Erinn Looney-Triggs wrote:

On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
In the process of prepping a replication host for changing over the
CA I had to use certmonger to generate another certificate on my
secondary IPA server. Unfortunately it seems to fail every single
time. Here is what I am running and here is what I am getting:

ipa-getcert request -k private/ -f certs/ -g 2048

The request appears to work, however when checking the list I
receive the following:

ipa-getcert list -r
Number of certificates and requests being tracked: 9.
Request ID '20131128202128':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/certs/'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Fine, I check the http logs and get about the same:

[Thu Nov 28 22:03:06 2013] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE (Authentication Error)

Now as I understand it ipa-getcert is going to the server listed in
/etc/ipa/default.conf, which in this case is (the
request is coming from the same host). The host principal in
/etc/krb5.keytab is used for authentication.

I have tested against the primary ipa server and everything works
as it should. However, any requests going against ipa2 for
certificates are failing.

At this point I am stuck, so any suggestions are welcome.


Replying to myself here, and narrowing this down a bit further: this
seems to be a straight auth problem against my secondary IPA server.
All commands work against the primary; all certificate commands against
the secondary fail.

It appears to be confined to dogtag (other commands like ipa user-show
work), but how exactly dogtag handles auth I am not clear on. It
appears as though mod_auth_kerb handles most things and that is
definitely working. However any access against dogtag components is
failing, so dogtag must/should/may be handling auth internally in a
way that is failing.

Anyway, suggestions are still welcome,

Run this on the replica and see if it is being tracked by certmonger:

# getcert list -d /etc/httpd/alias -n ipaCert

If not, see if a cert with the nickname ipaCert is in /etc/httpd/alias:

# certutil -L -d /etc/httpd/alias -n ipaCert

If so, see if you have the key:

# certutil -K -d /etc/httpd/alias -n ipaCert -f /etc/httpd/alias/pwdfile.txt

This is the RA agent certificate that IPA uses to authenticate to dogtag. If it doesn't exist, or is expired, or is the wrong one, then authentication will fail.

The cert is shared amongst all the IPA masters, so if it is working on one master then fixing the replica should be straightforward assuming it already has the key.
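A small triage script for the checks described in this reply, added here as an example and not part of the thread or of FreeIPA itself. It parses `getcert list` output into one record per request, flags stuck requests whose CA error is the dogtag "Authentication Error" seen above, and locates the tracking entry for the ipaCert RA agent certificate; the embedded getcert output is a constructed sample in the shape of what Erinn posted, and the `/etc/httpd/alias` nickname layout is assumed from the reply.

```python
import re
import subprocess

# Constructed sample in the shape of `ipa-getcert list -r` output (not captured from a real host).
SAMPLE_GETCERT = """Number of certificates and requests being tracked: 2.
Request ID '20131128202128':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/example.key'
    CA: IPA
Request ID '20131101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
    CA: IPA
"""


def parse_getcert_list(text):
    """Split getcert output into one dict per request, keyed by the field names getcert prints."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        # Indented "key: value" lines belong to the most recent request.
        if requests and line.startswith((" ", "\t")) and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def diagnose(requests):
    """Flag stuck requests whose CA error is the dogtag authentication failure from the thread."""
    findings = []
    for r in requests:
        if r.get("stuck") == "yes" and "Authentication Error" in r.get("ca-error", ""):
            findings.append((r["id"], "dogtag rejected the RA agent; verify ipaCert in /etc/httpd/alias"))
    return findings


def find_ra_cert(requests, nickname="ipaCert"):
    """Return the tracking entry for the RA agent cert, or None if certmonger is not tracking it."""
    for r in requests:
        if "nickname='%s'" % nickname in r.get("key pair storage", ""):
            return r
    return None


if __name__ == "__main__":
    # On a real replica, run the same checks against live getcert output.
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    reqs = parse_getcert_list(out)
    print("RA cert tracked:", find_ra_cert(reqs) is not None)
    for req_id, msg in diagnose(reqs):
        print(req_id, msg)
```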


Freeipa-users mailing list
