Hi Team ,
FreeIPA server version :- 4.6.8
I was trying to secure the FreeIPA server with a Let's Encrypt SSL certificate, and in the middle of the process I noticed that httpd suddenly failed. I am listing the steps I followed so far (not complete, as httpd died in between).
I am fairly new to FreeIPA, so I would appreciate some help or guidance here. Thanks.
1. Took a backup of /var/lib/ipa/
2. Made a directory: mkdir freeipa-certs
3. cd freeipa-certs
4. Performed the step below to get the Let's Encrypt CA certificates:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"; do
    curl -o "$CERT" "https://letsencrypt.org/certs/$CERT"
done
5. Install the Let's Encrypt CA certificates into the FreeIPA certificate store:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"; do
    ipa-cacert-manage install "$CERT"
done
######## Output of step 5 #########
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
############################################
6. Update the local IPA certificate databases with the certificates from the server:
sudo ipa-certupdate
At the stage below httpd seems to be failing:
############# Output of Step 6 ##################################
[gp185132@idm canary-freeipa-certs]$ sudo ipa-certupdate
trying https://idm.ncrcanary.apibox.ml/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://idm.ncrcanary.apibox.ml/ipa/json'
trying https://idm.ncrcanary.apibox.ml/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1
###########################################################
GAURAV Pande via FreeIPA-users wrote:
Hi Team ,
FreeIPA server version :- 4.6.8
I was trying to secure the FreeIPA server with a Let's Encrypt SSL certificate, and in the middle of the process I noticed that httpd suddenly failed. I am listing the steps I followed so far (not complete, as httpd died in between).
I am fairly new to FreeIPA, so I would appreciate some help or guidance here. Thanks.
1. Took a backup of /var/lib/ipa/
2. Made a directory: mkdir freeipa-certs
3. cd freeipa-certs
4. Performed the step below to get the Let's Encrypt CA certificates:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"; do
    curl -o "$CERT" "https://letsencrypt.org/certs/$CERT"
done
5. Install the Let's Encrypt CA certificates into the FreeIPA certificate store:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"; do
    ipa-cacert-manage install "$CERT"
done
######## Output of step 5 #########
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
############################################
6. Update the local IPA certificate databases with the certificates from the server:
sudo ipa-certupdate
At the stage below httpd seems to be failing:
############# Output of Step 6 ##################################
[gp185132@idm canary-freeipa-certs]$ sudo ipa-certupdate
trying https://idm.ncrcanary.apibox.ml/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://idm.ncrcanary.apibox.ml/ipa/json'
trying https://idm.ncrcanary.apibox.ml/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1
###########################################################
You need to look to see why httpd failed to start, either in its own logs or in the journal.
rob
Hi,
Thanks for the reply. The journal is reporting the error below, but there is no pre-existing process listening on port 80/443:
[gp185132@idm ~]$ sudo netstat -tulnp | grep -w 80
[gp185132@idm ~]$
[gp185132@idm ~]$ sudo netstat -tulnp | grep -w 443
############################################################################
-- Unit httpd.service has begun starting up.
Mar 23 14:08:02 idm ipa-httpd-kdcproxy[17150]: ipa: INFO: KDC proxy enabled
Mar 23 14:08:02 idm ipa-httpd-kdcproxy[17150]: ipa-httpd-kdcproxy: INFO KDC proxy enabled
Mar 23 14:08:02 idm httpd[17155]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Mar 23 14:08:03 idm systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 23 14:08:03 idm systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
##############################################################################
GAURAV Pande via FreeIPA-users wrote:
Hi,
Thanks for the reply. The journal is reporting the error below, but there is no pre-existing process listening on port 80/443:
[gp185132@idm ~]$ sudo netstat -tulnp | grep -w 80
[gp185132@idm ~]$
[gp185132@idm ~]$ sudo netstat -tulnp | grep -w 443
############################################################################
-- Unit httpd.service has begun starting up.
Mar 23 14:08:02 idm ipa-httpd-kdcproxy[17150]: ipa: INFO: KDC proxy enabled
Mar 23 14:08:02 idm ipa-httpd-kdcproxy[17150]: ipa-httpd-kdcproxy: INFO KDC proxy enabled
Mar 23 14:08:02 idm httpd[17155]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Mar 23 14:08:03 idm systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 23 14:08:03 idm systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
##############################################################################
This is very little to go on. Apache thinks there is a duplicate port, but there isn't a process listening there, so I can only assume something is messed up with the Apache config.
Perhaps check the syntax and show the vhosts with:
httpd -t -D DUMP_VHOSTS
And as I suggested earlier, look in the Apache logs for any insights.
rob
Hi,
Thanks for the further suggestion. Regarding the Apache logs, I see two types of logs under /var/log/httpd:
1. ssl_error_log, which seems to report an ID-related error in the certificate:
############################################################
[gp185132@idm log]$ sudo cat httpd/ssl_error_log
[Wed Mar 23 08:44:14.684239 2022] [ssl:warn] [pid 13553] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 08:49:22.362213 2022] [ssl:warn] [pid 13679] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 08:55:53.069305 2022] [ssl:warn] [pid 13892] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 08:57:14.441821 2022] [ssl:warn] [pid 14033] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 08:59:57.786261 2022] [ssl:warn] [pid 14146] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 09:18:42.689416 2022] [ssl:warn] [pid 15255] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 09:19:29.917671 2022] [ssl:warn] [pid 15451] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 09:22:29.840935 2022] [ssl:warn] [pid 15810] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
[Wed Mar 23 14:08:02.931798 2022] [ssl:warn] [pid 17155] AH01909: RSA certificate configured for idm.ncrcanary.apibox.ml:443 does NOT include an ID which matches the server name
##########################################################################
2. error_log, which again seems to report some SSL library related errors:
###########################################################################
[Tue Mar 22 07:41:25.693398 2022] [:error] [pid 19198] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:26.101011 2022] [:error] [pid 19199] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:26.117640 2022] [:error] [pid 19197] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:36.192522 2022] [:error] [pid 19196] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:36.195377 2022] [:error] [pid 19599] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:36.854208 2022] [:error] [pid 19198] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:38.271086 2022] [:error] [pid 19196] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:38.272939 2022] [:error] [pid 19197] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:38.275932 2022] [:error] [pid 19599] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:39.163366 2022] [:error] [pid 19197] SSL Library Error: -12224 SSL peer had some unspecified issue with the certificate it received
[Tue Mar 22 07:41:55.013672 2022] [:error] [pid 19191] ipa: INFO: Starting new HTTP connection (1): idm.ncrcanary.apibox.ml
[Tue Mar 22 07:41:55.019100 2022] [:error] [pid 19191] ipa: INFO: Starting new HTTPS connection (1): idm.ncrcanary.apibox.ml
[Tue Mar 22 07:41:55.381375 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: i18n_messages(): SUCCESS
[Tue Mar 22 07:41:55.857491 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: config_show(): SUCCESS
[Tue Mar 22 07:41:55.861885 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: whoami(): SUCCESS
[Tue Mar 22 07:41:55.862651 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: env(None): SUCCESS
[Tue Mar 22 07:41:55.865040 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: dns_is_enabled(): SUCCESS
[Tue Mar 22 07:41:55.866606 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: trustconfig_show(): NotFound
[Tue Mar 22 07:41:55.868070 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: domainlevel_get(): SUCCESS
[Tue Mar 22 07:41:55.870723 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: ca_is_enabled(): SUCCESS
[Tue Mar 22 07:41:55.873373 2022] [:error] [pid 19192] ipa: INFO: admin@NCRCANARY.APIBOX.ML: batch: vaultconfig_show(): InvocationError
[Tue Mar 22 07:41:55.874109 2022] [:error] [pid 19192] ipa: INFO: [jsonserver_session] admin@NCRCANARY.APIBOX.ML: batch(i18n_messages(), config_show(), whoami(), env(None), dns_is_enabled(), trustconfig_show(), domainlevel_get(), ca_is_enabled(), vaultconfig_show()): SUCCESS
[Tue Mar 22 07:41:56.700011 2022] [:warn] [pid 19199] [client 165.225.57.169:57663] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@NCRCANARY.APIBOX.ML)!, referer: https://idm.ncrcanary.apibox.ml/ipa/ui/
[Tue Mar 22 07:41:56.701426 2022] [:warn] [pid 19195] [client 165.225.57.169:2175] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@NCRCANARY.APIBOX.ML)!, referer: https://idm.ncrcanary.apibox.ml/ipa/ui/
[Tue Mar 22 07:41:56.702696 2022] [:warn] [pid 19198] [client 165.225.57.169:57652] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@NCRCANARY.APIBOX.ML)!, referer: https://idm.ncrcanary.apibox.ml/ipa/ui/
[Tue Mar 22 07:41:57.581666 2022] [:error] [pid 19193] ipa: INFO: [jsonserver_session] admin@NCRCANARY.APIBOX.ML: json_metadata(None, None, object=u'all', version=u'2.237'): SUCCESS
[Tue Mar 22 07:41:57.725610 2022] [:error] [pid 19194] ipa: INFO: [jsonserver_session] admin@NCRCANARY.APIBOX.ML: user_show/1(u'admin', all=True, version=u'2.237'): SUCCESS
[Tue Mar 22 07:41:58.827210 2022] [:error] [pid 19191] ipa: INFO: [jsonserver_session] admin@NCRCANARY.APIBOX.ML: json_metadata(None, None, command=u'all', version=u'2.237'): SUCCESS
[Tue Mar 22 07:42:01.124469 2022] [:warn] [pid 19198] [client 165.225.57.169:57652] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@NCRCANARY.APIBOX.ML)!, referer: https://idm.ncrcanary.apibox.ml/ipa/ui/
########################################################################
Also, here is the output of the command you asked for:
[gp185132@idm ~]$ sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/ssl.conf:56)
Hi,
It looks like your machine has both nss.conf and ssl.conf configured and they are conflicting. IPA started using mod_ssl instead of mod_nss in IPA 4.7.0+ (see the release notes: https://www.freeipa.org/page/Releases/4.7.0#mod_ssl).
Which version of IPA are you using? Depending on it you will have to uninstall either mod_ssl or mod_nss.
HTH,
flo
On Thu, Mar 24, 2022 at 7:10 AM GAURAV Pande via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Also, here is the output of the command you asked for:
[gp185132@idm ~]$ sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/ssl.conf:56)
In a new thread they indicated they are running 4.6.8. They need to either remove mod_ssl or change the mod_ssl port, ideally the first, because while mod_nss and mod_ssl can co-exist in most cases, this is likely not to work with IPA because only one SSL module can own the proxy SSL support.
freeipa-letsencrypt does not support RHEL 7-based systems.
rob
Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
It looks like your machine has both nss.conf and ssl.conf configured and they are conflicting. IPA started using mod_ssl instead of mod_nss in IPA 4.7.0+ (see the release notes: https://www.freeipa.org/page/Releases/4.7.0#mod_ssl).
Which version of IPA are you using? Depending on it you will have to uninstall either mod_ssl or mod_nss.
HTH,
flo
On Thu, Mar 24, 2022 at 7:10 AM GAURAV Pande via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Also, here is the output of the command you asked for:
[gp185132@idm ~]$ sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/ssl.conf:56)
Hi Florence, Rob,
FreeIPA version is: 4.6.8
Apologies if I might sound stupid here, but I am kind of confused. Could you let me know what exactly needs removal and how I can remove it, or the command to do so via yum?
Also, regarding the statement "freeipa-letsencrypt does not support RHEL 7-based systems": could you let me know what OS this repo will support, and whether it is a FreeIPA limitation or a Let's Encrypt one (which I doubt is the latter)?
Thanks
GAURAV Pande via FreeIPA-users wrote:
Hi Florence, Rob,
FreeIPA version is: 4.6.8
Apologies if I might sound stupid here, but I am kind of confused. Could you let me know what exactly needs removal and how I can remove it, or the command to do so via yum?
I don't know what you've done. I assume you installed certbot which requires mod_ssl, so you installed that too. The problem is that IPA in RHEL 7 uses mod_nss so now you have two crypto providers.
mod_nss doesn't use PEM files so you'd need to use ipa-server-certinstall to load the LE cert and key into IPA.
Removing mod_ssl is trivial: rpm -e mod_ssl (or yum erase if you prefer)
That should also remove /etc/httpd/conf.d/ssl.conf but you'll want to confirm it. Just removing the file is not sufficient because mod_ssl will re-create it the next time the package is updated.
Also, regarding the statement "freeipa-letsencrypt does not support RHEL 7-based systems": could you let me know what OS this repo will support, and whether it is a FreeIPA limitation or a Let's Encrypt one (which I doubt is the latter)?
To be clear, freeipa-letsencrypt was created for our own purposes and we open sourced it as we do most things, but it has absolutely bare-bones support. It is not meant to be, and will never be, the swiss army knife of LE installs with IPA.
It isn't supported in RHEL 7 because we never needed it in RHEL 7. There are no plans to add support and in fact even a contribution would likely not be accepted since it would most probably atrophy.
rob
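As an added example (not code from the thread or from the FreeIPA project), a small POSIX shell check that parses the output of httpd -t -D DUMP_VHOSTS and flags any port that more than one conf.d file claims, which is the nss.conf/ssl.conf overlap diagnosed above and the state that produces the AH00072 bind failure. The sample output embedded below is constructed to mirror the one posted in the thread; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find a listening port that two
# different /etc/httpd/conf.d files configure (e.g. nss.conf and ssl.conf).

# Constructed sample, shaped like the DUMP_VHOSTS output posted above.
SAMPLE_DUMP='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
         port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/nss.conf:81)
         port 443 namevhost idm.ncrcanary.apibox.ml (/etc/httpd/conf.d/ssl.conf:56)'

# conf_files_for_port PORT: read DUMP_VHOSTS text on stdin and print the
# distinct config files that declare a namevhost on PORT, one per line.
conf_files_for_port() {
    port="$1"
    grep -E "^[[:space:]]*port ${port} namevhost " |
        sed -n 's/.*(\([^:)]*\):[0-9]*)$/\1/p' |
        sort -u
}

# check_port_conflict PORT: exit 0 when at most one file owns PORT,
# exit 1 (and name the files on stderr) when two or more do. Two owners
# means two SSL modules each trying to bind the socket, which is what
# "(98)Address already in use ... could not bind to address [::]:443" reports
# even though nothing else is listening.
check_port_conflict() {
    port="$1"
    files=$(conf_files_for_port "$port")
    count=$(printf '%s\n' "$files" | sed '/^$/d' | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo "port $port is configured by $count files:" >&2
        printf '  %s\n' $files >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample; on a real server you would instead run:
#   httpd -t -D DUMP_VHOSTS 2>&1 | check_port_conflict 443
# and, to see which SSL module packages are present: rpm -q mod_nss mod_ssl
printf '%s\n' "$SAMPLE_DUMP" | check_port_conflict 443 ||
    echo "conflict detected (expected for the sample)"
```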
Hi Rob,
Thanks for the prompt reply, but I see the repo using the dnf command and installing the certbot client as well in the initial setup script, so my query still remains: on what OS version can we run this repo, regardless of the support?
GAURAV Pande via FreeIPA-users wrote:
Hi Rob,
Thanks for the prompt reply, but I see the repo using the dnf command and installing the certbot client as well in the initial setup script, so my query still remains: on what OS version can we run this repo, regardless of the support?
If you want to use freeipa-letsencrypt then as Flo said, you need IPA 4.7.0+. RHEL-8 and 9 (and related rebuild distributions) use 4.9.x so you should be ok with either (at least once 9 is released). Or Fedora 34+.
rob
Okay Rob, so I guess a CentOS 8 base should also work then, just checking?
On Thu, Mar 24, 2022 at 4:43 PM GAURAV Pande via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Okay Rob, so I guess a CentOS 8 base should also work then, just checking?
Yes, CentOS 8 should work.
flo
Thanks Flo & Rob on helping here.