Martin Kosek wrote:
> On 02/20/2015 06:56 AM, Les Stott wrote:
>> Hi all,
>>
>> The following is blocking the ability for me to install a CA replica.
>>
>> Environment:
>>
>> RHEL 6.6
>> IPA 3.0.0-42
>> PKI 9.0.3-38
>>
>> On the master the following is happening:
>>
>> ipa-getcert list
>> Number of certificates and requests being tracked: 5.
>>
>> (but it shows no certificate details in the output)
>>
>> Running "getcert list" shows complete output.
>>
>> Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I get a failed response. The apache error logs on the master show:
>>
>> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
>>
>> The reason I am trying to browse that address is because that's what the ipa-ca-install setup is failing at (it complains that the CA certificate is not in proper format; in fact it's not able to get it at all).
>>
>> I know from another working ipa setup that:
>>
>> Browsing to the above address provides valid xml content and ipa-getcert list shows certificate details and not just the number of tracked certificates.
>>
>> Been trying for a long time to figure out the issues without luck.
>>
>> I would greatly appreciate any help to troubleshoot and resolve the above issues.
>>
>> Regards,
>>
>> Les
>
> Endi or JanC, would you have any advice for Les? To me, it looks like Apache does not have a proper certificate installed.
>
> My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it a total of 8 certs tracked:
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20141111000002':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=vm-086.example.com,O=EXAMPLE.COM
>         expires: 2016-11-11 00:00:01 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20141111000047':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=vm-086.example.com,O=EXAMPLE.COM
>         expires: 2016-11-11 00:00:46 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20141111000302':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=vm-086.example.com,O=EXAMPLE.COM
>         expires: 2016-11-11 00:03:02 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> What is actually in your Apache NSS database?
>
> # certutil -L -d /etc/httpd/alias/
>
> Martin
Remember ipa-getcert is just a shortcut for certificates using the certmonger CA named IPA, so it's more a filter than anything else. I don't know why it wouldn't display any output, but I'd file a bug. I think we'd need to see the getcert list output to try to figure out what is going on.

As for the SSL error fetching the cert chain, I think Martin may be onto something. The request is proxied through Apache. I think the client here might be the Apache proxy client. I believe this command replicates what Apache is doing; you might give it a try on the master. This will get the chain directly from dogtag, bypassing Apache:

$ curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
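Rob asks for the raw getcert list output because the symptom Les reports (a tracked count of 5 but no records printed) is itself a finding. As an added example that is not from this thread or from the FreeIPA project, the POSIX shell check below compares the count certmonger declares with the "Request ID" records it actually prints and confirms that the Apache Server-Cert in /etc/httpd/alias is among them; the two sample outputs are constructed and trimmed to the fields the check reads.

```shell
#!/bin/sh
# check_getcert: read `getcert list` output on stdin, print a one-line
# summary and exit 0 only when the declared count matches the records
# listed AND the Apache Server-Cert (/etc/httpd/alias) is tracked.
check_getcert() {
    awk '
        /^Number of certificates and requests being tracked:/ {
            sub(/\.$/, "", $NF); declared = $NF + 0
        }
        /^Request ID/ { listed++ }
        # The "key pair storage:" field names the NSS DB and nickname.
        /location=.\/etc\/httpd\/alias./ && /nickname=.Server-Cert./ { httpd = 1 }
        END {
            printf "declared=%d listed=%d httpd_server_cert=%s\n",
                   declared, listed, (httpd ? "yes" : "no")
            exit (declared == listed && httpd) ? 0 : 1
        }'
}

# Constructed healthy output: two records, one of them the httpd cert.
sample_healthy() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20141111000302':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
Request ID '20141111000047':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        CA: IPA
EOF
}

# Constructed output matching the symptom above: a count, no details.
sample_broken() {
cat <<'EOF'
Number of certificates and requests being tracked: 5.
EOF
}

# On a real master run:  getcert list | check_getcert
```

A non-zero exit with `listed=0` means certmonger's tracking database and its list output disagree, which is worth attaching to the bug report Rob suggests.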
