On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
Hello guys,

I'm having some trouble. What is happening with my server is that
I'm hitting an old bug
(https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti
over IRC, he directed me to send this to the mailing list.

The problem is, I got it on the CA master, so because of this problem the CA
master certificates couldn't be renewed, so now I promoted another master
to be the CA. And the problem still persists.

These are the certs from my new CA
(https://paste.fedoraproject.org/510617/14823448/),
these are the certs from my old CA
(https://paste.fedoraproject.org/510618/44871148/).
This is the log when I restart pki-tomcat ("CA port 636 Error
netscape.ldap.LDAPException: Authentication failed (49)").
This is the log from dirsrv when I restart pki-tomcat
(https://paste.fedoraproject.org/510614/23446801/).

Basically my CA is not working anymore...

Anyway, I tried lots of things but couldn't fix this. Does anyone have an idea?



Hi,

Pki-tomcat is using the LDAP server as a data store, meaning that it needs to authenticate to LDAP. In order to do that, pki-tomcat is using the certificate 'subsystemCert cert-pki-ca' stored in /etc/pki/pki-tomcat/alias. For the authentication to succeed, the certificate must be stored in a user entry (uid=pkidbuser,ou=people,o=ipaca).

Can you check the content of this entry, especially the usercertificate attribute? It should match the certificate used by pki-tomcat:

$ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

$ kinit admin
$ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
dn: uid=pkidbuser,ou=people,o=ipaca
usercertificate:: <content should match the output above>

The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this certificate in the directive ca.subsystem.cert.


A possible cause for the entries not being updated is bug 1366915 [1], linked to SELinux on RHEL 7, or bug 1365188 [2], linked to SELinux on Fedora 24.

Flo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
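The three-way comparison described above (NSS database, uid=pkidbuser entry, CS.cfg) can be scripted. The script below is an added example, not part of the thread and not FreeIPA or Dogtag code. It assumes you have already saved the output of the certutil and ldapsearch commands above to files, plus a copy of /etc/pki/pki-tomcat/ca/CS.cfg, and it relies on the fact that all three locations store the same DER certificate as base64 and differ only in line wrapping (PEM armour at 64 columns, LDIF folding at 76 columns with space-prefixed continuation lines, a single line in CS.cfg). The sample certificate data at the bottom is constructed so the check runs offline; it is not a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the three copies of the
# 'subsystemCert cert-pki-ca' certificate agree. Produce the real inputs with
#   certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a  > subsystem.pem
#   ldapsearch -Y GSSAPI -h "$(hostname)" -p 389 -LLL \
#       -b uid=pkidbuser,ou=people,o=ipaca '(objectclass=*)' usercertificate > pkidbuser.ldif
# and copy /etc/pki/pki-tomcat/ca/CS.cfg. Then: certs_match subsystem.pem pkidbuser.ldif CS.cfg

# certutil -a prints PEM: drop the armour lines and join the 64-column body.
pem_to_b64() {
    sed -e '/^-----BEGIN CERTIFICATE-----$/d' -e '/^-----END CERTIFICATE-----$/d' \
    | tr -d ' \t\r\n'
}

# ldapsearch prints 'usercertificate:: <base64>' folded at 76 columns; continuation
# lines start with one space. Unfold first, then take the value (case-insensitive,
# also accepting the 'userCertificate;binary' form some clients use).
ldif_cert_b64() {
    tr -d '\r' \
    | awk '/^ / { buf = buf substr($0, 2); next }
           { if (buf != "") print buf; buf = $0 }
           END { if (buf != "") print buf }' \
    | awk -F':: ' 'tolower($1) == "usercertificate" || tolower($1) == "usercertificate;binary" { print $2; exit }'
}

# CS.cfg keeps the base64 DER on a single line: ca.subsystem.cert=<base64>
cscfg_cert_b64() {
    tr -d '\r' | sed -n 's/^ca\.subsystem\.cert=//p' | head -n 1 | tr -d ' \t'
}

# certs_match PEM LDIF CS.cfg -> 0 if all three agree, 1 on mismatch, 2 if a copy is missing.
# On mismatch it names the copy that disagrees with the NSS database, which is the
# one pki-tomcat actually presents when binding to LDAP.
certs_match() {
    nss=$(pem_to_b64 < "$1")
    ldap=$(ldif_cert_b64 < "$2")
    cfg=$(cscfg_cert_b64 < "$3")
    if [ -z "$nss" ] || [ -z "$ldap" ] || [ -z "$cfg" ]; then
        echo "could not extract the certificate from all three sources" >&2
        return 2
    fi
    if [ "$nss" = "$ldap" ] && [ "$nss" = "$cfg" ]; then
        echo "OK: NSS db, uid=pkidbuser and CS.cfg carry the same subsystem cert"
        return 0
    fi
    echo "MISMATCH: the copies differ, so pki-tomcat's LDAP bind with this cert will fail" >&2
    [ "$nss" = "$ldap" ] || echo "  uid=pkidbuser usercertificate != NSS db" >&2
    [ "$nss" = "$cfg" ]  || echo "  CS.cfg ca.subsystem.cert != NSS db" >&2
    return 1
}

# --- constructed sample data (NOT a real certificate) so the check runs offline ---
SAMPLE_B64='MIIDXzCCAkegAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhDT05TVFJVQ1RFRC1TQU1QTEUtTk9ULVJFQUwwHhcNMTYxMjIxMDAwMDAwWhcNMTcxMjIxMDAwMDAwWjAjMSEwHwYDVQQDDBhDT05TVFJVQ1RFRC1TQU1QTEUtTk9ULVJFQUw='

pem_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$SAMPLE_B64" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}
ldif_sample() {
    printf 'dn: uid=pkidbuser,ou=people,o=ipaca\n'
    printf 'usercertificate:: %s\n' "$SAMPLE_B64" | fold -w 76 | sed '2,$s/^/ /'
}
cscfg_sample() {
    printf 'ca.subsystem.cert=%s\n' "$SAMPLE_B64"
}

tmp=$(mktemp -d)
pem_sample   > "$tmp/subsystem.pem"
ldif_sample  > "$tmp/pkidbuser.ldif"
cscfg_sample > "$tmp/CS.cfg"
certs_match "$tmp/subsystem.pem" "$tmp/pkidbuser.ldif" "$tmp/CS.cfg"
rm -rf "$tmp"
```

If your ldapsearch supports `-o ldif-wrap=no`, the unfolding step becomes unnecessary, but the script handles both forms. A mismatch only tells you which copy fell behind; it does not by itself say whether the NSS database or the LDAP entry holds the certificate that should be current, so compare validity dates with `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'` before deciding which side to correct.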

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
