On Thu, Feb 09, 2017 at 09:01:01PM -0500, Guillermo Fuentes wrote:
> As we're enforcing encryption, here is via ldaps:
> $ ldapsearch -H ldaps://`hostname` -D "cn=Directory Manager" -W -s sub -b ou=authorities,ou=ca,o=ipaca
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=authorities,ou=ca,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # authorities, ca, ipaca
> dn: ou=authorities,ou=ca,o=ipaca
> objectClass: top
> objectClass: organizationalUnit
> ou: authorities
>
> # 0af769bd-a7ed-4f3a-8859-a877724ea8f2, authorities, ca, ipaca
> dn: cn=0af769bd-a7ed-4f3a-8859-a877724ea8f2,ou=authorities,ou=ca,o=ipaca
> objectClass: authority
> objectClass: top
> cn: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
> authorityID: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
> authorityKeyNickname: caSigningCert cert-pki-ca
> authorityEnabled: TRUE
> authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
> description: Host authority
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> I'll attach the log files soon.

Hi Guillermo,
Thanks for the files. At a glance, everything looks normal in ipa upgrade and server startup.

There is a discrepancy between the authority record in Dogtag (in the ldapsearch output above) and the corresponding entry in FreeIPA:

>> $ ipa ca-show ipa
>>   Name: ipa
>>   Description: IPA CA
>>   Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>>   Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
>>   Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM

If these are indeed different (not a result of substitutions you performed in releasing the data), this is a problem I have not seen before (can you think of anything that might have caused this, e.g. deletion of the authority entry from Dogtag?).

To resolve, change the 'ipacaid' attribute of cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local to '0af769bd-a7ed-4f3a-8859-a877724ea8f2'.

HTH,
Fraser

P.S. I am away next week, so please help Guillermo if he's still having trouble.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
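The cross-check Fraser describes (Dogtag's authorityID versus FreeIPA's ipacaid for the CA with the same subject DN), as an added example that is not part of this thread and is not FreeIPA or Dogtag code. It parses two ldapsearch dumps, matches each FreeIPA CA entry to the Dogtag authority whose authorityDN equals its subject DN, and emits ldapmodify input that repoints ipacaid when the IDs disagree. The two LDIF samples are constructed here from the values quoted in the thread; the FreeIPA attribute name ipacasubjectdn is assumed to hold the "Subject DN" that ipa ca-show prints (ipacaid is the attribute named in the reply).

```python
"""Reconcile FreeIPA 'ipacaid' with Dogtag 'authorityID' (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: Dogtag authorities under ou=authorities,ou=ca,o=ipaca,
# values taken from the ldapsearch output quoted in the thread.
DOGTAG_LDIF = """\
dn: ou=authorities,ou=ca,o=ipaca
objectClass: organizationalUnit
ou: authorities

dn: cn=0af769bd-a7ed-4f3a-8859-a877724ea8f2,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
authorityID: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
description: Host authority
"""

# Constructed sample: the FreeIPA side. 'ipacaid' is named in the thread;
# 'ipacasubjectdn' is ASSUMED to carry the Subject DN shown by 'ipa ca-show'.
IPA_LDIF = """\
dn: cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local
objectClass: ipaca
objectClass: top
cn: ipa
description: IPA CA
ipacaid: 0cb513ea-6084-4144-a61c-7a0a8368d25c
ipacasubjectdn: CN=Certificate Authority,O=EXAMPLE.COM
ipacaissuerdn: CN=Certificate Authority,O=EXAMPLE.COM
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, '#' comments dropped,
    leading-space continuation lines folded, attribute names lowercased.
    Base64 ('::') and URL (':<') values are not handled; these dumps need none."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # fold a wrapped value onto its line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """Comparison key for simple DNs: case- and whitespace-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def host_authority_id(dogtag: List[Dict[str, List[str]]], subject_dn: str) -> Optional[str]:
    """authorityID of the Dogtag authority whose authorityDN matches subject_dn,
    or None when no such authority exists (e.g. the entry was deleted)."""
    want = normalize_dn(subject_dn)
    for e in dogtag:
        if "authority" not in [oc.lower() for oc in e.get("objectclass", [])]:
            continue
        if any(normalize_dn(d) == want for d in e.get("authoritydn", [])):
            return e["authorityid"][0]
    return None


def find_mismatches(dogtag_ldif: str, ipa_ldif: str) -> List[Tuple[str, str, Optional[str]]]:
    """(dn, ipacaid, dogtag_authority_id) for every FreeIPA CA whose ipacaid
    differs from Dogtag; the third element is None if Dogtag has no match."""
    dogtag = parse_ldif(dogtag_ldif)
    out = []
    for e in parse_ldif(ipa_ldif):
        if "ipaca" not in [oc.lower() for oc in e.get("objectclass", [])]:
            continue
        ipacaid = e["ipacaid"][0]
        expected = host_authority_id(dogtag, e["ipacasubjectdn"][0])
        if expected != ipacaid:
            out.append((e["dn"][0], ipacaid, expected))
    return out


def build_fix(dogtag_ldif: str, ipa_ldif: str) -> str:
    """ldapmodify input repointing ipacaid at the Dogtag authorityID. A CA with
    no Dogtag authority gets a comment instead: there is nothing safe to point at."""
    parts = []
    for dn, ipacaid, expected in find_mismatches(dogtag_ldif, ipa_ldif):
        if expected is None:
            parts.append(f"# {dn}: ipacaid {ipacaid} has no Dogtag authority; investigate\n")
        else:
            parts.append(f"dn: {dn}\nchangetype: modify\nreplace: ipacaid\nipacaid: {expected}\n")
    return "\n".join(parts)


if __name__ == "__main__":
    print(build_fix(DOGTAG_LDIF, IPA_LDIF), end="")
```

In practice the two inputs come from ldapsearch over ldaps against o=ipaca and against cn=cas,cn=ca,<basedn>, and the output is piped into ldapmodify with the same -H/-D/-W options used for the search; review the generated LDIF before applying it, since a CA entry whose subject DN matches no Dogtag authority is the "deleted authority" case the reply asks about, not something to patch over.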
