Untrusted Peer certificate after CA renewal
by Stéphane Mehat
This is my first post, so I hope I don't add too many details to my questions, but we spent so much time on that issue that I feel like I need to provide as much detail as possible 😉
We need your help!!!
After weeks of reading and attempts to fix our certificates, we can't find what is wrong.
Not sure if that is a freeIPA issue or just a conflict between ipa-tomcat and openssl on the same server. After CA and other certificate renewal, we are having a bunch of issues.
We used to be able to install clients and create replicas, but in our attempt to create a new CA replica, and after upgrading to the most recent versions and renewing certificates, including CA certificates, we still struggle to get certificates to be trusted.
Both LDAP and HTTPd certificates don't renew, with the same error in certmonger: "ipa-getcert resubmit -i 20180228054516"
status: CA_UNREACHABLE
ca-error: Server at https://ds01.EXAMPLE.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ds01.EXAMPLE.com:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1783)).
We went through the great tutorial from Flo, trying to debug this.
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issu...
All certificates look fine and current, even both LDAP and HTTPd. We added the ipaCert to the NSS DB as it was gone after the upgrade to IPA v4.5, but that did not fix the issue.
[root@ds01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ##key1## ipaCert
< 1> rsa ##key2## NSS Certificate DB:Server-Cert
The certificate in "certutil -L -d /etc/httpd/alias/ -n ipaCert -a" is different from ca.crt, but the same as
dn: uid=ipara,ou=people,o=ipaca
ca.crt is registered in the LDAP at:
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=EXAMPLE,dc=com
The only thing we can find with expired certificates is the entry:
[root@ds01 ~]# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=admin,ou=people,o=ipaca
That shows one userPassword, and 2 different userCertificate attributes that expired several years ago, with description:
description: 2;6;CN=Certificate Authority,O=EXAMPLE.COM;CN=ipa-ca-agent,O=EXAMPLE.COM
description: 2;268304414;CN=Certificate Authority,O=EXAMPLE.COM;E=admin@EXAMPLE.com,CN=CS Administrator,UID=admin,OU=ca,O=EXAMPLE.COM,C=US
Not sure if this is an old V3 LDAP entry not used in V4, or if that is the culprit and how to fix it??
We tried 'SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview'
recommended by https://rcritten.wordpress.com/
But still same trust issue.
Our issue seems similar to the one described in:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
So we tried to reset the trust flag, but that did not fix the issue for us.
Looking at the error_log we have:
[:error] [pid 14205] ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: ca_find(None, version=u'2.228'): SUCCESS
[:error] [pid 14205] ipa: DEBUG: Destroyed connection context.ldap2_94559091634256
[:warn] [pid 14208] [client 192.168.10.217:63438] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@EXAMPLE.COM)!, referer: https://ds01.EXAMPLE.com/ipa/ui/
We have both openldap and pki-tomcat on that master; not sure if that is what is creating the issue since the renewal of the CA, or if the CRL used to be on another server.
Any idea of what could be wrong here?
The answer is probably as easy as adding one of the certificates to the NSS trust database, but not sure which one. :-(
###################
Here is what we get when installing a client:
[root@ds12 ~]# ipa-client-install
Skip ds12.EXAMPLE.com: LDAP server is not responding, unable to verify if this is an IPA server
Discovery was successful!
Client hostname: ds12.EXAMPLE.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.com
IPA Server: ds01.EXAMPLE.com
BaseDN: dc=EXAMPLE,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: 2014-08-03 19:28:18
Valid Until: 2034-08-03 19:28:18
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Peer's certificate issuer has been marked as not trusted by the user.
[root@ds01 alias]# ipa config-show
Certificate Subject base: O=EXAMPLE.COM
IPA masters: ds01.EXAMPLE.com, ds02.EXAMPLE.com, ds03.EXAMPLE.com
IPA CA servers: ds01.EXAMPLE.com, ds03.EXAMPLE.com
IPA NTP servers: ds01.EXAMPLE.com, ds02.EXAMPLE.com
IPA CA renewal master: ds01.EXAMPLE.com
[root@ds01 ~]# ipa server-role-find --role "AD trust controller"
----------------------
3 server roles matched
----------------------
Server name: ds01.EXAMPLE.com
Role name: AD trust controller
Role status: absent
Server name: ds02.EXAMPLE.com
Role name: AD trust controller
Role status: absent
Server name: ds03.EXAMPLE.com
Role name: AD trust controller
Role status: absent
----------------------------
Number of entries returned 3
----------------------------
[root@ds01 ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20180228053337':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
subject: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
expires: 2019-03-07 06:24:12 UTC
principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180228054506':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-02-25 04:27:49 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180228054507':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:28:38 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180228054508':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:31:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180228054509':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-03-07 03:47:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180228054510':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2018-06-15 23:15:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180228054511':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
expires: 2018-12-16 21:02:44 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180228054512':
status: CA_UNREACHABLE
ca-error: Server at https://ds01.EXAMPLE.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ds01.EXAMPLE.com:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1783)).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
expires: 2020-03-07 08:49:36 UTC
principal name: ldap/ds01.EXAMPLE.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20180228054516':
status: CA_UNREACHABLE
ca-error: Server at https://ds01.EXAMPLE.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ds01.EXAMPLE.com:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1783)).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
expires: 2020-03-07 08:49:51 UTC
principal name: HTTP/ds01.EXAMPLE.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@ds01 ~]# certutil -L -d /etc/httpd/alias/ -n ipaCert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1342111857 (0x4fff0071)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
Validity:
Not Before: Sat Jun 25 23:15:23 2016
Not After : Fri Jun 15 23:15:23 2018
Subject: "CN=IPA RA,O=EXAMPLE.COM"
[..]
Location:
URI: "http://ds01.EXAMPLE.com:80/ca/ocsp"
[..]
Mozilla-CA-Policy: false (attribute missing)
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
###################################
[root@ds01 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to ds01.EXAMPLE.com port 8443 (#0)
* Trying 192.168.10.146...
* Connected to ds01.EXAMPLE.com (192.168.10.146) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias/
* CAfile: /etc/ipa/ca.crt
CApath: none
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Server certificate:
* subject: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
* start date: Dec 26 21:02:44 2016 GMT
* expire date: Dec 16 21:02:44 2018 GMT
* common name: ds01.EXAMPLE.com
* issuer: CN=Certificate Authority,O=EXAMPLE.COM
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Steph
6 years, 1 month
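Added example, not from the thread and not certmonger's own code: a small Python triage script for `getcert list` output like the listing above. It flags requests whose status is not MONITORING (the two CA_UNREACHABLE entries), requests marked stuck, and certificates that are past or within a chosen number of days of their expiry (the IPA RA certificate above was due to expire in June 2018). SAMPLE and SAMPLE_NOW are constructed: an abbreviation of the thread's output and a March 2018 reference time.

```python
"""Triage `getcert list` output: report certmonger requests whose status is
not MONITORING, requests marked stuck, and certificates that are expired or
close to expiry.  Added example, not part of the thread or of certmonger.

Usage on a live IPA master:  getcert list | python3 getcert_triage.py
Without stdin input it runs against the constructed SAMPLE below."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, abbreviated from the shape of the thread's output.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20180228054510':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  CA: dogtag-ipa-ca-renew-agent
  subject: CN=IPA RA,O=EXAMPLE.COM
  expires: 2018-06-15 23:15:23 UTC
Request ID '20180228054511':
  status: MONITORING
  stuck: no
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  subject: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
  expires: 2018-12-16 21:02:44 UTC
Request ID '20180228054516':
  status: CA_UNREACHABLE
  ca-error: Server at https://ds01.EXAMPLE.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ds01.EXAMPLE.com:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1783)).
  stuck: no
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  subject: CN=ds01.EXAMPLE.com,O=EXAMPLE.COM
  expires: 2020-03-07 08:49:51 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
# Constructed reference time for the offline run (the thread dates from March 2018).
SAMPLE_NOW = datetime(2018, 3, 20, tzinfo=timezone.utc)


def parse_getcert(text):
    """Split `getcert list` output into one dict per request, keyed by the
    field names certmonger prints (status, ca-error, certificate, expires...)."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()                  # certmonger indents fields with a tab
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group("id")}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def triage(text, now=None, warn_days=30):
    """Return (request_id, problem, detail) tuples, in listing order, for
    anything that needs an operator's attention."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    findings = []
    for req in parse_getcert(text):
        rid, where = req["id"], req.get("certificate", "?")
        status = req.get("status", "?")
        if status != "MONITORING":
            # CA_UNREACHABLE etc.: the ca-error field says why renewal is failing
            findings.append((rid, "status", f"{status}: {req.get('ca-error', '')} [{where}]"))
        if req.get("stuck") == "yes":
            findings.append((rid, "stuck", where))
        if "expires" in req:
            expires = datetime.strptime(req["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if expires <= now:
                findings.append((rid, "expired", f"{req['expires']} [{where}]"))
            elif expires <= horizon:
                findings.append((rid, "expiring", f"{req['expires']} [{where}]"))
    return findings


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now = SAMPLE_NOW if text is SAMPLE else None
    for rid, problem, detail in triage(text, now=now, warn_days=90):
        print(f"{rid}\t{problem}\t{detail}")
```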
Re: Changing CA certificate subject name post-install
by Kirk VanOpdorp
I have an external CA that I need to renew due to the root CA expiring soon
and they grumbled at the CA subject last time and I suggested I would look
into changing it. I don't see any route via the ipa-cacert-manage renew to
change the subject but I'd be up for investigating if you have any general
guidance on what may be involved to get it to work. I don't know if there
are a lot of things tied to the CA subject in the inner workings of the
system that may result in unexpected results but I can work through that
also and provide feedback.
6 years, 1 month
replication broken
by Andrew Meyer
So for some reason yesterday my replication broke. Checked out the logs and found this:
Mar 20 14:16:02 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 14:16:02 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 20 14:16:02 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 20 14:17:02 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 20 14:17:02 freeipa01 systemd: Started IPA key daemon.
Mar 20 14:17:02 freeipa01 systemd: Starting IPA key daemon...
Mar 20 14:17:05 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 20 14:17:05 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 20 14:17:05 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 20 14:17:09 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 14:17:09 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 20 14:17:09 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 20 14:17:39 freeipa01 su: (to root) gatewayblend on pts/0
Mar 20 14:17:39 freeipa01 dbus[742]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Mar 20 14:17:39 freeipa01 dbus-daemon: dbus[742]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Mar 20 14:17:39 freeipa01 dbus[742]: [system] Successfully activated service 'org.freedesktop.problems'
Mar 20 14:17:39 freeipa01 dbus-daemon: dbus[742]: [system] Successfully activated service 'org.freedesktop.problems'
Mar 20 14:18:09 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 20 14:18:09 freeipa01 systemd: Started IPA key daemon.
Mar 20 14:18:09 freeipa01 systemd: Starting IPA key daemon...
Mar 20 14:18:13 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 20 14:18:13 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 20 14:18:13 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 20 14:18:17 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 14:18:17 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 20 14:18:17 freeipa01 systemd: ipa-dnskeysyncd.service failed.
The service says it's working just fine:
[root@myserver ~]# sudo systemctl status ipa -l
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
Active: active (exited) since Tue 2018-03-20 19:08:00 UTC; 11min ago
Process: 17633 ExecStop=/usr/sbin/ipactl stop (code=exited, status=0/SUCCESS)
Process: 17725 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
Main PID: 17725 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ipa.service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting krb5kdc Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting kadmin Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting named Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting httpd Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting ipa-custodia Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting ntpd Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting pki-tomcatd Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting ipa-otpd Service
Mar 20 19:08:00 myserver.mydomain.com ipactl[17725]: Starting ipa-dnskeysyncd Service
Mar 20 19:08:00 myserver.mydomain.com systemd[1]: Started Identity, Policy, Audit.
[root@myserver ~]#
Should I pull replication from another server or is there a simpler way to fix this?
Thanks,
Andrew
6 years, 1 month
Login popups on WebUI login screen
by Kristian Petersen
I just set up a new FreeIPA server and get authentication popups on the
page every time it loads, and I have to cancel two of them before I get to
the regular IPA web UI login. How can I fix this issue?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
6 years, 1 month
Auto create NFS home folders on IPA Server.
by TomK
Hey Guys,
For newly added AD or IPA users, is there a way to automatically create
the user folders on the FreeIPA server under, say, /nfs/home/bill, so
that when the remote client logs in, it sees the NFS-mounted folder?
The instructions that I can find right now require pre-creating the folders.
I need them pre-created via the FreeIPA master servers any time someone
attempts to log in on a client using their AD credentials. Is this
possible? Assume the NFS server will be local to the FreeIPA masters.
I found steps like the ones below, but step 5) still requires pre-creation
of the folders.
https://www.redhat.com/archives/freeipa-users/2016-May/msg00380.html
https://serverfault.com/questions/705039/how-to-automate-directory-creati...
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
6 years, 1 month
Fedora 27 and IPA - install timeout?
by Kat
Hi
Any ideas - VirtualBox - Fedora 27 server, 4 CPUs and 4G RAM (started at
2+2), and it STILL dies trying to restart the CA and fails after 300.0s.
I have systems smaller than this running FreeIPA, so I can't believe it
is a resource issue? Maybe a Fedora thing? Is there some way to increase the
timeout? It just seems crazy that I need to allocate so much of my
machine - I remember on older versions I ran it with 2 CPUs on 1G.
:-(
K
6 years, 1 month
IPA Deployment Recommendations - No. of servers per datacenter
by Ronald Wimmer
Hi,
The IPA deployment recommendations say "Generally it is recommended to
have at least 2-3 replicas in each datacenter". Is this also true if the
vast majority of users are external ones (coming from Active Directory)?
Our AD holds up to 60000 users and we prefer mapping AD groups instead
of single users. Apart from mapped AD groups and users, real IPA users
will probably stay below 100.
Regards,
Ronald
6 years, 1 month
nss_getpwnam: name 'tom@my.dom@localdomain' does not map into domain 'nix.my.dom'
by TomK
Hey Guys,
I'm getting the below message, which in turn fails to list the proper UID / GID on
NFSv4 mounts from within an unprivileged account. All files show up with
owner and group as nobody / nobody when viewed from the client.
Is there a way to structure /etc/idmapd.conf to allow for proper UID /
GID resolution? Or perhaps another solution?
[root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
[General]
Verbosity = 7
Domain = nix.my.dom
[Mapping]
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
[root@client01 etc]#
Mount looks like this:
nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4
(rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
/var/log/messages
Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: tom@my.dom@localdomain timeout 600
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'tom@my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'tom@my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: tom@my.dom@localdomain timeout 600
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
Mar 6 00:17:31 client01 systemd-logind: Removed session 23.
Result of:
systemctl restart rpcidmapd
/var/log/messages
-------------------
Mar 5 23:46:12 client01 systemd: Stopping Automounts filesystems on demand...
Mar 5 23:46:13 client01 systemd: Stopped Automounts filesystems on demand.
Mar 5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping service...
Mar 5 23:48:51 client01 systemd: Starting Preprocess NFS configuration...
Mar 5 23:48:51 client01 systemd: Started Preprocess NFS configuration.
Mar 5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping service...
Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain: nix.my.dom
Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list: 'NIX.MY.DOM'
Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using domain: nix.my.dom
Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms list: 'NIX.MY.DOM'
Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar 5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600 seconds.
Mar 5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping service.
Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.nametoid/channel
Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.idtoname/channel
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
6 years, 1 month
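Added example, not from the post and not nfs-utils code: a Python model of the name-to-local-name step that the nfsidmap log lines above report, driven by the Domain read from the posted idmapd.conf. It assumes, as the two logged outcomes suggest, that an owner string maps only when the text after its last '@' equals the client's Domain (compared case-insensitively), which is why 'tom@my.dom@localdomain' yields no local name while 'nobody@nix.my.dom' yields 'nobody'; it also shows that the same owner string would pass this step if its suffix matched the client's Domain.

```python
"""Model of the NFSv4 owner-string -> local-name check reported by the
nfsidmap log lines in the post.  Added example, not nfs-utils code.
Assumption: a name maps only when the text after its LAST '@' equals the
configured Domain (case-insensitively); everything before that '@' is the
local user name."""
import configparser

# Constructed copy of the client's idmapd.conf from the post.
IDMAPD_CONF = """\
[General]
Verbosity = 7
Domain = nix.my.dom
[Mapping]
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
"""


def configured_domain(conf_text):
    """Read [General] Domain from idmapd.conf text (None if unset)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.get("General", "Domain", fallback=None)


def local_name(nfs4_name, domain):
    """Return the local user name for an NFSv4 owner string, or None when the
    string's domain suffix does not match `domain` (the log's 'does not map
    into domain' case)."""
    user, sep, suffix = nfs4_name.rpartition("@")
    if not sep or domain is None:
        return None                      # no domain suffix to compare against
    if suffix.lower() != domain.lower():
        return None                      # 'localdomain' != 'nix.my.dom'
    return user


def explain(nfs4_name, conf_text):
    """One-line diagnosis in the style of the nss_getpwnam log messages."""
    domain = configured_domain(conf_text)
    result = local_name(nfs4_name, domain)
    if result is None:
        return f"name '{nfs4_name}' does not map into domain '{domain}'"
    return f"name '{nfs4_name}' domain '{domain}': resulting localname '{result}'"


if __name__ == "__main__":
    for name in ("tom@my.dom@localdomain", "nobody@nix.my.dom", "tom@my.dom@nix.my.dom"):
        print(explain(name, IDMAPD_CONF))
```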
Questions about SSL certificates
by Jonathan Vaughn
Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom
built things that manage our PKI and so on, to FreeIPA (which looks like it
can probably cover all our needs), and had a couple of SSL related
questions.
1) It looks like improvements are proposed for being able to generate
certificates from the web UI:
https://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation#...
Does anyone know the status of such plans? I see some work was done over
the past year but I haven't been able to find anything obviously related to
adding such ability to the web UI. Having to use the command line tools is
not the end of the world, but being able to do it from the web UI would
make things easier sometimes ... I tried installing the latest release in a
Fedora VM but didn't see any way to generate the CSR itself from the Web UI.
2) What is the correct / recommended way to issue certificates to users for
use with OpenVPN? We would have both site to site VPNs which I assume would
be issued similar to a regular service/web server SSL certificate, as well
as certificates for individual users. Do we add the users'
laptops/workstations as hosts in FreeIPA and then issue regular certs for
them that way, or is there a way to issue a cert for a user and tie it to
their identity (versus their laptop/workstation's identity)? Also, is
there a specific certificate 'profile' that should be used?
Thanks in advance
6 years, 1 month
Release notes for freeIPA 4.6.90.pre1
by Rob Crittenden
The FreeIPA team would like to announce the FreeIPA 4.6.90.pre1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 28 and rawhide will be available in the Fedora repositories.
== Highlights in 4.6.90.pre1 ==
This release changes from using mod_nss for the Apache TLS engine to
using mod_ssl. Upgrading will move the certificates and keys from
/etc/httpd/alias to /var/lib/ipa/certs/.
=== Known Issues ===
Upgrading from Fedora 27 to Fedora 28 is not well tested yet. We do
*NOT* recommend upgrading at this time.
=== Bug fixes ===
FreeIPA 4.6.90.pre1 is a preview release for the features delivered as a
part of 4.7.0.
There are more than 30 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
We do *NOT* recommend upgrading at this time.
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or the #freeipa channel on Freenode.
== Resolved tickets ==
* 7411 Simplify CA, TLS and bytes warning configuration of LDAP connections
* 7409 Upgrade fails in CAless installation due to missing CA
* 7397 ipa host-add --ip-address... returns Internal error when
forward-policy=none is defined
* 7394 file conflicts between python2-mod_wsgi and freeipa-server
* 7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry
enabling TLS in 389-ds
* 7390 cert-request: issuance of malformed certificate causes IPA
Internal Error
* 7389 F-27 upgrade to 4.6.3-1 fails with KRA update
* 7383 user-add: user creation proceeds when password is wrong
* 7380 Possible regression for limited OTP characters in host-add
* 7374 IPA 'Generate OTP' option in web gui does not show OTP code when
no reverse zone is managed
* 7371 uninstalling replica leaves orphaned data in ldap
* 7359 [RFE] extend topology plugin to clean up a removed replica ldap/
principal
* 7357 IntegrationTests do not fail even if the uninstall process fails
* 7335 Integration tests are not collecting all logs
* 7313 trust integration tests need to override test_establish_trust
method when using different trust-add options
* 7311 Update ui_driver to allow set path for geckodriver.log
* 7310 Integration tests don't collect logs from other replicas
* 7309 Integration tests: CA-less -> CA-ful promotion; post-promotion checks
* 7304 double ca acl provoke console error.
* 7302 test_external_ca: add selfsigned > external_ca > selfsigned test case
* 7301 Drop dependency on Python nose
* 7300 test_x509: test very long OID
* 7278 Run WebUI unit test in TravisCI
* 7274 ipa-replica-install fails with PIN error [ CA-less environment ]
* 7263 Typo in login screen
* 7258 typo in accounts menu
* 7246 Report CA Subject DN and subject base before installing.
* 7240 ipa-dnskeysyncd broken (and ipactl doesn't tell)
* 7225 CLI: view command / plugin help in pager
* 7224 Logging: ipa-replica-conncheck is missing a /n
* 7207 ipa-server-install should prevent installations with single label
domains
* 7201 ipa-replica-manage re-initialize TypeError: 'NoneType' object
does not support item assignment
* 7012 Users can delete their last active OTP token
* 5813 ipa-kra-install disrupts bind-dyndb-ldap
* 5638 Port client code to Python 3
* 4853 Utilize system-wide crypto-policies
* 3757 [RFE] Allow IPA to use either mod_ssl or mod_nss
== Detailed changelog since 4.6.3 ==
=== Alexander Bokovoy (13) ===
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step
* Make sure upgrade also checks for IPv6 stack
* OTP import: support hash names with HMAC- prefix
* dsinstance: Restore context after changing dse.ldif
=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks
=== Alexander Koksharov (4) ===
* Fix replica_promotion-domlevel0 test failures
* preventing ldap principal to be deleted
* ensuring 389-ds plugins are enabled after install
* kra-install: better warning message
=== Amit Kuma (4) ===
* Removing extra spaces present in man ipa-server-install
* ipa-advise for smartcards updated
* Custom ca-subject logging
* Documenting kinit_lifetime in /etc/ipa/default.conf
=== Aleksei Slaikovskii (12) ===
* test_backup_and_restore.py Fix logging
* Enable and start oddjobd after ipa-restore if it's not running.
* Fixing translation problems
* test_backup_and_restore.py AssertionError fix
* ipalib/frontend.py output_for_cli loops optimization
* View plugin/command help in pager
* ipa-restore: Set umask to 0022 while restoring
* Prevent installation with single label domains
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install
=== Christian Heimes (91) ===
* Move DNS related files to server-dns package
* Silence GCC warning in ipa_extdom
* Silence GCC warning in ipa-kdb
* Remove unused modutils wrappers from NSS/CertDB
* Update /etc/ipa/nssdb in client scripts
* NSS: Force restore of SELinux context
* NSSDB: Let certutil decide its default db type
* Prepare migration of mod_nss NSSDB to sql format
* certmonger: Use explicit storage format
* Remove deprecated -p option from ipa-dns-install
* Add mocked test for named crypto policy update
* Upgrade named.conf to include crypto policy
* Use system-wide crypto-policies on Fedora
* Add better CalledProcessError and run() logging
* freeipa-server no longer supports i686 arch on F28
* ipa-custodia-checker now uses python3 shebang
* Unified ldap_initialize() function
* Fix multiple uninstallation of server
* Fix i18n test for Chinese translation
* Run API and ACI under Python 2 and 3
* Generate same API.txt under Python 2 and 3
* Replace wsgi package conflict with config file
* Restart named-pkcs11 after KRA installation
* Update existing 389-DS cn=RSA,cn=encryption config
* Replace hard-coded paths with path constants
* Bump python-ldap version to fix syncrepl bug
* Bump SELinux policy for DNSSEC
* ipa-server-upgrade now checks custodia server keys
* DNSSEC code cleanup
* DNSSEC: Reformat lines to address PEP8 violations
* Decode ODS commands
* Run DNSSEC under Python 3
* More DNSSEC house keeping
* Remove unused PyOpenSSL from spec file
* Give ODS socket a bit of time
* Require dbus-python on F27
* Fix pylint error in ipapython/dn.py
* Lower python-ldap requirement for F27
* ipa-run-tests: make --ignore absolute, too
* Sort external schema files
* LGTM: unnecessary else in for loop
* LGTM: Use explicit string concatenation
* LGTM: raise handle_not_found()
* LGTM: Fix multiple use before assignment
* LGTM: Remove redundant assignment
* LGTM: Fix exception in permission_del
* LGTM: Membership test with a non-container
* LGTM: Name unused variable in loop
* LGTM: Use of exit() or quit()
* LGTM: Silence unmatchable dollar
* Make fastlint even faster
* ipa-run-tests: replace chdir with plugin
* Include ipa_krb5.h without util prefix
* Custodia uninstall: Don't fail when LDAP is down
* Require python-ldap 3.0.0b2
* Use pylint 1.7.5 with fix for bad python3 import
* Vault: Add argument checks to encrypt/decrypt
* Fix pylint warnings inconsistent-return-statements
* Travis: Add workaround for missing IPv6 support
* Replace nose with unittest and pytest
* Add safe DirectiveSetter context manager
* More log in verbs
* Address more 'to login'
* Fix grammar error: Log out
* Fix grammar in login screen
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* NSSDB: use preferred convert command
* Skip test_rpcclient_context in client tests
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* Require UTF-8 fs encoding
* libotp: add libraries after objects
* Run tox tests for PyPI packages on Travis
* Support sqlite NSSDB
* Py3: Fix vault tests
* Test script for ipa-custodia
* ipa-custodia: use Dogtag's alias/pwdfile.txt
* Use namespace-aware meta importer for ipaplatform
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi
=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly
=== Felipe Barreto (25) ===
* Fixing cleanup process in test_caless
* WebUI Tests: changing the ActionsChains.move_to_element to a new approach
* WebUI Tests: fixing test_user.py::test_test_noprivate_posix
* WebUI Tests: Changing how the initial load process is done
* WebUI Tests: fixing test_range test case
* WebUI Tests: changing how the login screen is detected
* WebUI Tests: refactoring login method to be more readable
* WebUI Tests: fixing test_navigation
* WebUI Tests: fixing test_group
* WebUI Tests: fixing test_hbac
* Check if replication agreement exist before enable/disable it
* Make IntegrationTest fail if an error happened during uninstall
* IntegrationTests now collects logs from all test methods
* Fixing vault-add-member to be compatible with py3
* Fixing test_backup_and_restore assert to do not rely on the order
* Fixing test_testconfig with proper asserts
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands
* Checks if Dir Server is installed and running before IPA installation
* Changing idoverrideuser-* to treat objectClass case insensitively
* Fixing how sssd.conf is updated when promoting a client to replica
=== François Cami (1) ===
* 10-config.update: remove nsslapd-sasl-max-buffer-size override as
https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389
Directory Server.
=== Florence Blanc-Renaud (23) ===
* ipa-restore: remove /etc/httpd/conf.d/nss.conf
* ipa-server-install: handle error when calling kdb5_util create
* ipa host-add: do not raise exception when reverse record not added
* ACI: grant access to admins group instead of admin user
* 389-ds OTP lasttoken plugin: Add unit test
* User must not be able to delete his last active otp token
* ipa host-add --ip-address: properly handle NoNameservers
* test_integration: backup custodia conf and keys
* Idviews: fix objectclass violation on idview-add
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-replica-install when key not protected by PIN
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs
* Fix ipa-server-upgrade with server cert tracking
* Python3: Fix winsync replication agreement
* Fix ipa config-mod --ca-renewal-master
=== Fraser Tweedale (38) ===
* upgrade: remove fix_trust_flags procedure
* ldap2: fix implementation of can_add
* ipaldap: allow GetEffectiveRights on individual operations
* Update IPA CA issuer DN upon renewal
* cert-request: avoid internal error when cert malformed
* Improve warning message for malformed certificates
* Don't use admin cert during KRA installation
* Add uniqueness constraint on CA ACL name
* Add tests for installutils.set_directive
* installutils: refactor set_directive
* pep8: reduce line lengths in CAInstance.__enable_crl_publish
* Prevent set_directive from clobbering other keys
* install: report CA Subject DN and subject base to be used
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Re-enable some KRA installation tests
* Use correct version of Python in RPM scripts
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* Add missing space in ipa-replica-conncheck error
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
* ipa-pki-retrieve-key: ensure we do not crash
* issue_server_cert: avoid application of str to bytes
=== Ganna Kaihorodova (1) ===
* Override trust methods for integration tests
=== John Morris (1) ===
* Increase dbus client timeouts during CA install
=== Martin Basti (3) ===
* py3: bindmgr: fix iteration over bytes
* py3: ipa-dnskeysyncd: fix bytes issues
* py3: set samba dependencies
=== Michal Reznik (27) ===
* test_caless: adjust try/except to capture also IOError
* ipa_tests: test signing request with subca on replica
* tests: ca-less to ca-full - remove certupdate
* ipa_tests: test subca key replication
* test_caless: add SAN extension to other certs
* prci: run full external_ca test suite
* tests: move CA related modules to pytest_plugins
* test_external_ca: selfsigned->ext_ca->selfsigned
* test_tasks: add sign_ca_and_transport() function
* paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
* test_caless: test PKINIT install and anchor update
* test_renewal_master: add ipa csreplica-manage test
* test_cert_plugin: check if SAN is added with default profile
* test_help: test "help" command without cache
* test_x509: test very long OID
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* test_forced_client: decode get_file_contents() result
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography
=== Mohammad Rizwan Yusuf (5) ===
* Before the fix, when ipa-backup was called for the first time, the
LDAP database was exported to
/var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif
is called for this and it runs under root, hence the files were owned by root.
* Updated the TestExternalCA with the functions introduced for the steps
of external CA installation.
* When the dirsrv service, which gets started during the first
ipa-server-install --external-ca phase, is not running when the second
phase is run with the --external-cert-file options, the ipa-server-install
command fails.
* IANA reserved IP addresses can not be used as a forwarder. This test
checks whether ipa server installation throws an error when 0.0.0.0 is
specified as the forwarder IP address.
* ipatest: replica install with existing entry on master
=== Nathaniel McCallum (3) ===
* Revert "Don't allow OTP or RADIUS in FIPS mode"
* Increase the default token key size
* Fix OTP validation in FIPS mode
=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection
=== Petr Vobornik (8) ===
* webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
* Revert "temp commit to run the affected tests"
* temp commit to run the affected tests
* webui:tests: close big notifications in realm domains tests
* webui:tests: realm domain add with DNS check
* webui:tests: move DNS test data to separate file
* fastcheck: do not test context in pycodestyle
* browser config: cleanup after removal of Firefox extension
=== Pavel Vomacka (16) ===
* WebUI: make keytab tables on service and host pages writable
* Include npm related files into Makefile and .gitignore
* Update jsl.conf in tests subfolder
* Edit TravisCI conf files to run WebUI unit tests
* Update README about WebUI unit tests
* Update tests
* Create symlink to qunit.js
* Update jsl to not warn about module in Gruntfile
* Add Gruntfile and package.json to ui directory
* Update QUnit CSS file to 2.4.1
* Update qunit.js to version 2.4.1
* Extend ui_driver to support geckodriver log_path
* WebUI: make Domain Resolution Order writable
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing
=== Rob Crittenden (24) ===
* Don't try to backup CS.cfg during upgrade if CA is not configured
* Don't return None on mismatched interactive passwords
* Update smart_card_auth advise script for mod_ssl
* Add value in set_directive after a commented-out version
* Don't backup nss.conf on upgrade with the switch to mod_ssl
* Enable upgrades from a mod_nss-installed master to mod_ssl
* Convert ipa-pki-proxy.conf to use mod_ssl directives
* Remove main function from the certmonger library
* Use mod_ssl instead of mod_nss for Apache TLS for new installs
* Fix detection of KRA installation so upgrades can succeed
* Move Requires: pythonX-sssdconfig into conditional
* Log contents of files created or modified by IPAChangeConf
* Don't manually generate default.conf in server, use IPAChangeConf
* Enable ephemeral KRA requests
* Make the path to CS.cfg a class variable
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
* Add exec to /var/lib/ipa/sysrestore for install status inquiries
* Use TLS for the cert-find operation
=== Robbie Harwood (2) ===
* Log errors from NSS during FIPS OTP key import
* ipa-kdb: support KDB DAL version 7.0
=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help
=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals
=== Sumit Bose (2) ===
* ipa-kdb: update trust information in all workers
* ipa-kdb: use magic value to check if ipadb is used
=== John L (1) ===
* Remove special characters in host_add random OTP generation
=== Stanislav Laznicka (71) ===
* Backup HTTPD's mod_ssl config and cert-key pair
* vault: fix vault-retrieve to a file
* Backup ssl.conf when migrating from mod_nss
* Move HTTPD cert/key pair to /var/lib/ipa/certs
* httpinstance fixup: remove commented-out lines
* httpinstance: fix publishing of CA cert
* httpinstance: verify priv key belongs to certificate
* httpinstance: backup mod_nss conf instead of just removing it
* service: rename import_ca_certs_* to export_*
* fixup: add ipa-rewrite.conf to ssl.conf on upgrade
* Make ipa-server-certinstall store HTTPD cert in a file
* certupdate: don't update HTTPD NSS db
* x509: Fix docstring of write_certificate()
* x509: Remove unused argument of load_certificate_from_file()
* httpinstance: handle supplied PKCS#12 files in installation
* mod_ssl migration: fix upload_cacrt.py plugin
* Fix FileStore.backup_file() not to backup same file
* Have all the scripts run in python 3 by default
* replica_prepare: Remove the correct NSS DB files
* Add a helpful comment to ca.py:install_check()
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* travis: pep8 changes to pycodestyle
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions
* rpc: don't decode cookie_string if it's None
* Don't write p11-kit EKU extension object if no EKU
* pylint: fix missing module
* travis: run the same tests in python2/3
* certmap testing: fix wrong cert construction
* ldap2: don't use decode() on str instance
* client: fix retrieving certs from HTTP
* uninstall: remove deprecation warning
* ldif: handle attribute names as strings
* pkinit: don't fail when no pkinit servers found
* pkinit: fix sorting dictionaries
* travis: remove "fast" from "makecache fast"
* Change Travis CI container to FreeIPA-owned
* Change the requirements for pylint in wheel
* rpcserver: don't call xmlserver.Command
* secrets: disable relative-imports for custodia
* pylint: disable __hash__ for some classes
* install.util: disable no-value-for-parameter
* pylint: make unsupported-assignment-operation check local
* sudocmd: fix unsupported assignment
* pylint: Iterate through dictionaries
* parameters: convert Decimal.precision to int
* dcerpc: disable unbalanced-tuple-unpacking
* dcerpc: refactor assess_dcerpc_exception
* pylint: fix no-member in schema plugin
* csrgen: fix incorrect codec for pyasn BitString
* pylint: fix not-context-manager false positives
* travis: temporary workaround for Travis CI
* Travis: archive logs of py3 jobs
=== Thierry Bordaz (1) ===
* 389-ds-base crashed as part of ipa-server-install in ipa-uuid
=== Tibor Dudlák (1) ===
* Do not check deleted files with `make fastlint`
=== Timo Aaltonen (2) ===
* ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
* Move config templates from install/conf to install/share
=== Tomas Krizek (19) ===
* py3 dnssec: convert hexlify to str
* py3: bindmgr: fix bytes issues
* prci: bump ci-master-f27 template to 1.0.2
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to 1.3.7.6-1
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* spec: bump python-pyasn1 to 0.3.2-2
* prci: use f26 template for master
* VERSION: set 4.6 git snapshot
* Contributors.txt: update
=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to
api_env var.
6 years, 1 month
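The highlights of the release notes above announce that the Apache TLS engine moves from mod_nss to mod_ssl and that upgrading relocates the certificates and keys from the NSS database in /etc/httpd/alias to PEM files under /var/lib/ipa/certs/. Once the material is plain PEM, the check a practitioner wants after such a migration (does the HTTPD private key still belong to the HTTPD certificate?) reduces to comparing the two public keys with openssl. The script below is an added example, not FreeIPA code and not from the release notes; the file names httpd.crt and httpd.key under /var/lib/ipa/certs/ and the -passin spec are illustrative assumptions, so pass the real paths (and, for an encrypted key, an openssl -passin spec such as file:/path/to/pwdfile) as arguments.

```sh
#!/bin/sh
# Added example, not FreeIPA code: a post-upgrade sanity check for the
# mod_nss -> mod_ssl migration announced in 4.6.90.pre1. After the upgrade
# the Apache TLS material lives as PEM files under /var/lib/ipa/certs/
# instead of the NSS database in /etc/httpd/alias, so comparing the
# certificate's public key with the public key derived from the private
# key tells you whether the migrated pair still belongs together.
#
# Assumptions: the file names httpd.crt and httpd.key are illustrative
# defaults; pass the real paths (and the openssl -passin spec for an
# encrypted key, e.g. file:/path/to/pwdfile) as arguments.

# Public key of a PEM certificate, in PEM form.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key derived from a PEM private key, in PEM form.
# $2 is an optional openssl -passin spec; an empty "pass:" is used
# otherwise so an encrypted key fails fast instead of prompting on a tty.
key_pubkey() {
    openssl pkey -in "$1" -pubout -passin "${2:-pass:}" 2>/dev/null
}

# cert_key_match CERT KEY [PASSIN]
# Returns 0 if KEY belongs to CERT, 1 if they do not match,
# 2 if either file cannot be read or parsed.
cert_key_match() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2" "$3") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_test_pair DIR NAME
# Creates a throwaway self-signed RSA key/certificate pair DIR/NAME.key
# and DIR/NAME.crt. Constructed test data only; never deploy these.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# main [CERT] [KEY] [PASSIN]: report the result and return its code.
main() {
    cert="${1:-/var/lib/ipa/certs/httpd.crt}"
    key="${2:-/var/lib/ipa/certs/httpd.key}"
    cert_key_match "$cert" "$key" "$3"
    rc=$?
    case $rc in
        0) echo "OK: $key belongs to $cert" ;;
        1) echo "MISMATCH: $key does not belong to $cert" ;;
        *) echo "ERROR: cannot read or parse $cert / $key" ;;
    esac
    return $rc
}

# Run the check when invoked with explicit paths; with no arguments the
# functions are only defined, so the file can be sourced and main called
# with the defaults by hand.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A MISMATCH result after an upgrade means Apache is serving a certificate whose key it does not hold, which surfaces as TLS handshake failures against the server rather than as a certmonger error, so this comparison is worth running before digging into tracking requests. The openssl -passin spec is only needed when the migrated key is stored encrypted; for an unencrypted PEM key the default empty password is ignored.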