Adam Lewis wrote:
If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.


The usercertificate in LDAP had the BEGIN/END stripped, right?

I'll cc a couple of the dogtag developers to see what they think.

rob


Thanks

On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Adam Lewis wrote:

        A quick update. We did some digging on the segfault problem and I
        think it was due to having to update the trusts on the CA cert. So
        we updated the certmonger package and certmonger now starts again.
        However we're kind of back to square one where we are still getting
        the AUTH_FAIL messages in the debug log.
        I have verified that the ipara entry's serial number and cert match
        the serial number and cert from the one in /etc/httpd/alias.


    How about the certificate PEM? Does it match the usercertificate in
    the dogtag LDAP server?

    rob


        Any other ideas?

        Thanks!

        On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis...@gmail.com> wrote:

             Rob,
             Thanks for pointing me in the right direction. However, after
             following the instructions in the above mentioned doc I noticed
             a few things that are odd and have a new problem. The first odd
             thing I noticed is that when I run service pki-cad status it
             shows that my PKI Subsystem Type is "CA Clone (Security Domain)".
             Shouldn't that say something like "CA Master"?
             Second, when I ran the "ipa-getcert resubmit -I [ID]" commands
             they all produced the same AUTH_FAIL message in the debug log.

             Now the new problem... after pressing on and restarting things
             certmonger fails to start with a segfault.
             Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid

             Thanks!

             On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

                 Lewis, Adam M CIV NSWCDD, H11 wrote:

                     We are currently dead in the water. Our OCSP, CA Audit, CA
                     Subsystem, and IPA RA certs expired as of 7/23/16. I found
                     and followed the instructions to the letter
                     (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
                     however the CA Subsystem and IPA RA certs will not renew.
                     I've backdated the server to make sure the system was within
                     the renewal window, but that has not helped.


                 Those are the wrong instructions.

                 You want this instead,
                 https://access.redhat.com/solutions/643753

                 A bunch of it is for 2.2 but it isn't exactly noted which
                 parts. A general rule is that you don't/shouldn't need to
                 directly tweak the dogtag configuration or do any of the
                 start-tracking work (though you may want to verify what, if
                 anything, you changed from that wrong doc).

                     When I run getcert list it reports:
                     Ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
                     for both the IPA RA and CA Subsystem certs

                     The debug log shows:
                     SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
                     ReviewReqServlet: Invalid Credential.


                 The place to start is to get the serial # of the ipaCert:

                 # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

                 Now get the user from the dogtag LDAP server:

                 # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

                 The format is 2;<serial number>;<issuer subject>;<subject>

                 See if the serial # matches ipaCert. I'm guessing it won't.
                 Follow the instructions on the page I cited to update the
                 entry with the current certificate and serial # values. That
                 should get you going.

                 rob



                     We are kind of in deep doo-doo until this gets resolved.

                     We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

                     Any thoughts?

                     Thanks!

                     Adam M. Lewis




                 --
                 Manage your subscription for the Freeipa-users mailing list:
                 https://www.redhat.com/mailman/listinfo/freeipa-users
                 Go to http://freeipa.org for more info on the project




             --
             Adam M. Lewis
             alewis...@gmail.com
             10807 Allie Place
             Fredericksburg, VA 22408
             540-412-8643
















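Rob's check above (the serial in the ipara entry's description versus the ipaCert serial, and the LDAP usercertificate versus the cert in /etc/httpd/alias) can be scripted against saved command output. This is an added example, not code from the thread or from FreeIPA/Dogtag; the certutil output, LDAP values and DER bytes below are constructed placeholders, and it assumes the description keeps the 2;<serial>;<issuer>;<subject> layout Rob describes.

```python
import base64
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert` output (not real data).
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: "CN=Certificate Authority,O=MISS.ION"
        Subject: "CN=IPA RA,O=MISS.ION"
"""
# Constructed placeholder for the DER bytes held in the NSS database; not a real certificate.
NSS_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-RA-CERT-DER"
# Constructed values as ldapsearch would return them for uid=ipara,ou=People,o=ipaca.
LDAP_DESCRIPTION = "2;7;CN=Certificate Authority,O=MISS.ION;CN=IPA RA,O=MISS.ION"
LDAP_USERCERT_B64 = base64.b64encode(NSS_CERT_DER).decode()  # base64 DER, no BEGIN/END lines


def certutil_serial(text):
    """Return the serial from certutil -L output as an int (decimal or colon-hex form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        _, sep, rest = line.partition("Serial Number:")
        if not sep:
            continue
        rest = rest.strip()
        if rest:                      # small serials: "7 (0x7)" on the same line
            return int(rest.split()[0])
        hexdigits = ""                # large serials: "00:b1:0c:..." on the following line(s)
        for cont in lines[i + 1:]:
            cont = cont.strip()
            if not re.fullmatch(r"[0-9a-fA-F:]+", cont):
                break
            hexdigits += cont.replace(":", "")
        return int(hexdigits, 16)
    raise ValueError("no Serial Number in certutil output")


def parse_ipara_description(value):
    """Split the dogtag user description 2;<serial>;<issuer DN>;<subject DN>."""
    parts = value.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % value)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def ra_entry_matches(certutil_text, nss_der, description, usercert_b64):
    """Report whether the serial and the certificate bytes agree between NSS DB and LDAP."""
    desc = parse_ipara_description(description)
    raw = re.sub(r"-----[^-]+-----|\s", "", usercert_b64)  # tolerate PEM armour/whitespace
    return {"serial": certutil_serial(certutil_text) == desc["serial"],
            "cert": base64.b64decode(raw) == nss_der}
```

A serial mismatch or a cert mismatch in the returned dict is the AUTH_FAIL condition Rob is pointing at: certUserDBAuthMgr cannot map the presented RA certificate to the ipara user.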
