Hi,

Posting back here, in case someone gets this issue in the future...

The problem turned out to be that IPA put the wrong CA cert subject in the LDAP 
entry under "uid=ipakra,ou=people,o=kra,o=ipaca". 
It looked like this: 

dn: uid=ipakra,ou=people,o=kra,o=ipaca
description: 2;7;CN=Certificate Authority,O=<my_realm>;CN=IPA RA,O=<my_realm>
uid: ipakra
sn: IPA KRA User
usertype: undefined
userCertificate:: <here cert comes>
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: IPA KRA User

So there are a couple of requirements that this entry must satisfy, such as:
- `userCertificate` must contain the cert from /var/lib/ipa/ra-agent.pem 
- `description` must contain the cert serial number (it's the second integer, 
usually 7)
- `description` must further contain the issuer of the cert and its 
subject (CN=IPA RA...)

So in our case, the problem was with the wrong issuer. 
`CN=Certificate Authority` is the default issuer subject, but in my environment 
I actually use a custom one:

$ openssl x509 -noout -issuer -subject -in /var/lib/ipa/ra-agent.pem 
issuer= /CN=My CA/O=<my_realm>
subject= /O=<my_realm>/CN=IPA RA

So the solution was to update that entry in LDAP. The right value for me was 
(note reversed elements of RDN):

description: 2;7;O=<my_realm>,CN=My CA;CN=IPA RA,O=<my_realm>

I believe it's a bug, and I am almost sure I know how to reproduce it. We had 
it in two different environments, and in both of them the following flow 
happened:

1. Deploy the very first IPA1 server, with CA and KRA, using custom CA subject 
("--ca-subject" flag)
2. Deploy a replica IPA2, replicating CA and KRA
3. Destroy IPA1

It looks like maybe during the replication IPA puts the default CA subject 
instead of the custom one...
IPA 4.6.4 on RHEL7.6.

Hope it helps someone.

---
Regards,
Dmitry Perets 
_______________________________________________
FreeIPA-users mailing list -- [email protected]

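An added check script, not from the post above or from FreeIPA itself: it rebuilds the expected `description` value of the `uid=ipakra` entry from the RA agent cert's serial, issuer and subject (taken from the slash-separated `openssl x509 -issuer -subject` output shown in the post) and compares it with the value read from LDAP. The LDIF sample, the serial 7 and the placeholder realm `REALM` are constructed for the example; it assumes no escaped `/` characters inside DN attribute values.

```python
# Added example: detect the issuer mismatch described in the post by
# computing the description value the ipakra entry should carry.
from typing import Dict, List, Optional


def openssl_dn_to_ldap(dn: str) -> str:
    """'/CN=My CA/O=REALM' (openssl slash form) -> 'O=REALM,CN=My CA'.
    The description attribute uses the reversed, comma-separated order.
    Assumption: attribute values contain no escaped '/'."""
    parts = [p for p in dn.strip().split("/") if p]
    return ",".join(reversed(parts))


def expected_description(serial: int, issuer: str, subject: str) -> str:
    """Build '2;<serial>;<issuer DN>;<subject DN>' as IPA stores it."""
    return f"2;{serial};{openssl_dn_to_ldap(issuer)};{openssl_dn_to_ldap(subject)}"


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Minimal LDIF parser: joins continuation lines, keeps multi-valued
    attributes, leaves base64 ('attr:: ...') values as raw base64."""
    attrs: Dict[str, List[str]] = {}
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw.strip():
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value marker
            value = value[1:]
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_ipakra_entry(ldif: str, serial: int, issuer: str, subject: str) -> Optional[str]:
    """Return None when description matches the cert, else a mismatch message."""
    actual = parse_ldif_entry(ldif).get("description", [""])[0]
    expected = expected_description(serial, issuer, subject)
    if actual == expected:
        return None
    return f"description mismatch: expected {expected!r}, found {actual!r}"


# Constructed sample mirroring the post: LDAP holds the default CA subject,
# while the actual RA cert was issued by the custom CA "My CA".
SAMPLE_LDIF = """dn: uid=ipakra,ou=people,o=kra,o=ipaca
description: 2;7;CN=Certificate Authority,O=REALM;CN=IPA RA,O=REALM
uid: ipakra
objectClass: cmsuser
"""
SAMPLE_ISSUER = "/CN=My CA/O=REALM"       # from: openssl x509 -noout -issuer
SAMPLE_SUBJECT = "/O=REALM/CN=IPA RA"     # from: openssl x509 -noout -subject

if __name__ == "__main__":
    print(check_ipakra_entry(SAMPLE_LDIF, 7, SAMPLE_ISSUER, SAMPLE_SUBJECT))
```

On a live server the LDIF would come from an `ldapsearch` of the entry and the serial from the cert; the script only reports, it does not modify LDAP.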