<div dir="ltr"><div>If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output.</div><div> </div><div>Thanks</div></div><div class="gmail_extra"> <div class="gmail_quote">On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Adam Lewis wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"> A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again. However we're kind of back to square one where we are still getting the AUTH_FAIL messages in the debug log. I have verified that the ipara entry's serial number and cert match the serial number and cert from the one in /etc/httpd/alias. </blockquote> How about the certificate PEM? Does it match the usercertificate in the dogtag LDAP server? rob <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"> Any other ideas? Thanks! On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <<a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a> <mailto:<a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a>>> wrote: Rob, Thanks for pointing me in the right direction. However after following the instructions in the above mentioned doc I noticed a few things that are odd and have a new problem. The first odd thing I noticed is that when I run service pki-cad status it shows that my PKI Subsystem Type is "CA Clone (Security Domain)" Shouldn't that say something like "CA Master"? Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all produced the same AUTH_FAIL message in the debug log. Now the new problem...after pressing on and restarting things certmonger fails to start with a segfault. Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault /usr/sbin/certmonger -S -p /var/run certmonger.pid Thanks! On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> <div><div class="h5"> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote: Lewis, Adam M CIV NSWCDD, H11 wrote: We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter (<a href="http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0" target="_blank" rel="noreferrer">http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0</a>) however the CA Subsystem and IPA RA certs will not renew. I've backdated the server to make sure the system was within the renewal window, but that has not help. Those are the wrong instructions. You want this instead, <a href="https://access.redhat.com/solutions/643753" target="_blank" rel="noreferrer">https://access.redhat.com/solutions/643753</a> A bunch of it is for 2.2 but it isn't exactly noted which parts. A general rule is that you don't/shouldn't need to directly tweak the dogtag configuration or do any of the start-tracking work (though you may want to verify that what/if anything you changed from that wrong doc). When I run getcert list it reports: Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error for both the IPA RA and CA Subsystem certs The debug log shows: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure ReviewReqServlet: Invalid Credential. The place to start is to get the serial # of the ipaCert: # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial Now get the user from the dogtag LDAP server: # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description The format is 2;<serial number>;<issuer subject>;<subject> See if the serial # matches ipaCert. I'm guessing it won't. Follow the instructions on the page I cited to update the entry with the current certificate and serial # values. That should get you going. rob We are kind of in deep doo-doo until this gets resolved. We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5 Any thoughts? Thanks! Adam M. Lewis -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank" rel="noreferrer">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank" rel="noreferrer">http://freeipa.org</a> for more info on the project -- Adam M. Lewis </div></div> <a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a> <mailto:<a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a>> 10807 Allie Place Fredericksburg, VA 22408 <a href="tel:540-412-8643" target="_blank" value="+15404128643">540-412-8643</a> <tel:<a href="tel:540-412-8643" target="_blank" value="+15404128643">540-412-8643</a>> -- Adam M. Lewis <a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a> <mailto:<a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a>> 10807 Allie Place Fredericksburg, VA 22408 <a href="tel:540-412-8643" target="_blank" value="+15404128643">540-412-8643</a> </blockquote> </blockquote></div> -- <div class="gmail_signature" data-smartmail="gmail_signature">Adam M. Lewis <a href="mailto:alewis422@gmail.com" target="_blank">alewis422@gmail.com</a> 10807 Allie Place Fredericksburg, VA 22408 540-412-8643 </div> </div>