On 5/3/19 11:47 AM, H. Frenzel via FreeIPA-users wrote:
On 03.05.2019 10:18, Florence Blanc-Renaud via FreeIPA-users wrote:
> On 5/2/19 7:08 PM, H. Frenzel via FreeIPA-users wrote:
>> What could be wrong here?
> Hi,
> the key is present, its name is just "NSS Certificate
> DB:subsystemCert cert-pki-ca" without any space after the colon. You
> can check the next steps, i.e. is the "subsystemCert cert-pki-ca"
> certificate consistent with the content of the LDAP entry
> uid=pkidbuser,ou=people,o=ipaca.
>
> flo
Tried the ldapsearch and found three userCertificates; one of them matches the one in /etc/pki/pki-tomcat/alias:
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDbD...
...
.../342g==
userCertificate:: MIIDbj...
...
...xQ4WGL4
userCertificate:: MIIDaT...
...
...PP09A==
description: 2;2684289388;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
seeAlso: CN=CA Subsystem,O=EXAMPLE.COM
The last one (MIIDaT...PP09A==) is the matching one.
The Serial Number seems to match too:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep -A1 Serial
Serial Number:
00:9f:ff:01:6c
# printf %d, 0x009fff016c
2684289388
What next? Can those other two certificates be removed?
Hi,
It's not a problem if the previous certs are still present in LDAP; you
can keep them there. It looks like the contents of the NSSDB and LDAP are
consistent.
A few other things to check:
- Are there any replication conflicts (if you have multiple CA masters)?
$ ldapsearch -D "cn=Directory Manager" -W -b o=ipaca
"(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
- In /etc/pki/pki-tomcat/ca/CS.cfg, the line starting with
'ca.subsystem.cert=' must contain the same cert as 'subsystemCert
cert-pki-ca' in /etc/pki/pki-tomcat/alias
- Are there any specific errors in /var/log/pki/pki-tomcat/ca/debug?
When the CA subsystem properly starts, you should see lines about
'subsystemCert cert-pki-ca' and SSL handshake like the following:
[date][localhost-startStop-1]: ldapconn/PKISocketFactory.makeSSLSocket: begins
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[date][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: begins
[date][localhost-startStop-1]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
[date][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
[date][localhost-startStop-1]: PKIClientSocketListener.handshakeCompleted: clientIP=<local IP> serverIP=<local IP> serverPort=31746
[date][localhost-startStop-1]: SSL handshake happened
[date][localhost-startStop-1]: Established LDAP connection with SSL client auth to <local hostname>:636
so any error related to subsystemCert cert-pki-ca may help us diagnose.
flo
Thanks in advance & b/r
H.
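As an added example (my own code, not from this thread and not part of FreeIPA or Dogtag) of the consistency checks discussed above: it runs offline on captured text, i.e. the LDIF that `ldapsearch -LLL` prints for uid=pkidbuser, the PEM that `certutil -L -a -n 'subsystemCert cert-pki-ca'` prints, and the `ca.subsystem.cert=` line from CS.cfg, and it reads the serial number straight out of the DER so that the `printf %d` conversion is done in code. The three sample certificates are constructed stand-ins whose ASN.1 layout is only valid down to the serial number, the `2;<serial>;<issuer DN>;<subject DN>` reading of the description attribute is my interpretation of the value quoted above, and `check_subsystem_cert`, `fake_cert` and the other function names are my own.

```python
import base64
import re

def _der(tag, body):
    """Definite-length DER TLV (only used here to build the stand-in certs)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(n):  # positive INTEGER: leading 0x00 when the high bit is set, hence certutil's 00:9f:ff:01:6c
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def fake_cert(serial):
    """Constructed stand-in, NOT a real X.509 cert: only the layout down to serialNumber is valid."""
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + _der(0x04, b"filler" * 30))
    return _der(0x30, tbs)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der):
    """Serial number read straight from Certificate > tbsCertificate > [0] version? > serialNumber."""
    _, pos, _ = _tlv(der, 0)
    _, pos, _ = _tlv(der, pos)
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:  # optional EXPLICIT version precedes the serial
        tag, start, end = _tlv(der, end)
    assert tag == 0x02, "serialNumber INTEGER not where expected"
    return int.from_bytes(der[start:end], "big")

def parse_ldif_entry(text):
    """One 'ldapsearch -LLL' entry: unfold leading-space continuations, base64-decode '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition("::")
        if not sep:
            attr, _, value = line.partition(":")
        val = base64.b64decode(value.strip()) if sep else value.strip()
        entry.setdefault(attr.lower(), []).append(val)
    return entry

def pem_to_der(pem):  # DER bytes of the PEM that 'certutil -L -a' prints
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))

def cscfg_cert(text, key="ca.subsystem.cert"):
    """DER bytes of the single-line base64 value stored under key in CS.cfg, or None."""
    for line in text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return base64.b64decode(v.strip())
    return None

def certutil_serial(text):
    """Serial from 'certutil -L' output, in the '00:9f:ff:01:6c' form shown above or the short '36 (0x24)' form."""
    m = re.search(r"Serial Number:\s*(?:\d+\s*\((0x[0-9a-f]+)\)|([0-9a-f:]+))", text, re.I)
    if not m:
        raise ValueError("no serial number in certutil output")
    return int((m.group(1) or m.group(2)).replace(":", ""), 16)

def check_subsystem_cert(ldif_text, nss_pem, cscfg_text):
    """The three consistency checks from the thread, each reported as a bool."""
    entry = parse_ldif_entry(ldif_text)
    nss_der = pem_to_der(nss_pem)
    ldap_certs = entry.get("usercertificate", [])
    # description is '2;<serial>;<issuer DN>;<subject DN>' (my reading of the value quoted above)
    desc_serial = int(entry["description"][0].split(";")[1])
    return {
        "nssdb_cert_in_ldap": nss_der in ldap_certs,                  # NSSDB vs uid=pkidbuser entry
        "cscfg_matches_nssdb": cscfg_cert(cscfg_text) == nss_der,     # CS.cfg vs NSSDB
        "serial_matches_description": cert_serial(nss_der) == desc_serial,
    }

SERIAL = 0x9FFF016C  # 2684289388, the serial in the thread; everything below is constructed stand-in data
CURRENT, OLD = fake_cert(SERIAL), [fake_cert(0x9FFF0101), fake_cert(0x9FFF0102)]  # OLD: superseded certs kept in LDAP

def _ldif_b64(attr, data, width=76):
    """Fold 'attr:: <base64>' the way ldapsearch does: continuation lines start with one space."""
    line = f"{attr}:: {base64.b64encode(data).decode()}"
    return "\n".join([line[:width]] + [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)])

SAMPLE_LDIF = "\n".join(
    ["dn: uid=pkidbuser,ou=people,o=ipaca"]
    + [_ldif_b64("userCertificate", c) for c in OLD + [CURRENT]]
    + [f"description: 2;{SERIAL};CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM",
       "seeAlso: CN=CA Subsystem,O=EXAMPLE.COM"])
_b64 = base64.b64encode(CURRENT).decode()
SAMPLE_NSS_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64)) + "\n-----END CERTIFICATE-----\n"
SAMPLE_CSCFG = f"ca.subsystem.cert={_b64}\n"
```

On a real server the three inputs would come from `ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description`, `certutil -L -a -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'` and `grep '^ca.subsystem.cert=' /etc/pki/pki-tomcat/ca/CS.cfg`; a `False` in `cscfg_matches_nssdb` is the case Florence's second bullet warns about, where the NSSDB was renewed but CS.cfg still carries the previous certificate.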
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...