Hi,

Did you check the permissions of the ra-agent certificate files?

# ls -lZ /var/lib/ipa/ra-agent.*
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1704 May 31  2022 /var/lib/ipa/ra-agent.key
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1395 May 31  2022 /var/lib/ipa/ra-agent.pem

The files must be readable by IPA framework.

flo

On Wed, Dec 14, 2022 at 12:10 PM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi ,
I checked again and it matches
ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
usercertificate:: MIID2zCCAkOgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlXSU5HT04uSEsxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMjExMTYwMjMzMDJaFw0yNDExMDUwMjMzMDJaMCUxEjAQBgNVBAoMCVdJTkdPTi5ISzEPMA0GA1UEAxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAweZk70qnab7kJNH3Equt/OM5BgDA/8jMLovrMckOEuR0i7ESdbhYs7WXIRdz24Sfj21JoNiFznX6PNt5+lNGHeIGV59YWMeNp7+6fOzON3obtdSLCmu+B+8IDxjO0FKPGfjeMFXnY5SgxylBPqZ7O80Toa6hr+NgFnloFzBZxZZYM20qmGlyPP1XE1eoNLlqKGEv7dhyt+quAfos0OYwlsiQUe1x99Yh4ACtEXUiaDNgFbMrqSNmaB0VDwFjhki/LlSeuT8cf3qhasO/1uXqLVGfk1Rp6tLgpQM7Yme82xP+7mU9qb+2rmvwZEZ7IdhYtyPHR9/tcAd+gWVGNXB4QQIDAQABo4GGMIGDMB8GA1UdIwQYMBaAFJ8ZyajgiijLxO2BwLiNp41P71lBMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL2lwYS1jYS53aW5nb24uaGsvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBLAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggGBAHNXs5jedTldgECYHyiR1dLog9MZt2LlL8CUwOV9CVV7Y6GYK7faEVqQ6asJaMt6lIbfP/5luDDP3I/IV9b0LiKN8lkVCOcQ6h5gWPni5IEc5BKeCAcrF5Val+XhnEXraSyy0Ak5sxlMlKRN0Um8vvsk2t11xYeB4edgqdU6lpr2
 3p9jXVZUgdFYcEo2WG0Mf/tES8ekccdYuEUqwK+ftqn1JytbLekVl/uIB79qS5+PIjTBtm8WiC0BWtaR4M/qQPJIwczfQNj3svhtuC/PeL6yWL7j20CkPvOldvIvcyJvRfmblkWWZbjy3xRRa1o1FwjMZbN+c/DA3Fp9HWUv97h6clXb1+n6ZRhthm3R+cD7uK5wGtMzcyM/c0GhonxdCYGuBNYmGuxMv6qGFvga2K18zVi9i4zVoFz27rllTaHWAEQvsI/BSwTKkEiLjNp9XmncKiz2SbMiC0f6i6hwpbk4rmNeM1Zwvo+TTpu7iVP57pz1zMaLXPLInkbjx1A1Wg==

cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID2zCCAkOgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlXSU5H
T04uSEsxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMjExMTYw
MjMzMDJaFw0yNDExMDUwMjMzMDJaMCUxEjAQBgNVBAoMCVdJTkdPTi5ISzEPMA0G
A1UEAxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAweZk
70qnab7kJNH3Equt/OM5BgDA/8jMLovrMckOEuR0i7ESdbhYs7WXIRdz24Sfj21J
oNiFznX6PNt5+lNGHeIGV59YWMeNp7+6fOzON3obtdSLCmu+B+8IDxjO0FKPGfje
MFXnY5SgxylBPqZ7O80Toa6hr+NgFnloFzBZxZZYM20qmGlyPP1XE1eoNLlqKGEv
7dhyt+quAfos0OYwlsiQUe1x99Yh4ACtEXUiaDNgFbMrqSNmaB0VDwFjhki/LlSe
uT8cf3qhasO/1uXqLVGfk1Rp6tLgpQM7Yme82xP+7mU9qb+2rmvwZEZ7IdhYtyPH
R9/tcAd+gWVGNXB4QQIDAQABo4GGMIGDMB8GA1UdIwQYMBaAFJ8ZyajgiijLxO2B
wLiNp41P71lBMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL2lw
YS1jYS53aW5nb24uaGsvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBLAwEwYDVR0lBAww
CgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggGBAHNXs5jedTldgECYHyiR1dLo
g9MZt2LlL8CUwOV9CVV7Y6GYK7faEVqQ6asJaMt6lIbfP/5luDDP3I/IV9b0LiKN
8lkVCOcQ6h5gWPni5IEc5BKeCAcrF5Val+XhnEXraSyy0Ak5sxlMlKRN0Um8vvsk
2t11xYeB4edgqdU6lpr23p9jXVZUgdFYcEo2WG0Mf/tES8ekccdYuEUqwK+ftqn1
JytbLekVl/uIB79qS5+PIjTBtm8WiC0BWtaR4M/qQPJIwczfQNj3svhtuC/PeL6y
WL7j20CkPvOldvIvcyJvRfmblkWWZbjy3xRRa1o1FwjMZbN+c/DA3Fp9HWUv97h6
clXb1+n6ZRhthm3R+cD7uK5wGtMzcyM/c0GhonxdCYGuBNYmGuxMv6qGFvga2K18
zVi9i4zVoFz27rllTaHWAEQvsI/BSwTKkEiLjNp9XmncKiz2SbMiC0f6i6hwpbk4
rmNeM1Zwvo+TTpu7iVP57pz1zMaLXPLInkbjx1A1Wg==
-----END CERTIFICATE-----

thanks,
junhou
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue