Adam Lewis wrote:
Yup, it's just the text string. I don't know how much this matters but
when I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what
it's been since we installed IPA. Is there some way/reason for me to
generate a whole new ipaCert?


certmonger will take care of that when renewal happens.

Did you go back in time to when this cert was valid?

rob


Thanks

On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Adam Lewis wrote:

        If you mean the usercertificate value from the ldapsearch command, then
        yes. That value matches the value from the certutil output.


    The usercertificate in LDAP had the BEGIN/END stripped, right?

    I'll cc a couple of the dogtag developers to see what they think.

    rob


        Thanks

        On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

             Adam Lewis wrote:

                 A quick update. We did some digging on the segfault problem and
                 I think it was due to having to update the trusts on the CA cert.
                 So we updated the certmonger package and certmonger now starts again.
                 However we're kind of back to square one where we are still
                 getting the AUTH_FAIL messages in the debug log.
                 I have verified that the ipara entry's serial number and cert
                 match the serial number and cert from the one in /etc/httpd/alias.


             How about the certificate PEM? Does it match the usercertificate in
             the dogtag LDAP server?

             rob


                 Any other ideas?

                 Thanks!

                 On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis...@gmail.com> wrote:

                      Rob,
                      Thanks for pointing me in the right direction. However after
                      following the instructions in the above-mentioned doc I noticed a
                      few things that are odd and have a new problem. The first odd thing
                      I noticed is that when I run service pki-cad status it shows that my
                      PKI Subsystem Type is "CA Clone (Security Domain)".
                      Shouldn't that say something like "CA Master"?
                      Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
                      all produced the same AUTH_FAIL message in the debug log.

                      Now the new problem...after pressing on and restarting things
                      certmonger fails to start with a segfault.
                      Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid

                      Thanks!

                      On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

                          Lewis, Adam M CIV NSWCDD, H11 wrote:

                              We are currently dead in the water. Our OCSP, CA Audit, CA
                              Subsystem, and IPA RA certs expired as of 7/23/16. I found
                              and followed the instructions to the letter
                              (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
                              however the CA Subsystem and IPA RA certs will not renew.
                              I've backdated the server to make sure the system was within
                              the renewal window, but that has not helped.


                          Those are the wrong instructions.

                          You want this instead,
                          https://access.redhat.com/solutions/643753

                          A bunch of it is for 2.2 but it isn't exactly noted which parts.
                          A general rule is that you don't/shouldn't need to directly
                          tweak the dogtag configuration or do any of the start-tracking
                          work (though you may want to verify what, if anything, you
                          changed from that wrong doc).

                              When I run getcert list it reports:
                              Ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
                              for both the IPA RA and CA Subsystem certs

                              The debug log shows:
                              SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
                              ReviewReqServlet: Invalid Credential.


                          The place to start is to get the serial # of the ipaCert:

                          # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

                          Now get the user from the dogtag LDAP server:

                          # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

                          The format is 2;<serial number>;<issuer subject>;<subject>

                          See if the serial # matches ipaCert. I'm guessing it won't.
                          Follow the instructions on the page I cited to update the entry
                          with the current certificate and serial # values. That should
                          get you going.

                          rob



                              We are kind of in deep doo-doo until this gets resolved.

                              We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

                              Any thoughts?

                              Thanks!

                              Adam M. Lewis




                          --
                          Manage your subscription for the Freeipa-users mailing list:
                          https://www.redhat.com/mailman/listinfo/freeipa-users
                          Go to http://freeipa.org for more info on the project




                      --
                      Adam M. Lewis
                      alewis...@gmail.com
                      10807 Allie Place
                      Fredericksburg, VA 22408
                      540-412-8643



















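Rob's check from the thread, as an added example that is not code from the thread, FreeIPA or dogtag: read the ipaCert serial from certutil output, parse the ipara entry's description (2;<serial>;<issuer>;<subject>) and the serial inside its usercertificate, and report anything that disagrees, which is the condition behind certUserDBAuthMgr's AUTH_FAIL. The DNs, the serials 5 and 7 and the DER fragment are constructed sample values, and the DER reader only walks far enough into the certificate to reach serialNumber.

```python
import base64
import re

def parse_description(desc):
    """Split dogtag's agent 'description' value: "2;<serial>;<issuer>;<subject>"."""
    version, serial, issuer, subject = desc.split(";", 3)
    if version != "2":
        raise ValueError("unexpected description version %r" % version)
    return {"serial": int(serial), "issuer": issuer, "subject": subject}

def serial_from_certutil(output):
    """Pull the decimal serial out of 'certutil -L ... | grep Serial' output."""
    m = re.search(r"Serial Number:\s*(\d+)", output)
    return int(m.group(1))  # AttributeError here means certutil listed no serial

def _tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, length, value_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def serial_from_der(der):
    """Read serialNumber from a DER X.509 certificate using only the stdlib."""
    _, _, pos = _tlv(der, 0)  # Certificate SEQUENCE
    _, _, pos = _tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, length, val = _tlv(der, pos)
    if tag == 0xA0:  # optional [0] EXPLICIT version precedes the serial
        tag, length, val = _tlv(der, val + length)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return int.from_bytes(der[val:val + length], "big", signed=True)

def check_ra_entry(description, usercertificate_b64, certutil_output):
    """List every way the ipara LDAP entry disagrees with the live ipaCert serial."""
    ipacert = serial_from_certutil(certutil_output)
    found = {"description": parse_description(description)["serial"],
             "usercertificate": serial_from_der(base64.b64decode(usercertificate_b64))}
    return ["%s serial %d != ipaCert serial %d" % (k, v, ipacert)
            for k, v in found.items() if v != ipacert]

# Constructed sample (not from the thread): entry still holds pre-renewal serial 5, ipaCert is 7.
SAMPLE_DESCRIPTION = "2;5;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST"
SAMPLE_USERCERT = base64.b64encode(bytes.fromhex("300a3008a003020102020105")).decode()
SAMPLE_CERTUTIL = "        Serial Number: 7 (0x7)\n"

if __name__ == "__main__":
    problems = check_ra_entry(SAMPLE_DESCRIPTION, SAMPLE_USERCERT, SAMPLE_CERTUTIL)
    print("\n".join(problems) or "ipara entry matches ipaCert")
```

On a real server the three inputs come from the certutil and ldapsearch commands Rob gives above; an empty result means the entry already matches and the AUTH_FAIL has another cause, as it turned out in this thread.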


