Problem: After upgrading the CentrifyDC agent to version 19.6 on a Solaris 11.x machine, the
svc:/system/ca-certificates:default service goes into a degraded state due to duplicate certificates in the certificate store.
root@server02:~$ svcs -xv
svc:/system/ca-certificates:default (CA Certificates Service)
State: degraded since October 22, 2019 at 10:11:00 AM MDT
Reason: Degraded by service method: "Duplicate CA certificates /etc/certs/CA/Acme_Root_Certification_Authority.pem and /etc/certs/CA/trust_3AF427FE720C3AD144068DE81E57EFBG931267A1.pem both link to /etc/openssl/certs/0123456.1. ."
See: http://support.oracle.com/msg/SMF-8000-VE
See: man -M /usr/share/man -s 5openssl x509v3_config
See: /var/svc/log/system-ca-certificates:default.log
Impact: Some functionality provided by the service may be unavailable.
Cause: In the 19.6 release, Centrify added a group policy mapper script for the agent to put AD certificates into the default Solaris certificate store (
/etc/certs/CA/), as this is needed for MFA to work correctly. In previous versions of CentrifyDC, the AD certificates were not put in the correct location and had to be added manually.
Currently, the group policy mapper script does not check whether the same certificate already exists before adding it to the certificate store, so the same certificate can end up in the store twice under different file names, which can cause the
svc:/system/ca-certificates:default service to go into a degraded state due to duplicate certificates.
Workaround: 1. If using Multi-Factor Authentication (MFA), remove the duplicate certificate that is not coming from AD via the CentrifyDC agent. The certificates from Centrify are named with the following syntax:
trust_<certThumbprint>.pem
Example:
trust_3AF427FE720C3AD144068DE81E57EFBG931267A1.pem
or
2. If not using Centrify MFA, the mapper script that pulls down certificates from AD can be disabled.
See
KB-11019: How to disable Group Policy mapper script of DirectControl agent for the steps to disable the mapper script.
On Solaris the mapper script is:
/usr/share/centrifydc/mappers/machine/solaris_certgp.pl
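The check that the mapper script currently lacks, as an added example that is not Centrify's code: this Python script groups the PEM files of a certificate store by thumbprint and reports, for each duplicate group, the copy that does not carry Centrify's trust_<thumbprint>.pem name, which is the copy workaround 1 removes. It assumes the thumbprint is the SHA-1 of the certificate's DER encoding (matching the 40-hex-digit length of the example above) and uses a constructed sample store with placeholder bytes in place of real certificates.

```python
import base64, hashlib, os, re, sys
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def thumbprint(pem_text):
    """Upper-case SHA-1 hex of the DER body of the first certificate in a PEM string."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()

def find_duplicates(files):
    """files: {filename: pem_text}. Return {thumbprint: [filenames]} for
    every thumbprint present in more than one file (sorted by file name)."""
    groups = defaultdict(list)
    for name, pem in sorted(files.items()):
        groups[thumbprint(pem)].append(name)
    return {tp: names for tp, names in groups.items() if len(names) > 1}

def non_centrify_copies(dups):
    """For each duplicate group, list the files that do not follow Centrify's
    trust_<thumbprint>.pem naming: under workaround 1 these are the copies to remove."""
    return {tp: [n for n in names if n != f"trust_{tp}.pem"] for tp, names in dups.items()}

def load_store(path):
    """Read every .pem file in a directory (e.g. /etc/certs/CA) into {filename: pem_text}."""
    return {n: open(os.path.join(path, n)).read()
            for n in os.listdir(path) if n.endswith(".pem")}

def _pem(der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample store: the DER bodies are placeholder bytes, not real certificates.
DER_A = b"constructed placeholder certificate A"
TP_A = hashlib.sha1(DER_A).hexdigest().upper()
SAMPLE_STORE = {
    f"trust_{TP_A}.pem": _pem(DER_A),                      # copy written by the Centrify mapper
    "Acme_Root_Certification_Authority.pem": _pem(DER_A),  # pre-existing manually added copy
    "Other_Root.pem": _pem(b"constructed placeholder certificate B"),
}

if __name__ == "__main__":
    store = load_store(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STORE
    for tp, names in non_centrify_copies(find_duplicates(store)).items():
        print(f"{tp}: duplicate of trust_{tp}.pem found in {names}")
```

Run it with the store directory as the only argument to check a real machine; without an argument it runs against the constructed sample.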
Resolution: This will be fixed in a future release of Centrify Infrastructure Services.