Hello everyone, I've been banging my head against the wall for a few days now trying to resolve an issue with PKI and I'm hoping I might get some help. First some context.
About a week ago I was alerted that all of our replicas were offline due to pki-tomcatd not starting. Futher investigation determined that all of the pki certs had expired two days earlier. I turned back time and successfully updated the certs and certmonger updated the rest of the replicas. Now I'm seeing the following symptoms: 1. Searching certificates via the web UI will display certificate info. 2. Attemping to view certificate details results in an "IPA Error 4301: CertificateOperationError" the exception being "Invalid Credential.". 3. Issuing the ipa cert-show command results in the same "Invalid Credential." exception. 4. PKI debug log shows: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=DOMAIN.COM] authentication failure 5. PKI system log shows: Cannot authenticate agent with certificate Serial 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found. In trolling this list I've done the following things troubleshooting: 1. Ensured the certs being monitored by certmonger are correct. 2. Ensured the certs in the http and pki-tomcat NSS databases are as expected. 3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct description and cert (it had the wrong serialnumber in the description but i've updated that). 4. Ensured the CS.cfg has the correct certs (it did). Any suggestions or assistance would be apprecitated. Thanks! Sam
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
