I have been beating my head against the keyboard for the past 2 weeks trying to figure this one out. I'm hoping I am missing something simple, as my next course of action is to completely re-install IPA.


This is the primary error I am receiving:

ipa: DEBUG: Caught fault 4301 from server https://server.internalfqdn.lab/ipa/session/xml: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)

It occurs in the IdM UI and from the shell. A similar task (~# ipa user-show admin) works on the same system. This system is an IPA master and the only CA, version 3.0.0-47 (initially 3.0.0-42); everything except certificate tasks works. SELinux is currently in permissive mode (I am receiving no related AVCs anyway, even with semodule -BD).

Background on this issue: it started after putting mod_nss (and apache's nssdb) into FIPS mode. I have since restored the apache NSSdb to a known-good (non-FIPS) backup, but I am still receiving the same certificate errors.

The value of 'userCertificate' in 'cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same as the value from certutil for ipaCert. The value of 'cACertificate' from 'cn=CAcert,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same value as the '/etc/ipa/ca.crt' and the value from certutil for INTERNALFQDN.LAB IPA CA.

All logs below were run with a valid admin ticket. It is difficult to transport logs from this system (isolated network), so there are quite a lot of logs in this message; I snipped out as much filler as possible.


##
## cert-show from shell
##
[root@server ~]# ipa cert-show
<snip (all python plugins)>
<snip (cookie stuff)>
ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
        Version:       3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        Validity:
            Not Before: Mon Jun 22 13:51:40 2015 UTC
            Not After:  Thu Jun 22 13:51:40 2017 UTC
        Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
<snip>
        Name:     Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name:     Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate
<snip>
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Created connection context.xmlclient
Serial number: 0xa
ipa: DEBUG: raw: cert_show(u'10')
ipa: DEBUG: cert_show(u'10')
ipa: INFO: Forwarding 'cert_show' to server u'https://server.internalfqdn.lab/ipa/session/xml'
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Caught fault 4301 from server https://server.internalfqdn.lab/ipa/session/xml: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)


##
## (successful) user-show from shell
##
[root@server ~]# ipa user-show admin
<snip (all python plugins)>
<snip (cookie stuff)>
ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
        Version:       3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        Validity:
            Not Before: Mon Jun 22 13:51:40 2015 UTC
            Not After:  Thu Jun 22 13:51:40 2017 UTC
        Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
<snip>
        Name:     Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name:     Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate
<snip>
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: INFO: Forwarding 'user_show' to server u'https://server.internalfqdn.lab/ipa/session/xml'
ipa: DEBUG: NSSConnection init server.internalfqdn.lab
ipa: DEBUG: Connecting: 256.256.256.256:0
ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
<snip (cookie stuff)>
ipa: DEBUG: Destroyed connection context.xmlclient
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 999999999
  GID: 999999999
  Account disabled: False
  Password: True
  Member of groups: admins, trust admins
  Roles: IPA HBAC Administrator, IPA Workstation Administrator, IPA Services Administrator, IPA User Manager, IPA Cybersecurity Administrator, IPA Certificate Administrator
  Indirect Member of netgroup: servers
  Indirect Member of Sudo rule: ws_allow_all, srv_allow_all
  Indirect Member of HBAC rule: console_login, admin_only_login, admin_allow_su
  Kerberos keys available: True


##
## apache error_log
##
[Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for child 4 (server server.internalfqdn.lab:443)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
<snip (session stuff)>
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI xmlserver.__call__:
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Created connection context.ldap2
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: raw: cert_show(u'10')
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert_show(u'10')
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request 'https://server.internalfqdn.lab:443/ca/agent/ca/displayBySerial'
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=10'
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: NSSConnection init server.internalfqdn.lab
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Connecting: 256.256.256.256:0
[Mon Aug 24 06:11:11 2015] [info] Connection to child 0 established (server server.internalfqdn.lab:443, client 256.256.256.256)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
<snip (cert data, same as above to stdout)>
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert valid True for "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Protocol: TLS1.2
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
[Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for child 0 (server server.internalfqdn.lab:443)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(45): proxy: AJP: canonicalising URL //localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(1524): [client 256.256.256.256] proxy: ajp: found worker ajp://localhost:9447 for ajp://localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy.c(1026): Running scheme ajp handler (attempt 0)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(709): proxy: AJP: serving URL ajp://localhost:9447/ca/agent/ca/displayBySerial
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2094): proxy: AJP: has acquired connection for (localhost)
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2150): proxy: connecting ajp://localhost:9447/ca/agent/ca/displayBySerial to localhost:9447
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2277): proxy: connected /ca/agent/ca/displayBySerial to localhost:9447
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2528): proxy: AJP: fam 2 socket created to connect to localhost
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(224): Into ajp_marshal_into_msgb
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[0] [Host] = [server.internalfqdn.lab]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[1] [Accept-Encoding] = [identity]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[2] [Content-Length] = [24]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[3] [Content-type] = [application/x-www-form-urlencoded]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[4] [Accept] = [text/plain]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(450): ajp_marshal_into_msgb: Done
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(269): proxy: APR_BUCKET_IS_EOS
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(274): proxy: data to read (max 8186 at 4)
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(289): proxy: got 24 bytes of data
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 04
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 04
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(516): ajp_unmarshal_response: status = 200
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(537): ajp_unmarshal_response: Number of headers is = 2
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599): ajp_unmarshal_response: Header[0] [Content-Type] = [application/xml]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(609): ajp_unmarshal_response: ap_set_content_type done
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599): ajp_unmarshal_response: Header[1] [Content-Length] = [274]
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 03
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 03
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 05
[Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 05
[Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(616): proxy: got response from (null) (localhost)
[Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2112): proxy: AJP: has released connection for (localhost)
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: parse_display_cert_xml() xml_text:
[Mon Aug 24 06:11:11 2015] [error] <?xml version="1.0" encoding="UTF-8" standalone="no"?><xml><header/><fixed><authorityName>Certificate Manager</authorityName><unexpectedError>You did not provide a valid certificate for this operation</unexpectedError><requestStatus>7</requestStatus></fixed><records/></xml>
[Mon Aug 24 06:11:11 2015] [error] parse_result:
[Mon Aug 24 06:11:11 2015] [error] {'request_status': 7, 'error_string': u'You did not provide a valid certificate for this operation', 'authority': u'Certificate Manager'}
[Mon Aug 24 06:11:11 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (You did not provide a valid certificate for this operation)
[Mon Aug 24 06:11:11 2015] [error] ipa: INFO: ad...@internalfqdn.lab: cert_show(u'10'): CertificateOperationError
[Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation)
[Mon Aug 24 06:11:11 2015] [info] Connection to child 0 closed (server server.internalfqdn.lab:443, client 256.256.256.256)
<snip (session stuff)>
[Mon Aug 24 06:11:11 2015] [info] Connection to child 4 closed (server server.internalfqdn.lab:443, client 256.256.256.256)


##
## enabled apache modules
##
[root@server ~]# httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_groupfile_module (shared)
 log_config_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 autoindex_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 auth_kerb_module (shared)
 nss_module (shared)
 wsgi_module (shared)
Syntax OK


##
## apache perms (I recently allowed o+r)
##
1442776  4 drwxr-xr-x 6 root apache  4096 Aug 23 14:56 /etc/httpd
1442910  0 lrwxrwxrwx 1 root root      29 Jul 27 08:01 /etc/httpd/modules -> ../../usr/lib64/httpd/modules
1442911  0 lrwxrwxrwx 1 root root      19 Jul 27 08:01 /etc/httpd/run -> ../../var/run/httpd
1442502  4 drwxr-xr-x 2 root apache  4096 Aug  9 08:00 /etc/httpd/alias
1442507  8 -rw------- 1 root root    4684 Jun 21 09:49 /etc/httpd/alias/install.log
1442670 16 -rw-r----- 1 root apache 16384 Aug  5 16:10 /etc/httpd/alias/secmod.db
1442512 16 -rw-r----- 1 root apache 16384 Aug 23 16:40 /etc/httpd/alias/key3.db
1442503  4 -r--r--r-- 1 root root    1307 Jun 22 09:50 /etc/httpd/alias/cacert.asc
1442528  4 -r--r----- 1 root apache    20 Jun 22 09:48 /etc/httpd/alias/pwdfile.txt
1442505 64 -rw-r----- 1 root apache 65536 Aug 23 16:40 /etc/httpd/alias/cert8.db
1442516  0 lrwxrwxrwx 1 root root      33 Aug 23 14:56 /etc/httpd/alias/libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
1442891  4 drwxr-xr-x 2 root apache  4096 Aug 24 06:01 /etc/httpd/conf.d
1442205  4 -rw-rw---- 1 root apache  1487 Aug 24 06:01 /etc/httpd/conf.d/nss.conf
1442100  4 -rw-rw---- 1 root apache    43 Aug  6 17:54 /etc/httpd/conf.d/wsgi.conf
1442748 12 -rw-r--r-- 1 root apache  9456 Jan 23  2015 /etc/httpd/conf.d/nss.conf.rpmnew
1442149  4 -rw-rw---- 1 root apache   760 Aug  6 17:54 /etc/httpd/conf.d/ipa-rewrite.conf
1442171  4 -rw-rw---- 1 root apache   707 Aug  6 17:54 /etc/httpd/conf.d/auth_kerb.conf
1442038  4 -rw-rw---- 1 root apache  3613 Aug 21 19:29 /etc/httpd/conf.d/ipa.conf
1442148  4 -rw-rw---- 1 root apache  1524 Aug 23 16:12 /etc/httpd/conf.d/ipa-pki-proxy.conf
1442778  4 drwxr-xr-x 2 root apache  4096 Aug 24 06:00 /etc/httpd/conf
1443974  4 -r--r----- 1 root apache    30 Aug 23 13:34 /etc/httpd/conf/password.conf
1442186  8 -rw-rw---- 1 root apache  4989 Aug 24 05:42 /etc/httpd/conf/httpd.conf
1443975  4 -rw-rw---- 1 root apache   314 Jun 22 09:52 /etc/httpd/conf/ipa.keytab
1442908 16 -rw-rw---- 1 root apache 13139 Mar  3 12:06 /etc/httpd/conf/magic
1442909  0 lrwxrwxrwx 1 root root      19 Jul 27 08:01 /etc/httpd/logs -> ../../var/log/httpd


##
## ipara cert serial vs nssdb serial
##
[root@server ~]# ldapsearch -h localhost -p 7389 -D "CN=Directory Manager" -x -W -b "uid=ipara,ou=People,o=ipaca" description
<snip>
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;CN=IPA RA,O=INTERNALFQDN.LAB
<snip>
[root@server ~]# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
        Serial Number: 7 (0x7)


##
## full getcert list
##
[root@server ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20150622134926':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
        expires: 2017-06-11 13:48:31 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150622134947':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNALFQDN-LAB/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
        expires: 2017-06-22 13:49:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNALFQDN-LAB
        track: yes
        auto-renew: yes
Request ID '20150622135035':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
        expires: 2017-06-22 13:50:34 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20150623103849':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
        expires: 2017-06-23 11:11:18 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150623111624':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
        expires: 2017-06-23 11:16:25 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150624145016':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/puppet/ssl/private_keys/server.internalfqdn.lab.pem'
        certificate: type=FILE,location='/var/lib/puppet/ssl/certs/server.internalfqdn.lab.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
        expires: 2017-06-24 14:50:17 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150823160608':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=CA Audit,O=INTERNALFQDN.LAB
        expires: 2017-06-11 13:48:33 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150823160614':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=OCSP Subsystem,O=INTERNALFQDN.LAB
        expires: 2017-06-11 13:48:31 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150823160639':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=CA Subsystem,O=INTERNALFQDN.LAB
        expires: 2017-06-11 13:48:32 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150823160643':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
        subject: CN=IPA RA,O=INTERNALFQDN.LAB
        expires: 2017-06-11 13:49:20 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes


##
## getcert list-cas
##
[root@server ~]# getcert list-cas
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-retrieve-agent-submit':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit


##
## NSSdbs
##
[root@server ~]# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
DNS-Servername                                               u,u,u
[root@server ~]# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

INTERNALFQDN.LAB IPA CA                                      CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
[root@server ~]# certutil -d /var/lib/pki-ca/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u


##
## pki-ca network processes
##
[root@server ~]# netstat -plnt | grep java
tcp        0      0 0.0.0.0:9443        0.0.0.0:*      LISTEN      9352/java
tcp        0      0 0.0.0.0:9444        0.0.0.0:*      LISTEN      9352/java
tcp        0      0 127.0.0.1:9701      0.0.0.0:*      LISTEN      9352/java
tcp        0      0 0.0.0.0:9445        0.0.0.0:*      LISTEN      9352/java
tcp        0      0 0.0.0.0:9446        0.0.0.0:*      LISTEN      9352/java
tcp        0      0 0.0.0.0:9447        0.0.0.0:*      LISTEN      9352/java
tcp        0      0 0.0.0.0:9180        0.0.0.0:*      LISTEN      9352/java


##
## server.xml
##
(No changes from dist other than ssl3=false in sslOptions)


##
## pki-ca tomcat logs
##
No entries -- request does not seem to get far enough to trigger anything outside of SignedAudit.


##
## signedAudit
##
9352.TP-Processor1 - [24/Aug/2015:06:11:11 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure


##
## basic system info
##

[root@server ~]# rpm -q ipa-server pki-ca && uname -a && cat /etc/redhat-release
ipa-server-3.0.0-47.el6.x86_64
pki-ca-9.0.3-43.el6.noarch
Linux server.internalfqdn.lab 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.7 (Santiago)



Regards,

--
Paul Arnold
IT Systems Engineer
Cole Engineering Services, Inc
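Editor's note, added after the post and not part of it: the one check the post performs by eye (serial of ipaCert in /etc/httpd/alias versus the description attribute of uid=ipara in o=ipaca) is the binding Dogtag uses to map the RA's client certificate to an agent, so it is worth scripting rather than eyeballing, and it should compare issuer and subject as well as the serial. The script below is an added example, not FreeIPA or Dogtag code. It parses the two outputs exactly as they appear above, reports any mismatch, and can run the same two commands on a live master. Assumptions: the ipara description has the layout 2;<serial>;<issuer DN>;<subject DN> with a decimal serial (as in the post), and certutil -L -n prints DNs in double quotes; the sample inputs are constructed from the values visible in the post, with the Not Before date made up.

```python
"""Check that the ipaCert in the web server NSS DB is the certificate Dogtag expects.

Added example, not code from the original post, FreeIPA or Dogtag.
Assumed layout of the ipara description: 2;<serial>;<issuer DN>;<subject DN>.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentBinding:
    """Serial, issuer and subject that identify one certificate."""
    serial: int
    issuer: str
    subject: str


def parse_ipara_description(ldif: str) -> AgentBinding:
    """Pull serial/issuer/subject out of the `description:` line of the ipara entry."""
    for line in ldif.splitlines():
        if line.startswith("description:"):
            value = line.split(":", 1)[1].strip()
            # DNs contain commas but no ';', so a 4-way split is safe (assumption).
            fields = value.split(";", 3)
            if len(fields) != 4 or fields[0] != "2":
                raise ValueError(f"unexpected agent description layout: {value!r}")
            return AgentBinding(int(fields[1]), fields[2], fields[3])
    raise ValueError("no description attribute in LDIF")


def parse_certutil_cert(dump: str) -> AgentBinding:
    """Pull serial/issuer/subject out of `certutil -L -d <db> -n <nick>` text output."""
    lines = dump.splitlines()
    serial = issuer = subject = None
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith("Serial Number:") and serial is None:
            rest = s[len("Serial Number:"):].strip()
            if rest:
                # short form "Serial Number: 7 (0x7)": take the decimal part
                serial = int(rest.split("(")[0].strip())
            else:
                # long form: hex octets follow on the next line, e.g. "00:d1:2a:..."
                serial = int(lines[i + 1].strip().replace(":", ""), 16)
        elif s.startswith("Issuer:") and issuer is None:
            issuer = s.split(":", 1)[1].strip().strip('"')
        elif s.startswith("Subject:") and subject is None:
            subject = s.split(":", 1)[1].strip().strip('"')
    if serial is None or issuer is None or subject is None:
        raise ValueError("certutil output lacks Serial Number, Issuer or Subject")
    return AgentBinding(serial, issuer, subject)


def compare(expected: AgentBinding, actual: AgentBinding) -> list:
    """Return mismatches; an empty list means the NSS DB holds the cert Dogtag expects."""
    problems = []
    for field in ("serial", "issuer", "subject"):
        want, have = getattr(expected, field), getattr(actual, field)
        if want != have:
            problems.append(f"{field}: Dogtag (uid=ipara) expects {want!r}, NSS DB has {have!r}")
    return problems


def check_live(nssdb="/etc/httpd/alias", nick="ipaCert", ldap_port=7389) -> list:
    """Run the two commands from the post on a live master (ldapsearch -W prompts on the tty)."""
    dump = subprocess.run(["certutil", "-L", "-d", nssdb, "-n", nick],
                          check=True, stdout=subprocess.PIPE, text=True).stdout
    ldif = subprocess.run(["ldapsearch", "-h", "localhost", "-p", str(ldap_port),
                           "-D", "CN=Directory Manager", "-x", "-W",
                           "-b", "uid=ipara,ou=People,o=ipaca", "description"],
                          check=True, stdout=subprocess.PIPE, text=True).stdout
    return compare(parse_ipara_description(ldif), parse_certutil_cert(dump))


# Constructed samples built from the values shown in the post (Not Before is invented).
SAMPLE_IPARA_LDIF = """\
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;CN=IPA RA,O=INTERNALFQDN.LAB
"""

SAMPLE_IPACERT_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=INTERNALFQDN.LAB"
        Validity:
            Not Before: Mon Jun 22 13:49:20 2015
            Not After : Sun Jun 11 13:49:20 2017
        Subject: "CN=IPA RA,O=INTERNALFQDN.LAB"
"""

# Constructed: the dump after an ipaCert renewal that the ipara entry did not follow.
SAMPLE_RENEWED_DUMP = SAMPLE_IPACERT_DUMP.replace("Serial Number: 7 (0x7)", "Serial Number: 12 (0xc)")


def demo() -> dict:
    """Compare the constructed samples; returns the mismatch lists for both cases."""
    expected = parse_ipara_description(SAMPLE_IPARA_LDIF)
    return {"consistent": compare(expected, parse_certutil_cert(SAMPLE_IPACERT_DUMP)),
            "renewed": compare(expected, parse_certutil_cert(SAMPLE_RENEWED_DUMP))}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On the post's own numbers the comparison comes out clean (serial 7, matching issuer and subject on both sides), which is consistent with the signedAudit line showing AttemptedCred=$Unidentified$: the entry and the DB agree, so the failure is upstream of the agent lookup. The "renewed" sample shows the case the check is really for, where certmonger has replaced ipaCert but the ipara description still names the old serial.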



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
