On Tue, Nov 26, 2019 at 09:46:02AM +0300, Александер Скобельцын wrote:
Of course.
dn: uid=ipara,ou=people,o=ipaca cn: ipara objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: cmsuser userCertificate: MIIDXDCCAkSgAwIBAgIBEDANBgkqhkiG9w0BAQsFADAxMQ8wDQYDVQQKDAZUS VMuUksxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTExMDUwOTI3NTBaFw0yMT EwMjUwOTI3NTBaMCIxDzANBgNVBAoMBlRJUy5SSzEPMA0GA1UEAxMGSVBBIFJBMIIBIjANBgkqhki G9w0BAQEFAAOCAQ8AMIIBCgKCAQEA61dhtR4A8SqnP7t/L3xhg07moXfwvDBD+jOnY45GarO9DM0+ y+YRdJ1duMC7QYcEcvFuVonW2ZhNF4flS4isf7dweMTsHexDz/0sfuEZGNW+yBpDEZUSRMiTDbYYi kGv298Bbp1NmNHiUTayrsA1IlweESPmwR8r67n3qkWG+yIQ8Fz0iFue5GzK97/Gg7i+FJaFCeqaZR UB6RTeM/DPyBG50hLWfqt3CSh2S5J+3Ch9ZtsRM+iEqtE2JNJRAef1VmbufS9xkweg9OAVw1oJrzN 3wP/un3hmceH/DvxFETOk9FmT9AaXf/XCDwptxCJ+A7cV80vwG8zigLYrKpUgQQIDAQABo4GNMIGK MB8GA1UdIwQYMBaAFMLNVVXxp/y1I2CbR7V3sf7Ak/9iMDgGCCsGAQUFBwEBBCwwKjAoBggrBgEFB QcwAYYcaHR0cDovL2lwYS1jYS50aXMucmsvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBB YwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAFv2Vl7DIc0s7YCdNmA07 SrM/GIKeDbmgLqzinFqjMEH6/oR6bGqBcwDXr+0ss0lXYz2ndhRbEG1MI52POT/+sbJG48xJyQehd /r+VeWNgMzKRUGQoLLiHctevxn9ugJHLBpxZzgTqm7tG8r/O71JgHlY1u9b7a/j6uXFCjAz5yuu0h EHNYCaAViSwbAUFXu8906qOK087CFr8eFAY6Ng5oNLp8cAEkOQctoe1+Nubns2h5KN/W3fISnjOH/ ATjJo1dsJGdlRN5rlatKpi7ryijXAeA7M5+8WMwF+PIhVBULhFSLXQj3MT4mU5HBp9PJj0n+uyhWY PNrY+sTNX7U3S userstate: 1 usertype: agentType sn: ipara uid: ipara description: 2;16;CN=Certificate Authority,O=TIS.RK;CN=IPA RA,O=TIS.RK userPassword:: e1NTSEE1MTJ9b3dvbTJCcXZQczljaW91OFVVMkFVdWxZUVg4b2FkY0Q0a1MwaDM xS2FkYU0wNTcxaVFGK0M5L213M2hnMHBZNkhBVFlrclBlckJucGtPYTVRWGYzYWZta2haNnRjMVlW
Hi Alexander,
I just noticed what the problem (probably) is. The userCertificate attribute is binary data. It should be represented with TWO colons ("::") after the attribute name, i.e.:
userCertificate:: MII...
Could you please update the LDAP entry and try again?
Thanks, Fraser
Fixed! It just worked like a charm. I paid no attention to the field format of UserCertificate, and the bad format was confusing Dogtag. I saved all the LDIF files, so I just modified all of them and ran ldapmodify again. After that IPA can successfully talk to Dogtag, as well as certmonger. And ipa-server-upgrade showed no errors while running.
Many thanks for the help!
On Wed, 27 Nov 2019 at 03:57, Fraser Tweedale <ftweedal@redhat.com> wrote:
freeipa-users@lists.fedorahosted.org
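The fix in this thread turns on how LDIF encodes values: after a single colon the value is taken as literal text, and only `::` marks it as base64 to be decoded into bytes. The following check is an added example, not code from the thread or from FreeIPA or Dogtag; it flags certificate attributes that were written with a single colon before the file is passed to ldapmodify. The `BINARY_ATTRS` list and the sample entry are assumptions constructed for illustration.

```python
import base64

# Attributes that hold DER blobs and must use "::" (assumed list; extend as needed).
BINARY_ATTRS = {"usercertificate", "cacertificate"}

def unfold(text):
    """Join RFC 2849 continuation lines (they start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_value(line):
    """Return (attr, encoding, value_bytes) for one unfolded LDIF line."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):      # "attr:: <base64>" -> decoded bytes
        return attr, "base64", base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):      # "attr:< <url>" -> value is read from the URL
        return attr, "url", rest[1:].strip().encode()
    return attr, "plain", rest.strip().encode()   # "attr: <text>" -> literal text

def lint(text):
    """Return (attr, problem) for binary attributes that would not hold DER."""
    findings = []
    for line in unfold(text):
        try:
            attr, enc, value = parse_value(line)
        except ValueError:        # binascii.Error is a ValueError subclass
            findings.append((line.partition(":")[0], "invalid base64 after '::'"))
            continue
        if attr.split(";")[0].lower() not in BINARY_ATTRS:
            continue
        if enc == "plain":
            findings.append((attr, "single colon: value is stored as literal text"))
        elif enc == "base64" and not value.startswith(b"\x30"):
            findings.append((attr, "decoded value is not a DER SEQUENCE"))
    return findings

# Constructed sample data: 68 DER-shaped bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x00\x40" + bytes(range(64))
B64 = base64.b64encode(FAKE_DER).decode()

def sample(sep):
    # Folded like exported LDIF: the continuation line starts with a space.
    return ("dn: uid=example,ou=people,o=example\nuid: example\n"
            f"userCertificate{sep} {B64[:40]}\n {B64[40:]}\n")

BAD, GOOD = sample(":"), sample("::")
```

`lint(BAD)` reports the single-colon certificate, while `lint(GOOD)` returns an empty list because the decoded value begins with the DER SEQUENCE tag.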