Adam Lewis wrote:
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.
getcert list shows :
ca-error: Server at
"https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1:
Authentication Error
And the debug log shows:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.
I'd look at the lines above that for clues, and check the 389-ds access
log. I assume it is finding an entry for uid=ipara, right?
The way the auth works as I understand it is dogtag first compares the
serial number, issuer and subject of the provided certificate with the
description attribute in the entry it finds in LDAP. Then it compares
the full certificate. If things match up then you are authenticated. It
then does some authorization work.
For reference, mine looks like:
dn: uid=ipara,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipara
sn: ipara
cn: ipara
usertype: agentType
userstate: 1
userCertificate::
MIIDbTCCAlWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtH
[snip]
o0i1CCw1v++2tgvHiiZEEeeuOEMGEdXZfv4Xw=
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
Those appear to be the most significant messages. I'm disconnected so
getting the full log info is difficult. If it's the only way let me know
and I'll see what I can do. Worst case it'll just take me a while to
re-type it.
Understood.
Thanks
On Mon, Aug 1, 2016 at 3:11 PM, Rob Crittenden <[email protected]> wrote:
Adam Lewis wrote:
Yup, it's just the text string. I don't know how much this matters but
when I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what
it's been since we installed IPA. Is there some way/reason for me to
generate a whole new ipaCert?
certmonger will take care of that when renewal happens.
Did you go back in time to when this cert was valid?
rob
Thanks
On Mon, Aug 1, 2016 at 3:00 PM, Rob Crittenden <[email protected]> wrote:
Adam Lewis wrote:
If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.
The usercertificate in LDAP had the BEGIN/END stripped, right?
I'll cc a couple of the dogtag developers to see what they think.
rob
Thanks
On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden <[email protected]> wrote:
Adam Lewis wrote:
A quick update. We did some digging on the segfault problem and I think
it was due to having to update the trusts on the CA cert. So we updated
the certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the
AUTH_FAIL messages in the debug log.
I have verified that the ipara entry's serial number and cert match the
serial number and cert from the one in /etc/httpd/alias.
How about the certificate PEM? Does it match the usercertificate in the
dogtag LDAP server?
rob
Any other ideas?
Thanks!
On Mon, Aug 1, 2016 at 9:17 AM, Adam Lewis <[email protected]> wrote:
Rob,
Thanks for pointing me in the right direction. However after following
the instructions in the above mentioned doc I noticed a few things that
are odd and have a new problem. The first odd thing I noticed is that
when I run service pki-cad status it shows that my PKI Subsystem Type is
"CA Clone (Security Domain)". Shouldn't that say something like "CA
Master"?
Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all
produced the same AUTH_FAIL message in the debug log.
Now the new problem...after pressing on and restarting things certmonger
fails to start with a segfault.
Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault /usr/sbin/certmonger -S -p /var/run/certmonger.pid
Thanks!
On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <[email protected]> wrote:
Lewis, Adam M CIV NSWCDD, H11 wrote:
We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem,
and IPA RA certs expired as of 7/23/16. I found and followed the
instructions to the letter
(http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
however the CA Subsystem and IPA RA certs will not renew.
I've backdated the server to make sure the system was within the
renewal window, but that has not helped.
Those are the wrong instructions. You want this instead,
https://access.redhat.com/solutions/643753
A bunch of it is for 2.2 but it isn't exactly noted which parts.
A general rule is that you don't/shouldn't need to directly tweak the
dogtag configuration or do any of the start-tracking work (though you
may want to verify what, if anything, you changed from that wrong doc).
When I run getcert list it reports:
ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
for both the IPA RA and CA Subsystem certs
The debug log shows:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.
The place to start is to get the serial # of the ipaCert:
# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
Now get the user from the dogtag LDAP server:
# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description
The format is 2;<serial number>;<issuer subject>;<subject>
See if the serial # matches ipaCert. I'm guessing it won't.
Follow the instructions on the page I cited to update the entry with
the current certificate and serial # values. That should get you going.
rob
We are kind of in deep doo-doo until this gets resolved.
We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
Any thoughts?
Thanks!
Adam M. Lewis
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Adam M. Lewis
[email protected]
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643
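The check Rob walks through in the thread (compare the serial, issuer and subject recorded in the ipara entry's description attribute, then the stored certificate itself, against the ipaCert in /etc/httpd/alias) as a stand-alone script. This is an added example for this thread, not FreeIPA or dogtag code. It assumes the pretty-print layout of `certutil -L -d /etc/httpd/alias -n ipaCert`, the PEM that the same command emits with `-a`, and the LDIF layout of the ldapsearch output quoted above; the embedded sample inputs are constructed, and the base64 blob is a placeholder rather than a real certificate.

```python
#!/usr/bin/env python3
"""Check that dogtag's uid=ipara entry describes the ipaCert certmonger presents.

Added example for this thread, not FreeIPA or dogtag code.  Pure stdlib.
Assumptions: the layout of `certutil -L -d /etc/httpd/alias -n ipaCert`, the PEM
from that command with `-a`, and ldapsearch's LDIF for uid=ipara.  All sample
data below is constructed; the base64 is a placeholder, not real DER.
"""
import re
import sys


def parse_description(desc):
    """Split dogtag's '2;<serial>;<issuer DN>;<subject DN>' description value."""
    parts = desc.split(";", 3)          # DNs contain commas, never semicolons
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % desc)
    return {"serial": int(parts[1]),
            "issuer": parts[2].strip(),
            "subject": parts[3].strip()}


def parse_certutil(text):
    """Pull serial, issuer and subject out of certutil's pretty-printed cert."""
    # Short serials print as 'Serial Number: 7 (0x7)' on one line ...
    m = re.search(r"Serial Number:[ \t]*(\d+)[ \t]*\(0x", text)
    if m:
        serial = int(m.group(1))
    else:
        # ... long ones as colon-separated hex bytes on the following lines.
        m = re.search(r"Serial Number:\s*\n((?:\s*[0-9a-f]{2}:?)+)", text, re.I)
        if not m:
            raise ValueError("no serial number found in certutil output")
        serial = int(re.sub(r"[^0-9a-fA-F]", "", m.group(1)), 16)
    issuer = re.search(r'Issuer:\s*"([^"]*)"', text).group(1)
    subject = re.search(r'Subject:\s*"([^"]*)"', text).group(1)
    return {"serial": serial, "issuer": issuer, "subject": subject}


def pem_body(pem):
    """Base64 between BEGIN/END with whitespace removed: the form LDAP stores."""
    lines = (l.strip() for l in pem.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))


def ldif_attr(ldif, name):
    """First value of `name` in an LDIF blob, joining RFC 2849 continuation
    lines (leading space).  Handles 'attr: value' and 'attr:: base64'."""
    lines = ldif.splitlines()
    for i, line in enumerate(lines):
        for sep in ("::", ":"):      # try '::' first so ':' does not eat it
            if line.lower().startswith((name + sep).lower()):
                value = line[len(name) + len(sep):].strip()
                j = i + 1
                while j < len(lines) and lines[j].startswith(" "):
                    value += lines[j][1:]
                    j += 1
                return value
    return None


def check_ipara(certutil_text, pem, ldif):
    """Mirror the certUserDBAuthMgr lookup: serial, issuer and subject from the
    description attribute, then the stored certificate.  Returns a list of
    mismatches; empty means consistent.  DNs are compared as exact strings,
    which is stricter than dogtag may be, so a DN hit is a lead, not proof."""
    cert = parse_certutil(certutil_text)
    desc = parse_description(ldif_attr(ldif, "description") or "")
    problems = []
    for field in ("serial", "issuer", "subject"):
        if cert[field] != desc[field]:
            problems.append("%s: cert=%r ldap=%r" % (field, cert[field], desc[field]))
    stored = re.sub(r"\s+", "", ldif_attr(ldif, "userCertificate") or "")
    if stored != pem_body(pem):
        problems.append("userCertificate in LDAP does not match the ipaCert PEM body")
    return problems


# Constructed sample inputs (the certificate body is a placeholder, not real DER).
CERTUTIL_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=IPA RA,O=EXAMPLE.COM"
"""
PEM_SAMPLE = """\
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtH
o0i1CCw1v++2tgvHiiZEEeeuOEMGEdXZfv4Xw=
-----END CERTIFICATE-----
"""
LDIF_SAMPLE = """\
dn: uid=ipara,ou=people,o=ipaca
uid: ipara
usertype: agentType
userCertificate:: MIIDbTCCAlWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtH
 o0i1CCw1v++2tgvHiiZEEeeuOEMGEdXZfv4Xw=
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
"""

if __name__ == "__main__":
    # Usage: ipara_check.py cert.txt cert.pem ipara.ldif  (no args: run on the sample)
    if len(sys.argv) == 4:
        inputs = [open(p).read() for p in sys.argv[1:]]
    else:
        inputs = [CERTUTIL_SAMPLE, PEM_SAMPLE, LDIF_SAMPLE]
    problems = check_ipara(*inputs)
    print("OK: uid=ipara matches ipaCert" if not problems else "\n".join(problems))
```

To run it against a real server, capture the three inputs with `certutil -L -d /etc/httpd/alias -n ipaCert > cert.txt`, `certutil -L -d /etc/httpd/alias -n ipaCert -a > cert.pem` and the ldapsearch command from the thread (without the trailing `description` so userCertificate is returned too) redirected to `ipara.ldif`. Any line the script prints is a field that dogtag's lookup will see as different, which is the condition that produces the AUTH_FAIL / "Invalid Credential" entries quoted above.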