[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
On 2/2/20 11:30 PM, Jochen Demmer via FreeIPA-users wrote:
> Hi,
>
> this is the outputs:
>
> [root@srv107 ipa]# openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
> serial=15
> subject=CN=IPA RA,O=UNIX.domain.NET
> issuer=CN=Certificate Authority,O=UNIX.domain.NET
> [root@srv107 ipa]# openssl x509 -noout -in ra-agent.pem -serial -subject -issuer -nameopt RFC2253
> serial=15
> subject=CN=IPA RA,O=UNIX.domain.NET
> issuer=CN=Certificate Authority,O=UNIX.domain.NET
> [root@srv107 ipa]# ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca dn description usercertificate
> Enter LDAP Password:
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET
> usercertificate:: [base64 value omitted]
> usercertificate:: [base64 value omitted]
>
> I can see that the serial is different but I cannot compare the usercertificate attributes since they are not given in the openssl command output.

Hi,

Serial is 15 on the node srv107 but 21 in LDAP. This means that the cert was renewed but the local file didn't get updated.

Can you check first which node is your CA renewal master?

$ kinit admin
$ ipa config-show | grep "CA renewal master"
  IPA CA renewal master: master.ipa.domain

On this node check that the file /var/lib/ipa/ra-agent.pem and the content in ldap are consistent. You can do just

$ cat /var/lib/ipa/ra-agent.pem

to compare the content of the cert with the usercertificate attribute of the ldap entry.

If everything is OK on the renewal master, you can copy the file /var/lib/ipa/ra-agent.pem to the failing node srv107.

HTH,
flo

> Shall I just adjust the serial and try again?
>
> Jochen
>
> On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via FreeIPA-users wrote:
>> This error occurs when IPA framework tries to authenticate to Dogtag CA and it fails.
>> It is using the certificate located in /var/lib/ipa/ra-agent.pem. According to your getcert output, the cert is valid. You will need to check if it is consistent with what is stored in LDAP.
>>
>> Note the values related to the actual certificate:
>> $ cat /var/lib/ipa/ra-agent.pem
>> -----BEGIN CERTIFICATE-----
>> MII...NSF
>> -----END CERTIFICATE-----
>> $ openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
>> serial=
>> subject= CN=IPA RA,O=
>> issuer= CN=Certificate Authority,O=
>>
>> Then compare the result with the ldap entry:
>> $ ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W \
>>     -b uid=ipara,ou=people,o=ipaca dn description usercertificate
>> Enter LDAP Password:
>> dn: uid=ipara,ou=people,o=ipaca
>> description:
[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
Hi,

this is the outputs:

[root@srv107 ipa]# openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
[root@srv107 ipa]# openssl x509 -noout -in ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
[root@srv107 ipa]# ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET
usercertificate:: [base64 value omitted]
usercertificate:: [base64 value omitted]

I can see that the serial is different but I cannot compare the usercertificate attributes since they are not given in the openssl command output.

Shall I just adjust the serial and try again?

Jochen

On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via FreeIPA-users wrote:
> This error occurs when IPA framework tries to authenticate to Dogtag CA and it fails.
> It is using the certificate located in /var/lib/ipa/ra-agent.pem. According to your getcert output, the cert is valid. You will need to check if it is consistent with what is stored in LDAP.
>
> Note the values related to the actual certificate:
> $ cat /var/lib/ipa/ra-agent.pem
> -----BEGIN CERTIFICATE-----
> MII...NSF
> -----END CERTIFICATE-----
> $ openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
> serial=
> subject= CN=IPA RA,O=
> issuer= CN=Certificate Authority,O=
>
> Then compare the result with the ldap entry:
> $ ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W \
>     -b uid=ipara,ou=people,o=ipaca dn description usercertificate
> Enter LDAP Password:
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;23;CN=Certificate Authority,O=;CN=IPA RA,O=
> usercertificate:: MII..NSF
> usercertificate:: MII...tKR/c
>
> 1/ The usercertificate attribute may contain multiple values. Make sure that one of them corresponds to the value from the file /var/lib/ipa/ra-agent.pem.
>
> 2/ The description attribute must contain 2;<serial>;<issuer>;<subject>
>
> If it's not the case you can use ldapmodify to update the ldap entry with what is expected.
>
> HTH,
> flo
>
>> 2020-01-30T22:45:09Z DEBUG The ipa-server-upgrade command failed,
>> exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>> 2020-01-30T22:45:09Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> RemoteRetrieveError: Failed to authenticate to CA REST API
>> 2020-01-30T22:45:09Z ERROR The
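The consistency check described in the thread above (is the certificate in /var/lib/ipa/ra-agent.pem one of the usercertificate values of uid=ipara, and does the serial in the description attribute's 2;serial;issuer;subject field match it), as an added Python example; it is not FreeIPA's own code. It takes the PEM text and the LDIF output of the ldapsearch command from the thread as strings, decodes the certificate with a minimal DER reader, and compares serials as integers. That last point matters when reading openssl output by eye: `openssl x509 -serial` prints the serial in hexadecimal, whereas the description attribute stores it in decimal, so a file showing serial=15 and an entry showing 2;21;... refer to the same serial number (0x15 == 21). Subject and issuer are not parsed here. The two "certificates" and the LDIF in the block are constructed samples (only version and serial, which is all the reader needs), and the function names are this example's own.

```python
"""Check that /var/lib/ipa/ra-agent.pem matches the uid=ipara,ou=people,o=ipaca entry.

Added example, not FreeIPA code. Inputs are the PEM file contents and the LDIF
text printed by:
  ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W \
      -b uid=ipara,ou=people,o=ipaca dn description usercertificate
"""
import base64
import re


def pem_to_der(pem_text):
    """Strip the PEM armor and decode the base64 body to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf, pos):
    """Minimal DER reader: return (tag, value_start, value_end) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial(der):
    """Return the serialNumber of a DER X.509 certificate as an int (decimal)."""
    _, tbs, _ = _tlv(der, 0)               # Certificate SEQUENCE -> tbsCertificate
    tag, pos, _ = _tlv(der, tbs)           # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE not found")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional EXPLICIT [0] version comes first
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attr: [values]}; '::' (base64) values become bytes."""
    records = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and records:   # folded continuation line
            records[-1][2] += line[1:]
            continue
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^:]+)(::?) ?(.*)$", line)
        if not m:
            raise ValueError("bad LDIF line: %r" % line)
        records.append([m.group(1).lower(), m.group(2), m.group(3)])
    entry = {}
    for name, sep, value in records:
        entry.setdefault(name, []).append(
            base64.b64decode(value) if sep == "::" else value)
    return entry


def check_ra_agent(pem_text, ldif_text):
    """Compare the ra-agent.pem certificate with the uid=ipara LDAP entry."""
    der = pem_to_der(pem_text)
    entry = parse_ldif_entry(ldif_text)
    file_serial = der_serial(der)
    # description is "2;<serial>;<issuer>;<subject>"; the serial is decimal
    fields = entry.get("description", [""])[0].split(";", 3)
    desc_serial = int(fields[1]) if len(fields) == 4 and fields[0] == "2" else None
    return {
        "file_serial": file_serial,
        "description_serial": desc_serial,
        "cert_in_ldap": der in entry.get("usercertificate", []),
        "description_matches": desc_serial == file_serial,
    }


def make_pem(der):
    """Wrap DER bytes in PEM armor (for the constructed samples below)."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed minimal DER "certificates" (version v3 + serial only) for the demo;
# real certificates carry many more fields, but der_serial() walks them the same way.
SAMPLE_DER_21 = bytes.fromhex("300a3008a003020102020115")   # serial 0x15 = 21
SAMPLE_DER_20 = bytes.fromhex("300a3008a003020102020114")   # serial 0x14 = 20

# Constructed LDIF: the entry keeps the previous cert as a second value, as in the thread
SAMPLE_LDIF = (
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "description: 2;21;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST\n"
    "usercertificate:: " + base64.b64encode(SAMPLE_DER_21).decode() + "\n"
    "usercertificate:: " + base64.b64encode(SAMPLE_DER_20).decode() + "\n"
)

if __name__ == "__main__":
    for der in (SAMPLE_DER_21, SAMPLE_DER_20):
        print(check_ra_agent(make_pem(der), SAMPLE_LDIF))
```

Against a real server, read /var/lib/ipa/ra-agent.pem and the ldapsearch output into the two strings; a result with cert_in_ldap True but description_matches False means the file holds an older certificate that is still listed on the entry but is no longer the one Dogtag expects, which is the situation where copying the file from the CA renewal master applies.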