Running a FreeIPA cluster, the master has fallen over and refuses to get back up:
Failed to read data from service file: Unknown error when retrieving list of services from LDAP: Insufficient access: SASL(-4): no mechanism available: (Unknown authentication method)
I was wondering where the best place for logs is to get myself out of this hole; as it's the "super master", I'd rather not have to delete it, promote another, etc.
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
I am having trouble with ntpd on my IPA server. For whatever reason,
chrony seems to work when I manually stop ntpd.
I would like to remove ntpd as an IPA-managed service. I found an old
thread on this list that says I need to remove:
Assuming that this is correct, how do I do that?
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
We have FreeIPA running on Ubuntu 16.04 since about two years
now. For the last few days we see these messages in the log
Oct 22 17:32:14 ipasrv certmonger: 2018-10-22 17:32:14  Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Where should I start looking to recover from this?
I am looking at using FreeIPA without CA, using external signed certificates. Reading the documentation it looks possible using --dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just create a CSR for the hostname by hand and get it signed? Also is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
I have issued a certificate for an AWS ELB.
The certificate is attached to a pseudo-host and service named lb.example.com.
There is a certificate and the certificate ID is 21.
The certificate was created on the FreeIPA server.
(as indicated here https://www.redhat.com/archives/freeipa-users/2015-September/msg00127.html)
I also created 2 more certificates for the back-end servers, installed them and they work just fine when I connect directly to the back-end server.
However, when I connect through the LB, browsers are complaining because the back-end certificate does not contain the DNS name of the LB.
So, I revoked the previous certificates and tried to re-create them via:
sudo ipa-getcert request -f ~/certificates/certs/http_certificate.pem -k ~/certificates/keys/host_key.key -K HTTP/$(hostname -f) -N CN=$(hostname),O=EXAMPLE.COM -g 2048 -D lb.example.com -D host01.example.com -D aws-host01-example.com -D webserver01.example.com
(The command was executed on the back-end servers in order to avoid transferring the files)
The request fails with this error:
ca-error: Server at https://ipa01.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'lb.example.com'.).
Do I get this error because there is a certificate for this service already? If so, how can I bypass this?
If it's not possible, I will recreate the LB certificate and add all DNS names in that, but it's less than ideal since if I add a new server in the future, I will need to re-issue the certificate.
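An added pre-flight check for the situation in this post (example code, not from the thread or from FreeIPA itself): FreeIPA only issues a dNSName SAN for a name whose host/service entry the requesting host is allowed to manage, which is what the "Insufficient privilege to create a certificate with subject alt name" error reports. The managedby data, host names and the grant_manager helper below are constructed assumptions that model the directory state, not live ipa calls.

```python
# Added example, not code from the mailing-list thread or from FreeIPA.
# Models the SAN authorization rule behind the error quoted above and the
# browser warning (LB name missing from the back-end cert). All data is
# constructed; in a real deployment the managedby attribute comes from
# "ipa host-show NAME" / "ipa service-show PRINCIPAL".

# Constructed directory state: which hosts may manage each host entry.
MANAGED_BY = {
    "lb.example.com":          {"ipa01.example.com"},  # only the IPA server
    "host01.example.com":      {"host01.example.com"},
    "webserver01.example.com": {"webserver01.example.com"},
}

def san_request_problems(requesting_host, sans, managed_by=MANAGED_BY):
    """Return {san_name: reason} for every SAN the requester may not ask for.
    A host may always request its own name; any other dNSName must belong to
    an entry whose managedby lists the requester. Names with no entry at all
    are reported too, since IPA cannot map them to a host or service."""
    problems = {}
    for name in sans:
        if name == requesting_host:
            continue
        managers = managed_by.get(name)
        if managers is None:
            problems[name] = "no host/service entry for this name"
        elif requesting_host not in managers:
            problems[name] = "requester is not in managedby"
    return problems

def names_missing_from_cert(cert_sans, names_clients_use):
    """Names a client may connect with (directly or via the LB) that the
    certificate's SAN set does not cover; these trigger the browser warning."""
    return sorted(set(names_clients_use) - set(cert_sans))

def grant_manager(name, host, managed_by=MANAGED_BY):
    """Hypothetical model of 'ipa host-add-managedby NAME --hosts=HOST'
    (plus the matching service-add-host): let HOST manage the entry for NAME."""
    managed_by.setdefault(name, set()).add(host)

if __name__ == "__main__":
    req = ["host01.example.com", "lb.example.com"]
    print(san_request_problems("host01.example.com", req))   # lb.example.com denied
    grant_manager("lb.example.com", "host01.example.com")
    print(san_request_problems("host01.example.com", req))   # {} -> request can succeed
    print(names_missing_from_cert(["host01.example.com"], req))  # ['lb.example.com']
```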