certificate PEM? Does it match the usercertificate in<br>
             the dogtag LDAP server?<br>
<br>
             rob<br>
<br>
<br>
                 Any other ideas?<br>
<br>
                 Thanks!<br>
<br>
                 On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <<a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a>> wrote:<br>
<br>
                      Rob,<br>
                      Thanks for pointing me in the right direction. However after<br>
                      following the instructions in the above-mentioned doc I noticed a<br>
                      few things that are odd and have a new problem. The first odd thing<br>
                      I noticed is that when I run service pki-cad status it shows that my<br>
                      PKI Subsystem Type is "CA Clone (Security Domain)"<br>
                      Shouldn't that say something like "CA Master"?<br>
                      Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they<br>
                      all produced the same AUTH_FAIL message in the debug log.<br>
<br>
                      Now the new problem...after pressing on and restarting things<br>
                      certmonger fails to start with a segfault.<br>
                      Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid<br>
<br>
                      Thanks!<br>
<br>
                      On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
<br>
                          Lewis, Adam M CIV NSWCDD, H11 wrote:<br>
<br>
                              We are currently dead in the water. Our OCSP, CA Audit, CA<br>
                              Subsystem, and IPA RA certs expired as of 7/23/16. I found<br>
                              and followed the instructions to the letter<br>
                              (<a href="http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0" target="_blank" rel="noreferrer">http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0</a>)<br>
                              however the CA Subsystem and IPA RA certs will not renew.<br>
                              I've backdated the server to make sure the system was within<br>
                              the renewal window, but that has not helped.<br>
<br>
<br>
                          Those are the wrong instructions.<br>
<br>
                          You want this instead,<br>
                          <a href="https://access.redhat.com/solutions/643753" target="_blank" rel="noreferrer">https://access.redhat.com/solutions/643753</a><br>
<br>
                          A bunch of it is for 2.2 but it isn't exactly noted which parts.<br>
                          A general rule is that you don't/shouldn't need to directly<br>
                          tweak the dogtag configuration or do any of the start-tracking<br>
                          work (though you may want to verify what, if anything, you<br>
                          changed from that wrong doc).<br>
<br>
                              When I run getcert list it reports:<br>
                              Ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error<br>
                              for both the IPA RA and CA Subsystem certs<br>
<br>
                              The debug log shows:<br>
                              SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure<br>
                              ReviewReqServlet: Invalid Credential.<br>
<br>
<br>
                          The place to start is to get the serial # of the ipaCert:<br>
<br>
                          # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial<br>
<br>
                          Now get the user from the dogtag LDAP server:<br>
<br>
                          # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description<br>
<br>
                          The format is 2;<serial number>;<issuer subject>;<subject><br>
<br>
                          See if the serial # matches ipaCert. I'm guessing it won't.<br>
                          Follow the instructions on the page I cited to update the entry<br>
                          with the current certificate and serial # values. That should<br>
                          get you going.<br>
<br>
                          rob<br>
<br>
<br>
<br>
                              We are kind of in deep doo-doo until this gets resolved.<br>
<br>
                              We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5<br>
<br>
                              Any thoughts?<br>
<br>
                              Thanks!<br>
<br>
                              Adam M. Lewis<br>
<br>
<br>
<br>
<br>
                          --<br>
                          Manage your subscription for the Freeipa-users mailing list:<br>
                          <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank" rel="noreferrer">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
                          Go to <a href="http://freeipa.org" target="_blank" rel="noreferrer">http://freeipa.org</a> for more info on the project<br>
<br>
<br>
<br>
<br>
</div></div><span>
<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Adam M. Lewis<br><a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a><br>10807 Allie Place<br>Fredericksburg, VA 22408<br>540-412-8643<br><br><br></div>
</div>
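<p>The cross-check Rob describes in the thread (does the serial in the ipara entry's <code>description</code>, and its <code>usercertificate</code> value, match the ipaCert in /etc/httpd/alias) is worth scripting, since, as his instructions imply, a stale entry is what leaves certUserDBAuthMgr unable to map the presented "CN=IPA RA" certificate to a user and produces the AUTH_FAIL shown above. The following is an added example, not code from the thread or from FreeIPA/dogtag. The <code>certutil</code> and <code>ldapsearch</code> output it parses is constructed to mimic the real formats (the "Serial Number: 7 (0x7)" line, LDIF folding with a leading space, "::" marking a base64 value); the issuer DN "CN=Certificate Authority,O=MISS.ION", the hex-bytes serial form for large serials, and the DER bytes are assumptions or stand-ins.</p>

```python
"""Cross-check the dogtag 'ipara' user entry against the ipaCert in the httpd
NSS database: the comparison Rob walks through in the thread.

Added example, not code from the thread or from FreeIPA/dogtag. The sample
command output is constructed; the issuer DN and the DER bytes are stand-ins.
On a real server feed the functions the output of:
  certutil -L -d /etc/httpd/alias -n ipaCert            (serial)
  certutil -L -d /etc/httpd/alias -n ipaCert -a         (PEM)
  ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W \
      -b uid=ipara,ou=People,o=ipaca description usercertificate
"""
import base64
import re
import textwrap

SAMPLE_DER = bytes(range(256)) * 3  # constructed stand-in for the certificate DER

CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=MISS.ION"
        Subject: "CN=IPA RA,O=MISS.ION"
"""


def make_pem(der):
    """PEM as `certutil -a` prints it: 64-column base64 between BEGIN/END lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def make_ldif(der, serial):
    """LDIF for the ipara entry: '::' marks a base64 value and long values are
    folded onto continuation lines that begin with a single space."""
    b64 = "\n ".join(textwrap.wrap(base64.b64encode(der).decode(), 76))
    return ("dn: uid=ipara,ou=People,o=ipaca\n"
            f"description: 2;{serial};CN=Certificate Authority,O=MISS.ION;CN=IPA RA,O=MISS.ION\n"
            f"usercertificate:: {b64}\n")


SAMPLE_PEM = make_pem(SAMPLE_DER)      # constructed: what `certutil -a` would print
SAMPLE_LDIF = make_ldif(SAMPLE_DER, 7)  # constructed: what ldapsearch would print


def parse_certutil_serial(text):
    """Serial from `certutil -L`. Small serials print as 'Serial Number: 7 (0x7)';
    large ones as colon-separated hex bytes on the next line (assumed form)."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:\s*\n((?:\s*[0-9a-fA-F]{2}:?)+)", text)
    if m:
        return int(re.sub(r"[^0-9a-fA-F]", "", m.group(1)), 16)
    raise ValueError("no Serial Number in certutil output")


def parse_ipara_description(value):
    """Split dogtag's '2;<serial>;<issuer subject>;<subject>' description.
    The format relies on the DNs containing commas but no semicolons."""
    parts = value.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError(f"unexpected description format: {value!r}")
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, decode '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip())
        entry[attr.split(";")[0].lower()] = value   # 'usercertificate;binary' too
    return entry


def pem_to_der(pem):
    """Accepts a full PEM block or the bare base64 body (BEGIN/END stripped,
    which is how the usercertificate value is entered in LDAP)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode("".join(body.split()))


def check_ipara_entry(certutil_text, pem_text, ldif_text):
    """Return the mismatches between the NSS ipaCert and the LDAP entry; an
    empty list means the entry is consistent with the certificate."""
    problems = []
    nss_serial = parse_certutil_serial(certutil_text)
    entry = parse_ldif(ldif_text)
    desc = parse_ipara_description(entry["description"])
    if desc["serial"] != nss_serial:
        problems.append(f"serial: NSS ipaCert is {nss_serial}, description says {desc['serial']}")
    ldap_der = entry.get("usercertificate")
    if ldap_der is None:
        problems.append("usercertificate attribute missing")
    elif ldap_der != pem_to_der(pem_text):
        problems.append("usercertificate does not match ipaCert PEM")
    return problems


if __name__ == "__main__":
    print(check_ipara_entry(CERTUTIL_OUTPUT, SAMPLE_PEM, SAMPLE_LDIF) or "ipara entry matches ipaCert")
```

<p>On a live server, replace the constructed strings with the real command output listed in the module docstring. The certificate comparison is byte-for-byte after base64 decoding, so it does not matter whether the value you paste has the BEGIN/END lines (full PEM) or not (the form stored in LDAP); a serial mismatch and a certificate mismatch are reported separately, since the Red Hat procedure fixes each field on its own.</p>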