Re: subsystemCert appears out of date
by Florence Blanc-Renaud
On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:
> Hi Flo,
>
> Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
>
> [root@red-auth01 ~]# ipa-cert-fix
> Failed to get Server-Cert
> The ipa-cert-fix command failed.
>
Hi,
I failed to notice the first time but there is no tracking for the LDAP
cert that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of
# certutil -L -d /etc/dirsrv/slapd-$DOMAIN
You should see Server-Cert (=the ldap server certificate), or maybe a
different nickname is used?
flo
> From the message log:
> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
> Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
> Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>
> Any advice?
>
> Marc.
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: 17 November 2020 10:57
> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>
> On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
>> Hi Flo,
>>
>> Thanks for the help. Included is the output of all the commands as you
>> requested. These were all run from a single freeIPA server (red-auth01).
>>
>> kinit admin; ipa server-role-find --role "CA server"
>> Password for admin(a)INT.I-NEDA.COM:
>> ----------------------
>> 8 server roles matched
>> ----------------------
>>   Server name: power-auth03.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: power-auth04.int.i-neda.com
>>   Role name: CA server
>>   Role status: absent
>>
>>   Server name: red-auth01.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: red-auth02.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: red-auth03.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: red-auth04.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: white-auth01.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: white-auth02.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>> ----------------------------
>> Number of entries returned 8
>> ----------------------------
>>
>>
>> kinit admin; ipa config-show | grep "renewal"
>> Password for admin(a)INT.I-NEDA.COM:
>>   IPA CA renewal master: red-auth01.int.i-neda.com
>>
>>
>> rpm -qa | grep ipa-server
>> ipa-server-common-4.6.8-5.el7.centos.noarch
>> ipa-server-4.6.8-5.el7.centos.x86_64
>> ipa-server-dns-4.6.8-5.el7.centos.noarch
>>
>>
>> getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20171101175244':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>> CA: SelfSign
>> issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>> expires: 2021-08-10 14:04:07 UTC
>> principal name: krbtgt/INT.I-NEDA.COM(a)INT.I-NEDA.COM
>> certificate template/profile: KDCs_PKINIT_Certs
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20180722081853':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>> subject: CN=CA Audit,O=INT.I-NEDA.COM
>> expires: 2022-09-16 12:36:41 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20180722081854':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>> subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
>> expires: 2022-09-16 12:35:31 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20180722081855':
>> status: CA_UNREACHABLE
>> ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>> subject: CN=CA Subsystem,O=INT.I-NEDA.COM
>> expires: 2020-10-24 07:04:35 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20180722081856':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>> subject: CN=Certificate Authority,O=INT.I-NEDA.COM
>> expires: 2040-10-10 07:51:04 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20180722081857':
>> status: CA_UNREACHABLE
>> ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>> stuck: no
>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>> subject: CN=IPA RA,O=INT.I-NEDA.COM
>> expires: 2020-10-24 07:03:24 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20180722081858':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>> expires: 2021-02-09 11:59:57 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20200530130439':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
> Hi Marc,
>
> so the current situation is the following:
> - red-auth01 is the renewal master, with multiple replicas hosting the CA role.
> - on this server, 'subsystemCert cert-pki-ca' is expired (expires:
> 2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires:
> 2020-10-24 07:03:24 UTC).
> - there is also an issue with the tracking of the cert used by HTTP
>
> But one of your comments is puzzling me:
>
>> The signing SSL (int.i-neda.com) is a full wildcard block chain that
>> is authorized by a recognised 3rd party. It's worth noting though,
>> that we had some issues with the block chain back in April as the
> third party's block chain expired. So it's possible that this is as a
>> result of that issue, and may require some fettling to resolve. All help is appreciated.
> Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?
>
> According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.
>
> As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>
> Once the systems are up again, you can switch back to an externally-signed ipa CA:
> - import the external CA chain using ipa-cacert-manage install + run ipa-certupdate on all the ipa nodes
> - switch to externally-signed CA with ipa-cacert-manage renew --external-ca command
> (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...)
>
> HTH,
> flo
>>
>> My current temporary work around is to set the local clock of the OS
>> back by over a month so the server believes the expired CAs are still valid.
>>
>> Kind Regards,
>>
>> Marc.
>> ------------------------------------------------------------------------
>> *From:* Florence Blanc-Renaud <flo(a)redhat.com>
>> *Sent:* 16 November 2020 14:35
>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> *Cc:* Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>
>> *Subject:* Re: [Freeipa-users] subsystemCert appears out of date
>>
>> On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
>>> Hi All,
>>>
>>> My subsystem cert appears to have gone out of date, and I'm
>>> unable to get it to update. This has become an issue on my production
>>> environment, and my current work around has been to take the system
>>> date back by a month. I've tried the cert renew tool, but this
>>> doesn't seem to have updated this cert.
>>>
>>> Is anyone able to point me in the right direction to be able to
>>> update this specific certificate as I've been unable to find anything online.
>>>
>>> [auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>>> Certificate:
>>>     Data:
>>>         Version: 3 (0x2)
>>>         Serial Number: 42 (0x2a)
>>>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>         Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
>>>         Validity:
>>>             Not Before: Sun Nov 04 08:04:35 2018
>>>             Not After : Sat Oct 24 07:04:35 2020
>>>         Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
>>>         Subject Public Key Info:
>>>             Public Key Algorithm: PKCS #1 RSA Encryption
>>>             RSA Public Key:
>>>                 Modulus:
>>>                     c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6:
>>>                     5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0:
>>>                     f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b:
>>>                     bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24:
>>>                     e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5:
>>>                     0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90:
>>>                     14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14:
>>>                     00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a:
>>>                     1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65:
>>>                     53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24:
>>>                     52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57:
>>>                     e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91:
>>>                     a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43:
>>>                     04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6:
>>>                     cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6:
>>>                     63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7
>>>                 Exponent: 65537 (0x10001)
>>>         Signed Extensions:
>>>             Name: Certificate Authority Key Identifier
>>>             Key ID:
>>>                 f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
>>>                 d5:08:c0:3a
>>>
>>>             Name: Authority Information Access
>>>             Method: PKIX Online Certificate Status Protocol
>>>             Location:
>>>                 URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
>>>
>>>             Name: Certificate Key Usage
>>>             Critical: True
>>>             Usages: Digital Signature
>>>                     Non-Repudiation
>>>                     Key Encipherment
>>>                     Data Encipherment
>>>
>>>             Name: Extended Key Usage
>>>                 TLS Web Server Authentication Certificate
>>>                 TLS Web Client Authentication Certificate
>>>
>>>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>     Signature:
>>>         5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:
>>>         22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:
>>>         4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:
>>>         77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:
>>>         e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:
>>>         9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:
>>>         cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:
>>>         32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:
>>>         0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:
>>>         59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:
>>>         ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:
>>>         64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:
>>>         68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:
>>>         7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:
>>>         c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:
>>>         eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51
>>>     Fingerprint (SHA-256):
>>>         4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:15:13:92:D3:7A:3D:F8:54:44
>>>     Fingerprint (SHA1):
>>>         03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
>>>     Mozilla-CA-Policy: false (attribute missing)
>>>     Certificate Trust Flags:
>>>         SSL Flags:
>>>             User
>>>         Email Flags:
>>>             User
>>>         Object Signing Flags:
>>>             User
>>>
>>>
>>> Thanks for the help,
>>>
>>> Marc.
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedo
>>> rahosted.org
>>>
>> Hi Marc,
>>
>> we need more information in order to help you:
>> - do you have multiple master/replicas with the CA role:
>> # kinit admin; ipa server-role-find --role "CA server"
>>
>> - which server is the renewal master:
>> # kinit admin ; ipa config-show | grep "renewal"
>>
>> - which version is installed:
>> # rpm -qa | grep ipa-server
>>
>> - Is the subsystemCert cert-pki-ca the only expired certificate:
>> # getcert list
>>
>> flo
>>
>
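The whole thread comes down to reading `getcert list` output by hand: the expired `subsystemCert cert-pki-ca` and `/var/lib/ipa/ra-agent.pem`, the `CA_UNREACHABLE` status with its `ca-error`, and the stuck HTTP `Server-Cert` request that has no certificate on file at all. The script below is an added example, not code from the thread, from FreeIPA or from certmonger; it parses that output and flags those same conditions so they are not missed on a server with many tracked certificates. The sample output it carries is constructed from the entries quoted above (request IDs, nicknames and expiry dates copied from the thread); the function and variable names are assumptions of the example.

```python
"""Triage `getcert list` output: expired certificates, requests certmonger
cannot renew, and tracking entries with no certificate on file.
Added example; not code from the mailing-list thread, FreeIPA or certmonger."""
import re
from datetime import datetime, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # format certmonger prints in "expires:"

# Constructed sample, trimmed from the getcert output quoted in the thread.
# Real `getcert list` output indents the fields with a tab.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20180722081855':
\tstatus: CA_UNREACHABLE
\tca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=INT.I-NEDA.COM
\texpires: 2020-10-24 07:04:35 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20180722081858':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
\texpires: 2021-02-09 11:59:57 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20200530130439':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue                      # header line or stray text
        key, value = line.split(":", 1)   # first colon only: the ca-error URL has more
        current[key.strip()] = value.strip()
    return requests


def display_name(req):
    """NSS nickname if the cert lives in an NSS DB, else the file path, else the request ID."""
    cert = req.get("certificate", "")
    m = re.search(r"nickname='([^']+)'", cert) or re.search(r"location='([^']+)'", cert)
    return m.group(1) if m else req["id"]


def triage(requests, now_utc, warn_days=30):
    """Return (name, finding) pairs. now_utc is a string in EXPIRES_FMT so the
    check can be replayed against a known date (the thread is from Nov 2020)."""
    now = datetime.strptime(now_utc, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    findings = []
    for req in requests:
        name = display_name(req)
        expires = req.get("expires", "unknown")
        if expires == "unknown":
            findings.append((name, "no certificate on file"))   # stuck HTTP Server-Cert case
        else:
            exp = datetime.strptime(expires, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            left = (exp - now).days
            if exp <= now:
                findings.append((name, f"expired {exp:%Y-%m-%d}"))
            elif left < warn_days:
                findings.append((name, f"expires in {left} days"))
        if req.get("status") != "MONITORING":
            findings.append((name, f"status {req.get('status', '?')}"))
        if req.get("stuck") == "yes":
            findings.append((name, "tracking request is stuck"))
        if req.get("ca-error"):
            findings.append((name, "ca-error: " + req["ca-error"]))
    return findings


if __name__ == "__main__":
    for name, finding in triage(parse_getcert(SAMPLE), "2020-11-18 00:00:00 UTC"):
        print(f"{name}: {finding}")
```

On a live server, feed it `getcert list` output piped from the command and the current date; a request in any state other than `MONITORING`, a `stuck: yes`, or an `expires: unknown` entry each needs attention regardless of the expiry date, which is why they are reported separately from the date check.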
3 years, 4 months
Certificate operation cannot be completed: Unable to communicate with CMS (403)
by Corey Devenport
Setup:
Cluster of 3 FreeIPA Masters with one as the CA Renewal Master
ipa version 4.8.4
Problem:
One of our certs for one of our servers recently expired, but it was supposed to auto-renew. Looking into the issue I found that I couldn't access any certs via CLI or the webUI. When trying to do either, I get the following error:
IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (403)
After doing some research it seems the issue may be with the IPA RA, though I found a userCertificate in the LDAP that was issued the same day as the one being used by the ipa server (it had the userCertificate being used by the ipa server as well as another userCertificate, both have the same dates, but different certificates), changing the ra-agent.pem did not seem to solve any problems.
Looking in /var/log/pki/pki-tomcat/ca/debug I found the following errors:
WARNING: CertProcessor: No authenticator credentials required
SEVERE: AgentCertAuthentication: No SSL Client Certs Found
SEVERE: CAProcessor: authentication error: Invalid Credential.
I'm a little lost and not sure what to do next, any help would be greatly appreciated.
3 years, 4 months
freeIPA / DNS Override
by Nico Maas
Dear all,
I have a freeIPA instance which is also connected to upstream / internet DNS servers, but mostly working in a local network which is for most parts separated from the internet, using a DNS like company.local - where also freeIPA is using this as a kerberos realm. However, we got also domains at the - not freeIPA controlled company.com - and especially some names like testsystem.company.com which are hosted internally in our network and are exposed via DMZ and NAT, so they get different IP addresses. We now would like to have the system test1.company.com not only be available via test1.company.com (with external IP) or test1.company.local (with internal IP), but with the external DNS name and internal IP - so we'd need to somehow rewrite the DNS Name to another IP.
Is there a possibility, other than local hosts files etc - to just rewrite one DNS entry in the server? It is important that the rest of the upstream DNS is untouched (i.e. the rest of the company.com names are served as usual).
Kind regards and thanks,
Nico
3 years, 4 months
mixed versions freeIPA domain
by lejeczek
hi guys,
I have a working domain off Centos 7's VERSION: 4.6.8,
API_VERSION: 2.237 and now I'm adding Centos 8's VERSION:
4.8.4, API_VERSION: 2.235.
Adding Centos 8 replica worked okay and now with on that new
replica/master:
$ ipa-ca-install
I get:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated
time: 3 minutes
[1/27]: creating certificate server db
[2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
[3/27]: creating ACIs for admin
[4/27]: creating installation admin user
[5/27]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to
configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwodqkt5b']
returned non-zero exit status 1: 'Notice: Trust flag u is
set automatically if the private key is present.\nWARNING:
Unable to modify o=ipaca: netscape.ldap.LDAPException: error
result (20); Type or value exists\nERROR: Exception: Server
unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER]
wrong version number (_ssl.c:897)\n File
"/usr/lib/python3.6/site-packages/pki/server/pkispawn.py",
line 562, in main\n scriptlet.spawn(deployer)\n File
"/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 836, in spawn\n
request_timeout=status_request_timeout,\n File
"/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py",
line 911, in wait_for_startup\n raise Exception(\'Server
unreachable due to SSL error: %s\' % reason) from exc\n\n')
ipaserver.install.dogtaginstance: CRITICAL See the
installation logs and the following files/directories for
more information:
ipaserver.install.dogtaginstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
and I wonder if it fails because it should, because these
two versions will not! work together or the problem of some
other cause not related to the fact different versions are used?
Many thanks, L.
3 years, 4 months
FreeIPA 4.6 and ACME
by chriz.r@web.de
Hey,
we are currently running FreeIPA 4.6.8 on CentOS 7 and found out that, to manage our certificates in a Kubernetes cluster, FreeIPA now supports ACME as a service.
On CentOS 7, however, ACME is not available in the current FreeIPA package.
Has anyone found a viable alternative to ACME or a way to install the ACME create/deploy plugin for FreeIPA on CentOS 7?
Thanks in advance!
3 years, 4 months
Freeipa-client authentication against AD
by kotelnikova9314@gmail.com
Hello all,
sorry if this question was already discussed several times; nevertheless, I am stuck with setting up a trust between FreeIPA and AD.
To be more precise, the one-way trust is set up and I can log in to the FreeIPA server with AD credentials.
I also have a bunch of servers with ipa-client configured and I am able to log in to them with FreeIPA accounts, but not AD ones.
1) Did I understand correctly that clients should "somehow" authenticate to AD via FreeIPA? Or do they need to contact AD directly?
2) If the clients should be configured to talk to AD, which configurations are needed?
3) The way I am trying to log in is as follows:
> ssh -v -l ad_user@ad_domain hostname
4) In logs i have such errors during authentication:
sshd[11294]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.45.33.1 user=ad_user@ad_domain
sshd[11294]: pam_sss(sshd:auth): received for user ad_user@ad_domain: 6 (Permission denied)
sshd[11290]: error: PAM: Authentication failure for ad_user@ad_domain from 10.45.33.1
sshd[11290]: Connection closed by authenticating user user_ad@ad_domain 10.45.33.1 port 40108 [preauth]
Thanks in advance!
3 years, 4 months
DNS issue with CNAME and dnsmasq forwards
by Boris Behrens
Hi,
I have a very strange problem:
I would like to add a CNAME to the IPA DNS server, that resolves to an
internal domain which is forwarded from our central DNSmasq to our consul.
I created a zone called test.boris and added a CNAME record
cname.test.boris IN CNAME cname.stage.consul.
The DNSmasq config forwards consul to 10.1.2.3:8600.
When I now query for the cname.test.boris. I get
cname.test.boris. in CNAME cname.stage.consul.
cname.stage.consul. NXDOMAIN.
After some debugging I came to the conclusion that the NXDOMAIN response
comes from freeIPA, which tries to resolve this, but since consul. is not in the
world wide root zone it does not work.
Now I added a forward zone which tells IPA to forward this request back to
DNSmasq.
In the TCP dump I can trace the packet and I see that DNSmasq sends the
correct address back to freeIPA, which answers with an empty A record.
What am I doing wrong?
--
The "UTF-8 problems" self-help group meets this time, exceptionally, in the
large hall.
3 years, 4 months
Problems after updating to OL 8.3 (Ootpa)
by Ronald Wimmer
After upgrading our IPA servers AD user resolution seems to have stopped
working.
id myADUser says:
id: ‘myADUser’: no such user
Why? The logs say:
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [accept_fd_handler] (0x0400): Client
[0x55b92cb403e0][26] connected!
(2020-11-18 9:09:59): [nss] [sss_cmd_get_version] (0x0200): Received
client version [1].
(2020-11-18 9:09:59): [nss] [sss_cmd_get_version] (0x0200): Offered
version [1].
(2020-11-18 9:09:59): [nss] [nss_getby_name] (0x0400): Input name: myADUser
(2020-11-18 9:09:59): [nss] [cache_req_send] (0x0400): CR #0: New
request 'User by name'
(2020-11-18 9:09:59): [nss] [cache_req_process_input] (0x0400): CR #0:
Parsing input name [myADUser]
(2020-11-18 9:09:59): [nss] [sss_parse_name_for_domains] (0x0200): name
'myADUser' matched without domain, user is myADUser
(2020-11-18 9:09:59): [nss] [nss_get_object_send] (0x0400): Client
[0x55b92cb403e0][26]: sent cache request #0
(2020-11-18 9:09:59): [nss] [cache_req_set_name] (0x0400): CR #0:
Setting name [myADUser]
(2020-11-18 9:09:59): [nss] [cache_req_select_domains] (0x0400): CR #0:
Performing a multi-domain search
(2020-11-18 9:09:59): [nss] [cache_req_search_domains] (0x0400): CR #0:
Search will check the cache and check the data provider
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0:
Using domain [implicit_files]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400):
CR #0: Preparing input data for domain [implicit_files] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0:
Looking up myADUser@implicit_files
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
Checking negative cache for [myADUser@implicit_files]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
[myADUser@implicit_files] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser@implicit_files] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser@implicit_files] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0:
Looking up [myADUser@implicit_files] in data provider
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser@implicit_files] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser@implicit_files] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain]
(0x0400): CR #0: Adding [myADUser@implicit_files] to negative cache
(2020-11-18 9:09:59): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/implicit_files/myADUser@implicit_files] to negative cache
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0:
Using domain [org.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400):
CR #0: Preparing input data for domain [org.mydomain.at] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0:
Looking up myADUser(a)org.mydomain.at
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
Checking negative cache for [myADUser(a)org.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
[myADUser(a)org.mydomain.at] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)org.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)org.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0:
Looking up [myADUser(a)org.mydomain.at] in data provider
(2020-11-18 9:09:59): [nss] [sss_dp_get_account_send] (0x0400):
Creating request for
[org.mydomain.at][0x1][BE_REQ_USER][name=myADUser@org.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=myADUser(a)org.mydomain.at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
DP Request [Account #1]: New request. Flags [0x0001].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust
View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type:
[REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_search_by_name]
(0x0400): No such entry
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_done] (0x0400):
DP Request [Account #1]: Request handler finished [0]: Success
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400):
DP Request [Account #1]: Receiving request data.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): DP Request [Account #1]: Request removed.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)org.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)org.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain]
(0x0400): CR #0: Adding [myADUser(a)org.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/org.mydomain.at/myADUser(a)org.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0:
Using domain [linux.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400):
CR #0: Preparing input data for domain [linux.mydomain.at] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0:
Looking up myADUser(a)linux.mydomain.at
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
Checking negative cache for [myADUser(a)linux.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
[myADUser(a)linux.mydomain.at] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)linux.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)linux.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0:
Looking up [myADUser(a)linux.mydomain.at] in data provider
(2020-11-18 9:09:59): [nss] [sss_dp_get_account_send] (0x0400):
Creating request for
[linux.mydomain.at][0x1][BE_REQ_USER][name=myADUser@linux.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=myADUser(a)linux.mydomain.at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
DP Request [Account #2]: New request. Flags [0x0001].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_search_user_next_base] (0x0400): Searching for users with base
[cn=accounts,dc=linux,dc=mydomain,dc=at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=myADUser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_search_by_name]
(0x0400): No such entry
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_search_by_name]
(0x0400): No such entry
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending
request
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_done] (0x0400):
DP Request [Account #2]: Request handler finished [0]: Success
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400):
DP Request [Account #2]: Receiving request data.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): DP Request [Account #2]: Request removed.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)linux.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)linux.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain]
(0x0400): CR #0: Adding [myADUser(a)linux.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/linux.mydomain.at/myADUser(a)linux.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0:
Using domain [buero.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400):
CR #0: Preparing input data for domain [buero.mydomain.at] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0:
Looking up myADUser(a)buero.mydomain.at
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
Checking negative cache for [myADUser(a)buero.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0:
[myADUser(a)buero.mydomain.at] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)buero.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)buero.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0:
Looking up [myADUser(a)buero.mydomain.at] in data provider
(2020-11-18 9:09:59): [nss] [sss_dp_get_account_send] (0x0400):
Creating request for
[buero.mydomain.at][0x1][BE_REQ_USER][name=myADUser@buero.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=myADUser(a)buero.mydomain.at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
DP Request [Account #3]: New request. Flags [0x0001].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust
View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(2020-11-18 9:09:59): [be[linux.mydomain.at]]
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type:
[REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_search_by_name]
(0x0400): No such entry
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_done] (0x0400):
DP Request [Account #3]: Request handler finished [0]: Success
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400):
DP Request [Account #3]: Receiving request data.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): DP Request [Account #3]: Request removed.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)buero.mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)buero.mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache_add_to_domain]
(0x0400): CR #0: Adding [myADUser(a)buero.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/buero.mydomain.at/myADUser(a)buero.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [cache_req_set_domain] (0x0400): CR #0:
Using domain [mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_prepare_domain_data] (0x0400):
CR #0: Preparing input data for domain [mydomain.at] rules
(2020-11-18 9:10:00): [nss] [cache_req_search_send] (0x0400): CR #0:
Looking up myADUser(a)mydomain.at
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0:
Checking negative cache for [myADUser(a)mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0:
[myADUser(a)mydomain.at] is not present in negative cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_dp] (0x0400): CR #0:
Looking up [myADUser(a)mydomain.at] in data provider
(2020-11-18 9:10:00): [nss] [sss_dp_get_account_send] (0x0400):
Creating request for
[mydomain.at][0x1][BE_REQ_USER][name=myADUser@mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=myADUser(a)mydomain.at]
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
DP Request [Account #4]: New request. Flags [0x0001].
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust
View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type:
[REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_search_by_name]
(0x0400): No such entry
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_done] (0x0400):
DP Request [Account #4]: Request handler finished [0]: Success
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400):
DP Request [Account #4]: Receiving request data.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): DP Request [Account #4]: Request removed.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache_add_to_domain]
(0x0400): CR #0: Adding [myADUser(a)mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/mydomain.at/myADUser(a)mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [cache_req_set_domain] (0x0400): CR #0:
Using domain [tk.mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_prepare_domain_data] (0x0400):
CR #0: Preparing input data for domain [tk.mydomain.at] rules
(2020-11-18 9:10:00): [nss] [cache_req_search_send] (0x0400): CR #0:
Looking up myADUser(a)tk.mydomain.at
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0:
Checking negative cache for [myADUser(a)tk.mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0:
[myADUser(a)tk.mydomain.at] is not present in negative cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)tk.mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)tk.mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_dp] (0x0400): CR #0:
Looking up [myADUser(a)tk.mydomain.at] in data provider
(2020-11-18 9:10:00): [nss] [sss_dp_get_account_send] (0x0400):
Creating request for
[tk.mydomain.at][0x1][BE_REQ_USER][name=myADUser@tk.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=myADUser(a)tk.mydomain.at]
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
DP Request [Account #5]: New request. Flags [0x0001].
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust
View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(2020-11-18 9:10:00): [be[linux.mydomain.at]]
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type:
[REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_search_by_name]
(0x0400): No such entry
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_done] (0x0400):
DP Request [Account #5]: Request handler finished [0]: Success
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400):
DP Request [Account #5]: Receiving request data.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): DP Request [Account #5]: Request removed.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Looking up [myADUser(a)tk.mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0:
Object [myADUser(a)tk.mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache_add_to_domain]
(0x0400): CR #0: Adding [myADUser(a)tk.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/tk.mydomain.at/myADUser(a)tk.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [cache_req_process_result] (0x0400): CR #0:
Finished: Not found
(2020-11-18 9:10:00): [nss] [client_recv] (0x0200): Client disconnected!
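The trace above is easier to read once the entries the archive wrapped across lines are re-joined and the per-domain outcome is pulled out. The script below is an added example, not code from the original post or from SSSD: it parses a constructed excerpt in the same "(timestamp): [component] [function] (level): message" format (user and domain names are made up) and reports, for each domain the nss responder tried, whether the lookup went through the s2n extended operation to the IPA server or through a direct LDAP search, what the answer was, and whether the miss was then added to the negative cache.

```python
"""Trace one user lookup through SSSD debug logs (added example, not SSSD code)."""
import re
from collections import OrderedDict

# Constructed sample in the format of the post's trace (made-up user and domain
# names); two entries are wrapped across lines the way the mail archive wrapped them.
SAMPLE = """\
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0:
Using domain [org.example.test]
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [user1@org.example.test] was not found in cache
==> /var/log/sssd/sssd_linux.example.test.log <==
(2020-11-18 9:09:59): [be[linux.example.test]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type:
[REQ_FULL_WITH_MEMBERS] for trust user [user1] to IPA server
(2020-11-18 9:09:59): [be[linux.example.test]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [user1@org.example.test] to negative cache
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0: Using domain [linux.example.test]
==> /var/log/sssd/sssd_linux.example.test.log <==
(2020-11-18 9:09:59): [be[linux.example.test]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [user1@linux.example.test] to negative cache
(2020-11-18 9:10:00): [nss] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
"""

ENTRY_START = re.compile(r"^\(\d{4}-\d{2}-\d{2} +\d{1,2}:\d{2}:\d{2}\)")
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\): \[(?P<comp>[^\[\]]+(?:\[[^\]]*\])?)\] "
                   r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")
FILE_HEADER = re.compile(r"^==> (?P<path>\S+) <==$")


def parse_sssd_lines(lines):
    """One dict per log entry; wrapped continuation lines are joined to their entry."""
    records, pending, current_file = [], [], None

    def flush():
        if pending:
            m = ENTRY.match(" ".join(p.strip() for p in pending))
            pending.clear()
            if m:
                records.append(dict(m.groupdict(), file=current_file))

    for line in lines:
        if not line.strip():
            continue
        header = FILE_HEADER.match(line.strip())
        if header:                      # "==> file <==" marker from tail -f
            flush()
            current_file = header.group("path")
        elif ENTRY_START.match(line):   # a new "(timestamp): ..." entry
            flush()
            pending.append(line)
        elif pending:                   # wrapped remainder of the current entry
            pending.append(line)
    flush()
    return records


def trace_lookup(records):
    """Per domain: path taken (s2n extop vs direct LDAP), the answer, and whether
    the miss was negative-cached; plus the responder's final result."""
    domains, current, final = OrderedDict(), None, None
    for rec in records:
        func, msg = rec["func"], rec["msg"]
        if func == "cache_req_set_domain":
            m = re.search(r"Using domain \[([^\]]+)\]", msg)
            if m:
                current = m.group(1)
                domains[current] = {"path": None, "result": None, "negative_cached": False}
        elif func == "cache_req_process_result":
            final = msg.split("Finished:", 1)[-1].strip()
        elif current is None:
            continue
        elif func == "ipa_s2n_get_acct_info_send":
            domains[current]["path"] = "s2n"
        elif func == "ipa_s2n_exop_done":
            m = re.search(r"result: (.*?)(?:, \(null\))?\.?$", msg)
            domains[current]["result"] = m.group(1) if m else msg
        elif func == "sdap_search_user_process":
            domains[current]["path"] = "ldap"
            m = re.search(r"returned (\d+) results", msg)
            domains[current]["result"] = f"{m.group(1)} results" if m else msg
        elif func == "cache_req_search_ncache_add_to_domain":
            domains[current]["negative_cached"] = True
    return domains, final


def diagnose(domains):
    """Was the name rejected by the IPA server, or only locally?"""
    for name, d in domains.items():
        if d["path"] == "s2n" and str(d["result"]).startswith("No such object"):
            return (f"{name}: the client reached the IPA server and the s2n extended "
                    f"operation answered {d['result']}; resolve the user on the server "
                    "side, the client cache is not the problem")
    return "no trusted-domain lookup was rejected by the IPA server"


def summarize(text):
    records = parse_sssd_lines(text.splitlines())
    domains, final = trace_lookup(records)
    return {"records": len(records), "domains": domains, "final": final,
            "verdict": diagnose(domains)}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for name, d in report["domains"].items():
        print(f"{name:22} path={str(d['path']):<5} result={d['result']!r} "
              f"negative_cached={d['negative_cached']}")
    print("final:", report["final"], "|", report["verdict"])
```

Feed it the concatenated tail -f output of sssd_nss.log and sssd_<domain>.log with debug_level 6 or higher. Applied to the trace in the post, every trusted-domain attempt ends at ipa_s2n_exop_done with "No such object(32)", so the client did talk to the IPA server and it is the server that could not resolve the user; the IPA domain's own attempts are plain LDAP searches returning 0 results, which is expected for an AD user. Two things to keep in mind when reading such a trace: the responder walks every known domain in turn because the name was given without a domain suffix, and each miss is written to the negative cache, so repeating id or getent on the client within entry_negative_timeout (15 seconds by default) answers "not found" without asking the server again.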
certlist shows ca-error after upgrade
by Cody Ashe-McNalley
Hi All,
My primary CA's httpd and slapd certs show a 'ca-error' warning "4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2.)".
RHEL 7.9
ipa-server-4.6.8-5.el7.x86_64
CA and DNS enabled
Request ID '20180927235641':
    status: CA_UNREACHABLE
    ca-error: Server at https://<ipaserver>/ipa/xml failed request, will retry: 4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<DOMAIN>/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-<DOMAIN>',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=<DOMAIN>
    subject: CN=<ipaserver>,O=<DOMAIN>
    expires: 2022-05-05 23:59:26 UTC
    principal name: ldap/<ipaserver>@<DOMAIN>
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <DOMAIN>
    track: yes
    auto-renew: yes
Request ID '20180927235642':
    status: CA_UNREACHABLE
    ca-error: Server at https://<ipaserver>/ipa/xml failed request, will retry: 4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=<DOMAIN>
    subject: CN=<ipaserver>,O=<DOMAIN>
    expires: 2022-05-05 23:59:25 UTC
    principal name: HTTP/<ipaserver>@<DOMAIN>
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Advice and experience would be greatly appreciated.
Best regards,
Cody
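A renewal failure like the one above only becomes an outage when the certificate actually runs out, so the first thing to establish is how much validity each affected request has left. The script below is an added example, not from the post or from FreeIPA: it parses the "Request ID '...':" blocks that getcert list prints (a constructed copy of the output above with a made-up host, realm and request IDs, plus one healthy-looking request for contrast), pulls the IPA error number out of the ca-error text, and flags requests that are not in MONITORING, report a ca-error, are stuck, or expire within a configurable window.

```python
"""Triage certmonger requests from `getcert list` output (added example, not FreeIPA code)."""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the post's output (made-up host, realm and
# request IDs): two requests failing with the same 4027 error, plus one request
# that looks healthy but whose certificate is close to expiry.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20180927235641':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2.).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2022-05-05 23:59:26 UTC
\tprincipal name: ldap/ipa.example.test@EXAMPLE.TEST
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.TEST
\ttrack: yes
\tauto-renew: yes
Request ID '20180927235642':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4027 (RPC failed at server. The search criteria was not specific enough. Expected 1 and found 2.).
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tCA: IPA
\texpires: 2022-05-05 23:59:25 UTC
\tprincipal name: HTTP/ipa.example.test@EXAMPLE.TEST
\ttrack: yes
\tauto-renew: yes
Request ID '20180927235643':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2020-12-01 12:00:00 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes
"""

# Constructed reference time, chosen to sit between the sample's expiry dates.
NOW = datetime(2020, 11, 18, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
ERROR_CODE_RE = re.compile(r"\b(\d{4}) \(")   # "... will retry: 4027 (RPC failed ..."
STORAGE_RE = re.compile(r"location='(?P<location>[^']*)'.*?nickname='(?P<nickname>[^']*)'")


def parse_getcert_list(text):
    """One dict per "Request ID" block, keyed by the field names getcert prints."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split at the first colon only
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_days=30):
    """Map request_id -> findings for every request that needs attention."""
    report = {}
    for req in requests:
        findings = []
        if req.get("status") != "MONITORING":
            findings.append(f"status {req.get('status', '?')}")
        if req.get("ca-error"):
            m = ERROR_CODE_RE.search(req["ca-error"])
            findings.append(f"ca-error {m.group(1) if m else '?'}")
        if req.get("stuck") == "yes":
            findings.append("stuck")
        if req.get("expires"):
            days_left = (parse_expiry(req["expires"]) - now).days
            if days_left < 0:
                findings.append("expired")
            elif days_left <= warn_days:
                findings.append(f"expires in {days_left} days")
        if findings:
            report[req["request_id"]] = findings
    return report


def describe(req):
    """Identify what a request tracks: NSS database, nickname, principal, CA helper."""
    m = STORAGE_RE.search(req.get("key pair storage", ""))
    where = f"{m.group('location')}:{m.group('nickname')}" if m else "?"
    return f"{where} ({req.get('principal name', 'no principal')}, CA {req.get('CA', '?')})"


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE)
    for rid, findings in triage(reqs, NOW).items():
        req = next(r for r in reqs if r["request_id"] == rid)
        print(rid, describe(req), "->", "; ".join(findings))
```

Pipe the real output in with getcert list | python3 triage.py after replacing SAMPLE with sys.stdin.read(). With the expiry dates quoted in the post (May 2022) the two failing requests have well over a year of validity left, so the 4027 error is a renewal problem to fix before then, not yet an outage; certmonger keeps retrying in the meantime, as the "will retry" in the ca-error text says. The third, constructed request shows the other side of the same check: a request in MONITORING still deserves attention when its expiry is close. Note that the two failing requests are submitted through the CA named "IPA" (the IPA XML-RPC endpoint at /ipa/xml), which is where the 4027 answer comes from, while the CA subsystem certificates go through the dogtag-ipa-ca-renew-agent helper.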
Disable self service for TOTP tokens
by Kevin Cassar
Hi all,
In my setup I have TOTP (software token) enabled, and it works as intended. My only concern is that I want only the "admin" to be able to generate software tokens, which they can later assign to users.
Essentially, I want to do away with user-managed tokens, and only have administrator-managed tokens. I was wondering if such a thing is possible?
Thank you.