Hi,

the KDC cert does not contain any SAN extension, which reminds me of the
issue related to browsers requesting a SAN extension. Which browser are you
using to log in to the WebUI?
Is the command line working? For instance:
# kinit admin
# ipa user-find

flo

On Wed, Jan 29, 2025 at 3:05 PM Nacho Marti via FreeIPA-users <
[email protected]> wrote:

> Hi Florence,
>
> I am attaching the output:
>
> [root@ipa-replica01 ~]# openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 268370083 (0xfff00a3)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=TEST.PRIVATE, CN=Certificate Authority
>         Validity
>             Not Before: Jan  9 16:52:09 2025 GMT
>             Not After : Jan 10 16:52:09 2027 GMT
>         Subject: O=TEST.PRIVATE, CN=ipa-replica01.test.private
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:7C:B3:E1:1C:30:D3:A8:16:0D:75:B5:65:FA:70:5B:D3:3B:94:B0:63
>
>             Authority Information Access:
>                 OCSP - URI:http://ipa-ca.test.private/ca/ocsp
>
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, 1.3.6.1.5.2.3.5
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://ipa-ca.test.private/ipa/crl/MasterCRL.bin
>                 CRL Issuer:
>                   DirName: O = ipaca, CN = Certificate Authority
>
>             X509v3 Subject Key Identifier:
>                 5A:E3:7D:86:D8:10:72:B6:9F:89:06:06:25:1B:C6:CB:1A:FB:A6:AC
>     Signature Algorithm: sha256WithRSAEncryption
>
> Thanks in advance,
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
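The missing SAN noted in the reply can be checked mechanically. The following is an added example, not part of the original thread or of FreeIPA: it parses the extensions block of `openssl x509 -noout -text` output and reports whether a Subject Alternative Name and the KDC extended key usage are present. The `WITH_SAN` sample and all function names are constructed for illustration.

```python
import re

# EKU for a PKINIT KDC certificate (id-pkinit-KPKdc, RFC 4556); it is the OID
# printed in the thread's output. Newer OpenSSL prints its long name instead.
KDC_EKU = ("1.3.6.1.5.2.3.5", "Signing KDC Response")
SAN = "X509v3 Subject Alternative Name"

# Extensions block from the thread's output (CRL and SKI sections left out).
THREAD_CERT = """\
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:7C:B3:E1:1C:30:D3:A8:16:0D:75:B5:65:FA:70:5B:D3:3B:94:B0:63
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
    Signature Algorithm: sha256WithRSAEncryption
"""
# Constructed for comparison: the same EKU plus a SAN entry.
WITH_SAN = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
            X509v3 Subject Alternative Name:
                DNS:ipa-replica01.test.private
"""

def parse_extensions(text):
    """Map extension name -> value lines, relying on openssl's 4-space nesting."""
    exts, current, base = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if base is None:                      # still looking for the block
            if line.strip() == "X509v3 extensions:":
                base = indent
        elif indent <= base:                  # left the extensions block
            break
        elif indent == base + 4:              # extension header line
            current = re.sub(r":\s*(critical)?$", "", line.strip())
            exts[current] = []
        elif current is not None:             # value line of current extension
            exts[current].append(line.strip())
    return exts

def kdc_cert_findings(text):
    exts = parse_extensions(text)
    eku = ", ".join(exts.get("X509v3 Extended Key Usage", []))
    return {"has_san": SAN in exts, "san": exts.get(SAN, []),
            "has_kdc_eku": any(marker in eku for marker in KDC_EKU)}
```

To use it on a live host, pass the text printed by the `openssl x509 -noout -text` command shown in the thread to `kdc_cert_findings`.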