On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
I'm having some trouble. What's happening with my server is that
I'm hitting an old BUG
(https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti
over IRC, he oriented me to send this to the email list.
The problem is, I got on CA Master, so because of this problem the CA
Master certificates couldn't be renewed, so now I promoted another master
to be the CA. And the problem still persists.
These are the certs from my new CA
These are the certs from my old CA
This is the log when I restart pki-tomcat ("CA port 636 Error
netscape.ldap.LDAPException: Authentication failed (49)")
This is the log from dirsrv when I restart pki-tomcat
Basically my CA is not working anymore...
Anyway, I tried lots of things but couldn't fix this; does anyone have any idea?
Pki-tomcat is using the LDAP server as a data store, meaning that it
needs to authenticate to LDAP. In order to do that, pki-tomcat is using
the certificate 'subsystemCert cert-pki-ca' stored in
/etc/pki/pki-tomcat/alias. For the authentication to succeed, the
certificate must be stored in a user entry.
Can you check the content of this entry, especially the usercertificate
attribute? It should match the certificate used by pki-tomcat:
$ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
$ kinit admin
$ ldapsearch -Y GSSAPI -h `hostname` -p 389 \
    -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
usercertificate:: <content should match the output above>
The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
certificate in the directive ca.subsystem.cert.
A possible cause for the entries not being updated is bug 1366915,
linked to SELinux on RHEL 7, or bug 1365188, linked to SELinux
on Fedora 24.
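One way to automate the comparison the reply describes (the NSS database, the uid=pkidbuser LDAP entry and the ca.subsystem.cert directive in CS.cfg must all hold the same subsystem certificate), written here as an added example that is not part of the thread. It assumes the certutil, ldapsearch and CS.cfg outputs have been captured as text, and the certificate values in the sample data are constructed placeholders, not real certificates.

```shell
# Added example (not from the thread): compare the three copies of
# 'subsystemCert cert-pki-ca' that must agree: the NSS db (certutil -a, PEM),
# the LDAP entry uid=pkidbuser,ou=people,o=ipaca (ldapsearch LDIF, '::' base64)
# and ca.subsystem.cert in /etc/pki/pki-tomcat/ca/CS.cfg. Inputs are passed as
# captured text; the sample values below are constructed, not real certificates.

# Strip PEM armour and line breaks, leaving one base64 DER string.
pem_to_b64() {
  sed -e '/^-----BEGIN/d' -e '/^-----END/d' | tr -d '\n\r '
}

# Extract a base64 ('::') attribute from LDIF on stdin, joining folded
# continuation lines (LDIF folds long values onto lines starting with a space).
ldif_attr_b64() {  # $1 = attribute name, e.g. usercertificate
  awk -v attr="$1" '
    found && /^ / { sub(/^ /, ""); val = val $0; next }
    found { exit }
    tolower($0) ~ ("^" tolower(attr) ":: ") { found = 1; val = substr($0, length(attr) + 4) }
    END { print val }'
}

# Read one directive value from CS.cfg on stdin.
cscfg_value() {  # $1 = directive name, e.g. ca.subsystem.cert
  sed -n "s/^$1=//p" | tr -d '\r'
}

# $1 = certutil PEM output, $2 = ldapsearch LDIF, $3 = CS.cfg contents.
# Returns 0 when all three carry the same certificate, 1 otherwise.
check_subsystem_cert() {
  nss=$(printf '%s\n' "$1" | pem_to_b64)
  ldap=$(printf '%s\n' "$2" | ldif_attr_b64 usercertificate)
  cfg=$(printf '%s\n' "$3" | cscfg_value ca.subsystem.cert)
  [ -n "$nss" ] && [ "$nss" = "$ldap" ] && [ "$nss" = "$cfg" ]
}

# Constructed sample data: NSS db and LDAP agree, the stale CS.cfg does not.
SAMPLE_B64='MIIBCONSTRUCTEDsampleNotARealCertificateAAAA'
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDsampleNot
ARealCertificateAAAA
-----END CERTIFICATE-----'
SAMPLE_LDIF='dn: uid=pkidbuser,ou=people,o=ipaca
usercertificate:: MIIBCONSTRUCTEDsampleNot
 ARealCertificateAAAA'
SAMPLE_CSCFG_OK="ca.subsystem.cert=$SAMPLE_B64"
SAMPLE_CSCFG_STALE='ca.subsystem.cert=MIIBSTALEpreviousCertificateBBBB'

check_subsystem_cert "$SAMPLE_PEM" "$SAMPLE_LDIF" "$SAMPLE_CSCFG_OK" && echo "ok: all three copies match"
check_subsystem_cert "$SAMPLE_PEM" "$SAMPLE_LDIF" "$SAMPLE_CSCFG_STALE" || echo "mismatch: CS.cfg ca.subsystem.cert differs from NSS db / LDAP"
```

On a real server, feed it the output of the certutil and ldapsearch commands above and the contents of /etc/pki/pki-tomcat/ca/CS.cfg; a mismatch on the LDAP copy is consistent with the "Authentication failed (49)" error pki-tomcat logs.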