Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert
by Erling Andersen
Hi,
We have a problem connecting with CA REST API (403).
Any ideas how to troubleshoot?
Setup: IPA 4.9.8 on CentOS Stream 8, two IPA CA servers
Only looking at the CA renewal master (ipa1.example.com)
# ipa cert-show 1
ipa: DEBUG: trying https://ipa1.example.com/ipa/session/json
ipa: ERROR: Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)
# pki-healthcheck
Internal server error 403 Client Error: 403 for url: http://ipa1.example.com:80/ca/rest/securityDomain/domainInfo
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "58153e6c-98ed-4264-a622-e8f6e23d58ca",
"when": "20220809080611Z",
"duration": "0.164052",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
}
]
LDAP and IPA RA appear to have identical certificates and serial number:
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca userCertificate description
dn: uid=ipara,ou=people,o=ipaca
userCertificate:: MIID...Ovix8
description: 2;1878982672;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
# openssl x509 -text -in /var/lib/ipa/ra-agent.pem
Serial Number: 1878982672 (0x6fff0010)
Validity
Not Before: Aug 8 10:02:19 2022 GMT
Not After : Jul 28 10:02:19 2024 GMT
-----BEGIN CERTIFICATE-----
MIID...Ovix8
-----END CERTIFICATE-----
PKI appears to have identical certificates in LDAP and /etc/pki/pki-tomcat/alias:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' |grep Serial
Serial Number: 1878982665 (0x6fff0009)
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIID...eluPug==
description: 2;1878982665;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
seeAlso: CN=CA Subsystem,O=EXAMPLE.COM
And, the certificate in CS.cfg appears to match the caSigningCert in LDAP:
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.signing.cert=MIID...yfc5a
# ldapsearch -LLL -D 'cn=directory manager' -W \
-b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
userCertificate:: MIID...yfc5a
Additional details:
# ldapsearch -LLL -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca
dn: ou=authorities,ou=ca,o=ipaca
ou: authorities
objectClass: top
objectClass: organizationalUnit
dn: cn=58d7a049-ada3-4146-b39a-84aa1b6f4add,ou=authorities,ou=ca,o=ipaca
authoritySerial: 1878982673
description: Host authority
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
authorityEnabled: TRUE
authorityKeyNickname: caSigningCert cert-pki-ca
authorityID: 58d7a049-ada3-4146-b39a-84aa1b6f4add
cn: 58d7a049-ada3-4146-b39a-84aa1b6f4add
objectClass: authority
objectClass: top
# ldapsearch -LLL -D 'cn=directory manager' -W -b cn=ipa,cn=cas,cn=ca,dc=example,dc=com
dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
cn: ipa
ipaCaId: 58d7a049-ada3-4146-b39a-84aa1b6f4add
ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=EXAMPLE.COM
description: IPA CA
# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
EXAMPLE.COM IPA CA CTu,Cu,Cu
EXAMPLE.COM IPA CA CTu,Cu,Cu
# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'EXAMPLE.COM IPA CA'
3 certificates
# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
3 certificates (identical with above 3 certificates)
# pki ca-cert-show 1878982672
Serial Number: 0x6fff0010
Subject DN: CN=IPA RA,O=EXAMPLE.COM
Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
Status: VALID
Not Valid Before: Mon Aug 08 12:02:19 CEST 2022
Not Valid After: Sun Jul 28 12:02:19 CEST 2024
1 year, 9 months
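An added example, not from the post and not pki-healthcheck's own code: a small shell check that decodes the ca.signing.cert value from a CS.cfg-style file and compares its SHA-256 with every certificate that certutil -L -a prints for one nickname, reporting the position of the match. The point is the situation visible above, where a nickname such as caSigningCert cert-pki-ca carries three certificates: a CS.cfg value that equals the second or third one is still a real certificate, but it is not what a tool that takes the first certificate returned for the nickname will compare against. Whether pki-healthcheck picks the first one is not established here; the position is reported so you can compare by hand. The demo data at the bottom are constructed placeholder blobs, not certificates.

```shell
#!/bin/sh
# Added example (not from the post or from pki-healthcheck): compare the
# base64 DER stored in a CS.cfg directive such as ca.signing.cert with every
# certificate that certutil prints for one nickname. On a live CA the bundle
# would come from:
#   certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca' > bundle.pem
# The demo at the bottom uses constructed placeholder blobs, not real certificates.

# cs_cfg_cert FILE DIRECTIVE -> prints the value (base64 DER) of DIRECTIVE from a CS.cfg-style file
cs_cfg_cert() {
    d=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots so ca.signing.cert matches literally
    sed -n "s/^$d=//p" "$1" | head -n 1
}

# b64_sha256 -> reads base64 (wrapped or not) on stdin, prints the SHA-256 of the decoded bytes
b64_sha256() {
    tr -d '\n\r ' | base64 -d | sha256sum | cut -d' ' -f1
}

# pem_bundle_sha256 FILE -> one fingerprint per PEM certificate, in the order they appear
pem_bundle_sha256() {
    awk '/-----BEGIN CERTIFICATE-----/ { b = ""; inblock = 1; next }
         /-----END CERTIFICATE-----/   { print b; inblock = 0; next }
         inblock                       { b = b $0 }' "$1" |
    while IFS= read -r line; do
        printf '%s' "$line" | b64_sha256
    done
}

# check_cs_cfg_cert CSCFG DIRECTIVE BUNDLE
# Prints which certificate in BUNDLE (1-based position, or "none") matches the
# directive. Returns 0 only when it is the first one certutil listed; a match
# further down means the nickname carries more than one certificate and the
# one recorded in CS.cfg is not the first.
check_cs_cfg_cert() {
    b64=$(cs_cfg_cert "$1" "$2")
    if [ -z "$b64" ]; then
        printf '%s: directive not found in %s\n' "$2" "$1"
        return 2
    fi
    want=$(printf '%s' "$b64" | b64_sha256)
    pos=0
    hit=none
    for fp in $(pem_bundle_sha256 "$3"); do
        pos=$((pos + 1))
        if [ "$fp" = "$want" ] && [ "$hit" = none ]; then
            hit=$pos
        fi
    done
    printf '%s: match=%s of %s certificate(s)\n' "$2" "$hit" "$pos"
    [ "$hit" = 1 ]
}

# Constructed demo data: three placeholder blobs stand in for DER certificates,
# and CS.cfg points at the second one, like a nickname that has been renewed twice.
demo() {
    a=$(printf 'constructed placeholder blob A' | base64)
    b=$(printf 'constructed placeholder blob B' | base64)
    c=$(printf 'constructed placeholder blob C' | base64)
    cfg=$(mktemp)
    bundle=$(mktemp)
    printf 'ca.signing.nickname=caSigningCert cert-pki-ca\nca.signing.cert=%s\n' "$b" > "$cfg"
    for x in "$a" "$b" "$c"; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$x" '-----END CERTIFICATE-----' >> "$bundle"
    done
    check_cs_cfg_cert "$cfg" ca.signing.cert "$bundle" ||
        echo "CS.cfg does not hold the first certificate under this nickname"
    rm -f "$cfg" "$bundle"
}
demo
```

On the CA, feed it /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and a bundle written with certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'; it needs only sed, awk, base64 and sha256sum, and the same call works for the other directives the healthcheck inspects (ca.ocsp_signing.cert, ca.subsystem.cert and so on) with the matching nickname.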
External group membership stuck
by Matthew Harlum
Hi,
I had an issue with group membership being stuck. I had some AD users in an external group which I had then added to the Admin group, but when I removed this external group the users retained their Admin group membership, even after deleting the SSSD cache completely on the server/client and restarting SSSD, IPA etc., and even after leaving it for a few weeks while I vacationed.
I took a look in LDAP and could not see any membership of the group except for the Admin user.
On a whim I removed the ipaNTSecurityIdentifier and the ipaNTGroupAttrs attribute from the Admin group and then re-added it exactly as it was, and found that the problem was solved. However, I'm struggling to understand how that could be.
I would like to understand how that would fix anything? It seems like it would be completely unrelated.
1 year, 9 months
Is there a way to force client sync with the server?
by lol lol
I have an IPA client on a host and an IPA server in a VM running on the same host.
Essentially, when I boot the machine, the client does not sync with the server at boot as the VM starts later.
Then I have issues like this one:
I add a new user and I can log in as them on other clients, but not on that one.
Is there a command to force sync client with the server?
Or what services should I restart? I tried restarting SSSD but it doesn't resync.
Thanks.
1 year, 9 months
Multiple user authentication domains on same server
by Minecraft Chest1
I have a FreeIPA server for my local lab domain (let's say lab.domain-a.com) which works fine. I have another domain (domain-b.net) which I would like an LDAP server for. I would like to use FreeIPA for domain-b.net as well, but I do not want to spin up another server for domain-b.net as of right now. Does FreeIPA have a way for me to set up more than one Kerberos realm and LDAP domain? In other words, can one FreeIPA server have LDAP objects in either "dc=lab,dc=domain-a,dc=com" or "dc=domain-b,dc=org" and Kerberos realms for "LAB.DOMAIN-A.COM" and "DOMAIN-B.COM"?
I do not need to have the same objects in both domains/realms, although that would be a nice feature. As I understand it, I am basically asking for two FreeIPA instances on the same server. Is this possible as of right now? If so, how would I go about setting this up?
Just to clarify, I am not asking for multiple DNS zones, I am asking for independent Kerberos Realms and LDAP domain components.
1 year, 9 months
Restricting Binddn to a specific group
by Entrepreneur AJ
Hi everyone,
I am wondering if there is a way to restrict a user that is purely for
binding an external application to only be able to search within a group
but enforced at the ipa server level.
For example, we use Odoo ERP it has an LDAP module which we want to be
able to restrict the users that login to the group lets call it
"odoo-users" for example.
Now if I bind to a normal user or heavens forbid the admin user it could
potentially source users that I don't want to have access. Odoo does
allow query filters like most LDAP implementations but it would be too
easy for someone to change the query filter for my liking.
I looked at permissions and feel this may be the way to go but from what
I can see the documentation is abandoned in favor of the RHEL handbook.
(We use Fedora 36 on VPS's).
Does anyone have any pointers on how I can securely implement this on
the server side to ensure that anyone else can't override the users
available on the external application?
1 year, 9 months
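An added example, not from the post: the server-side way to scope a bind account in FreeIPA is a permission (which rights, on which entries, which attributes) wrapped in a privilege and a role, with the bind account as a role member. The shell function below creates that chain with the ipa CLI for a bind user and a group; the names odoo-bind and odoo-users are assumptions, and by default it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the post): give a dedicated bind account read access
# to members of one group only, through IPA's permission -> privilege -> role
# chain, so the restriction lives in the directory's ACIs rather than in the
# application's search filter. Names (odoo-bind, odoo-users) are assumptions.
# With DRY_RUN=1 (the default) the ipa commands are printed instead of run.

# ipa_run COMMAND... -> run it, or print it one quoted argument per token when DRY_RUN=1
ipa_run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        for arg in "$@"; do printf "'%s' " "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

# grant_group_scoped_read BIND_USER GROUP
# Permission: read/search/compare a few attributes of user entries that are
# members of GROUP (--memberof sets the memberOf target filter, --type=user
# the subtree and object class). Privilege and role wrap it so the right is
# granted to BIND_USER through role membership and can be audited as one unit.
grant_group_scoped_read() {
    bind_user=$1
    group=$2
    perm="Read members of $group"
    priv="$group lookup"
    role="$group lookup role"

    ipa_run ipa permission-add "$perm" \
        --type=user --memberof="$group" \
        --right=read --right=search --right=compare \
        --attrs=uid --attrs=cn --attrs=mail --attrs=memberof
    ipa_run ipa privilege-add "$priv"
    ipa_run ipa privilege-add-permission "$priv" --permissions="$perm"
    ipa_run ipa role-add "$role"
    ipa_run ipa role-add-privilege "$role" --privileges="$priv"
    ipa_run ipa role-add-member "$role" --users="$bind_user"
}

# Constructed names: a bind account "odoo-bind" that may only see members of "odoo-users".
grant_group_scoped_read odoo-bind odoo-users
```

Two caveats. A permission only adds rights: FreeIPA's default managed permissions already let anonymous and any authenticated bind read most user attributes, so on its own this does not stop the application (or an edited query filter) from seeing users outside the group. Check what is exposed with ipa permission-find --bindtype=anonymous and --bindtype=all and with an unauthenticated ldapsearch, and if anonymous reads must stop, set nsslapd-allow-anonymous-access to rootdse in cn=config, remembering that this affects every anonymous client. Second, run it with DRY_RUN=0 only as an admin principal that may create permissions.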
Ubuntu 20.04 client can't find names for some group IDs
by Ranbir
Hi Everyone,
I migrated an Ubuntu 20.04 client from NIS authentication to an
AlmaLinux 9 IdM domain. I purged the NIS package, installed the
freeipa-client, successfully enrolled it into the domain and now when I
login via ssh, I get these messages:
groups: cannot find name for group ID 1762200513
groups: cannot find name for group ID 1762213360
groups: cannot find name for group ID 1762225405
groups: cannot find name for group ID 1762243097
groups: cannot find name for group ID 1762243100
groups: cannot find name for group ID 1762263161
groups: cannot find name for group ID 1762313267
groups: cannot find name for group ID 1762313342
groups: cannot find name for group ID 1762313405
groups: cannot find name for group ID 1762358745
I can look up the group names from an IdM server. Also, I think this
groups lookup problem is the cause of slow logins on this Ubuntu
client.
On other clients, I get similar messages when I use the "groups"
command to see which groups I'm a member of.
I've never experienced this before in an IdM environment. What's
causing the issue?
--
Ranbir
1 year, 9 months
List quieter these days
by Ranbir
Hi All,
Has anyone else noticed the list is a lot quieter than it used to be?
There's much less engagement from the devs and users are replying more
often to themselves. That's what I've noticed anyway. Maybe I'm wrong,
but it sure looks that way to me.
Is using freeipa or IdM in one of the RHEL derivatives still a good
option? I'm asking myself that question often now.
Note: my freeipa mail list archive goes back to 2015-12-06 (the day I
joined) so it's easy to see the progression/changes in mail list
behaviour.
--
Ranbir
1 year, 9 months
certutil: Could not find cert: YYDEVOPS.COM IPA CA
by roy liang
> roy liang via FreeIPA-users wrote:
>
> Like I've said, there is no documentation for this, a system that is
> unrenewable because of a missing library.
>
> I do have another suggestion on something to try. It's a bit half-baked
> and who knows, you may have already tried it.
>
> I'd strongly urge trying this on a clone of your production CA.
>
> IIRC you can go back in time where all the certs are valid and the CA is
> operational, right? If so, do that. If not you're still going to be
> stuck and you can stop reading.
>
> Bring up a new server, one running CentOS or RHEL, and set time back on
> it as well. Preferably running 4.6.8 (RHEL 7). This is the closest to
> your current version.
>
> Install it as a client with -N to skip syncing time, then run
> ipa-replica-install -N for the same reason. If you get that far, try
> running ipa-ca-install. This may well give you a working CA. At that
> point you'd set it as a the CA renewal master, etc (see the RHEL docs)
> and you'd be back in business.
>
> There would be more to do afterward but let's not get ahead of ourselves.
>
> rob
After libnsspem.so was added to Ubuntu 16.04, all the expired certificates were renewed normally in the test after changing the time. However, new problems came up during the ipa-replica-install test. The details are as follows:
ipa-client-install --domain=hiido.host.yydevops.com --realm=YYDEVOPS.COM --server=ipa-test-65-188.hiido.host.yydevops.com
Everything is all right ....
root@fs-hiido-dn-12-65-18:/home/liangrui# ipa-replica-install
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/43]: creating directory server user
[2/43]: creating directory server instance
[3/43]: restarting directory server
[4/43]: adding default schema
[5/43]: enabling memberof plugin
[6/43]: enabling winsync plugin
[7/43]: configuring replication version plugin
[8/43]: enabling IPA enrollment plugin
[9/43]: enabling ldapi
[10/43]: configuring uniqueness plugin
[11/43]: configuring uuid plugin
[12/43]: configuring modrdn plugin
[13/43]: configuring DNS plugin
[14/43]: enabling entryUSN plugin
[15/43]: configuring lockout plugin
[16/43]: configuring topology plugin
[17/43]: creating indices
[18/43]: enabling referential integrity plugin
[19/43]: configuring certmap.conf
[20/43]: configure autobind for root
[21/43]: configure new location for managed entries
[22/43]: configure dirsrv ccache
[23/43]: enabling SASL mapping fallback
[24/43]: restarting directory server
[25/43]: creating DS keytab
[26/43]: retrieving DS Certificate
[27/43]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the installation log for details.
[error] SystemExit: 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
#cat /var/log/ipareplica-install.log
....
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/dirsrv/ds.keytab
2022-08-08T09:14:29Z DEBUG duration: 1 seconds
2022-08-08T09:14:29Z DEBUG [26/43]: retrieving DS Certificate
2022-08-08T09:14:29Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L -n YYDEVOPS.COM IPA CA -a
2022-08-08T09:14:29Z DEBUG Process finished, return code=255
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=certutil: Could not find cert: YYDEVOPS.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -N -f /etc/dirsrv/slapd-YYDEVOPS-COM//pwdfile.txt
2022-08-08T09:14:29Z DEBUG Process finished, return code=0
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -A -n YYDEVOPS.COM IPA CA -t CT,C,C -a
2022-08-08T09:14:29Z DEBUG Process finished, return code=0
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -A -n YYDEVOPS.COM IPA CA -t CT,C,C -a
2022-08-08T09:14:29Z DEBUG Process finished, return code=0
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=
2022-08-08T09:14:29Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2022-08-08T09:14:34Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2022-08-08T09:14:34Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-YYDEVOPS-COM.socket from SchemaCache
2022-08-08T09:14:34Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-YYDEVOPS-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f36a4433e60>
2022-08-08T09:14:34Z DEBUG duration: 5 seconds
2022-08-08T09:14:34Z DEBUG [27/43]: restarting directory server
2022-08-08T09:14:34Z DEBUG Starting external process
2022-08-08T09:14:34Z DEBUG args=/bin/systemctl --system daemon-reload
2022-08-08T09:14:35Z DEBUG Process finished, return code=0
2022-08-08T09:14:35Z DEBUG stdout=
2022-08-08T09:14:35Z DEBUG stderr=
2022-08-08T09:14:35Z DEBUG Starting external process
2022-08-08T09:14:35Z DEBUG args=/bin/systemctl restart dirsrv@YYDEVOPS-COM.service
2022-08-08T09:14:36Z DEBUG Process finished, return code=0
2022-08-08T09:14:36Z DEBUG stdout=
2022-08-08T09:14:36Z DEBUG stderr=
2022-08-08T09:14:36Z DEBUG Starting external process
2022-08-08T09:14:36Z DEBUG args=/bin/systemctl is-active dirsrv@YYDEVOPS-COM.service
2022-08-08T09:14:36Z DEBUG Process finished, return code=3
2022-08-08T09:14:36Z DEBUG stdout=failed
2022-08-08T09:14:36Z DEBUG stderr=
2022-08-08T09:14:36Z DEBUG Starting external process
2022-08-08T09:14:36Z DEBUG args=/bin/systemctl is-active dirsrv@YYDEVOPS-COM.service
2022-08-08T09:14:36Z DEBUG Process finished, return code=3
2022-08-08T09:14:36Z DEBUG stdout=failed
2022-08-08T09:14:36Z DEBUG stderr=
2022-08-08T09:14:36Z CRITICAL Failed to restart the directory server. See the installation log for details.
2022-08-08T09:14:36Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 625, in __restart_instance
self.restart(self.serverid)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 619, in restart
raise e
SystemExit: 1
2022-08-08T09:14:36Z DEBUG [error] SystemExit: 1
2022-08-08T09:14:36Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run
cfgr.run()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 310, in run
self.execute()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 332, in execute
for nothing in self._executor():
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
step()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 586, in _configure
next(executor)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
step()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 63, in _install
for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 1652, in main
promote(self)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 375, in decorated
func(installer)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 1359, in promote
promote=True, pkcs12_info=dirsrv_pkcs12_info)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 125, in install_replica_ds
promote=promote,
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 399, in create_replica
self.start_creation(runtime=60)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 625, in __restart_instance
self.restart(self.serverid)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 619, in restart
raise e
2022-08-08T09:14:36Z DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
2022-08-08T09:14:36Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
#less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
[08/Aug/2022:17:14:36 +0800] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[08/Aug/2022:17:14:36 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[08/Aug/2022:17:14:36 +0800] - SSL failure: None of the cipher are valid
[08/Aug/2022:17:14:36 +0800] - ERROR: SSL2 Initialization Failed. Disabling SSL2.
[08/Aug/2022:17:14:36 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
[08/Aug/2022:17:14:36 +0800] - Can't find certificate Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[08/Aug/2022:17:14:36 +0800] - Can't get private key from cert Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[08/Aug/2022:17:14:36 +0800] - Error: unable to initialize attrcrypt system for userRoot
[08/Aug/2022:17:14:36 +0800] - start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
[08/Aug/2022:17:14:36 +0800] - Failed to start database plugin ldbm database
[08/Aug/2022:17:14:36 +0800] - WARNING: ldbm instance userRoot already exists
[08/Aug/2022:17:14:36 +0800] - ldbm_config_read_instance_entries: failed to add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
[08/Aug/2022:17:14:36 +0800] - ldbm_config_load_dse_info: failed to read instance entries
[08/Aug/2022:17:14:36 +0800] - start: Loading database configuration failed
[08/Aug/2022:17:14:36 +0800] - Failed to start database plugin ldbm database
[08/Aug/2022:17:14:36 +0800] - Error: Failed to resolve plugin dependencies
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin 7-bit check is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin Account Usability Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: accesscontrol plugin ACL Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin ACL preoperation is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin Auto Membership Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Class of Service is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin deref is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin HTTP Client is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin IPA DNS is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin IPA Lockout is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpostoperation plugin IPA MODRDN is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin IPA Topology Configuration is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin IPA UUID is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin ipa-winsync is not started
[08/Aug/2022:17:14:36 +0800] - Error: extendedop plugin ipa_enrollment_extop is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin ipaUniqueID uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin krbCanonicalName uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin krbPrincipalName uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: database plugin ldbm database is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Legacy Replication Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin Linked Attributes is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin Managed Entries is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpostoperation plugin MemberOf Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Multimaster Replication Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin netgroup uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpostoperation plugin referential integrity postoperation is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Roles Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin sudorule name uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin USN is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Views is not started
[08/Aug/2022:17:14:36 +0800] - Error: extendedop plugin whoami is not started
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM# certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
YYDEVOPS.COM IPA CA CT,C,C
YYDEVOPS.COM IPA CA CT,C,C
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM# certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L -n YYDEVOPS.COM IPA CA -a
certutil: Could not find cert: YYDEVOPS.COM
: PR_FILE_NOT_FOUND_ERROR: File not found
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM# certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L -n 'YYDEVOPS.COM IPA CA' -a
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM#
According to the log output, are the quotes missing, so the name cannot be found, or are there two (YYDEVOPS.COM IPA CA) names, so the service cannot be replicated?
/var/log/ipareplica-install.log
2022-08-08T09:14:29Z DEBUG stderr=certutil: Could not find cert: YYDEVOPS.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
1 year, 9 months
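An added example, not from the thread: a few shell functions that parse a certutil -L listing and report nicknames that occur more than once and required nicknames that are absent. Two things in the log above are worth keeping apart. The installer's args= line prints the argument list joined with spaces, so the missing quotes there are how the log is written, not the command it ran, and that first -L comes before the installer imports the CA certificate with -A in the very next lines; typed by hand, -n YYDEVOPS.COM IPA CA does pass only YYDEVOPS.COM as the nickname, which is why the manual run reports "Could not find cert: YYDEVOPS.COM". Separately, the listing has two "YYDEVOPS.COM IPA CA" entries and no Server-Cert at all, the certmonger request ended in CA_UNREACHABLE, and the dirsrv errors are about Server-Cert. The functions below check for both conditions; the demo listing is constructed after the one in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a certutil -L listing for
# duplicate nicknames and for nicknames that must be present before dirsrv
# can start TLS. The listing is passed as a file; on the replica it would be
# produced with:
#   certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L > listing.txt
# The demo at the bottom uses a constructed listing modelled on the one in
# the thread (two "YYDEVOPS.COM IPA CA" entries, no Server-Cert).

# nss_nicknames LISTING -> nicknames only, one per line, in listing order
nss_nicknames() {
    # skip the two header lines and blanks; the trust column is the last field,
    # everything before it is the nickname (runs of spaces inside a nickname are collapsed)
    awk 'NR > 2 && NF >= 2 { $NF = ""; sub(/[ \t]+$/, ""); print }' "$1"
}

# nss_duplicate_nicknames LISTING -> nicknames that occur more than once
nss_duplicate_nicknames() {
    nss_nicknames "$1" | sort | uniq -d
}

# nss_has_nickname LISTING NICK -> exit 0 if NICK is present (exact, whole-line match)
nss_has_nickname() {
    nss_nicknames "$1" | grep -qxF -- "$2"
}

# nss_show_cert DBDIR NICK -> print the certificate(s) stored under NICK as PEM.
# The nickname is one argument: a name with spaces must be quoted at the shell,
# otherwise certutil looks for a certificate called only "YYDEVOPS.COM".
nss_show_cert() {
    certutil -d "$1" -L -n "$2" -a
}

# nss_report LISTING REQUIRED_NICK... -> prints findings, returns 0 if nothing is wrong
nss_report() {
    listing=$1
    shift
    ok=0
    dups=$(nss_duplicate_nicknames "$listing")
    if [ -n "$dups" ]; then
        printf 'duplicate nickname(s): %s\n' "$dups"
        ok=1
    fi
    for nick in "$@"; do
        if ! nss_has_nickname "$listing" "$nick"; then
            printf 'missing required nickname: %s\n' "$nick"
            ok=1
        fi
    done
    [ "$ok" -eq 0 ] && printf 'listing looks consistent\n'
    return "$ok"
}

# Constructed demo listing, modelled on the thread's certutil -L output.
demo() {
    lst=$(mktemp)
    printf '%s\n' \
        'Certificate Nickname                              Trust Attributes' \
        '                                                  SSL,S/MIME,JAR/XPI' \
        '' \
        'YYDEVOPS.COM IPA CA                               CT,C,C' \
        'YYDEVOPS.COM IPA CA                               CT,C,C' > "$lst"
    nss_report "$lst" 'YYDEVOPS.COM IPA CA' Server-Cert
    rm -f "$lst"
}
demo
```

For the dirsrv database in the thread the required nickname is Server-Cert (the one named in the errors log); the same functions work on /etc/pki/pki-tomcat/alias with the cert-pki-ca nicknames. Duplicates are reported, not removed: with a renewed CA chain more than one certificate under the CA nickname can be legitimate, so decide with certutil -L -n 'NICK' -a and the validity dates before deleting anything.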
CA, tomcat java.lang.Exception: Missing Serial Number
by lol lol
Hello, I have recently made a post about a problem I had accessing certificates via web interface.
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
With Florence we have identified that the problem is related to tomcat.
However before I was able to view my certificates that were in MONITORING mode with pki ca-cert-show command.
Now it hangs forever and errors out saying that the serial number is missing. Is there a fix to this?
pki -v ca-cert-show
INFO: PKI options: -v
INFO: PKI command: ca-cert-show ca-cert-show
INFO: Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/pki/lib/* -Dcom.redhat.fips=false -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -v ca-cert-show
INFOS: Server URL: https://ipa.domain.priv:8443
INFOS: NSS database: /root/.dogtag/nssdb
INFOS: Message format: null
INFOS: Command: ca-cert-show
INFOS: Module: ca
INFOS: Initializing NSS
INFOS: Using internal token
INFOS: Module: cert
INFOS: Module: show
java.lang.Exception: Missing Serial Number.
at com.netscape.cmstools.ca.CACertShowCLI.execute(CACertShowCLI.java:68)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:357)
at org.dogtagpki.cli.CLI.execute(CLI.java:357)
at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
at org.dogtagpki.cli.CLI.execute(CLI.java:357)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
ERROR: Command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/pki/lib/* -Dcom.redhat.fips=false -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -v ca-cert-show
1 year, 9 months
Freeipa automount fails on login.
by Sami Hulkko
Hi,
I have home folders shared at server.foo.org on folder
/srv/home/foo.org and I can mount this share on client.foo.org with
kerberos security.
/etc/exports is:
/srv/home/foo.org
*(rw,sec=krb5:krb5i:krb5p,sync,no_root_squash,no_subtree_check)
On Freeipa server under Network Services I have:
default
under it :
auto.master that has /home/foo.org key and auto.home mount information.
auto.home has:
* -fstype=nfs4,rw,sec=krb5 server.foo.org:/srv/home/foo.org/&
So, the NFS share mounts with a manual mount command with Kerberos 5 security. Yet
the automount fails on login. I don't see any error in the config.
SH
1 year, 9 months
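An added example, not from the post: a shell function that expands an indirect autofs map entry for one lookup key the way automount does (a "*" key matches any name and each "&" in the location becomes the looked-up name) and prints the equivalent mount command. It shows exactly which mount login will attempt under /home/foo.org for a given user, so it can be compared with the manual mount that works; the username alice is a constructed example and the map entry is the one in the post.

```shell
#!/bin/sh
# Added example (not from the post): expand an autofs wildcard map entry the
# way automount does for one lookup key, so the mount that login will attempt
# can be checked against what works by hand. The map and mount point below
# are the ones in the post; the username is a constructed example.

# expand_autofs_entry MOUNTPOINT KEY 'MAP ENTRY'
# Prints the equivalent mount command for KEY, or returns 1 if the entry does
# not apply to that key. An indirect map entry has the form
#   key [-options] location
# where "*" matches any key and every "&" in the location is replaced by it.
expand_autofs_entry() {
    mountpoint=$1
    key=$2
    entry=$3

    set -f                     # no globbing while the entry is split; "*" is a literal key
    set -- $entry
    set +f
    mapkey=$1
    if [ $# -ge 3 ]; then
        opts=${2#-}            # strip the leading dash from the option field
        location=$3
    else
        opts=""
        location=$2
    fi

    if [ "$mapkey" != '*' ] && [ "$mapkey" != "$key" ]; then
        return 1
    fi

    # substitute every "&" with the lookup key (pure sh, no sed, so odd keys are safe)
    out=""
    while [ "$location" != "${location#*&}" ]; do
        out="$out${location%%&*}$key"
        location=${location#*&}
    done
    location="$out$location"

    # pull fstype out of the option list; the rest is passed to mount -o
    fstype=nfs
    rest=""
    oldifs=$IFS
    IFS=,
    for o in $opts; do
        case $o in
            fstype=*) fstype=${o#fstype=} ;;
            *)        rest=${rest:+$rest,}$o ;;
        esac
    done
    IFS=$oldifs

    if [ -n "$rest" ]; then
        printf 'mount -t %s -o %s %s %s/%s\n' "$fstype" "$rest" "$location" "$mountpoint" "$key"
    else
        printf 'mount -t %s %s %s/%s\n' "$fstype" "$location" "$mountpoint" "$key"
    fi
}

# The post's auto.home entry, keyed under /home/foo.org in auto.master, for a constructed user "alice"
expand_autofs_entry /home/foo.org alice '* -fstype=nfs4,rw,sec=krb5 server.foo.org:/srv/home/foo.org/&'
```

If the printed command succeeds when run by hand as root but the automount still fails at login, the difference is the credential automount holds rather than the map: with sec=krb5 the mount needs a host or nfs principal in the client keytab for rpc.gssd, and the user's own ticket only appears after PAM has finished, so compare the gssd and automount entries in the journal around the login time.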