Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Endi Sukma Dewata

On 2/26/2015 8:02 AM, Les Stott wrote:
>>> rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger
>>> /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid
>>> /usr/share/pki /etc/ipa /var/log/ipa*
>>> reboot
>>>
>>> Now you have a clean slate.
>>
>> Do you know which step of the steps above actually helped you resolve the
>> reinstall issue?
>
> The reboot I think was key to the whole process, but pki remnants seemed left
> behind too which caused grief. Previously I had never rebooted the system in
> between uninstall/reinstall.
>
> /etc/ipa/ca.crt was also left behind. It caused an issue during one reinstall
> as it never got updated and the install bombed out because it found a
> mismatched cert. This led me to deleting all possible ipa/pki directories and
> then removing/reinstalling rpms to restore to default state.
>
> I noticed that in some cases (I went through this same process on 6 servers to
> reinstall and setup CA replicas) I could still see a left over process running
> as the pkiuser (tomcat/java) which stopped the "userdel pkiuser" command from
> completing. I had to kill that process and then userdel pkiuser worked.


Some of the above files/folders should have been removed automatically 
when the Dogtag instance/package is removed. There's already a ticket to 
improve this on Dogtag 10:

https://fedorahosted.org/pki/ticket/1172

I created a new ticket for Dogtag 9:
https://fedorahosted.org/pki/ticket/1280

Thanks!

--
Endi S. Dewata

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
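The remnants Les lists above (leftover pki-ca directories, a stale /etc/ipa/ca.crt, a tomcat/java process still running as pkiuser) are the kind of state worth checking before a reinstall rather than discovering mid-install. The script below is an added example, not from the thread or from the FreeIPA/Dogtag projects: it audits a RHEL 6 / IPA 3.0 / Dogtag 9 host for exactly those remnants. The paths are the ones quoted above; the ROOT prefix argument is an assumption added so the same check can be run against a scratch tree.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA/Dogtag projects): audit a
# RHEL 6 / IPA 3.0 / Dogtag 9 host for the remnants Les reported surviving
# package removal.  Paths come from the thread; the ROOT prefix is an
# assumption added so the check can be exercised against a test tree.

# Files and directories the thread reports as left behind by an uninstall.
# /etc/ipa/ca.crt is listed on its own because a stale copy broke a reinstall.
LEFTOVER_PATHS="/etc/ipa/ca.crt /etc/ipa /etc/pki-ca /var/lib/pki-ca
/var/log/pki-ca /etc/certmonger /etc/sysconfig/pki-ca /etc/sysconfig/pki
/var/run/pki-ca.pid /usr/share/pki"

# find_leftovers ROOT: print every leftover path still present under ROOT
# ("" for the live system).  Returns 0 when clean, 1 when remnants remain.
find_leftovers() {
    root=$1
    found=0
    for p in $LEFTOVER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "remnant: $root$p"
            found=1
        fi
    done
    # /var/log/ipa* is a glob in Les's list; expand it under ROOT.
    for p in "$root"/var/log/ipa*; do
        if [ -e "$p" ]; then
            echo "remnant: $p"
            found=1
        fi
    done
    return $found
}

# user_processes USER: PIDs and commands still running as USER.  Les hit a
# leftover tomcat/java process as pkiuser that made `userdel pkiuser` fail;
# listing it first tells you what to stop cleanly before removing the user.
user_processes() {
    ps -U "$1" -o pid=,comm= 2>/dev/null
}

# audit [ROOT]: combined report, exit 1 if anything is left so it can gate a
# reinstall script.
audit() {
    root=${1:-}
    clean=0
    find_leftovers "$root" || clean=1
    procs=$(user_processes pkiuser)
    if [ -n "$procs" ]; then
        echo "processes still running as pkiuser:"
        echo "$procs"
        clean=1
    fi
    return $clean
}

# Run the audit against the live system only when asked explicitly:
#   sh audit-ipa-leftovers.sh --run
if [ "${1:-}" = "--run" ]; then
    audit "${2:-}"
fi
```

Running the audit before `userdel` and before `ipa-server-install` turns the trial and error Les describes into a single pass/fail check; a non-zero exit means the host is not yet the clean slate the reinstall expects.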


Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Les Stott


> -Original Message-
> From: Endi Sukma Dewata [mailto:edew...@redhat.com]
> Sent: Thursday, 26 February 2015 1:50 AM
> To: Martin Kosek
> Cc: Les Stott; Rob Crittenden; freeipa-users@redhat.com; Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly -
> RESOLVED
> 
> On 2/25/2015 6:35 PM, Martin Kosek wrote:
> >> yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent
> >> pki-java-tools pki-symkey pki-util pki-native-tools
> >> ipa-server-selinux ipa-server ipa-client ipa-admintools ipa-python
> >> ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 389-ds-base-libs
> >> userdel pkisrv userdel pkiuser
> >
> > This should not be needed at all, AFAIK.
> 
> This may not be related to this problem, but sometimes reinstalling the
> packages is necessary to resolve installation problem. For example:
> https://fedorahosted.org/freeipa/ticket/4591
> In this ticket reinstalling 389-ds-base will recreate the missing folder.
> 

I didn't actually see this issue when I ran through reinstall, but then I did 
remove and reinstall 389-ds-base which would have re-created it.

Regards,

Les



Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Les Stott


> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, 25 February 2015 10:35 PM
> To: Les Stott; Rob Crittenden; freeipa-users@redhat.com; Endi Dewata; Jan
> Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly -
> RESOLVED
> 
> On 02/25/2015 03:11 AM, Les Stott wrote:
> >
> >
> >> -Original Message-
> >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> >> boun...@redhat.com] On Behalf Of Les Stott
> >> Sent: Monday, 23 February 2015 8:01 PM
> >> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi
> >> Dewata; Jan Cholasta
> >> Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> >> correctly
> >>
> >>
> >>
> >>> -Original Message-
> >>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> >>> boun...@redhat.com] On Behalf Of Les Stott
> >>> Sent: Monday, 23 February 2015 12:18 PM
> >>> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi
> >>> Dewata; Jan Cholasta
> >>> Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> >>> correctly
> >>>
> >>>
> >>>
> >>>> -----Original Message-
> >>>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> >>>> Sent: Saturday, 21 February 2015 1:39 AM
> >>>> To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata;
> >>>> Jan Cholasta
> >>>> Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> >>>> correctly
> >>>>
> >>>> Martin Kosek wrote:
> >>>>> On 02/20/2015 06:56 AM, Les Stott wrote:
> >>>>>> Hi all,
> >>>>>>
> >>>>>> The following is blocking the ability for me to install a CA replica.
> >>>>>>
> >>>>>> Environment:
> >>>>>>
> >>>>>> RHEL 6.6
> >>>>>>
> >>>>>> IPA 3.0.0-42
> >>>>>>
> >>>>>> PKI 9.0.3-38
> >>>>>>
> >>>>>> On the master the following is happening:
> >>>>>>
> >>>>>> ipa-getcert list
> >>>>>>
> >>>>>> Number of certificates and requests being tracked: 5.
> >>>>>>
> >>>>>> (but it shows no certificate details in the output)
> >>>>>>
> >>>>>> Running "getcert list" shows complete output.
> >>>>>>
> >>>>>> Also, when trying to browse
> >>>>>> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
> >>>>>> response. The apache error logs on the master show
> >>>>>>
> >>>>>> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> >>>>>> client cannot verify your certificate
> >>>>>>
> >>>>>> The reason I am trying to browse that address is because that's
> >>>>>> what the ipa-ca-install setup is failing at (it complains that
> >>>>>> the CA certificate is not in proper format, in fact it's not able
> >>>>>> to get it at all).
> >>>>>>
> >>>>>> I know from another working ipa setup that 
> >>>>>>
> >>>>>> Browsing to the above address provides valid xml content and
> >>>>>> ipa-getcert list shows certificate details and not just the
> >>>>>> number of tracked certificates.
> >>>>>>
> >>>>>> Been trying for a long time to figure out the issues without luck.
> >>>>>>
> >>>>>> I would greatly appreciate any help to troubleshoot and resolve
> >>>>>> the above issues.
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Les
> >>>>>
> >>>>> Endi or JanC, would you have any advise for Les? To me, it looks
> >>>>> like the Apache does not have proper certificate installed.
> >>>>>
> >>>>> My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
> >>>>> in total of 8 certs tracked:
> >>>>>
> >>

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Endi Sukma Dewata

On 2/25/2015 6:35 PM, Martin Kosek wrote:
>> yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools
>> pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client
>> ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base
>> 389-ds-base-libs
>> userdel pkisrv
>> userdel pkiuser
>
> This should not be needed at all, AFAIK.


This may not be related to this problem, but sometimes reinstalling the 
packages is necessary to resolve installation problem. For example:

https://fedorahosted.org/freeipa/ticket/4591
In this ticket reinstalling 389-ds-base will recreate the missing folder.

--
Endi S. Dewata



Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Martin Kosek
On 02/25/2015 03:11 AM, Les Stott wrote:
> 
> 
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> boun...@redhat.com] On Behalf Of Les Stott
>> Sent: Monday, 23 February 2015 8:01 PM
>> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata;
>> Jan Cholasta
>> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
>>
>>
>>
>>> -Original Message-
>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>>> boun...@redhat.com] On Behalf Of Les Stott
>>> Sent: Monday, 23 February 2015 12:18 PM
>>> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi
>>> Dewata; Jan Cholasta
>>> Subject: Re: [Freeipa-users] ipa-getcert list fails to report
>>> correctly
>>>
>>>
>>>
>>>> -Original Message-
>>>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>>>> Sent: Saturday, 21 February 2015 1:39 AM
>>>> To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata;
>>>> Jan Cholasta
>>>> Subject: Re: [Freeipa-users] ipa-getcert list fails to report
>>>> correctly
>>>>
>>>> Martin Kosek wrote:
>>>>> On 02/20/2015 06:56 AM, Les Stott wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> The following is blocking the ability for me to install a CA replica.
>>>>>>
>>>>>> Environment:
>>>>>>
>>>>>> RHEL 6.6
>>>>>>
>>>>>> IPA 3.0.0-42
>>>>>>
>>>>>> PKI 9.0.3-38
>>>>>>
>>>>>> On the master the following is happening:
>>>>>>
>>>>>> ipa-getcert list
>>>>>>
>>>>>> Number of certificates and requests being tracked: 5.
>>>>>>
>>>>>> (but it shows no certificate details in the output)
>>>>>>
>>>>>> Running "getcert list" shows complete output.
>>>>>>
>>>>>> Also, when trying to browse
>>>>>> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
>>>>>> response. The apache error logs on the master show
>>>>>>
>>>>>> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
>>>>>> client cannot verify your certificate
>>>>>>
>>>>>> The reason I am trying to browse that address is because that's
>>>>>> what the ipa-ca-install setup is failing at (it complains that
>>>>>> the CA certificate is not in proper format, in fact it's not able
>>>>>> to get it at all).
>>>>>>
>>>>>> I know from another working ipa setup that 
>>>>>>
>>>>>> Browsing to the above address provides valid xml content and
>>>>>> ipa-getcert list shows certificate details and not just the
>>>>>> number of tracked certificates.
>>>>>>
>>>>>> Been trying for a long time to figure out the issues without luck.
>>>>>>
>>>>>> I would greatly appreciate any help to troubleshoot and resolve
>>>>>> the above issues.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Les
>>>>>
>>>>> Endi or JanC, would you have any advise for Les? To me, it looks
>>>>> like the Apache does not have proper certificate installed.
>>>>>
>>>>> My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
>>>>> in total of 8 certs tracked:
>>>>>
>>>>> # ipa-getcert list
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '201402':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
>>>> COM',nicknam
>>>>> e='Server-Cert',token='NSS
>>>>> Certificate
>>>>> DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
>>>>> certificate:
>>>>> type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
>>>> COM',nicknam
>>>>

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-24 Thread Les Stott


> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 23 February 2015 8:01 PM
> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata;
> Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
> 
> 
> 
> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Les Stott
> > Sent: Monday, 23 February 2015 12:18 PM
> > To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi
> > Dewata; Jan Cholasta
> > Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> > correctly
> >
> >
> >
> > > -Original Message-
> > > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > > Sent: Saturday, 21 February 2015 1:39 AM
> > > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata;
> > > Jan Cholasta
> > > Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> > > correctly
> > >
> > > Martin Kosek wrote:
> > > > On 02/20/2015 06:56 AM, Les Stott wrote:
> > > >> Hi all,
> > > >>
> > > >> The following is blocking the ability for me to install a CA replica.
> > > >>
> > > >> Environment:
> > > >>
> > > >> RHEL 6.6
> > > >>
> > > >> IPA 3.0.0-42
> > > >>
> > > >> PKI 9.0.3-38
> > > >>
> > > >> On the master the following is happening:
> > > >>
> > > >> ipa-getcert list
> > > >>
> > > >> Number of certificates and requests being tracked: 5.
> > > >>
> > > >> (but it shows no certificate details in the output)
> > > >>
> > > >> Running "getcert list" shows complete output.
> > > >>
> > > >> Also, when trying to browse
> > > >> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
> > > >> response. The apache error logs on the master show
> > > >>
> > > >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> > > >> client cannot verify your certificate
> > > >>
> > > >> The reason I am trying to browse that address is because that's
> > > >> what the ipa-ca-install setup is failing at (it complains that
> > > >> the CA certificate is not in proper format, in fact it's not able
> > > >> to get it at all).
> > > >>
> > > >> I know from another working ipa setup that 
> > > >>
> > > >> Browsing to the above address provides valid xml content and
> > > >> ipa-getcert list shows certificate details and not just the
> > > >> number of tracked certificates.
> > > >>
> > > >> Been trying for a long time to figure out the issues without luck.
> > > >>
> > > >> I would greatly appreciate any help to troubleshoot and resolve
> > > >> the above issues.
> > > >>
> > > >> Regards,
> > > >>
> > > >> Les
> > > >
> > > > Endi or JanC, would you have any advise for Les? To me, it looks
> > > > like the Apache does not have proper certificate installed.
> > > >
> > > > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
> > > > in total of 8 certs tracked:
> > > >
> > > > # ipa-getcert list
> > > > Number of certificates and requests being tracked: 8.
> > > > Request ID '201402':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > > COM',nicknam
> > > > e='Server-Cert',token='NSS
> > > > Certificate
> > > > DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> > > > certificate:
> > > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > > COM',nicknam
> > > > e='Server-Cert',token='NSS
> > > > Certificate DB'
> > > > CA: IPA
> > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > 

Re: [Freeipa-users] ipa-getcert list fails to report correctly

2015-02-23 Thread Les Stott


> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 23 February 2015 12:18 PM
> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata;
> Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
> 
> 
> 
> > -Original Message-
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Saturday, 21 February 2015 1:39 AM
> > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata;
> > Jan Cholasta
> > Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> > correctly
> >
> > Martin Kosek wrote:
> > > On 02/20/2015 06:56 AM, Les Stott wrote:
> > >> Hi all,
> > >>
> > >> The following is blocking the ability for me to install a CA replica.
> > >>
> > >> Environment:
> > >>
> > >> RHEL 6.6
> > >>
> > >> IPA 3.0.0-42
> > >>
> > >> PKI 9.0.3-38
> > >>
> > >> On the master the following is happening:
> > >>
> > >> ipa-getcert list
> > >>
> > >> Number of certificates and requests being tracked: 5.
> > >>
> > >> (but it shows no certificate details in the output)
> > >>
> > >> Running "getcert list" shows complete output.
> > >>
> > >> Also, when trying to browse
> > >> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
> > >> response. The apache error logs on the master show
> > >>
> > >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> > >> client cannot verify your certificate
> > >>
> > >> The reason I am trying to browse that address is because that's
> > >> what the ipa-ca-install setup is failing at (it complains that the
> > >> CA certificate is not in proper format, in fact it's not able to
> > >> get it at all).
> > >>
> > >> I know from another working ipa setup that 
> > >>
> > >> Browsing to the above address provides valid xml content and
> > >> ipa-getcert list shows certificate details and not just the number
> > >> of tracked certificates.
> > >>
> > >> Been trying for a long time to figure out the issues without luck.
> > >>
> > >> I would greatly appreciate any help to troubleshoot and resolve the
> > >> above issues.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > Endi or JanC, would you have any advise for Les? To me, it looks
> > > like the Apache does not have proper certificate installed.
> > >
> > > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
> > > in total of 8 certs tracked:
> > >
> > > # ipa-getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '201402':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > COM',nicknam
> > > e='Server-Cert',token='NSS
> > > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > COM',nicknam
> > > e='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > expires: 2016-11-11 00:00:01 UTC
> > > key usage:
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '201447':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> > > ,token='NSS Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location=

Re: [Freeipa-users] ipa-getcert list fails to report correctly

2015-02-22 Thread Les Stott


> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Saturday, 21 February 2015 1:39 AM
> To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata; Jan
> Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
> 
> Martin Kosek wrote:
> > On 02/20/2015 06:56 AM, Les Stott wrote:
> >> Hi all,
> >>
> >> The following is blocking the ability for me to install a CA replica.
> >>
> >> Environment:
> >>
> >> RHEL 6.6
> >>
> >> IPA 3.0.0-42
> >>
> >> PKI 9.0.3-38
> >>
> >> On the master the following is happening:
> >>
> >> ipa-getcert list
> >>
> >> Number of certificates and requests being tracked: 5.
> >>
> >> (but it shows no certificate details in the output)
> >>
> >> Running "getcert list" shows complete output.
> >>
> >> Also, when trying to browse
> >> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
> >> response. The apache error logs on the master show
> >>
> >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> >> client cannot verify your certificate
> >>
> >> The reason I am trying to browse that address is because that's what
> >> the ipa-ca-install setup is failing at (it complains that the CA
> >> certificate is not in proper format, in fact it's not able to get it
> >> at all).
> >>
> >> I know from another working ipa setup that 
> >>
> >> Browsing to the above address provides valid xml content and
> >> ipa-getcert list shows certificate details and not just the number of
> >> tracked certificates.
> >>
> >> Been trying for a long time to figure out the issues without luck.
> >>
> >> I would greatly appreciate any help to troubleshoot and resolve the
> >> above issues.
> >>
> >> Regards,
> >>
> >> Les
> >
> > Endi or JanC, would you have any advise for Les? To me, it looks like
> > the Apache does not have proper certificate installed.
> >
> > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it in
> > total of 8 certs tracked:
> >
> > # ipa-getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '201402':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> COM',nicknam
> > e='Server-Cert',token='NSS
> > Certificate
> > DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> COM',nicknam
> > e='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > expires: 2016-11-11 00:00:01 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '201447':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> > ,token='NSS Certificate
> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> > ,token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > expires: 2016-11-11 00:00:46 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '2014000302':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N
> > SS Certificate DB',pinfile=

Re: [Freeipa-users] ipa-getcert list fails to report correctly

2015-02-20 Thread Rob Crittenden
Martin Kosek wrote:
> On 02/20/2015 06:56 AM, Les Stott wrote:
>> Hi all,
>>
>> The following is blocking the ability for me to install a CA replica.
>>
>> Environment:
>>
>> RHEL 6.6
>>
>> IPA 3.0.0-42
>>
>> PKI 9.0.3-38
>>
>> On the master the following is happening:
>>
>> ipa-getcert list
>>
>> Number of certificates and requests being tracked: 5.
>>
>> (but it shows no certificate details in the output)
>>
>> Running “getcert list” shows complete output.
>>
>> Also, when trying to browse
>> https://master.mydomain.com/ca/ee/ca/getCertChain i
>> get a failed response. The apache error logs on the master show….
>>
>> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
>> client cannot
>> verify your certificate
>>
>> The reason I am trying to browse that address is because that’s what the
>> ipa-ca-install setup is failing at (it complains that the CA
>> certificate is not
>> in proper format, in fact it’s not able to get it at all).
>>
>> I know from another working ipa setup that ….
>>
>> Browsing to the above address provides valid xml content and
>> ipa-getcert list
>> shows certificate details and not just the number of tracked
>> certificates.
>>
>> Been trying for a long time to figure out the issues without luck.
>>
>> I would greatly appreciate any help to troubleshoot and resolve the
>> above issues.
>>
>> Regards,
>>
>> Les
> 
> Endi or JanC, would you have any advise for Les? To me, it looks like
> the Apache does not have proper certificate installed.
> 
> My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it in
> total of 8 certs tracked:
> 
> # ipa-getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '201402':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS
> Certificate
> DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=vm-086.example.com,O=EXAMPLE.COM
> expires: 2016-11-11 00:00:01 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '201447':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=vm-086.example.com,O=EXAMPLE.COM
> expires: 2016-11-11 00:00:46 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '2014000302':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=vm-086.example.com,O=EXAMPLE.COM
> expires: 2016-11-11 00:03:02 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> 
> 
> What is actually in your Apache NSS database?
> 
> # certutil -L -d /etc/httpd/alias/
> 
> Martin
> 

Remember ipa-getcert is just a shortcut for certificates using the
certmonger CA named IPA, so it's more a filter than anything else. I
don't know why it wouldn't display any output but I'd file a bug.

I think we'd need to see the getcert list output to try to figure out
what is going on.

As for the SSL error fetching the cert chain I think Martin may be onto
something. The request is proxied through Apache. I think the client
here might be the Apache proxy client.

I believe this command replicates what Apache is doing, you might give
it a try on the master. This will get the chain directly from dogtag,
bypassing Apache:

$ curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain

rob
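Rob's point that ipa-getcert is only getcert filtered to the certmonger CA named IPA suggests a workaround while the display bug is open: apply that filter yourself over the full `getcert list` output, which Les says is complete. The functions below are an added example, not code from the thread or from certmonger/FreeIPA. The sample listing is constructed from the three Server-Cert entries Martin posted (fields trimmed) plus two made-up requests, 'constructed-1' and 'constructed-2', whose IDs, statuses and the "local" CA name are assumptions used only to exercise the filter.

```shell
#!/bin/sh
# Added example (not from the thread or from certmonger/FreeIPA): reproduce
# the filter Rob describes -- ipa-getcert is getcert restricted to requests
# whose certmonger CA is "IPA" -- over plain `getcert list` output, so the
# tracked certificates can still be reviewed when ipa-getcert prints only the
# count.  The sample below is constructed; 'constructed-1'/'constructed-2',
# their statuses and the "local" CA are assumptions, not real output.

# filter_by_ca CA: read `getcert list` output on stdin and print
# "<request id> <status>" for every request tracked by CA.
filter_by_ca() {
    awk -v ca="$1" '
        function flush() {
            if (id != "" && reqca == ca) print id, st
            id = ""; st = ""; reqca = ""
        }
        # A new "Request ID" line starts a record; strip quotes and colon.
        $1 == "Request" && $2 == "ID" { flush(); id = $3; gsub(/[^0-9A-Za-z-]/, "", id) }
        $1 == "status:"             { st = $2 }
        $1 == "CA:"                 { reqca = $2 }
        END                         { flush() }
    '
}

# unhealthy CA: the subset of filter_by_ca whose status is anything other
# than MONITORING (stuck, CA unreachable, awaiting guidance, ...).  This is
# the list to look at first when renewals or a replica install go wrong.
unhealthy() {
    filter_by_ca "$1" | awk '$2 != "MONITORING"'
}

# Constructed sample: three entries taken from Martin's listing (trimmed to
# the fields the filter uses) and two made-up ones.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 5.
Request ID '201402':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=vm-086.example.com,O=EXAMPLE.COM
Request ID '201447':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=vm-086.example.com,O=EXAMPLE.COM
Request ID '2014000302':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=vm-086.example.com,O=EXAMPLE.COM
Request ID 'constructed-1':
        status: CA_UNREACHABLE
        stuck: yes
        CA: IPA
        subject: CN=constructed.example.com,O=EXAMPLE.COM
Request ID 'constructed-2':
        status: MONITORING
        stuck: no
        CA: local
        subject: CN=constructed.example.com,O=EXAMPLE.COM
EOF
}

# Live use on a master:   getcert list | filter_by_ca IPA
# Demonstration on the constructed sample:
sample_getcert_output | filter_by_ca IPA
sample_getcert_output | unhealthy IPA
```

On the constructed sample `filter_by_ca IPA` yields four requests and `unhealthy IPA` only 'constructed-1'; the entry tracked by the "local" CA is dropped, which is exactly the narrowing ipa-getcert is meant to do.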



Re: [Freeipa-users] ipa-getcert list fails to report correctly

2015-02-20 Thread Martin Kosek

On 02/20/2015 06:56 AM, Les Stott wrote:
> Hi all,
>
> The following is blocking the ability for me to install a CA replica.
>
> Environment:
>
> RHEL 6.6
>
> IPA 3.0.0-42
>
> PKI 9.0.3-38
>
> On the master the following is happening:
>
> ipa-getcert list
>
> Number of certificates and requests being tracked: 5.
>
> (but it shows no certificate details in the output)
>
> Running “getcert list” shows complete output.
>
> Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain i
> get a failed response. The apache error logs on the master show….
>
> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot
> verify your certificate
>
> The reason I am trying to browse that address is because that’s what the
> ipa-ca-install setup is failing at (it complains that the CA certificate is not
> in proper format, in fact it’s not able to get it at all).
>
> I know from another working ipa setup that ….
>
> Browsing to the above address provides valid xml content and ipa-getcert list
> shows certificate details and not just the number of tracked certificates.
>
> Been trying for a long time to figure out the issues without luck.
>
> I would greatly appreciate any help to troubleshoot and resolve the above
> issues.
>
> Regards,
>
> Les


Endi or JanC, would you have any advice for Les? To me, it looks like the 
Apache does not have a proper certificate installed.


My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it in total of 
8 certs tracked:


# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '201402':
status: MONITORING
stuck: no
	key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
	certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=vm-086.example.com,O=EXAMPLE.COM
expires: 2016-11-11 00:00:01 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '201447':
status: MONITORING
stuck: no
	key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=vm-086.example.com,O=EXAMPLE.COM
expires: 2016-11-11 00:00:46 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '2014000302':
status: MONITORING
stuck: no
	key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=vm-086.example.com,O=EXAMPLE.COM
expires: 2016-11-11 00:03:02 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes


What is actually in your Apache NSS database?

# certutil -L -d /etc/httpd/alias/

Martin
