[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

junhou he via FreeIPA-users Mon, 12 Dec 2022 01:11:01 -0800

Hi ,
getcert list
Number of certificates and requests being tracked: 7.
Request ID '20221116023302':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=WINGON.HK
        subject: CN=IPA RA,O=WINGON.HK
        issued: 2022-11-16 10:33:02 HKT
        expires: 2024-11-05 10:33:02 HKT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20221116023307':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=WINGON.HK
        subject: CN=CA Audit,O=WINGON.HK
        issued: 2022-11-16 10:31:47 HKT
        expires: 2024-11-05 10:31:47 HKT
        key usage: digitalSignature,nonRepudiation
        profile: caSignedLogCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221116023309':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=WINGON.HK
        subject: CN=OCSP Subsystem,O=WINGON.HK
        issued: 2022-11-16 10:31:46 HKT
        expires: 2024-11-05 10:31:46 HKT
        eku: id-kp-OCSPSigning
        profile: caOCSPCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221116023310':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=WINGON.HK
        subject: CN=CA Subsystem,O=WINGON.HK
        issued: 2022-11-16 10:31:46 HKT
        expires: 2024-11-05 10:31:46 HKT
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221116023311':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=WINGON.HK
        subject: CN=Certificate Authority,O=WINGON.HK
        issued: 2022-11-16 10:31:44 HKT
        expires: 2042-11-16 10:31:44 HKT
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221116023312':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=WINGON.HK
        subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
        issued: 2022-11-16 10:31:46 HKT
        expires: 2024-11-05 10:31:46 HKT
        dns: wocfreeipa.wingon.hk
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        profile: caServerCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221116023354':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=WINGON.HK
        subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
        issued: 2022-11-16 10:33:55 HKT
        expires: 2024-11-16 10:33:55 HKT
        dns: wocfreeipa.wingon.hk
        principal name: krbtgt/wingon...@wingon.hk
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b 
uid=ipara,ou=people,o=ipaca description usercertificate*
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK


openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in 
/var/lib/ipa/ra-agent.pem
subject=CN=IPA RA,O=WINGON.HK
serial=07
issuer=CN=Certificate Authority,O=WINGON.HK

[root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n ipaCert
certutil: Could not find cert: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
[root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, 
Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority 
- G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, 
Inc.,L=Scottsdale,ST=Arizona,C=US C,,

I executed the above command as you suggested, unfortunately ipaCert* cannot be 
found
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

Reply via email to