Cody Ashe-McNalley via FreeIPA-users wrote:
Hi All,
My primary CA's httpd and slapd certs show a 'ca-error' warning "4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2."
RHEL 7.9
ipa-server-4.6.8-5.el7.x86_64
CA and DNS enabled
Request ID '20180927235641':
status: CA_UNREACHABLE
ca-error: Server at https://<ipaserver>/ipa/xml failed request, will retry: 4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<DOMAIN>/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<DOMAIN>
subject: CN=<ipaserver>,O=<DOMAIN>
expires: 2022-05-05 23:59:26 UTC
principal name: ldap/<ipaserver>@<DOMAIN>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <DOMAIN>
track: yes
auto-renew: yes
Request ID '20180927235642':
status: CA_UNREACHABLE
ca-error: Server at https://<ipaserver>/ipa/xml failed request, will retry: 4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<DOMAIN>
subject: CN=<ipaserver>,O=<DOMAIN>
expires: 2022-05-05 23:59:25 UTC
principal name: HTTP/<ipaserver>@<DOMAIN>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Advice and experience would be greatly appreciated.
I suspect replication conflict entries. I'd suggest starting with:
$ kinit admin
$ ldapsearch -LLL -Y GSSAPI -b cn=services,cn=accounts,$BASEDN '(krbprincipalname=ldap/<ipaserver>@<DOMAIN>)'
Similar for the HTTP principal.
rob
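The search Rob suggests returns plain LDIF, and the "Expected 1 and found 2" error means two entries under cn=services match the same krbprincipalname. The script below is an added example (not from the thread or from FreeIPA) that takes that LDIF and tells the two entries apart. It assumes the 389-ds conventions for a replication conflict entry: an attribute `nsds5ReplConflict: namingConflict <dn it collided with>` and an RDN of the form `nsuniqueid=<uuid>+<original rdn>`. The LDIF embedded in it is constructed for illustration; the host `ipa1.example.test`, realm `EXAMPLE.TEST` and the nsuniqueid value are made up.

```python
"""Sort the entries returned for one service principal into the real entry
and any 389-ds replication conflict entries.

Added example for the FreeIPA-users thread; not FreeIPA code.  Assumptions
(not stated in the thread): a conflict entry carries
  nsds5ReplConflict: namingConflict <dn of the entry it collided with>
and its RDN is prefixed with nsuniqueid=<uuid>+ .
"""
import base64
import re

# Constructed sample of what
#   ldapsearch -LLL -Y GSSAPI -b cn=services,cn=accounts,dc=example,dc=test \
#       '(krbprincipalname=ldap/ipa1.example.test@EXAMPLE.TEST)'
# could return on a server that holds a conflict entry.  Not real output.
SAMPLE_LDIF = """\
dn: krbprincipalname=ldap/ipa1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: ipaservice
objectClass: krbprincipal
krbPrincipalName: ldap/ipa1.example.test@EXAMPLE.TEST
managedBy: fqdn=ipa1.example.test,cn=computers,cn=accounts,dc=example,dc=test

dn: nsuniqueid=8e9f1a02-3b4c11eb-9c1dd2f0-5a6b7c8d+krbprincipalname=ldap/ipa1.e
 xample.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: ipaservice
objectClass: krbprincipal
krbPrincipalName: ldap/ipa1.example.test@EXAMPLE.TEST
nsds5ReplConflict: namingConflict krbprincipalname=ldap/ipa1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test

"""

# Conflict entries get their original RDN prefixed with the entry's nsuniqueid.
CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+", re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (attribute names
    lower-cased, 'dn' included).  Unfolds continuation lines (leading space),
    decodes base64 values ('::') and skips comment lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    return entries


def classify(entries):
    """Split entries into (good_dns, conflicts).  An entry is a conflict if it
    carries nsds5ReplConflict or its RDN has the nsuniqueid=...+ prefix; the
    DN it collided with is taken from the attribute value when present."""
    good, conflicts = [], []
    for entry in entries:
        dn = entry["dn"][0]
        marker = entry.get("nsds5replconflict", [])
        if marker or CONFLICT_RDN.match(dn):
            target = None
            if marker and " " in marker[0]:
                target = marker[0].split(" ", 1)[1]
            conflicts.append({"dn": dn, "collides_with": target})
        else:
            good.append(dn)
    return good, conflicts


def diagnose(ldif_text, principal):
    """Explain an 'Expected 1 and found N' result for one principal: how many
    entries matched, which DN is the real one, and which are conflicts."""
    wanted = principal.lower()
    entries = [e for e in parse_ldif(ldif_text)
               if wanted in (v.lower() for v in e.get("krbprincipalname", []))]
    good, conflicts = classify(entries)
    return {"found": len(entries), "good": good, "conflicts": conflicts}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LDIF, "ldap/ipa1.example.test@EXAMPLE.TEST")
    print(f"found {result['found']} entries, {len(result['conflicts'])} conflict(s)")
    for dn in result["good"]:
        print("keep:    ", dn)
    for c in result["conflicts"]:
        print("conflict:", c["dn"])
        print("  collides with:", c["collides_with"])
```

Run the same check for the HTTP/<ipaserver>@<DOMAIN> principal, and run the search against every replica rather than only the one showing the certmonger error, since a conflict entry can exist on some masters and not others; the filter `(nsds5ReplConflict=*)` under the same base lists all conflict entries at once. Only remove the entry that carries the conflict marker, and only after confirming that the other replicas agree the unmarked entry is the real one. Once a single entry remains, the two tracking requests can be retried with `getcert resubmit -i <request id>` (a standard certmonger command, not a step from Rob's reply).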