Erinn Looney-Triggs wrote:
Hash: SHA1

On 12/02/2013 07:40 AM, Rob Crittenden wrote:
Erinn Looney-Triggs wrote:

On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
In the process of prepping a replication host for changing over
the CA I had to use certmonger to generate another certificate
on my secondary IPA server. Unfortunately it seems to fail
every single time. Here is what I am running and here is what I
am getting:

ipa-getcert request -k private/ -f
certs/ -g 2048

The request appears to work, however when checking the list I
receive the following:

ipa-getcert list -r Number of certificates and requests being
tracked: 9. Request ID '20131128202128': status:
CA_UNREACHABLE ca-error: Server failed request, will retry:
4301 (RPC failed at server.  Certificate operation cannot be
completed: FAILURE (Authentication Error)). stuck: yes key pair
CA: IPA issuer: subject: expires: unknown pre-save command:
post-save command: track: yes auto-renew: yes

Fine, I check the http logs and get about the same: [Thu Nov
28 22:03:06 2013] [error] ipa: ERROR:
ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE
(Authentication Error)

Now as I understand it ipa-getcert is going to theserver listed
in /etc/ipa/default.conf, which in this case is
(the request is coming from the same host). The host principle
in /etc/krb5.keytab is used for authentication.

I have tested against the primary ipa server and everything
works as it should. However, any requests going against ipa2
for certificates are failing.

At this point I am stuck, so any suggestions are welcome.


Replying to myself here, and narrowing this down a bit further
this seems to be a straight auth problem against my secondary ipa
server. All command work against the primary, all certificate
commands against the secondary fail.

It appears to be confined to dogtag (other commands like ipa
user-show work), but how exactly dogtag handles auth I am not
clear on. It appears as though mod_auth_kerb handles most things
and that is definitely working. However any access against dogtag
components is failing, so dogtag must/should/may be handling auth
internally in a way that is failing.

Anyway, suggestions are still welcome,

Run this on the replica and see if it is being tracked by

# getcert list -d /etc/httpd/alias -n ipaCert

If not, see if the a cert with the nickname ipaCert is in

# certutil -L -d /etc/httpd/alias -n ipaCert

If so, see if you have the key:

# certutil -K -d /etc/httpd/alias -n ipaCert -f

This is the RA agent certificate that IPA uses to authenticate to
dogtag. If it doesn't exist, or is expired, or is the wrong one,
then authentication will fail.

The cert is shared amongst all the IPA masters, so if it is working
on one master then fixing the replica should be straightforward
assuming it already has the key.


getcert list -d /etc/httpd/alias -n ipaCert
Number of certificates and requests being tracked: 9.
Request ID '20130221171049':
         status: MONITORING
         stuck: no
         key pair storage:
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
Certificate DB'
         CA: dogtag-ipa-retrieve-agent-submit
         issuer: CN=Certificate Authority,O=ABAQIS.COM
         subject: CN=IPA RA,O=ABAQIS.COM
         expires: 2013-12-10 03:23:26 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
         track: yes
         auto-renew: yes

All the components appear to be there, the certificate is valid until
the 10th as you can see about. The other two commands worked fine as
well and everything appears to me to be valid.

However, I am still getting the auth errors, and I note in the log,
what I assume to be the first ipa server attempting to connect and
getting auth errors as well.

Ok, I'm a little unclear on something. Can any of your IPA masters communicate with dogtag? I thought that one master could and one couldn't.

A simple way to find out is:

# ipa cert-show 1

This shows some random cert. If you get cert output then things are working. If not the logs will probably confirm the auth failure.

Next step is to run this on each master:

# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

The serial numbers should be the same. I wonder if you'll find the to be different.

The serial number should match this value:

# ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description

The second integer in description is the serial number.


Freeipa-users mailing list

Reply via email to