Duarte Petiz wrote:
> Hello,
> Everything fine?
> Did you have availability to check it?
> Regards
> 
> On Fri, Sep 6, 2024 at 9:58 AM Duarte Petiz <[email protected]> wrote:
> 
>     Hello Rob
>     Thank you a lot for your help.
> 
>     Answers:
>     openssl crl2pkcs7 -nocrl -certfile /etc/ipa/ca.crt | openssl pkcs7 -print_certs -text -noout
> 
>         Certificate:
> 
>                 Data:
>                     Version: 3 (0x2)
>                     Serial Number: 1 (0x1)
>                     Signature Algorithm: sha256WithRSAEncryption
>                     Issuer: O=JSCRAMBLER.COM, CN=Certificate Authority
>                     Validity
>                         Not Before: Sep  4 09:46:01 2024 GMT
>                         Not After : Sep  4 09:46:01 2044 GMT
>                     Subject: O=JSCRAMBLER.COM, CN=Certificate Authority
>                     Subject Public Key Info:
>                         Public Key Algorithm: rsaEncryption
>                             Public-Key: (3072 bit)
>                             Exponent: 65537 (0x10001)
>                     X509v3 extensions:
>                         X509v3 Authority Key Identifier:
>                             22:35:09:8D:75:D8:D9:07:9E:C7:A3:21:D3:49:2A:53:79:94:CF:74
>                         X509v3 Basic Constraints: critical
>                             CA:TRUE
>                         X509v3 Key Usage: critical
>                             Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
>                         X509v3 Subject Key Identifier:
>                             22:35:09:8D:75:D8:D9:07:9E:C7:A3:21:D3:49:2A:53:79:94:CF:74
>                         Authority Information Access:
>                             OCSP - URI:http://ipa-ca.jscrambler.com/ca/ocsp
>                 Signature Algorithm: sha256WithRSAEncryption
>             Certificate:
>                 Data:
>                     Version: 3 (0x2)
>                     Serial Number:
>                         09:0e:e8:c5:de:5b:fa:62:d2:ae:2f:f7:09:7c:48:57
>                     Signature Algorithm: sha256WithRSAEncryption
>                     Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
>                     Validity
>                         Not Before: Nov  2 12:24:25 2017 GMT
>                         Not After : Nov  2 12:24:25 2027 GMT
>                     Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
>                     Subject Public Key Info:
>                         Public Key Algorithm: rsaEncryption
>                             Public-Key: (2048 bit)
>                             Exponent: 65537 (0x10001)
>                     X509v3 extensions:
>                         X509v3 Subject Key Identifier:
>                             A5:8C:FE:32:CC:EB:0F:2C:D4:19:C6:08:B8:00:24:88:5D:C3:C5:B7
>                         X509v3 Authority Key Identifier:
>                             4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39
>                         X509v3 Key Usage: critical
>                             Digital Signature, Certificate Sign, CRL Sign
>                         X509v3 Extended Key Usage:
>                             TLS Web Server Authentication, TLS Web Client Authentication
>                         X509v3 Basic Constraints: critical
>                             CA:TRUE, pathlen:0
>                         Authority Information Access:
>                             OCSP - URI:http://ocsp.digicert.com
>                         X509v3 CRL Distribution Points:
>                             Full Name:
>                               URI:http://crl3.digicert.com/DigiCertGlobalRootG2.crl
>                         X509v3 Certificate Policies:
>                             Policy: X509v3 Any Policy
>                               CPS: https://www.digicert.com/CPS
>                 Signature Algorithm: sha256WithRSAEncryption
> 
>         Certificate:
>             Data:
>                 Version: 3 (0x2)
>                 Serial Number:
>                     03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
>                 Signature Algorithm: sha256WithRSAEncryption
>                 Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
>                 Validity
>                     Not Before: Aug  1 12:00:00 2013 GMT
>                     Not After : Jan 15 12:00:00 2038 GMT
>                 Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
>                 Subject Public Key Info:
>                     Public Key Algorithm: rsaEncryption
>                         Public-Key: (2048 bit)
>                         Exponent: 65537 (0x10001)
>                 X509v3 extensions:
>                     X509v3 Basic Constraints: critical
>                         CA:TRUE
>                     X509v3 Key Usage: critical
>                         Digital Signature, Certificate Sign, CRL Sign
>                     X509v3 Subject Key Identifier:
>                         4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39
>             Signature Algorithm: sha256WithRSAEncryption

So the certificate is there. I wonder if the check is not able to
retrieve serial #1 and is misreporting that as a different issue.


> 
>     [root@prod-us-freeipa /]# ldapsearch -LLL -x -D 'cn=directory manager' -W -b ou=certificateRepository,ou=ca,o=ipaca '(subjectName=CN=CA Audit,O=JSCRAMBLER.COM)' cn
>     Enter LDAP Password:
>     dn: cn=5,ou=certificateRepository,ou=ca,o=ipaca
>     cn: 5
> 
> 
>     [root@prod-us-freeipa /]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' | grep 'Serial Number'
>             Serial Number: 5 (0x5)

So there is only one copy of the audit signing cert and the serial
numbers match.

Nothing conclusive here for either issue unfortunately.

So why are you trying to use ipa-restore at all?

rob
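
The comparison made by eye in the reply above (exactly one LDAP entry for the audit signing cert, with the same serial as the copy in the NSS database), as an added shell example that is not part of the original thread. The function names, the verdict strings and the sample variables are hypothetical, and the sample input is constructed from the output quoted above.

```sh
#!/bin/sh
# Added example: compare the audit signing cert serial held in the CA's LDAP
# certificate repository with the one in the NSS database, working on
# captured command output rather than a live server.

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE_LDIF='dn: cn=5,ou=certificateRepository,ou=ca,o=ipaca
cn: 5'
SAMPLE_NSS='        Serial Number: 5 (0x5)'

# Serial numbers (the cn values) from `ldapsearch ... cn` LDIF on stdin.
ldap_serials() {
    sed -n 's/^cn: *\([0-9][0-9]*\) *$/\1/p'
}

# Decimal serial from `certutil -L -n <nickname>` output on stdin.
# Assumes the short "Serial Number: 5 (0x5)" form shown in the thread.
nss_serial() {
    sed -n 's/^ *Serial Number: *\([0-9][0-9]*\) (0x[0-9a-fA-F]*) *$/\1/p' |
        head -n 1
}

# $1 = LDIF text, $2 = certutil text.
# Prints one verdict: match, mismatch, multiple or missing.
compare_audit_cert() {
    ldap=$(printf '%s\n' "$1" | ldap_serials)
    nss=$(printf '%s\n' "$2" | nss_serial)
    # grep -c exits non-zero when it counts 0 lines, hence the "|| true".
    count=$(printf '%s\n' "$ldap" | grep -c . || true)
    if [ -z "$nss" ] || [ "$count" -eq 0 ]; then
        echo missing      # one side returned no serial at all
    elif [ "$count" -gt 1 ]; then
        echo multiple     # more than one LDAP entry for this subject
    elif [ "$ldap" = "$nss" ]; then
        echo match        # single entry, same serial on both sides
    else
        echo mismatch     # single entry, but the serials differ
    fi
}

compare_audit_cert "$SAMPLE_LDIF" "$SAMPLE_NSS"
```

On a live server the two arguments would be the captured output of the `ldapsearch` and `certutil` commands quoted in the thread.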

> 
> 
>     -- 
>     /Kind Regards/
> 
>     *Duarte Petiz*
>     *DevOps Team Lead* | jscrambler.com
