Marc-

I used this

    dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
    changetype: modify
    delete: userCertificate
    -
    add: userCertificate
    userCertificate:: MII….
    -

And now ldapsearch gives me:

    dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
    userCertificate:: MII….

I restarted the pki-tomcat service for the instance. Now when I try to access it, I am back to the simple “Invalid Credential” error. /var/log/pki/risd-ise/ca/system says:

    0.http-bio-8373-exec-1 - [18/Feb/2020:10:25:12 CST] [6] [3] Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caad...@risdca1.risd.org,OU=risd-ise,O=RISD.ORG. Error: User not found

Could the problem be that there is no naming context for risd-ise, so it’s not matching the caadmin user? From your first response yesterday, it seems like you expected there to be, but I just have dc=ca,dc=risd,dc=org. I’ve been doing the ldapmodifies on it. If there ever was an entry for risd-ise, I don’t know what happened to it. I definitely didn’t intentionally delete it, because I didn’t really even know about the directory server part beyond the steps in the Installation Guide.

    ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
    Enter LDAP Password:
    dn:
    namingcontexts: dc=ca,dc=risd,dc=org
    namingcontexts: dc=risd,dc=org

    ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
    dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org

    dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org

    dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
    uniqueMember: uid=bwolf,ou=People,dc=ca,dc=risd,dc=org
    …

- Brian

From: Marc Sauton <msau...@redhat.com>
Sent: Monday, February 17, 2020 7:12 PM
To: Wolf, Brian <brian.w...@risd.org>
Cc: pki-users@redhat.com
Subject: Re: [Pki-users] pki 10.5 - Unable to log in to PKI console

Extra note, an ldapmodify "replace" should be used, as the userCertificate can be multi-valued, and the first sample may be used from an LDAP search result set, which can be the older certificate, so it is better to either del/add or replace it to avoid confusion.

Thanks,
M.

On Mon, Feb 17, 2020 at 5:05 PM Marc Sauton <msau...@redhat.com> wrote:

For the pkiconsole: correct for RHEL, it would need the RHCS subscription, but it is available from Fedora:

    pki-console-10.7.3-3.fc31.noarch : PKI Console Package
    Repo        : fedora

I do not think we have the pkiconsole in CentOS ( http://mirror.centos.org/centos/7.7.1908/ )

For the ldapmodify, add the colon char twice because the value is already base-64 encoded, like for example:

    dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
    changetype: modify
    delete: userCertificate
    -
    add: userCertificate
    userCertificate:: MII...

That should solve the issue!

Thanks,
M.

On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian <brian.w...@risd.org> wrote:

Marc-

You were correct that the directory manager had the serial #6 version. I tried to replace it with the #33 version, but now when I try to connect, I get the error “You did not provide a valid certificate for this operation.” instead of “Invalid credential.”

First, you mentioned using pkiconsole. I don’t have pkiconsole installed. I think we found that that was part of RHCS, and we don’t have a subscription for RHCS. So I’m just wading through the CLI commands.

Also, I didn’t find any naming contexts specifically referencing the instance. Caadmin showed up in the Agents and Administrators queries for dc=ca,dc=risd,dc=org. And there is no CN=PKI Administrator entry in the list of Administrators.

    # ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
    Enter LDAP Password:
    dn:
    namingcontexts: dc=ca,dc=risd,dc=org
    namingcontexts: dc=risd,dc=org

    # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember
    Enter LDAP Password:
    [root@risdca1 tmp]#

    # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember
    Enter LDAP Password:
    dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
    uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org

    dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org

    # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
    Enter LDAP Password:
    dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
    uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org

    dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org

    dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
    uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org

    dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org
    uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or

The user certificate appeared to be in X509 format. I copied that to a file and verified that it was the expired #6 version.

    # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
    Enter LDAP Password:
    dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
    userCertificate:: MII********************************************************
     S***************************************************************************
     G***************************************************************************
     …
     **********************************************************************M7nQ==

I didn’t find any examples of multi-line values in the ldapmodify file, so I tried using the same format as the search used, with the second and subsequent lines beginning with a space and a “-“ on the last line.

    $ cat ldapmodify.caadmin.txt
    dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
    changetype: modify
    replace: userCertificate
    userCertificate: MII*********************************************************
     S****************************************************************************
     …
     P***********************************************************************mDw==
    -

    # ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt
    Enter LDAP Password:
    modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
    #

    # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
    Enter LDAP Password:
    dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
    userCertificate: MII****************************************************************************
     V******************************************************************************************
     ….
     K***********************************************************************************mdw==

So it took what I gave it. I noticed that for the old cert, ldapsearch displayed “userCertificate::” (two colons), and now it only has “userCertificate:” (one colon). Is that significant? I tried changing the input file to read userCertificate::, and then ldapsearch showed both colons again, but I still got the “you did not provide a valid credential…” error when I tried to connect from my laptop. I verified that Firefox on my laptop is using PKI Administrator [33] for identification.

- Brian

From: Marc Sauton <msau...@redhat.com>
Sent: Monday, February 17, 2020 2:00 PM
To: Wolf, Brian <brian.w...@risd.org>
Cc: pki-users@redhat.com
Subject: Re: [Pki-users] pki 10.5 - Unable to log in to PKI console

The entry CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain likely has the older cert with serial 6; it just needs the newer one with serial 0x33 / 51.
It may be easier to use the pkiconsole to add it, under "Configuration | Users and Groups | Users | admin | Certificates | Import"

Thanks,
M.

On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton <msau...@redhat.com> wrote:

Hello,

Probably either there is no caadmin (uid=admin may be set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups.

Try for example:

locate the LDAP base DN of the PKI repository:

    ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts

output example:

    dn:
    namingcontexts: dc=example,dc=test
    namingcontexts: o=rootca1-CA
    namingcontexts: o=subca1-CA

note it could also be in the form of

    namingcontexts: dc=ca1.example.test-pki-ca1

and in your case it may be similar to o=risd-ise-CA

then search into that LDAP backend to verify the values of the attribute uniquemember of the entries, like in this example but replacing the string o=subca1-CA to match your environment:

either for the agent users:

    ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember

or the administrators (admin or caadmin is the default one, like a "root" user):

    ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember

then verify the uniqueMember value corresponds to a valid existing LDAP entry, like for example:

    dn: uid=caadmin,ou=people,o=subca1-CA

and then verify that the admin or agent user entry has a corresponding user certificate, like for example:

    ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate

you may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain from the NSS db at ~/.dogtag/risd-ise/ca/alias/

Note this can be done using the pkiconsole.

Thanks,
M.

On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian <brian.w...@risd.org> wrote:

I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since. I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page.

I copied the PKI Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and installed it under “Your Certificates” and the signing certificate under “Authorities” in Firefox. When I try to connect to the agent page (https://.../ca/agent/ca), the padlock goes green, but I get an “Invalid Credential” error. /var/log/pki/risd-ise/ca/system contains

    Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User not found

The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cert8.db. There are actually two entries: the current one and the previous expired one. It is also in /etc/pki/ca-trust/source/anchors. What is it looking for, and where?

- Brian

    # certutil -L -d ~/.dogtag/MyInstance/ca/alias

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CA Signing Certificate - MyDomain                            CT,c,
    caadmin                                                      u,u,u
    caadmin                                                      u,u,u

    # certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 51 (0x33)
            Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
            Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
            Validity:
                Not Before: Tue Feb 26 04:20:43 2019
                Not After : Wed Feb 26 04:20:43 2020
            Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance
                ,O=MyDomain"
            Subject Public Key Info:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 6 (0x6)
            Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
            Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
            Validity:
                Not Before: Fri Mar 10 22:38:25 2017
                Not After : Thu Feb 28 22:38:25 2019
            Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomainr,OU=MyInstance
                ,O=MyDomain"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:

    # certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 51 (0x33)
            Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
            Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
            Validity:
                Not Before: Tue Feb 26 04:20:43 2019
                Not After : Wed Feb 26 04:20:43 2020
            Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance
                ,O=MyDomain"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:

Current versions:
Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
pki-base-10.5.16-6
pki-base-java-10.5.16-6.el7_7.noarch
java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users