On Thu, Sep 12, 2019 at 02:10:22PM -0400, Ben Rawson via FreeIPA-users wrote:
> Thanks for the quick response Fraser. I did some more digging based on your
> suggestions, and I think I have a pretty good handle on what's going on.
>
> We actually have 3 ipa servers, with ipa01 being the CA master. After I
> created the sub-CA, its keys were added to the /etc/pki/pki-tomcat/alias
> database on ipa01, but not ipa02 or ipa03.
>
> The ipa client on our host was pointing directly to ipa02, and since the CA
> wasn't in the database it was throwing the error in my original post. By
> changing /etc/ipa/default.conf to point at ipa01 (and changing the
> certificate policy), I was able to get certmonger to issue the cert I
> wanted.
>
> So the question now is: Shouldn't the pki-tomcat/aliases database get
> automatically replicated from the master to the replicas? What
> configuration is responsible for doing this, and why might it not be
> working?
>
Yes, sub-CA keys should be replicated automatically. Something is not
working.

Have a look in the /etc/pki/pki-tomcat/ca/debug log on ipa02 (search
backwards from the end for the string KeyRetriever and see what's nearby).
If you want to see fresh results, restart Dogtag (systemctl restart
pki-tomcatd@pki-tomcat) because failed key retrieval retries with
exponential backoff.

Also check /var/log/httpd/error_log on ipa-01 to see if there's any
indication why the key retrieval requests failed.

'systemctl restart ipa-custodia' on ipa-01. Sometimes I have seen
custodia get into a funk and a restart resolves it.

Cheers,
Fraser

> Thanks again for your help,
> Ben
>
> On Thu, Sep 5, 2019 at 9:22 PM Fraser Tweedale <ftwee...@redhat.com> wrote:
>
> > On Thu, Sep 05, 2019 at 09:07:48PM -0000, Ben Rawson via FreeIPA-users
> > wrote:
> > > I'm having some trouble getting sub-CA signed certificates issued and
> > > managed by certmonger. The implementation here [
> > > https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work.
> > > I see that the -X option can be passed to ipa-getcert to specify the
> > > issuer, but every time I create a request with -X specified I get an
> > > error.
> > >
> > > Steps to reproduce:
> > > 1. Create a new CA named "Test" through the FreeIPA web UI.
> > >
> > > 2. Run the following on a host enrolled in FreeIPA:
> > > ipa-getcert request -k /root/test.key -f /root/test.crt -I "testrequest" -X "Test"
> > >
> > > 3. Run ipa-getcert list and receive an error message:
> > > Request ID 'test':
> > > status: CA_REJECTED
> > > ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request,
> > > will retry: 4035 (RPC failed at server. Request failed with status 500:
> > > Non-2xx response from CA REST API: 500. ).
> > > stuck: yes
> > > key pair storage: type=FILE,location='/root/test.key'
> > > certificate: type=FILE,location='/root/test.crt'
> > > CA: IPA
> > > issuer:
> > > subject:
> > > expires: unknown
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > >
> > > Running FreeIPA 4.6.4
> > >
> > Hi Ben,
> >
> > Have a look at the Dogtag debug log under
> > /var/log/pki/pki-tomcat/ca/, and also the system journal, on host
> > ipa02.yyy.com. You should see something related to the error above.
> >
> > What is your topology like? Do you have multiple CA replicas? Are
> > the sub-CA signing keys present on ipa02, in the Dogtag NSSDB?
> >
> > # certutil -d /etc/pki/pki-tomcat/alias -L
> >
> > Cheers,
> > Fraser
> >
>
> --
> Ben Rawson
> DevOps Engineer
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
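A quick way to confirm the situation the thread describes (sub-CA signing key present on the CA master but missing from a replica's Dogtag NSSDB) is to diff the `certutil -d /etc/pki/pki-tomcat/alias -L` listings from the two hosts. The script below is an added example, not code from the thread or from FreeIPA/Dogtag; it assumes Dogtag names a lightweight (sub-)CA signing cert "caSigningCert cert-pki-ca <authority-id>" while the main CA cert has no suffix, and the listings it embeds are constructed samples with a placeholder authority id.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA/Dogtag): compare the
# sub-CA signing-cert nicknames in the Dogtag NSSDB on the CA master with
# those on a replica, using saved output of
#   certutil -d /etc/pki/pki-tomcat/alias -L
# from each host. Assumption: a lightweight (sub-)CA signing cert is named
# "caSigningCert cert-pki-ca <authority-id>"; the main CA cert has no suffix.

# Print the authority ids of sub-CA signing certs found in certutil -L
# output read from stdin, one per line, sorted.
subca_ids() {
    # Skip the two header lines; a sub-CA row has an id field before the
    # trust column (NF >= 4), the main CA row does not (NF == 3).
    awk 'NR > 2 && $1 == "caSigningCert" && $2 == "cert-pki-ca" && NF >= 4 { print $3 }' | sort
}

# Print ids present in the master listing ($1) but absent from the replica
# listing ($2). Empty output means the replica has every sub-CA key.
missing_subcas() {
    replica_ids=$(subca_ids < "$2")
    subca_ids < "$1" | while read -r aid; do
        [ -n "$aid" ] || continue
        printf '%s\n' "$replica_ids" | grep -qxF -- "$aid" || printf '%s\n' "$aid"
    done
}

# Constructed sample listings; the authority id is a placeholder, not real.
MASTER_LIST=$(mktemp)
REPLICA_LIST=$(mktemp)
cat > "$MASTER_LIST" <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca 11111111-2222-3333-4444-555555555555 u,u,u
EOF
cat > "$REPLICA_LIST" <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
EOF

# Any id printed here is a sub-CA whose key never reached the replica, which
# is where the KeyRetriever / custodia checks from the thread come in.
missing_subcas "$MASTER_LIST" "$REPLICA_LIST" | sed 's/^/missing on replica: /'
```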