Thank you, your help is appreciated. We are still out of luck and this is becoming very critical for us.

Please help. We did remove all but 1 certificate and restarted the master (ds01), but client installation, connection check and replica installation still fail.

certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'

The log messages are:

/var/log/ipaclient-install.log

2017-10-13T06:25:31Z DEBUG Starting external process
2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
2017-10-13T06:25:31Z DEBUG Process finished, return code=255
2017-10-13T06:25:31Z DEBUG stdout=
2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.

/var/log/ipareplica-conncheck.log

2017-10-13T01:56:19Z DEBUG Starting external process
2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f /tmp/tmpbrAYYO/pwdfile.txt
2017-10-13T01:56:19Z DEBUG Process finished, return code=0
2017-10-13T01:56:19Z DEBUG stdout=
2017-10-13T01:56:19Z DEBUG stderr=
2017-10-13T01:56:19Z DEBUG Starting external process
2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f /tmp/tmpbrAYYO/pwdfile.txt
2017-10-13T01:56:19Z DEBUG Process finished, return code=255
2017-10-13T01:56:19Z DEBUG stdout=
2017-10-13T01:56:19Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.

Here is the Red Hat thread: https://access.redhat.com/solutions/1143193.
regards,
Bhavin

________________________________
From: Rob Crittenden <[email protected]>
Sent: Friday, October 13, 2017 5:38 AM
To: FreeIPA users list; Bhavin Vaidya
Cc: John Dennis
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

John Dennis via FreeIPA-users wrote:
> On 10/12/2017 05:06 PM, Bhavin Vaidya wrote:
>> Hello Jon,
>>
>> thank you for your help. responded to main thread, and just sending
>> you the actual output for certutil.
>>
>> [root@ds01 log]# certutil -d /etc/pki/nssdb -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> ARTERIS.COM IPA CA                                           CT,C,C
>> ARTERIS.COM IPA CA                                           CT,C,C
>> ARTERIS.COM IPA CA                                           CT,C,C
>> ARTERIS.COM IPA CA                                           CT,C,C
>
> These nicknames do not look unique to me, I'm assuming you're still
> editing them for inclusion in this email.
>
> But irregardless here is where I'm going with this. Your goal is to
> identify the correct cert to use and which to discard. The only way you
> can do that is to examine each individual cert. To examine an individual
> cert you must have its *unique* nickname to pass to "certutil -L -a -n
> xxx" where xxx is the unique nickname.
>
> Only you can identify the correct cert once you list them. At the
> absolute minimum they should each have a unique (issuer,serial_number)
> pair. The one you want to use will probably select based on the issuer
> and validity dates.

This is how NSS handles multiple copies of the same certificate subject
in a given database. My assumption is that the CA was renewed multiple
times.

This should get you the PEM-encoded copies of the certs:

# certutil -L -d /etc/pki/nssdb -n "ARTERIS.COM IPA CA" -a

rob

>
>> ------------------------------------------------------------------------
>> *From:* John Dennis <[email protected]>
>> *Sent:* Thursday, October 12, 2017 6:10 AM
>> *To:* FreeIPA users list
>> *Cc:* Bhavin Vaidya; Rob Crittenden
>> *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries
>>
>> On 10/12/2017 03:29 AM, Rob Crittenden via FreeIPA-users wrote:
>>> Bhavin Vaidya via FreeIPA-users wrote:
>>>> Hello,
>>>>
>>>> I'm having various problems on our FreeIPA setup, like can not establish
>>>> new replica server or add a client anymore. Initially we had certificate
>>>> issue, then we upgraded the Master FreeIPA server (CentOS 7.0.146) to
>>>> FreeIPA v4.4.0 few months back.
>>>>
>>>> On master server it shows up 4 entries for IPA CA certificate. Is this
>>>> normal?
>>>>
>>>> [root@ds01 ~]# certutil -d /etc/pki/nssdb -L
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>
>>> The question is: are these all different certificates (and why)? I
>>> assume someone ran ipa-cacert-manage renew a bunch of times.
>>>
>>> Multiple entries in itself shouldn't be a problem.
>>>
>>> I assume this is related to your client install issues. You may be
>>> able to get away with having just the latest CA cert stored in LDAP
>>> to avoid this.
>>
>> I saw this last night and my first thought was this shouldn't happen
>> because certutil enforces nickname uniqueness.
>>
>> We would like to verify what each cert is, specifically its issuer and
>> serial number. But we can't ask certutil to show us the details of a
>> cert because you must pass the -n nickname flag to certutil so it can
>> find the cert to display. But since the nicknames are not unique you
>> can't do that. This is why certutil (and any low level NSS API that adds
>> a cert to the db) demands name uniqueness.
>>
>> Are the names listed with -L truly unique? It looks like you edited them.
>>
>> --
>> John
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
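The triage John Dennis describes in the thread (tell the stored copies apart by issuer, serial number and validity dates) as an added example, not code from anyone on this list: it takes the PEM bundle that `certutil -L -d /etc/pki/nssdb -n 'EXAMPLE.COM IPA CA' -a` prints (one block per stored cert) and reports one line per distinct certificate, so byte-identical copies and renewed CA certs are told apart before anything is deleted. The `_toy_cert` sample is constructed for illustration and is not a real or signed certificate.

```python
"""Triage CA certs sharing one NSS nickname: feed it the PEM bundle from
`certutil -L -d /etc/pki/nssdb -n 'EXAMPLE.COM IPA CA' -a` and it reports serial,
issuer digest, validity and copy count per distinct cert (minimal DER walker, stdlib)."""
import base64, hashlib, re, sys
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):
    """Split a SEQUENCE body into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out
def describe(der):
    """Serial, issuer digest and validity from tbsCertificate (optional [0] version skipped)."""
    fields = children(children(children(der)[0][1])[0][1])   # Certificate -> tbs body
    fields = fields[1:] if fields[0][0] == 0xA0 else fields
    not_before, not_after = (v.decode() for _, v in children(fields[3][1]))
    return {"fingerprint": hashlib.sha256(der).hexdigest(), "serial": fields[0][1].hex(),
            "issuer": hashlib.sha256(fields[2][1]).hexdigest()[:16],
            "not_before": not_before, "not_after": not_after}
def summarize(pem_text):
    """One record per distinct cert; byte-identical PEM blocks are counted as copies."""
    seen = {}
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        rec = seen.setdefault(hashlib.sha256(der).hexdigest(), dict(describe(der), copies=0))
        rec["copies"] += 1
    return list(seen.values())
def _toy_cert(serial):
    """Constructed sample, not a real or signed cert: just enough DER for describe()."""
    validity = b"\x17\x0d170101000000Z\x17\x0d270101000000Z"
    tbs = (b"\xa0\x03\x02\x01\x02\x02\x01" + bytes([serial]) + b"\x30\x00\x30\x00\x30\x1e"
           + validity + b"\x30\x00\x30\x00")
    body = b"\x30" + bytes([len(tbs)]) + tbs + b"\x30\x00\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_BUNDLE = _toy_cert(0x0B) * 2 + _toy_cert(0x0C)   # two copies of 0x0b, one renewed 0x0c

if __name__ == "__main__":                  # pipe certutil output in, or run bare for the sample
    for r in summarize(SAMPLE_BUNDLE if sys.stdin.isatty() else sys.stdin.read()):
        print("{copies}x serial={serial} issuer={issuer} {not_before}..{not_after} sha256={fingerprint}".format(**r))
```

Two stored entries with the same issuer digest but different serials and validity windows are distinct CA generations; a copy count above 1 is the same certificate imported more than once.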
