Cody Ashe-McNalley via FreeIPA-users wrote:
> Hi All,
>
> My primary CA's httpd and slapd certs show a 'ca-error' warning "4027 (RPC
> failed at server. The search criteria was not specific enough. Expected 1
> and found 2."
>
> RHEL 7.9
> ipa-server-4.6.8-5.el7.x86_64
> CA and DNS enabled
>
> Request ID '20180927235641':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://<ipaserver>/ipa/xml failed request, will
>   retry: 4027 (RPC failed at server. The search criteria was not specific
>   enough. Expected 1 and found 2.).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<DOMAIN>/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=<DOMAIN>
>   subject: CN=<ipaserver>,O=<DOMAIN>
>   expires: 2022-05-05 23:59:26 UTC
>   principal name: ldap/<ipaserver>@<DOMAIN>
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <DOMAIN>
>   track: yes
>   auto-renew: yes
>
> Request ID '20180927235642':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://<ipaserver>/ipa/xml failed request, will
>   retry: 4027 (RPC failed at server. The search criteria was not specific
>   enough. Expected 1 and found 2.).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=<DOMAIN>
>   subject: CN=<ipaserver>,O=<DOMAIN>
>   expires: 2022-05-05 23:59:25 UTC
>   principal name: HTTP/<ipaserver>@<DOMAIN>
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>   track: yes
>   auto-renew: yes
>
> Advice and experience would be greatly appreciated.
I suspect replication conflict entries. I'd suggest starting with:

$ kinit admin
$ ldapsearch -LLL -Y GSSAPI -b cn=services,cn=accounts,$BASEDN '(krbprincipalname=ldap/<ipaserver>@DOMAIN)'

Similar for the HTTP principal.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
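An added example (not code from the thread or from FreeIPA) that reads the LDIF the ldapsearch above prints and shows why the CA answers "Expected 1 and found 2": it counts the entries returned and lists those that look like 389-ds replication conflicts. It assumes the 389-ds conventions for conflict entries (an RDN prefixed with `nsuniqueid=...+` and an `nsds5ReplConflict` attribute); the LDIF embedded below is a constructed sample, not real directory data.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumes 389-ds conflict-entry
# conventions (nsuniqueid=...+ RDN prefix, nsds5ReplConflict attribute).
# SAMPLE_LDIF is constructed: one normal service entry plus one conflict
# copy, which is the "Expected 1 and found 2" situation.
SAMPLE_LDIF='dn: krbprincipalname=ldap/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbprincipalname: ldap/ipa.example.test@EXAMPLE.TEST

dn: nsuniqueid=66446001-1dd211b2-66225794-ac1c4ff5+krbprincipalname=ldap/ipa.e
 xample.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbprincipalname: ldap/ipa.example.test@EXAMPLE.TEST
nsds5ReplConflict: namingConflict krbprincipalname=ldap/ipa.example.test@EXAMP
 LE.TEST,cn=services,cn=accounts,dc=example,dc=test
'

# Join LDIF continuation lines (leading space) back onto their attribute,
# so wrapped DNs from ldapsearch -LLL can be matched on one line.
unwrap_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Number of entries the search returned; the IPA CA expects exactly one.
count_entries() {
    unwrap_ldif | grep -c '^dn: ' || true
}

# DNs of entries that are replication conflicts, one per line.
conflict_dns() {
    unwrap_ldif | awk '
        /^dn: / { dn = substr($0, 5); seen = 0
                  if (dn ~ /^nsuniqueid=/) { print dn; seen = 1 }
                  next }
        /^nsds5ReplConflict:/ { if (!seen) { print dn; seen = 1 } }'
}

# Stand-alone run over the constructed sample.
n=$(printf '%s' "$SAMPLE_LDIF" | count_entries)
echo "entries found: $n (expected 1)"
printf '%s' "$SAMPLE_LDIF" | conflict_dns | sed 's/^/conflict entry: /'
```

Against a live server, replace the sample with `ldapsearch -LLL ... | conflict_dns` to get the DN of the conflict copy that needs cleaning up.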
