Adam Lewis wrote:
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.

getcert list shows :
ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error

And the debug log shows:
SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.

I'd look at the lines above that for clues, and check the 389-ds access log. I assume it is finding an entry for uid=ipara, right?

The way the auth works as I understand it is dogtag first compares the serial number, issuer and subject of the provided certificate with the description attribute in the entry it finds in LDAP. Then it compares the full certificate. If things match up then you are authenticated. It then does some authorization work.

For reference, mine looks like:

dn: uid=ipara,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipara
sn: ipara
cn: ipara
usertype: agentType
userstate: 1
userCertificate:: MIIDbTCCAlWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtH
 [snip]
 o0i1CCw1v++2tgvHiiZEEeeuOEMGEdXZfv4Xw=
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM

Those appear to be the most significant messages. I'm disconnected so
getting the full log info is difficult. If it's the only way let me know
and I'll see what I can do. Worst case it'll just take me a while to
re-type it.

Understood.

Thanks
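
Rob's description of the agent authentication (the serial, issuer and subject in the description attribute are compared first, then the full certificate) and the certutil/ldapsearch checks he walks through can be scripted. The following is an added example, not code from the thread or from FreeIPA/dogtag: it runs on constructed sample data in the shape of an ldapsearch LDIF entry and certutil -L output, and the function names (parse_ldif_entry, parse_certutil, pem_to_der, check_agent_entry) are my own.

```python
import base64, re

# Constructed sample data (not from the thread): a fake blob standing in for the DER
# ipaCert, the ipara LDIF entry that should match it, and lines of certutil -L output.
CERT_DER = b"constructed placeholder for the DER-encoded ipaCert, not a real cert"
CERT_B64 = base64.b64encode(CERT_DER).decode()
LDIF = ("dn: uid=ipara,ou=people,o=ipaca\nuid: ipara\n"
        f"userCertificate:: {CERT_B64[:40]}\n {CERT_B64[40:]}\n"  # LDIF-folded value
        "description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM\n")
CERTUTIL = ('        Serial Number: 7 (0x7)\n'
            '        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"\n'
            '        Subject: "CN=IPA RA,O=EXAMPLE.COM"\n')
PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"

def parse_ldif_entry(text):
    """Unfold LDIF (continuation lines start with a space) and decode '::' base64 values."""
    attrs, b64, last = {}, set(), None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.lower()
        if value.startswith(":"):  # "attr:: value" marks a base64-encoded value
            b64.add(last)
        attrs[last] = value.lstrip(": ")
    return {k: base64.b64decode(v) if k in b64 else v for k, v in attrs.items()}

def parse_certutil(text):
    """Serial (decimal, as certutil prints dogtag's small serials), issuer DN, subject DN."""
    def grab(pat): return re.search(pat, text).group(1)
    return int(grab(r"Serial Number:\s*(\d+)")), grab(r'Issuer:\s*"([^"]*)"'), grab(r'Subject:\s*"([^"]*)"')

def pem_to_der(pem):
    """Strip the BEGIN/END armor; the LDAP userCertificate holds the bare DER."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def check_agent_entry(entry, serial, issuer, subject, der):
    """Compare in the order certUserDBAuthMgr does (description fields, then the whole
    cert) and return the mismatches; an empty list means the entry should authenticate."""
    fields = entry.get("description", "").split(";")
    if len(fields) != 4 or fields[0] != "2":
        return ["description is not of the form 2;<serial>;<issuer>;<subject>"]
    problems = [f"{label}: description has {got!r}, ipaCert has {want!r}"
                for label, want, got in (("serial", str(serial), fields[1]),
                                         ("issuer", issuer, fields[2]),
                                         ("subject", subject, fields[3])) if want != got]
    if entry.get("usercertificate") != der:
        problems.append("userCertificate does not match the ipaCert DER")
    return problems
```

Fed the real `ldapsearch` output and the `certutil -L -a` PEM of the current ipaCert, the returned list names which of the compared fields is stale, so you know what the entry update has to fix before resubmitting.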


On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Adam Lewis wrote:

        Yup, it's just the text string. I don't know how much this matters but
        when I ran the start-tracking for the ipaCert it didn't generate a new
        certificate. I'm still working off of serial number 7, which is what
        it's been since we installed IPA. Is there some way/reason for me to
        generate a whole new ipaCert?


    certmonger will take care of that when renewal happens.

    Did you go back in time to when this cert was valid?

    rob


        Thanks

        On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

             Adam Lewis wrote:

                 If you mean the usercertificate value from the ldapsearch command, then
                 yes. That value matches the value from the certutil output.


             The usercertificate in LDAP had the BEGIN/END stripped, right?

             I'll cc a couple of the dogtag developers to see what they think.

             rob


                 Thanks

                 On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

                      Adam Lewis wrote:

                          A quick update. We did some digging on the segfault problem and
                          I think it was due to having to update the trusts on the CA cert.
                          So we updated the certmonger package and certmonger now starts
                          again. However we're kind of back to square one where we are
                          still getting the AUTH_FAIL messages in the debug log.
                          I have verified that the ipara entry's serial number and cert
                          match the serial number and cert from the one in /etc/httpd/alias.


                      How about the certificate PEM? Does it match the usercertificate in
                      the dogtag LDAP server?

                      rob


                          Any other ideas?

                          Thanks!

                          On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <alewis...@gmail.com> wrote:

                               Rob,
                               Thanks for pointing me in the right direction. However after
                               following the instructions in the above mentioned doc I noticed a
                               few things that are odd and have a new problem. The first odd thing
                               I noticed is that when I run service pki-cad status it shows that my
                               PKI Subsystem Type is "CA Clone (Security Domain)". Shouldn't that
                               say something like "CA Master"? Second, when I ran the "ipa-getcert
                               resubmit -I [ID]" commands they all produced the same AUTH_FAIL
                               message in the debug log.

                               Now the new problem...after pressing on and restarting things
                               certmonger fails to start with a segfault.
                               Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault      /usr/sbin/certmonger -S -p /var/run certmonger.pid

                               Thanks!

                               On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

                                   Lewis, Adam M CIV NSWCDD, H11 wrote:

                                       We are currently dead in the water. Our OCSP, CA Audit, CA
                                       Subsystem, and IPA RA certs expired as of 7/23/16. I found
                                       and followed the instructions to the letter
                                       (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
                                       however the CA Subsystem and IPA RA certs will not renew.
                                       I've backdated the server to make sure the system was within
                                       the renewal window, but that has not helped.


                                   Those are the wrong instructions.

                                   You want this instead,
                                   https://access.redhat.com/solutions/643753

                                   A bunch of it is for 2.2 but it isn't exactly noted which parts.
                                   A general rule is that you don't/shouldn't need to directly
                                   tweak the dogtag configuration or do any of the start-tracking
                                   work (though you may want to verify what, if anything, you
                                   changed from that wrong doc).

                                       When I run getcert list it reports:
                                       Ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
                                       for both the IPA RA and CA Subsystem certs

                                       The debug log shows:
                                       SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
                                       ReviewReqServlet: Invalid Credential.


                                   The place to start is to get the serial # of the ipaCert:

                                   # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

                                   Now get the user from the dogtag LDAP server:

                                   # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

                                   The format is 2;<serial number>;<issuer subject>;<subject>

                                   See if the serial # matches ipaCert. I'm guessing it won't.
                                   Follow the instructions on the page I cited to update the entry
                                   with the current certificate and serial # values. That should
                                   get you going.

                                   rob



                                       We are kind of in deep doo-doo until this gets resolved.

                                       We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

                                       Any thoughts?

                                       Thanks!

                                       Adam M. Lewis




                                   --
                                   Manage your subscription for the Freeipa-users mailing list:
                                   https://www.redhat.com/mailman/listinfo/freeipa-users
                                   Go to http://freeipa.org for more info on the project




                               --
                               Adam M. Lewis
                               alewis...@gmail.com
                               10807 Allie Place
                               Fredericksburg, VA 22408
                               540-412-8643

--
Adam M. Lewis
alewis...@gmail.com <mailto:alewis...@gmail.com>
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
