October 2020 - FreeIPA-users - Fedora Mailing-Lists

Re: Renewing a failed to auto-renewal certificate

by Stuart McRobert

Dear flo, Thanks for the helpful links. To check whether replication is possible between the three freeipa servers, via the web interface on each, I have successfully created three new users: + On server 1 create a new user 1 and check they appear on servers 2 & 3 - yes + On server 2 create a new user 2 and check they appear on servers 1 & 3 - yes + On server 3 create a new user 3 and check they appear on servers 1 & 2 - yes Then for each user remove them from a different server to where they were created. This worked as expected. However I do appear to have one user whose information failed to correctly replicate some time ago, causing an inconsistency that I am uncertain on the best way to fix. On server 1 via web attempt to view this specific user: Operations Error Some operations failed. XXX: user not found which should be displayed as a preserved user entry but lacks any details shown other than the "user login". On server 2 this user appears as an active user, with details, status disabled. On server 3 this user appears as a preserved user, with full details, and a note I added to the Class field a few days ago to see whether it would then just replicate but failed. In logs, searching for the user in question on server 1 ./httpd/error_log:[Sun Sep 20 10:34:14.256333 2020] [wsgi:error] [pid 29637] [remote IP_ADDRESS:56930] ipa: INFO: [jsonserver_session] sm@OUR_DOMAIN: user_find(u'USER_XXX', sizelimit=0, version=u'2.215', pkey_only=True): SUCCESS ./httpd/error_log:[Sun Sep 20 10:34:28.721951 2020] [wsgi:error] [pid 29637] [remote IP_ADDRESS:56932] ipa: INFO: [jsonserver_session] sm@OUR_DOMAIN: user_find(u'USER_XXX', preserved=True, sizelimit=0, version=u'2.215', pkey_only=True): SUCCESS ./httpd/error_log:[Sun Sep 20 10:34:28.738772 2020] [wsgi:error] [pid 29636] [remote IP_ADDRESS:56932] ipa: INFO: sm@OUR_DOMAIN: batch: user_show(u'USER_XXX', no_members=True): NotFound ./httpd/error_log:[Sun Sep 20 10:34:28.738952 2020] [wsgi:error] [pid 29636] [remote IP_ADDRESS:56932] ipa: INFO: [jsonserver_session] sm@OUR_DOMAIN: batch(({u'params': ((u'USER_XXX',), {u'no_members': True}), u'method': u'user_show'},), version=u'2.215'): SUCCESS Which just confirms what was seen via the web interface. Next go looking in /var/log/dirsrv/slapd-OUR-DOMAIN/errors and find lots of these messages: [20/Sep/2020:11:18:12.449932996 +0100] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=caToserver2" (server2:389): CSN 5bb473ef000000070000 not found, we aren't as up to date, or we purged [20/Sep/2020:11:18:12.452051936 +0100] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=caToserver2" (server2:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. [20/Sep/2020:11:18:15.479226915 +0100] - ERR - agmt="cn=caToserver2" (server2:389) - clcache_load_buffer - Can't locate CSN 5bb473ef000000070000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [20/Sep/2020:11:18:15.481677959 +0100] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=caToserver2" (server2:389): CSN 5bb473ef000000070000 not found, we aren't as up to date, or we purged [20/Sep/2020:11:18:15.483458741 +0100] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=caToserver2" (server2:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. But is that the only CSN found to be missing, seems to be based on this search: grep -v 5bb473ef000000070000 ./dirsrv/slapd-OUR-DOMAIN/errors | grep -v "If the error persists" 389-Directory/1.3.6.6 B2017.145.2031 server1.OUR-DOMAIN:636 (/etc/dirsrv/slapd-OUR-DOMAIN) [18/Sep/2020:05:57:26.038958649 +0100] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToserver3" (server3:389): Unable to parse the response to the endReplication extended operation. [18/Sep/2020:17:45:55.236862951 +0100] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=caToserver2" (server2:389): Unable to parse the response to the endReplication extended operation. Turning next to server 2 and the dirsrv logs there, lots of messages of the form: [17/Sep/2020:19:33:24.075845464 +0100] - ERR - DSRetroclPlugin - delete_changerecord: could not delete change record 6773158 (rc: 32) [17/Sep/2020:19:33:24.076296207 +0100] - ERR - DSRetroclPlugin - delete_changerecord: could not delete change record 6773159 (rc: 32) [17/Sep/2020:19:33:24.077311010 +0100] - ERR - DSRetroclPlugin - delete_changerecord: could not delete change record 6773160 (rc: 32) [17/Sep/2020:19:33:24.077830624 +0100] - ERR - DSRetroclPlugin - delete_changerecord: could not delete change record 6773161 (rc: 32) [19/Sep/2020:19:59:28.091654453 +0100] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToserver1" (server1:389): Unable to parse the response to the endReplication extended operation. Finally for server 3, dirsrv logs appear to be more about getting started after certificate problems the other day, rather than issues seen on the other servers, but this server does appear to display the user fully as would be desired everywhere. Our old version appears to lack the 389 command dsconf so not been able to use that to help. Summary: + Replication appears to work for e.g. new users + I guess one entry has failed to be replicated correctly causing the inconsistent state on the other two servers + This should ideally be corrected to avoid further issues??? + Uncertain about the best way to do this, suggestions very welcome as first time fixing such problems and I don't want to make it any worse, after all replications seems to be working for everything else. Thanks Best wishes Stuart

11 months, 3 weeks

2
1
0 / 0

OK_AS_DELEGATE by default

by Ronald Wimmer

Is it possible to set this flag by default for all new IPA hosts? Cheers, Ronald

11 months, 3 weeks

3
5
0 / 0

Replica not renewing IPA certificates

by Roderick Johnstone

Hi This is freeipa (ipa-server-4.6.5-11.el7_7.3.x86_64) on RHEL7 with freeipa's own internal CA. One of my ipa server replicas (host3) has not renewed its IPA system certificates and is now showing ca-error: Invalid cookie: u'' in the 'getcert list' output for certificates: "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca", "subsystemCert cert-pki-ca", and the certificate in the file /var/lib/ipa/ra-agent.pem As far as I can see, the sequence of events has been as follows: host3 noticed the certificates needed renewing at 30 Jan 2020 05:37 and certmonger initiated a renewal. The state of those certificates went from MONITORING to CA_WORKING but the certificates were not renewed. The CA renewal master (host1) noticed its same set of certificates (plus "Server-Cert cert-pki-ca") needed renewing at 30 Jan 2020 07:28 and renewed them successfully. Another replica (host2) noticed that its certificates needed renewing at 30 Jan 2020 07:32 and renewed them successfully. At 30 Jan 13:37 on host3 the certificates needing to be renewed went from CA_WORKING back to MONITORING, but 'getcert list' now shows them with: ca-error: Invalid cookie: u'' and they still haven't renewed. I haven't seen certmonger attempt to try the renewal again on host3 (nothing from certmonger in /var/log/messages since 30 Jan 13:37). While I could try a getcert resubmit on host3 to force it to try again, I'd like to know if what I am seeing is the expected behaviour when a replica tried to renew certificates before the renewal master. How long should I have to wait till certmonger on host3 tries again? - I couldn't find any reference to how often certmonger tries the renewal. Rob Crittenden's freeipa-healthcheck script is now showing the following for host3: ERROR: ipahealthcheck.ipa.certs.IPARAAgent: RA agent description does not match 2;16;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM in LDAP and 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM expected ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040924: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040920: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040921: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040922: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040923: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040925: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040927: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180926040926: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.ipa.certs.IPACertRevocation.20180831064406: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConnectivityCheck: Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) Each of host1, host2 and host3 are showing serial number 16 in ldap using: ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca description At this stage I'm not sure whether this will resolve itself when certmonger tries to renew certificates again or whether I need to be more proactive. I'm happy to supply more logs as necessary. Thanks Roderick

11 months, 3 weeks

3
3
0 / 0

Re: SSL/TLS Server Support for TLDv1.0 on port(s) other than 443

by Ian Pilcher

On 10/1/20 12:42 PM, Auerbach, Steven via FreeIPA-users wrote: > What is the proper way to change the overall openssl configuration to > set the ssl_min toTLSv1.2? https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html You can see your current settings with: ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=encryption,cn=config' -- ======================================================================== In Soviet Russia, Google searches you! ========================================================================

11 months, 3 weeks

1
0
0 / 0

SSL/TLS Server Support for TLDv1.0 on port(s) other than 443

by Auerbach, Steven

I have been able to force NSSProtocol to TLSv1.2 on the web service of this IPA server in the nss.conf. But I am receiving a Threat Assessment Hit (SecureWorks) that TLSv1.0 is open on port 636/TCP. I attempted to manually edit the /etc/dirsrv/slapd-<domain>/dse.ldif file, but once I made that change it broke the 389Directory and it would not start. What is the proper way to change the overall openssl configuration to set the ssl_min toTLSv1.2? Thanks. Steven Auerbach Assistant Director of Information Systems Information Technology & Security State University System of Florida Board of Governors 325 W. Gaines Street Tallahassee, Florida 32399 (850) 245-9592 www.flbog.edu<http://www.flbog.edu/>

11 months, 3 weeks

1
0
0 / 0

Modify LDAP/HTTP to add alternative names

by Willie Lima

Hi guys, I have 12 freeipa servers deployed with integrated DNS and CA (realm and domain int.example.com). I would like to make a DNS round-robin, for instance: request ldap.int.example.com and forward for one of the servers and also an external domain ldap.example.com The problem is with the certificate, the TLS handshake fails because there's no alternative name with ldap.int.example.com or ldap.example.com. I read the redhat documentation about certificate manipulation, but I got very confused in fact how it works. How can I do that? Are there another recommendation?

11 months, 3 weeks

4
8
0 / 0

2021

2020

2019

2018

2017

FreeIPA-users October 2020