Re: [Freeipa-users] Ipa cert automatic renew Failing.

2017-01-01 Thread Rob Crittenden
Lucas Diedrich wrote:
> OK, I got it. I just executed the second script:
> 
> sudo /usr/libexec/ipa/certmonger/renew_ra_cert "subsystemCert cert-pki-ca"
> 
> and that fixed the problem. There is another script called
> renew_ra_cert_pre; should I run this too?

No, it should be run BEFORE renew_ra_cert, but since that has executed
successfully there is no point.

rob


Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-26 Thread Lucas Diedrich
OK, I got it. I just executed the second script:

sudo /usr/libexec/ipa/certmonger/renew_ra_cert "subsystemCert cert-pki-ca"

and that fixed the problem. There is another script called
renew_ra_cert_pre; should I run this too?

Thanks.


Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-26 Thread Lucas Diedrich
Florence, at first I thought the problem was fixed, but it wasn't completely.

So now I'm on the CA Master, and when I try to see some certificates it
prompts me with this:

[root@ipa2 ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

The same thing shows over the Web Interface. I searched a little bit and
found that it probably didn't update the *ipara* user, but I can't confirm
that; any suggestions?

Thanks,


Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Lucas Diedrich
Yay!! It fixed the problem on the new CA Master; now I can finally see
and search for the certs. But on the replicas I can't browse them; it
prompts me with this (IPA Error 4301: CertificateOperationError). Should I run
the post-save command on all replicas?

Thanks.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Florence Blanc-Renaud

Hi,

you can try to manually call the post-save command that certmonger 
should have issued after putting the certificate in 
/etc/pki/pki-tomcat/alias:

on the renewal master:
$ sudo /usr/libexec/ipa/certmonger/stop_pkicad
$ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"

Then check the journal log that should display the following if 
everything goes well:

$ sudo journalctl --since today | grep renew_ca_cert
[...] renew_ca_cert[6478]: Updating entry uid=CA-ipaserver.domain.com-8443,ou=people,o=ipaca
[...] renew_ca_cert[6478]: Updating entry uid=pkidbuser,ou=people,o=ipaca
[...] renew_ca_cert[6478]: Starting pki_tomcatd
[...] renew_ca_cert[6478]: Started pki_tomcatd

If the operation does not succeed, you will have to check the LDAP 
server logs in /etc/dirsrv/slapd-DOMAIN/access.


HTH,
Flo.


Em qui, 22 de dez de 2016 às 06:54, Florence Blanc-Renaud
mailto:f...@redhat.com>> escreveu:

On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> Hello guys,
>
> I'm having some trouble with, whats is happening with my server is
that
> i'm hiting an old BUG
> (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to
mbasti
> over irc he oriented me to send this to the email list.
>
> The problem is, i got on CA Master, so because of this problem the CA
> Master certificates couldn't be renewd, so now i promoted another
master
> to be the CA. And the problem still persist.
>
> This is the certs from my new CA
> (https://paste.fedoraproject.org/510617/14823448/),
> this is the certs from my old CA
> (https://paste.fedoraproject.org/510618/44871148/)
> This is the log then i restart pki-tomcat( "CA port 636 Error
> netscape.ldap.LDAPException: Authentication failed (49)")
> This is the log from dirsrv when i restart pki-tomcat
> (https://paste.fedoraproject.org/510614/23446801/)
>
> Basically my CA is not working anymore...
>
> Anyway, i tried lots of thing but couldn't fix this, anyone has
some idea?
>
>
>
Hi,

Pki-tomcat is using the LDAP server as a data store, meaning that it
needs to authenticate to LDAP. In order to do that, pki-tomcat is using
the certificate 'subsystemCert cert-pki-ca' stored in
/etc/pki/pki-tomcat/alias. For the authentication to succeed, the
certificate must be stored in a user entry
(uid=pkidbuser,ou=people,o=ipaca).

Can you check the content of this entry, especially the usercertificate
attribute? It should match the certificate used by pki-tomcat:

$ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
cert-pki-ca' -a
-BEGIN CERTIFICATE-
[...]
-END CERTIFICATE-

$ kinit admin
$ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b
uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
dn: uid=pkidbuser,ou=people,o=ipaca
usercertificate:: 

The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
certificate in the directive ca.subsystem.cert.


A possible cause for the entries not being updated is the bug 1366915
[1] linked to SE linux on RHEL7, or bug 1365188 [2] linked to SE linux
on Fedora 24.

Flo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Lucas Diedrich
Florence, for some creepy reason the cert from pkidbuser is different from
the subsystem cert, and this pkidbuser cert is outdated now, but I can't find a
way to re-issue it. I had to change the CA server because of that; SELinux
on the old CA server was disabled, and on the new one it is in Permissive
mode, but there is no warning in /var/log/audit/audit.log.

This is the pkidbuser cert: https://paste.fedoraproject.org/511023/24084431/
This is the subsystem cert: https://paste.fedoraproject.org/511025/14824085/
The ca.subsystem.cert matches the pkidbuser cert.

lucasdiedrich.


Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Florence Blanc-Renaud

On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> Hello guys,
> 
> I'm having some trouble; what is happening with my server is that
> I'm hitting an old BUG
> (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti
> over IRC, he advised me to send this to the email list.
> 
> The problem is, I got it on the CA Master, so because of this problem the CA
> Master certificates couldn't be renewed, so now I promoted another master
> to be the CA. And the problem still persists.
> 
> These are the certs from my new CA
> (https://paste.fedoraproject.org/510617/14823448/),
> these are the certs from my old CA
> (https://paste.fedoraproject.org/510618/44871148/)
> This is the log when I restart pki-tomcat ("CA port 636 Error
> netscape.ldap.LDAPException: Authentication failed (49)")
> This is the log from dirsrv when I restart pki-tomcat
> (https://paste.fedoraproject.org/510614/23446801/)
> 
> Basically my CA is not working anymore...
> 
> Anyway, I tried lots of things but couldn't fix this; does anyone have some idea?




Hi,

Pki-tomcat is using the LDAP server as a data store, meaning that it
needs to authenticate to LDAP. In order to do that, pki-tomcat is using
the certificate 'subsystemCert cert-pki-ca' stored in
/etc/pki/pki-tomcat/alias. For the authentication to succeed, the
certificate must be stored in a user entry
(uid=pkidbuser,ou=people,o=ipaca).

Can you check the content of this entry, especially the usercertificate
attribute? It should match the certificate used by pki-tomcat:

$ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

$ kinit admin
$ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
dn: uid=pkidbuser,ou=people,o=ipaca
usercertificate:: 

The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
certificate in the directive ca.subsystem.cert.

A possible cause for the entries not being updated is the bug 1366915
[1] linked to SELinux on RHEL7, or bug 1365188 [2] linked to SELinux
on Fedora 24.

Flo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188

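Flo's check above is a three-way comparison done by eye. The script below is an added example, not code from this thread or from the FreeIPA project, that does the same comparison offline: it decodes the PEM that `certutil -a` prints, unfolds and decodes the `usercertificate::` value that ldapsearch prints (long values are wrapped onto continuation lines that start with one space, which defeats a naive grep), reads `ca.subsystem.cert` from CS.cfg, and reports which copies disagree with the one in the NSS database. The DN and file paths are the ones from this thread; the certificate bytes, the PEM/LDIF/CS.cfg sample texts and the `as_*` helpers that produce them are constructed placeholders so it runs without a CA. An entry that is missing, or that still carries the old certificate (the situation Lucas ends up in), is reported as a mismatch rather than crashing the check. `ldif_attr()` and `cs_cfg_value()` take the attribute and key names as arguments, so the same pieces can be pointed at the RA agent certificate and the ipara entry mentioned later in the thread (that entry's DN is not given on this page, so it is not assumed here).

```python
"""Consistency check for the pki-tomcat subsystem certificate (added example).

Not code from the thread or from FreeIPA. It checks, offline, that the three
copies of the certificate the thread says must agree really do:
  1. 'subsystemCert cert-pki-ca' in /etc/pki/pki-tomcat/alias, as printed by
     `certutil -L -d ... -n '...' -a` (PEM);
  2. the usercertificate attribute of uid=pkidbuser,ou=people,o=ipaca, as printed
     by ldapsearch (LDIF: base64 after '::', folded onto lines starting with a space);
  3. the ca.subsystem.cert directive in /etc/pki/pki-tomcat/ca/CS.cfg (bare base64).
All sample inputs are constructed; the "DER" bytes are placeholders, not real X.509.
"""
import base64
import hashlib
import re
from typing import Dict, Optional

PKIDBUSER_DN = "uid=pkidbuser,ou=people,o=ipaca"

# Constructed placeholder "certificates": the old one still sitting in LDAP/CS.cfg
# and the new one certmonger wrote to the NSS database.
OLD_DER = b"\x30\x81" + b"constructed-old-subsystem-cert-bytes-" * 3
NEW_DER = b"\x30\x81" + b"constructed-new-subsystem-cert-bytes-" * 3


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of `certutil -a` output to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def ldif_attr(ldif: str, attr: str) -> Optional[bytes]:
    """Return one attribute value from ldapsearch LDIF output, or None if absent.

    ldapsearch folds long values onto continuation lines that begin with a single
    space and writes binary values as base64 after '::'; both are undone here.
    """
    unfolded = re.sub(r"\n ", "", ldif)          # rejoin continuation lines
    prefix = attr.lower() + ":"
    for line in unfolded.splitlines():
        if not line.lower().startswith(prefix):
            continue
        value = line[len(prefix):]
        if value.startswith(":"):                # '::' marks a base64 value
            return base64.b64decode(value[1:].strip())
        return value.strip().encode()
    return None


def cs_cfg_value(cfg: str, key: str) -> Optional[bytes]:
    """Read a base64 DER certificate stored as key=value in CS.cfg."""
    for line in cfg.splitlines():
        if line.startswith(key + "="):
            return base64.b64decode(line[len(key) + 1:].strip())
    return None


def fingerprint(der: Optional[bytes]) -> Optional[str]:
    return hashlib.sha256(der).hexdigest() if der is not None else None


def check_subsystem_cert(nss_pem: str, ldif: str, cs_cfg: str) -> Dict[str, object]:
    """Compare the LDAP entry and CS.cfg against the NSS copy, which is the
    reference because it is what pki-tomcat actually presents when it binds."""
    fps = {
        "nssdb": fingerprint(pem_to_der(nss_pem)),
        "ldap": fingerprint(ldif_attr(ldif, "usercertificate")),
        "cs_cfg": fingerprint(cs_cfg_value(cs_cfg, "ca.subsystem.cert")),
    }
    mismatched = [name for name, fp in fps.items() if fp != fps["nssdb"]]
    return {"fingerprints": fps, "consistent": not mismatched, "mismatched": mismatched}


# --- constructed inputs in the shapes the real tools print ------------------
def as_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def as_ldif(dn: str, der: bytes, width: int = 76) -> str:
    line = "usercertificate:: " + base64.b64encode(der).decode()
    folded = [line[:width]] + [" " + line[i:i + width - 1]
                               for i in range(width, len(line), width - 1)]
    return f"dn: {dn}\n" + "\n".join(folded) + "\n"


def as_cs_cfg(der: bytes) -> str:
    return "ca.subsystem.cert=" + base64.b64encode(der).decode() + "\n"


if __name__ == "__main__":
    # The situation in the thread: certmonger renewed the cert in the NSS db,
    # but the post-save step never updated the pkidbuser entry or CS.cfg.
    report = check_subsystem_cert(as_pem(NEW_DER), as_ldif(PKIDBUSER_DN, OLD_DER),
                                  as_cs_cfg(OLD_DER))
    for store, fp in report["fingerprints"].items():
        print(f"{store:7s} {fp}")
    print("consistent:", report["consistent"], "mismatched:", report["mismatched"])
```

To run it against a real server, replace the constructed inputs with the output of the certutil and ldapsearch commands above and the contents of /etc/pki/pki-tomcat/ca/CS.cfg. A mismatch between the NSS copy and the LDAP entry is what lies behind the "Authentication failed (49)" in the original report: LDAP result code 49 is invalidCredentials, and pki-tomcat is binding with a certificate the directory does not associate with that user. When the post-save step fails to update the entry, the directory server's access log is the place to look; on a stock 389-ds install it is under /var/log/dirsrv/slapd-DOMAIN/, not under /etc.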