Thank you, your help is appreciated. We are still out of luck and this is 
becoming very critical for us.


Please help.


We did remove all but 1 certificate and restarted the master (ds01), but 
client installation, connection check and replica installation still fail.


certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'


The log messages are:


/var/log/ipaclient-install.log

2017-10-13T06:25:31Z DEBUG Starting external process
2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n 
ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
2017-10-13T06:25:31Z DEBUG Process finished, return code=255
2017-10-13T06:25:31Z DEBUG stdout=
2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to token 
or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.

2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.

/var/log/ipareplica-conncheck.log

2017-10-13T01:56:19Z DEBUG Starting external process
2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A -n 
CN=Certificate Authority,O=ARTERIS.COM -t C,, -f /tmp/tmpbrAYYO/pwdfile.txt
2017-10-13T01:56:19Z DEBUG Process finished, return code=0
2017-10-13T01:56:19Z DEBUG stdout=
2017-10-13T01:56:19Z DEBUG stderr=
2017-10-13T01:56:19Z DEBUG Starting external process
2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A -n 
CN=Certificate Authority,O=ARTERIS.COM -t C,, -f /tmp/tmpbrAYYO/pwdfile.txt
2017-10-13T01:56:19Z DEBUG Process finished, return code=255
2017-10-13T01:56:19Z DEBUG stdout=
2017-10-13T01:56:19Z DEBUG stderr=certutil: could not add certificate to token 
or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.

Here is the Red Hat thread https://access.redhat.com/solutions/1143193.

regards,
Bhavin

________________________________
From: Rob Crittenden <rcrit...@redhat.com>
Sent: Friday, October 13, 2017 5:38 AM
To: FreeIPA users list; Bhavin Vaidya
Cc: John Dennis
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

John Dennis via FreeIPA-users wrote:
> On 10/12/2017 05:06 PM, Bhavin Vaidya wrote:
>> Hello Jon,
>>
>>
>> thank you for your help. responded to main thread, and just sending
>> you the actual output for certutil.
>>
>>
>> [root@ds01 log]#  certutil -d /etc/pki/nssdb -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> ARTERIS.COM IPA CA                                           CT,C,C
>> ARTERIS.COM IPA CA                                           CT,C,C
>> ARTERIS.COM IPA CA                                           CT,C,C
>> ARTERIS.COM IPA CA                                           CT,C,C
>
> These nicknames do not look unique to me, I'm assuming you're still
> editing them for inclusion in this email.
>
> But irregardless here is where I'm going with this. Your goal is to
> identify the correct cert to use and which to discard. The only way you
> can do that is to examine each individual cert. To examine an individual
> cert you must have its *unique* nickname to pass to "certutil -L -a -n
> xxx" where xxx is the unique nickname.
>
> Only you can identify the correct cert once you list them. At the
> absolute minimum they should each have a unique (issuer,serial_number)
> pair. The one you want to use will probably select based on the issuer
> and validity dates.

This is how NSS handles multiple copies of the same certificate subject
in a given database.

My assumption is that the CA was renewed multiple times.

This should get you the PEM-encoded copies of the certs:

# certutil -L -d /etc/pki/nssdb -n "ARTERIS.COM IPA CA" -a

rob

>
>>
>> ------------------------------------------------------------------------
>> *From:* John Dennis <jden...@redhat.com>
>> *Sent:* Thursday, October 12, 2017 6:10 AM
>> *To:* FreeIPA users list
>> *Cc:* Bhavin Vaidya; Rob Crittenden
>> *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries
>> On 10/12/2017 03:29 AM, Rob Crittenden via FreeIPA-users wrote:
>>> Bhavin Vaidya via FreeIPA-users wrote:
>>>> Hello,
>>>>
>>>>
>>>> I'm having various problems on our FreeIPA setup, like not being able
>>>> to establish a new replica server or add a client anymore. Initially we
>>>> had a certificate issue, then we upgraded the master FreeIPA server
>>>> (CentOS 7.0.146) to FreeIPA v4.4.0 a few months back.
>>>>
>>>>
>>>> On master server it shows up 4 entries for IPA CA certificate. Is this
>>>> normal?
>>>>
>>>>
>>>> [root@ds01 ~]# certutil -d /etc/pki/nssdb -L
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>
>>> The question is: are these all different certificates (and why)? I
>>> assume someone ran ipa-cacert-manage renew a bunch of times.
>>>
>>> Multiple entries in itself shouldn't be a problem.
>>>
>>> I assume this is related to your client install issues. You may be
>>> able to get away with having just the latest CA cert stored in LDAP
>>> to avoid this.
>>
>> I saw this last night and my first thought was this shouldn't happen
>> because certutil enforces nickname uniqueness.
>>
>> We would like to verify what each cert is, specifically its issuer and
>> serial number. But we can't ask certutil to show us the details of a
>> cert because you must pass the -n nickname flag to certutil so it can
>> find the cert to display. But since the nicknames are not unique you
>> can't do that. This is why certutil (and any low level NSS API that adds
>> a cert to the db) demands name uniqueness.
>>
>> Are the names listed with -L truly unique? It looks like you edited them.
>>
>>
>> --
>> John
>
>

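A way to do the per-certificate inspection John and Rob describe (issuer, serial number and validity of each cert behind one shared nickname), as an added example that was not posted in this thread. It assumes you first dump the nickname's certs with `certutil -L -d <db> -n '<nick>' -a` into a bundle file; the demo bundle below is constructed with openssl and stands in for that output.

```shell
#!/bin/sh
# Added example, not from the thread: split the PEM bundle that certutil
# emits for a duplicated nickname and print what tells the copies apart.
set -e

# Split a PEM bundle into <outdir>/cert-NN.pem; echo how many certs it held.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# For every split cert, show the (issuer, serial) pair and validity window,
# which is what you compare to decide which renewed CA copy to keep.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -serial -dates
    done
}

# Constructed stand-in for the real certutil output: two self-signed CA
# certs with the same subject (a renewed CA) that differ only in serial/key.
make_demo_bundle() {
    out=$1; dir=$(mktemp -d)
    for serial in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/O=EXAMPLE.COM/CN=Certificate Authority" \
            -set_serial "$serial" -keyout "$dir/k$serial.pem" \
            -out "$dir/c$serial.pem" 2>/dev/null
    done
    cat "$dir/c1.pem" "$dir/c2.pem" > "$out"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    make_demo_bundle /tmp/ca-bundle.pem
    split_pem_bundle /tmp/ca-bundle.pem /tmp/ca-split
    describe_certs /tmp/ca-split
fi
```

Run it as `sh script.sh demo` to see the constructed case; on a real server point `split_pem_bundle` at the file you saved from `certutil -L ... -a` instead.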
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
