Lucas Diedrich wrote:
> OK!, i got it, i just executed the second script:
> 
> "sudo /usr/libexec/ipa/certmonger/renew_ra_cert "subsystemCert
> cert-pki-ca"", and fixed that problem, there another script called
> renew_ra_cert_pre, should i run this too?

No, it should be run BEFORE renew_ra_cert, but since that has executed
successfully there is no point.

rob

> 
> Thanks.
> 
> Em seg, 26 de dez de 2016 às 17:26, Lucas Diedrich
> <lucas.diedr...@gmail.com <mailto:lucas.diedr...@gmail.com>> escreveu:
> 
>     Florence, at first i thought the problem was fixed, but it wasn't
>     complety.
> 
>     So now, i'm at the CA Master, and when i try to see some
>     certificates it prompts me this "[root@ipa2 ~]# ipa cert-show 1
>     ipa: ERROR: Certificate operation cannot be completed: EXCEPTION
>     (Invalid Credential.)
>     "
>     The same thing show over the Web Interface, i searched a little bit
>     and found that probably it didn't updated the *ipara* user, but
>     can't confirm that, any sugestions?
> 
>     Thanks,
> 
>     Em qui, 22 de dez de 2016 às 11:13, Florence Blanc-Renaud
>     <f...@redhat.com <mailto:f...@redhat.com>> escreveu:
> 
>         On 12/22/2016 01:15 PM, Lucas Diedrich wrote:
>         > Florence, for some creepy reason the cert from pkidbuser is
>         different
>         > from subsystem certs, and this pkidbuser is outdated now, but
>         i can't
>         > manage one way to re-issue it. I had to change the CA server
>         because of
>         > that, and the Selinux in the old CA Server was disabled, on
>         the new one
>         > is in Permissive mode but doesn't a warning in
>         /var/log/audit/audit.log.
>         >
>         > This is the pkidbuser cert:
>         https://paste.fedoraproject.org/511023/24084431/
>         > This is the subsystem cert:
>         https://paste.fedoraproject.org/511025/14824085/
>         > The ca.subsystem.cert matches the pkidbuser cert.
>         >
>         > lucasdiedrich.
>         >
>         Hi,
> 
>         you can try to manually call the post-save command that certmonger
>         should have issued after putting the certificate in
>         /etc/pki/pki-tomcat/alias:
>         on the renewal master:
>         $ sudo /usr/libexec/ipa/certmonger/stop_pkicad
>         $ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
>         cert-pki-ca"
> 
>         Then check the journal log that should display the following if
>         everything goes well:
>         $ sudo journalctl --since today | grep renew_ca_cert
>         [...] renew_ca_cert[6478]: Updating entry
>         uid=CA-ipaserver.domain.com-8443,ou=people,o=ipaca
>         [...] renew_ca_cert[6478]: Updating entry
>         uid=pkidbuser,ou=people,o=ipaca
>         [...] renew_ca_cert[6478]: Starting pki_tomcatd
>         [...] renew_ca_cert[6478]: Started pki_tomcatd
> 
>         If the operation does not succeed, you will have to check the LDAP
>         server logs in /etc/dirsrv/slapd-DOMAIN/access.
> 
>         HTH,
>         Flo.
> 
>         > Em qui, 22 de dez de 2016 às 06:54, Florence Blanc-Renaud
>         > <f...@redhat.com <mailto:f...@redhat.com> <mailto:f...@redhat.com
>         <mailto:f...@redhat.com>>> escreveu:
>         >
>         >     On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
>         >     > Hello guys,
>         >     >
>         >     > I'm having some trouble with, whats is happening with my
>         server is
>         >     that
>         >     > i'm hiting an old BUG
>         >     > (https://bugzilla.redhat.com/show_bug.cgi?id=1033273).
>         Talking to
>         >     mbasti
>         >     > over irc he oriented me to send this to the email list.
>         >     >
>         >     > The problem is, i got on CA Master, so because of this
>         problem the CA
>         >     > Master certificates couldn't be renewd, so now i
>         promoted another
>         >     master
>         >     > to be the CA. And the problem still persist.
>         >     >
>         >     > This is the certs from my new CA
>         >     > (https://paste.fedoraproject.org/510617/14823448/),
>         >     > this is the certs from my old CA
>         >     > (https://paste.fedoraproject.org/510618/44871148/)
>         >     > This is the log then i restart pki-tomcat( "CA port 636
>         Error
>         >     > netscape.ldap.LDAPException: Authentication failed (49)")
>         >     > This is the log from dirsrv when i restart pki-tomcat
>         >     > (https://paste.fedoraproject.org/510614/23446801/)
>         >     >
>         >     > Basically my CA is not working anymore...
>         >     >
>         >     > Anyway, i tried lots of thing but couldn't fix this,
>         anyone has
>         >     some idea?
>         >     >
>         >     >
>         >     >
>         >     Hi,
>         >
>         >     Pki-tomcat is using the LDAP server as a data store,
>         meaning that it
>         >     needs to authenticate to LDAP. In order to do that,
>         pki-tomcat is using
>         >     the certificate 'subsystemCert cert-pki-ca' stored in
>         >     /etc/pki/pki-tomcat/alias. For the authentication to
>         succeed, the
>         >     certificate must be stored in a user entry
>         >     (uid=pkidbuser,ou=people,o=ipaca).
>         >
>         >     Can you check the content of this entry, especially the
>         usercertificate
>         >     attribute? It should match the certificate used by pki-tomcat:
>         >
>         >     $ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
>         >     cert-pki-ca' -a
>         >     -----BEGIN CERTIFICATE-----
>         >     [...]
>         >     -----END CERTIFICATE-----
>         >
>         >     $ kinit admin
>         >     $ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b
>         >     uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)"
>         usercertificate
>         >     dn: uid=pkidbuser,ou=people,o=ipaca
>         >     usercertificate:: <content should match the output above>
>         >
>         >     The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain
>         this
>         >     certificate in the directive ca.subsystem.cert.
>         >
>         >
>         >     A possible cause for the entries not being updated is the
>         bug 1366915
>         >     [1] linked to SE linux on RHEL7, or bug 1365188 [2] linked
>         to SE linux
>         >     on Fedora 24.
>         >
>         >     Flo
>         >
>         >     [1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
>         >     [2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
>         >
>         >
>         >
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to