Yey!! It fixed the problem on the new CA Master now, I finally can see
and search for the certs. But in the replicas I can't browse for them, it
prompts me this (IPA Error 4301: CertificateOperationError). Should I run
the post-save command in all replicas?
On Thu, 22 Dec 2016 at 11:13, Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 12/22/2016 01:15 PM, Lucas Diedrich wrote:
> > Florence, for some creepy reason the cert from pkidbuser is different
> > from the subsystem certs, and this pkidbuser is outdated now, but I can't
> > find a way to re-issue it. I had to change the CA server because of
> > that, and SELinux in the old CA Server was disabled; on the new one it
> > is in Permissive mode but doesn't show a warning in /var/log/audit/audit.log.
> > This is the pkidbuser cert:
> > This is the subsystem cert:
> > The ca.subsystem.cert matches the pkidbuser cert.
> > lucasdiedrich.
> you can try to manually call the post-save command that certmonger
> should have issued after putting the certificate in
> on the renewal master:
> $ sudo /usr/libexec/ipa/certmonger/stop_pkicad
> $ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
> Then check the journal log that should display the following if
> everything goes well:
> $ sudo journalctl --since today | grep renew_ca_cert
> [...] renew_ca_cert: Updating entry
> [...] renew_ca_cert: Updating entry uid=pkidbuser,ou=people,o=ipaca
> [...] renew_ca_cert: Starting pki_tomcatd
> [...] renew_ca_cert: Started pki_tomcatd
> If the operation does not succeed, you will have to check the LDAP
> server logs in /etc/dirsrv/slapd-DOMAIN/access.
> > On Thu, 22 Dec 2016 at 06:54, Florence Blanc-Renaud
> > <f...@redhat.com> wrote:
> > On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> > > Hello guys,
> > >
> > > I'm having some trouble. What is happening with my server is that
> > > I'm hitting an old BUG
> > > (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to
> > > mbasti over IRC, he advised me to send this to the email list.
> > >
> > > The problem is, I got it on the CA Master, so because of this problem
> > > the Master certificates couldn't be renewed, so now I promoted another
> > > master to be the CA. And the problem still persists.
> > >
> > > These are the certs from my new CA
> > > (https://paste.fedoraproject.org/510617/14823448/),
> > > these are the certs from my old CA
> > > (https://paste.fedoraproject.org/510618/44871148/).
> > > This is the log when I restart pki-tomcat ("CA port 636 Error
> > > netscape.ldap.LDAPException: Authentication failed (49)").
> > > This is the log from dirsrv when I restart pki-tomcat
> > > (https://paste.fedoraproject.org/510614/23446801/).
> > >
> > > Basically my CA is not working anymore...
> > >
> > > Anyway, I tried lots of things but couldn't fix this; does anyone
> > > have any idea?
> > >
> > Hi,
> > Pki-tomcat is using the LDAP server as a data store, meaning that it
> > needs to authenticate to LDAP. In order to do that, pki-tomcat is using
> > the certificate 'subsystemCert cert-pki-ca' stored in
> > /etc/pki/pki-tomcat/alias. For the authentication to succeed, the
> > certificate must be stored in a user entry
> > (uid=pkidbuser,ou=people,o=ipaca).
> > Can you check the content of this entry, especially the
> > attribute? It should match the certificate used by pki-tomcat:
> > $ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
> > cert-pki-ca' -a
> > -----BEGIN CERTIFICATE-----
> > [...]
> > -----END CERTIFICATE-----
> > $ kinit admin
> > $ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b
> > uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
> > dn: uid=pkidbuser,ou=people,o=ipaca
> > usercertificate:: <content should match the output above>
> > The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
> > certificate in the directive ca.subsystem.cert.
> > A possible cause for the entries not being updated is the bug 1366915
> > linked to SELinux on RHEL7, or bug 1365188 linked to SELinux
> > on Fedora 24.
> > Flo
> > https://bugzilla.redhat.com/show_bug.cgi?id=1366915
> > https://bugzilla.redhat.com/show_bug.cgi?id=1365188
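Florence's check above compares one certificate kept in three places: the NSS database read with certutil, the usercertificate attribute of the pkidbuser entry read with ldapsearch, and the ca.subsystem.cert directive in CS.cfg. As an added example (not code from this thread or from FreeIPA), the script below normalizes each representation to DER and compares SHA-256 fingerprints; the command output is replaced by constructed placeholder values, and all function and constant names are mine.

```python
import base64
import hashlib
import re

# Constructed placeholder standing in for the DER bytes of the subsystem cert
# (not a real certificate); the same bytes are rendered in all three formats.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_B64 = base64.b64encode(SAMPLE_DER).decode()

# 1. certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
CERTUTIL_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
                + "\n-----END CERTIFICATE-----\n")

# 2. ldapsearch prints binary attributes with '::' (base64) and folds long
#    values; LDIF continuation lines start with a single space.
LDIF = ("dn: uid=pkidbuser,ou=people,o=ipaca\nusercertificate:: "
        + "\n ".join(_B64[i:i + 60] for i in range(0, len(_B64), 60)) + "\n")

# 3. /etc/pki/pki-tomcat/ca/CS.cfg keeps the base64 DER on one line.
CS_CFG = ("ca.subsystem.nickname=subsystemCert cert-pki-ca\n"
          "ca.subsystem.cert=" + _B64 + "\n")
# A stale copy (constructed) to show how a mismatch is reported.
STALE_CS_CFG = "ca.subsystem.cert=" + base64.b64encode(b"stale placeholder").decode() + "\n"

def der_from_pem(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def der_from_ldif(ldif: str, attr: str = "usercertificate") -> bytes:
    unfolded = ldif.replace("\n ", "")          # undo LDIF line folding
    m = re.search(rf"^{attr}(?:;binary)?:: *(\S+)$", unfolded, re.M | re.I)
    return base64.b64decode(m.group(1))

def der_from_cs_cfg(cfg: str, key: str = "ca.subsystem.cert") -> bytes:
    m = re.search(rf"^{re.escape(key)}=(\S+)$", cfg, re.M)
    return base64.b64decode(m.group(1))

def check_consistency(pem: str, ldif: str, cfg: str) -> dict:
    """SHA-256 of each copy plus a flag saying whether all three agree."""
    fps = {"nssdb": hashlib.sha256(der_from_pem(pem)).hexdigest(),
           "ldap": hashlib.sha256(der_from_ldif(ldif)).hexdigest(),
           "cs_cfg": hashlib.sha256(der_from_cs_cfg(cfg)).hexdigest()}
    fps["consistent"] = len(set(fps.values())) == 1
    return fps
```

On a real server, feed the functions the actual certutil, ldapsearch and CS.cfg text; a copy whose fingerprint differs is the one the post-save step failed to update.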
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project