On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
Hello guys,

I'm having some trouble; what is happening with my server is that
I'm hitting an old bug
(https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti
over IRC, he directed me to send this to the mailing list.

The problem is that I hit it on the CA master, so because of this problem the CA
master certificates couldn't be renewed. I then promoted another master
to be the CA, and the problem still persists.

These are the certs from my new CA
These are the certs from my old CA
This is the log when I restart pki-tomcat ("CA port 636 Error
netscape.ldap.LDAPException: Authentication failed (49)")
This is the log from dirsrv when I restart pki-tomcat

Basically my CA is not working anymore...

Anyway, I tried lots of things but couldn't fix this. Does anyone have an idea?


Pki-tomcat is using the LDAP server as a data store, meaning that it needs to authenticate to LDAP. In order to do that, pki-tomcat is using the certificate 'subsystemCert cert-pki-ca' stored in /etc/pki/pki-tomcat/alias. For the authentication to succeed, the certificate must be stored in a user entry (uid=pkidbuser,ou=people,o=ipaca).

Can you check the content of this entry, especially the usercertificate attribute? It should match the certificate used by pki-tomcat:

$ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a

$ kinit admin
$ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
dn: uid=pkidbuser,ou=people,o=ipaca
usercertificate:: <content should match the output above>

The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this certificate in the directive ca.subsystem.cert.

A possible cause for the entries not being updated is bug 1366915 [1], linked to SELinux on RHEL 7, or bug 1365188 [2], linked to SELinux on Fedora 24.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
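The check described in the reply above compares the same certificate as it appears in three places: the NSS database (PEM from certutil -a), the pkidbuser LDAP entry (base64 with LDIF line folding from ldapsearch) and CS.cfg (a single base64 line). The script below is an added example, not code from the thread or from FreeIPA/Dogtag: it decodes all three to DER and compares SHA-256 fingerprints, so a stale usercertificate in LDAP shows up as a mismatch. The sample inputs are constructed from placeholder bytes, not a real certificate, and the CS.cfg and LDIF layouts assumed here are the ones the reply describes (key=value for ca.subsystem.cert, "usercertificate::" for the base64 attribute).

```python
"""Compare the pki-tomcat subsystem certificate across its three locations.

Added example (not from the original thread).  The NSS database, the
uid=pkidbuser LDAP entry and CS.cfg all hold the same DER certificate in
different encodings, so decode each and compare bytes.  Sample data below is
constructed from placeholder bytes and is not a real certificate.
"""
import base64
import hashlib
import re


def der_from_pem(text):
    """certutil -L ... -a prints PEM: base64 DER between BEGIN/END markers."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_ldif(text, attr="usercertificate"):
    """ldapsearch prints binary attributes as 'attr:: <base64>'; long values
    are folded, each continuation line starting with a single space."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # undo LDIF folding
        else:
            unfolded.append(line)
    for line in unfolded:
        name, sep, value = line.partition("::")
        if sep and name.strip().lower() == attr.lower():
            return base64.b64decode(value.strip())
    raise ValueError(f"no base64 {attr} attribute in LDIF")


def der_from_cs_cfg(text, key="ca.subsystem.cert"):
    """CS.cfg stores the certificate as one line: key=<base64 DER> (assumed)."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return base64.b64decode(value.strip())
    raise ValueError(f"no {key} directive in CS.cfg")


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_subsystem_cert(pem_text, ldif_text, cs_cfg_text):
    """Return per-source SHA-256 fingerprints and whether all three agree."""
    fps = {
        "nssdb": fingerprint(der_from_pem(pem_text)),
        "ldap": fingerprint(der_from_ldif(ldif_text)),
        "cs_cfg": fingerprint(der_from_cs_cfg(cs_cfg_text)),
    }
    return {"match": len(set(fps.values())) == 1, "fingerprints": fps}


# --- constructed sample data (placeholder bytes, not a real certificate) ---
GOOD_DER = bytes(range(256)) * 2            # stands in for the current cert
STALE_DER = bytes(range(255, -1, -1)) * 2   # stands in for an old cert left in LDAP


def as_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def as_ldif(der, dn="uid=pkidbuser,ou=people,o=ipaca"):
    line = "usercertificate:: " + base64.b64encode(der).decode()
    folded = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return f"dn: {dn}\n" + "\n".join(folded) + "\n"


def as_cs_cfg(der):
    return "ca.subsystem.cert=" + base64.b64encode(der).decode() + "\n"


SAMPLE_PEM = as_pem(GOOD_DER)
SAMPLE_LDIF_OK = as_ldif(GOOD_DER)
SAMPLE_LDIF_STALE = as_ldif(STALE_DER)
SAMPLE_CS_CFG = as_cs_cfg(GOOD_DER)

if __name__ == "__main__":
    for label, ldif in (("consistent", SAMPLE_LDIF_OK),
                        ("stale LDAP entry", SAMPLE_LDIF_STALE)):
        result = check_subsystem_cert(SAMPLE_PEM, ldif, SAMPLE_CS_CFG)
        print(label, "match" if result["match"] else "MISMATCH", result["fingerprints"])
```

On a real server, pass the script the captured output of the certutil and ldapsearch commands from the reply and the ca.subsystem.cert line from /etc/pki/pki-tomcat/ca/CS.cfg; a mismatch on the "ldap" entry is the symptom the reply is pointing at (pki-tomcat presents a certificate LDAP does not have on file, hence error 49).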

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
