[Freeipa-users] certlist shows ca-error after upgrade

[Cody Ashe-McNalley via FreeIPA-users]

Hi All,

My primary CA's httpd and slapd certs show a 'ca-error' warning "4027 (RPC 
failed at server.  The search criteria was not specific enough.  Expected 1 and 
found 2." 

RHEL 7.9
ipa-server-4.6.8-5.el7.x86_64
CA and DNS enabled

Request ID '20180927235641':
        status: CA_UNREACHABLE
        ca-error: Server at https://<ipaserver>/ipa/xml failed request, will 
retry: 4027 (RPC failed at server.  The search criteria was not specific 
enough. Expected 1 and found 2.).
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-<DOMAIN>/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS
 Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<DOMAIN>
        subject: CN=<ipaserver>,O=<DOMAIN>
        expires: 2022-05-05 23:59:26 UTC
        principal name: ldap/<ipaserver>@<DOMAIN>
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <DOMAIN>
        track: yes
        auto-renew: yes
Request ID '20180927235642':
        status: CA_UNREACHABLE
        ca-error: Server at https://<ipaserver>/ipa/xml failed request, will 
retry: 4027 (RPC failed at server.  The search criteria was not specific 
enough. Expected 1 and found 2.).
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<DOMAIN>
        subject: CN=<ipaserver>,O=<DOMAIN>
        expires: 2022-05-05 23:59:25 UTC
        principal name: HTTP/<ipaserver>@<DOMAIN>
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

Advice and experience would be greatly appreciated.

Best regards,
Cody
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org