If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output.

Thanks

On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <[email protected]> wrote:
> Adam Lewis wrote:
>
>> A quick update. We did some digging on the segfault problem and I think
>> it was due to having to update the trusts on the CA cert. So we updated
>> the certmonger package and certmonger now starts again.
>> However we're kind of back to square one where we are still getting the
>> AUTH_FAIL messages in the debug log.
>> I have verified that the ipara entry's serial number and cert match the
>> serial number and cert from the one in /etc/httpd/alias.
>
> How about the certificate PEM? Does it match the usercertificate in the
> dogtag LDAP server?
>
> rob
>
>> Any other ideas?
>>
>> Thanks!
>>
>> On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <[email protected]> wrote:
>>
>>> Rob,
>>> Thanks for pointing me in the right direction. However after
>>> following the instructions in the above mentioned doc I noticed a
>>> few things that are odd and have a new problem. The first odd thing
>>> I noticed is that when I run service pki-cad status it shows that my
>>> PKI Subsystem Type is "CA Clone (Security Domain)"
>>> Shouldn't that say something like "CA Master"?
>>> Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they
>>> all produced the same AUTH_FAIL message in the debug log.
>>>
>>> Now the new problem... after pressing on and restarting things
>>> certmonger fails to start with a segfault.
>>>
>>>     Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault /usr/sbin/certmonger -S -p /var/run certmonger.pid
>>>
>>> Thanks!
>>>
>>> On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <[email protected]> wrote:
>>>
>>>> Lewis, Adam M CIV NSWCDD, H11 wrote:
>>>>
>>>>> We are currently dead in the water. Our OCSP, CA Audit, CA
>>>>> Subsystem, and IPA RA certs expired as of 7/23/16. I found
>>>>> and followed the instructions to the letter
>>>>> (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>>>>> however the CA Subsystem and IPA RA certs will not renew.
>>>>> I've backdated the server to make sure the system was within
>>>>> the renewal window, but that has not helped.
>>>>
>>>> Those are the wrong instructions.
>>>>
>>>> You want this instead, https://access.redhat.com/solutions/643753
>>>>
>>>> A bunch of it is for 2.2 but it isn't exactly noted which parts.
>>>> A general rule is that you don't/shouldn't need to directly
>>>> tweak the dogtag configuration or do any of the start-tracking
>>>> work (though you may want to verify that what/if anything you
>>>> changed from that wrong doc).
>>>>
>>>>> When I run getcert list it reports:
>>>>>
>>>>>     Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
>>>>>
>>>>> for both the IPA RA and CA Subsystem certs
>>>>>
>>>>> The debug log shows:
>>>>>
>>>>>     SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
>>>>>     ReviewReqServlet: Invalid Credential.
>>>>
>>>> The place to start is to get the serial # of the ipaCert:
>>>>
>>>>     # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>>>
>>>> Now get the user from the dogtag LDAP server:
>>>>
>>>>     # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description
>>>>
>>>> The format is 2;<serial number>;<issuer subject>;<subject>
>>>>
>>>> See if the serial # matches ipaCert. I'm guessing it won't.
>>>> Follow the instructions on the page I cited to update the entry
>>>> with the current certificate and serial # values. That should
>>>> get you going.
>>>>
>>>> rob
>>>>
>>>>> We are kind of in deep doo-doo until this gets resolved.
>>>>>
>>>>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Adam M. Lewis
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> Adam M. Lewis
>>> [email protected]
>>> 10807 Allie Place
>>> Fredericksburg, VA 22408
>>> 540-412-8643
>>
>> --
>> Adam M. Lewis
>> [email protected]
>> 10807 Allie Place
>> Fredericksburg, VA 22408
>> 540-412-8643

--
Adam M. Lewis
[email protected]
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
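The consistency check Rob walks through in the thread (the ipaCert serial, issuer and subject against the `2;<serial number>;<issuer subject>;<subject>` description of uid=ipara, and the certificate PEM against the entry's usercertificate) can be scripted so that all four fields are compared at once. This is an added example, not code from the thread or from FreeIPA; the certutil output, the ldapsearch LDIF and the PEM are constructed samples (an EXAMPLE.COM realm, serial 63, and a placeholder string standing in for the base64 DER), and the certutil pretty-print and LDIF folding formats are assumed to look as shown.

```python
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert` output (not real data).
CERTUTIL_OUT = """\
Certificate:
    Data:
        Serial Number: 63 (0x3f)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=IPA RA,O=EXAMPLE.COM"
"""
CERT_B64 = "PLACEHOLDERBASE64CERTIFICATEBYTES" * 3  # stand-in for ipaCert's base64 DER (constructed)
# Constructed LDIF as the ldapsearch against uid=ipara,ou=People,o=ipaca would return it; the long usercertificate value is folded onto a continuation line the way LDIF does.
LDIF_OUT = f"""\
dn: uid=ipara,ou=People,o=ipaca
description: 2;63;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
usercertificate;binary:: {CERT_B64[:40]}
 {CERT_B64[40:]}
"""
# Constructed PEM of the same bytes, as `certutil -L -d /etc/httpd/alias -n ipaCert -a` prints it.
PEM_OUT = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(CERT_B64[i:i + 64] for i in range(0, len(CERT_B64), 64))
           + "\n-----END CERTIFICATE-----\n")

def parse_certutil(text):
    """Decimal serial, issuer and subject from certutil's pretty-printed certificate."""
    grab = lambda pat: re.search(pat, text).group(1)
    return {"serial": grab(r"Serial Number:\s*(\d+)"),
            "issuer": grab(r'Issuer: "([^"]*)"'), "subject": grab(r'Subject: "([^"]*)"')}

def parse_ldif(text):
    """Unfold continuation lines and map attribute name -> value ('::' values stay base64)."""
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#") or ":" not in line:
            continue  # LDIF comments and blank separators
        name, value = line.split(":", 1)
        attrs[name.split(";")[0].lower()] = value.lstrip(": ").strip()
    return attrs

def check_ipara(certutil_text, ldif_text, pem_text):
    """Names of the fields where the ipara entry disagrees with ipaCert (empty = consistent)."""
    cert, attrs = parse_certutil(certutil_text), parse_ldif(ldif_text)
    # description format from the thread: 2;<serial number>;<issuer subject>;<subject>
    _version, serial, issuer, subject = attrs["description"].split(";", 3)
    bad = [k for k, v in (("serial", serial), ("issuer", issuer), ("subject", subject)) if cert[k] != v]
    # strip the PEM armor and newlines; what remains must equal the stored base64 usercertificate
    pem_b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    if attrs.get("usercertificate") != pem_b64:
        bad.append("usercertificate")
    return bad
```

On a real server, feed it the actual outputs of the two commands from the thread (plus `certutil ... -a` for the PEM); a non-empty result names exactly the fields the ipara entry needs updated before the agent authentication can succeed.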
