[Freeipa-users] Re: getcert list -d /etc/httpd/alias -n "Server-Cert" status: CA_UNREACHABLE

2017-05-24 Thread Jake via FreeIPA-users
Hey Flo,
everything matches:

sudo certutil -L -d /etc/httpd/alias

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

Signing-Cert                                           u,u,u
IPA.EXAMPLE.COM IPA CA                                 CT,C,C
ipaCert                                                u,u,u
Server-Cert                                            u,u,u
CN=Certificate Authority Root,DC=example,DC=com        CT,C,C
$ sudo certutil -L -d /etc/httpd/alias/ -n ipaCert | grep Serial
Serial Number: 6 (0x6)
$ kinit admin
Password for ad...@ipa.example.com:
$ ldapsearch -Y GSSAPI -Q -LLL  -b uid=ipara,ou=people,o=ipaca description
dn: uid=ipara,ou=people,o=ipaca
description: 2;6;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA 
RA,O=IPA.EXAMPLE.COM

Any other ideas?  Should I just run "ipa-certupdate" anyway?

Thanks!
-Jake

- Original Message -
From: "Florence Blanc-Renaud" 
To: "Jake" , "freeipa-users" 

Sent: Wednesday, May 24, 2017 5:00:52 AM
Subject: Re: [Freeipa-users] getcert list -d /etc/httpd/alias -n "Server-Cert" 
status: CA_UNREACHABLE

On 05/23/2017 10:56 PM, Jake via FreeIPA-users wrote:
> I am trying to renew the last certificate for the IPA masters (previous
> email) and am coming across this issue on my original IPA master (first
> server)
>
>
> getcert list -d /etc/httpd/alias -n "Server-Cert"
> Number of certificates and requests being tracked: 8.
> Request ID '20170428162941':
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa01.ipa.example.com/ipa/xml failed
> request, will retry: 4001 (RPC failed at server.  nss certificate db:
> user not found).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
> subject: CN=ipa01.ipa.example.com,O=IPA.EXAMPLE.COM
> expires: 2018-07-30 13:08:58 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
> This server was 4.2.0 originally, then upgraded to 4.4.0, I
> tried 
> https://www.redhat.com/archives/freeipa-users/2016-February/msg00441.html
> but that doesn't seem to make a difference.
>
> If possible, can I stop tracking and regenerate this certificate?
>
>
> All other masters (7 out of 8) did not have an issue renewing their
> certificates.
>
> Thanks!!
>
> -Jake
>
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>

Hi Jake,

1. can you check that /etc/httpd/alias contains the certificate used to 
authenticate IPA to the Certificate Server:

$ sudo certutil -L -d /etc/httpd/alias
The output should show ipaCert  u,u,u

2. Check that this cert is associated with the ipara user:
Note the serial number:
$ sudo certutil -L -d /etc/httpd/alias/ -n ipaCert | grep Serial
 Serial Number: 7 (0x7)

Check the cert associated with the user ipara:
$ kinit admin
$ ldapsearch -Y GSSAPI -Q -LLL  -b uid=ipara,ou=people,o=ipaca description
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOM-IPA.COM;CN=IPA 
RA,O=DOM-IPA.COM

The serial number obtained in the first step must match the second 
number in the description attribute. If it is not the case, it may 
happen because the ipaCert was renewed but not copied on your failing 
master. In this case, running ipa-certupdate should install the renewed 
ipaCert, and allow you to re-run getcert resubmit.

HTH,
Flo


[Freeipa-users] Re: getcert list -d /etc/httpd/alias -n "Server-Cert" status: CA_UNREACHABLE

2017-05-24 Thread Florence Blanc-Renaud via FreeIPA-users

On 05/23/2017 10:56 PM, Jake via FreeIPA-users wrote:

I am trying to renew the last certificate for the IPA masters (previous
email) and am coming across this issue on my original IPA master (first
server)


getcert list -d /etc/httpd/alias -n "Server-Cert"
Number of certificates and requests being tracked: 8.
Request ID '20170428162941':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.ipa.example.com/ipa/xml failed
request, will retry: 4001 (RPC failed at server.  nss certificate db:
user not found).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
subject: CN=ipa01.ipa.example.com,O=IPA.EXAMPLE.COM
expires: 2018-07-30 13:08:58 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

This server was 4.2.0 originally, then upgraded to 4.4.0, I
tried https://www.redhat.com/archives/freeipa-users/2016-February/msg00441.html
but that doesn't seem to make a difference.

If possible, can I stop tracking and regenerate this certificate?


All other masters (7 out of 8) did not have an issue renewing their
certificates.

Thanks!!

-Jake





Hi Jake,

1. can you check that /etc/httpd/alias contains the certificate used to 
authenticate IPA to the Certificate Server:


$ sudo certutil -L -d /etc/httpd/alias
The output should show ipaCert  u,u,u

2. Check that this cert is associated with the ipara user:
Note the serial number:
$ sudo certutil -L -d /etc/httpd/alias/ -n ipaCert | grep Serial
Serial Number: 7 (0x7)

Check the cert associated with the user ipara:
$ kinit admin
$ ldapsearch -Y GSSAPI -Q -LLL  -b uid=ipara,ou=people,o=ipaca description
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOM-IPA.COM;CN=IPA 
RA,O=DOM-IPA.COM


The serial number obtained in the first step must match the second 
number in the description attribute. If it is not the case, it may 
happen because the ipaCert was renewed but not copied on your failing 
master. In this case, running ipa-certupdate should install the renewed 
ipaCert, and allow you to re-run getcert resubmit.


HTH,
Flo
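The two-step comparison Flo describes (serial of ipaCert in /etc/httpd/alias versus the second field of the ipara user's description attribute, which is formatted as version;serial;issuer;subject) is easy to get wrong by eye across eight masters, so here is the same check scripted. This is an added example, not FreeIPA project code: the certutil and ldapsearch output embedded below is constructed sample text modelled on what the thread shows, the LDIF continuation-line handling follows RFC 2849, and the `live_check` helper simply runs the two commands quoted in the thread and is an assumption about how you would wire it up on a real master.

```python
"""Check that the ipaCert in a master's NSS database is the certificate the CA's
'ipara' RA user is bound to. Added example; not part of FreeIPA."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: excerpt of `certutil -L -d /etc/httpd/alias -n ipaCert`
SAMPLE_CERTUTIL = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number: 6 (0x6)\n"
    "        Issuer: \"CN=Certificate Authority,O=IPA.EXAMPLE.COM\"\n"
)

# Constructed sample LDIF from `ldapsearch ... -b uid=ipara,ou=people,o=ipaca description`.
# The attribute value is folded onto a continuation line (leading space), as in the mail.
SAMPLE_LDIF_MATCH = (
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "description: 2;6;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA \n"
    " RA,O=IPA.EXAMPLE.COM\n"
)
# Same record after the CA renewed ipaCert (serial 7) but the master still holds serial 6.
SAMPLE_LDIF_STALE = SAMPLE_LDIF_MATCH.replace("description: 2;6;", "description: 2;7;")


@dataclass
class RaBinding:
    version: int
    serial: int
    issuer: str
    subject: str


def certutil_serial(text: str) -> int:
    """Pull the serial from certutil -L output and cross-check decimal against hex."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x([0-9a-fA-F]+)\)", text)
    if not m:
        raise ValueError("no Serial Number line in certutil output")
    dec, hx = int(m.group(1)), int(m.group(2), 16)
    if dec != hx:
        raise ValueError(f"decimal/hex serial disagree: {dec} vs {hx}")
    return dec


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the
    previous line, with that single space removed (RFC 2849)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ra_binding(ldif: str) -> RaBinding:
    """Parse the ipara description value '<version>;<serial>;<issuer>;<subject>'."""
    for line in unfold_ldif(ldif):
        if line.startswith("description:"):
            value = line[len("description:"):].strip()
            version, serial, issuer, subject = value.split(";", 3)
            return RaBinding(int(version), int(serial), issuer, subject)
    raise ValueError("no description attribute for uid=ipara")


def binding_matches(certutil_out: str, ldif: str) -> Tuple[bool, str]:
    """True only when the NSS ipaCert serial equals the serial the CA recorded for ipara."""
    local = certutil_serial(certutil_out)
    ra = parse_ra_binding(ldif)
    if local == ra.serial:
        return True, f"ipaCert serial {local} matches the ipara binding ({ra.subject})"
    return False, (f"ipaCert serial {local} != ipara serial {ra.serial}: the renewed "
                   "ipaCert was not copied to this master; ipa-certupdate should install it")


def live_check(nssdb: str = "/etc/httpd/alias") -> Tuple[bool, str]:
    """Assumed wiring: run the two commands from the thread on a real master
    (needs sudo for certutil and a valid admin Kerberos ticket for ldapsearch)."""
    cert = subprocess.run(["sudo", "certutil", "-L", "-d", nssdb, "-n", "ipaCert"],
                          check=True, capture_output=True, text=True).stdout
    ldif = subprocess.run(["ldapsearch", "-Y", "GSSAPI", "-Q", "-LLL",
                           "-b", "uid=ipara,ou=people,o=ipaca", "description"],
                          check=True, capture_output=True, text=True).stdout
    return binding_matches(cert, ldif)


if __name__ == "__main__":
    for label, ldif in (("matching", SAMPLE_LDIF_MATCH), ("stale", SAMPLE_LDIF_STALE)):
        ok, why = binding_matches(SAMPLE_CERTUTIL, ldif)
        print(f"[{label}] {'OK' if ok else 'MISMATCH'}: {why}")
```

Note that a matching serial, as in Jake's case, rules out only the stale-copy explanation; the `nss certificate db: user not found` error then points elsewhere, which is why the script reports what it compared rather than just a verdict.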