On 02/20/2015 06:56 AM, Les Stott wrote:
Hi all,

The following is blocking the ability for me to install a CA replica.

Environment:

RHEL 6.6

IPA 3.0.0-42

PKI 9.0.3-38

On the master the following is happening:

ipa-getcert list

Number of certificates and requests being tracked: 5.

(but it shows no certificate details in the output)

Running “getcert list” shows complete output.

Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I
get a failed response. The Apache error logs on the master show….

[Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot
verify your certificate

The reason I am trying to browse that address is because that’s what the
ipa-ca-install setup is failing at (it complains that the CA certificate is not
in proper format, in fact it’s not able to get it at all).

I know from another working ipa setup that ….

Browsing to the above address provides valid xml content and ipa-getcert list
shows certificate details and not just the number of tracked certificates.

Been trying for a long time to figure out the issues without luck.

I would greatly appreciate any help to troubleshoot and resolve the above 
issues.

Regards,

Les

Endi or JanC, would you have any advice for Les? To me, it looks like Apache does not have a proper certificate installed.

My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it 8 certs tracked in total:

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20141111000002':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=vm-086.example.com,O=EXAMPLE.COM
        expires: 2016-11-11 00:00:01 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141111000047':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=vm-086.example.com,O=EXAMPLE.COM
        expires: 2016-11-11 00:00:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141111000302':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=vm-086.example.com,O=EXAMPLE.COM
        expires: 2016-11-11 00:03:02 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


What is actually in your Apache NSS database?

# certutil -L -d /etc/httpd/alias/

Martin
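A checker for the `getcert list` format quoted above, added here as an example and not code from the thread, from certmonger or from FreeIPA. It parses a listing, compares the header count with the number of entries actually printed (Martin's header says 8 while three are shown; my reading of the tool is that `ipa-getcert list` prints only requests whose CA is IPA, so confirm against plain `getcert list`), flags requests that are not MONITORING, are stuck or have expired, and reports whether a Server-Cert in /etc/httpd/alias is tracked at all, which is the entry a working master shows and Les's output apparently lacks. The sample listing is constructed to mirror Martin's output; its second request (ID, CA name, nickname, status and expiry) is invented to exercise the failure paths.

```python
"""Audit `getcert list` / `ipa-getcert list` output for the symptoms in this thread.

Added example, not code from the thread, certmonger or FreeIPA. SAMPLE is a
constructed listing that mirrors Martin's output; the second request (its
ID, CA, nickname, status and expiry) is invented to exercise the checks.
"""
import re
from datetime import datetime, timezone

# Date of the thread, used as "now" so the expiry check is reproducible.
THREAD_DATE = datetime(2015, 2, 20, tzinfo=timezone.utc)

SAMPLE = """\
Number of certificates and requests being tracked: 8.
Request ID '20141111000302':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=vm-086.example.com,O=EXAMPLE.COM
        expires: 2016-11-11 00:03:02 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        track: yes
        auto-renew: yes
Request ID '20141111000500':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2015-01-01 00:00:00 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        track: yes
        auto-renew: yes
"""


def parse_getcert_list(text):
    """Return (declared_count, entries); each entry maps field name -> value."""
    header = re.search(r"being tracked: (\d+)\.", text)
    declared = int(header.group(1)) if header else None
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        # Indented "name: value" lines belong to the current request.
        m = re.match(r"\s+([^:]+):\s?(.*)$", line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return declared, entries


def storage_fields(entry):
    """Return (location, nickname) parsed from the 'key pair storage' field."""
    storage = entry.get("key pair storage", "")
    loc = re.search(r"location='([^']*)'", storage)
    nick = re.search(r"nickname='([^']*)'", storage)
    return (loc.group(1) if loc else None, nick.group(1) if nick else None)


def audit(text, now=None):
    """Return {'declared', 'printed', 'findings'} for one listing."""
    now = now or datetime.now(timezone.utc)
    declared, entries = parse_getcert_list(text)
    findings = []
    # ipa-getcert prints only requests whose CA is IPA (my reading of the tool),
    # so a header count above the printed count means other requests exist.
    if declared is not None and declared != len(entries):
        findings.append(
            f"header says {declared} tracked but {len(entries)} printed; "
            "rerun plain 'getcert list' to see the requests not shown here")
    for e in entries:
        rid = e["request_id"]
        if e.get("status") != "MONITORING":
            findings.append(f"{rid}: status {e.get('status')}")
        if e.get("stuck") == "yes":
            findings.append(f"{rid}: stuck")
        expires = e.get("expires")
        if expires:
            # certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; strptime
            # returns a naive value, so attach UTC before comparing.
            exp = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S %Z")
            if exp.replace(tzinfo=timezone.utc) <= now:
                findings.append(f"{rid}: expired {expires}")
    # mod_nss serves the IPA web UI and the /ca/ proxy paths from this DB, so a
    # tracked Server-Cert in /etc/httpd/alias is expected on every master.
    if not any(storage_fields(e) == ("/etc/httpd/alias", "Server-Cert") for e in entries):
        findings.append("no tracked Server-Cert in /etc/httpd/alias; "
                        "check with: certutil -L -d /etc/httpd/alias/")
    return {"declared": declared, "printed": len(entries), "findings": findings}


if __name__ == "__main__":
    import sys
    # Pipe real output in (`getcert list | python audit.py`) or run on SAMPLE.
    if sys.stdin.isatty():
        report = audit(SAMPLE, now=THREAD_DATE)
    else:
        report = audit(sys.stdin.read())
    for finding in report["findings"]:
        print(finding)
```

On the constructed sample this reports the 8-versus-2 count gap and the stuck, non-monitoring, expired second request; feeding it a listing without the /etc/httpd/alias entry adds the missing-Server-Cert finding, which is the point to follow up with `certutil -L -d /etc/httpd/alias/`.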

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project