On 04/04/18 12:43, Florence Blanc-Renaud wrote:
> You need to check which server is your renewal master (ipa
> config-show | grep 'IPA CA renewal master'), then make
> sure that the certs were properly renewed on this master
> (check consistency between /etc/pki/pki-tomcat/alias, the
> certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the
> content in /etc/pki/pki-tomcat/ca/CS.cfg).
I have only one cert, an ipaCertSubject: CN=Certificate
Authority,O=PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK
which seems to correspond with:
$ certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'caSigningCert cert-pki-ca'
which is also in /etc/pki/pki-tomcat/ca/CS.cfg, and that is:
ca.signing.cert, which is different from ca.subsystem.cert.
But I'd imagine that's expected(?)
New CA master renewing server still fails:
...
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host whale port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
...
It seems that these certs are as they should be. How can I
troubleshoot it further? Can log verbosity be upped?
Many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
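The consistency check Florence describes (same CA signing cert in the NSS database, in cn=certificates,cn=ipa,cn=etc,$BASEDN, and in CS.cfg) is easy to get wrong by eye, because each place stores the cert in a different encoding. The script below is an added example, not code from the thread or from FreeIPA: it compares the three copies by SHA-256 digest of their DER bytes, and it treats ca.subsystem.cert as a separate certificate that is expected to differ from ca.signing.cert, which answers the "(?)" above. Assumptions: the LDAP entry carries the cert in `cACertificate;binary` and is named `<REALM> IPA CA`, the inputs are the text of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -a`, an `ldapsearch -LLL` dump of the cert store, and the raw CS.cfg; the DER blobs embedded here are constructed placeholders, not real certificates.

```python
"""Cross-check the CA signing certificate across the three places a FreeIPA CA
master keeps it: the NSS database (certutil -L -a output), the LDAP cert store
under cn=certificates,cn=ipa,cn=etc,$BASEDN (ldapsearch LDIF) and
/etc/pki/pki-tomcat/ca/CS.cfg (ca.signing.cert). Certificates are compared by
SHA-256 of their DER bytes, so no X.509 parsing is needed."""
import base64
import hashlib
import re
import textwrap

PEM_MARKER = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$", re.M)


def der_from_text(text):
    """Decode a cert given as PEM or as bare one-line base64 (CS.cfg style)."""
    return base64.b64decode(re.sub(r"\s+", "", PEM_MARKER.sub("", text)))


def fingerprint(der):
    """SHA-256 over the DER bytes, colon-separated like certutil/openssl print it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def cs_cfg_value(cfg_text, key):
    """Return the value of a key=value line in CS.cfg."""
    for line in cfg_text.splitlines():
        if line.startswith(key + "="):
            return line[len(key) + 1:].strip()
    raise KeyError(f"{key} not found in CS.cfg")


def ldif_entries(ldif_text):
    """Minimal LDIF reader: unfold continuation lines, split entries on blank
    lines, base64-decode '::' attribute values. Returns {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", ldif_text).strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, rest = line.split(":", 1)
            if rest.startswith(":"):  # "attr:: <base64>"
                attrs.setdefault(name, []).append(base64.b64decode(rest[1:].strip()))
            else:
                attrs.setdefault(name, []).append(rest.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def check_ca_signing_cert(nss_pem, ldap_ldif, cs_cfg, ca_dn):
    """Compare the CA signing cert from NSS, LDAP and CS.cfg; return a report."""
    fps = {
        "nss: caSigningCert cert-pki-ca": fingerprint(der_from_text(nss_pem)),
        "ldap: " + ca_dn: fingerprint(ldif_entries(ldap_ldif)[ca_dn]["cACertificate;binary"][0]),
        "cs.cfg: ca.signing.cert": fingerprint(der_from_text(cs_cfg_value(cs_cfg, "ca.signing.cert"))),
    }
    # ca.subsystem.cert is the CA's own client cert, not the signing cert, so it
    # is expected to differ; report it but never count it as a mismatch.
    subsystem_fp = fingerprint(der_from_text(cs_cfg_value(cs_cfg, "ca.subsystem.cert")))
    return {
        "fingerprints": fps,
        "consistent": len(set(fps.values())) == 1,
        "subsystem_differs_from_signing": subsystem_fp != fps["cs.cfg: ca.signing.cert"],
    }


# ---- constructed sample inputs (placeholder DER blobs, not real certificates) ----
SIGNING_DER = b"\x30\x82\x00\x40" + bytes(range(64))          # stands in for the CA signing cert
SUBSYSTEM_DER = b"\x30\x82\x00\x40" + bytes(range(64, 128))   # stands in for ca.subsystem.cert
STALE_DER = b"\x30\x82\x00\x40" + bytes(range(128, 192))      # an old, pre-renewal copy
CA_SUBJECT = "CN=Certificate Authority,O=PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK"
# Assumed entry name: FreeIPA stores the CA under "<REALM> IPA CA" in the cert store.
CA_DN = ("cn=PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK IPA CA,cn=certificates,cn=ipa,cn=etc,"
         "dc=private,dc=ccnr,dc=ceb,dc=private,dc=cam,dc=ac,dc=uk")


def as_pem(der):
    """What `certutil -L -d <db> -n <nick> -a` prints."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(b64, 64))


def as_ldif(dn, subject, der):
    """What ldapsearch -LLL prints: long base64 values are folded with leading spaces."""
    folded = "\n ".join(textwrap.wrap(base64.b64encode(der).decode(), 60))
    return f"dn: {dn}\nipaCertSubject: {subject}\ncACertificate;binary:: {folded}\n\n"


def as_cs_cfg(signing_der, subsystem_der):
    """The two CS.cfg keys the thread mentions, as one-line base64 values."""
    return "ca.signing.cert=%s\nca.subsystem.cert=%s\n" % (
        base64.b64encode(signing_der).decode(), base64.b64encode(subsystem_der).decode())


NSS_PEM = as_pem(SIGNING_DER)
LDAP_LDIF = as_ldif(CA_DN, CA_SUBJECT, SIGNING_DER)
CS_CFG_OK = as_cs_cfg(SIGNING_DER, SUBSYSTEM_DER)
CS_CFG_STALE = as_cs_cfg(STALE_DER, SUBSYSTEM_DER)  # CS.cfg still holds the pre-renewal cert

if __name__ == "__main__":
    for label, cfg in (("healthy", CS_CFG_OK), ("stale CS.cfg", CS_CFG_STALE)):
        report = check_ca_signing_cert(NSS_PEM, LDAP_LDIF, cfg, CA_DN)
        print(label, "consistent:", report["consistent"])
        for src, fp in report["fingerprints"].items():
            print("  ", src, fp[:23] + "...")
```

On a real master, replace the constructed strings with the actual command output and the file contents; a `consistent: False` with differing fingerprints tells you which copy was not updated by the renewal, which is the thing to fix before chasing the LDAP bind error further.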