It is difficult to troubleshoot issues remotely without understanding some of the history and motivations.
This includes things like "why are the DigiCert CA's present?" Are they currently in use? Previously? These aren't likely a root cause but it provides a fuller picture. Was the old server working properly when it was "destroyed?" So far the details have been pretty thin. I'm not sure we've seen the state of the certs since you've done a full restore, other than the healthcheck output. rob Duarte Petiz wrote: > Because we had this installed in baremetal and we moved it to a > different server. The old server was destroyed and we wanted to recover > the data. > It is normal to have disaster recovery procedures and we would like to > have one for freeipa :/ > > On Mon, Sep 16, 2024 at 6:49 PM Rob Crittenden <[email protected] > <mailto:[email protected]>> wrote: > > Duarte Petiz wrote: > > Hello, > > Everything fine? > > Did you had availability to check it? > > Regards > > > > On Fri, Sep 6, 2024 at 9:58 AM Duarte Petiz > <[email protected] <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> wrote: > > > > Hello Rob > > Thank you a lot for your help. > > > > Answers: > > openssl crl2pkcs7 -nocrl -certfile /etc/ipa/ca.crt | openssl pkcs7 > > -print_certs -text -noout > > > > Certificate: > > > > Data: > > Version: 3 (0x2) > > Serial Number: 1 (0x1) > > Signature Algorithm: sha256WithRSAEncryption > > Issuer: O=JSCRAMBLER.COM > <http://JSCRAMBLER.COM> <http://JSCRAMBLER.COM>, > > CN=Certificate Authority > > Validity > > Not Before: Sep 4 09:46:01 2024 GMT > > Not After : Sep 4 09:46:01 2044 GMT > > Subject: O=JSCRAMBLER.COM > <http://JSCRAMBLER.COM> <http://JSCRAMBLER.COM>, > > CN=Certificate Authority > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > Public-Key: (3072 bit) > > Modulus: > > > > 00:a7:73:8a:1d:06:fa:c2:2e:ca:f2:c1:6b:ec:9a: > > > > e2:19:1b:20:8c:ab:8f:d5:51:b2:87:e1:32:a8:8c: > > > > fc:e3:a6:58:a2:91:51:4d:03:c8:05:c3:6a:a1:94: > > > > d1:77:ce:bf:6f:5b:c3:d9:c0:4f:da:29:a8:9a:bf: > > > > f2:a4:b2:fc:b4:8b:a2:5e:47:20:74:23:12:2d:8e: > > > > 67:d4:a3:17:0c:8f:e8:d4:de:75:62:cc:f3:5d:c1: > > > > 6a:ed:28:16:3c:57:a6:f1:8d:51:15:d9:a3:8a:90: > > > > 04:94:72:7c:3a:fa:dd:50:d3:fb:82:21:1f:84:d2: > > > > 3e:5e:75:c4:12:23:89:ae:34:c7:b8:fc:c0:c8:b7: > > > > 38:1f:e7:2f:71:21:96:4f:98:a3:6f:53:d5:a0:73: > > > > c4:9e:78:1b:59:d9:ec:6f:4f:d8:84:fa:b2:af:55: > > > > 7a:8a:93:12:a4:50:f6:cd:9d:7f:3c:39:23:4b:62: > > > > 0f:a6:31:30:61:d8:95:08:e9:3a:a7:6f:f7:91:29: > > > > f4:67:14:40:59:ff:98:1f:54:13:f0:f3:c1:76:f4: > > > > ff:1c:b9:18:e6:c1:3d:44:2a:8c:59:0d:9d:70:c0: > > > > 5a:eb:84:e7:ec:be:b2:b5:9d:42:cd:fc:4c:33:8b: > > > > 0d:65:01:7f:59:0f:fe:59:bc:2b:60:7d:36:0d:f3: > > > > b1:e6:91:e0:d6:c5:a0:ae:61:9d:bb:20:b6:42:5b: > > > > 99:5b:a7:28:e4:e7:4a:35:17:3d:22:67:61:e2:c0: > > > > 99:a5:bb:0f:b1:82:04:cf:55:ab:94:c7:54:d0:6d: > > > > 1a:0a:b2:3d:bc:b8:c2:bc:c8:7e:e2:59:eb:f8:4c: > > > > b3:3c:f7:c0:94:44:39:3f:6a:93:b2:36:e3:43:dc: > > > > 8f:16:5f:3a:dc:2c:0a:74:a0:8c:c6:b2:af:a5:f4: > > > > 2a:e1:36:38:bf:bf:29:98:13:a8:04:5e:79:f4:8e: > > > > 28:c7:01:d8:7b:51:84:10:d8:3b:7a:8b:b4:91:e6: > > 2c:a9:69:50:10:98:2a:54:8e:25 > > Exponent: 65537 (0x10001) > > X509v3 extensions: > > X509v3 Authority Key Identifier: > > > > > 22:35:09:8D:75:D8:D9:07:9E:C7:A3:21:D3:49:2A:53:79:94:CF:74 > > X509v3 Basic Constraints: critical > > CA:TRUE > > X509v3 Key Usage: critical > > Digital Signature, Non Repudiation, > > Certificate Sign, CRL Sign > > X509v3 Subject Key Identifier: > > > > > 22:35:09:8D:75:D8:D9:07:9E:C7:A3:21:D3:49:2A:53:79:94:CF:74 > > Authority Information Access: > > OCSP - > URI:http://ipa-ca.jscrambler.com/ca/ocsp > > Signature Algorithm: sha256WithRSAEncryption > > Signature Value: > > > a4:14:11:b4:c5:ba:7b:3a:41:08:ea:69:92:41:e7:1b:71:2e: > > > 45:30:f0:0d:92:c7:b0:a4:bc:83:4b:b5:ff:1d:78:ae:52:c7: > > > cd:f4:9c:f6:92:01:c8:f0:aa:8e:0a:9a:36:81:53:45:06:d3: > > > 1a:2c:7a:27:6d:00:d0:08:47:d8:2f:0b:2b:67:14:1f:76:13: > > > 62:2a:0c:b9:24:91:f4:55:50:7b:0b:a2:b8:d7:66:68:49:cf: > > > 76:25:18:3e:4d:71:6a:10:1a:4e:33:c3:44:2d:75:6c:c8:73: > > > 62:03:06:44:5d:1d:68:a1:a7:7f:91:9d:33:c0:7f:76:50:6f: > > > 73:5b:6a:2c:91:3b:e8:9f:5a:d6:61:61:f6:44:85:45:8e:a1: > > > f0:8d:a8:07:4d:24:70:73:c7:91:54:e2:99:0b:cc:04:fd:b3: > > > 1b:ed:f2:8a:fc:d2:cf:18:76:18:87:45:3e:f9:cf:58:f0:5b: > > > da:23:b1:51:b9:23:1a:f0:b2:be:3a:6e:c0:c6:13:17:ea:ca: > > > 2d:a6:09:fa:17:04:a2:44:e6:35:9c:6a:d9:4e:e8:37:67:38: > > > 00:69:35:9f:9c:57:2b:01:51:eb:f8:ce:ac:18:d7:87:93:a1: > > > e8:24:fd:fc:c3:9e:21:0a:9f:27:79:6a:00:0b:83:ca:dc:cd: > > > 8e:b2:7c:95:99:ad:3c:4a:81:a1:d7:5f:e9:20:3e:75:ab:cb: > > > ab:46:c3:19:e2:55:9b:ea:5c:79:e1:80:36:84:03:a8:37:89: > > > 2a:d8:45:b3:ba:7c:49:74:a4:ad:8f:09:90:35:32:c6:07:42: > > > 65:28:7b:d8:ec:f6:40:88:38:74:1b:6f:79:f3:0a:67:4f:c0: > > > d3:37:3b:c9:8e:bb:9e:28:e0:0d:ac:49:a3:e9:97:bf:40:b3: > > > 7d:4f:71:22:be:cb:b6:64:8b:41:12:f3:f0:76:c7:a1:18:17: > > > 3d:fc:75:2b:cd:7f:84:09:31:78:4c:b2:c1:9a:ba:3a:f8:44: > > 02:81:75:9c:57:c2 > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: > > > 09:0e:e8:c5:de:5b:fa:62:d2:ae:2f:f7:09:7c:48:57 > > Signature Algorithm: sha256WithRSAEncryption > > Issuer: C=US, O=DigiCert Inc, > OU=www.digicert.com <http://www.digicert.com> > > <http://www.digicert.com>, CN=DigiCert Global Root G2 > > Validity > > Not Before: Nov 2 12:24:25 2017 GMT > > Not After : Nov 2 12:24:25 2027 GMT > > Subject: C=US, O=DigiCert Inc, > OU=www.digicert.com <http://www.digicert.com> > > <http://www.digicert.com>, CN=Thawte TLS RSA CA G1 > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > Public-Key: (2048 bit) > > Modulus: > > > > 00:c6:39:e0:98:f8:55:7a:d0:b4:6f:fa:33:6d:82: > > > > 5d:cc:e0:54:03:5b:0c:a2:0e:3b:d3:7d:1c:00:ff: > > > > 8f:db:70:0d:50:df:20:ad:71:02:2f:c3:61:0c:41: > > > > 78:17:54:7d:b4:bd:30:63:49:9c:cc:76:91:d1:ae: > > > > e5:61:a9:e5:c6:dc:16:a3:5b:36:b8:69:e7:c8:3b: > > > > 3a:98:e0:ac:eb:a7:b0:db:0d:d8:11:3a:fa:4d:bd: > > > > 78:c6:08:e9:bb:58:06:16:d0:1e:7b:06:a2:90:ef: > > > > 45:b9:df:21:c4:62:53:4b:09:fc:c5:e3:64:7c:a5: > > > > 56:a4:3d:8b:e2:f1:4d:df:a1:4d:83:17:a2:94:ae: > > > > 9a:13:8c:a4:80:60:33:36:5a:24:4e:9e:a1:34:e2: > > > > c0:62:90:f2:49:d2:c0:3c:ac:ee:25:24:3b:24:21: > > > > 19:e8:ef:92:0c:ac:b0:21:d5:cb:a0:c4:e7:a7:1b: > > > > 81:28:64:86:f3:c3:56:4e:8d:c2:1c:23:86:99:01: > > > > 02:89:ad:b2:a9:d3:c3:8e:02:ea:9c:48:98:36:3c: > > > > 10:2f:cb:8c:aa:3f:2b:3a:f9:4c:82:f8:81:70:70: > > > > 3b:c6:dc:be:ef:fb:98:2c:de:99:4b:b5:6a:d7:f1: > > > > 7f:95:58:55:39:fe:5e:8f:a8:d9:76:60:7c:e6:cc: > > c5:6d > > Exponent: 65537 (0x10001) > > X509v3 extensions: > > X509v3 Subject Key Identifier: > > > > > A5:8C:FE:32:CC:EB:0F:2C:D4:19:C6:08:B8:00:24:88:5D:C3:C5:B7 > > X509v3 Authority Key Identifier: > > > > > 4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39 > > X509v3 Key Usage: critical > > Digital Signature, Certificate Sign, > CRL Sign > > X509v3 Extended Key Usage: > > TLS Web Server Authentication, TLS Web > > Client Authentication > > X509v3 Basic Constraints: critical > > CA:TRUE, pathlen:0 > > Authority Information Access: > > OCSP - URI:http://ocsp.digicert.com > > X509v3 CRL Distribution Points: > > Full Name: > > > > URI:http://crl3.digicert.com/DigiCertGlobalRootG2.crl > > X509v3 Certificate Policies: > > Policy: X509v3 Any Policy > > CPS: https://www.digicert.com/CPS > > Signature Algorithm: sha256WithRSAEncryption > > Signature Value: > > > ba:92:6d:0a:03:8b:13:6f:65:58:a4:40:66:fe:e2:f6:1c:bf: > > > e9:65:7f:41:ec:bf:e1:6c:9e:0d:72:80:5e:ed:5e:7a:a0:29: > > > ed:ed:a7:88:a3:cb:0c:8c:24:56:4c:25:99:0f:57:58:d3:ed: > > > 8a:64:e0:b5:74:a8:fc:77:55:57:5c:0b:67:8f:2b:43:0e:e3: > > > cf:7f:af:e2:a3:0d:26:61:04:ce:fc:60:20:fc:c2:f2:2f:a0: > > > 83:9b:71:73:0c:1f:15:b6:c1:ff:69:e3:20:3f:aa:60:0f:55: > > > d0:ab:3f:a1:68:39:df:9c:94:ca:06:ec:61:72:99:f1:dc:07: > > > 5b:95:eb:9e:fd:09:cf:7f:58:47:61:af:0b:f9:1b:fc:3e:2e: > > > 54:87:85:7d:17:01:ce:7e:98:5d:31:73:b1:8b:5e:0e:aa:6b: > > > 22:4d:b7:39:70:eb:3d:fe:eb:a4:1f:e6:15:b2:e1:5d:59:39: > > > da:e8:85:70:d6:a8:7e:b4:4b:72:1f:5e:91:be:68:bb:a6:4a: > > > b2:65:85:0b:38:f3:08:13:b6:af:ae:58:d5:54:16:6e:8a:4c: > > > 00:46:d6:3c:b4:25:55:e8:fa:7d:97:75:5e:6a:00:6a:6f:67: > > > df:82:a3:49:b7:70:b4:4d:83:58:40:8f:81:5c:6d:51:d5:c0: > > 01:96:89:5d > > > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: > > 03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5 > > Signature Algorithm: sha256WithRSAEncryption > > Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com > <http://www.digicert.com> > > <http://www.digicert.com>, CN=DigiCert Global Root G2 > > Validity > > Not Before: Aug 1 12:00:00 2013 GMT > > Not After : Jan 15 12:00:00 2038 GMT > > Subject: C=US, O=DigiCert Inc, OU=www.digicert.com > <http://www.digicert.com> > > <http://www.digicert.com>, CN=DigiCert Global Root G2 > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > Public-Key: (2048 bit) > > Modulus: > > > 00:bb:37:cd:34:dc:7b:6b:c9:b2:68:90:ad:4a:75: > > > ff:46:ba:21:0a:08:8d:f5:19:54:c9:fb:88:db:f3: > > > ae:f2:3a:89:91:3c:7a:e6:ab:06:1a:6b:cf:ac:2d: > > > e8:5e:09:24:44:ba:62:9a:7e:d6:a3:a8:7e:e0:54: > > > 75:20:05:ac:50:b7:9c:63:1a:6c:30:dc:da:1f:19: > > > b1:d7:1e:de:fd:d7:e0:cb:94:83:37:ae:ec:1f:43: > > > 4e:dd:7b:2c:d2:bd:2e:a5:2f:e4:a9:b8:ad:3a:d4: > > > 99:a4:b6:25:e9:9b:6b:00:60:92:60:ff:4f:21:49: > > > 18:f7:67:90:ab:61:06:9c:8f:f2:ba:e9:b4:e9:92: > > > 32:6b:b5:f3:57:e8:5d:1b:cd:8c:1d:ab:95:04:95: > > > 49:f3:35:2d:96:e3:49:6d:dd:77:e3:fb:49:4b:b4: > > > ac:55:07:a9:8f:95:b3:b4:23:bb:4c:6d:45:f0:f6: > > > a9:b2:95:30:b4:fd:4c:55:8c:27:4a:57:14:7c:82: > > > 9d:cd:73:92:d3:16:4a:06:0c:8c:50:d1:8f:1e:09: > > > be:17:a1:e6:21:ca:fd:83:e5:10:bc:83:a5:0a:c4: > > > 67:28:f6:73:14:14:3d:46:76:c3:87:14:89:21:34: > > > 4d:af:0f:45:0c:a6:49:a1:ba:bb:9c:c5:b1:33:83: > > 29:85 > > Exponent: 65537 (0x10001) > > X509v3 extensions: > > X509v3 Basic Constraints: critical > > CA:TRUE > > X509v3 Key Usage: critical > > Digital Signature, Certificate Sign, CRL Sign > > X509v3 Subject Key Identifier: > > > > 4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39 > > Signature Algorithm: sha256WithRSAEncryption > > Signature Value: > > 60:67:28:94:6f:0e:48:63:eb:31:dd:ea:67:18:d5:89:7d:3c: > > c5:8b:4a:7f:e9:be:db:2b:17:df:b0:5f:73:77:2a:32:13:39: > > 81:67:42:84:23:f2:45:67:35:ec:88:bf:f8:8f:b0:61:0c:34: > > a4:ae:20:4c:84:c6:db:f8:35:e1:76:d9:df:a6:42:bb:c7:44: > > 08:86:7f:36:74:24:5a:da:6c:0d:14:59:35:bd:f2:49:dd:b6: > > 1f:c9:b3:0d:47:2a:3d:99:2f:bb:5c:bb:b5:d4:20:e1:99:5f: > > 53:46:15:db:68:9b:f0:f3:30:d5:3e:31:e2:8d:84:9e:e3:8a: > > da:da:96:3e:35:13:a5:5f:f0:f9:70:50:70:47:41:11:57:19: > > 4e:c0:8f:ae:06:c4:95:13:17:2f:1b:25:9f:75:f2:b1:8e:99: > > a1:6f:13:b1:41:71:fe:88:2a:c8:4f:10:20:55:d7:f3:14:45: > > e5:e0:44:f4:ea:87:95:32:93:0e:fe:53:46:fa:2c:9d:ff:8b: > > 22:b9:4b:d9:09:45:a4:de:a4:b8:9a:58:dd:1b:7d:52:9f:8e: > > 59:43:88:81:a4:9e:26:d5:6f:ad:dd:0d:c6:37:7d:ed:03:92: > > 1b:e5:77:5f:76:ee:3c:8d:c4:5d:56:5b:a2:d9:66:6e:b3:35: > > 37:e5:32:b6 > > So the certificate is there. I wonder if the check is not able to > retriever serial #1 and mis-reporting that as a different issue. > > > > > > [root@prod-us-freeipa /]# ldapsearch -LLL -x -D 'cn=directory > > manager' -W -b ou=certificateRepository,ou=ca,o=ipaca > > '(subjectName=CN=CA Audit,O=JSCRAMBLER.COM > <http://JSCRAMBLER.COM> <http://JSCRAMBLER.COM>)' cn > > Enter LDAP Password: > > dn: cn=5,ou=certificateRepository,ou=ca,o=ipaca > > cn: 5 > > > > > > [root@prod-us-freeipa /]# certutil -L -d /etc/pki/pki-tomcat/alias > > -n 'auditSigningCert cert-pki-ca' | grep 'Serial Number' > > Serial Number: 5 (0x5) > > So there is only one copy of the audit signing cert and the serial > numbers match. > > Nothing conclusive here for either issue unfortunately. > > So why are you trying to use ipa-restore at all? > > rob > > > > > > > -- > > /Kind Regards/ > > > > *Duarte Petiz* > > *DevOps Team Lead *| jscrambler.com <http://jscrambler.com> > <http://jscrambler.com/> > > * > > * > > * > > * > > > > > > > > -- > > /Kind Regards/ > > > > *Duarte Petiz* > > *DevOps Team Lead *| jscrambler.com <http://jscrambler.com> > <http://jscrambler.com/> > > * > > * > > * > > * > > > > > > -- > /Kind Regards/ > > *Duarte Petiz* > *DevOps Team Lead *| jscrambler.com <http://jscrambler.com/> > * > * > * > * > -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
