<https://wordpress.com/comment/floblanc.wordpress.com/14848>
Hi,

I'm replying to the same questions posted on my blog:

> Hi floblanc,
>
> Thank you for the reply,
>
> I have a few queries, can you please clarify
>
> 1. should we run ipa-cert-update on IPA master server also and then after
> on all IPA replica server and their clients ?

Yes, ipa-certupdate has to be run on all the machines enrolled into IPA.

> 2. Do we need to consider only one common name i.e. "cn=directory manager"
> as we have two, one is LDAP and other one is for HTTP
>
> dbm:/etc/dirsrv/slapd-IPA-ONMOBILE-COM/
> dbm:/etc/httpd/alias
>
> ldapsearch -D "cn=directory manager" -W -b
> cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com
> "(&(objectClass=ipaCertificate)(objectClass=pkiCA))"

Refer to the ldapsearch man page to understand the options:

- the -D "cn=directory manager" option means that the LDAP operations will be
  authenticated as the user Directory Manager. When you installed the first IPA
  server with ipa-server-install, this user was created with the password
  provided with ipa-server-install -p|--ds-password DM_PASSWORD.
- the -W option means "prompt for password"
- the -b option specifies a search base. The CA certificates are stored below
  cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com, so the search needs
  to target this search base
- "(&(objectClass=ipaCertificate)(objectClass=pkiCA))" is the search filter
  that finds the CA certificates

This single search retrieves all the CA certificates, one LDAP entry for each
certificate.

> Any other common name for HTTP:
>
> ldapsearch -D "cn=?" -W -b
> cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com
> "(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
>
> Or else this is the only query to search the ipaCertificate in whole ldap
> database?
>
> if i want to search the all occurrence of this invalid certificate in the
> whole server/database, how can we achieve this
>
> 3. I have an infrastructure with one IPA master and 13 IPA Replicas, if i
> delete the certificate in IPA Master and run ipa-certupdate, and again run
> ipa-certupdate on 13 IPA Replica servers, and its clients, i hope there
> will not be any issue after changes and also pki-tomcatd.target service
> will be running

If the LDAP entry corresponding to the certificate is deleted on the IPA
master, replication will propagate this deletion to the other replicas. This
means the entry will be removed from all the LDAP servers. When ipa-certupdate
is run, the list of CA certificates is refreshed (re-read from LDAP) and
updated in the local NSS databases.

HTH,
flo

> Or do you suggest any other better way without any impact on services
> further as it is production setup
>
> Note: As we deleted last time then pki-tomcat.target service was stopped
> and not started [we didn't run ipa-certupdate on IPA Master]
>
> How can we check all occurrence of this invalid certificate in IPA master
> server
>
> On Tue, Aug 30, 2022 at 8:09 PM Polavarapu Manideep Sai via FreeIPA-users
> <[email protected]> wrote:
>
> Hi Rob,
>
> Can you please help me on this
>
> Regards
> ManideepSai
>
> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: Tuesday, August 30, 2022 11:36 PM
> To: FreeIPA users list <[email protected]>
> Cc: Polavarapu Manideep Sai <[email protected]>
> Subject: Re: [Freeipa-users] Free IPA Replica server retrieving two
> certificates from the IPA master server while installing IPA replica and
> installation fails
>
> > Polavarapu Manideep Sai via FreeIPA-users wrote:
> > Hi Team,
> >
> > Need help from freeipa,
> >
> > Free IPA Replica server retrieving two certificates from the IPA master
> > server while installing IPA replica and installation fails
> >
> > please check the below issue and let us know the fix and please let us
> > know if any more details required
> >
> > Master server: aaa01
> > Replica server1: dir01 (currently installing replica server)
> > Replica server2: dirus02 (which was a replica server previously that has
> > been removed from replication)
> >
> > As noticed while installing ipa replica server, replica server
> > retrieving two certificates from the master server, and saving it in
> > /etc/ipa/ca.crt in this process at the stage Configuring the web
> > interface (httpd) we got the below error i.e.
> >
> > ipa-replica-install command failed, exception: CalledProcessError:
> > Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t
> > ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
> >
> > ===============================================
> >
> > While installing Replica /var/log/ipaclient-install.log
> > ---------------------------------------------------
> >
> > 2022-08-15T13:52:08Z DEBUG stderr=
> > 2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
> > 2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
> > 2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
> >
> > Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> > Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> > Valid From: 2018-04-12 14:15:30
> > Valid Until: 2038-04-12 14:15:30
> >
> > Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> > Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> > Valid From: 2019-01-21 11:54:13
> > Valid Until: 2021-01-21 11:54:13
> >
> > 2022-08-15T13:52:11Z DEBUG Starting external process
> > 2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
> > 2022-08-15T13:52:15Z DEBUG Process finished, return code=0
> > 2022-08-15T13:52:15Z DEBUG stdout=
> > 2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > Certificate subject base is: O=IPA.SUBDOMAIN.COM
> >
> > 2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
> > 2022-08-15T13:52:15Z DEBUG Starting external process
> > 2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
> > 2022-08-15T13:52:15Z DEBUG Process finished, return code=0
> > 2022-08-15T13:52:15Z DEBUG stdout=
> >
> > ==================================
> >
> > While installing replica /var/log/ipareplica-install.log
> > --------------------------------------------------
> >
> > 2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
> > 2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> > 2022-08-15T15:07:11Z DEBUG Starting external process
> > 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
> > 2022-08-15T15:07:11Z DEBUG Process finished, return code=0
> > 2022-08-15T15:07:11Z DEBUG stdout=
> > 2022-08-15T15:07:11Z DEBUG stderr=
> > 2022-08-15T15:07:11Z DEBUG Starting external process
> > 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
> > 2022-08-15T15:07:12Z DEBUG Process finished, return code=255
> > 2022-08-15T15:07:12Z DEBUG stdout=
> > 2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
> >
> > 2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
> >     run_step(full_msg, method)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
> >
> > Observation in Master server (aaa01) ldap database:
> > =======================================
> >
> > [root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
> > ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> > ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> > [root@aaa01~]#
> >
> > ====================
> >
> > We could see this certificate
> > "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in IPA master server
> > GUI as well, we have revoked it too, but still it retrieves the same
> > and installation fails every time
> >
> > =================
> >
> > In ideal case while installing replica it has to retrieve only one
> > certificate i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM but in this
> > case it retrieves
> >
> > Please let us know if any more details required and let us know how can
> > we fix this issue, without impact on whole setup
> >
> > ipaCertIssuerSerial
> >
> > ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1
> > [which is a valid certificate]
> > ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32
> > [invalid certificate retrieved from ipa master while installing ipa replica]
> >
> > [root@aaa01]# ipa cert-show
> >
> > Serial number: 32
> > Issuing CA: ipa
> > Certificate:
> > Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> > Subject DNS name: dirus02.ipa.subdomain.com
> > Subject UPN: HTTP/[email protected]
> > Subject Kerberos principal name: HTTP/[email protected]
> > Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> > Not Before: Mon Jan 21 11:54:13 2019 UTC
> > Not After: Thu Jan 21 11:54:13 2021 UTC
> > Serial number: 32
> > Serial number (hex): 0x20
> > Revoked: True
> > Revocation reason: 2
> > [root@aaa01~]#
>
> The CA certificates are stored in LDAP under
> cn=certificates,cn=ipa,cn=etc,dc=example,dc=test (substitute your own
> basedn).
>
> Find the incorrect entry and use ldapdelete to remove it. If you aren't
> very familiar with LDAP command-line tools then something like Apache
> Directory Studio may be a better choice.
>
> rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
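An added example, not code from the thread or from FreeIPA: a shell helper that reads the LDIF returned by flo's ldapsearch and reports every entry under cn=certificates whose subject is not its own issuer, which is how a leaf certificate such as the dirus02 HTTP certificate stands out among the pkiCA entries, then renders Rob's ldapdelete step as dry-run commands to review. The LDIF is constructed, and the realm, hostnames, entry names and the self-signed IPA CA are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): flag leaf certificates that
# ended up among the CA certificates. Assumes a self-signed IPA CA, so every
# legitimate pkiCA entry has subject == issuer; with an externally signed IPA
# CA the CA's own entry is flagged too and must be reviewed by hand.
# Constructed LDIF, shaped like the output of
#   ldapsearch -LLL -D "cn=directory manager" -W \
#     -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com \
#     "(&(objectClass=ipaCertificate)(objectClass=pkiCA))" ipaCertSubject ipaCertIssuerSerial
# Realm, hostnames and the second entry's cn are made up.
SAMPLE_LDIF='dn: cn=IPA.EXAMPLE.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com
ipaCertSubject: CN=Certificate Authority,O=IPA.EXAMPLE.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.EXAMPLE.COM;1

dn: cn=dirus02.ipa.example.com,cn=certificates,cn=ipa,cn=etc,
 dc=ipa,dc=example,dc=com
ipaCertSubject: CN=dirus02.ipa.example.com,O=IPA.EXAMPLE.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.EXAMPLE.COM;32
'
# Read LDIF on stdin; print "<dn>\t<issuer;serial>" for each entry whose
# ipaCertSubject is not the issuer named in ipaCertIssuerSerial.
stray_cert_entries() {
  # unfold LDIF continuation lines (a leading space continues the previous line)
  awk '/^ / { printf "%s", substr($0, 2); next }
       { if (NR > 1) print ""; printf "%s", $0 }
       END { print "" }' |
  # then process one blank-line-separated entry per record
  awk 'BEGIN { RS = ""; FS = "\n" }
  { dn = ""; subj = ""; iss = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^dn: /) dn = substr($i, 5)
      else if ($i ~ /^ipaCertSubject: /) subj = substr($i, 17)
      else if ($i ~ /^ipaCertIssuerSerial: /) iss = substr($i, 22)
    }
    if (dn == "" || subj == "" || iss == "") next
    issuer = iss; sub(/;[^;]*$/, "", issuer)   # strip the ";<serial>" suffix
    if (subj != issuer) print dn "\t" iss
  }'
}
# Render findings as ldapdelete dry-runs (-n) to review; once the real delete
# has replicated, run ipa-certupdate on every enrolled host, as flo describes.
delete_commands() {
  stray_cert_entries | while IFS="$(printf '\t')" read -r dn serial; do
    printf 'ldapdelete -n -D "cn=directory manager" -W "%s"   # %s\n' "$dn" "$serial"
  done
}
printf '%s' "$SAMPLE_LDIF" | delete_commands
```

Pipe the real ldapsearch output into stray_cert_entries instead of the sample to check a live master; the issuer-only comparison deliberately ignores revocation state, since the thread shows the entry survives revocation.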
