-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/02/2013 07:40 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
>>> In the process of prepping a replication host for changing over
>>> the CA I had to use certmonger to generate another certificate
>>> on my secondary IPA server. Unfortunately it seems to fail
>>> every single time. Here is what I am running and here is what I
>>> am getting:
>>> 
>>> ipa-getcert request -k private/ipa2.abaqis.com.key -f 
>>> certs/ipa2.abaqis.com.crt -g 2048
>>> 
>>> The request appears to work, however when checking the list I 
>>> receive the following:
>>> 
>>> ipa-getcert list -r Number of certificates and requests being 
>>> tracked: 9. Request ID '20131128202128': status:
>>> CA_UNREACHABLE ca-error: Server failed request, will retry:
>>> 4301 (RPC failed at server.  Certificate operation cannot be
>>> completed: FAILURE (Authentication Error)). stuck: yes key pair
>>> storage: 
>>> type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key' 
>>> certificate: 
>>> type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
>>> CA: IPA issuer: subject: expires: unknown pre-save command:
>>> post-save command: track: yes auto-renew: yes
>>> 
>>> Fine, I check the http logs and get about the same: [Thu Nov
>>> 28 22:03:06 2013] [error] ipa: ERROR: 
>>> ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE 
>>> (Authentication Error)
>>> 
>>> Now as I understand it ipa-getcert is going to theserver listed
>>> in /etc/ipa/default.conf, which in this case is ipa2.abaqis.com
>>> (the request is coming from the same host). The host principle
>>> in /etc/krb5.keytab is used for authentication.
>>> 
>>> I have tested against the primary ipa server and everything
>>> works as it should. However, any requests going against ipa2
>>> for certificates are failing.
>>> 
>>> At this point I am stuck, so any suggestions are welcome.
>>> 
>>> -Erinn
>>> 
>>> 
>> 
>> Replying to myself here, and narrowing this down a bit further
>> this seems to be a straight auth problem against my secondary ipa
>> server. All command work against the primary, all certificate
>> commands against the secondary fail.
>> 
>> It appears to be confined to dogtag (other commands like ipa
>> user-show work), but how exactly dogtag handles auth I am not
>> clear on. It appears as though mod_auth_kerb handles most things
>> and that is definitely working. However any access against dogtag
>> components is failing, so dogtag must/should/may be handling auth
>> internally in a way that is failing.
>> 
>> Anyway, suggestions are still welcome,
> 
> Run this on the replica and see if it is being tracked by
> certmonger
> 
> # getcert list -d /etc/httpd/alias -n ipaCert
> 
> If not, see if the a cert with the nickname ipaCert is in
> /etc/httpd/alias:
> 
> # certutil -L -d /etc/httpd/alias -n ipaCert
> 
> If so, see if you have the key:
> 
> # certutil -K -d /etc/httpd/alias -n ipaCert -f 
> /etc/httpd/alias/pwdfile.txt
> 
> This is the RA agent certificate that IPA uses to authenticate to 
> dogtag. If it doesn't exist, or is expired, or is the wrong one,
> then authentication will fail.
> 
> The cert is shared amongst all the IPA masters, so if it is working
> on one master then fixing the replica should be straightforward
> assuming it already has the key.
> 
> rob

getcert list -d /etc/httpd/alias -n ipaCert
Number of certificates and requests being tracked: 9.
Request ID '20130221171049':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=ABAQIS.COM
        subject: CN=IPA RA,O=ABAQIS.COM
        expires: 2013-12-10 03:23:26 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

All the components appear to be there, the certificate is valid until
the 10th as you can see about. The other two commands worked fine as
well and everything appears to me to be valid.

However, I am still getting the auth errors, and I note in the log,
what I assume to be the first ipa server attempting to connect and
getting auth errors as well.

- -Erinn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQEcBAEBAgAGBQJSnKu/AAoJENetaK3v/E7P208IAJOLZ3gAouWOgTMyWeFyePGV
bwjnkfzkCzoyZuzqyqfTg9AwfxhVClcG6jxadd4CIdA1sUYdvYQGyPubjyMX3W1T
Yfvx4y7z4DTcCwyxl5VTmqcTJe7yEhD48Cn+5fNb0fJZZpc6ngG1u4HvZKpZ/KmX
i3Ck0e2sDuIGPAf35c3Gg2fPmCDu9TXzu2MbujpAhBMsqo+YrizNkp2P6tdkHINw
gIBXl/DcSV4vbC7DSaSXMCNzJk77EdYihbtAccpJZXznmsbWWVhsxBTQNfmum5Fe
G8xjUhSJljDLd0iXewUVpa6i7MZrzRjNzsF1ikKFFecHw/QTHRE1iHJUR1LVv4g=
=Hisv
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to