On Tue, 2018-10-23 at 11:23 +1000, Fraser Tweedale via FreeIPA-users wrote:
> Hi Rob,
>
> (Cc freeipa-users@ for visibility)
>
> On Mon, Oct 22, 2018 at 04:12:05PM -0400, Rob Crittenden wrote:
> > I've gotten some upstream feedback on my cert checking tool and one user
> > came back with a bunch of errors:
> >
> > Error looking up CA entry in IPA aeca4a88-630d-4f47-9585-73bad089260b: no matching entry found
> > Error looking up CA entry in IPA d8a6fe60-eebe-4dfd-8352-47ca38a29028: no matching entry found
> > Error looking up CA entry in IPA 3203c388-7da5-44d3-923b-dd87a3a62ecb: no matching entry found
> > Error looking up CA entry in IPA f875b832-16cb-4b08-bc8c-1dbef027d101: no matching entry found
> > Error looking up CA entry in IPA 2e18e695-55c3-4675-a7f2-84e6b2726893: no matching entry found
> > Error looking up CA entry in IPA 327f1d40-cf4f-4a6a-95b1-3ba88b725e5f: no matching entry found
> > Error looking up CA entry in IPA 21288a66-d4c2-48d2-9901-a464cd926681: no matching entry found
> >
> > So these UUID come from ou=authorities, ou=ca, o=ipaca and the
> > equivalent doesn't exist in IPA. Is that by default a problem or is it
> > perfectly valid?
> >
> > How would you recommend debugging this further?
> >
> > thanks
> >
> > rob
>
> It could be an occurrence of https://pagure.io/dogtagpki/issue/2475
> / https://bugzilla.redhat.com/show_bug.cgi?id=1390322 which resulted
> in the creation of a new lightweight CA (LWCA) entry for the
> host/primary CA each time Dogtag started. The issue was fixed a
> while ago but we didn't do anything to clean up the spurious
> entries.
>
> To confirm that this is the issue, check if the extra entries have
> the same 'authorityDN' attribute. If confirmed the resolution is:
>
> 1. find the IPA CA authority ID (`ipa ca-show ipa`)
>
> 2. find all the Dogtag LWCA entries with the same subject DN
>
> 3. keep the one with the authority ID matching IPA (from step 1) and
> delete the others
>
Yes this seems to be the problem: https://ipa1.home.fazant.net/ca/rest/authorities gives me:

<collection>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="6cb2e4f8-ea47-4096-be01-5d324ca81fb8" issuerDN="CN=Certificate Authority,O=HOME.FAZANT.NET" serial="1" dn="CN=Certificate Authority,O=HOME.FAZANT.NET" enabled="true" description="Host authority" ready="true"/>
</collection>

I don't feel confident enough right now to start deleting entries though

BR,
Louis

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
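Added example, not part of the thread and not FreeIPA or Dogtag code: a Python audit script that takes a `/ca/rest/authorities` collection of the shape Louis pasted and works through Fraser's three steps without deleting anything. It groups the `<authority>` entries by subject `dn` (step 2), marks the entry whose `id` equals the authority ID from `ipa ca-show ipa` as the keeper (step 1) and lists the rest as candidates for removal (step 3). It also counts entries that carry the very same `id`, because those cannot be told apart in the REST view and need to be inspected in LDAP first. The realm `EXAMPLE.TEST`, all ids and the sub-CA entry in the sample XML are constructed; only the attribute names come from the real output.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the /ca/rest/authorities collection in the
# thread. Realm, ids and the sub-CA entry are made up for this example.
HOST_DN = "CN=Certificate Authority,O=EXAMPLE.TEST"
IPA_AUTHORITY_ID = "11111111-1111-4111-8111-111111111111"  # stand-in for `ipa ca-show ipa`

SAMPLE_XML = f"""<collection>
<authority isHostAuthority="true" id="{IPA_AUTHORITY_ID}" issuerDN="{HOST_DN}" serial="1" dn="{HOST_DN}" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="22222222-2222-4222-8222-222222222222" issuerDN="{HOST_DN}" serial="1" dn="{HOST_DN}" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="33333333-3333-4333-8333-333333333333" issuerDN="{HOST_DN}" serial="1" dn="{HOST_DN}" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="false" id="44444444-4444-4444-8444-444444444444" issuerDN="{HOST_DN}" serial="7" dn="CN=Sub CA,O=EXAMPLE.TEST" enabled="true" description="Sub CA" ready="true"/>
</collection>"""

# Second constructed sample: two host-authority entries that share one id,
# which is what Louis's output shows for every entry.
SAME_ID_XML = f"""<collection>
<authority isHostAuthority="true" id="{IPA_AUTHORITY_ID}" issuerDN="{HOST_DN}" serial="1" dn="{HOST_DN}" enabled="true" description="Host authority" ready="true"/>
<authority isHostAuthority="true" id="{IPA_AUTHORITY_ID}" issuerDN="{HOST_DN}" serial="1" dn="{HOST_DN}" enabled="true" description="Host authority" ready="true"/>
</collection>"""


def parse_authorities(xml_text):
    """Return one dict of attributes per <authority> element in the collection."""
    root = ET.fromstring(xml_text)
    return [dict(elem.attrib) for elem in root.iter("authority")]


def audit_authorities(xml_text, ipa_authority_id):
    """Group LWCA entries by subject DN and, for every DN that occurs more than
    once, separate the keeper (id matches IPA's authority id) from the extras.

    Returns {dn: {"keep": [id], "extra": [ids], "same_id_dups": n}}.
    A DN that occurs only once is healthy and is left out of the report.
    """
    by_dn = defaultdict(list)
    for auth in parse_authorities(xml_text):
        by_dn[auth["dn"]].append(auth["id"])

    report = {}
    for dn, ids in by_dn.items():
        if len(ids) < 2:
            continue
        keep = [i for i in ids if i == ipa_authority_id]
        extra = [i for i in ids if i != ipa_authority_id]
        report[dn] = {
            "keep": keep[:1],
            # Entries carrying the same id are indistinguishable through REST;
            # they must be compared in LDAP (ou=authorities,ou=ca,o=ipaca)
            # before anything is removed.
            "same_id_dups": max(len(keep) - 1, 0),
            "extra": extra,
        }
    return report


if __name__ == "__main__":
    for dn, info in audit_authorities(SAMPLE_XML, IPA_AUTHORITY_ID).items():
        print(dn)
        print("  keep :", info["keep"])
        print("  extra:", info["extra"])
        print("  same-id duplicates:", info["same_id_dups"])
```

Against a live server the XML would come from `/ca/rest/authorities` and the keeper id from `ipa ca-show ipa`; the script only reports, so it can be run before deciding whether the LDAP cleanup Fraser describes is safe.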