Hello everyone,

I've been banging my head against the wall for a few days now trying to
resolve an issue with PKI and I'm hoping I might get some help.  First some

About a week ago I was alerted that all of our replicas were offline due to
pki-tomcatd not starting.  Futher investigation determined that all of the
pki certs had expired two days earlier.  I turned back time and
successfully updated the certs and certmonger updated the rest of the

Now I'm seeing the following symptoms:
1.  Searching certificates via the web UI will display certificate info.
2.  Attemping to view certificate details results in an "IPA Error 4301:
CertificateOperationError" the exception being "Invalid Credential.".
3.  Issuing the ipa cert-show command results in the same "Invalid
Credential." exception.
4.  PKI debug log shows:  SignedAuditEventFactory: create()
RA,O=DOMAIN.COM] authentication failure
5.  PKI system log shows: Cannot authenticate agent with certificate Serial
0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.

In trolling this list I've done the following things troubleshooting:

1.  Ensured the certs being monitored by certmonger are correct.
2.  Ensured the certs in the http and pki-tomcat NSS databases are as
3.  Ensured the uid=ipara,ou=people,o=ipaca object has the correct
description and cert (it had the wrong serialnumber in the description but
i've updated that).
4.  Ensured the CS.cfg has the correct certs (it did).

Any suggestions or assistance would be apprecitated.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to