On 02/20/2015 06:56 AM, Les Stott wrote:
Hi all,
The following is blocking the ability for me to install a CA replica.
Environment:
RHEL 6.6
IPA 3.0.0-42
PKI 9.0.3-38
On the master the following is happening:
ipa-getcert list
Number of certificates and requests being tracked: 5.
(but it shows no certificate details in the output)
Running “getcert list” shows complete output.
Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I
get a failed response. The apache error logs on the master show….
[Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot
verify your certificate
The reason I am trying to browse that address is because that’s what the
ipa-ca-install setup is failing at (it complains that the CA certificate is not
in proper format, in fact it’s not able to get it at all).
I know from another working ipa setup that ….
Browsing to the above address provides valid xml content and ipa-getcert list
shows certificate details and not just the number of tracked certificates.
Been trying for a long time to figure out the issues without luck.
I would greatly appreciate any help to troubleshoot and resolve the above
issues.
Regards,
Les
Endi or JanC, would you have any advice for Les? To me, it looks like
Apache does not have a proper certificate installed.
My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it a total of
8 certs tracked:
# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20141111000002':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=vm-086.example.com,O=EXAMPLE.COM
	expires: 2016-11-11 00:00:01 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20141111000047':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=vm-086.example.com,O=EXAMPLE.COM
	expires: 2016-11-11 00:00:46 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20141111000302':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=vm-086.example.com,O=EXAMPLE.COM
	expires: 2016-11-11 00:03:02 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
What is actually in your Apache NSS database?
# certutil -L -d /etc/httpd/alias/
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
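The symptom in this thread (a `getcert list` header that counts tracked requests while the per-request details are missing, and an Apache NSS database whose Server-Cert may not be tracked at all) is easy to catch with a small parser over the certmonger output. The following is an added example, not code from the thread or from FreeIPA/certmonger: it parses `getcert list`-style text, compares the declared count with the entries actually printed, flags requests that are stuck or not in MONITORING, warns on approaching expiry, and reports any expected NSS database (the Apache and 389-ds paths from Martin's listing) with no tracked certificate. The sample output and the `EXPECTED_DBS` list are constructed for the example.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample (not the thread's real output): the header claims three
# tracked requests but only two are printed, and the second one is stuck.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20141111000302':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=vm-086.example.com,O=EXAMPLE.COM
\texpires: 2016-11-11 00:03:02 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20141111000047':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=vm-086.example.com,O=EXAMPLE.COM
\texpires: 2015-03-01 00:00:46 UTC
\ttrack: yes
\tauto-renew: yes
"""

# NSS databases an IPA 3.0 master with a CA is expected to have tracked
# Server-Certs in (assumed list for the example; adjust the slapd instance name).
EXPECTED_DBS = [
    "/etc/httpd/alias",
    "/etc/dirsrv/slapd-PKI-IPA",
    "/etc/dirsrv/slapd-EXAMPLE-COM",
]

COUNT_RE = re.compile(r"^Number of certificates and requests being tracked: (\d+)\.")
REQ_RE = re.compile(r"^Request ID '([^']+)':")
KV_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")


def parse_getcert_list(text):
    """Return (declared_count, entries); each entry is a dict of the printed fields."""
    declared, entries, current = None, [], None
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return declared, entries


def nss_location(storage):
    """Extract the NSS database path from a 'type=NSSDB,location=...' field."""
    m = re.search(r"location='([^']+)'", storage or "")
    return m.group(1) if m else None


def check_tracking(text, expected_dbs, now, warn_days=30):
    """Return a list of human-readable findings about certmonger tracking state."""
    declared, entries = parse_getcert_list(text)
    findings, seen = [], {}
    if declared is not None and declared != len(entries):
        findings.append(f"header claims {declared} tracked requests but "
                        f"{len(entries)} entries were printed")
    for e in entries:
        loc = nss_location(e.get("certificate"))
        if loc:
            seen[loc] = e
        if e.get("stuck") == "yes" or e.get("status") != "MONITORING":
            findings.append(f"{e['request_id']} ({loc}): status "
                            f"{e.get('status')}, stuck={e.get('stuck')}")
        exp = e.get("expires")
        if exp:
            when = datetime.strptime(exp.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
            if when - now < timedelta(days=warn_days):
                findings.append(f"{e['request_id']} ({loc}): expires {exp}, "
                                f"within {warn_days} days")
    for db in expected_dbs:
        if db not in seen:
            findings.append(f"no tracked Server-Cert found for NSS database {db}")
    return findings


def sample_findings():
    """Run the checker over the constructed sample at a fixed point in time."""
    return check_tracking(SAMPLE_OUTPUT, EXPECTED_DBS, datetime(2015, 2, 20))


if __name__ == "__main__":
    # Live use: feed the real `getcert list` output (run as root) to the checker.
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    for finding in check_tracking(out, EXPECTED_DBS, datetime.utcnow()):
        print("WARN:", finding)
```

Run as root on the master; an empty result means every expected NSS database has a tracked, monitored Server-Cert that is not close to expiry. A "no tracked Server-Cert" finding for `/etc/httpd/alias` points in the same direction as Martin's question, and `certutil -L -d /etc/httpd/alias/` is the next thing to look at.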