This is the primary error I am receiving:

ipa: DEBUG: Caught fault 4301 from server https://server.internalfqdn.lab/ipa/session/xml: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
It occurs in the IdM UI and from the shell. A similar task (~# ipa user-show admin) works on the same system. This system is an IPA master and the only CA, version 3.0.0-47 (initially 3.0.0-42) -- everything except certificate tasks works. SELinux is currently in permissive mode (I am receiving no related AVCs anyway, even with semodule -BD).
Background on this issue: it started after putting mod_nss (and apache's nssdb) into FIPS mode. I have since restored the apache NSSdb to a known-good (non-FIPS) backup, but I am still receiving the same certificate errors.
The value of 'userCertificate' in 'cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same as the value from certutil for ipaCert. The value of 'cACertificate' from 'cn=CAcert,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same value as the '/etc/ipa/ca.crt' and the value from certutil for INTERNALFQDN.LAB IPA CA.
All logs below were run with a valid admin ticket. It is difficult to transport logs from this system (isolated network), so there are quite a lot of logs in this message; I snipped out as much filler as possible.
##
## cert-show from shell
##
[root@server ~]# ipa cert-show
<snip (all python plugins)>
<snip (cookie stuff)>
ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
  Version: 3 (0x2)
  Serial Number: 10 (0xa)
  Signature Algorithm:
    Algorithm: PKCS #1 SHA-256 With RSA Encryption
  Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
  Validity:
    Not Before: Mon Jun 22 13:51:40 2015 UTC
    Not After: Thu Jun 22 13:51:40 2017 UTC
  Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
<snip>
  Name: Certificate Key Usage
  Critical: True
  Usages: Digital Signature
          Non-Repudiation
          Key Encipherment
          Data Encipherment
  Name: Extended Key Usage
  Critical: False
  Usages: TLS Web Server Authentication Certificate
          TLS Web Client Authentication Certificate
<snip>
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Created connection context.xmlclient
Serial number: 0xa
ipa: DEBUG: raw: cert_show(u'10')
ipa: DEBUG: cert_show(u'10')
ipa: INFO: Forwarding 'cert_show' to server u'https://server.internalfqdn.lab/ipa/session/xml'
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Caught fault 4301 from server https://server.internalfqdn.lab/ipa/session/xml: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
##
## (successful) user-show from shell
##
[root@server ~]# ipa user-show admin
<snip (all python plugins)>
<snip (cookie stuff)>
ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
  Version: 3 (0x2)
  Serial Number: 10 (0xa)
  Signature Algorithm:
    Algorithm: PKCS #1 SHA-256 With RSA Encryption
  Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
  Validity:
    Not Before: Mon Jun 22 13:51:40 2015 UTC
    Not After: Thu Jun 22 13:51:40 2017 UTC
  Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
<snip>
  Name: Certificate Key Usage
  Critical: True
  Usages: Digital Signature
          Non-Repudiation
          Key Encipherment
          Data Encipherment
  Name: Extended Key Usage
  Critical: False
  Usages: TLS Web Server Authentication Certificate
          TLS Web Client Authentication Certificate
<snip>
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: INFO: Forwarding 'user_show' to server u'https://server.internalfqdn.lab/ipa/session/xml'
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Destroyed connection context.xmlclient
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 999999999
  GID: 999999999
  Account disabled: False
  Password: True
  Member of groups: admins, trust admins
  Roles: IPA HBAC Administrator, IPA Workstation Administrator, IPA Services Administrator, IPA User Manager, IPA Cybersecurity Administrator, IPA Certificate Administrator
  Indirect Member of netgroup: servers
  Indirect Member of Sudo rule: ws_allow_all, srv_allow_all
  Indirect Member of HBAC rule: console_login, admin_only_login, admin_allow_su
  Kerberos keys available: True
##
## apache error_log
##
[Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for child 4 (server server.internalfqdn.lab:443)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
<snip (session stuff)>
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI xmlserver.__call__:
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Created connection context.ldap2
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: raw: cert_show(u'10')
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert_show(u'10')
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request 'https://server.internalfqdn.lab:443/ca/agent/ca/displayBySerial'
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=10'
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: NSSConnection init server.internalfqdn.lab
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Connecting: 256.256.256.256:0
[Mon Aug 24 06:11:11 2015] [info] Connection to child 0 established (server server.internalfqdn.lab:443, client 256.256.256.256)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
<snip (cert data, same as above to stdout)>
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert valid True for "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Protocol: TLS1.2
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
[Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for child 0 (server server.internalfqdn.lab:443)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(45): proxy: AJP: canonicalising URL //localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(1524): [client 256.256.256.256] proxy: ajp: found worker ajp://localhost:9447 for ajp://localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy.c(1026): Running scheme ajp handler (attempt 0)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(709): proxy: AJP: serving URL ajp://localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2094): proxy: AJP: has acquired connection for (localhost)
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2150): proxy: connecting ajp://localhost:9447/ca/agent/ca/displayBySerial to localhost:9447
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2277): proxy: connected /ca/agent/ca/displayBySerial to localhost:9447
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2528): proxy: AJP: fam 2 socket created to connect to localhost
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(224): Into ajp_marshal_into_msgb
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[0] [Host] = [server.internalfqdn.lab]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[1] [Accept-Encoding] = [identity]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[2] [Content-Length] = [24]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[3] [Content-type] = [application/x-www-form-urlencoded]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[4] [Accept] = [text/plain]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(450): ajp_marshal_into_msgb: Done
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(269): proxy: APR_BUCKET_IS_EOS
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(274): proxy: data to read (max 8186 at 4)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(289): proxy: got 24 bytes of data
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 04
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 04
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(516): ajp_unmarshal_response: status = 200
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(537): ajp_unmarshal_response: Number of headers is = 2
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599): ajp_unmarshal_response: Header[0] [Content-Type] = [application/xml]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(609): ajp_unmarshal_response: ap_set_content_type done
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599): ajp_unmarshal_response: Header[1] [Content-Length] = [274]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 03
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 03
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 05
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 05
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(616): proxy: got response from (null) (localhost)
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2112): proxy: AJP: has released connection for (localhost)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: parse_display_cert_xml() xml_text:
[Mon Aug 24 06:11:11 2015] [error] <?xml version="1.0" encoding="UTF-8" standalone="no"?><xml><header/><fixed><authorityName>Certificate Manager</authorityName><unexpectedError>You did not provide a valid certificate for this operation</unexpectedError><requestStatus>7</requestStatus></fixed><records/></xml>
[Mon Aug 24 06:11:11 2015] [error] parse_result:
[Mon Aug 24 06:11:11 2015] [error] {'request_status': 7, 'error_string': u'You did not provide a valid certificate for this operation', 'authority': u'Certificate Manager'}
[Mon Aug 24 06:11:11 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (You did not provide a valid certificate for this operation)
[Mon Aug 24 06:11:11 2015] [error] ipa: INFO: [email protected]: cert_show(u'10'): CertificateOperationError
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
[Mon Aug 24 06:11:11 2015] [info] Connection to child 0 closed (server server.internalfqdn.lab:443, client 256.256.256.256)
<snip (session stuff)>
[Mon Aug 24 06:11:11 2015] [info] Connection to child 4 closed (server server.internalfqdn.lab:443, client 256.256.256.256)
##
## enabled apache modules
##
[root@server ~]# httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_groupfile_module (shared)
 log_config_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 autoindex_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 auth_kerb_module (shared)
 nss_module (shared)
 wsgi_module (shared)
Syntax OK
##
## apache perms (I recently allowed o+r)
##
1442776 4 drwxr-xr-x 6 root apache 4096 Aug 23 14:56 /etc/httpd
1442910 0 lrwxrwxrwx 1 root root 29 Jul 27 08:01 /etc/httpd/modules -> ../../usr/lib64/httpd/modules
1442911 0 lrwxrwxrwx 1 root root 19 Jul 27 08:01 /etc/httpd/run -> ../../var/run/httpd
1442502 4 drwxr-xr-x 2 root apache 4096 Aug 9 08:00 /etc/httpd/alias
1442507 8 -rw------- 1 root root 4684 Jun 21 09:49 /etc/httpd/alias/install.log
1442670 16 -rw-r----- 1 root apache 16384 Aug 5 16:10 /etc/httpd/alias/secmod.db
1442512 16 -rw-r----- 1 root apache 16384 Aug 23 16:40 /etc/httpd/alias/key3.db
1442503 4 -r--r--r-- 1 root root 1307 Jun 22 09:50 /etc/httpd/alias/cacert.asc
1442528 4 -r--r----- 1 root apache 20 Jun 22 09:48 /etc/httpd/alias/pwdfile.txt
1442505 64 -rw-r----- 1 root apache 65536 Aug 23 16:40 /etc/httpd/alias/cert8.db
1442516 0 lrwxrwxrwx 1 root root 33 Aug 23 14:56 /etc/httpd/alias/libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
1442891 4 drwxr-xr-x 2 root apache 4096 Aug 24 06:01 /etc/httpd/conf.d
1442205 4 -rw-rw---- 1 root apache 1487 Aug 24 06:01 /etc/httpd/conf.d/nss.conf
1442100 4 -rw-rw---- 1 root apache 43 Aug 6 17:54 /etc/httpd/conf.d/wsgi.conf
1442748 12 -rw-r--r-- 1 root apache 9456 Jan 23 2015 /etc/httpd/conf.d/nss.conf.rpmnew
1442149 4 -rw-rw---- 1 root apache 760 Aug 6 17:54 /etc/httpd/conf.d/ipa-rewrite.conf
1442171 4 -rw-rw---- 1 root apache 707 Aug 6 17:54 /etc/httpd/conf.d/auth_kerb.conf
1442038 4 -rw-rw---- 1 root apache 3613 Aug 21 19:29 /etc/httpd/conf.d/ipa.conf
1442148 4 -rw-rw---- 1 root apache 1524 Aug 23 16:12 /etc/httpd/conf.d/ipa-pki-proxy.conf
1442778 4 drwxr-xr-x 2 root apache 4096 Aug 24 06:00 /etc/httpd/conf
1443974 4 -r--r----- 1 root apache 30 Aug 23 13:34 /etc/httpd/conf/password.conf
1442186 8 -rw-rw---- 1 root apache 4989 Aug 24 05:42 /etc/httpd/conf/httpd.conf
1443975 4 -rw-rw---- 1 root apache 314 Jun 22 09:52 /etc/httpd/conf/ipa.keytab
1442908 16 -rw-rw---- 1 root apache 13139 Mar 3 12:06 /etc/httpd/conf/magic
1442909 0 lrwxrwxrwx 1 root root 19 Jul 27 08:01 /etc/httpd/logs -> ../../var/log/httpd
##
## ipara cert serial vs nssdb serial
##
[root@server ~]# ldapsearch -h localhost -p 7389 -D "CN=Directory Manager" -x -W -b "uid=ipara,ou=People,o=ipaca" description
<snip>
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;CN=IPA RA,O=INTERNALFQDN.LAB
<snip>
[root@server ~]# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)
##
## full getcert list
##
[root@server ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20150622134926':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:31 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150622134947':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNALFQDN-LAB/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-22 13:49:46 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNALFQDN-LAB
track: yes
auto-renew: yes
Request ID '20150622135035':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-22 13:50:34 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20150623103849':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-23 11:11:18 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150623111624':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-23 11:16:25 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150624145016':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/puppet/ssl/private_keys/server.internalfqdn.lab.pem'
certificate:
type=FILE,location='/var/lib/puppet/ssl/certs/server.internalfqdn.lab.pem'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
expires: 2017-06-24 14:50:17 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150823160608':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=CA Audit,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:33 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150823160614':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=OCSP Subsystem,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:31 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150823160639':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=CA Subsystem,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:48:32 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150823160643':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
subject: CN=IPA RA,O=INTERNALFQDN.LAB
expires: 2017-06-11 13:49:20 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
##
## getcert list-cas
##
[root@server ~]# getcert list-cas
CA 'SelfSign':
is-default: no
ca-type: INTERNAL:SELF
next-serial-number: 01
CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-retrieve-agent-submit':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
##
## NSSdbs
##
[root@server ~]# certutil -d /etc/pki/nssdb -L
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI
IPA CA                                               CT,C,C
DNS-Servername                                       u,u,u
[root@server ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI
INTERNALFQDN.LAB IPA CA                              CT,C,C
ipaCert                                              u,u,u
Signing-Cert                                         u,u,u
Server-Cert                                          u,u,u
[root@server ~]# certutil -d /var/lib/pki-ca/alias -L
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca                            CTu,Cu,Cu
Server-Cert cert-pki-ca                              u,u,u
auditSigningCert cert-pki-ca                         u,u,Pu
ocspSigningCert cert-pki-ca                          u,u,u
subsystemCert cert-pki-ca                            u,u,u
##
## pki-ca network processes
##
[root@server ~]# netstat -plnt | grep java
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN 9352/java
tcp 0 0 0.0.0.0:9444 0.0.0.0:* LISTEN 9352/java
tcp 0 0 127.0.0.1:9701 0.0.0.0:* LISTEN 9352/java
tcp 0 0 0.0.0.0:9445 0.0.0.0:* LISTEN 9352/java
tcp 0 0 0.0.0.0:9446 0.0.0.0:* LISTEN 9352/java
tcp 0 0 0.0.0.0:9447 0.0.0.0:* LISTEN 9352/java
tcp 0 0 0.0.0.0:9180 0.0.0.0:* LISTEN 9352/java
##
## server.xml
##
(No changes from dist other than ssl3=false in sslOptions)
##
## pki-ca tomcat logs
##
No entries -- the request does not seem to get far enough to trigger anything outside of SignedAudit.
##
## signedAudit
##
9352.TP-Processor1 - [24/Aug/2015:06:11:11 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
##
## basic system info
##
[root@server ~]# rpm -q ipa-server pki-ca && uname -a && cat /etc/redhat-release
ipa-server-3.0.0-47.el6.x86_64
pki-ca-9.0.3-43.el6.noarch
Linux server.internalfqdn.lab 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.7 (Santiago)

Regards,
--
Paul Arnold
IT Systems Engineer
Cole Engineering Services, Inc
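As an added example that is not part of the original post or of FreeIPA/Dogtag, the following Python script automates the comparison the post makes by hand: it parses the Dogtag agent mapping stored in the `description` attribute of `uid=ipara,ou=People,o=ipaca` (format `2;<serial>;<issuer DN>;<subject DN>`) and the serial, issuer and subject of `ipaCert` as printed by `certutil -L -n ipaCert`, and reports every field on which they disagree. Dogtag rejects the RA client certificate with exactly the "You did not provide a valid certificate for this operation" / AUTH_FAIL symptom when this mapping does not match; all sample inputs are constructed from values in the post, and the script assumes DNs contain no ';' characters.

```python
"""Cross-check the Dogtag RA agent mapping (LDAP) against the ipaCert
actually held in the Apache NSS DB. Sample data is constructed."""
import re

# Constructed: the 'description' value as ldapsearch printed it in the post.
IPARA_DESCRIPTION = ("2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;"
                     "CN=IPA RA,O=INTERNALFQDN.LAB")

# Constructed: trimmed 'certutil -L -d /etc/httpd/alias -n ipaCert' output,
# with serial 7 as in the post; dates are placeholders.
CERTUTIL_IPACERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=INTERNALFQDN.LAB"
        Validity:
            Not Before: Mon Jun 22 13:49:20 2015
            Not After : Sun Jun 11 13:49:20 2017
        Subject: "CN=IPA RA,O=INTERNALFQDN.LAB"
"""


def parse_agent_description(desc):
    """Split '<version>;<serial>;<issuer>;<subject>' into its fields.
    DNs contain commas, so split on ';' only and insist on four fields
    (assumes no ';' inside the DNs themselves)."""
    parts = desc.split(";")
    if len(parts) != 4:
        raise ValueError("unexpected agent description: %r" % desc)
    version, serial, issuer, subject = parts
    return {"version": int(version), "serial": int(serial, 10),
            "issuer": issuer.strip(), "subject": subject.strip()}


def parse_certutil_cert(text):
    """Extract serial (as int), issuer and subject from certutil -L -n output.
    certutil prints small serials as 'N (0xN)' and large ones as a
    colon-separated hex string on the following line; both are handled."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", text)
    if m:
        serial = int(m.group(1))
    else:
        m = re.search(r"Serial Number:\s*\n\s*((?:[0-9a-fA-F]{2}:?)+)", text)
        if not m:
            raise ValueError("no serial number found in certutil output")
        serial = int(m.group(1).replace(":", ""), 16)
    issuer = re.search(r'^\s*Issuer:\s*"?([^"\n]+?)"?\s*$', text, re.M)
    subject = re.search(r'^\s*Subject:\s*"?([^"\n]+?)"?\s*$', text, re.M)
    if not (issuer and subject):
        raise ValueError("issuer or subject missing from certutil output")
    return {"serial": serial, "issuer": issuer.group(1).strip(),
            "subject": subject.group(1).strip()}


def check_agent_mapping(desc, certutil_text):
    """Return a list of human-readable mismatches between the LDAP agent
    mapping and the NSS DB certificate; an empty list means Dogtag should
    recognise this ipaCert as the RA agent."""
    want = parse_agent_description(desc)
    have = parse_certutil_cert(certutil_text)
    problems = []
    for field in ("serial", "issuer", "subject"):
        if want[field] != have[field]:
            problems.append("%s: LDAP mapping has %r, NSS DB cert has %r"
                            % (field, want[field], have[field]))
    return problems


if __name__ == "__main__":
    for line in check_agent_mapping(IPARA_DESCRIPTION, CERTUTIL_IPACERT) \
            or ["agent mapping matches ipaCert"]:
        print(line)
```

On a live system the two inputs would come from the ldapsearch and certutil commands quoted in the post; a non-empty result points at the RA cert and its LDAP mapping having drifted apart, which is one concrete cause of the AUTH_FAIL shown in signedAudit.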
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
