Hello,
I'm having various problems with our FreeIPA setup, like not being able to establish a new replica server or add a client anymore. Initially we had a certificate issue, then we upgraded the master FreeIPA server (CentOS 7.0.146) to FreeIPA v4.4.0 a few months back.
On the master server, 4 entries show up for the IPA CA certificate. Is this normal?
[root@ds01 ~]# certutil -d /etc/pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
thank you,
regards,
Bhavin
Bhavin Vaidya via FreeIPA-users wrote:
Hello,
I'm having various problems with our FreeIPA setup, like not being able to establish a new replica server or add a client anymore. Initially we had a certificate issue, then we upgraded the master FreeIPA server (CentOS 7.0.146) to FreeIPA v4.4.0 a few months back.
On the master server, 4 entries show up for the IPA CA certificate. Is this normal?
[root@ds01 ~]# certutil -d /etc/pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
The question is: are these all different certificates (and why)? I assume someone ran ipa-cacert-manage renew a bunch of times.
Multiple entries in itself shouldn't be a problem.
I assume this is related to your client install issues. You may be able to get away with having just the latest CA cert stored in LDAP to avoid this.
rob
On 10/12/2017 03:29 AM, Rob Crittenden via FreeIPA-users wrote:
Bhavin Vaidya via FreeIPA-users wrote:
Hello,
I'm having various problems with our FreeIPA setup, like not being able to establish a new replica server or add a client anymore. Initially we had a certificate issue, then we upgraded the master FreeIPA server (CentOS 7.0.146) to FreeIPA v4.4.0 a few months back.
On the master server, 4 entries show up for the IPA CA certificate. Is this normal?
[root@ds01 ~]# certutil -d /etc/pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
The question is: are these all different certificates (and why)? I assume someone ran ipa-cacert-manage renew a bunch of times.
Multiple entries in itself shouldn't be a problem.
I assume this is related to your client install issues. You may be able to get away with having just the latest CA cert stored in LDAP to avoid this.
I saw this last night and my first thought was this shouldn't happen because certutil enforces nickname uniqueness.
We would like to verify what each cert is, specifically its issuer and serial number. But we can't ask certutil to show us the details of a cert, because you must pass the -n nickname flag to certutil so it can find the cert to display. Since the nicknames are not unique, you can't do that. This is why certutil (and any low-level NSS API that adds a cert to the db) demands name uniqueness.
Are the names listed with -L truly unique? It looks like you edited them.
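As an added illustration of John's point (my own example, not code from the thread or from FreeIPA): certutil's text listing cannot single out one of several same-named certs, but the -a (ASCII/PEM) output can be split and fed to openssl so that each entry's serial, issuer, validity and fingerprint become visible. It assumes certutil and openssl are installed, and that `certutil -L -n <nick> -a` emits every certificate carrying the nickname rather than only the first match.

```shell
# Added example, not from the thread: tell apart NSS-db certificates that share
# one nickname by dumping them as a PEM bundle and printing, per certificate,
# the serial, issuer, validity and SHA-256 fingerprint. Needs certutil and openssl.
set -eu

NSSDB="${NSSDB:-/etc/pki/nssdb}"     # database path from the thread
NICK="${NICK:-EXAMPLE.COM IPA CA}"   # nickname from the thread

# Assumption: with -a, certutil emits every certificate carrying the nickname,
# not only the first match, so none of the four entries is hidden.
dump_bundle() {
    certutil -d "$NSSDB" -L -n "$NICK" -a
}
# Number of certificate blocks in a PEM bundle ($1), duplicates included.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}
# Print serial, issuer, subject, dates and fingerprint for each certificate in
# the bundle ($1): awk splits it into one file per BEGIN/END block, openssl
# decodes each. These are the fields that certutil -n cannot show here.
describe_bundle() {
    tmp="$(mktemp -d)"
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -serial -issuer -subject -dates -fingerprint -sha256
        echo
    done
    rm -rf "$tmp"
}
# Number of distinct certificates by fingerprint. Fewer than count_certs means
# the same cert was imported repeatedly; equal means genuinely different certs
# (e.g. successive renewals), which the serials and dates then confirm.
distinct_certs() {
    describe_bundle "$1" | grep -i 'fingerprint=' | sort -u | wc -l | tr -d ' '
}

# Run against the server's database only when asked for explicitly.
if [ "${1:-}" = "--live" ]; then
    dump_bundle > /tmp/ipa-ca-bundle.pem
    echo "entries: $(count_certs /tmp/ipa-ca-bundle.pem)"
    echo "distinct: $(distinct_certs /tmp/ipa-ca-bundle.pem)"
    describe_bundle /tmp/ipa-ca-bundle.pem
fi
```

Run it as `sh inspect-ca.sh --live` on the master; an entry count of 4 with a distinct count of 1 means one certificate imported four times, while 4 distinct fingerprints with differing serials and dates point to repeated renewals.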
Thank you, Rob and John.
John, yes, they are unique; I just replaced the first word on each line.
I will have to find out how to find these certificates in LDAP and keep all but the latest, as Rob suggested.
Regards,
Bhavin
From: John Dennis <jdennis@redhat.com>
Sent: Thursday, October 12, 2017 6:10 AM
To: FreeIPA users list
Cc: Bhavin Vaidya; Rob Crittenden
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries