If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.

Thanks

On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Adam Lewis wrote:
>
>> A quick update. We did some digging on the segfault problem and I think
>> it was due to having to update the trusts on the CA cert. So we updated
>> the certmonger package and certmonger now starts again.
>> However we're kind of back to square one where we are still getting the
>> AUTH_FAIL messages in the debug log.
>> I have verified that the ipara entry's serial number and cert match the
>> serial number and cert from the one in /etc/httpd/alias.
>>
>
> How about the certificate PEM? Does it match the usercertificate in the
> dogtag LDAP server?
>
> rob
>
>
>> Any other ideas?
>>
>> Thanks!
>>
>> On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis...@gmail.com> wrote:
>>
>>     Rob,
>>     Thanks for pointing me in the right direction. However after
>>     following the instructions in the above mentioned doc I noticed a
>>     few things that are odd and have a new problem. The first odd thing
>>     I noticed is that when I run service pki-cad status it shows that my
>>     PKI Subsystem Type is "CA Clone (Security Domain)"
>>     Shouldn't that say something like "CA Master"?
>>     Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
>>     all produced the same AUTH_FAIL message in the debug log.
>>
>>     Now the new problem...after pressing on and restarting things
>>     certmonger fails to start with a segfault.
>>     Starting certmonger: /bin/bash: line 1: 64935 Segmentation
>>     fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid
>>
>>     Thanks!
>>
>>     On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>         Lewis, Adam M CIV NSWCDD, H11 wrote:
>>
>>             We are currently dead in the water. Our OCSP, CA Audit, CA
>>             Subsystem, and IPA RA certs expired as of 7/23/16. I found
>>             and followed the instructions to the letter
>>             (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>>             however the CA Subsystem and IPA RA certs will not renew.
>>             I've backdated the server to make sure the system was within
>>             the renewal window, but that has not helped.
>>
>>
>>         Those are the wrong instructions.
>>
>>         You want this instead, https://access.redhat.com/solutions/643753
>>
>>         A bunch of it is for 2.2 but it isn't exactly noted which parts.
>>         A general rule is that you don't/shouldn't need to directly
>>         tweak the dogtag configuration or do any of the start-tracking
>>         work (though you may want to verify what, if anything, you
>>         changed from that wrong doc).
>>
>>             When I run getcert list it reports:
>>             Ca-error: Sever at
>>             "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1:
>>             Authentication Error
>>             for both the IPA RA and CA Subsystem certs
>>
>>             The debug log shows:
>>             SignedAuditEventFactory: create()
>>
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>>             RA,O=MISS.ION] authentication failure
>>             ReviewReqServlet: Invalid Credential.
>>
>>
>>         The place to start is to get the serial # of the ipaCert:
>>
>>         # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>
>>         Now get the user from the dogtag LDAP server:
>>
>>         # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager'
>>         -W -b uid=ipara,ou=People,o=ipaca description
>>
>>         The format is 2;<serial number>;<issuer subject>;<subject>
>>
>>         See if the serial # matches ipaCert. I'm guessing it won't.
>>         Follow the instructions on the page I cited to update the entry
>>         with the current certificate and serial # values. That should
>>         get you going.
>>
>>         rob
>>
>>
>>
>>             We are kind of in deep doo-doo until this gets resolved.
>>
>>             We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>
>>             Any thoughts?
>>
>>             Thanks!
>>
>>             Adam M. Lewis
>>
>>
>>
>>
>>         --
>>         Manage your subscription for the Freeipa-users mailing list:
>>         https://www.redhat.com/mailman/listinfo/freeipa-users
>>         Go to http://freeipa.org for more info on the project
>>
>>
>>
>>
>>     --
>>     Adam M. Lewis
>>     alewis...@gmail.com
>>     10807 Allie Place
>>     Fredericksburg, VA 22408
>>     540-412-8643
>>
>


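The check Rob describes above (compare the serial, issuer and subject of ipaCert in /etc/httpd/alias against the `2;<serial>;<issuer>;<subject>` description on the dogtag `uid=ipara` entry) as an added example; this is not code from the thread or from FreeIPA. It parses constructed sample output modelled on `certutil -L` and `ldapsearch` and assumes certutil prints the serial in its decimal form ("Serial Number: 7 (0x7)").

```python
import re

# Constructed sample output, modelled on `certutil -L -d /etc/httpd/alias -n ipaCert`.
# Values are made up for this example.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Subject: "CN=IPA RA,O=EXAMPLE.TEST"
"""

# Constructed sample LDIF, modelled on the ldapsearch for uid=ipara,ou=People,o=ipaca.
# The serial here deliberately disagrees with the NSS certificate above.
LDAP_OUTPUT = """\
dn: uid=ipara,ou=People,o=ipaca
description: 2;5;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST
"""

def certutil_identity(text):
    """Extract (serial, issuer, subject) from certutil -L output (decimal serial assumed)."""
    serial = re.search(r"Serial Number:\s*(\d+)", text)
    issuer = re.search(r'Issuer:\s*"([^"]*)"', text)
    subject = re.search(r'Subject:\s*"([^"]*)"', text)
    if not (serial and issuer and subject):
        raise ValueError("could not parse certutil output")
    return int(serial.group(1)), issuer.group(1), subject.group(1)

def ipara_identity(ldif):
    """Parse the dogtag description attribute: 2;<serial>;<issuer>;<subject>."""
    m = re.search(r"^description:\s*(.*)$", ldif, re.MULTILINE)
    if not m:
        raise ValueError("no description attribute in LDIF")
    parts = m.group(1).split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % m.group(1))
    return int(parts[1]), parts[2], parts[3]

def mismatches(certutil_text, ldif):
    """List (field, nss_value, ldap_value) for every field where the two disagree."""
    nss = certutil_identity(certutil_text)
    ldap = ipara_identity(ldif)
    names = ("serial", "issuer", "subject")
    return [(n, a, b) for n, a, b in zip(names, nss, ldap) if a != b]

if __name__ == "__main__":
    for name, nss_val, ldap_val in mismatches(CERTUTIL_OUTPUT, LDAP_OUTPUT):
        print("MISMATCH %s: NSS has %r, dogtag entry has %r" % (name, nss_val, ldap_val))
```

An empty result means the agent entry already matches the certificate and the AUTH_FAIL has another cause; a serial mismatch is the case Rob expects, where the entry still describes the previous (expired) RA certificate.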