Hi Rob,

Here are the answers to your questions.

On Mon, 2018-10-22 at 12:01 -0400, Rob Crittenden via FreeIPA-users wrote:
> Let's tackle these one at a time.
>
> Missing tracking for {'cert-nickname': 'Server-Cert', 'ca-name': 'IPA',
> 'cert-database': '/etc/httpd/alias', 'cert-postsave-command':
> '/usr/libexec/ipa/certmonger/restart_httpd'}
>
> Did you provide your own certificate for the web server (e.g. like from
> Let's Encrypt?) What is the value of NSSNickname in
> /etc/httpd/conf.d/nss.conf?

No, the IPA servers are not publicly reachable; all hosts within my network use IPA certificates only. Only two nodes (https and mail) with public IP addresses use Let's Encrypt.
/etc/httpd/conf.d/nss.conf has:

#   SSL Certificate Nickname:
#   The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert

#   SSL Certificate Nickname:
#   The nickname of the ECC server certificate you are going to use, if you
#   have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc

> Let me get back to you on the template subjects not matching. I want to
> run this past the dogtag team to see if my test is correct or not. It
> could be a red herring.
>
> For all of the "Error looking up CA entry in IPA <UUID>: no matching
> entry found"
>
> This means that a subCA is defined in dogtag that is not defined in IPA.
> This may not be a problem but it is definitely strange. What this test
> does is compare the contents of ou=authorities,ou=ca,o=ipaca to those in
> cn=cas,cn=ca,dc=example,dc=com. I'll run this one past the CS team too.
>
> In the meantime can you provide some of the contents of those entries
> that are in dogtag?
>
> $ ldapsearch -x -D 'cn=directory manager' -W -b
> ou=authorities,ou=ca,o=ipaca > /tmp/cas.ldif

Attached the file as requested.

> Validation of /var/lib/ipa/ra-agent.pem failed: Command
> '/usr/bin/openssl verify /var/lib/ipa/ra-agent.pem' returned non-zero
> exit status 2
>
> According to the verify(1) man page 2 ==
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT which suggests that the IPA CA is
> not in the global cert bundle.
>
> This should fix it:
>
> # ipa-certupdate

That indeed fixed the issue, thanks.

> Thanks for helping out!

Well, thank you guys for the great product and your efforts to improve it!
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
# extended LDIF
#
# LDAPv3
# base <ou=authorities,ou=ca,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# authorities, ca, ipaca
dn: ou=authorities,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: authorities

# eb5c7fc3-9263-4d07-b879-d639554403b8, authorities, ca, ipaca
dn: cn=eb5c7fc3-9263-4d07-b879-d639554403b8,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: eb5c7fc3-9263-4d07-b879-d639554403b8
authorityID: eb5c7fc3-9263-4d07-b879-d639554403b8
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# aeca4a88-630d-4f47-9585-73bad089260b, authorities, ca, ipaca
dn: cn=aeca4a88-630d-4f47-9585-73bad089260b,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: aeca4a88-630d-4f47-9585-73bad089260b
authorityID: aeca4a88-630d-4f47-9585-73bad089260b
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# d8a6fe60-eebe-4dfd-8352-47ca38a29028, authorities, ca, ipaca
dn: cn=d8a6fe60-eebe-4dfd-8352-47ca38a29028,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: d8a6fe60-eebe-4dfd-8352-47ca38a29028
authorityID: d8a6fe60-eebe-4dfd-8352-47ca38a29028
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# 3203c388-7da5-44d3-923b-dd87a3a62ecb, authorities, ca, ipaca
dn: cn=3203c388-7da5-44d3-923b-dd87a3a62ecb,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: 3203c388-7da5-44d3-923b-dd87a3a62ecb
authorityID: 3203c388-7da5-44d3-923b-dd87a3a62ecb
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# f875b832-16cb-4b08-bc8c-1dbef027d101, authorities, ca, ipaca
dn: cn=f875b832-16cb-4b08-bc8c-1dbef027d101,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: f875b832-16cb-4b08-bc8c-1dbef027d101
authorityID: f875b832-16cb-4b08-bc8c-1dbef027d101
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# 2e18e695-55c3-4675-a7f2-84e6b2726893, authorities, ca, ipaca
dn: cn=2e18e695-55c3-4675-a7f2-84e6b2726893,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: 2e18e695-55c3-4675-a7f2-84e6b2726893
authorityID: 2e18e695-55c3-4675-a7f2-84e6b2726893
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# 327f1d40-cf4f-4a6a-95b1-3ba88b725e5f, authorities, ca, ipaca
dn: cn=327f1d40-cf4f-4a6a-95b1-3ba88b725e5f,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: 327f1d40-cf4f-4a6a-95b1-3ba88b725e5f
authorityID: 327f1d40-cf4f-4a6a-95b1-3ba88b725e5f
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# 21288a66-d4c2-48d2-9901-a464cd926681, authorities, ca, ipaca
dn: cn=21288a66-d4c2-48d2-9901-a464cd926681,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: 21288a66-d4c2-48d2-9901-a464cd926681
authorityID: 21288a66-d4c2-48d2-9901-a464cd926681
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# d920f310-4d48-4389-bb3c-2f689e0e8b56, authorities, ca, ipaca
dn: cn=d920f310-4d48-4389-bb3c-2f689e0e8b56,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: d920f310-4d48-4389-bb3c-2f689e0e8b56
authorityID: d920f310-4d48-4389-bb3c-2f689e0e8b56
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# c367b1ce-e839-4b18-b5b0-7765853cce80, authorities, ca, ipaca
dn: cn=c367b1ce-e839-4b18-b5b0-7765853cce80,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: c367b1ce-e839-4b18-b5b0-7765853cce80
authorityID: c367b1ce-e839-4b18-b5b0-7765853cce80
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# 135fd942-7204-4c91-94f0-add5a4a636ff, authorities, ca, ipaca
dn: cn=135fd942-7204-4c91-94f0-add5a4a636ff,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: 135fd942-7204-4c91-94f0-add5a4a636ff
authorityID: 135fd942-7204-4c91-94f0-add5a4a636ff
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# e5e27958-699a-4689-b11f-a61d35a600e7, authorities, ca, ipaca
dn: cn=e5e27958-699a-4689-b11f-a61d35a600e7,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: e5e27958-699a-4689-b11f-a61d35a600e7
authorityID: e5e27958-699a-4689-b11f-a61d35a600e7
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# 6cb2e4f8-ea47-4096-be01-5d324ca81fb8, authorities, ca, ipaca
dn: cn=6cb2e4f8-ea47-4096-be01-5d324ca81fb8,ou=authorities,ou=ca,o=ipaca
objectClass: authority
objectClass: top
cn: 6cb2e4f8-ea47-4096-be01-5d324ca81fb8
authorityID: 6cb2e4f8-ea47-4096-be01-5d324ca81fb8
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=HOME.FAZANT.NET
description: Host authority

# search result
search: 2
result: 0 Success

# numResponses: 15
# numEntries: 14
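The comparison Rob describes in the quoted reply (entries under ou=authorities,ou=ca,o=ipaca against those under cn=cas,cn=ca,dc=example,dc=com), as an added example that is not FreeIPA's or ipa-healthcheck's own code: a small Python script that parses two ldapsearch LDIF dumps offline and reports authority IDs that exist on one side only, plus Dogtag entries that share the same signing-key nickname and subject DN. It assumes the IPA side identifies each CA by the ipacaid attribute (the attribute FreeIPA stores the Authority ID in; names are matched case-insensitively). The LDIF embedded below is a constructed sample with placeholder IDs and a placeholder realm, not the dump attached to this message.

```python
"""Offline cross-check of Dogtag authority entries against IPA's sub-CA list.

Added example, not FreeIPA/ipa-healthcheck code.  Works from two ldapsearch
LDIF dumps (no directory connection needed):
  Dogtag: ou=authorities,ou=ca,o=ipaca   -> attribute authorityID
  IPA:    cn=cas,cn=ca,<basedn>          -> attribute ipacaid (assumed name)
"""
import base64
from collections import defaultdict


def parse_ldif(text):
    """Return a list of records: dict of lowercased attribute -> [values].

    Handles '#' comments, blank-line record separators, 'attr:: <base64>'
    values and RFC 2849 line folding (continuation lines start with a space).
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join continuation onto previous line
        else:
            unfolded.append(raw)

    records, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line terminates a record
            if current:
                records.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                         # not an attribute line
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current:
        records.append(current)
    return records


def index_by(records, attr):
    """Map the first value of `attr` to its record; records lacking it are skipped."""
    return {r[attr][0]: r for r in records if attr in r}


def compare_authorities(dogtag_ldif, ipa_ldif):
    """IDs known to one side only, plus Dogtag entries sharing a signing key."""
    dogtag = index_by(parse_ldif(dogtag_ldif), "authorityid")
    ipa = index_by(parse_ldif(ipa_ldif), "ipacaid")

    by_key = defaultdict(list)               # (key nickname, subject DN) -> [IDs]
    for aid, rec in dogtag.items():
        key = (rec.get("authoritykeynickname", [""])[0],
               rec.get("authoritydn", [""])[0])
        by_key[key].append(aid)

    return {
        "only_in_dogtag": sorted(set(dogtag) - set(ipa)),
        "only_in_ipa": sorted(set(ipa) - set(dogtag)),
        "shared_key": {k: sorted(v) for k, v in by_key.items() if len(v) > 1},
    }


# Constructed sample dumps (placeholder IDs and realm, not real data).
DOGTAG_SAMPLE = """\
# extended LDIF (constructed sample)
dn: ou=authorities,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: authorities

dn: cn=11111111-1111-4111-8111-111111111111,ou=authorities,ou=ca,o=ipaca
objectClass: authority
cn: 11111111-1111-4111-8111-111111111111
authorityID: 11111111-1111-4111-8111-111111111111
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=EXAMPLE.TEST
description: Host authority

dn: cn=22222222-2222-4222-8222-222222222222,ou=authorities,ou=ca,o=ipaca
objectClass: authority
cn: 22222222-2222-4222-8222-222222222222
authorityID: 22222222-2222-4222-8222-222222222222
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,
 O=EXAMPLE.TEST
description: Host authority (folded DN line above exercises unfolding)

dn: cn=33333333-3333-4333-8333-333333333333,ou=authorities,ou=ca,o=ipaca
objectClass: authority
cn: 33333333-3333-4333-8333-333333333333
authorityID: 33333333-3333-4333-8333-333333333333
authorityKeyNickname: caSigningCert cert-pki-ca
authorityEnabled: TRUE
authorityDN: CN=Certificate Authority,O=EXAMPLE.TEST
description: Host authority
"""

IPA_SAMPLE = """\
dn: cn=cas,cn=ca,dc=example,dc=test
objectClass: top
objectClass: nsContainer
cn: cas

dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=test
objectClass: ipaca
cn: ipa
ipaCaId: 11111111-1111-4111-8111-111111111111
ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.TEST
description: IPA CA

dn: cn=puppet,cn=cas,cn=ca,dc=example,dc=test
objectClass: ipaca
cn: puppet
ipaCaId: 44444444-4444-4444-8444-444444444444
ipaCaSubjectDN: CN=Puppet CA,O=EXAMPLE.TEST
"""

if __name__ == "__main__":
    report = compare_authorities(DOGTAG_SAMPLE, IPA_SAMPLE)
    for aid in report["only_in_dogtag"]:
        print(f"Dogtag authority {aid} has no cn=cas entry in IPA")
    for aid in report["only_in_ipa"]:
        print(f"IPA CA {aid} has no authority entry in Dogtag")
    for (nick, dn), ids in report["shared_key"].items():
        print(f"{len(ids)} authorities share key '{nick}' / '{dn}': {', '.join(ids)}")
```

To run it against a live deployment, replace the two sample strings with the output of the ldapsearch command quoted above and of the same search with the base set to cn=cas,cn=ca,<your base DN>. Note that in the attached dump every authority entry carries the same authorityKeyNickname (caSigningCert cert-pki-ca) and the same authorityDN, so the shared-key report would list all of them together; which of those IDs IPA actually knows is exactly what the healthcheck comparison is asking.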