December 2019 - FreeIPA-users - Fedora Mailing-Lists

Re: Issues with certificates: X509: KEY_VALUES_MISMATCH

by Rob Crittenden

Dmitri Moudraninets wrote: > Hi Rob, > > I recovered the key file. Restarted FreeIPA and certmonger. Now issue > looks different: > image.png > > Subjects disappeared. If I click on a certificate 29 I see this: > cannot connect to > 'https://freeipa.corp.mydomain.de:443/ca/agent/ca/displayBySerial': > [Errno 13] Permission denied Set the same ownership/permissions on the key as you did the cert and run restorecon on it. rob > > пн, 25 нояб. 2019 г. в 13:58, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com>>: > > Dmitri Moudraninets wrote: > > Hi Rob, > > > > > > > > I did the following: > > I removed original ra-agent.pem and ra-agent key > > and > > openssl x509 -in /root/debug.cert -out /var/lib/ipa/ra-agent.pem > > chown root:ipaapi /var/lib/ipa/ra-agent.pem > > chmod 0440 /var/lib/ipa/ra-agent.pem > > restorecon /var/lib/ipa/ra-agent.pem > > You removed the key!? I sure hope you have a backup of it. > > Put it back and I think that will resolve things. > > > > > Successfully restarted FreeIPA: > > Directory Service: RUNNING > > krb5kdc Service: RUNNING > > kadmin Service: RUNNING > > named Service: RUNNING > > httpd Service: RUNNING > > ipa-custodia Service: RUNNING > > ntpd Service: RUNNING > > pki-tomcatd Service: RUNNING > > smb Service: RUNNING > > winbind Service: RUNNING > > ipa-otpd Service: RUNNING > > ipa-dnskeysyncd Service: RUNNING > > ipa: INFO: The ipactl command was successful > > The agent cert is not required for the CA to operate. > > > Now GUI shows different error: > > cannot connect to > > 'https://freeipa.corp.mydomain.de:443/ca/agent/ca/displayBySerial': > > [Errno 2] No such file or directory > > > > > > [root@freeipa ~]# getcert list -f /var/lib/ipa/ra-agent.pem > > Number of certificates and requests being tracked: 16. > > Request ID '20180912151611': > > status: NEED_CSR > > stuck: no > > key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' > > certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> > > subject: CN=IPA RA,O=CORP.MYDOMAIN.DE <http://CORP.MYDOMAIN.DE> > <http://CORP.MYDOMAIN.DE> > > expires: 2019-11-25 15:32:12 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > This shows that the certificate has the right subject now which is good > but you removed its private key so it won't work. > > rob > > > > > сб, 23 нояб. 2019 г. в 20:26, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>: > > > > Dmitri Moudraninets wrote: > > > Hi Rob, > > > > > > ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory manager' -W > > > -b uid=ipara,ou=People,o=ipaca usercertificate > > > > > > shows me the following: > > > > > > Issuer: O=CORP.MYDOMAIN.DE <http://CORP.MYDOMAIN.DE> > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE>, > > > CN=Certificate Authority > > > Validity > > > Not Before: Dec 5 15:32:12 2017 GMT > > > Not After : *Nov 25 15:32:12 2019* GMT > > > > > > It's going to expire on Monday. Can it be a problem? > > > > You didn't provide the cert subject so I can't be sure this is > the right > > cert. If it contains CN = IPA RA then it is. > > > > And yes, it expires in two days. What you'd need to do is > restore it per > > my previous instruction into /var/lib/ipa/ra-agent.pem on the > renewal > > master (ipa config-show to see which one it is). > > > > Then run: > > > > # getcert resubmit -f /var/lib/ipa/ra-agent.pem > > > > That should renew the cert. > > > > On the other masters I'd run the same command and that may fix > things > > there as well. > > > > rob > > > > > I tried this command: > > > openssl x509 -text -in /var/lib/ipa/ra-agent.pem > > > > > > and it shows the following: > > > Certificate: > > > Data: > > > Version: 3 (0x2) > > > Serial Number: 28 (0x1c) > > > Signature Algorithm: sha256WithRSAEncryption > > > Issuer: O=CORP.MYDOMAIN.DE <http://CORP.MYDOMAIN.DE> > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE>, > > > CN=Certificate Authority > > > Validity > > > Not Before: Oct 29 10:39:47 2019 GMT > > > Not After : Oct 29 09:39:47 2021 GMT > > > Subject: O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> <http://CORP.MYDOMAIN.DE>, CN=dmud > > > Subject Public Key Info: > > > Public Key Algorithm: rsaEncryption > > > Public-Key: (2048 bit) > > > Modulus: > > > > 00:ba:09:81:99:9b:17:99:07:5a:10:28:c8:7a:03: > > > ... > > > > 18:db:02:ce:b4:66:ce:5a:e9:12:af:d3:da:bf:f7: > > > 66:5f > > > Exponent: 65537 (0x10001) > > > X509v3 extensions: > > > X509v3 Authority Key Identifier: > > > keyid:D2:...70:BF > > > > > > X509v3 Subject Key Identifier: > > > DE:...:51:0A > > > X509v3 Subject Alternative Name: > > > email:dmud@corp.mydomain.de > <mailto:email%3Admud@corp.mydomain.de> > > <mailto:email%3Admud@corp.mydomain.de > <mailto:email%253Admud@corp.mydomain.de>> > > > <mailto:email%3Admud@corp.mydomain.de > <mailto:email%253Admud@corp.mydomain.de> > > <mailto:email%253Admud@corp.mydomain.de > <mailto:email%25253Admud@corp.mydomain.de>>> > > > Authority Information Access: > > > OCSP - > URI:http://ipa-ca.corp.mydomain.de/ca/ocsp > > > > > > > > > I did nothing to /var/lib/ipa/ra-agent.pem yet. > > > > > > > > > чт, 21 нояб. 2019 г. в 16:54, Rob Crittenden > <rcritten(a)redhat.com <mailto:rcritten@redhat.com> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> > > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>: > > > > > > Dmitri Moudraninets wrote: > > > > Hi Rob, > > > > > > > > Yes both masters are failing the same way. Output > of openssl > > x509 > > > -noout > > > > -modulus -in /var/lib/ipa/ra-agent.pem is the same on both > > masters. > > > > Output of openssl rsa -noout -modulus -in > > /var/lib/ipa/ra-agent.key is > > > > also the same on both masters. But the output of the first > > command is > > > > not the same as the output of the second command. > > > > > > > > I can't remember that I troubleshoot any other > problems but we > > > tried to > > > > generate some personal certificates for some users. > Also we > > tried to > > > > generate certificates with key files for some of our > internal > > > services. > > > > We did that for the first time and it worked at the > end. Also I > > > changed > > > > the admin password not so long ago. > > > > > > > > > > > > Below you can find the output of the requested commands: > > > > > > > > > > > > [root@second_master ~]# getcert list -f > > /var/lib/ipa/ra-agent.pem > > > > Number of certificates and requests being tracked: 9. > > > > Request ID '20180912151730': > > > > status: MONITORING > > > > stuck: no > > > > key pair storage: > type=FILE,location='/var/lib/ipa/ra-agent.key' > > > > certificate: > type=FILE,location='/var/lib/ipa/ra-agent.pem' > > > > CA: dogtag-ipa-ca-renew-agent > > > > issuer: CN=Certificate Authority,O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> > > > <http://CORP.MYDOMAIN.DE> > > > > <http://CORP.MYDOMAIN.DE> > > > > subject: CN=dmud,O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> <http://CORP.MYDOMAIN.DE> > > > <http://CORP.MYDOMAIN.DE> > > > > *<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< I see a username here. > > Does it have > > > > to be like that?* > > > > expires: 2021-10-29 09:39:47 UTC > > > > email: dmud(a)corp.mydomain.de > <mailto:dmud@corp.mydomain.de> <mailto:dmud@corp.mydomain.de > <mailto:dmud@corp.mydomain.de>> > > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de> > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de>>> > > > <mailto:dmud@corp.mydomain.de > <mailto:dmud@corp.mydomain.de> <mailto:dmud@corp.mydomain.de > <mailto:dmud@corp.mydomain.de>> > > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de> > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de>>>> > > > > key usage: > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > pre-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert_pre > > > > post-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert > > > > track: yes > > > > auto-renew: yes > > > > > > Right, someone overwrote the RA agent certificate. > > > > > > Look to see if the user entry in the CA has the right cert: > > > > > > $ ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory > manager' > > -W -b > > > uid=ipara,ou=People,o=ipaca usercertificate > > > > > > Put the base64 value of the usercertificate attribute into a > > file and > > > add a prefix/suffix around it: > > > > > > -----BEGIN CERTIFICATE----- > > > MII....blah= > > > -----END CERTIFICATE----- > > > > > > $ openssl x509 -text -in /path/to/file > > > > > > If the Subject is O = CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> <http://CORP.MYDOMAIN.DE>, CN > > > = IPA RA then that's a good > > > start. Also look at the expires date to be sure it is > still valid. > > > > > > Assuming that is ok then re-run the openssl modulus commands > > to ensure > > > they are the same. > > > > > > Assuming that too is ok then you have the proper, valid RA > > agent cert. > > > In that case I'd move the current file out of the way, who > > knows what it > > > is, then run: > > > > > > # openssl x509 -in /path/to/file -out > > /var/lib/ipa/ra-agent.pem (just to > > > properly format the agent cert) > > > # chown root:ipaapi /var/lib/ipa/ra-agent.pem > > > # chmod 0440 /var/lib/ipa/ra-agent.pem > > > # restorecon /var/lib/ipa/ra-agent.pem > > > > > > Then try something like: ipa cert-show 1 > > > > > > This will exercise the RA agent cert and as long as you > don't > > get an > > > error back things are working again. > > > > > > The cert is common among all masters so you can copy the > file > > to your > > > other master(s), ensuring proper ownership, permissions and > > SELinux > > > context. > > > > > > rob > > > > > > > > > > > > -- > > > WBR > > > Dmitry > > > > > > > > -- > > With best regards/Mit freundlichen Grüßen > > > > Moudraninets Dmitry, RHCSA > > http://www.linkedin.com/in/moudraninets > > http://www.xing.com/profile/Dmitry_Mudraninets > > > > -- > With best regards/Mit freundlichen Grüßen > > Moudraninets Dmitry, RHCSA > http://www.linkedin.com/in/moudraninets > http://www.xing.com/profile/Dmitry_Mudraninets

4 days, 12 hours

2
6
0 / 0

FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

by Wulf C. Krueger

Hello, my FreeIPA installation was working well on Fedora 30. After upgrading to F31, though, it fails to start: ---- # ipactl start IPA version error: data needs to be upgraded (expected version '4.8.1-4.fc31', current version '4.8.1-1.fc30') Automatically running upgrade, for details see /var/log/ipaupgrade.log Be patient, this may take a few minutes. Automatic upgrade failed: Update complete Upgrading the configuration of the IPA services [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service" and "journalctl -xe" for details.\n') The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again Aborting ipactl ---- Logs: ipaupgrade.log: https://mailstation.de/ipa-logs/ipaupgrade.log pki-tomcatd@pki-tomcat log: https://mailstation.de/ipa-logs/pki-tomcatd@pki-tomcat.log pki-tomcat-ca-debug log: https://mailstation.de/ipa-logs/pki-tomcat-ca-debug.2019-11-02.log So it looks like the LDAP server isn't reachable but its log says it's running: https://mailstation.de/ipa-logs/dirsrv@MAILSTATION-DE.log There's nothing listening on ports 389 and 636, though. Help would be highly appreciated. Best regards, Wulf

2 weeks, 2 days

6
24
0 / 0

WARNING Could not update DNS SSHFP records.

by Ron Blom

Hi, We have problems with client’s registering dns records at enrollment. Most of the time all works ok but about 10% of the machines don’t create the A records or the SHHFP records. Sometimes they don’t create both. In the ipaclient-install.log we see the following on machines that doesn’t create the records. In this example the creation of the A records succeeded but the creation of the SSHFP records failed with the following error: 2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub 2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub 2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub 2019-12-20T13:19:51Z INFO [try 1]: Forwarding 'host_mod' to json server 'https://freeipa-002.ipa.cloud/ipa/session/json' 2019-12-20T13:19:51Z DEBUG HTTP connection keep-alive (freeipa-002.ipa.cloud) 2019-12-20T13:19:51Z DEBUG received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;path=/ipa;httponly;secure;']' 2019-12-20T13:19:51Z DEBUG storing cookie 'ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;' for principal host/adm-sdrn6419-2062.aal.ipa.cloud(a)RINIS.CLOUD 2019-12-20T13:19:51Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt: 2019-12-20T13:19:51Z DEBUG debug update delete adm-sdrn6419-2062.aal.ipa.cloud. IN SSHFP show send update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 1 6134C7CDE12FDDFA33A068A273941697928FBCD7 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 2 2F41772E6CAD9C328730BFCED0E27350A6C20DE8499E60158635ED8419BF2022 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 1 FFE99F20A5C32D857535D13425A7F85F3A63E198 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 2 D2C7FC741E834D4E1FE51B7867AFA2D34D0685C769D9019D98093E01C8312118 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 1 ED5416B39F419E4F631AB6C9A9CFC0139907232E update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 2 7794DBAA391B2939476EDD3A0173162F9CD3BBE1E16B52754BB8C6B56DA26435 show send 2019-12-20T13:19:51Z DEBUG Starting external process 2019-12-20T13:19:51Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2019-12-20T13:19:51Z DEBUG Process finished, return code=1 2019-12-20T13:19:51Z DEBUG stdout=Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: adm-sdrn6419-2062.aal.ipa.cloud. 0 ANY SSHFP Outgoing update query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636 ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY ;; ADDITIONAL SECTION: 3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 1576847991 1576847991 3 NOERROR 677 YIICoQYJKoZIhvcSAQICAQBuggKQMIICjKADAgEFoQMCAQ6iBwMFACAA AACjggGCYYIBfjCCAXqgAwIBBaENGwtSSU5JUy5DTE9VRKIpMCegAwIB AaEgMB4bA0ROUxsXYWRtLWFhYS0wMDEucmluaXMuY2xvdWSjggE3MIIB M6ADAgESoQMCAQKiggElBIIBIWJzJaNElw4aQs2ZFHDopnUdH6vqowdG ojmiCBIpmgFjPsHEl98zY+UX6OqfF3ovB/uMAuCF1eq3spIRtPjb7hUO +lva9UtuvUJSV0pT9WI1B0ROZxzspkBQmZEYLRUCACxjW3Kw1F123ryy Ga4JJ4cROOFf1GtTdEW3CmIJLlyKqWXDFSQzgnqvP/acb0mQIr0Wid6P DJFaxYmm+uRHw5KBTg7hjeAQPFwgZxNdardv9hUvfhzElxtOK0Kj3ZDy 9lFdpemEtO+osfnwrwyX28xWGLZds/Gfpy0kfdihkUxT082eTWNftaE7 dX0LOb46j9sbMAFDbgHESCkXq5VFRBmtotnf3SRru/eBQFdbYq0/o/oY PCmaTJ4HSymhjbkrVVqkgfAwge2gAwIBEqKB5QSB4tPwDLt7qpKesLJg lGFXpoNqHOsGlFheQslzzkcWzjgoJDDRSJtjoaLgLFv0cITj+rr4dXcu tdMNESwRObXQofsbO9E0HYfZWijSDEIVJlXETm+x8ca4Qf938u3RHV/U +ZXmepZIBnMR4d70Vo+vz6CuXt0+HI0Dh6ot2whzX5g0MWHI0SfJElhO pgWN59uMUC4E8HtLzNEoWljX25acK3mi8ZBgq8iFihfObfEP0Xmx11NE Gru9QOiwMoxRUblws44U3sNOFRUgF9Ua3kKWXEfJ4wpPC3GwdMUajMkr V3wCXBc= 0 2019-12-20T13:19:51Z DEBUG stderr=Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13244 ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;adm-sdrn6419-2062.aal.ipa.cloud. IN SOA ;; AUTHORITY SECTION: aal.ipa.cloud. 0 IN SOA freeipa-001.ipa.cloud. hostmaster.aal.ipa.cloud. 1576848002 3600 60 1209600 60 Found zone name: aal.ipa.cloud The master is: freeipa-001.ipa.cloud start_gssrequest Found realm from ticket: RINIS.CLOUD send_gssrequest recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636 ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY ;; ANSWER SECTION: 3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 0 0 3 BADNAME 0 0 dns_tkey_gssnegotiate: TKEY is unacceptable 2019-12-20T13:19:51Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1 2019-12-20T13:19:51Z WARNING Could not update DNS SSHFP records. When I run the nsupdate command manually after enrollment it will succeed and add the missing records. any ideas?

1 month

3
2
0 / 0

Server-Cert cert-pki-ca was expired and wasn't renewed automatically

by luckydog xf

Hi, I have 2 nodes of IPA system. The 'Server-Cert cert-pki-ca' of master node was expired unexpectedly. Based on https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is for HTTS( pki-tomcat), AKA Dogtag website. As it was expired, Dogtag is OOS, either. Right now, those services are not running, --- pki-tomcatd Service: STOPPED ipa-otpd Service: STOPPED ipa-dnskeysyncd Service: STOPPED --- This is /var/log/pki/pki-tomcat/ca/selftests.log --------------------- 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peers Certificate has expired. 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! ----------------- And /var/log/pki/pki-tomcat/ca/debug ------------ [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer) [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer) [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. ----------------- Output from certutil: ------- Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK" Validity: Not Before: Tue Nov 21 08:43:11 2017 Not After : Mon Nov 11 08:43:11 2019 Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK" ---------- This certificate was expired, so here comes the point, 1. Why ipa cert-mon did monitor and renew it? So weired. getcert list | grep tomcat -i does not return this certificate. 2. How to fix it? it's renewal master by 'ipa config-show | grep 'IPA CA renewal master' 1) I reset the clock during the valid period, and restart services. it failed. 2) I plan to renew or recreate a Server-Cert since my CA is still valid, but I'm not sure it's doable and don't know how. Not sure it's a bug or not, my slave node is good, both are running freeipa v4.6.4. Thanks a lot.

1 month, 1 week

5
25
0 / 0

How to allow users to manage their own certs

by Michael Plemmons

We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate. I get the following error: Insufficient access: Principal 'testplem(a)MGMT.EXAMPLE.COM' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance. Here are the permissions I have setup. * Create a new Privilege called SelfService * Add the following permissions to the SelfService Privilege * Request Certificate (FreeIPA builtin permission) * Retrieve Certificates from the CA (FreeIPA builtin permission) * UserSelfSerivceCertificate (custom permission) * ReadCAProfile (custom permission) * ReadIPACA (custom permission) * Create Role called SelfService * Attach the SelfService Privilege to this Role * I then attach that Role to a test user. I am sure I am missing other permissions but I am not sure what. If there is already documentation that explains how to do this I am happy to reference that. If not, what else am I missing. ============ dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com ipaPermRight: read ipaPermRight: search ipaPermRight: compare ipaPermRight: write ipaPermRight: add ipaPermTargetFilter: (objectclass=posixaccount) ipaPermBindRuleType: permission ipaPermissionType: SYSTEM ipaPermissionType: V2 cn: UserSelfSerivceCertificate objectClass: top objectClass: groupofnames objectClass: ipapermission objectClass: ipapermissionv2 ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com ipaPermIncludedAttr: usercertificate ============ dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com ipaPermBindRuleType: permission ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=co m ipaPermRight: read ipaPermRight: search ipaPermTargetFilter: (objectclass=ipacertprofile) ipaPermissionType: SYSTEM ipaPermissionType: V2 cn: ReadCAProfile objectClass: top objectClass: groupofnames objectClass: ipapermission objectClass: ipapermissionv2 ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com ipaPermIncludedAttr: cn ipaPermIncludedAttr: description ipaPermIncludedAttr: ipacertprofilestoreissued ipaPermIncludedAttr: objectclass ============ dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com ipaPermRight: read ipaPermRight: search ipaPermRight: compare ipaPermTargetFilter: (objectclass=ipaca) ipaPermBindRuleType: permission ipaPermissionType: SYSTEM ipaPermissionType: V2 cn: ReadIPACA objectClass: top objectClass: groupofnames objectClass: ipapermission objectClass: ipapermissionv2 ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com ipaPermIncludedAttr: cn ipaPermIncludedAttr: description ipaPermIncludedAttr: ipacaid ipaPermIncludedAttr: ipacaissuerdn ipaPermIncludedAttr: ipacasubjectdn ipaPermIncludedAttr: objectclass Thank you for any insight you are able to provide. -- *Mike Plemmons * Senior Infrastructure Engineer 614-427-2411 <https://oliveai.com/> 99 E. Main Street Columbus, OH 43215 oliveai.com Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>

1 month, 2 weeks

2
2
0 / 0

Looking for a way to get a list of users that can log in to a server

by White, Daniel E. (GSFC-770.0)[NICS]

Ideally, a command/script I can run on each host that outputs a list of users that can log in to that host. I found this: FreeIPA Issue #7199 [RFE] Central report that will show who can access which systems (attestation)<https://pagure.io/freeipa/issue/7199> and followed it upstream to this BugZilla Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation)<https://bugzilla.redhat.com/show_bug.cgi?id=1492993> which says it is targeted for RHEL 8 ! Is there any way to do this in the meantime ? I can get a list of users, but how do I get to the HBAC rules to filter them ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

1 month, 3 weeks

2
2
0 / 0

How to Connect to FreeIPA Web UI with AD DC Users?

by Alex Kobin

Just installed a FreeIPA server on Centos7 already did the all trust by the guides and seems that everything is working and i can connect with *admin* user on the Web UI and i can SSH to FreeIPA server with AD user that in specific Security Group only. But i want to connect on the Web UI with the AD Users to the FreeIPA console(*for now i can only connect with the admin user which I prescribed during FreeIPA installation*), what do i need to do that the users from AD DC that in specific group can connect with their credentials to FreeIPA on the Web UI? Thanks Best Regards -- Alex Kobin *System/Security Engineer* alex.kobin(a)sizmek.com <greg.wasson(a)sizmek.com> *Herzliya, IL*

1 month, 3 weeks

2
1
0 / 0

LE SSl on replica server

by Petar Kozić

I have strange problem on replication server. I set master server and I generate and set Let's encrypt. On replica server I do same step but when I try to install pk12 I get error about invalid credentials. For private key unlock password I using weak pass which I set in the proces of generated pk12 in step before. Directory Manager password is right, because when I do: ldapsearch -x -D "cn=directory manager" -w mypassword -s base -b "" "objectclass=*" I get this, which mean DM pass is ok. # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: objectclass=* # requesting: ALL # . . . . lastusn: 2382 changeLog: cn=changelog firstchangenumber: 0 lastchangenumber: 0 ipatopologypluginversion: 1.0 ipatopologyismanaged: on ipaDomainLevel: 1 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 When I try to install cert: ipa-server-certinstall -w /path/to/.pk12 I get this error: ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver ipapython.admintool: DEBUG: File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 110, in run api.Backend.ldap2.connect(bind_pw=self.options.dirman_password) File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 175, in create_connection client_controls=clientctrls) File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1142, in simple_bind bind_dn, bind_password, server_controls, client_controls) File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1030, in error_handler raise errors.ACIError(info="%s %s" % (info, desc)) ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ACIError: Insufficient access: Invalid credentials ipapython.admintool: ERROR: Insufficient access: Invalid credentials ipapython.admintool: ERROR: The ipa-server-certinstall command failed. *—* *Petar Kozić*

1 month, 3 weeks

2
1
0 / 0

Letsencrypt and IPA

by Petar Kozić

Hi folks, I have one IPA server in production for my small environment. There I set Let’s Encrypt CA root and issue .p12 cert without problem. Now, I want to install FreeIPA on VPS, but I have problem with Let’s encrypt SSL. I can’t import SSL. First, I imported CA certficates: ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer ipa-certupdate -v That’s all ok. But than, I generate new p12 with command: openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out ipa.p12 -certfile fullchain.pem Than, ask me for pass and that all is ok. When I run: ipa-server-certinstall -w ipa.p12 -v ask me for Directory pass and pass which I enter in step above, than I get error: ipalib.backend: DEBUG: Created connection context.ldap2_140380174158736 ipapython.ipautil: DEBUG: Starting external process ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmpauWQ5Z', '-N', '-f', '/tmp/tmpauWQ5Z/pwdfile.txt', '-@', '/tmp/tmpauWQ5Z/pwdfile.txt'] ipapython.ipautil: DEBUG: Process finished, return code=0 ipapython.ipautil: DEBUG: stdout= ipapython.ipautil: DEBUG: stderr= ipapython.ipautil: DEBUG: Starting external process ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d', 'dbm:/tmp/tmpauWQ5Z', '-i', 'ipa.p12', '-k', '/tmp/tmpauWQ5Z/pwdfile.txt', '-v', '-w', '/tmp/tmp66gfLt'] ipapython.ipautil: DEBUG: Process finished, return code=10 ipapython.ipautil: DEBUG: stdout= ipapython.ipautil: DEBUG: stderr=pk12util: File Open failed: ipa.p12: PR_FILE_NOT_FOUND_ERROR: File not found ipapython.admintool: DEBUG: File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 116, in run self.replace_http_cert() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 156, in replace_http_cert host_name=api.env.host File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 201, in load_pkcs12 **kwargs) File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 1151, in load_pkcs12 raise ScriptError(str(e)) ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Failed to load ipa.p12 ipapython.admintool: ERROR: Failed to load ipa.p12 ipapython.admintool: ERROR: The ipa-server-certinstall command failed. Some ideas ? *—* *Petar Kozić* System Administrator *mobile: *+381 6 <callto:+381%2060%2006%2088%20008>4 83 44 310 *e-mail:* petar.kozic(a)mint.rs Mint Services | Jove Ilića 140 | 11000 Beograd | Srbija

1 month, 3 weeks

2
5
0 / 0

IPA AD Trust - The attempted logon is invalid. This is either due to a bad username or authentication information.

by Kevin Olbrich

Hi! This is my first FreeIPA setup that needs to be trusted against AD. I spent some hours to debug my issue but I need some help: root@auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com --admin administrator --password Active Directory domain administrator's password: ipa: ERROR: CIFS server communication error: code "3221225581", message "The attempted logon is invalid. This is either due to a bad username or authentication information." (both may be "None") I've also tried "administrator(a)intra.example.com" as well as another administrative account with domain admin privileges. The password is 100% fine and works for ldapadmin (windows tool) as well as windows logons. DNS is also fine: I set up forwarding of "intra.example.com" from IPA to the AD domain and reverse "auth.example.com" from AD to IPA. WORKS: ldapsearch -H ldap://192.168.80.1:389 -x -W -D " administrator(a)intra.example.com" -b "dc=intra,dc=example,dc=com" -d8 Environment: Debian Sid, FreeIPA 4.7.2 Did I miss something? What am I doing wrong here? Kind regards Kevin

1 month, 4 weeks

2
4
0 / 0

2020

2019

2018

2017

FreeIPA-users December 2019