Adam Lewis wrote:
Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out.
getcert list shows:
ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
And the debug log shows:
SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.
Those appear to be the most significant messages. I'm disconnected so getting the full log info is difficult. If it's the only way let me know and I'll see what I can do. Worst case it'll just take me a while to re-type it.
Sorry for the delay.
Are you sure you are going back far enough in time? Some of the certs expire at different points.
I typically use this to get the list of expiration dates:
# getcert list | grep expires
Picking the "right" date can be tricky sometimes.
Some other things that the dogtag engineers suggested to test to ensure the CA is actually up:
Get the cert chain:
$ curl http://ipa.example.com:8080/ca/ee/ca/getCertChain
And ensure it can contact its database by getting a cert:
$ curl 'https://ipa.example.com:9443/ca/ee/ca/displayBySerial?op=displayBySerial&serialNumber=0x1'
rob
Thanks
On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Adam Lewis wrote:
Yup, it's just the text string. I don't know how much this matters but when I ran the start-tracking for the ipaCert it didn't generate a new certificate. I'm still working off of serial number 7, which is what it's been since we installed IPA. Is there some way/reason for me to generate a whole new ipaCert?
certmonger will take care of that when renewal happens.
Did you go back in time to when this cert was valid?
rob
Thanks
On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Adam Lewis wrote:
If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output.
The usercertificate in LDAP had the BEGIN/END stripped, right?
I'll cc a couple of the dogtag developers to see what they think.
rob
Thanks
On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Adam Lewis wrote:
A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the AUTH_FAIL messages in the debug log.
I have verified that the ipara entry's serial number and cert match the serial number and cert from the one in /etc/httpd/alias.
How about the certificate PEM? Does it match the usercertificate in the dogtag LDAP server?
rob
Any other ideas?
Thanks!
On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis...@gmail.com> wrote:
Rob,
Thanks for pointing me in the right direction. However after following the instructions in the above mentioned doc I noticed a few things that are odd and have a new problem.
The first odd thing I noticed is that when I run service pki-cad status it shows that my PKI Subsystem Type is "CA Clone (Security Domain)". Shouldn't that say something like "CA Master"?
Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all produced the same AUTH_FAIL message in the debug log.
Now the new problem... after pressing on and restarting things certmonger fails to start with a segfault.
Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault /usr/sbin/certmonger -S -p /var/run/certmonger.pid
Thanks!
On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Lewis, Adam M CIV NSWCDD, H11 wrote:
We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0) however the CA Subsystem and IPA RA certs will not renew.
I've backdated the server to make sure the system was within the renewal window, but that has not helped.
Those are the wrong instructions. You want this instead, https://access.redhat.com/solutions/643753
A bunch of it is for 2.2 but it isn't exactly noted which parts.
A general rule is that you don't/shouldn't need to directly tweak the dogtag configuration or do any of the start-tracking work (though you may want to verify that what/if anything you changed from that wrong doc).
When I run getcert list it reports:
ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
for both the IPA RA and CA Subsystem certs
The debug log shows:
SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.
The place to start is to get the serial # of the ipaCert:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Now get the user from the dogtag LDAP server:
# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description
The format is 2;<serial number>;<issuer subject>;<subject>
See if the serial # matches ipaCert. I'm guessing it won't.
Follow the instructions on the page I cited to update the entry with the current certificate and serial # values. That should get you going.
rob
We are kind of in deep doo-doo until this gets resolved.
We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
Any thoughts?
Thanks!
Adam M. Lewis
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Adam M. Lewis
alewis...@gmail.com
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643
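Rob's check in the quoted thread (the ipaCert serial from certutil against the `2;<serial number>;<issuer subject>;<subject>` description of the ipara entry), written up as an added Python example; this is not code from the thread or from FreeIPA/dogtag, the certutil and ldapsearch outputs are constructed samples, and the realm EXAMPLE.COM is assumed.

```python
# Added example (not code from the thread): compare the ipaCert serial that
# certmonger tracks with the serial dogtag records for the IPA RA agent.
# Dogtag's certUserDBAuthMgr looks the presented cert up in the ipara entry,
# whose description is "2;<serial number>;<issuer subject>;<subject>"; a stale
# serial there is one cause of the AUTH_FAIL / "Invalid Credential" lines.
import re
from collections import namedtuple

IparaRecord = namedtuple("IparaRecord", "version serial issuer subject")

def certutil_serial(certutil_output):
    """Decimal serial from `certutil -L -d /etc/httpd/alias -n ipaCert` output."""
    match = re.search(r"Serial Number:\s*(\d+)", certutil_output)
    if match is None:
        raise ValueError("no 'Serial Number:' line in certutil output")
    return int(match.group(1))

def unfold_ldif(ldif_text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    return re.sub(r"\n ", "", ldif_text)

def ipara_record(ldif_text):
    """Parse the description attribute of the ipara entry from ldapsearch output."""
    for line in unfold_ldif(ldif_text).splitlines():
        if line.startswith("description: "):
            fields = line[len("description: "):].split(";", 3)
            if len(fields) != 4 or fields[0] != "2":
                raise ValueError("unexpected description format: %r" % line)
            return IparaRecord(fields[0], int(fields[1]), fields[2], fields[3])
    raise ValueError("ipara entry has no description attribute")

def ra_record_matches(certutil_output, ldif_text):
    """True when dogtag's ipara record names the serial certmonger is tracking."""
    return certutil_serial(certutil_output) == ipara_record(ldif_text).serial

# Constructed sample outputs (not captured from the systems in the thread):
# serial 7 is the ipaCert serial Adam reports; the ipara entry still names 4.
SAMPLE_CERTUTIL = "Certificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 7 (0x7)\n"
SAMPLE_LDIF = (
    "dn: uid=ipara,ou=People,o=ipaca\n"
    "description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPL\n"
    " E.COM\n"
)

if __name__ == "__main__":
    rec = ipara_record(SAMPLE_LDIF)
    print("ipaCert serial %d, ipara record serial %d -> %s" % (
        certutil_serial(SAMPLE_CERTUTIL), rec.serial,
        "match" if ra_record_matches(SAMPLE_CERTUTIL, SAMPLE_LDIF) else "MISMATCH"))
```

On a live server, feed the functions the real output of the certutil and ldapsearch commands Rob lists; a mismatch is the condition his page fixes by updating the entry.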