Let's tackle these one at a time.

Missing tracking for {'cert-nickname': 'Server-Cert', 'ca-name': 'IPA',
'cert-database': '/etc/httpd/alias', 'cert-postsave-command':
'/usr/libexec/ipa/certmonger/restart_httpd'}

Did you provide your own certificate for the web server (e.g. like from
Let's Encrypt?) What is the value of NSSNickname in
/etc/httpd/conf.d/nss.conf?

Let me get back to you on the template subjects not matching. I want to
run this past the dogtag team to see if my test is correct or not. It
could be a red herring.

For all of the "Error looking up CA entry in IPA <UUID>: no matching
entry found"

This means that a subCA is defined in dogtag that is not defined in IPA.
This may not be a problem but it is definitely strange. What this test
does is compare the contents of ou=authorities,ou=ca,o=ipaca to those in
cn=cas,cn=ca,dc=example,dc=com. I'll run this one past the CS team too.

In the meantime can you provide some of the contents of those entries
that are in dogtag?

$ ldapsearch -x -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca > /tmp/cas.ldif

Validation of /var/lib/ipa/ra-agent.pem failed: Command
'/usr/bin/openssl verify /var/lib/ipa/ra-agent.pem' returned non-zero
exit status 2

According to the verify(1) man page 2 ==
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT which suggests that the IPA CA is
not in the global cert bundle.

This should fix it:

# ipa-certupdate

Thanks for helping out!

rob
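An added example, not from Rob's message or from ipa-healthcheck itself: the comparison the test above makes between ou=authorities,ou=ca,o=ipaca and cn=cas,cn=ca,dc=example,dc=com, run over two constructed LDIF dumps of the kind the ldapsearch above produces. The attribute names (authorityID, authorityDN, ipaCaId) are assumptions about the Dogtag and IPA schemas, and the sample entries are invented.

```python
"""Compare Dogtag's authority entries with IPA's CA entries, the comparison
the healthcheck message above describes, over two constructed LDIF dumps."""
import re

# Constructed sample dumps; attribute names are assumed from the two schemas.
DOGTAG_LDIF = """\
dn: cn=11111111-1111-1111-1111-111111111111,ou=authorities,ou=ca,o=ipaca
cn: 11111111-1111-1111-1111-111111111111
authorityID: 11111111-1111-1111-1111-111111111111
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM

dn: cn=22222222-2222-2222-2222-222222222222,ou=authorities,ou=ca,o=ipaca
cn: 22222222-2222-2222-2222-222222222222
authorityID: 22222222-2222-2222-2222-222222222222
authorityDN: CN=Orphan Sub CA,
 O=EXAMPLE.COM
"""

IPA_LDIF = """\
dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
cn: ipa
ipaCaId: 11111111-1111-1111-1111-111111111111
ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry. Folded continuation
    lines (leading space) are joined; base64 ('::') values are not decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]           # continuation of previous line
            elif line:
                lines.append(line)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def find_untracked_cas(dogtag_ldif, ipa_ldif):
    """Authority IDs present in Dogtag with no matching ipaCaId in IPA."""
    ipa_ids = {v for e in parse_ldif(ipa_ldif) for v in e.get("ipacaid", [])}
    return [(ca_id, e.get("authoritydn", ["?"])[0])
            for e in parse_ldif(dogtag_ldif)
            for ca_id in e.get("authorityid", [])
            if ca_id not in ipa_ids]
```

Each tuple returned corresponds to one "Error looking up CA entry in IPA <UUID>: no matching entry found" line; the subject DN tells you which Dogtag sub-CA has no IPA-side record.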
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org