Yes the cert is correct.  The userCertificate field matches the output of
"certutil -L -d /etc/httpd/alias/ -n ipaCert -a" with the header and footer
removed, and the serial number matches as well albeit in decimal instead of

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;
userCertificate:: <cert here>
userstate: 1
uid: ipara
sn: ipara
usertype: agentType
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: ipara

On Wed, Mar 23, 2016 at 4:31 PM, Petr Vobornik <> wrote:

> On 03/23/2016 03:50 PM, Sam James wrote:
>> Hello everyone,
>> I've been banging my head against the wall for a few days now trying to
>> resolve
>> an issue with PKI and I'm hoping I might get some help.  First some
>> context.
>> About a week ago I was alerted that all of our replicas were offline due
>> to
>> pki-tomcatd not starting.  Futher investigation determined that all of
>> the pki
>> certs had expired two days earlier.  I turned back time and successfully
>> updated
>> the certs and certmonger updated the rest of the replicas.
>> Now I'm seeing the following symptoms:
>> 1.  Searching certificates via the web UI will display certificate info.
>> 2.  Attemping to view certificate details results in an "IPA Error 4301:
>> CertificateOperationError" the exception being "Invalid Credential.".
>> 3.  Issuing the ipa cert-show command results in the same "Invalid
>> Credential."
>> exception.
>> 4.  PKI debug log shows:  SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=DOMAIN.COM <http://DOMAIN.COM>] authentication failure
>> 5.  PKI system log shows: Cannot authenticate agent with certificate
>> Serial
>> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM <http://DOMAIN.COM>.
>> Error: User
>> not found.
> PKI has some build-in accounts which uses certificates for authentication.
> It matches a user by a certificate. The error above means that it cannot
> find any user for cert with serial no 0x123456789
> So the possible cause is the user you checked
> (uid=ipara,ou=people,o=ipaca) has still old cert. I.e. you've updated
> description, but is the cert correct?
>> In trolling this list I've done the following things troubleshooting:
>> 1.  Ensured the certs being monitored by certmonger are correct.
>> 2.  Ensured the certs in the http and pki-tomcat NSS databases are as
>> expected.
>> 3.  Ensured the uid=ipara,ou=people,o=ipaca object has the correct
>> description
>> and cert (it had the wrong serialnumber in the description but i've
>> updated that).
>> 4.  Ensured the CS.cfg has the correct certs (it did).
>> Any suggestions or assistance would be apprecitated.
>> Thanks!
>> Sam
>> --
> Petr Vobornik
Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to