The root cause of the issue is not the update_ra_cert_store message. This routine takes the ipaCert from /etc/httpd/alias and migrates the cert to /var/lib/ipa/ra-agent.key and /var/lib/ipa/ra-agent.pem. When ipa upgrade is performed multiple times, it is expected that ipaCert is not found any more in /etc/httpd/alias and the log is only informative.
The ipaupgrade.log shows that Dogtag failed to start during the upgrade, and this needs to be investigated. Can you share dogtag's logs from /var/log/pki/pki-tomcat/ca/debug? Common causes include IPv6 configuration or the expiration of subsystemCert cert-pki-ca stored in /etc/pki/pki-tomcat/alias.
The debug log shows an authentication problem. I assume it is the connection to the LDAP server:
[24/Dec/2017:09:22:32][localhost-startStop-1]: CMS.start(): shutdown server
[24/Dec/2017:09:22:32][localhost-startStop-1]: CMSEngine.shutdown()
[24/Dec/2017:12:49:47][localhost-startStop-1]: ============================================
[24/Dec/2017:12:49:47][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[24/Dec/2017:12:49:47][localhost-startStop-1]: ============================================
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: done init id=debug
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: initialized debug
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[24/Dec/2017:12:49:47][localhost-startStop-1]: CMSEngine: ready to init id=log
[24/Dec/2017:12:49:47][localhost-startStop-1]: Event filters:
[24/Dec/2017:12:49:47][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[24/Dec/2017:12:49:47][localhost-startStop-1]: Event filters:
[24/Dec/2017:12:49:47][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[24/Dec/2017:12:49:48][localhost-startStop-1]: Event filters:
[24/Dec/2017:12:49:48][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: done init id=log
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: initialized log
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: ready to init id=jss
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: initializing JSS subsystem
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: enabled: true
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: NSS database: /var/lib/pki/pki-tomcat/alias/
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: initializing CryptoManager
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: initializing SSL
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: random:
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: - algorithm: pkcs11prng
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: - provider: Mozilla-JSS
[24/Dec/2017:12:49:48][localhost-startStop-1]: JssSubsystem: initialization complete
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: done init id=jss
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: initialized jss
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[24/Dec/2017:12:49:48][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[24/Dec/2017:12:49:48][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[24/Dec/2017:12:49:48][localhost-startStop-1]: LdapBoundConnFactory: init
[24/Dec/2017:12:49:48][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[24/Dec/2017:12:49:48][localhost-startStop-1]: LdapAuthInfo: init()
[24/Dec/2017:12:49:48][localhost-startStop-1]: LdapAuthInfo: init begins
[24/Dec/2017:12:49:48][localhost-startStop-1]: LdapAuthInfo: init ends
[24/Dec/2017:12:49:48][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[24/Dec/2017:12:49:48][localhost-startStop-1]: makeConnection: errorIfDown true
[24/Dec/2017:12:49:48][localhost-startStop-1]: TCP Keep-Alive: true
[24/Dec/2017:12:49:48][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[24/Dec/2017:12:49:48][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[24/Dec/2017:12:49:48][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host caipa00.domain.prod port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:667)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1175)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1081)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1620)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1215)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1140)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1027)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5038)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5348)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:621)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1835)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Internal Database Error encountered: Could not connect to LDAP server host caipa00.domain.prod port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:689)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1175)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1081)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1620)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1215)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1140)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1027)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5038)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5348)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:621)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1835)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMS.start(): shutdown server
[24/Dec/2017:12:49:48][localhost-startStop-1]: CMSEngine.shutdown()
I don't see any specific errors in the dirsrv logs.
[24/Dec/2017:12:49:31.324355093 -0500] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[24/Dec/2017:12:49:31.335240924 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.336379147 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.337180907 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.337909216 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.338698808 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.339655742 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.340468400 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.341205459 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.341955296 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.342690195 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.343396990 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.344113590 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.344896928 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.345749910 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.346478224 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.347204217 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.351811305 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.353917366 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.354691057 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=prod does not exist
[24/Dec/2017:12:49:31.439005530 -0500] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[24/Dec/2017:12:49:31.441377023 -0500] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
[24/Dec/2017:12:49:31.443775775 -0500] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=domain,dc=prod--no CoS Templates found, which should be added before the CoS Definition.
[24/Dec/2017:12:49:31.465311235 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/caipa00.domain.prod@domain.prod] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[24/Dec/2017:12:49:31.481211771 -0500] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[24/Dec/2017:12:49:31.482073897 -0500] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[24/Dec/2017:12:49:31.482714388 -0500] - INFO - slapd_daemon - Listening on /var/run/slapd-domain-PROD.socket for LDAPI requests
[24/Dec/2017:12:49:31.591660866 -0500] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[24/Dec/2017:12:49:36.644466655 -0500] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=prod
[24/Dec/2017:12:49:36.647256243 -0500] - ERR - schema-compat-plugin - Finished plugin initialization.
The error with Could not connect to LDAP server host caipa00.domain.prod port 636 Error netscape.ldap.LDAPException: Authentication failed (49) is usually linked to an expired subsystemCert cert-pki-ca, or a failure when automatic renewal happened.
You can find troubleshooting tips in this blog. Start by checking the expiration date of the cert:
$ sudo certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca"| grep "Not After"
Here is the output. The command returns a valid date:
[root@caipa00 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca"| grep "Not After"
            Not After : Thu Oct 03 01:06:55 2019
[root@caipa00 ~]#
Based on the troubleshooting guide, key validation fails.
Also, the CA certificates are different. How do I update LDAP with the right cert?
Add all relevant CA certificates to the FreeIPA certificate trust store by using ipa-cacert-manage install. Then run ipa-certupdate on all FreeIPA masters to ensure that each master has the required CA certificates in all of the relevant places (system trust store, http/ldap/Dogtag NSSDBs, etc).
Which cert needs to be used for the command ipa-cacert-manage install?
Whatever external CA cert(s) are used in your infrastructure, including intermediate CAs.
We were using the self-signed one generated by FreeIPA.
What is the output of the following two commands?
ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
If the certificates differ, you will need to manually modify the certificate in LDAP using ldapmodify (update the field "userCertificate" with the value found using certutil, and also update the field description with 2;<serial>;<issuer>;<subject>, where serial, issuer and subject are also extracted from the certutil output).
See attached file
The 2 certificates differ. In order to fix the issue, you need to run the following command:
$ ldapmodify -h master.domain.com -p 389 -D "cn=directory manager" -w password
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;19;CN=Certificate Authority,O=DOMAIN.PROD;CN=CA Subsystem,O=DOMAIN.PROD
-
add: usercertificate
usercertificate:: <here paste the content obtained from certutil, in a single line, without the header -----BEGIN CERTIFICATE----- and without the footer -----END CERTIFICATE----->
The description attribute needs to contain 2;19;... because the cert in /etc/pki/pki-tomcat/alias has a serial number 19 (can be seen using ), and the new certificate needs to be uploaded into ldap. After that, pki-tomcat should be able to restart and you will be able to re-launch ipa-server-upgrade.
The certificate was renewed on Oct 13 01:06:55 2017; you may find more information in the journal explaining why the renewal was not able to proceed till the end:
$ sudo journalctl -u certmonger
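The comparison and the LDIF described in the two replies above, as an added worked example (this is not code from the thread, from FreeIPA or from Dogtag). It uses only the Python standard library: a small DER reader pulls serial, issuer and subject out of the certificate so the `2;<serial>;<issuer>;<subject>` description and the single-line base64 `userCertificate` value are derived from the same bytes, and it checks whether LDAP already holds the certificate from the NSS database. The two certificates are constructed inline with a minimal DER encoder so the script runs offline; on a real master the DER would come from the output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a` with the PEM header and footer stripped and the body base64-decoded. The hostnames, DN and serial numbers below are sample values.

```python
# Added example, not project code: derive the pkidbuser LDIF from the certificate bytes.
import base64

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}

# ---- minimal DER encoder, used only to construct the sample certificates ----
def der_len(n):
    if n < 128:
        return bytes([n])
    return b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunks = [p & 0x7F]
        while p > 127:
            p >>= 7
            chunks.insert(0, (p & 0x7F) | 0x80)
        out += bytes(chunks)
    return tlv(0x06, bytes(out))

def encode_name(rdns):
    """rdns in DER order (most significant first), e.g. [("O", x), ("CN", y)]."""
    by_name = {v: k for k, v in OID_NAMES.items()}
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, encode_oid(by_name[k]) + tlv(0x0C, v.encode())))
        for k, v in rdns))

def build_sample_cert(serial, issuer, subject):
    """Constructed, unsigned X.509 v3 skeleton with enough structure for the parser."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial_b = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"171013010655Z") + tlv(0x17, b"191003010655Z"))
    dummy_bits = tlv(0x03, b"\x00" * 17)           # placeholder key and signature
    tbs = tlv(0x30, version + serial_b + alg + encode_name(issuer)
              + validity + encode_name(subject) + tlv(0x30, alg + dummy_bits))
    return tlv(0x30, tbs + alg + dummy_bits)

# ---- minimal DER decoder: serial, issuer and subject of a certificate ----
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def name_to_string(name_body):
    """Render a DER Name the way Dogtag stores it: least significant RDN first."""
    rdns = []
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            rdns.append(f"{OID_NAMES.get(decode_oid(oid), decode_oid(oid))}={value.decode()}")
    return ",".join(reversed(rdns))

def cert_identity(der):
    """Return (serial, issuer, subject) from a DER-encoded certificate."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # skip the explicit [0] version
        fields = fields[1:]
    return (int.from_bytes(fields[0][1], "big"),
            name_to_string(fields[2][1]), name_to_string(fields[4][1]))

def to_ldap_value(der):
    """Single-line base64, the form ldapsearch prints for userCertificate."""
    return base64.b64encode(der).decode()

def ldap_has_cert(ldap_values, der):
    """True when some userCertificate value in LDAP is byte-identical to the NSS cert."""
    return any(base64.b64decode(v) == der for v in ldap_values)

def pkidbuser_ldif(der, dn="uid=pkidbuser,ou=people,o=ipaca"):
    serial, issuer, subject = cert_identity(der)
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: description", f"description: 2;{serial};{issuer};{subject}",
                      "-", "replace: userCertificate",
                      f"userCertificate:: {to_ldap_value(der)}", ""])

ISSUER = [("O", "DOMAIN.PROD"), ("CN", "Certificate Authority")]   # constructed sample
SUBJECT = [("O", "DOMAIN.PROD"), ("CN", "CA Subsystem")]           # constructed sample
SAMPLE_CERT = build_sample_cert(19, ISSUER, SUBJECT)   # the renewed cert from the NSS DB
STALE_CERT = build_sample_cert(7, ISSUER, SUBJECT)     # the pre-renewal value still in LDAP

if __name__ == "__main__":
    print("LDAP already in sync:", ldap_has_cert([to_ldap_value(STALE_CERT)], SAMPLE_CERT))
    print(pkidbuser_ldif(SAMPLE_CERT))
```

Feed the printed LDIF to `ldapmodify` as in the command above. Two choices differ from the LDIF in the thread: `replace:` is used for userCertificate so that stale values are dropped rather than accumulated next to the current one, and the base64 body is generated on the same line as `userCertificate::`, which is the form ldapmodify expects for a base64 value (a long value may only be continued on following lines that start with a single space).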
Yes, I still need to propagate the CA cert. I will do it today; I just got pulled to another task.
In the store there are multiple certs:
auditSigningCert cert-pki-ca u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
Which one needs to be updated in LDAP?
Sorry for the delay. You'd need to check on each cert individually to see if the latest is already in LDAP. The caSigningCert should be good for another 19+ years so I wouldn't worry about that, it gets stored separately anyway.
We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.
Metadata Update from @rcritten:
- Issue close_status updated to: insufficientinfo
- Issue status updated to: Closed (was: Open)
I am still unable to upload the cert to LDAP.
Can you clarify what the current status is? I'm not sure what it is you are trying to do, what messages you are seeing, etc.
I am trying to update LDAP with the certificate from
sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
because there is a mismatch between the store and LDAP; then it will be possible to complete the upgrade.
Ok and flo provided instructions on how to do that. Are they not working?
I can't understand exactly which cert it should be.
Yes, if I understand correctly it should be the one from certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
Metadata Update from @volga629:
- Issue status updated to: Open (was: Closed)
I tried to update the cert.
ldapmodify: invalid format (line 7) entry: "uid=pkidbuser,ou=people,o=ipaca"
[root@caipa01 ~]# ldapmodify -h caipa01.networklab.prod -p 389 -D "cn=directory manager" -W
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;19;CN=Certificate Authority,O=DOMAIN.PROD;CN=CA Subsystem,O=DOMAIN.PROD
-
add: usercertificate
usercertificate::
ldapmodify: invalid format (line 7) entry: "uid=pkidbuser,ou=people,o=ipaca"
line 7 is
add: usercertificate
usercertificate::
I updated the cert with the LDIF, but tomcat is still having an issue:
failed to map client certificate to LDAP DN (Could not matching certificate in User's LDAP entry)
Do I need to delete all the other certs? I see 3 certs in the list right now.
OK, I got the LDAP cert updated and ran the upgrade OK, but right now apache complains about an expired cert:
[:error] [pid 1131:tid 140309205127168] Server certificate is expired: 'Server-Cert'
Sorry for the delay. Were you able to complete the upgrade?