On Mon, Aug 24, 2015 at 07:00:00AM -0400, Arnold, Paul C CTR USARMY PEO STRI 
(US) wrote:
> I have been beating my head against the keyboard for the past 2 weeks trying
> to figure this one out. I'm hoping I am missing something simple, as my next
> course of action is to completely re-install IPA.
> 
> 
> This is the primary error I am receiving:
> 
> ipa: DEBUG: Caught fault 4301 from server
> https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
> cannot be completed: EXCEPTION (You did not provide a valid certificate for
> this operation)
> 
Dogtag raises this exception when it expected but did not receive a
client certificate.  The `ipaCert' certificate from /etc/httpd/alias
is the certificate used by FreeIPA to talk to Dogtag.

If `ipaCert' is not expired, there must be some other reason the
client is not sending the cert.  Is Dogtag in FIPS mode?  Can you
export the certificate and try and connect to the server using,
e.g., `openssl s_client -msg' to debug the handshake?

Thanks,
Fraser

> It occurs in the IdM UI and from shell. A similar task, ( ~# ipa user-show
> admin ) works on the same system. This system is a ipa master and the only
> CA, version 3.0.0-47 (initially 3.0.0-42) -- everything minus certificate
> tasks works. SELinux is currently in permissive (I am receiving no related
> AVCs anyway, even with semodule -BD).
> 
> Background on this issue: it started after putting mod_nss (and apache's
> nssdb) into FIPS mode. I have since restored the apache NSSdb to a
> known-good (non-FIPS) backup, but I am still receiving the same certificate
> errors.
> 
> The value of 'userCertificate' in
> 'cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same
> as the value from certutil for ipaCert. The value of 'cACertificate' from
> 'cn=CAcert,cn=ipa,cn=etc,dc=internalfqdn,dc=lab' is the same value as the
> '/etc/ipa/ca.crt' and the value from certutil for INTERNALFQDN.LAB IPA CA.
> 
> All logs below were run with a valid admin ticket. It is difficult to
> transport logs from this system (isolated network), so there are quite a lot
> of logs in this message; I snipped out as much filler as possible.
> 
> 
> ##
> ## cert-show from shell
> ##
> [root@server ~]# ipa cert-show
> <snip (all python plugins)>
> <snip (cookie stuff)>
> ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>         Version:       3 (0x2)
>         Serial Number: 10 (0xa)
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         Validity:
>             Not Before: Mon Jun 22 13:51:40 2015 UTC
>             Not After:  Thu Jun 22 13:51:40 2017 UTC
>         Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
> <snip>
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
> 
>         Name:     Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
> <snip>
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for
> "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Created connection context.xmlclient
> Serial number: 0xa
> ipa: DEBUG: raw: cert_show(u'10')
> ipa: DEBUG: cert_show(u'10')
> ipa: INFO: Forwarding 'cert_show' to server
> u'https://server.internalfqdn.lab/ipa/session/xml'
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Caught fault 4301 from server
> https://server.internalfqdn.lab/ipa/session/xml: Certificate operation
> cannot be completed: EXCEPTION (You did not provide a valid certificate for
> this operation)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (You did
> not provide a valid certificate for this operation)
> 
> 
> ##
> ## (successful) user-show from shell
> ##
> [root@server ~]# ipa user-show admin
> <snip (all python plugins)>
> <snip (cookie stuff)>
> ipa: INFO: trying https://server.internalfqdn.lab/ipa/session/xml
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>         Version:       3 (0x2)
>         Serial Number: 10 (0xa)
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         Validity:
>             Not Before: Mon Jun 22 13:51:40 2015 UTC
>             Not After:  Thu Jun 22 13:51:40 2017 UTC
>         Subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
> <snip>
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
> 
>         Name:     Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
> <snip>
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for
> "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Created connection context.xmlclient
> ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False,
> version=u'2.49', no_members=False)
> ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False,
> version=u'2.49', no_members=False)
> ipa: INFO: Forwarding 'user_show' to server
> u'https://server.internalfqdn.lab/ipa/session/xml'
> ipa: DEBUG: NSSConnection init server.internalfqdn.lab
> ipa: DEBUG: Connecting: 256.256.256.256:0
> ipa: DEBUG: handshake complete, peer = 256.256.256.256:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> <snip (cookie stuff)>
> ipa: DEBUG: Destroyed connection context.xmlclient
>   User login: admin
>   Last name: Administrator
>   Home directory: /home/admin
>   Login shell: /bin/bash
>   UID: 999999999
>   GID: 999999999
>   Account disabled: False
>   Password: True
>   Member of groups: admins, trust admins
>   Roles: IPA HBAC Administrator, IPA Workstation Administrator, IPA Services
> Administrator, IPA User Manager, IPA Cybersecurity Administrator, IPA
> Certificate Administrator
>   Indirect Member of netgroup: servers
>   Indirect Member of Sudo rule: ws_allow_all, srv_allow_all
>   Indirect Member of HBAC rule: console_login, admin_only_login,
> admin_allow_su
>   Kerberos keys available: True
> 
> 
> ##
> ## apache error_log
> ##
> [Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for
> child 4 (server server.internalfqdn.lab:443)
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> <snip (session stuff)>
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI xmlserver.__call__:
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Created connection
> context.ldap2
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: WSGI
> WSGIExecutioner.__call__:
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: raw: cert_show(u'10')
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert_show(u'10')
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: IPA: virtual verify retrieve
> certificate
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG:
> ipaserver.plugins.dogtag.ra.get_certificate()
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request
> 'https://server.internalfqdn.lab:443/ca/agent/ca/displayBySerial'
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: https_request post
> 'xml=true&serialNumber=10'
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: NSSConnection init
> server.internalfqdn.lab
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Connecting: 256.256.256.256:0
> [Mon Aug 24 06:11:11 2015] [info] Connection to child 0 established (server
> server.internalfqdn.lab:443, client 256.256.256.256)
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: auth_certificate_callback:
> check_sig=True is_server=False
> <snip (cert data, same as above to stdout)>
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: approved_usage = SSL Server
> intended_usage = SSL Server
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: cert valid True for
> "CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB"
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: handshake complete, peer =
> 256.256.256.256:443
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Protocol: TLS1.2
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: Cipher:
> TLS_RSA_WITH_AES_256_CBC_SHA
> [Mon Aug 24 06:11:11 2015] [info] Initial (No.1) HTTPS request received for
> child 0 (server server.internalfqdn.lab:443)
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(45): proxy: AJP:
> canonicalising URL //localhost:9447/ca/agent/ca/displayBySerial
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(1524): [client
> 256.256.256.256] proxy: ajp: found worker ajp://localhost:9447 for
> ajp://localhost:9447/ca/agent/ca/displayBySerial
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy.c(1026): Running scheme ajp
> handler (attempt 0)
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(709): proxy: AJP: serving
> URL ajp://localhost:9447/ca/agent/ca/displayBySerial
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2094): proxy: AJP: has
> acquired connection for (localhost)
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2150): proxy: connecting
> ajp://localhost:9447/ca/agent/ca/displayBySerial to localhost:9447
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2277): proxy: connected
> /ca/agent/ca/displayBySerial to localhost:9447
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2528): proxy: AJP: fam 2
> socket created to connect to localhost
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(224): Into
> ajp_marshal_into_msgb
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[0] [Host] = [server.internalfqdn.lab]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[1] [Accept-Encoding] = [identity]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[2] [Content-Length] = [24]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[3] [Content-type] = [application/x-www-form-urlencoded]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(290): ajp_marshal_into_msgb:
> Header[4] [Accept] = [text/plain]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(450): ajp_marshal_into_msgb:
> Done
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(269): proxy:
> APR_BUCKET_IS_EOS
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(274): proxy: data to read
> (max 8186 at 4)
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(289): proxy: got 24 bytes
> of data
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
> ajp_ilink_received 04
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 04
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(516):
> ajp_unmarshal_response: status = 200
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(537):
> ajp_unmarshal_response: Number of headers is = 2
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599):
> ajp_unmarshal_response: Header[0] [Content-Type] = [application/xml]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(609):
> ajp_unmarshal_response: ap_set_content_type done
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(599):
> ajp_unmarshal_response: Header[1] [Content-Length] = [274]
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
> ajp_ilink_received 03
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 03
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(687): ajp_read_header:
> ajp_ilink_received 05
> [Mon Aug 24 06:11:11 2015] [debug] ajp_header.c(697): ajp_parse_type: got 05
> [Mon Aug 24 06:11:11 2015] [debug] mod_proxy_ajp.c(616): proxy: got response
> from (null) (localhost)
> [Mon Aug 24 06:11:11 2015] [debug] proxy_util.c(2112): proxy: AJP: has
> released connection for (localhost)
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: parse_display_cert_xml()
> xml_text:
> [Mon Aug 24 06:11:11 2015] [error] <?xml version="1.0" encoding="UTF-8"
> standalone="no"?><xml><header/><fixed><authorityName>Certificate
> Manager</authorityName><unexpectedError>You did not provide a valid
> certificate for this 
> operation</unexpectedError><requestStatus>7</requestStatus></fixed><records/></xml>
> [Mon Aug 24 06:11:11 2015] [error] parse_result:
> [Mon Aug 24 06:11:11 2015] [error] {'request_status': 7, 'error_string':
> u'You did not provide a valid certificate for this operation', 'authority':
> u'Certificate Manager'}
> [Mon Aug 24 06:11:11 2015] [error] ipa: ERROR:
> ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (You did not
> provide a valid certificate for this operation)
> [Mon Aug 24 06:11:11 2015] [error] ipa: INFO: ad...@internalfqdn.lab:
> cert_show(u'10'): CertificateOperationError
> [Mon Aug 24 06:11:11 2015] [error] ipa: DEBUG: response:
> CertificateOperationError: Certificate operation cannot be completed:
> EXCEPTION (You did not provide a valid certificate for this operation)
> [Mon Aug 24 06:11:11 2015] [info] Connection to child 0 closed (server
> server.internalfqdn.lab:443, client 256.256.256.256)
> <snip (session stuff)>
> [Mon Aug 24 06:11:11 2015] [info] Connection to child 4 closed (server
> server.internalfqdn.lab:443, client 256.256.256.256)
> 
> 
> ##
> ## enabled apache modules
> ##
> [root@server ~]# httpd -M
> Loaded Modules:
>  core_module (static)
>  mpm_prefork_module (static)
>  http_module (static)
>  so_module (static)
>  authz_host_module (shared)
>  authz_user_module (shared)
>  authz_groupfile_module (shared)
>  log_config_module (shared)
>  setenvif_module (shared)
>  mime_module (shared)
>  autoindex_module (shared)
>  negotiation_module (shared)
>  dir_module (shared)
>  alias_module (shared)
>  rewrite_module (shared)
>  proxy_module (shared)
>  proxy_ajp_module (shared)
>  auth_kerb_module (shared)
>  nss_module (shared)
>  wsgi_module (shared)
> Syntax OK
> 
> 
> ##
> ## apache perms (I recently allowed o+r)
> ##
> 1442776    4 drwxr-xr-x   6 root     apache       4096 Aug 23 14:56
> /etc/httpd
> 1442910    0 lrwxrwxrwx   1 root     root           29 Jul 27 08:01
> /etc/httpd/modules -> ../../usr/lib64/httpd/modules
> 1442911    0 lrwxrwxrwx   1 root     root           19 Jul 27 08:01
> /etc/httpd/run -> ../../var/run/httpd
> 1442502    4 drwxr-xr-x   2 root     apache       4096 Aug  9 08:00
> /etc/httpd/alias
> 1442507    8 -rw-------   1 root     root         4684 Jun 21 09:49
> /etc/httpd/alias/install.log
> 1442670   16 -rw-r-----   1 root     apache      16384 Aug  5 16:10
> /etc/httpd/alias/secmod.db
> 1442512   16 -rw-r-----   1 root     apache      16384 Aug 23 16:40
> /etc/httpd/alias/key3.db
> 1442503    4 -r--r--r--   1 root     root         1307 Jun 22 09:50
> /etc/httpd/alias/cacert.asc
> 1442528    4 -r--r-----   1 root     apache         20 Jun 22 09:48
> /etc/httpd/alias/pwdfile.txt
> 1442505   64 -rw-r-----   1 root     apache      65536 Aug 23 16:40
> /etc/httpd/alias/cert8.db
> 1442516    0 lrwxrwxrwx   1 root     root           33 Aug 23 14:56
> /etc/httpd/alias/libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
> 1442891    4 drwxr-xr-x   2 root     apache       4096 Aug 24 06:01
> /etc/httpd/conf.d
> 1442205    4 -rw-rw----   1 root     apache       1487 Aug 24 06:01
> /etc/httpd/conf.d/nss.conf
> 1442100    4 -rw-rw----   1 root     apache         43 Aug  6 17:54
> /etc/httpd/conf.d/wsgi.conf
> 1442748   12 -rw-r--r--   1 root     apache       9456 Jan 23  2015
> /etc/httpd/conf.d/nss.conf.rpmnew
> 1442149    4 -rw-rw----   1 root     apache        760 Aug  6 17:54
> /etc/httpd/conf.d/ipa-rewrite.conf
> 1442171    4 -rw-rw----   1 root     apache        707 Aug  6 17:54
> /etc/httpd/conf.d/auth_kerb.conf
> 1442038    4 -rw-rw----   1 root     apache       3613 Aug 21 19:29
> /etc/httpd/conf.d/ipa.conf
> 1442148    4 -rw-rw----   1 root     apache       1524 Aug 23 16:12
> /etc/httpd/conf.d/ipa-pki-proxy.conf
> 1442778    4 drwxr-xr-x   2 root     apache       4096 Aug 24 06:00
> /etc/httpd/conf
> 1443974    4 -r--r-----   1 root     apache         30 Aug 23 13:34
> /etc/httpd/conf/password.conf
> 1442186    8 -rw-rw----   1 root     apache       4989 Aug 24 05:42
> /etc/httpd/conf/httpd.conf
> 1443975    4 -rw-rw----   1 root     apache        314 Jun 22 09:52
> /etc/httpd/conf/ipa.keytab
> 1442908   16 -rw-rw----   1 root     apache      13139 Mar  3 12:06
> /etc/httpd/conf/magic
> 1442909    0 lrwxrwxrwx   1 root     root           19 Jul 27 08:01
> /etc/httpd/logs -> ../../var/log/httpd
> 
> 
> ##
> ## ipara cert serial vs nssdb serial
> ##
> [root@server ~]# ldapsearch -h localhost -p 7389 -D "CN=Directory Manager"
> -x -W -b "uid=ipara,ou=People,o=ipaca" description
> <snip>
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;7;CN=Certificate Authority,O=INTERNALFQDN.LAB;CN=IPA
> RA,O=INTERNALFQDN.LAB
> <snip>
> [root@server ~]# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
>         Serial Number: 7 (0x7)
> 
> 
> ##
> ## full getcert list
> ##
> [root@server ~]# getcert list
> Number of certificates and requests being tracked: 10.
> Request ID '20150622134926':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:31 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150622134947':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNALFQDN-LAB/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-INTERNALFQDN-LAB',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-22 13:49:46 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> INTERNALFQDN-LAB
>         track: yes
>         auto-renew: yes
> Request ID '20150622135035':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-22 13:50:34 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>         track: yes
>         auto-renew: yes
> Request ID '20150623103849':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS
> Certificate DB'
>         certificate:
> type=NSSDB,location='/etc/pki/nssdb',nickname='NFS-server',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-23 11:11:18 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150623111624':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS
> Certificate DB'
>         certificate:
> type=NSSDB,location='/etc/pki/nssdb',nickname='DNS-server',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-23 11:16:25 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150624145016':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=FILE,location='/var/lib/puppet/ssl/private_keys/server.internalfqdn.lab.pem'
>         certificate:
> type=FILE,location='/var/lib/puppet/ssl/certs/server.internalfqdn.lab.pem'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=server.internalfqdn.lab,O=INTERNALFQDN.LAB
>         expires: 2017-06-24 14:50:17 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150823160608':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=CA Audit,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:33 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20150823160614':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=OCSP Subsystem,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:31 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20150823160639':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=CA Subsystem,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:48:32 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20150823160643':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNALFQDN.LAB
>         subject: CN=IPA RA,O=INTERNALFQDN.LAB
>         expires: 2017-06-11 13:49:20 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> 
> 
> ##
> ## getcert list-cas
> ##
> [root@server ~]# getcert list-cas
> CA 'SelfSign':
>         is-default: no
>         ca-type: INTERNAL:SELF
>         next-serial-number: 01
> CA 'IPA':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/ipa-submit
> CA 'certmaster':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/certmaster-submit
> CA 'dogtag-ipa-renew-agent':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location:
> /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> CA 'local':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/local-submit
> CA 'dogtag-ipa-retrieve-agent-submit':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location:
> /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
> 
> 
> ##
> ## NSSdbs
> ##
> [root@server ~]# certutil -d /etc/pki/nssdb -L
> 
> Certificate Nickname                                         Trust
> Attributes
> SSL,S/MIME,JAR/XPI
> IPA CA                                                       CT,C,C
> DNS-Servername                                               u,u,u
> [root@server ~]# certutil -d /etc/httpd/alias -L
> 
> Certificate Nickname                                         Trust
> Attributes
> SSL,S/MIME,JAR/XPI
> INTERNALFQDN.LAB IPA CA CT,C,C
> ipaCert                                                      u,u,u
> Signing-Cert                                                 u,u,u
> Server-Cert                                                  u,u,u
> [root@server ~]# certutil -d /var/lib/pki-ca/alias -L
> 
> Certificate Nickname                                         Trust
> Attributes
> SSL,S/MIME,JAR/XPI
> caSigningCert cert-pki-ca CTu,Cu,Cu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> 
> 
> ##
> ## pki-ca network processes
> ##
> [root@server ~]# netstat -plnt | grep java
> tcp        0      0 0.0.0.0:9443 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9444 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 127.0.0.1:9701 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9445 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9446 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9447 0.0.0.0:*                   LISTEN
> 9352/java
> tcp        0      0 0.0.0.0:9180 0.0.0.0:*                   LISTEN
> 9352/java
> 
> 
> ##
> ## server.xml
> ##
> (No changes from dist other than ssl3=false in sslOptions)
> 
> 
> ##
> ## pki-ca tomcat logs
> ##
> No entries -- request does not seem to get far enough to trigger anything
> outside of SignedAudit.
> 
> 
> ##
> ## signedAudit
> ##
> 9352.TP-Processor1 - [24/Aug/2015:06:11:11 EDT] [14] [6] 
> [AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$]
> authentication failure
> 
> 
> ##
> ## basic system info
> ##
> 
> [root@server ~]# rpm -q ipa-server pki-ca && uname -a && cat
> /etc/redhat-release
> ipa-server-3.0.0-47.el6.x86_64
> pki-ca-9.0.3-43.el6.noarch
> Linux server.internalfqdn.lab 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14
> 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 6.7 (Santiago)
> 
> 
> 
> Regards,
> 
> -- 
> Paul Arnold
> IT Systems Engineer
> Cole Engineering Services, Inc
> 
> 



> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to