Erinn Looney-Triggs wrote:
On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
In the process of prepping a replication host for changing over the
CA I had to use certmonger to generate another certificate on my
secondary IPA server. Unfortunately it seems to fail every single
time. Here is what I am running and here is what I am getting:
ipa-getcert request -k private/ipa2.abaqis.com.key -f certs/ipa2.abaqis.com.crt -g 2048
The request appears to work, however when checking the list I
receive the following:
ipa-getcert list -r
Number of certificates and requests being tracked: 9.
Request ID '20131128202128':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Authentication Error)).
    stuck: yes
    key pair storage:
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Fine, I check the http logs and get about the same:
[Thu Nov 28 22:03:06 2013] [error] ipa: ERROR:
Now as I understand it ipa-getcert is going to the server listed in
/etc/ipa/default.conf, which in this case is ipa2.abaqis.com (the
request is coming from the same host). The host principal in
/etc/krb5.keytab is used for authentication.
I have tested against the primary ipa server and everything works
as it should. However, any requests going against ipa2 for
certificates are failing.
At this point I am stuck, so any suggestions are welcome.
Replying to myself here, and narrowing this down a bit further this
seems to be a straight auth problem against my secondary ipa server.
All commands work against the primary, all certificate commands against
the secondary fail.
It appears to be confined to dogtag (other commands like ipa user-show
work), but how exactly dogtag handles auth I am not clear on. It
appears as though mod_auth_kerb handles most things and that is
definitely working. However any access against dogtag components is
failing, so dogtag must/should/may be handling auth internally in a
way that is failing.
Anyway, suggestions are still welcome,
Run this on the replica and see if it is being tracked by certmonger:
# getcert list -d /etc/httpd/alias -n ipaCert
If not, see if a cert with the nickname ipaCert is in /etc/httpd/alias:
# certutil -L -d /etc/httpd/alias -n ipaCert
If so, see if you have the key:
# certutil -K -d /etc/httpd/alias -n ipaCert -f /etc/httpd/alias/pwdfile.txt
This is the RA agent certificate that IPA uses to authenticate to
dogtag. If it doesn't exist, or is expired, or is the wrong one, then
authentication will fail.
The cert is shared amongst all the IPA masters, so if it is working on
one master then fixing the replica should be straightforward assuming it
already has the key.
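As an added example (not code from the thread, from certmonger or from FreeIPA), the following Python script parses `getcert list` output in the format quoted earlier in the thread, flags every request that is stuck, not in MONITORING state or carrying a ca-error, and checks whether an NSS database nickname such as ipaCert is tracked at all, which is the first thing the reply above asks for. The sample output embedded in it is constructed: the first record reuses the failing request from the thread, while the file locations, the second request ID, the EXAMPLE.TEST realm and the expiry date are assumptions.

```python
"""Added example: parse `getcert list` output and flag unhealthy requests.

SAMPLE_OUTPUT is constructed for this example. The first record reuses the
values of the failing request quoted in the thread; the file locations, the
second request ID, the EXAMPLE.TEST realm and the expiry date are assumed.
"""
import re

SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20131128202128':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Authentication Error)).
\tstuck: yes
\tkey pair storage: type=FILE,location='/root/private/ipa2.abaqis.com.key'
\tcertificate: type=FILE,location='/root/certs/ipa2.abaqis.com.crt'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID '20131001120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2015-10-01 12:00:00 UTC
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':")
HEALTHY_STATUS = "MONITORING"  # the steady state of a tracked, issued cert


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    requests = []
    current = None
    for line in text.splitlines():
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        if current is None or not line.startswith(("\t", " ")):
            continue  # preamble such as the "Number of certificates..." line
        # Fields are "name: value"; split on the first colon only, because
        # values such as ca-error contain further colons.
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def find_problems(requests):
    """Return [(request id, [issues])] for every request that is not healthy."""
    problems = []
    for req in requests:
        issues = []
        if req.get("status") != HEALTHY_STATUS:
            issues.append("status=%s" % req.get("status"))
        if req.get("stuck") == "yes":
            issues.append("stuck")
        if req.get("ca-error"):
            issues.append("ca-error: " + req["ca-error"])
        if issues:
            problems.append((req["id"], issues))
    return problems


def is_tracked(requests, nickname, location):
    """True if certmonger tracks a certificate with this NSS DB nickname/location."""
    for req in requests:
        cert = req.get("certificate", "")
        if ("nickname='%s'" % nickname) in cert and ("location='%s'" % location) in cert:
            return True
    return False


def needs_ra_cert_check(requests):
    """IDs whose CA error is an authentication failure: IPA could not
    authenticate to dogtag, so the RA agent cert (ipaCert) is the first suspect."""
    return [req["id"] for req in requests
            if "Authentication Error" in req.get("ca-error", "")]


if __name__ == "__main__":
    import sys
    # Read real output when piped in (getcert list | python3 this.py),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    reqs = parse_getcert_list(text)
    for rid, issues in find_problems(reqs):
        print("request %s: %s" % (rid, "; ".join(issues)))
    print("ipaCert tracked in /etc/httpd/alias:",
          is_tracked(reqs, "ipaCert", "/etc/httpd/alias"))
    for rid in needs_ra_cert_check(reqs):
        print("request %s failed with an authentication error; "
              "check the RA agent cert as described above" % rid)
```

Run it as `getcert list | python3 getcert_check.py` on the replica; on the constructed sample it reports the stuck CA_UNREACHABLE request with its authentication error and confirms that ipaCert is tracked, which is the split the reply above is trying to establish (certmonger-side request state versus the RA agent certificate IPA itself presents to dogtag).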
Freeipa-users mailing list