Although I modified the ids to release the data, I made sure to use
consistent ids where they appeared.
As you noted, there was a discrepancy and changing the 'ipacaid'
attribute of cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local to match the
authorityID from Dogtag fixed the issue. We're now able to sign
certificates as before. Yay!!!
As for what could have caused this discrepancy, the only thing I can
think of is that, back when we migrated the cluster, there were a few
times when the cloning of the CA from 3.x to 4.x failed.
Thank you very much for your help with this! I really appreciate it!
Have a great time off!
On Fri, Feb 10, 2017 at 5:03 AM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Thu, Feb 09, 2017 at 09:01:01PM -0500, Guillermo Fuentes wrote:
>> As we're enforcing encryption, here is via ldaps:
>> $ ldapsearch -H ldaps://`hostname` -D "cn=Directory Manager" -W -s sub -b ou=authorities,ou=ca,o=ipaca
>> Enter LDAP
>> # extended LDIF
>> # LDAPv3
>> # base <ou=authorities,ou=ca,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> # authorities, ca, ipaca
>> dn: ou=authorities,ou=ca,o=ipaca
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: authorities
>> # 0af769bd-a7ed-4f3a-8859-a877724ea8f2, authorities, ca, ipaca
>> dn: cn=0af769bd-a7ed-4f3a-8859-a877724ea8f2,ou=authorities,ou=ca,o=ipaca
>> objectClass: authority
>> objectClass: top
>> cn: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
>> authorityID: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
>> authorityKeyNickname: caSigningCert cert-pki-ca
>> authorityEnabled: TRUE
>> authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
>> description: Host authority
>> # search result
>> search: 2
>> result: 0 Success
>> # numResponses: 3
>> # numEntries: 2
>> I'll attach the log files soon.
> Hi Guillermo,
> Thanks for the files. At a glance, everything looks normal in ipa
> upgrade and server startup.
> There is a discrepancy between the authority record in Dogtag
> (in the ldapsearch output above) and the corresponding entry in
>>> $ ipa ca-show ipa
>>> Name: ipa
>>> Description: IPA CA
>>> Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
>>> Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
>>> Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
> If these are indeed different (not a result of substitutions you
> performed in releasing the data), this is a problem I have not seen
> before (can you think of anything that might have caused this e.g.
> deletion of the authority entry from Dogtag?). To resolve, change
> the 'ipacaid' attribute of cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local to
> P.S. I am away next week, so please help Guillermo if he's still
> having trouble.
SENIOR SYSTEMS ADMINISTRATOR
T: 561-880-2998 x1337
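As an added consistency check (not part of the thread or of FreeIPA itself), the script below parses the two LDAP views compared above, the Dogtag authorities subtree and the IPA CA entry, and reports whether 'ipacaid' matches a Dogtag 'authorityID', emitting the ldapmodify LDIF for the correction Fraser described. The sample LDIF is constructed from the values quoted in the thread; on the IPA side only the ipacaid value is from the thread and the remaining attributes are assumed.

```python
# Constructed sample: the Dogtag authorities subtree quoted in the thread.
DOGTAG_LDIF = """\
dn: ou=authorities,ou=ca,o=ipaca
objectClass: organizationalUnit
ou: authorities

dn: cn=0af769bd-a7ed-4f3a-8859-a877724ea8f2,ou=authorities,ou=ca,o=ipaca
objectClass: authority
authorityID: 0af769bd-a7ed-4f3a-8859-a877724ea8f2
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
description: Host authority

result: 0 Success
"""
# Constructed sample: IPA-side CA entry; only the ipacaid value is from the thread.
IPA_CA_DN = "cn=ipa,cn=cas,cn=ca,dc=ipa,dc=local"
IPA_LDIF = f"dn: {IPA_CA_DN}\nobjectClass: ipaca\nipacaid: 0cb513ea-6084-4144-a61c-7a0a8368d25c\n"

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry. Comments and
    the 'search:'/'result:' trailer are skipped; each 'dn:' starts an entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#") or attr in ("search", "result"):
            continue
        if attr == "dn":
            cur = {}
            entries.append(cur)
        cur.setdefault(attr, []).append(value.strip())
    return entries

def check_ca_entry(dogtag_ldif, ipa_ldif):
    """Return (ipacaid, set of Dogtag authorityIDs, whether ipacaid is among them)."""
    dogtag_ids = {e["authorityID"][0] for e in parse_ldif(dogtag_ldif)
                  if "authority" in e.get("objectClass", [])}
    ipa = [e for e in parse_ldif(ipa_ldif) if "ipacaid" in e]
    ipacaid = ipa[0]["ipacaid"][0] if ipa else None
    return ipacaid, dogtag_ids, ipacaid in dogtag_ids

def ipacaid_fix_ldif(dn, authority_id):
    """ldapmodify input applying the thread's fix: point ipacaid at the Dogtag authorityID."""
    return f"dn: {dn}\nchangetype: modify\nreplace: ipacaid\nipacaid: {authority_id}\n"

if __name__ == "__main__":
    ipacaid, ids, ok = check_ca_entry(DOGTAG_LDIF, IPA_LDIF)
    print(ipacaid, "matches Dogtag" if ok else "does NOT match Dogtag " + ", ".join(sorted(ids)))
    if not ok and len(ids) == 1:  # unambiguous: exactly one host authority to point at
        print(ipacaid_fix_ldif(IPA_CA_DN, ids.pop()), end="")
```

Against live servers, feed the script the output of the ldapsearch shown in the thread and of a search on the IPA CA entry; a mismatch means IPA will request signing with an authority ID Dogtag does not know.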