Re: [Freeipa-users] Certificate Issues

2016-08-04 Thread Rob Crittenden

Adam Lewis wrote:

Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.

getcert list shows :
ca-error: Server at
"https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1:
Authentication Error

And the debug log shows:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.

Those appear to be the most significant messages. I'm disconnected so
getting the full log info is difficult. If it's the only way let me know
and I'll see what I can do. Worst case it'll just take me a while to
re-type it.


Sorry for the delay.

Are you sure you are going to back far enough in time? Some of the certs 
expire at different points.


I typically use this to get the list of expiration dates
# getcert list | grep expires

Picking the "right" date can be tricky sometimes.

Some other things that the dogtag engineers suggested to test to ensure 
the CA is actually up:


Get the cert chain:

$ curl http://ipa.example.com:8080/ca/ee/ca/getCertChain

And ensure it can contact its database by getting a cert:

$ curl 'https://ipa.example.com:9443/ca/ee/ca/displayBySerial?op=displayBySerial&serialNumber=0x1'


rob



Thanks


On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden wrote:

Adam Lewis wrote:

Yup, It's just the text string. I don't know how much this
matters but
when I ran the start-tracking for the ipaCert it didn't generate
a new
certificate. I'm still working off of serial number 7, which is what
it's been since we installed IPA. Is there some way/reason for me to
generate a whole new ipaCert?


certmonger will take care of that when renewal happens.

Did you go back in time to when this cert was valid?

rob


Thanks

On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden wrote:

 Adam Lewis wrote:

 If you mean the usercertificate value from the ldapsearch
 command, then
 yes. That value matches the value from the certutil output.


 The usercertificate in LDAP had the BEGIN/END stripped, right?

 I'll cc a couple of the dogtag developers to see what they
think.

 rob


 Thanks

 On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:

   Rob,
   Thanks for pointing me in the right direction. However after
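The expiry survey Rob suggests above ("getcert list | grep expires", then pick a date), as an added example that is not part of the thread: a POSIX shell helper that turns `getcert list` output into one line per tracked certificate, names the earliest expiry (the clock has to be set before that point for every resubmit to be accepted) and lists the requests the CA rejected. The `getcert list` sample it runs on is constructed for the example, with made-up request IDs, nicknames and dates; the function names are mine, not certmonger's.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise `getcert list` output so
# every tracked certificate's expiry is visible at once, the earliest one is
# named (the clock has to go back before it), and requests the CA rejected
# (ca-error set) are listed. Pure text processing, so it also runs on output
# saved from an offline host.

# One line per tracked request, tab-separated: expires, nickname, status,
# ca-error. Sorted on the expiry, which sorts correctly as plain text in
# getcert's YYYY-MM-DD HH:MM:SS form.
getcert_summary() {
    printf '%s\n' "$1" | awk -v q="'" '
        function emit() {
            if (nick != "") printf "%s\t%s\t%s\t%s\n", expires_at, nick, status, err
        }
        /^Request ID/ { emit(); nick = ""; expires_at = "-"; status = "-"; err = "" }
        /^[ \t]*certificate:/ {
            # certificate: type=NSSDB,location=...,nickname=...,token=...
            nick = $0; sub(/^[ \t]*certificate: */, "", nick)
            i = index($0, "nickname=" q)
            if (i) { rest = substr($0, i + 10); nick = substr(rest, 1, index(rest, q) - 1) }
        }
        /^[ \t]*expires:/  { sub(/^[ \t]*expires: */, "");  expires_at = $0 }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error: */, ""); err = $0 }
        END { emit() }' | LC_ALL=C sort
}

# Earliest expiry and the certificate it belongs to. For a resubmit to be
# accepted, the system time has to be set before this point.
earliest_expiry() {
    getcert_summary "$1" | awk -F'\t' '$1 != "-" { print $1, $2; exit }'
}

# Requests whose last attempt the CA rejected, with the CA's reply.
getcert_failures() {
    getcert_summary "$1" | awk -F'\t' '$4 != "" { print $2 ": " $4 }'
}

# Constructed, abridged sample of `getcert list` output (not from the thread).
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20160801120001':
	status: MONITORING
	ca-error: Server at "https://ipa.example.com:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2016-07-23 14:05:12 UTC
Request ID '20160801120002':
	status: MONITORING
	ca-error: Server at "https://ipa.example.com:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	subject: CN=CA Subsystem,O=EXAMPLE.COM
	expires: 2016-07-23 14:05:20 UTC
Request ID '20160801120003':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	expires: 2018-01-10 09:00:00 UTC
Request ID '20160801120004':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	subject: CN=CA Audit,O=EXAMPLE.COM
	expires: 2016-07-23 14:05:25 UTC
EOF
)

echo "earliest expiry: $(earliest_expiry "$SAMPLE_GETCERT")"   # 2016-07-23 14:05:12 UTC ipaCert
getcert_failures "$SAMPLE_GETCERT"
# On the live host:  earliest_expiry "$(getcert list)"
```

The parser only relies on the `certificate:`, `expires:`, `status:` and `ca-error:` lines of each request, so it gives the same table on a re-typed copy of the output as on the live server. Note that it reports the expiry of the certificate currently in the database; certmonger's own renewal window opens some time before that, so a clock set just before the earliest expiry is the latest safe choice, not the only one.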
   

Re: [Freeipa-users] Certificate Issues

2016-08-02 Thread Adam Lewis
Rob,
The only message that seems remotely relevant is:

ProfileSubmitServlet: for renewal, original authenticator not found

But everything else looks completely fine until the "AUTH_FAIL" message.
I started seeing

csngen_new_csn - Warning: too much time skew (-xxx secs). Current seqnum=1

So I searched for that and found a few articles...but most of them deal
with replication. I don't have any replication agreements right now, and I
updated nsslapd-ignore-time-skew to on, but that didn't fix it either.

Any ideas?

Thanks

On Mon, Aug 1, 2016 at 3:29 PM, Rob Crittenden wrote:

> Adam Lewis wrote:
>
>> Yup. I'm currently still sitting back in time. But any time I try to
>> resubmit either the ipaCert or the subsystemCert it errors out.
>>
>> getcert list shows :
>> ca-error: Server at
>> "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1:
>> Authentication Error
>>
>> And the debug log shows:
>> SignedAuditEventFactory: create()
>>
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
>>
>
> I'd look at the lines above that for clues, and check the 389-ds access
> log. I assume it is finding an entry for uid=ipara, right?
>
> The way the auth works as I understand it is dogtag first compares the
> serial number, issuer and subject of the provided certificate with the
> description attribute in the entry it finds in LDAP. Then it compares the
> full certificate. If things match up then you are authenticated. It then
> does some authorization work.
>
> For reference, mine looks like:
>
> dn: uid=ipara,ou=people,o=ipaca
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: cmsuser
> uid: ipara
> sn: ipara
> cn: ipara
> usertype: agentType
> userstate: 1
> userCertificate::
> MIIDbTCCAlWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtH
>  [snip]
>  o0i1CCw1v++2tgvHiiZEEeeuOEMGEdXZfv4Xw=
> description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=
> EXAMPLE.COM
>
> Those appear to be the most significant messages. I'm disconnected so
>> getting the full log info is difficult. If it's the only way let me know
>> and I'll see what I can do. Worst case it'll just take me a while to
>> re-type it.
>>
>
> Understood.
>
>
>
>> Thanks
>>
>>
>> On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden wrote:
>>
>> Adam Lewis wrote:
>>
>> Yup, It's just the text string. I don't know how much this
>> matters but
>> when I ran the start-tracking for the ipaCert it didn't generate
>> a new
>> certificate. I'm still working off of serial number 7, which is
>> what
>> it's been since we installed IPA. Is there some way/reason for me
>> to
>> generate a whole new ipaCert?
>>
>>
>> certmonger will take care of that when renewal happens.
>>
>> Did you go back in time to when this cert was valid?
>>
>> rob
>>
>>
>> Thanks
>>
>> On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden wrote:
>>
>>  Adam Lewis wrote:
>>
>>  If you mean the usercertificate value from the ldapsearch
>>  command, then
>>  yes. That value matches the value from the certutil
>> output.
>>
>>
>>  The usercertificate in LDAP had the BEGIN/END stripped,
>> right?
>>
>>  I'll cc a couple of the dogtag developers to see what they
>> think.
>>
>>  rob
>>
>>
>>  Thanks
>>
>>  On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:
>>   Adam Lewis wrote:
>>
>>   A quick update. We did some digging on the
>> segfault
>>  problem and
>>   I think
>>   it was due to having to update the trusts on
>> the CA
>>  cert. So we
>>   updated
>>   the certmonger package and certmonger now
>> starts again.
>>   However we're kind of back to square one where
>> we are still
>>   getting the
>>   AUTH_FAIL messages in the debug log.
>>   I have verified that the ipara entry's serial
>> number
>>  and cert
>>   

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden

Adam Lewis wrote:

Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.

getcert list shows :
ca-error: Server at
"https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1:
Authentication Error

And the debug log shows:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.


I'd look at the lines above that for clues, and check the 389-ds access 
log. I assume it is finding an entry for uid=ipara, right?


The way the auth works as I understand it is dogtag first compares the 
serial number, issuer and subject of the provided certificate with the 
description attribute in the entry it finds in LDAP. Then it compares 
the full certificate. If things match up then you are authenticated. It 
then does some authorization work.


For reference, mine looks like:

dn: uid=ipara,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipara
sn: ipara
cn: ipara
usertype: agentType
userstate: 1
userCertificate:: MIIDbTCCAlWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtH
 [snip]
 o0i1CCw1v++2tgvHiiZEEeeuOEMGEdXZfv4Xw=
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM



Those appear to be the most significant messages. I'm disconnected so
getting the full log info is difficult. If it's the only way let me know
and I'll see what I can do. Worst case it'll just take me a while to
re-type it.


Understood.




Thanks


On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden wrote:

Adam Lewis wrote:

Yup, It's just the text string. I don't know how much this
matters but
when I ran the start-tracking for the ipaCert it didn't generate
a new
certificate. I'm still working off of serial number 7, which is what
it's been since we installed IPA. Is there some way/reason for me to
generate a whole new ipaCert?


certmonger will take care of that when renewal happens.

Did you go back in time to when this cert was valid?

rob


Thanks

On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden wrote:

 Adam Lewis wrote:

 If you mean the usercertificate value from the ldapsearch
 command, then
 yes. That value matches the value from the certutil output.


 The usercertificate in LDAP had the BEGIN/END stripped, right?

 I'll cc a couple of the dogtag developers to see what they
think.

 rob


 Thanks

 On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.

getcert list shows :
ca-error: Server at
"https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1:
Authentication Error

And the debug log shows:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.

Those appear to be the most significant messages. I'm disconnected so
getting the full log info is difficult. If it's the only way let me know
and I'll see what I can do. Worst case it'll just take me a while to
re-type it.

Thanks


On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden wrote:

> Adam Lewis wrote:
>
>> Yup, It's just the text string. I don't know how much this matters but
>> when I ran the start-tracking for the ipaCert it didn't generate a new
>> certificate. I'm still working off of serial number 7, which is what
>> it's been since we installed IPA. Is there some way/reason for me to
>> generate a whole new ipaCert?
>>
>
> certmonger will take care of that when renewal happens.
>
> Did you go back in time to when this cert was valid?
>
> rob
>
>
>> Thanks
>>
>> On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden wrote:
>>
>> Adam Lewis wrote:
>>
>> If you mean the usercertificate value from the ldapsearch
>> command, then
>> yes. That value matches the value from the certutil output.
>>
>>
>> The usercertificate in LDAP had the BEGIN/END stripped, right?
>>
>> I'll cc a couple of the dogtag developers to see what they think.
>>
>> rob
>>
>>
>> Thanks
>>
>> On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:
>>
>>  Adam Lewis wrote:
>>
>>  A quick update. We did some digging on the segfault
>> problem and
>>  I think
>>  it was due to having to update the trusts on the CA
>> cert. So we
>>  updated
>>  the certmonger package and certmonger now starts again.
>>  However we're kind of back to square one where we are
>> still
>>  getting the
>>  AUTH_FAIL messages in the debug log.
>>  I have verified that the ipara entry's serial number
>> and cert
>>  match the
>>  serial number and cert from the one in /etc/httpd/alias.
>>
>>
>>  How about the certificate PEM? Does it match the
>> usercertificate in
>>  the dogtag LDAP server?
>>
>>  rob
>>
>>
>>  Any other ideas?
>>
>>  Thanks!
>>
>>  On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis wrote:
>>   Rob,
>>   Thanks for pointing me in the right direction.
>> However after
>>   following the instructions in the above mentioned
>> doc I
>>  noticed a
>>   few things that are odd and have a new problem.
>> The first
>>  odd thing
>>   I noticed is that when I run service pki-cad status
>> it
>>  shows that my
>>   PKI Subsystem Type is "CA Clone (Security Domain)"
>>   Shouldn't that say something like "CA Master"?
>>   Second, when I ran the "ipa-getcert resubmit -I
>> [ID]"
>>  commands they
>>   all produced the same AUTH_FAIL message in the
>> debug log.
>>
>>   Now the new problem...after pressing on and
>> restarting things
>>   certmonger fails to start with a segfault.
>>   Starting certmonger: /bin/bash: line 1: 64935
>> Segmentation
>>   fault  /usr/sbin/certmonger -S -p /var/run
>> certmonger.pid
>>
>>   Thanks!
>>
>>   On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden wrote:

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden

Adam Lewis wrote:

Yup, It's just the text string. I don't know how much this matters but
when I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what
it's been since we installed IPA. Is there some way/reason for me to
generate a whole new ipaCert?


certmonger will take care of that when renewal happens.

Did you go back in time to when this cert was valid?

rob



Thanks

On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden wrote:

Adam Lewis wrote:

If you mean the usercertificate value from the ldapsearch
command, then
yes. That value matches the value from the certutil output.


The usercertificate in LDAP had the BEGIN/END stripped, right?

I'll cc a couple of the dogtag developers to see what they think.

rob


Thanks

On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:

 Adam Lewis wrote:

 A quick update. We did some digging on the segfault
problem and
 I think
 it was due to having to update the trusts on the CA
cert. So we
 updated
 the certmonger package and certmonger now starts again.
 However we're kind of back to square one where we are still
 getting the
 AUTH_FAIL messages in the debug log.
 I have verified that the ipara entry's serial number
and cert
 match the
 serial number and cert from the one in /etc/httpd/alias.


 How about the certificate PEM? Does it match the
usercertificate in
 the dogtag LDAP server?

 rob


 Any other ideas?

 Thanks!

 On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis wrote:

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Yup, It's just the text string. I don't know how much this matters but when
I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what it's
been since we installed IPA. Is there some way/reason for me to generate a
whole new ipaCert?

Thanks

On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden wrote:

> Adam Lewis wrote:
>
>> If you mean the usercertificate value from the ldapsearch command, then
>> yes. That value matches the value from the certutil output.
>>
>
> The usercertificate in LDAP had the BEGIN/END stripped, right?
>
> I'll cc a couple of the dogtag developers to see what they think.
>
> rob
>
>
>> Thanks
>>
>> On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:
>>
>> Adam Lewis wrote:
>>
>> A quick update. We did some digging on the segfault problem and
>> I think
>> it was due to having to update the trusts on the CA cert. So we
>> updated
>> the certmonger package and certmonger now starts again.
>> However we're kind of back to square one where we are still
>> getting the
>> AUTH_FAIL messages in the debug log.
>> I have verified that the ipara entry's serial number and cert
>> match the
>> serial number and cert from the one in /etc/httpd/alias.
>>
>>
>> How about the certificate PEM? Does it match the usercertificate in
>> the dogtag LDAP server?
>>
>> rob
>>
>>
>> Any other ideas?
>>
>> Thanks!
>>
>> On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis wrote:
>>
>>  Rob,
>>  Thanks for pointing me in the right direction. However after
>>  following the instructions in the above mentioned doc I
>> noticed a
>>  few things that are odd and have a new problem. The first
>> odd thing
>>  I noticed is that when I run service pki-cad status it
>> shows that my
>>  PKI Subsystem Type is "CA Clone (Security Domain)"
>>  Shouldn't that say something like "CA Master"?
>>  Second, when I ran the "ipa-getcert resubmit -I [ID]"
>> commands they
>>  all produced the same AUTH_FAIL message in the debug log.
>>
>>  Now the new problem...after pressing on and restarting things
>>  certmonger fails to start with a segfault.
>>  Starting certmonger: /bin/bash: line 1: 64935 Segmentation
>>  fault  /usr/sbin/certmonger -S -p /var/run certmonger.pid
>>
>>  Thanks!
>>
>>  On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden wrote:
>>
>>  Lewis, Adam M CIV NSWCDD, H11 wrote:
>>
>>  We are currently dead in the water. Our OCSP, CA
>> Audit, CA
>>  Subsystem, and IPA RA certs expired as of 7/23/16.
>> I found
>>  and followed the instructions to the letter
>>
>> (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>>  however the CA Subsystem and IPA RA certs will not
>> renew.
>>  I've backdated the server to make sure the system
>> was within
>>  the renewal window, but that has not help.
>>
>>
>>  Those are the wrong instructions.
>>
>>  You want this instead,
>> https://access.redhat.com/solutions/643753
>>
>>  A bunch of it is for 2.2 but it isn't exactly noted
>> which parts.
>>  A general rule is that you don't/shouldn't need to
>> directly
>>  tweak the dogtag configuration or do any of the
>> start-tracking
>>  work (though you may want to verify that what/if
>> anything you
>>  changed from that wrong doc).
>>
>>  When I run getcert list it reports:
>>  Ca-error: Server at
>>  "https://:9443/ca/agent/ca/profileProcess"
>> replied: 1:
>>  Authentication Error
>>  for both the IPA RA and CA Subsystem certs
>>
>>  The debug log shows:
>>  SignedAuditEventFactory: create()
>>
>>
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>>  RA,O=MISS.ION] authentication failure
>>  ReviewReqServlet: Invalid Credential.
>>
>>
>>

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden

Adam Lewis wrote:

If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.


The usercertificate in LDAP had the BEGIN/END stripped, right?

I'll cc a couple of the dogtag developers to see what they think.

rob



Thanks

On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:

Adam Lewis wrote:

A quick update. We did some digging on the segfault problem and
I think
it was due to having to update the trusts on the CA cert. So we
updated
the certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still
getting the
AUTH_FAIL messages in the debug log.
I have verified that the ipara entry's serial number and cert
match the
serial number and cert from the one in /etc/httpd/alias.


How about the certificate PEM? Does it match the usercertificate in
the dogtag LDAP server?

rob


Any other ideas?

Thanks!

On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis wrote:

 Rob,
 Thanks for pointing me in the right direction. However after
 following the instructions in the above mentioned doc I
noticed a
 few things that are odd and have a new problem. The first
odd thing
 I noticed is that when I run service pki-cad status it
shows that my
 PKI Subsystem Type is "CA Clone (Security Domain)"
 Shouldn't that say something like "CA Master"?
 Second, when I ran the "ipa-getcert resubmit -I [ID]"
commands they
 all produced the same AUTH_FAIL message in the debug log.

 Now the new problem...after pressing on and restarting things
 certmonger fails to start with a segfault.
 Starting certmonger: /bin/bash: line 1: 64935 Segmentation
 fault  /usr/sbin/certmonger -S -p /var/run certmonger.pid

 Thanks!

 On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden wrote:

 Lewis, Adam M CIV NSWCDD, H11 wrote:

 We are currently dead in the water. Our OCSP, CA
Audit, CA
 Subsystem, and IPA RA certs expired as of 7/23/16.
I found
 and followed the instructions to the letter


(http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
 however the CA Subsystem and IPA RA certs will not
renew.
 I've backdated the server to make sure the system
was within
 the renewal window, but that has not help.


 Those are the wrong instructions.

 You want this instead,
https://access.redhat.com/solutions/643753

 A bunch of it is for 2.2 but it isn't exactly noted
which parts.
 A general rule is that you don't/shouldn't need to directly
 tweak the dogtag configuration or do any of the
start-tracking
 work (though you may want to verify that what/if
anything you
 changed from that wrong doc).

 When I run getcert list it reports:
 Ca-error: Server at
 "https://:9443/ca/agent/ca/profileProcess"
replied: 1:
 Authentication Error
 for both the IPA RA and CA Subsystem certs

 The debug log shows:
 SignedAuditEventFactory: create()


message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
 RA,O=MISS.ION] authentication failure
 ReviewReqServlet: Invalid Credential.


 The place to start is to get the serial # of the ipaCert:

 # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

 Now get the user from the dogtag LDAP server:

 # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

 The format is 2;;;

 See if the serial # matches ipaCert. I'm guessing it won't.
 Follow the instructions on the page I cited to update
the entry
 with the current certificate and serial # values. That
should
 get you going.

 rob



  

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.

Thanks

On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:

> Adam Lewis wrote:
>
>> A quick update. We did some digging on the segfault problem and I think
>> it was due to having to update the trusts on the CA cert. So we updated
>> the certmonger package and certmonger now starts again.
>> However we're kind of back to square one where we are still getting the
>> AUTH_FAIL messages in the debug log.
>> I have verified that the ipara entry's serial number and cert match the
>> serial number and cert from the one in /etc/httpd/alias.
>>
>
> How about the certificate PEM? Does it match the usercertificate in the
> dogtag LDAP server?
>
> rob
>
>
>> Any other ideas?
>>
>> Thanks!
>>
>> On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis wrote:
>>
>> Rob,
>> Thanks for pointing me in the right direction. However after
>> following the instructions in the above mentioned doc I noticed a
>> few things that are odd and have a new problem. The first odd thing
>> I noticed is that when I run service pki-cad status it shows that my
>> PKI Subsystem Type is "CA Clone (Security Domain)"
>> Shouldn't that say something like "CA Master"?
>> Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
>> all produced the same AUTH_FAIL message in the debug log.
>>
>> Now the new problem...after pressing on and restarting things
>> certmonger fails to start with a segfault.
>> Starting certmonger: /bin/bash: line 1: 64935 Segmentation
>> fault  /usr/sbin/certmonger -S -p /var/run certmonger.pid
>>
>> Thanks!
>>
>> On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden wrote:
>>
>> Lewis, Adam M CIV NSWCDD, H11 wrote:
>>
>> We are currently dead in the water. Our OCSP, CA Audit, CA
>> Subsystem, and IPA RA certs expired as of 7/23/16. I found
>> and followed the instructions to the letter
>> (
>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0
>> )
>> however the CA Subsystem and IPA RA certs will not renew.
>> I've backdated the server to make sure the system was within
>> the renewal window, but that has not help.
>>
>>
>> Those are the wrong instructions.
>>
>> You want this instead, https://access.redhat.com/solutions/643753
>>
>> A bunch of it is for 2.2 but it isn't exactly noted which parts.
>> A general rule is that you don't/shouldn't need to directly
>> tweak the dogtag configuration or do any of the start-tracking
>> work (though you may want to verify that what/if anything you
>> changed from that wrong doc).
>>
>> When I run getcert list it reports:
>> Ca-error: Server at
>> "https://:9443/ca/agent/ca/profileProcess" replied: 1:
>> Authentication Error
>> for both the IPA RA and CA Subsystem certs
>>
>> The debug log shows:
>> SignedAuditEventFactory: create()
>>
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
>>
>>
>> The place to start is to get the serial # of the ipaCert:
>>
>> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>
>> Now get the user from the dogtag LDAP server:
>>
>> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager'
>> -W -b uid=ipara,ou=People,o=ipaca description
>>
>> The format is 2;;;
>>
>> See if the serial # matches ipaCert. I'm guessing it won't.
>> Follow the instructions on the page I cited to update the entry
>> with the current certificate and serial # values. That should
>> get you going.
>>
>> rob
>>
>>
>>
>> We are kind of in deep doo-doo until this gets resolved.
>>
>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>
>> Any thoughts?
>>
>> Thanks!
>>
>> Adam M. Lewis
>>
>>
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>>
>>
>> --
>> Adam M. Lewis
>> alewis...@gmail.com 
>> 10807 Allie Place
>> Fredericksburg, VA 22408
>> 540-412-8643 
>>
>>
>>
>>

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden

Adam Lewis wrote:

A quick update. We did some digging on the segfault problem and I think
it was due to having to update the trusts on the CA cert. So we updated
the certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the
AUTH_FAIL messages in the debug log.
I have verified that the ipara entry's serial number and cert match the
serial number and cert from the one in /etc/httpd/alias.


How about the certificate PEM? Does it match the usercertificate in the 
dogtag LDAP server?


rob



Any other ideas?

Thanks!

On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis wrote:

Rob,
Thanks for pointing me in the right direction. However after
following the instructions in the above mentioned doc I noticed a
few things that are odd and have a new problem. The first odd thing
I noticed is that when I run service pki-cad status it shows that my
PKI Subsystem Type is "CA Clone (Security Domain)"
Shouldn't that say something like "CA Master"?
Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
all produced the same AUTH_FAIL message in the debug log.

Now the new problem...after pressing on and restarting things
certmonger fails to start with a segfault.
Starting certmonger: /bin/bash: line 1: 64935 Segmentation
fault  /usr/sbin/certmonger -S -p /var/run certmonger.pid

Thanks!

On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden wrote:

Lewis, Adam M CIV NSWCDD, H11 wrote:

We are currently dead in the water. Our OCSP, CA Audit, CA
Subsystem, and IPA RA certs expired as of 7/23/16. I found
and followed the instructions to the letter

(http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
however the CA Subsystem and IPA RA certs will not renew.
I've backdated the server to make sure the system was within
the renewal window, but that has not help.


Those are the wrong instructions.

You want this instead, https://access.redhat.com/solutions/643753

A bunch of it is for 2.2 but it isn't exactly noted which parts.
A general rule is that you don't/shouldn't need to directly
tweak the dogtag configuration or do any of the start-tracking
work (though you may want to verify that what/if anything you
changed from that wrong doc).

When I run getcert list it reports:
Ca-error: Server at
"https://:9443/ca/agent/ca/profileProcess" replied: 1:
Authentication Error
for both the IPA RA and CA Subsystem certs

The debug log shows:
SignedAuditEventFactory: create()

message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.


The place to start is to get the serial # of the ipaCert:

# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

Now get the user from the dogtag LDAP server:

# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager'
-W -b uid=ipara,ou=People,o=ipaca description

The format is 2;;;

See if the serial # matches ipaCert. I'm guessing it won't.
Follow the instructions on the page I cited to update the entry
with the current certificate and serial # values. That should
get you going.

rob



We are kind of in deep doo-doo until this gets resolved.

We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

Any thoughts?

Thanks!

Adam M. Lewis






Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
A quick update. We did some digging on the segfault problem and I think it
was due to having to update the trusts on the CA cert. So we updated the
certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the
AUTH_FAIL messages in the debug log.
I have verified that the ipara entry's serial number and cert match the
serial number and cert from the one in /etc/httpd/alias.

Any other ideas?

Thanks!

On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis wrote:

> Rob,
> Thanks for pointing me in the right direction. However after following the
> instructions in the above mentioned doc I noticed a few things that are odd
> and have a new problem. The first odd thing I noticed is that when I run
> service pki-cad status it shows that my PKI Subsystem Type is "CA Clone
> (Security Domain)"
> Shouldn't that say something like "CA Master"?
> Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all
> produced the same AUTH_FAIL message in the debug log.
>
> Now the new problem...after pressing on and restarting things certmonger
> fails to start with a segfault.
> Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault
> /usr/sbin/certmonger -S -p /var/run certmonger.pid
>
> Thanks!
>
> On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden wrote:
>
>> Lewis, Adam M CIV NSWCDD, H11 wrote:
>>
>>> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem,
>>> and IPA RA certs expired as of 7/23/16. I found and followed the
>>> instructions to the letter (
>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>>> however the CA Subsystem and IPA RA certs will not renew. I've backdated
>>> the server to make sure the system was within the renewal window, but that
>>> has not helped.
>>>
>>
>> Those are the wrong instructions.
>>
>> You want this instead, https://access.redhat.com/solutions/643753
>>
>> A bunch of it is for 2.2 but it isn't exactly noted which parts. A
>> general rule is that you don't/shouldn't need to directly tweak the dogtag
>> configuration or do any of the start-tracking work (though you may want to
>> verify that what/if anything you changed from that wrong doc).
>>
>>> When I run getcert list it reports:
>>> Ca-error: Sever at "https://:9443/ca/agent/ca/profileProcess"
>>> replied: 1: Authentication Error
>>> for both the IPA RA and CA Subsystem certs
>>>
>>> The debug log shows:
>>> SignedAuditEventFactory: create()
>>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>>> RA,O=MISS.ION] authentication failure
>>> ReviewReqServlet: Invalid Credential.
>>>
>>
>> The place to start is to get the serial # of the ipaCert:
>>
>> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>
>> Now get the user from the dogtag LDAP server:
>>
>> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b
>> uid=ipara,ou=People,o=ipaca description
>>
>> The format is 2;;;
>>
>> See if the serial # matches ipaCert. I'm guessing it won't. Follow the
>> instructions on the page I cited to update the entry with the current
>> certificate and serial # values. That should get you going.
>>
>> rob
>>
>>
>>
>>> We are kind of in deep doo-doo until this gets resolved.
>>>
>>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>>
>>> Any thoughts?
>>>
>>> Thanks!
>>>
>>> Adam M. Lewis
>>>
>>>
>>>
>>>
>>
>
>
>
>
>
>



Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Rob,
Thanks for pointing me in the right direction. However after following the
instructions in the above mentioned doc I noticed a few things that are odd
and have a new problem. The first odd thing I noticed is that when I run
service pki-cad status it shows that my PKI Subsystem Type is "CA Clone
(Security Domain)"
Shouldn't that say something like "CA Master"?
Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all
produced the same AUTH_FAIL message in the debug log.

Now the new problem...after pressing on and restarting things certmonger
fails to start with a segfault.
Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault
/usr/sbin/certmonger -S -p /var/run certmonger.pid

Thanks!

On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden  wrote:

> Lewis, Adam M CIV NSWCDD, H11 wrote:
>
>> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and
>> IPA RA certs expired as of 7/23/16. I found and followed the instructions
>> to the letter (
>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>> however the CA Subsystem and IPA RA certs will not renew. I've backdated
>> the server to make sure the system was within the renewal window, but that
>> has not helped.
>>
>
> Those are the wrong instructions.
>
> You want this instead, https://access.redhat.com/solutions/643753
>
> A bunch of it is for 2.2 but it isn't exactly noted which parts. A general
> rule is that you don't/shouldn't need to directly tweak the dogtag
> configuration or do any of the start-tracking work (though you may want to
> verify that what/if anything you changed from that wrong doc).
>
>> When I run getcert list it reports:
>> Ca-error: Sever at "https://:9443/ca/agent/ca/profileProcess"
>> replied: 1: Authentication Error
>> for both the IPA RA and CA Subsystem certs
>>
>> The debug log shows:
>> SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
>>
>
> The place to start is to get the serial # of the ipaCert:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
> Now get the user from the dogtag LDAP server:
>
> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b
> uid=ipara,ou=People,o=ipaca description
>
> The format is 2;;;
>
> See if the serial # matches ipaCert. I'm guessing it won't. Follow the
> instructions on the page I cited to update the entry with the current
> certificate and serial # values. That should get you going.
>
> rob
>
>
>
>> We are kind of in deep doo-doo until this gets resolved.
>>
>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>
>> Any thoughts?
>>
>> Thanks!
>>
>> Adam M. Lewis
>>
>>
>>
>>
>




Re: [Freeipa-users] Certificate Issues

2016-07-28 Thread Rob Crittenden

Lewis, Adam M CIV NSWCDD, H11 wrote:

We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA
RA certs expired as of 7/23/16. I found and followed the instructions to the
letter
(http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
however the CA Subsystem and IPA RA certs will not renew. I've backdated the
server to make sure the system was within the renewal window, but that has not
helped.


Those are the wrong instructions.

You want this instead, https://access.redhat.com/solutions/643753

A bunch of it is for 2.2 but it isn't exactly noted which parts. A 
general rule is that you don't/shouldn't need to directly tweak the 
dogtag configuration or do any of the start-tracking work (though you 
may want to verify that what/if anything you changed from that wrong doc).



When I run getcert list it reports:
Ca-error: Sever at "https://:9443/ca/agent/ca/profileProcess" replied: 1: 
Authentication Error
for both the IPA RA and CA Subsystem certs

The debug log shows:
SignedAuditEventFactory: create() 
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
 RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.


The place to start is to get the serial # of the ipaCert:

# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

Now get the user from the dogtag LDAP server:

# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b 
uid=ipara,ou=People,o=ipaca description


The format is 2;;;

See if the serial # matches ipaCert. I'm guessing it won't. Follow the 
instructions on the page I cited to update the entry with the current 
certificate and serial # values. That should get you going.


rob



We are kind of in deep doo-doo until this gets resolved.

We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

Any thoughts?

Thanks!

Adam M. Lewis





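As an added example (not code from the thread, FreeIPA or dogtag), a POSIX shell check that automates the comparison Rob describes: it extracts the serial from certutil's output and from the ipara entry's description attribute and reports whether they agree. It assumes the description value has the form 2;serial;issuer;subject (not spelled out on the page) and runs here against constructed sample output standing in for the two commands.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/dogtag: automate the
# comparison between the ipaCert serial and the serial recorded in the dogtag
# ipara entry. The real inputs would be the output of
#   certutil -L -d /etc/httpd/alias -n ipaCert
#   ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W \
#       -b uid=ipara,ou=People,o=ipaca description
# Assumption (not spelled out on the page): the 'description' value has the
# form  2;<serial>;<issuer DN>;<subject DN>  with a decimal serial.

# Decimal serial from certutil output ("        Serial Number: 7 (0x7)").
certutil_serial() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\).*/\1/p'
}

# Serial from the ipara 'description' attribute. LDIF folds long values onto
# continuation lines that start with one space, so unfold them first.
ipara_serial() {
    printf '%s\n' "$1" |
        awk '/^ / { buf = buf substr($0, 2); next }
             { if (buf != "") print buf; buf = $0 }
             END { if (buf != "") print buf }' |
        sed -n 's/^description: //p' | cut -d';' -f2
}

# Succeeds (exit 0) when both serials are present and equal; fails when the
# entry is stale, which is the AUTH_FAIL / "Invalid Credential" case in the
# thread: the ipaCert presented to dogtag no longer matches what it has on file.
ipara_matches_cert() {
    c=$(certutil_serial "$1")
    l=$(ipara_serial "$2")
    [ -n "$c" ] && [ -n "$l" ] && [ "$c" = "$l" ]
}

# Constructed sample output standing in for the two commands.
SAMPLE_CERTUTIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

SAMPLE_LDAP_CURRENT='dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPL
 E.COM'

SAMPLE_LDAP_STALE='dn: uid=ipara,ou=People,o=ipaca
description: 2;3;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPL
 E.COM'

if ipara_matches_cert "$SAMPLE_CERTUTIL" "$SAMPLE_LDAP_CURRENT"; then
    echo "ipara entry matches ipaCert (serial 7)"
fi
if ! ipara_matches_cert "$SAMPLE_CERTUTIL" "$SAMPLE_LDAP_STALE"; then
    echo "serial mismatch: update the ipara entry as in the cited solution"
fi
```

On a live server the two sample variables would be replaced by the captured output of the certutil and ldapsearch commands quoted above; a mismatch is the condition the cited Red Hat solution walks through correcting.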


Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Simo Sorce
On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
 This is a followup to some previous discussions.  I have been lobbying to
 keep (and fix) the ability to install your own certificates when configuring
 IPA in order to make use of wildcard SSL certificates.  But it seems this
 will not be the case.  My last post on this went unanswered and I see
 tickets for the removal going forward.
 
 As I understand it though, I'll still be able to generate a CSR for the
 server and get it signed by an external CA?  If this is the case, I guess
 this extra expense of individual SSL certificates for the various IPA
 servers could be acceptable, although unfortunate as this is what we had
 hoped to avoid with the wildcard cert.
 
 Finally, there was mention of the possibility of getting the IPA CA signed
 by an external authority.  Just to let everyone know, this is a very
 expensive proposition.  I was quoted a $22,500 start fee plus licensing
 costs.  This is *way* out of our (and I suspect many other small
 businesses) price range.

Why would you need to get your CA signed by a public authority?

When we say external we generally think of another Internal CA that
you already use for your own services.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Orion Poplawski

On 02/19/2013 03:10 PM, Simo Sorce wrote:

On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:

This is a followup to some previous discussions.  I have been lobbying to keep
(and fix) the ability to install your own certificates when configuring IPA in
order to make use of wildcard SSL certificates.  But it seems this will not be
the case.  My last post on this went unanswered and I see tickets for the
removal going forward.

As I understand it though, I'll still be able to generate a CSR for the server
and get it signed by an external CA?  If this is the case, I guess this extra
expense of individual SSL certificates for the various IPA servers could be
acceptable, although unfortunate as this is what we had hoped to avoid with
the wildcard cert.

Finally, there was mention of the possibility of getting the IPA CA signed by
an external authority.  Just to let everyone know, this is a very expensive
proposition.  I was quoted a $22,500 start fee plus licensing costs.  This is
*way* out of our (and I suspect many other small businesses) price range.


Why would you need to get your CA signed by a public authority?

When we say external we generally think of another Internal CA that
you already use for your own services.

Simo.



https://www.redhat.com/archives/freeipa-users/2013-January/msg00216.html

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office  FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com



Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Rob Crittenden

Orion Poplawski wrote:

On 02/19/2013 03:10 PM, Simo Sorce wrote:

On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:

This is a followup to some previous discussions.  I have been lobbying to
keep (and fix) the ability to install your own certificates when configuring
IPA in order to make use of wildcard SSL certificates.  But it seems this
will not be the case.  My last post on this went unanswered and I see
tickets for the removal going forward.

As I understand it though, I'll still be able to generate a CSR for the
server and get it signed by an external CA?  If this is the case, I guess
this extra expense of individual SSL certificates for the various IPA
servers could be acceptable, although unfortunate as this is what we had
hoped to avoid with the wildcard cert.

Finally, there was mention of the possibility of getting the IPA CA signed
by an external authority.  Just to let everyone know, this is a very
expensive proposition.  I was quoted a $22,500 start fee plus licensing
costs.  This is *way* out of our (and I suspect many other small
businesses) price range.


Why would you need to get your CA signed by a public authority?

When we say external we generally think of another Internal CA that
you already use for your own services.

Simo.



https://www.redhat.com/archives/freeipa-users/2013-January/msg00216.html



The problems with this are:

- Only a very small handful of people actually use this (or used it).
- We don't test this (obviously) and there are a lot of bugs and corner
cases
- Even if we do fix it, we likely still won't test it very often, leading
to more woes
- This will blow up at cert renewal time
- There is still an underlying CA hidden in there, doing nothing (but
perhaps causing problems)
- If you want to support FF  15 you need an object signing cert too to
sign the auto-configure jar


A far better solution than replacing the certificates post-install is to 
have an option to have a CA-less IPA installation. I doubt we'd actively 
work on adding such an option. But it would likely be a lot more robust 
than changing things after-the-fact.


rob



Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Dmitri Pal
On 02/19/2013 05:42 PM, Rob Crittenden wrote:
 Orion Poplawski wrote:
 On 02/19/2013 03:10 PM, Simo Sorce wrote:
 On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
 This is a followup to some previous discussions.  I have been lobbying to
 keep (and fix) the ability to install your own certificates when configuring
 IPA in order to make use of wildcard SSL certificates.  But it seems this
 will not be the case.  My last post on this went unanswered and I see
 tickets for the removal going forward.

 As I understand it though, I'll still be able to generate a CSR for the
 server and get it signed by an external CA?  If this is the case, I guess
 this extra expense of individual SSL certificates for the various IPA
 servers could be acceptable, although unfortunate as this is what we had
 hoped to avoid with the wildcard cert.

 Finally, there was mention of the possibility of getting the IPA CA signed
 by an external authority.  Just to let everyone know, this is a very
 expensive proposition.  I was quoted a $22,500 start fee plus licensing
 costs.  This is *way* out of our (and I suspect many other small
 businesses) price range.

 Why would you need to get your CA signed by a public authority?

 When we say external we generally think of another Internal CA that
 you already use for your own services.

 Simo.


 https://www.redhat.com/archives/freeipa-users/2013-January/msg00216.html


 The problems with this are:

 - Only a very small handful of people actually use this (or used it).
 - We don't test this (obviously) and there are a lot of bugs and
 corner cases
 - Even if we do fix it, we likely still won't test it very often,
 leading to more woes
 - This will blow up at cert renewal time
 - There is still an underlying CA hidden in there, doing nothing (but
 perhaps causing problems)
 - If you want to support FF  15 you need an object signing cert too
 to sign the auto-configure jar

 A far better solution than replacing the certificates post-install is
 to have an option to have a CA-less IPA installation. I doubt we'd
 actively work on adding such an option. But it would likely be a lot
 more robust than changing things after-the-fact.

IMO this should eventually help
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
Once this is solved the right certs can probably be delivered via
OpenLMI or SSSD so rather than using already distributed certs it would
be possible to easily distribute and apply the ones you need.
Solves the problem but from a different side.
Orion, if implemented would it work for you?


 rob



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Orion Poplawski

On 02/19/2013 07:31 PM, Dmitri Pal wrote:

IMO this should eventually help
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
Once this is solved the right certs can probably be delivered via
OpenLMI or SSSD so rather than using already distributed certs it would
be possible to easily distribute and apply the ones you need.
Solves the problem but from a different side.
Orion, if implemented would it work for you?


My biggest concerns are Windows and OS X clients.  Probably need to look 
at the various mozilla deployment tools.



--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA DivisionFAX: 303-415-9702
3380 Mitchell Lane  or...@cora.nwra.com
Boulder, CO 80301  http://www.cora.nwra.com
