Hi Fraser,

The cluster was migrated from FreeIPA 3 (CentOS 6) to FreeIPA 4 (CentOS 7) a year ago.

- Output of 'ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca':

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

- Output providing the GSSAPI mechanism:

$ ldapsearch -Y GSSAPI -s sub -b ou=authorities,ou=ca,o=ipaca
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/localh...@example.com not found in Kerberos database)

- Output providing user credentials:

$ ldapsearch -D "uid=user1,cn=users,cn=accounts,dc=example,dc=com" -W -H ldaps://`hostname` -s sub -b ou=authorities,ou=ca,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=authorities,ou=ca,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Thanks for your help!
Guillermo

On Thu, Feb 9, 2017 at 5:06 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Thu, Feb 09, 2017 at 09:29:14AM -0500, Guillermo Fuentes wrote:
>> Hi list,
>>
>> I'm trying to sign a service certificate but it's failing with "CA not
>> found".
>> The CA does exist but for some reason the ipa cert-request can't find it:
>> $ ipa ca-show ipa
>>   Name: ipa
>>   Description: IPA CA
>>   Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>>   Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
>>   Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> This was working in previous versions of freeipa but in our current
>> environment it isn't working:
>> Cluster of four FreeIPA servers
>> CentOS Linux release 7.3.1611 (Core)
>> ipa-client-common-4.4.0-14.el7.centos.4.noarch
>> ipa-client-4.4.0-14.el7.centos.4.x86_64
>> ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
>> ipa-server-trust-ad-4.4.0-14.el7.centos.4.x86_64
>> ipa-server-4.4.0-14.el7.centos.4.x86_64
>> ipa-admintools-4.4.0-14.el7.centos.4.noarch
>> ipa-server-common-4.4.0-14.el7.centos.4.noarch
>> ipa-common-4.4.0-14.el7.centos.4.noarch
>> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
>> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
>> 389-ds-base-1.3.5.10-15.el7_3.x86_64
>> 389-ds-base-libs-1.3.5.10-15.el7_3.x86_64
>> 389-ds-base-snmp-1.3.5.10-15.el7_3.x86_64
>> 389-ds-base-debuginfo-1.3.4.0-30.el7_2.x86_64
>> pki-base-java-10.3.3-16.el7_3.noarch
>> pki-base-10.3.3-16.el7_3.noarch
>> pki-server-10.3.3-16.el7_3.noarch
>> pki-ca-10.3.3-16.el7_3.noarch
>> pki-symkey-10.3.3-16.el7_3.x86_64
>> pki-kra-10.3.3-16.el7_3.noarch
>> pki-tools-10.3.3-16.el7_3.x86_64
>> krb5-libs-1.14.1-27.el7_3.x86_64
>> python-krbV-1.0.90-8.el7.x86_64
>> pam_krb5-2.4.8-6.el7.x86_64
>> krb5-workstation-1.14.1-27.el7_3.x86_64
>> krb5-pkinit-1.14.1-27.el7_3.x86_64
>> sssd-krb5-common-1.14.0-43.el7_3.11.x86_64
>> krb5-server-1.14.1-27.el7_3.x86_64
>> sssd-krb5-1.14.0-43.el7_3.11.x86_64
>>
>> ***********
>> This is the error (same result in all four servers):
>> $ ipa cert-request --principal=HTTP/host1.example.com host1.example.com.csr
>> ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not
>> found: 0cb513ea-6084-4144-a61c-7a0a8368d25c)
>>
>> ***********
>> From /var/log/pki/pki-tomcat/ca/debug:
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:service() uri = /ca/eeca/ca/profileSubmitSSLClient
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet::service() param name='xml' value='true'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet::service() param name='authorityId' value='0cb513ea-6084-4144-a61c-7a0a8368d25c'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet::service() param name='cert_request' value='(sensitive)'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet: caProfileSubmitSSLClient start to service.
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: xmlOutput true
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: ProfileSubmitServlet: isRenewal false
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: ProfileSubmitServlet: profile: caIPAserviceCert
>> CA not found: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:239)
>>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
>>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>         at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>         at sun.reflect.GeneratedMethodAccessor71.invoke(Unknown Source)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
>>         at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>         at java.lang.Thread.run(Thread.java:745)
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: ProfileSubmitServlet: error in processing request: CA not found: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>> [07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet: curDate=Tue Feb 07 23:45:49 EST 2017 id=caProfileSubmitSSLClient time=8
>> ***************
>>
>> Any idea why this is happening?
>> It's using the caIPAserviceCert certificate profile which should be
>> fine. I also checked and "played" with the
>> hosts_services_caIPAserviceCert CA ACL with the same results.
>>
>> Thanks in advance!
>>
>> Guillermo
>>
> Was the server upgraded/migrated from an older release, or a new
> installation?
>
> Could you please `ldapsearch -s sub -b ou=authorities,ou=ca,o=ipaca'
> and provide output?
>
> Thanks,
> Fraser

-- 
GUILLERMO FUENTES
SENIOR SYSTEMS ADMINISTRATOR
T: 561-880-2998 x1337
E: guillermo.fuen...@modmed.com
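An added check, not code from the thread: it parses the LDIF that `ldapsearch` prints for ou=authorities,ou=ca,o=ipaca and tests whether the Authority ID shown by `ipa ca-show` has a matching entry, which is what Dogtag needs in order to honour the `authorityId` that `ipa cert-request` sends; an empty container like the one above is consistent with the "CA not found" answer. The healthy sample and its attribute names (authorityID, authorityDN, authorityEnabled) are assumptions based on Dogtag's lightweight-CA schema, not output from the original post.

```python
# Constructed sample: the empty result posted in the thread (no entries at all).
LDIF_EMPTY = """\
# extended LDIF
# base <ou=authorities,ou=ca,o=ipaca> with scope subtree
# filter: (objectclass=*)

# search result
search: 2
result: 0 Success
"""

# Constructed sample of a healthy container. Attribute names are assumed from
# Dogtag's lightweight-CA schema; they are not output from the original post.
LDIF_HEALTHY = """\
dn: cn=0cb513ea-6084-4144-a61c-7a0a8368d25c,ou=authorities,ou=ca,o=ipaca
objectClass: authority
cn: 0cb513ea-6084-4144-a61c-7a0a8368d25c
authorityID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
authorityEnabled: TRUE

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """One {attr: [values]} dict per LDIF entry; comments are skipped and only
    records with a dn are kept, so the trailing search:/result: block is dropped."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:      # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def find_authority(ldif_text, authority_id):
    """Entry whose authorityID equals the ID printed by 'ipa ca-show', or None
    when Dogtag has no LDAP record for it (the state behind 'CA not found')."""
    for entry in parse_ldif(ldif_text):
        if authority_id in entry.get("authorityid", []):
            return entry
    return None
```

Feed it the output of the credentialed `ldapsearch` from each of the four servers to see whether the authority entry is missing everywhere or only on some replicas.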