Lucas Diedrich wrote:
> OK! I got it, I just executed the second script:
>
> "sudo /usr/libexec/ipa/certmonger/renew_ra_cert "subsystemCert cert-pki-ca"", and that fixed the problem. There is another script called renew_ra_cert_pre, should I run this too?

No, it should be run BEFORE renew_ra_cert, but since that has executed successfully there is no point.

rob

> Thanks.
>
> On Mon, Dec 26, 2016 at 17:26, Lucas Diedrich <lucas.diedr...@gmail.com> wrote:
>
> Florence, at first I thought the problem was fixed, but it wasn't completely.
>
> So now I'm at the CA Master, and when I try to see some certificates it prompts me this:
>
> [root@ipa2 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
>
> The same thing shows over the Web Interface. I searched a little bit and found that probably it didn't update the *ipara* user, but I can't confirm that. Any suggestions?
>
> Thanks,
>
> On Thu, Dec 22, 2016 at 11:13, Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> On 12/22/2016 01:15 PM, Lucas Diedrich wrote:
> > Florence, for some creepy reason the cert from pkidbuser is different from the subsystem certs, and this pkidbuser is outdated now, but I can't find a way to re-issue it. I had to change the CA server because of that. SELinux on the old CA server was disabled; on the new one it is in Permissive mode but doesn't show a warning in /var/log/audit/audit.log.
> >
> > This is the pkidbuser cert: https://paste.fedoraproject.org/511023/24084431/
> > This is the subsystem cert: https://paste.fedoraproject.org/511025/14824085/
> > The ca.subsystem.cert matches the pkidbuser cert.
> >
> > lucasdiedrich.
> >
>
> Hi,
>
> you can try to manually call the post-save command that certmonger should have issued after putting the certificate in /etc/pki/pki-tomcat/alias:
> on the renewal master:
> $ sudo /usr/libexec/ipa/certmonger/stop_pkicad
> $ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>
> Then check the journal log that should display the following if everything goes well:
> $ sudo journalctl --since today | grep renew_ca_cert
> [...] renew_ca_cert: Updating entry uid=CA-ipaserver.domain.com-8443,ou=people,o=ipaca
> [...] renew_ca_cert: Updating entry uid=pkidbuser,ou=people,o=ipaca
> [...] renew_ca_cert: Starting pki_tomcatd
> [...] renew_ca_cert: Started pki_tomcatd
>
> If the operation does not succeed, you will have to check the LDAP server logs in /etc/dirsrv/slapd-DOMAIN/access.
>
> HTH,
> Flo.
>
> > On Thu, Dec 22, 2016 at 06:54, Florence Blanc-Renaud <f...@redhat.com> wrote:
> >
> > On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> > > Hello guys,
> > >
> > > I'm having some trouble. What is happening with my server is that I'm hitting an old BUG (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti over irc, he advised me to send this to the email list.
> > >
> > > The problem is, I got it on the CA Master, so because of this problem the CA Master certificates couldn't be renewed, so now I promoted another master to be the CA. And the problem still persists.
> > >
> > > These are the certs from my new CA (https://paste.fedoraproject.org/510617/14823448/),
> > > these are the certs from my old CA (https://paste.fedoraproject.org/510618/44871148/)
> > > This is the log when I restart pki-tomcat ("CA port 636 Error netscape.ldap.LDAPException: Authentication failed (49)")
> > > This is the log from dirsrv when I restart pki-tomcat (https://paste.fedoraproject.org/510614/23446801/)
> > >
> > > Basically my CA is not working anymore...
> > >
> > > Anyway, I tried lots of things but couldn't fix this. Does anyone have some idea?
> > >
> >
> > Hi,
> >
> > Pki-tomcat is using the LDAP server as a data store, meaning that it needs to authenticate to LDAP. In order to do that, pki-tomcat is using the certificate 'subsystemCert cert-pki-ca' stored in /etc/pki/pki-tomcat/alias. For the authentication to succeed, the certificate must be stored in a user entry (uid=pkidbuser,ou=people,o=ipaca).
> >
> > Can you check the content of this entry, especially the usercertificate attribute? It should match the certificate used by pki-tomcat:
> >
> > $ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
> > -----BEGIN CERTIFICATE-----
> > [...]
> > -----END CERTIFICATE-----
> >
> > $ kinit admin
> > $ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
> > dn: uid=pkidbuser,ou=people,o=ipaca
> > usercertificate:: <content should match the output above>
> >
> > The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this certificate in the directive ca.subsystem.cert.
> >
> > A possible cause for the entries not being updated is the bug 1366915 [1] linked to SELinux on RHEL7, or bug 1365188 [2] linked to SELinux on Fedora 24.
> >
> > Flo
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
> >
> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
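The three-way comparison Florence asks for (the 'subsystemCert cert-pki-ca' in the pki-tomcat NSS database, the usercertificate of uid=pkidbuser,ou=people,o=ipaca, and ca.subsystem.cert in CS.cfg) is easy to get wrong by eyeballing base64, because the three sources encode the same DER differently: PEM wraps at 64 columns, ldapsearch prints a `::` base64 attribute folded across continuation lines, and CS.cfg holds one long line. The script below is an added example, not code from this thread or from FreeIPA or Dogtag: it normalizes each source back to DER bytes and compares SHA-256 fingerprints, so a stale pkidbuser entry (the mismatch that makes pki-tomcat's LDAP bind fail) shows up as a differing fingerprint. The sample DER is a constructed placeholder byte string, not a real certificate, and the function names are mine.

```python
"""Cross-check the subsystem certificate across the NSS DB, the LDAP pkidbuser
entry and CS.cfg by comparing DER fingerprints (added example, not FreeIPA code)."""
import base64
import hashlib
import re

# Constructed placeholder "DER": a deterministic byte blob, NOT a real certificate.
SAMPLE_DER = bytes(range(256)) * 3
# A second blob standing in for an outdated certificate left in LDAP.
STALE_DER = SAMPLE_DER[:-1] + b"\x00"


def der_from_pem(pem: str) -> bytes:
    """DER bytes from a PEM block such as `certutil -L ... -a` prints."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_ldif(ldif: str, attr: str = "usercertificate") -> bytes:
    """DER bytes of a base64 ('::') attribute in ldapsearch LDIF output.

    LDIF folds long values: continuation lines begin with one space and must be
    joined to the previous line before decoding (RFC 2849). Attribute options
    such as ';binary' are ignored when matching the name.
    """
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    for line in unfolded:
        name, sep, value = line.partition("::")
        if sep and name.strip().split(";")[0].lower() == attr:
            return base64.b64decode(value.strip())
    raise ValueError(f"no base64 {attr} attribute in LDIF input")


def der_from_cscfg(cscfg: str, key: str = "ca.subsystem.cert") -> bytes:
    """DER bytes from a CS.cfg directive holding a single-line base64 certificate."""
    for line in cscfg.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return base64.b64decode(value.strip())
    raise ValueError(f"no {key} directive in CS.cfg input")


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def check_subsystem_cert(pem: str, ldif: str, cscfg: str) -> dict:
    """Fingerprint all three sources; 'consistent' is True only if they agree."""
    fps = {
        "nssdb": fingerprint(der_from_pem(pem)),
        "pkidbuser": fingerprint(der_from_ldif(ldif)),
        "cs_cfg": fingerprint(der_from_cscfg(cscfg)),
    }
    consistent = len(set(fps.values())) == 1
    return {**fps, "consistent": consistent}


def make_samples(der: bytes):
    """Constructed inputs in the three on-disk/on-wire shapes for the given DER."""
    b64 = base64.b64encode(der).decode()
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    # LDIF: first physical line is 'usercertificate:: ' + data, wrapped at 76
    # columns; every continuation line starts with a single space.
    head = "usercertificate:: "
    first_chunk = 76 - len(head)
    lines = [head + b64[:first_chunk]]
    lines += [" " + b64[i:i + 75] for i in range(first_chunk, len(b64), 75)]
    ldif = "dn: uid=pkidbuser,ou=people,o=ipaca\n" + "\n".join(lines) + "\n"
    cscfg = "ca.subsystem.cert=" + b64 + "\n"
    return pem, ldif, cscfg


if __name__ == "__main__":
    pem, ldif, cscfg = make_samples(SAMPLE_DER)
    print("healthy:", check_subsystem_cert(pem, ldif, cscfg))
    _, stale_ldif, _ = make_samples(STALE_DER)
    print("stale pkidbuser:", check_subsystem_cert(pem, stale_ldif, cscfg))
```

On a real server, feed `der_from_pem` the output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a`, `der_from_ldif` the output of the ldapsearch from Florence's message, and `der_from_cscfg` the contents of /etc/pki/pki-tomcat/ca/CS.cfg; any fingerprint that differs from the nssdb one is the entry that renew_ca_cert should have updated.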