On 12/22/2016 01:15 PM, Lucas Diedrich wrote:
Florence, for some creepy reason the cert from pkidbuser is different
from the subsystem certs, and this pkidbuser cert is outdated now, but I can't
manage to re-issue it. I had to change the CA server because of
that, and SELinux on the old CA server was disabled; on the new one
it is in permissive mode but doesn't show a warning in /var/log/audit/audit.log.
This is the pkidbuser cert: https://paste.fedoraproject.org/511023/24084431/
This is the subsystem cert: https://paste.fedoraproject.org/511025/14824085/
The ca.subsystem.cert matches the pkidbuser cert.
You can try to manually call the post-save command that certmonger
should have issued after putting the certificate in,
on the renewal master:
$ sudo /usr/libexec/ipa/certmonger/stop_pkicad
$ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
Then check the journal log that should display the following if
everything goes well:
$ sudo journalctl --since today | grep renew_ca_cert
[...] renew_ca_cert: Updating entry
[...] renew_ca_cert: Updating entry uid=pkidbuser,ou=people,o=ipaca
[...] renew_ca_cert: Starting pki_tomcatd
[...] renew_ca_cert: Started pki_tomcatd
If the operation does not succeed, you will have to check the LDAP
server logs in /etc/dirsrv/slapd-DOMAIN/access.
On Thu, 22 Dec 2016 at 06:54, Florence Blanc-Renaud
<f...@redhat.com> wrote:
On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> Hello guys,
> I'm having some trouble; what is happening with my server is that
> I'm hitting an old BUG
> (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking
> over IRC, he advised me to send this to the email list.
> The problem is, I got it on the CA Master, so because of this problem the CA
> Master certificates couldn't be renewed, so now I promoted another
> to be the CA. And the problem still persists.
> These are the certs from my new CA
> These are the certs from my old CA
> This is the log when I restart pki-tomcat ("CA port 636 Error
> netscape.ldap.LDAPException: Authentication failed (49)")
> This is the log from dirsrv when I restart pki-tomcat
> Basically my CA is not working anymore...
> Anyway, I tried lots of things but couldn't fix this, anyone has
Pki-tomcat is using the LDAP server as a data store, meaning that it
needs to authenticate to LDAP. In order to do that, pki-tomcat uses
the certificate 'subsystemCert cert-pki-ca' stored in
/etc/pki/pki-tomcat/alias. For the authentication to succeed, the
certificate must be stored in a user entry.
Can you check the content of this entry, especially the usercertificate
attribute? It should match the certificate used by pki-tomcat:
$ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
$ kinit admin
$ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
usercertificate:: <content should match the output above>
The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
certificate in the directive ca.subsystem.cert.
A possible cause for the entries not being updated is bug 1366915,
linked to SELinux on RHEL 7, or bug 1365188, linked to SELinux
on Fedora 24.
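The three-way consistency check described above (NSS database, pkidbuser LDAP entry, CS.cfg directive), scripted as an added example that is not from the thread or from the FreeIPA project. The sample certificate bytes are constructed, not real certificates; running main() on the CA assumes root and a Kerberos ticket from kinit admin.

```python
import base64
import re
import socket
import subprocess

def cert_from_pem(pem: str) -> bytes:
    """DER bytes from 'certutil -L -a' output: drop the BEGIN/END lines and join the rest."""
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))

def cert_from_ldif(ldif: str, attr: str = "usercertificate") -> bytes:
    """DER bytes from ldapsearch LDIF: '::' marks a base64 value, folded lines start with one space."""
    unfolded = re.sub(r"\r?\n ", "", ldif)
    m = re.search(rf"^{re.escape(attr)}(?:;binary)?:: *(\S+)", unfolded, re.IGNORECASE | re.MULTILINE)
    if not m:
        raise ValueError(f"no base64 {attr} attribute in LDIF output")
    return base64.b64decode(m.group(1))

def cert_from_cscfg(cscfg: str, key: str = "ca.subsystem.cert") -> bytes:
    """DER bytes from the CS.cfg directive 'key=<base64 on one line>'."""
    for line in cscfg.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return base64.b64decode(value.strip())
    raise ValueError(f"{key} not found in CS.cfg")

def stale_copies(pem: str, ldif: str, cscfg: str) -> list[str]:
    """Copies that differ from the NSS database certificate; an empty list means all three agree."""
    nss = cert_from_pem(pem)
    others = {"ldap:uid=pkidbuser": cert_from_ldif(ldif), "CS.cfg:ca.subsystem.cert": cert_from_cscfg(cscfg)}
    return [name for name, der in others.items() if der != nss]

# Constructed sample data (not real certificates): the same 40 bytes in the three formats, plus a never-updated CS.cfg.
_B64 = base64.b64encode(bytes(range(40))).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64[:20]}\n{_B64[20:]}\n-----END CERTIFICATE-----\n"
SAMPLE_LDIF = f"dn: uid=pkidbuser,ou=people,o=ipaca\nusercertificate:: {_B64[:30]}\n {_B64[30:]}\n"
SAMPLE_CSCFG = f"ca.subsystem.cert={_B64}\n"
STALE_CSCFG = f"ca.subsystem.cert={base64.b64encode(bytes(40)).decode()}\n"

def main() -> None:
    """Run the thread's commands on the CA itself (assumes root and a ticket from 'kinit admin')."""
    def run(*cmd: str) -> str:
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    pem = run("certutil", "-L", "-a", "-d", "/etc/pki/pki-tomcat/alias", "-n", "subsystemCert cert-pki-ca")
    ldif = run("ldapsearch", "-Y", "GSSAPI", "-h", socket.gethostname(), "-p", "389",
               "-b", "uid=pkidbuser,ou=people,o=ipaca", "(objectclass=*)", "usercertificate")
    cscfg = open("/etc/pki/pki-tomcat/ca/CS.cfg").read()
    bad = stale_copies(pem, ldif, cscfg)
    print("all three copies agree" if not bad else "stale copy in: " + ", ".join(bad))
if __name__ == "__main__":
    main()
```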