ipa-ca-install: Certificate with nickname ipaCert is present in /etc/httpd/alias, cannot continue
Source: https://pagure.io/freeipa/issue/7336
The root cause of the issue is not the update_ra_cert_store message. This routine takes the ipaCert from /etc/httpd/alias and migrates the cert to /var/lib/ipa/ra-agent.key and /var/lib/ipa/ra-agent.pem.
When ipa upgrade is performed multiple times, it is expected that ipaCert is not found any more in /etc/httpd/alias and the log is only informative.
The ipaupgrade.log shows that Dogtag failed to start during the upgrade, and this needs to be investigated. Can you share dogtag's logs from /var/log/pki/pki-tomcat/ca/debug? Common causes include IPv6 configuration or the expiration of subsystemCert cert-pki-ca stored in /etc/pki/pki-tomcat/alias.
The debug log shows an authentication problem. I assume it is the connection to the LDAP server.
I don't see any specific errors in dirsrv logs.
The error with
Could not connect to LDAP server host caipa00.domain.prod port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
is usually linked to an expired subsystemCert cert-pki-ca, or a failure when automatic renewal happened. You can find troubleshooting tips in this blog. Start by checking the expiration date of the cert:
$ sudo certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" | grep "Not After"
Here is the output. The command returns a valid date.
Based on the troubleshooting guide, key validation fails.
Also, the CA certificates are different. How do I update LDAP with the right cert?
Add all relevant CA certificates to the FreeIPA certificate trust store by using ipa-cacert-manage install. Then run ipa-certupdate on all FreeIPA masters to ensure that each master has the required CA certificates in all of the relevant places (system trust store, http/ldap/Dogtag NSSDBs, etc).
Which cert do I need to use for the ipa-cacert-manage install command?
Whatever external CA cert(s) are used in your infrastructure, including intermediate CAs.
We were using the self-signed one generated by FreeIPA.
What is the output of
ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
and
sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
? If the certificates differ, you will need to manually modify the certificate in LDAP using ldapmodify (update the field "userCertificate" with the value found using certutil, and also update the field description with 2;<serial>;<issuer>;<subject> - serial, issuer and subject also extracted from the certutil output).
See attached file
The 2 certificates differ. In order to fix the issue, you need to run the following command:
The description attribute needs to contain 2;19;... because the cert in /etc/pki/pki-tomcat/alias has a serial number 19 (can be seen using
), and the new certificate needs to be uploaded into ldap.
After that, pki-tomcat should be able to restart and you will be able to re-launch ipa-server-upgrade. The certificate was renewed Oct 13 01:06:55 2017, you may find more information in the journal explaining why the renewal was not able to proceed till the end:
Yes, I still need to propagate the CA cert. I will do it today; I just was pulled to another task.
In the store there are multiple certs:
auditSigningCert cert-pki-ca u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
Which one needs to be updated in LDAP?
Sorry for the delay. You'd need to check on each cert individually to see if the latest is already in LDAP. The caSigningCert should be good for another 19+ years so I wouldn't worry about that, it gets stored separately anyway.
We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.
Metadata Update from @rcritten:
- Issue close_status updated to: insufficientinfo
- Issue status updated to: Closed (was: Open)
I am still unable to upload the cert to LDAP.
Can you clarify what the current status is? I'm not sure what it is you are trying to do, what messages you are seeing, etc.
I am trying to update LDAP with the certificate from sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
because there is a mismatch between the store and LDAP, so that it will be possible to complete the upgrade.
Ok and flo provided instructions on how to do that. Are they not working?
I can't understand exactly which cert it should be.
Yes, if I understand correctly it should be the one from certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
Metadata Update from @volga629:
- Issue status updated to: Open (was: Closed)
I tried to update the cert.
ldapmodify: invalid format (line 7) entry: "uid=pkidbuser,ou=people,o=ipaca"
[root@caipa01 ~]# ldapmodify -h caipa01.networklab.prod -p 389 -D "cn=directory manager" -W
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;19;CN=Certificate Authority,O=DOMAIN.PROD;CN=CA Subsystem,O=DOMAIN.PROD
-
add: usercertificate
usercertificate::
ldapmodify: invalid format (line 7) entry: "uid=pkidbuser,ou=people,o=ipaca"
line 7 is
add: usercertificate
usercertificate::
I updated the cert with the LDIF, but tomcat is still having an issue:
failed to map client certificate to LDAP DN (Could not matching certificate in User's LDAP entry)
Do I need to delete all other certs? I see 3 certs in the list right now.
Ok, I got the LDAP cert updated and ran the upgrade OK, but right now apache complains about an expired cert:
[:error] [pid 1131:tid 140309205127168] Server certificate is expired: 'Server-Cert'
Sorry for the delay. Were you able to complete the upgrade?