Hi Fraser, Although I modified the ids to release the data, I made sure to use consistent ids where they appeared. As you noted, there was a discrepancy and changing the 'ipacaid' attribute of cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local to match the authorityID from Dogtag fixed the issue. We're now able to sign certificates as before. Yay!!! As of what could have cause this discrepancy, the only thing I can think of is that, back when we migrated the cluster, there were a few times where the cloning of the CA from 3.x to 4.x failed.
Thank you very much for your help with this! I really appreciate it! Have a great time off! Guillermo On Fri, Feb 10, 2017 at 5:03 AM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Thu, Feb 09, 2017 at 09:01:01PM -0500, Guillermo Fuentes wrote: >> As we're enforcing encryption, here is via ldaps: >> $ ldapsearch -H ldaps://`hostname` -D "cn=Directory Manager" -W -s >> sub -b ou=authorities,ou=ca,o=ipaca Enter LDAP >> Password: >> # extended LDIF >> # >> # LDAPv3 >> # base <ou=authorities,ou=ca,o=ipaca> with scope subtree >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # authorities, ca, ipaca >> dn: ou=authorities,ou=ca,o=ipaca >> objectClass: top >> objectClass: organizationalUnit >> ou: authorities >> >> # 0af769bd-a7ed-4f3a-8859-a877724ea8f2, authorities, ca, ipaca >> dn: cn=0af769bd-a7ed-4f3a-8859-a877724ea8f2,ou=authorities,ou=ca,o=ipaca >> objectClass: authority >> objectClass: top >> cn: 0af769bd-a7ed-4f3a-8859-a877724ea8f2 >> authorityID: 0af769bd-a7ed-4f3a-8859-a877724ea8f2 >> authorityKeyNickname: caSigningCert cert-pki-ca >> authorityEnabled: TRUE >> authorityDN: CN=Certificate Authority,O=EXAMPLE.COM >> description: Host authority >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 3 >> # numEntries: 2 >> >> I'll attach the log files soon. >> > Hi Guillermo, > > Thanks for the files. At a glance, everything looks normal in ipa > upgrade and server startup. > > There is a discrepancy between the authority record in Dogtag > (in the ldapsearch output above) and the corresponding entry in > FreeIPA: > >>> $ ipa ca-show ipa >>> Name: ipa >>> Description: IPA CA >>> Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c >>> Subject DN: CN=Certificate Authority,O=EXAMPLE.COM >>> Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM > > If these are indeed different (not a result of substitutions you > performed in releasing the data), this is a problem I have not seen > before (can you think of anything that might have caused this e.g. > deletion of the authority entry from Dogtag?). To resolve, change > the 'ipacaid' attribute of cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local to > '0af769bd-a7ed-4f3a-8859-a877724ea8f2' > > HTH, > Fraser > > P.S. I am away next week, so please help Guillermo if he's still > having trouble. -- GUILLERMO FUENTES SENIOR SYSTEMS ADMINISTRATOR T: 561-880-2998 x1337 E: guillermo.fuen...@modmed.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project