How to make ipa root certificate available system wide
by Kevin Vasko
Hello,
I want to make our HTTPS servers use a trusted certificate within our LAN only. So, for example, if I have websrv1.ny.example.com and a user on a machine that’s enrolled in our realm visits https://websrv1.ny.example.com, they shouldn’t be prompted to accept the self-signed certificate.
I think I’m pretty close but I’m missing a small part.
The ipa server is all setup and working. Hosts are enrolled to ipa and have the /etc/ipa/ca.crt.
I have created a service for the http server in IPA. I have obtained a .key file and .crt file for my web server. Those keys for the web server are in the appropriate location and the web server is pointing at the certs correctly.
On my clients, when I go to the web server’s URL, I am no longer getting a “self signed cert” error message in the browser.
That message has now changed to “unverified certificate authority”, which basically indicates to me that the browser doesn’t know if this certificate authority should/can be trusted.
If I go into the browser (Firefox or Chrome), to the certificate authority section, and import /etc/ipa/ca.crt, I get no errors in the browser about it being unverified.
So my question is, what am I missing to make the /etc/ipa/ca.crt file globally available for browsers to pick up the certificate automatically?
When we enroll a host we simply do
freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
Accept the defaults, put in the password to enroll and that’s it. Is there something I’m missing?
-Kevin
4 years, 3 months
suggestion for password policy
by Charles Hedrick
The NIST recommendations for passwords say they don’t think character classes and expiration are useful. Instead, they recommend using a blacklist of known common passwords. There’s no way to implement this policy without writing your own plugin. It would be useful for IPA’s password policy to allow you to specify a database of forbidden passwords.
We’ve done this using a plugin, but I’d rather not have to write C code to implement policy.
4 years, 4 months
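The kind of check the post asks for, as an added illustration (not FreeIPA code and not the poster's plugin): a NIST SP 800-63B style screen with no character-class rules or expiry, just a minimum length, a blocklist of known weak passwords, and a check for context-specific words such as the username. The blocklist and the leetspeak substitution table are constructed samples.

```python
"""NIST SP 800-63B style password screening: minimum length, a blocklist of
known weak passwords, and no context-specific words. Added illustration for
the list post; BLOCKLIST below is a constructed sample."""
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8
# Constructed sample; a real deployment loads a large breach-derived list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "summer2019"}
# Common substitutions folded back to letters so "P@ssw0rd" matches "password".
LEET = str.maketrans("@401$3", "aaolse")
TRAILING = "0123456789!@#$%^&*.?_-"


def candidates(pw: str) -> set:
    """Forms of the password compared against the blocklist: normalized,
    with trailing digits/punctuation stripped, and with leetspeak undone."""
    base = unicodedata.normalize("NFKC", pw).casefold()
    forms = {base, base.translate(LEET)}
    stripped = base.rstrip(TRAILING)
    if stripped:  # an all-digit password would strip to nothing
        forms.update({stripped, stripped.translate(LEET)})
    return forms


def check_password(pw: str, context_words: Iterable[str] = (),
                   blocklist=BLOCKLIST) -> List[str]:
    """Return policy violations; an empty list means the password is acceptable.
    context_words are values like the username or realm that must not appear."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidates(pw) & blocklist:
        problems.append("matches a blocklisted common password")
    norm = unicodedata.normalize("NFKC", pw).casefold()
    for word in context_words:
        w = word.casefold()
        if len(w) >= 3 and w in norm:
            problems.append(f"contains context-specific word {word!r}")
    return problems
```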
FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
by Wulf C. Krueger
Hello,
my FreeIPA installation was working well on Fedora 30. After upgrading
to F31, though, it fails to start:
----
# ipactl start
IPA version error: data needs to be upgraded (expected version
'4.8.1-4.fc31', current version '4.8.1-1.fc30')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status
1: 'Job for pki-tomcatd@pki-tomcat.service failed because a timeout was
exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and
"journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
See the upgrade log for more details and/or run
/usr/sbin/ipa-server-upgrade again
Aborting ipactl
----
Logs:
ipaupgrade.log: https://mailstation.de/ipa-logs/ipaupgrade.log
pki-tomcatd@pki-tomcat log:
https://mailstation.de/ipa-logs/pki-tomcatd@pki-tomcat.log
pki-tomcat-ca-debug log:
https://mailstation.de/ipa-logs/pki-tomcat-ca-debug.2019-11-02.log
So it looks like the LDAP server isn't reachable but its log says it's
running: https://mailstation.de/ipa-logs/dirsrv@MAILSTATION-DE.log
There's nothing listening on ports 389 and 636, though.
Help would be highly appreciated.
Best regards, Wulf
4 years, 4 months
pki-tomcat doesn't start, it can't update certificate
by Serge Barkov
I have a FreeIPA setup with two nodes. I have no problem with one of them, but on the other one pki-tomcat can't start.
ipactl starts with --ignore-service-failure
and
pki-tomcatd Service: STOPPED
The first thing I found was an expired certificate, and I changed the date back in time to before the expiration date. ipa-cacert-manage renew says ok, but the certificate for pki-tomcat doesn't work.
getcert list shows all certificates are fine, but not this one:
Request ID '20171110140549':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa0.domain.com,O=DOMAIN.COM
expires: 2019-10-31 14:05:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
[root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview
HTTP Status 404 - /ca/agent/ca/profileReview
type Status report
message /ca/agent/ca/profileReview
description The requested resource is not available.
Apache Tomcat/8.0.46
What can I do to make pki-tomcat work? How to repair the certificate?
4 years, 4 months
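A check an operator could run over `getcert list` output to catch a record like the one in this post before the certificate lapses, as an added illustration (not a FreeIPA tool): it flags requests whose status is not MONITORING, that carry a ca-error, or whose certificate is expired or within a warning window. SAMPLE is constructed from the record in the post plus one healthy record for contrast, and REFERENCE_NOW is a constructed clock value.

```python
"""Audit `getcert list` output for certmonger requests that need attention.
Added illustration for the thread; SAMPLE is constructed from the record in
the post plus a healthy record, REFERENCE_NOW is a constructed clock."""
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Request ID '20171110140549':
  status: CA_UNREACHABLE
  ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
  subject: CN=ipa0.domain.com,O=DOMAIN.COM
  expires: 2019-10-31 14:05:23 UTC
Request ID '20171110140550':
  status: MONITORING
  subject: CN=ipa0.domain.com,O=DOMAIN.COM
  expires: 2021-10-31 14:05:23 UTC
"""
# Constructed "current time" so the audit is reproducible: days after expiry.
REFERENCE_NOW = datetime(2019, 11, 5, tzinfo=timezone.utc)

def parse_getcert(text):
    """One dict per 'Request ID' block; indented 'key: value' lines become entries."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def needs_attention(req, now, warn_days=30):
    """Reasons this request needs an operator; an empty list means healthy."""
    reasons = []
    if req.get("status") != "MONITORING":
        reasons.append(f"status {req.get('status')}")
    if "ca-error" in req:
        reasons.append("ca-error present")
    if "expires" in req:
        when = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        if when <= now:
            reasons.append(f"expired {req['expires']}")
        elif when - now <= timedelta(days=warn_days):
            reasons.append(f"expires within {warn_days} days")
    return reasons

def audit(text, now=REFERENCE_NOW):
    """Map request id -> reasons, listing only requests that need attention."""
    findings = {r["id"]: needs_attention(r, now) for r in parse_getcert(text)}
    return {rid: why for rid, why in findings.items() if why}
```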
shouldn't freeipa work by default?
by Harald Dunkel
Hi folks,
*ipa help topics* gives me
# ipa help topics
ipa: ERROR: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
# env | egrep LANG\|LC
# echo $?
1
Shouldn't the command line interface work by default? Why not silently
assume UTF-8 and continue?
Printing a warning might be OK.
Regards
Harri
4 years, 4 months
files to omit from backup
by Charles Hedrick
We currently do rsync backups of our server. On an MIT server, you’d want to omit the stash file. But IPA doesn’t use that. Is there anything like that that should be omitted? I’m not sure just how freeipa bootstraps trust when it starts up.
4 years, 4 months
CentOS 7: after unenrolling and joining to a new server, authorization doesn’t work
by Petar Kozić
Hi,
I have one IPA server, dirsrv001, and a new one, dirsrv002.
dirsrv001 is the old server from which I want to unenroll my VPSs and join them to the
new server. I did some testing with Ubuntu VPSs and that works perfectly.
I have a problem with one CentOS 7 server.
I join the client to dirsrv002 without problems, but when I want to log in, I can
log in over ssh but I can’t do sudo. It asks me for the password three times,
and that is it.
Sudo permissions on the IPA server are configured correctly, because they work on others.
If I run on that Centos client command:
kinit my_username
and when I enter pass everything is ok.
If I check syslog, I get this error:
[sssd[krb5_child[8541]]]: Key version is not available
I found that the problem is with the /etc/krb5.keytab file. But I tried to unenroll
the client, move that file and join again, and the problem was the same.
Please, does someone have some idea?
--
Petar Kozić
4 years, 4 months
"finger" not working to match on names. What am I missing here?
by Russell Jones
Hi all,
I have client machines bound to my FreeIPA domain correctly as best I can
tell. I have noticed however that the "finger" command appears to not be
matching on users' names anymore like it does with my older NIS clients.
Finger appears to only work when passing it the actual username of a user,
not their first or last names.
/etc/nsswitch.conf is configured properly for user matching on the client.
What am I missing?
Thank you!
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files sss
#hosts: db files nisplus nis dns
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus
sudoers: files sss
4 years, 4 months
Retro Changelog errors
by Mark Lundie
Hi all,
I've run into an issue with RetroCL (I think) on our IPA server. This is the sole master, there is no replication:
# ipa-replica-manage list
<ipa-hostname>: master
The problem appeared during an attempted group rename, but every subsequent attempt to change results in the same error:
[27/Jan/2020:11:29:49.590558266 +0000] - ERR - managed-entries-plugin - mep_rename_managed_entry - Unable to rename managed entry "cn=matstudio2016,cn=groups,cn=accounts,<domain>" to "cn=matstudio,cn=groups,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:11:29:49.897693314 +0000] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[27/Jan/2020:13:23:16.986652546 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:16.989427768 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:16.993607315 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:16.998637893 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:17.001620504 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:17.005510536 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:55.016578895 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264302, dn = changenumber=264302,cn=changelog: Already exists.
[27/Jan/2020:13:23:55.020029522 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
I note that the changenumber decreased by 1 as well. Unfortunately the access log has rotated several times since the change, so I can't extract anything from there. My colleague did have a record of the commands that were run:
# ipa user-mod --rename=matstudio matstudio2016
# ipa user-mod --rename=matstudio2016 matstudio
# ipa user-mod --rename=matstudio matstudio2016
There is no group-mod command, so I assume that the group rename attempt was ipa trying to rename the private group matstudio2016 to matstudio, which already existed:
# ipa group-show matstudio2016
Group name: matstudio2016
Description: User private group for matstudio2016
GID: 99999
# ipa group-show matstudio
Group name: matstudio
Description: blanked
GID: 11008
Member users: blanked
I've tried to delete the groups, both via ipa and ldapmodify (tried to remove the mepManagedEntry objectclass and mepManagedBy attribute), but always encounter the changelog error. Alas, there is no backup prior to this change from which to restore, so I am trying to fix things online. Thankfully authorisation and authentication are still working for now, but we can't add users, modify groups, etc.
Incidentally, ipa user-show --all --raw returns nothing for either uid, but ldapsearch does. The old user (matstudio2016) and group (matstudio) were migrated at least once from the ipa database of older clusters, possibly twice. I've pulled out the pertinent entries from each record:
# ldapsearch -Y GSSAPI uid=matstudio2016
# matstudio, users, accounts, <domain>
dn: uid=matstudio,cn=users,cn=accounts,<domain>
displayName: MatStudioAccount MatStudioAccount
cn: MatStudioAccount MatStudioAccount
krbCanonicalName: matstudio@<domain>
uidNumber: 99999
gidNumber: 11008
krbPrincipalName: matstudio@<domain>
givenName: MatStudioAccount
homeDirectory: <path-to>/matstudio
ipaUniqueID: 6e8f1900-b044-11e8-be99-00a1dafce440
mepManagedEntry: cn=matstudio2016,cn=groups,cn=accounts,<domain>
memberOf: ipaUniqueID=b7b3447a-b02c-11e8-9fe1-00a1dafce440,cn=hbac,<domain>
uid: matstudio
# ldapsearch -Y GSSAPI uid=matstudio
# matstudio, users, compat, <domain>
dn: uid=matstudio,cn=users,cn=compat,<domain>
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: MatStudioAccount MatStudioAccount
cn: MatStudioAccount MatStudioAccount
uidNumber: 99999
gidNumber: 11008
loginShell: /bin/bash
homeDirectory: <path-to>/matstudio
ipaAnchorUUID:: OklQQTpwcmkuY3NmMy5hbGNlcy5uZXR3b3JrOjZlOGYxOTAwLWIwNDQtMTFlOC
1iZTk5LTAwYTFkYWZjZTQ0MA==
uid: matstudio
I'm scratching my head here; any suggestions will be most gratefully received!
Thanks,
Mark
4 years, 4 months
Upgrade freeipa without CA
by Terry Soucy
Hi Everyone,
I'm in the process of testing a CentOS 6 to CentOS 7 migration of our IPA
servers (ipa-server-3.0.0 to ipa-server-4.6.5). I have successfully added a
4.6.5 IPA server to my 3.0.0 replicas in my testing environment, and
replication is working fine. I have a few aci differences that I'm still
weeding out, but no show stoppers.
When we initially installed freeipa, we were planning on using the CA
capabilities, but have never actually used it after the initial install. My
question is, if we have never used it, can I simply just not worry about
creating a CA replica, and then renew my certificates using an external CA
after the migration is complete?
Thanks in advance
Terry
--
Terry Soucy
Systems Engineering Lead | Salesforce
Mobile: +1.506.609.3247
<http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html>
4 years, 4 months