Florence, for some creepy reason the cert from pkidbuser is different from the subsystem certs, and this pkidbuser cert is outdated now, but I can't find a way to re-issue it. I had to change the CA server because of that; SELinux on the old CA server was disabled, on the new one it is in Permissive mode, but there is no warning in /var/log/audit/audit.log.
This is the pkidbuser cert: https://paste.fedoraproject.org/511023/24084431/
This is the subsystem cert: https://paste.fedoraproject.org/511025/14824085/

The ca.subsystem.cert matches the pkidbuser cert.

lucasdiedrich.

On Thu, 22 Dec 2016 at 06:54, Florence Blanc-Renaud <[email protected]> wrote:

> On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> > Hello guys,
> >
> > I'm having some trouble with, what is happening with my server is that
> > I'm hitting an old BUG
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti
> > over irc he oriented me to send this to the email list.
> >
> > The problem is, I got on CA Master, so because of this problem the CA
> > Master certificates couldn't be renewed, so now I promoted another master
> > to be the CA. And the problem still persists.
> >
> > These are the certs from my new CA
> > (https://paste.fedoraproject.org/510617/14823448/),
> > these are the certs from my old CA
> > (https://paste.fedoraproject.org/510618/44871148/)
> > This is the log when I restart pki-tomcat ("CA port 636 Error
> > netscape.ldap.LDAPException: Authentication failed (49)")
> > This is the log from dirsrv when I restart pki-tomcat
> > (https://paste.fedoraproject.org/510614/23446801/)
> >
> > Basically my CA is not working anymore...
> >
> > Anyway, I tried lots of things but couldn't fix this, does anyone have some idea?
> >
> >
> Hi,
>
> Pki-tomcat is using the LDAP server as a data store, meaning that it
> needs to authenticate to LDAP. In order to do that, pki-tomcat is using
> the certificate 'subsystemCert cert-pki-ca' stored in
> /etc/pki/pki-tomcat/alias. For the authentication to succeed, the
> certificate must be stored in a user entry
> (uid=pkidbuser,ou=people,o=ipaca).
>
> Can you check the content of this entry, especially the usercertificate
> attribute? It should match the certificate used by pki-tomcat:
>
> $ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
> dn: uid=pkidbuser,ou=people,o=ipaca
> usercertificate:: <content should match the output above>
>
> The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
> certificate in the directive ca.subsystem.cert.
>
> A possible cause for the entries not being updated is the bug 1366915
> [1] linked to SELinux on RHEL7, or bug 1365188 [2] linked to SELinux
> on Fedora 24.
>
> Flo
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
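The three-way comparison Florence describes (the NSS database read with certutil, the pkidbuser entry read with ldapsearch, and ca.subsystem.cert in CS.cfg), written out as an added example that is not part of this thread: it parses each command's output format, including LDIF line folding, and compares SHA-256 fingerprints of the DER. The command outputs are constructed stand-ins built from a dummy byte blob rather than a real certificate, and the ca.subsystem.certnickname line in the constructed CS.cfg is assumed to sit next to the real directive.

```python
import base64
import hashlib
import re

# Constructed stand-in for DER certificate bytes (not a real certificate);
# the functions only compare bytes, so any blob exercises the parsing logic.
SAMPLE_DER = bytes(range(256)) * 2

def der_from_pem(pem_text):
    """DER from `certutil -L -d /etc/pki/pki-tomcat/alias -n <nick> -a` output."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_from_ldif(ldif_text, attr="usercertificate"):
    """DER from the base64 (`::`) attribute in ldapsearch LDIF output."""
    # LDIF folds long values; a continuation line starts with one space.
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        name, sep, value = line.partition("::")
        if sep and name.strip().lower() == attr:
            return base64.b64decode(value.strip())
    raise ValueError(f"{attr} not present in LDIF")

def der_from_cs_cfg(cfg_text, key="ca.subsystem.cert"):
    """DER from the CS.cfg directive holding the certificate as one base64 line."""
    for line in cfg_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return base64.b64decode(value.strip())
    raise KeyError(key)

def compare_subsystem_cert(pem_text, ldif_text, cfg_text):
    """SHA-256 fingerprint of each copy, plus whether all three agree."""
    fps = {"nssdb": hashlib.sha256(der_from_pem(pem_text)).hexdigest(),
           "ldap": hashlib.sha256(der_from_ldif(ldif_text)).hexdigest(),
           "cs_cfg": hashlib.sha256(der_from_cs_cfg(cfg_text)).hexdigest()}
    fps["all_match"] = len({fps["nssdb"], fps["ldap"], fps["cs_cfg"]}) == 1
    return fps

def constructed_inputs(ldap_der=SAMPLE_DER):
    """Constructed sample output of the three commands; the LDAP copy is ldap_der."""
    b64, lb64 = (base64.b64encode(d).decode() for d in (SAMPLE_DER, ldap_der))
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in
           range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n")
    ldif = ("dn: uid=pkidbuser,ou=people,o=ipaca\nusercertificate:: " + lb64[:58] +
            "".join("\n " + lb64[i:i + 76] for i in range(58, len(lb64), 76)) + "\n")
    cfg = "ca.subsystem.certnickname=subsystemCert cert-pki-ca\nca.subsystem.cert=" + b64 + "\n"
    return pem, ldif, cfg
```

Passing `constructed_inputs()` a different blob for the LDAP copy reproduces the stale-pkidbuser situation from this thread: the NSS and CS.cfg fingerprints agree while the LDAP one does not, and `all_match` is False.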
