Yes, the cert is correct. The userCertificate field matches the output of "certutil -L -d /etc/httpd/alias/ -n ipaCert -a" with the header and footer removed, and the serial number matches as well, albeit in decimal instead of hex.
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
userCertificate:: <cert here>
userstate: 1
uid: ipara
sn: ipara
usertype: agentType
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: ipara

On Wed, Mar 23, 2016 at 4:31 PM, Petr Vobornik <[email protected]> wrote:
> On 03/23/2016 03:50 PM, Sam James wrote:
>
>> Hello everyone,
>>
>> I've been banging my head against the wall for a few days now trying to resolve
>> an issue with PKI and I'm hoping I might get some help. First some context.
>>
>> About a week ago I was alerted that all of our replicas were offline due to
>> pki-tomcatd not starting. Further investigation determined that all of the pki
>> certs had expired two days earlier. I turned back time and successfully updated
>> the certs and certmonger updated the rest of the replicas.
>>
>> Now I'm seeing the following symptoms:
>> 1. Searching certificates via the web UI will display certificate info.
>> 2. Attempting to view certificate details results in an "IPA Error 4301:
>> CertificateOperationError", the exception being "Invalid Credential.".
>> 3. Issuing the ipa cert-show command results in the same "Invalid Credential."
>> exception.
>> 4. PKI debug log shows: SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=DOMAIN.COM] authentication failure
>> 5. PKI system log shows: Cannot authenticate agent with certificate Serial
>> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.
>>
>
> PKI has some built-in accounts which use certificates for authentication.
> It matches a user by a certificate. The error above means that it cannot
> find any user for cert with serial no 0x123456789
>
> So the possible cause is the user you checked
> (uid=ipara,ou=people,o=ipaca) still has the old cert. I.e. you've updated
> description, but is the cert correct?
>
>
>> In trolling this list I've done the following troubleshooting:
>>
>> 1. Ensured the certs being monitored by certmonger are correct.
>> 2. Ensured the certs in the http and pki-tomcat NSS databases are as expected.
>> 3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct description
>> and cert (it had the wrong serial number in the description but I've updated that).
>> 4. Ensured the CS.cfg has the correct certs (it did).
>>
>> Any suggestions or assistance would be appreciated.
>>
>> Thanks!
>> Sam
>>
>> --
> Petr Vobornik
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
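The consistency check the thread is doing by hand (does the agent entry in o=ipaca describe the certificate that is actually in the HTTP NSS database, and does its serial match the one Dogtag logs as unmatched?) can be scripted. The following is an added example, not code from the thread or from FreeIPA/Dogtag. It assumes the description attribute has the shape "<version>;<serial in decimal>;<issuer DN>;<subject DN>" as shown in the entry above, that userCertificate holds the DER of the certificate, and that the PKI system log line has the wording quoted in the thread. The LDIF, the PEM and the DER bytes are constructed inline (the DER is not a real certificate; the example only compares the blob in LDAP with the blob certutil prints). Helper names such as check_agent_entry are hypothetical.

```python
import base64
import re
import textwrap

# --- Constructed sample data (not captured from a real system) -------------
# The agent user uid=ipara,ou=people,o=ipaca carries the certificate twice:
# as the DER blob in userCertificate and summarised in description as
#   <version>;<serial in decimal>;<issuer DN>;<subject DN>
# Dogtag's certUserDBAuthMgr looks the agent up by certificate, so both must
# describe the certificate in the HTTP NSS database under nickname ipaCert.

DER = bytes(range(256)) * 3   # stand-in for a DER certificate, not a real cert


def _pem(der):
    """Mimic 'certutil -L -d /etc/httpd/alias/ -n ipaCert -a' output (assumed format)."""
    body = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def _ldif(der, serial_dec):
    """Mimic an ldapsearch LDIF entry; LDIF folds long values at 76 columns
    and prefixes continuation lines with one space."""
    folded = "userCertificate:: " + base64.b64encode(der).decode()
    lines = [folded[:76]] + [" " + folded[i:i + 75] for i in range(76, len(folded), 75)]
    return ("dn: uid=ipara,ou=people,o=ipaca\n"
            "description: 2;%s;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM\n"
            "%s\nuid: ipara\nusertype: agentType\n" % (serial_dec, "\n".join(lines)))


PEM_FROM_CERTUTIL = _pem(DER)
LDIF_ENTRY = _ldif(DER, 4886718345)          # 4886718345 == 0x123456789
PKI_LOG_LINE = ("Cannot authenticate agent with certificate Serial 0x123456789 "
                "Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.")


def parse_ldif(text):
    """Unfold continuation lines; '::' values are base64 and decoded to bytes."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if ":: " in line:
            attr, val = line.split(":: ", 1)
            entry[attr] = base64.b64decode(val)
        elif ": " in line:
            attr, val = line.split(": ", 1)
            entry[attr] = val
    return entry


def normalize_dn(dn):
    """Canonicalise 'CN=IPA RA, O=DOMAIN.COM' vs 'cn=IPA RA,O=DOMAIN.COM'."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        parts.append(typ.strip().upper() + "=" + val.strip())
    return ",".join(parts)


def parse_description(desc):
    version, serial, issuer, subject = desc.split(";", 3)
    return {"version": int(version), "serial": int(serial),
            "issuer": normalize_dn(issuer), "subject": normalize_dn(subject)}


def pem_to_der(pem):
    body = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def serial_from_log(line):
    """The PKI log prints the serial in hex; description stores it in decimal."""
    return int(re.search(r"Serial 0x([0-9A-Fa-f]+)", line).group(1), 16)


def subject_from_log(line):
    return normalize_dn(re.search(r"Subject DN (.+?)\.\s+Error", line).group(1))


def check_agent_entry(ldif_text, pem_text, log_line):
    entry = parse_ldif(ldif_text)
    desc = parse_description(entry["description"])
    return {
        "serial_matches": desc["serial"] == serial_from_log(log_line),
        "subject_matches": desc["subject"] == subject_from_log(log_line),
        "cert_matches": entry["userCertificate"] == pem_to_der(pem_text),
    }


if __name__ == "__main__":
    print(check_agent_entry(LDIF_ENTRY, PEM_FROM_CERTUTIL, PKI_LOG_LINE))
```

A False in cert_matches points at the case Petr describes (description updated, userCertificate still the old blob); a False in serial_matches alone means the description was edited to the wrong serial or left in hex. On a real server feed the script the actual ldapsearch and certutil output instead of the constructed values.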
