On 04/04/2018 04:16 PM, lejeczek via FreeIPA-users wrote:



On 04/04/18 12:43, Florence Blanc-Renaud wrote:
You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check consistency between /etc/pki/pki-tomcat/alias, the certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the content in /etc/pki/pki-tomcat/ca/CS.cfg).

I have only one cert, a ipaCertSubject: CN=Certificate Authority,O=PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK
which seems to correspond with:
$ certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'caSigningCert cert-pki-ca'

The renewed certificates (if any) can be found in LDAP below cn=ca_renewal,cn=ipa,cn=etc,$BASEDN. If your replication got broken at one point, you need to check on different masters.

which is also in /etc/pki/pki-tomcat/ca/CS.cfg, and that is: ca.signing.cert which is different from ca.subsystem.cert
But I'd imagine that's expected(?)

New CA master renewing server still fails:
...
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering! [04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca [04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca [04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host whale port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
...

It seems that these certs are as they should be. How can troubleshoot it further? Can logs verbosity be upped?

You can add verbosity by creating this file:
$ cat /etc/ipa/server.conf
[global]
debug=True

then restart ipa stack. This will add information in httpd's logs.

HTH,
Flo
Many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to