On 2/25/20 4:18 PM, Chris Bacott via FreeIPA-users wrote:
Hello,
I've been searching for resolution on this issue for a while now, but it seems all of
the issues others have encountered were unrelated.
Host OS: CentOS 8.1.1911
All packages up to date.
This is a stock installation of freeipa, nothing tricky like replication or anything. The
system authenticates fine, however when I went to add a host to it, for whatever reason
the client got the hostname wrong, thus samba authentication wasn't working. I deleted
the install on the client, and went to re-install, and it began asking for a password for
the host. I never set one up to my knowledge. So, I went to delete the client host
completely from the server, and that is where I got the above error.
I've examined 'getcert list', no error. I confirmed that all firewalls are
(currently) off, and ports are open. I've examined all logs under /var/log/pki, and
there are no errors that I could find. As far as I can tell, tomcat is working just
fine, all certs are fine, but ipa is saying it cannot connect, getting a 403 forbidden
error. Any insights would be helpful.
Hi,
"ipa host-del" is internally checking if there are any certificates
associated with the host that is being deleted. In order to do this
internal check, it needs to connect to the PKI server. The connection is
authenticated using the RA cert stored in /var/lib/ipa/ra-agent.pem.
To check that this authentication is OK, you can run
$ kinit admin
$ ipa cert-show 1
If this command fails, you need to check that the content of the cert in
/var/lib/ipa/ra-agent.pem is consistent with the entry
uid=ipara,ou=people,o=ipaca:
$ ldapsearch -D cn=directory\ manager -w Secret123 -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
- the usercertificate attribute must contain the same certificate as the
ra-agent.pem, in a single line and without header/footer, for instance
userCertificate:: MIIDyD...
- the description attribute must have the following content:
description: 2;<serial>;<issuer>;<subject>
with serial, issuer and subject identical to the values that could be
seen in ra-agent.pem with
$ openssl x509 -noout -text -in ra-agent.pem
If there is a mismatch, you need to fix the inconsistency. Find which
certificate is the most recent (the one from ldap or the one from
ra-agent.pem file), keep this one and update the other with the right
values.
HTH,
flo
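The consistency check flo describes, written out as an added example (not code from the thread or from FreeIPA itself): it takes the text of ra-agent.pem, the output of the openssl command and the output of the ldapsearch command, and reports every mismatch between the file and the uid=ipara entry. All sample values are constructed, and the serial in the description attribute is assumed to be decimal.

```python
"""Check that /var/lib/ipa/ra-agent.pem matches the uid=ipara LDAP entry.
Inputs are the texts the thread's commands produce; samples are constructed."""
import re

def pem_to_single_line(pem):
    """Drop the PEM header/footer and join the base64 body into one line."""
    return "".join(l.strip() for l in pem.splitlines() if l and "-----" not in l)

def parse_name(name):
    """'O = EXAMPLE.COM, CN = IPA RA' -> [('O','EXAMPLE.COM'), ('CN','IPA RA')].
    Assumes no escaped commas inside attribute values."""
    return [(k.strip().upper(), v.strip())
            for k, v in (p.split("=", 1) for p in name.split(","))]

def parse_openssl_text(text):
    """Pull serial, issuer and subject out of `openssl x509 -noout -text` output."""
    raw = re.search(r"Serial Number:\s*(\S+)", text).group(1)
    # small serials print as '7 (0x7)', large ones as hex octets on the next line
    serial = int(raw.replace(":", ""), 16) if ":" in raw else int(raw)
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1)
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1)
    return {"serial": serial, "issuer": parse_name(issuer), "subject": parse_name(subject)}

def parse_ipara_ldif(ldif):
    """Read userCertificate and '2;<serial>;<issuer>;<subject>' (serial assumed decimal)."""
    attrs = {}
    for line in ldif.splitlines():
        sep = "::" if "::" in line else ":"
        if sep in line:
            k, v = line.split(sep, 1)
            attrs[k.strip().lower()] = v.strip()
    _, serial, issuer, subject = attrs["description"].split(";", 3)
    return {"cert": attrs.get("usercertificate"), "serial": int(serial),
            "issuer": parse_name(issuer), "subject": parse_name(subject)}

def check_ra_consistency(pem, openssl_text, ldif):
    """Return a list of mismatches between the PEM file and the LDAP entry; [] is healthy."""
    cert, entry, problems = parse_openssl_text(openssl_text), parse_ipara_ldif(ldif), []
    if pem_to_single_line(pem) != entry["cert"]:
        problems.append("userCertificate differs from ra-agent.pem")
    if cert["serial"] != entry["serial"]:
        problems.append(f"serial: cert {cert['serial']} vs ldap {entry['serial']}")
    for field in ("issuer", "subject"):  # openssl prints RDNs in the reverse order of LDAP
        if list(reversed(cert[field])) != entry[field]:
            problems.append(f"{field}: cert {cert[field]} vs ldap {entry[field]}")
    return problems

# constructed samples: the base64 below is not a real certificate
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIDyDCCArCgAwIBAgIBBzANBgkq\nhkiG9w0BAQsFADA0\n-----END CERTIFICATE-----\n"
SAMPLE_OPENSSL = """Certificate:
    Data:
        Serial Number: 7 (0x7)
        Issuer: O = EXAMPLE.COM, CN = Certificate Authority
        Subject: O = EXAMPLE.COM, CN = IPA RA
"""
SAMPLE_LDIF = """dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
userCertificate:: MIIDyDCCArCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0
"""
```

An empty result means the file and the entry agree; each reported line names the field to repair on whichever side holds the older certificate.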
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org