Yes the cert is correct. The userCertificate field matches the output of
"certutil -L -d /etc/httpd/alias/ -n ipaCert -a" with the header and footer
removed, and the serial number matches as well albeit in decimal instead of
# ipara, people, ipaca
description: 2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;
CN=IPA RA, O=DOMAIN.COM
userCertificate:: <cert here>
On Wed, Mar 23, 2016 at 4:31 PM, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 03/23/2016 03:50 PM, Sam James wrote:
>> Hello everyone,
>> I've been banging my head against the wall for a few days now trying to
>> an issue with PKI and I'm hoping I might get some help. First some
>> About a week ago I was alerted that all of our replicas were offline due
>> pki-tomcatd not starting. Further investigation determined that all of
>> the pki
>> certs had expired two days earlier. I turned back time and successfully
>> the certs and certmonger updated the rest of the replicas.
>> Now I'm seeing the following symptoms:
>> 1. Searching certificates via the web UI will display certificate info.
>> 2. Attempting to view certificate details results in an "IPA Error 4301:
>> CertificateOperationError" the exception being "Invalid Credential.".
>> 3. Issuing the ipa cert-show command results in the same "Invalid
>> 4. PKI debug log shows: SignedAuditEventFactory: create()
>> RA,O=DOMAIN.COM <http://DOMAIN.COM>] authentication failure
>> 5. PKI system log shows: Cannot authenticate agent with certificate
>> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM <http://DOMAIN.COM>.
>> Error: User
>> not found.
> PKI has some built-in accounts which use certificates for authentication.
> It matches a user by a certificate. The error above means that it cannot
> find any user for cert with serial no 0x123456789
> So the possible cause is the user you checked
> (uid=ipara,ou=people,o=ipaca) still has the old cert. I.e. you've updated
> description, but is the cert correct?
>> In trolling this list I've done the following things troubleshooting:
>> 1. Ensured the certs being monitored by certmonger are correct.
>> 2. Ensured the certs in the http and pki-tomcat NSS databases are as
>> 3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct
>> and cert (it had the wrong serialnumber in the description but I've
>> updated that).
>> 4. Ensured the CS.cfg has the correct certs (it did).
>> Any suggestions or assistance would be appreciated.
> Petr Vobornik
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
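The check discussed in the thread, comparing the serial in the agent entry's description against the certificate actually stored in userCertificate (and printing it in the hex form the PKI log uses), as an added example; this is not code from the thread or from FreeIPA/Dogtag. It assumes only the Python standard library: the DER walker reads just far enough into a certificate to reach serialNumber, so it works on a real userCertificate value, and the stub certificate it builds for its own demo is a constructed stand-in (the serial 4886718345 / 0x123456789 and the description string are taken from the thread). The name check_agent_entry and the stub builder fake_cert_der are hypothetical helpers, not FreeIPA APIs.

```python
import base64

# Constructed from the page's entry: Dogtag stores "<version>;<decimal serial>;<issuer>;<subject>".
# The leading 2 is the value a v3 certificate encodes in its version field.
DESCRIPTION = "2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM"


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (definite, long-form length when needed)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_integer(value: int) -> bytes:
    """DER INTEGER; the extra byte keeps positive values from looking negative."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def fake_cert_der(serial: int) -> bytes:
    """Constructed stub: Certificate { tbsCertificate { [0] version, serialNumber, ... } }.
    Only the prefix the parser below reads is present; it is NOT a valid X.509 cert."""
    tbs = der_tlv(0xA0, der_integer(2)) + der_integer(serial) + der_tlv(0x30, b"")
    return der_tlv(0x30, der_tlv(0x30, tbs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber and return it."""
    tag, cert_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, body, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                       # explicit [0] version present (v2/v3)
        tag, body, pos = _read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return int.from_bytes(body, "big", signed=True)


def pem_body(pem: str) -> str:
    """Drop the BEGIN/END lines from certutil -a output: what remains is the
    same base64 that LDIF shows after 'userCertificate::'."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def parse_description(desc: str) -> dict:
    version, serial, issuer, subject = desc.split(";", 3)
    return {"version": int(version), "serial": int(serial), "issuer": issuer, "subject": subject}


def check_agent_entry(description: str, user_certificate_b64: str) -> dict:
    """Compare the serial in the description attribute with the serial inside
    the stored certificate; report both decimal and the 0x... form the PKI
    system log prints, so the two can be matched by eye as well."""
    cert_ser = cert_serial(base64.b64decode(user_certificate_b64))
    desc = parse_description(description)
    return {
        "cert_serial": cert_ser,
        "cert_serial_hex": format(cert_ser, "#x"),
        "description_serial": desc["serial"],
        "match": cert_ser == desc["serial"],
    }


if __name__ == "__main__":
    # Demo on the constructed stub; on a live system feed the real
    # userCertificate:: value (or pem_body(certutil output)) instead.
    b64 = base64.b64encode(fake_cert_der(0x123456789)).decode()
    print(check_agent_entry(DESCRIPTION, b64))
```

A "match" of False with a correct description is exactly the state Petr describes: the entry was edited by hand but still carries the pre-renewal certificate, so the CA cannot map the presented agent cert to uid=ipara.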