Re: [Freeipa-users] Certificate Issues

2016-08-04 Thread Rob Crittenden
Adam Lewis wrote: Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out. getcert list shows : ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess; replied: 1: Authentication Error And the

Re: [Freeipa-users] Certificate Issues

2016-08-02 Thread Adam Lewis
Rob, The only message that seems remotely relevant is: ProfileSubmitServlet: for renewal, original authenticator not found But everything else looks completely fine until the "AUTH_FAIL" message. I started seeing csngen_new_csn - Warning: too much time skew (-xxx secs). Current seqnum=1 So I

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out. getcert list shows : ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess; replied: 1: Authentication Error And the

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out. getcert list shows : ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess; replied: 1: Authentication Error And the debug log shows:

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: Yup, it's just the text string. I don't know how much this matters but when I ran the start-tracking for the ipaCert it didn't generate a new certificate. I'm still working off of serial number 7, which is what it's been since we installed IPA. Is there some way/reason for me

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Yup, it's just the text string. I don't know how much this matters but when I ran the start-tracking for the ipaCert it didn't generate a new certificate. I'm still working off of serial number 7, which is what it's been since we installed IPA. Is there some way/reason for me to generate a whole

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output. The usercertificate in LDAP had the BEGIN/END stripped, right? I'll cc a couple of the dogtag developers to see what they think. rob Thanks

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output. Thanks On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote: > Adam Lewis wrote: > >> A quick update. We did some digging on the segfault

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again. However we're kind of back to square one where we are still getting the

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again. However we're kind of back to square one where we are still getting the AUTH_FAIL messages in the

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Rob, Thanks for pointing me in the right direction. However after following the instructions in the above mentioned doc I noticed a few things that are odd and have a new problem. The first odd thing I noticed is that when I run service pki-cad status it shows that my PKI Subsystem Type is "CA

Re: [Freeipa-users] Certificate Issues

2016-07-28 Thread Rob Crittenden
Lewis, Adam M CIV NSWCDD, H11 wrote: We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Simo Sorce
On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote: This is a followup to some previous discussions. I have been lobbying to keep (and fix) the ability to install your own certificates when configuring IPA in order to make use of wildcard SSL certificates. But it seems this will

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Orion Poplawski
On 02/19/2013 03:10 PM, Simo Sorce wrote: On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote: This is a followup to some previous discussions. I have been lobbying to keep (and fix) the ability to install your own certificates when configuring IPA in order to make use of wildcard SSL

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Rob Crittenden
Orion Poplawski wrote: On 02/19/2013 03:10 PM, Simo Sorce wrote: On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote: This is a followup to some previous discussions. I have been lobbying to keep (and fix) the ability to install your own certificates when configuring IPA in order to make

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Dmitri Pal
On 02/19/2013 05:42 PM, Rob Crittenden wrote: Orion Poplawski wrote: On 02/19/2013 03:10 PM, Simo Sorce wrote: On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote: This is a followup to some previous discussions. I have been lobbying to keep (and fix) the ability to install your own

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Orion Poplawski
On 02/19/2013 07:31 PM, Dmitri Pal wrote: IMO this should eventually help https://fedoraproject.org/wiki/Features/SharedSystemCertificates Once this is solved the right certs can probably be delivered via OpenLMI or SSSD so rather than using already distributed certs it would be possible to