Hi,

On 6.3.2014 05:42, Robert Story wrote:
Hi,

I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64) and an
external CA. I'm getting this error:

Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-jNYt3P -r 
/ca/agent/ca/profileReview?requestId=6 auth.lan:9443' returned non-zero exit 
status 4

I found a thread from back in 2012 with the exact same symptoms:

   https://www.redhat.com/archives/freeipa-users/2012-May/msg00357.html

Unfortunately, the thread died out without any resolution/fix. When I run
the suggested commands from that thread, I get the same results the OP did.

# certutil -L -d /tmp/tmp-jNYt3P/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - xxx                                  CT,C,C
testnick                                                     P,,
xxx Certificate Authority - xxx                              CT,C,C

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
certutil: certificate is invalid: Issuer certificate is invalid.

Can you please run certutil -V on the issuer certificate (CN=Certificate Authority,O=xxx)? That might give us a clue why it is invalid.


# certutil -L -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 5 (0x5)
         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
         Issuer: "CN=Certificate Authority,O=xxx"
         Validity:
             Not Before: Thu Mar 06 04:17:13 2014
             Not After : Wed Feb 24 04:17:13 2016
         Subject: "CN=ipa-ca-agent,O=xxx"
         Subject Public Key Info:
             Public Key Algorithm: PKCS #1 RSA Encryption
             RSA Public Key:
                 Modulus:
                 Exponent: 65537 (0x10001)
         Signed Extensions:
             Name: Certificate Authority Key Identifier
             Key ID:
                 b5:5e:45:9f:e9:71:c5:11:a2:6c:6c:06:00:be:02:ad:
                 8e:ae:76:1b

             Name: Authority Information Access
             Method: PKIX Online Certificate Status Protocol
             Location:
                 URI: "http://auth.lan:80/ca/ocsp"

             Name: Certificate Key Usage
             Critical: True
             Usages: Digital Signature
                     Non-Repudiation
                     Key Encipherment
                     Data Encipherment

             Name: Extended Key Usage
                 TLS Web Client Authentication Certificate
                 E-Mail Protection Certificate

     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
     Signature:
     Fingerprint (MD5):
         96:68:7A:76:9F:06:78:BC:67:85:0C:82:A8:43:14:6B
     Fingerprint (SHA1):
         99:7D:9F:1B:F4:A7:52:9F:CF:BF:23:4F:5B:1A:90:22:19:14:37:16

     Certificate Trust Flags:
         SSL Flags:
             User
         Email Flags:
             User
         Object Signing Flags:
             User

... and so on...

Any suggestions from anyone who has gotten an external-ca install to work?


Robert

--
Senior Software Engineer @ Parsons

Honza

--
Jan Cholasta
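
Added example, not part of the original thread or of FreeIPA: a shell helper for the check requested above, which picks the CA entries out of a `certutil -L` listing and validates each one with `certutil -V`. The function names `ca_nicknames` and `verify_cas`, the `-u L` (SSL CA) usage and the embedded listing (constructed from the output quoted in the thread) are assumptions.

```shell
#!/bin/sh
# Constructed sample: the `certutil -L` listing quoted in the thread.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - xxx                                  CT,C,C
testnick                                                     P,,
xxx Certificate Authority - xxx                              CT,C,C
'

# ca_nicknames (hypothetical helper): read a `certutil -L` listing on stdin
# and print each nickname whose SSL trust field carries a CA flag (c, C or T).
# Nicknames may contain single spaces, so the separator is the run of two or
# more spaces in front of the "ssl,email,objsign" trust triple.
ca_nicknames() {
    awk '
    match($0, /  +[A-Za-z]*,[A-Za-z]*,[A-Za-z]* *$/) {
        nick  = substr($0, 1, RSTART - 1)
        flags = substr($0, RSTART)
        gsub(/ /, "", flags)
        split(flags, field, ",")
        if (field[1] ~ /[cCT]/) print nick
    }'
}

# verify_cas (hypothetical helper): validate every CA entry in an NSS database
# as an SSL CA and report the ones that fail, using certutil's exit status.
# Returns non-zero if any CA entry does not validate.
verify_cas() {
    db=$1
    certutil -L -d "$db" | ca_nicknames | (
        rc=0
        while IFS= read -r nick; do
            if certutil -V -u L -n "$nick" -d "$db" </dev/null; then
                echo "OK   $nick"
            else
                echo "FAIL $nick"
                rc=1
            fi
        done
        exit "$rc"
    )
}
```

On the installer's temporary database this would be run as `verify_cas /tmp/tmp-jNYt3P`; a `FAIL` line identifies which of the two CA entries breaks the chain for `ipa-ca-agent`.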
