Hi Petr, I was asked to take a look at this issue. I wanted to know if, in parallel, there is a customer case open in the Red Hat portal.

If not, could you provide the /var/log/pki-tomcat/ca/debug log file and the timestamp of the resubmission? I would not manually change the cert DBs under /etc/pki/pki-tomcat/alias, nor delete or recreate any object under o=ipaca, if possible. If you have backups, please restore the original ones. I know about issues with certificate encoding. In general, the error I usually see is a little bit different, like "error -8179:Peer's Certificate issuer is not recognized". It could be interesting to check your certificates in the cert DB once the date has been set back by doing:

certutil -V -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -u O
certutil -V -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -u C
certutil -V -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -u V
certutil -V -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -u J
certutil -V -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -u L

That is more or less what our selftests are doing for the PKI component.

Thanks and regards,
German.

On Fri, Jan 4, 2019 at 1:44 PM Petr Benas via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> we have an issue with resubmitting several certificates.
>
> We suspect the reason might be the encoding mismatch between the
> certificate and the CA certificate.
>
> Our environment was upgraded during the years from some 3.x version to
> current 4.5.4. So the very first CA certificate was encoded in
> PRINTABLESTRING.
>
> Issuer:
>     organizationName = PRINTABLESTRING:EXAMPLE.COM
>     commonName = PRINTABLESTRING:Certificate Authority
> Validity
>     Not Before: Dec 1 14:14:37 2014 GMT
>     Not After : Dec 1 14:14:37 2034 GMT
> Subject:
>     organizationName = PRINTABLESTRING:EXAMPLE.COM
>     commonName = PRINTABLESTRING:Certificate Authority
>
> When we renewed (due to SHA1) we got to PRINTABLESTRING X UTF8STRING and
> after we renewed again, so now we have:
>
> Issuer:
>     organizationName = UTF8STRING:EXAMPLE.COM
>     commonName = UTF8STRING:Certificate Authority
> Validity
>     Not Before: Oct 9 07:34:24 2017 GMT
>     Not After : Oct 9 07:34:24 2037 GMT
> Subject:
>     organizationName = UTF8STRING:EXAMPLE.COM
>     commonName = UTF8STRING:Certificate Authority
>
> And most certificates were renewed fine.
>
> However, recently we noticed that several certificates can't be
> resubmitted; all of them seem to be like this:
>
> Issuer:
>     organizationName = PRINTABLESTRING:EXAMPLE.COM
>     commonName = PRINTABLESTRING:Certificate Authority
> Validity
>     Not Before: Nov 24 12:17:12 2016 GMT
>     Not After : Nov 14 12:17:12 2018 GMT
> Subject:
>     organizationName = UTF8STRING:EXAMPLE.COM
>     commonName = UTF8STRING:ipa07.example.com
>
> The error when resubmitting is:
> Peer certificate cannot be authenticated with given CA certificates.
> The tcpdump from 8443 says Unknown CA.
>
> Is the assumption that the encoding mismatch is blocking the submitting
> certificate correct?
> One of the certificates which we also can't renew is the 'IPA RA'
> (/var/lib/ipa/ra-agent.pem)
>
> What we tried:
> - Adding all versions of the CA certificate to the /etc/pki/pki-tomcat/alias
>   trust store (also adding them one-by-one)
> - Setting the date back before the expiration.
> - Advice from:
>   https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
> - Deleting the related CSR from o=ipaca, supposing that a newly
>   generated CSR will be fine.
>
> Any suggestions what else we could try?
>
> Thanks
> Petr
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org