RA Agent certificate authorisation fails – how to debug?
by Tomasz Torcz
Hi,
I've encountered some authentication problems with my FreeIPA
installation, which I've traced to RA Agent certification auth problems.
I've done the typical steps to verify the certs in LDAP and hit a wall.
Please suggest further steps.
My setup is 2 masters on Fedora 34:
freeipa-server-4.9.6-2.fc34.x86_64
pki-base-10.10.6-1.fc34.noarch
Steps I've done:
First I noticed problems when enabling ACME:
$ ipa-acme-manage enable
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.
This is caused by authentication failure (401 return code), which
I confirmed using curl:
$ curl -X POST https://kaitain.pipebreaker.pl:8443/acme/enable --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key
<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 401 – Unauthorized</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The request has not been applied because
it lacks valid authentication credentials for the target resource.</p><hr class="line" /><h3>Apache Tomcat/9.0.52</h3></body></html>
Errors from catalina.out:
02-Oct-2021 16:29:39.618 INFO [https-jsse-nio-8443-exec-6] com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke ExternalAuthenticationValve: authType: null
02-Oct-2021 16:29:39.618 INFO [https-jsse-nio-8443-exec-6] com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke ExternalAuthenticationValve: principal: null
02-Oct-2021 16:29:39.620 INFO [https-jsse-nio-8443-exec-6] com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate PKIAuthenticator: Authenticate with client certificate authentication
02-Oct-2021 16:29:39.620 INFO [https-jsse-nio-8443-exec-6] com.netscape.cms.tomcat.ProxyRealm.authenticate Authenticating certificate chain:
02-Oct-2021 16:29:39.621 INFO [https-jsse-nio-8443-exec-6] com.netscape.cms.tomcat.ProxyRealm.authenticate - CN=IPA RA,O=PIPEBREAKER.PL
02-Oct-2021 16:29:39.621 INFO [https-jsse-nio-8443-exec-6] com.netscape.cms.tomcat.ProxyRealm.authenticate - CN=Certificate Authority,O=PIPEBREAKER.PL
02-Oct-2021 16:29:39.624 INFO [https-jsse-nio-8443-exec-6] com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate PKIAuthenticator: Result: false
I've made sure that /var/lib/ipa/ra-agent.pem is the same as in LDAP.
$ openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -text | grep Serial
Serial Number: 105 (0x69)
$ ldapsearch -o ldif_wrap=no -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (uid=ipara)
# requesting: ALL
#
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
userCertificate;binary:: <SNIPPED>
cn: ipara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
usertype: agentType
sn: ipara
uid: ipara
userstate: 1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The SNIPPED portion is the same data as in /var/lib/ipa/ra-agent.pem.
This is the same certificate; serial number matches, too.
Certificate is NOT expired:
$ openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -dates
notBefore=Jun 16 04:34:42 2021 GMT
notAfter=Jun 6 04:34:42 2023 GMT
What should I do next to resolve this authentication issue?
--
Tomasz Torcz
tomek(a)pipebreaker.pl
"Morality must always be based on practicality." — Baron Vladimir Harkonnen
1 year, 11 months
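The post compares the serial number by eye; the script below does the same comparison mechanically, including the issuer and subject DNs, which openssl prints in a different order and spacing than LDAP does. It is an added example, not code from the post; the inputs are constructed from the values quoted above, and the description of how Dogtag uses the `description` attribute is my understanding, not something the post states.

```python
"""Cross-check an IPA RA agent certificate against the Dogtag 'ipara' user entry.

Added example; not code from the original post. Dogtag keeps, on
uid=ipara,ou=people,o=ipaca, a 'description' of the form
    2;<serial, decimal>;<issuer DN>;<subject DN>
and (as I understand it) locates the agent user by that attribute before
comparing the presented certificate with the stored userCertificate.
Inputs below are constructed from the post: the LDAP attribute and the
output of 'openssl x509 -noout -serial -issuer -subject' on ra-agent.pem.
"""
import re

LDAP_DESCRIPTION = ("2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;"
                    "CN=IPA RA,O=PIPEBREAKER.PL")
OPENSSL_OUTPUT = """\
serial=69
issuer=O = PIPEBREAKER.PL, CN = Certificate Authority
subject=O = PIPEBREAKER.PL, CN = IPA RA
"""


def parse_description(desc):
    """Split Dogtag's 'version;serial;issuer;subject' description."""
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected cmsuser description: %r" % desc)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def parse_openssl(text):
    """Read 'serial=<hex>', 'issuer=<DN>' and 'subject=<DN>' lines from openssl."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return {"serial": int(fields["serial"], 16),
            "issuer": fields["issuer"], "subject": fields["subject"]}


def normalize_dn(dn):
    """Reduce a DN to a set of (type, value) RDNs so that the LDAP rendering
    ('CN=IPA RA,O=X') and openssl's ('O = X, CN = IPA RA') compare equal.
    Escaped commas inside values are not handled (none occur here)."""
    rdns = re.split(r"\s*,\s*", dn.strip())
    return frozenset((t.strip().lower(), v.strip())
                     for t, _, v in (r.partition("=") for r in rdns))


def check_ra_agent(description, openssl_text):
    """Return the list of mismatches; an empty list means the PEM on disk is the
    certificate the ipara entry describes (serial, issuer and subject)."""
    want = parse_description(description)
    have = parse_openssl(openssl_text)
    problems = []
    if want["serial"] != have["serial"]:
        problems.append("serial: LDAP %d vs cert %d" % (want["serial"], have["serial"]))
    for field in ("issuer", "subject"):
        if normalize_dn(want[field]) != normalize_dn(have[field]):
            problems.append("%s: LDAP %r vs cert %r" % (field, want[field], have[field]))
    return problems


if __name__ == "__main__":
    mismatches = check_ra_agent(LDAP_DESCRIPTION, OPENSSL_OUTPUT)
    print("match" if not mismatches else "\n".join(mismatches))
```

Because both inputs are parameters, the same check can be run against each master's ra-agent.pem in a multi-master setup, where all CA masters must hold the same RA agent certificate.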
replica fails - Dogtag CA is not installed
by lejeczek
Hi guys.
I'm trying to add a replica but the process bellies up early with:
-> $ ipa-replica-install --setup-dns --setup-kra --no-forwarders
Lookup failed: Preferred host c8kubermaster1.private.lot
does not provide DNS.
Reverse DNS resolution of address 10.3.1.222
(c8kubermaster2.private.lot) failed. Clients may not
function properly. Please check your DNS setup. (Note that
this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Dogtag CA is not installed. Please install the CA first
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
..
First errors in log I spot:
...
2021-10-27T23:27:06Z DEBUG Starting external process
2021-10-27T23:27:06Z DEBUG args=['pki-server',
'subsystem-show', 'kra']
2021-10-27T23:27:06Z DEBUG Process finished, return code=1
2021-10-27T23:27:06Z DEBUG stdout=
What is the culprit here?
many thanks, L
1 year, 11 months
pam_sss account Access denied (permission denied)
by Mark Johnson
I've been struggling with this all day and I'm getting nowhere. We're wanting to migrate from a 389-DS authenticated network to FreeIPA. We have a few Linux servers scattered around the world that authenticate against our current 389 directory and we're wanting to do this with minimal changes to these servers. The thought process is to perform LDAP auth against FreeIPA and filter access permissions by way of an LDAP access filter based on group membership as we are currently doing with 389, so we just need to make config changes to sssd to point to the new servers (and install the required certificate to do so).
FreeIPA servers are already setup and replicating. Set up a couple of test groups and a handful of test user accounts. I can successfully authenticate these users, but I get a permission denied seemingly at the access filter stage.
Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.66.67.69 user=markj
Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:account): Access denied for user markj: 6 (Permission denied)
Same result for a console login. To test this, I changed the access_provider to 'permit' and I can successfully log in to the server. So, it's as if I'm having issues with my access filter, but everything I've tried is giving me the same result. I've used these same filters in ldapsearch tests and they seem to work fine. For instance, I've created a group called "serveradmins" and placed a couple of users in that group. My sssd.conf ldap_access_filter looks like this:
access_provider = ldap
ldap_access_filter = memberOf=cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
But that just isn't working. However, if I issue the following, I can see the group members:
$ ldapsearch -x -W -LLL -H ldap://ussv4p6004.ipa.domain.com -b cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com -D "uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com"
Enter LDAP Password:
dn: cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
member: uid=mark,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com
member: uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com
cn: serveradmins
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
ipaUniqueID: 2e489422-36c2-11ec-a8a8-52540031af07
I've tried different groups including the default 'ipausers' group which everyone is a member of but I'm getting nowhere.
For the record, here's a snippet from the server audit.log when I fail to login. Not sure if that "PAM:accounting grantors=?" bit where the USER_ACCT fails is indicative of the problem or not but if so, I'm not sure what that means and how to resolve it. However, the same server works on the old 389 directory using LDAP auth - just have no idea what I'm missing.
type=USER_AUTH msg=audit(1635321247.300:1039): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1635321252.664:1040): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=success'
type=USER_ACCT msg=audit(1635321252.855:1041): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1635321252.856:1042): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed'
1 year, 11 months
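The access-phase denial can be reproduced offline by evaluating the filter the way sssd does. The example below is added here and is not code from the post; the two user entries are constructed from the values in the post, and the description of sssd's lookup (user filter ANDed with the access filter, searched against the user's own entry) is mine.

```python
"""Evaluate an sssd ldap_access_filter the way the LDAP access provider does.

Added example; not code from the original post. With access_provider = ldap and
the default ldap_access_order = filter, sssd searches the user's own entry with
the configured filter ANDed to its user lookup filter; the account phase passes
only if that search returns the entry. Entries below are constructed from the
post: the same user once with memberOf populated and once without it, which is
what sssd sees if its bind identity is not allowed to read that attribute.
Only the filter syntax such access filters need is implemented:
(attr=value), (attr=*), (&...), (|...), (!...).
"""

GROUP_DN = "cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com"
ACCESS_FILTER = "memberOf=" + GROUP_DN   # exactly as written in the post's sssd.conf

# Constructed: the entry as the directory holds it ...
USER_WITH_MEMBEROF = {
    "uid": ["markj"],
    "objectClass": ["top", "person", "posixaccount", "inetorgperson"],
    "memberOf": [GROUP_DN,
                 "cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com"],
}
# ... and as returned when memberOf is not readable by sssd's bind identity.
USER_WITHOUT_MEMBEROF = {
    "uid": ["markj"],
    "objectClass": ["top", "person", "posixaccount", "inetorgperson"],
}


def _parse(s, i):
    """Recursive-descent parse of the filter starting at s[i]; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %r list in %r" % (op, s))
        return (op, kids), i + 1
    j = s.index(")", i)                      # DN values never contain ')'
    attr, _, value = s[i:j].partition("=")   # first '=' only: the value may be a DN
    return ("=", attr.strip(), value.strip()), j + 1


def parse_filter(text):
    """Parse an LDAP filter; a bare 'attr=value' (as sssd allows) is wrapped first."""
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter: %r" % text[end:])
    return node


def matches(node, entry):
    """Evaluate a parsed filter; attribute names and DN values compare case-insensitively."""
    if node[0] == "=":
        _, attr, value = node
        values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
        if value == "*":
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)


def sssd_access_decision(access_filter, user_entry, user_name):
    """Mirror sssd's account check: the user lookup filter (default
    ldap_user_object_class = posixAccount) ANDed with the access filter.
    Returns True for permit, False for deny."""
    f = access_filter.strip()
    if not f.startswith("("):
        f = "(" + f + ")"
    combined = "(&(uid=%s)(objectClass=posixAccount)%s)" % (user_name, f)
    return matches(parse_filter(combined), user_entry)


if __name__ == "__main__":
    for label, entry in (("with memberOf", USER_WITH_MEMBEROF),
                         ("without memberOf", USER_WITHOUT_MEMBEROF)):
        verdict = sssd_access_decision(ACCESS_FILTER, entry, "markj")
        print("%-17s -> %s" % (label, "permit" if verdict else "deny"))
```

To see which of the two cases a real host is in, repeat the post's ldapsearch against the user's own DN with the bind sssd actually uses (anonymous unless ldap_default_bind_dn is set) and check whether memberOf is returned at all.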
Group not in compat subtree
by Cyrus
Good morning,
I've seen some of the groups present in the compat subgroup, but not
all of them. Can anybody provide a hint of what's needed for a group
to be present in that subtree?
All of them are internal FreeIPA groups.
Regards,
CI.-
1 year, 11 months
Re: Recommendations for completely new IPA and AD
by Yehuda Katz
Not worried about Windows 10 Home. All the machines have Pro. I also have
no issues running real Windows Server domain controllers.
I do want to be able to use policy features in IPA like HBAC, sudo rules,
etc. Will a trust without synced local users cause any issues with that?
- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.
On Fri, Oct 22, 2021, 12:42 AM Jonathan Aquilina <jaquilina(a)eagleeyet.net>
wrote:
> Hi Guys,
>
> Long time lurker. I can confirm in order to join an AD domain you need at
> least win 10 Pro
>
> The below using Samba isn’t a bad idea in all fairness. The question
> becomes though how would you join an windows 10 home machine to the samba
> AD controller?
>
> Regards,
> Jonathan
>
> -----Original Message-----
> From: Alexander Bokovoy via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org>
> Sent: 22 October 2021 06:32
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Yehuda Katz <yehuda(a)ymkatz.net>; Alexander Bokovoy <
> abokovoy(a)redhat.com>
> Subject: [Freeipa-users] Re: Recommendations for completely new IPA and AD
>
> On to, 21 loka 2021, Yehuda Katz via FreeIPA-users wrote:
> >I was asked to set up a completely new network for a non-profit. They
> >have a mix of Windows and Linux (mostly Ubuntu) machines. Until now I
> >have only used FreeIPA (or RedHat IDM) in a standalone configuration.
> >Is there any kind of best practices documentation for this situation? A
> >discussion of a sync vs. trust approach? Any known gotchas?
>
> Things to consider:
> - Windows machines cannot be enrolled into FreeIPA, they have to be
> enrolled into Active Directory
>
> - If users are all on Active Directory side, they can login to
> FreeIPA-enrolled machines through trust to Active Directory
>
> - While winsync plugin allows to synchronize users from Active
> Directory side to FreeIPA (they become FreeIPA users), this is of
> limited functionality and in general not going to live well in future
> as we consider deprecating this approach
>
> It used to be that non-Pro versions of Windows weren't possible to join to
> Active Directory. I'd rather check what is in use before planning it.
>
> For a non-profit it is probably worth considering deploying Samba AD as
> your Active Directory configuration.
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
1 year, 11 months
Recommendations for completely new IPA and AD
by Yehuda Katz
I was asked to set up a completely new network for a non-profit. They have
a mix of Windows and Linux (mostly Ubuntu) machines. Until now I have only
used FreeIPA (or RedHat IDM) in a standalone configuration. Is there any
kind of best practices documentation for this situation? A discussion of a
sync vs. trust approach? Any known gotchas?
Thank you,
- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.
1 year, 11 months
Account synchronization from AD to FreeIPA
by Zdenek Sobotka
Hello,
I would need advice on setting up account synchronization between a Windows 10
testing instance with AD and FREEIPA.
I successfully imported CA certificates for trust between AD and FREEIPA,
ran ldapsearch, which I can use to read information from Windows AD.
Now I want to synchronize data accounts from AD to FREEIPA, using
"ipa-replica-manage connect --winsync".
In debug mode, I see that the synchronization is established, and also
there is an attempt with data replication.
Finally, at the end it is written that the replica update "passed
successfully", but no AD data was added when I looked into FREEIPA.
Here is the log:
```
[root@freeipa ~]# ipa-replica-manage connect -d --verbose --winsync
--no-lookup --binddn="cn=Administrator,cn=Users,dc=ngov,dc=local"
--bindpw="H3sl0123456." --cacert=/etc/ipa/ca.crt --passsync="TESTTEST111"
WIN-7G3BH6KDDHU.ngov.local
Directory Manager password:
ipa: DEBUG: Created connection context.ldap2_140493289808392
ipa: DEBUG: Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipa: DEBUG: Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'stop', 'dirsrv(a)TEST-LOCAL.service']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Stop of dirsrv(a)TEST-LOCAL.service complete
ipa: DEBUG: Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=Certificate
Authority,O=TEST.LOCAL', '-t', 'C,,', '-a', '-f',
'/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n',
'CN=WIN-7G3BH6KDDHU.ngov.local', '-t', 'C,,', '-a', '-f',
'/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n',
'CN=ngov-WIN-7G3BH6KDDHU-CA,DC=ngov,DC=local', '-t', 'C,,', '-a', '-f',
'/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'start', 'dirsrv(a)TEST-LOCAL.service']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'is-active', 'dirsrv(a)TEST-LOCAL.service
']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
ipa: DEBUG: waiting for port: 389
ipa: DEBUG: SUCCESS: port: 389
ipa: DEBUG: Start of dirsrv(a)TEST-LOCAL.service complete
ipa: DEBUG: Created connection context.ldap2_140493289808392
Added CA certificate /etc/ipa/ca.crt to certificate database for
freeipa.TEST.local
ipa: INFO: AD Suffix is: DC=ngov,DC=local
ipa: DEBUG: retrieving schema for SchemaCache
url=ldaps://freeipa.TEST.local:636 conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7fc7249c2c88>
ipa: DEBUG: Add or update replica config
cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config
ipa: DEBUG: No update to cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping
tree,cn=config necessary
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local
Windows PassSync system account exists, not resetting password
ipa: DEBUG: Plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' already
'uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local' in passSyncManagersDNs
ipa: DEBUG: Waiting up to 300 seconds for replication
(ldaps://freeipa.TEST.local:636)
cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping
tree,cn=config (objectclass=*)
ipa: DEBUG: Entry found
[LDAPEntry(ipapython.dn.DN('cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping
tree,cn=config'), {'objectClass': [b'nsDSWindowsReplicationAgreement',
b'top'], 'cn': [b'meToWIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaHost':
[b'WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaPort': [b'389'],
'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=TEST,dc=local'],
'description': [b'me to WIN-7G3BH6KDDHU.ngov.local'],
'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof
idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth
krbloginfailedcount'], 'nsDS5ReplicaBindDN':
[b'cn=Administrator,cn=Users,dc=ngov,dc=local'],
'nsDS5ReplicaTransportInfo': [b'TLS'], 'nsDS5ReplicaBindMethod':
[b'simple'], 'nsds7WindowsReplicaSubtree': [b'cn=Users,DC=ngov,DC=local'],
'nsds7DirectoryReplicaSubtree': [b'cn=users,cn=accounts,dc=TEST,dc=local'],
'nsds7NewWinUserSyncEnabled': [b'true'], 'nsds7NewWinGroupSyncEnabled':
[b'false'], 'nsds7WindowsDomain': [b'TEST.local'],
'nsDS5ReplicaCredentials':
[b'{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTVaRGxoTVRJNFpDMHhOVGt6TTJZNQ0KTmkwNU9HTTBNR0ZtTXkxaE56TTJaakUwTWdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJXVlFqdEZEY3k1RjFYTEMwT1V2TA==}gjvpjBG5R/xt7jkO7XzRPg=='],
'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart':
[b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
'nsds5replicaChangesSentSinceStartup': [b''],
'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions
started since server startup'], 'nsds5replicaLastUpdateStatusJSON':
[b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc":
"0", "repl_rc_text": "replica acquired", "date": "2021-10-20T10:36:28Z",
"message": "Error (0) No replication sessions started since server
startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'],
'nsds5replicaLastInitStart': [b'19700101000000Z'],
'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica
acquired successfully: Incremental update started: start: 20211020103628:
end: 20211020103628
ipa: INFO: Agreement is ready, starting replication . . .
ipa: WARNING: This configuration ("--winsync") may imply that the log file
contains clear text passwords.
Please ensure that these files can be accessed only by trusted accounts.
Log files are under /var/lib/dirsrv/slapd-TEST-LOCAL/cldb
Starting replication, please wait until this has completed.
Update succeeded
Connected 'freeipa.TEST.local' to 'WIN-7G3BH6KDDHU.ngov.local'
ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
[root@freeipa ~]#
```
I will be happy for any helpful advice. Thanks.
--
--------------------------------------------------------------------------------------------------
email: zden2k.sobotka(a)gmail.com
1 year, 11 months
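The `LDAPEntry(...)` dump in the log is the sync agreement itself, and its attributes say what the agreement will and will not pull from AD. The script below decodes it; it is an added example, not code from the post or from FreeIPA, and `AGREEMENT` is constructed from the attributes shown in the log with the credentials attribute left out.

```python
"""Decode a 389-DS winsync agreement entry like the one ipa-replica-manage dumped.

Added example; not code from the original post. AGREEMENT is constructed from
the LDAPEntry(...) in the log, with the credentials attribute left out; values
are bytes, as python-ldap returns them. The summary pulls out what the
agreement will sync (subtrees, user/group flags) and whether a session has run.
"""
import json
from datetime import datetime, timezone

EPOCH = "19700101000000Z"   # 389-DS reports the Unix epoch until a session has run

AGREEMENT = {
    "cn": [b"meToWIN-7G3BH6KDDHU.ngov.local"],
    "nsDS5ReplicaHost": [b"WIN-7G3BH6KDDHU.ngov.local"],
    "nsDS5ReplicaPort": [b"389"],
    "nsDS5ReplicaTransportInfo": [b"TLS"],
    "nsDS5ReplicaBindDN": [b"cn=Administrator,cn=Users,dc=ngov,dc=local"],
    "nsds7WindowsReplicaSubtree": [b"cn=Users,DC=ngov,DC=local"],
    "nsds7DirectoryReplicaSubtree": [b"cn=users,cn=accounts,dc=TEST,dc=local"],
    "nsds7NewWinUserSyncEnabled": [b"true"],
    "nsds7NewWinGroupSyncEnabled": [b"false"],
    "nsds7WindowsDomain": [b"TEST.local"],
    "nsds5replicaLastUpdateStart": [b"19700101000000Z"],
    "nsds5replicaLastUpdateEnd": [b"19700101000000Z"],
    "nsds5replicaLastUpdateStatus": [b"Error (0) No replication sessions started since server startup"],
    "nsds5replicaLastUpdateStatusJSON": [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2021-10-20T10:36:28Z", "message": "Error (0) No replication sessions started since server startup"}'],
    "nsds5replicaUpdateInProgress": [b"FALSE"],
}


def attr(entry, name, default=None):
    """Case-insensitive single-value lookup, decoded to str."""
    for key, values in entry.items():
        if key.lower() == name.lower() and values:
            return values[0].decode()
    return default


def parse_gentime(value):
    """LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> aware datetime; None for the epoch marker."""
    if value is None or value == EPOCH:
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def summarize(entry):
    """Pick the fields that matter for 'nothing from AD shows up in IPA'."""
    status = json.loads(attr(entry, "nsds5replicaLastUpdateStatusJSON", "{}"))
    flag = lambda name: attr(entry, name, "false").lower() == "true"
    return {
        "peer": "%s:%s over %s" % (attr(entry, "nsDS5ReplicaHost"),
                                   attr(entry, "nsDS5ReplicaPort"),
                                   attr(entry, "nsDS5ReplicaTransportInfo")),
        "ad_subtree": attr(entry, "nsds7WindowsReplicaSubtree"),
        "ipa_subtree": attr(entry, "nsds7DirectoryReplicaSubtree"),
        "creates_new_users": flag("nsds7NewWinUserSyncEnabled"),
        "creates_new_groups": flag("nsds7NewWinGroupSyncEnabled"),
        "last_update_start": parse_gentime(attr(entry, "nsds5replicaLastUpdateStart")),
        "last_update_end": parse_gentime(attr(entry, "nsds5replicaLastUpdateEnd")),
        "in_progress": attr(entry, "nsds5replicaUpdateInProgress", "FALSE").upper() == "TRUE",
        "ldap_rc": int(status.get("ldap_rc", -1)),
        "repl_rc": int(status.get("repl_rc", -1)),
        "message": status.get("message") or attr(entry, "nsds5replicaLastUpdateStatus", ""),
    }


def findings(summary):
    """Plain-language observations drawn from the summary."""
    out = []
    if summary["last_update_start"] is None:
        out.append("no sync session has run yet; nothing can have been pulled from AD")
    if not summary["creates_new_users"]:
        out.append("new AD users will not be created in IPA (nsds7NewWinUserSyncEnabled is false)")
    if not summary["creates_new_groups"]:
        out.append("new AD groups will not be created in IPA (nsds7NewWinGroupSyncEnabled is false)")
    if summary["ldap_rc"] != 0 or summary["repl_rc"] != 0:
        out.append("last session failed: ldap_rc=%d repl_rc=%d: %s"
                   % (summary["ldap_rc"], summary["repl_rc"], summary["message"]))
    out.append("only AD entries under %s are considered; accounts in other OUs are ignored"
               % summary["ad_subtree"])
    return out


if __name__ == "__main__":
    for line in findings(summarize(AGREEMENT)):
        print("-", line)
```

The dump in the log was taken before the first session ran; re-reading the same agreement entry after "Update succeeded" and feeding it to `summarize` shows whether the start/end timestamps moved and what the status JSON reports for that session.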
Can't add replica CA_UNREACHABLE Permission denied
by Евгений Жиряков
Hello.
I can't add a replica to an existing master server.
FreeIPA version is 4.9.2 on CentOS 8 in Docker.
From replica side it looks like this:
freeipa-replica_1 | Configuring directory server (dirsrv)
freeipa-replica_1 | [1/3]: configuring TLS for DS instance
freeipa-replica_1 | [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa1.srv.DOMAIN.com/ipa/json failed request, will retry: 907 (cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied).)
freeipa-replica_1 | Your system may be partly configured.
freeipa-replica_1 | Run /usr/sbin/ipa-server-install --uninstall to clean up.
freeipa-replica_1 |
freeipa-replica_1 | FreeIPA server configuration failed.
Also, I notice the same error when running command ipa cert-show on master:
ipa cert-show 1
ipa: ERROR: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/certs/1': [Errno 13] Permission denied
And the third place is the web interface, Authentication --> Certificate Authorities.
Here are logs from /var/log/httpd/error_log with debug enabled in /etc/ipa/server.conf:
[Wed Oct 20 19:50:40.730514 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: cert_request('<CSR base64 elided>', profile_id='caIPAserviceCert', principal='ldap/ipa2.srv.DOMAIN.com(a)SRV.DOMAIN.COM', add=True, version='2.240')
[Wed Oct 20 19:50:40.731430 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest object at 0x7f23fdcbb278>, request_type='pkcs10', profile_id='caIPAserviceCert', cacn='ipa', principal=ipapython.kerberos.Principal('ldap/ipa2.srv.DOMAIN.com(a)SRV.DOMAIN.COM'), add=True, chain=False, all=False, raw=False, version='2.240')
[Wed Oct 20 19:50:40.731670 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.731745 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.736607 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_show('ipa', chain=False, all=False, version='2.240')
[Wed Oct 20 19:50:40.736869 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.240')
[Wed Oct 20 19:50:40.737119 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.737256 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.743096 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request GET https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login
[Wed Oct 20 19:50:40.743235 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request body ''
[Wed Oct 20 19:50:40.745172 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: httplib request failed:
[Wed Oct 20 19:50:40.745202 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last):
[Wed Oct 20 19:50:40.745208 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
[Wed Oct 20 19:50:40.745213 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] conn = connection_factory(host, port, **connection_options)
[Wed Oct 20 19:50:40.745218 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
[Wed Oct 20 19:50:40.745223 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] tls_version_max=api.env.tls_version_max)
[Wed Oct 20 19:50:40.745228 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
[Wed Oct 20 19:50:40.745233 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
[Wed Oct 20 19:50:40.745239 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied
[Wed Oct 20 19:50:40.745247 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747246 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Oct 20 19:50:40.747275 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
[Wed Oct 20 19:50:40.747282 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] conn = connection_factory(host, port, **connection_options)
[Wed Oct 20 19:50:40.747287 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
[Wed Oct 20 19:50:40.747292 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] tls_version_max=api.env.tls_version_max)
[Wed Oct 20 19:50:40.747296 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
[Wed Oct 20 19:50:40.747301 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
[Wed Oct 20 19:50:40.747306 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied
[Wed Oct 20 19:50:40.747311 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747316 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] During handling of the above exception, another exception occurred:
[Wed Oct 20 19:50:40.747325 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747329 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last):
[Wed Oct 20 19:50:40.747334 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 397, in wsgi_execute
[Wed Oct 20 19:50:40.747339 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] result = command(*args, **options)
[Wed Oct 20 19:50:40.747343 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 20 19:50:40.747348 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.__do_call(*args, **options)
[Wed Oct 20 19:50:40.747353 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 20 19:50:40.747358 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ret = self.run(*args, **options)
[Wed Oct 20 19:50:40.747363 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Oct 20 19:50:40.747368 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.execute(*args, **options)
[Wed Oct 20 19:50:40.747373 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 657, in execute
[Wed Oct 20 19:50:40.747377 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ca_obj = api.Command.ca_show(ca, all=all, chain=chain)['result']
[Wed Oct 20 19:50:40.747383 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 20 19:50:40.747394 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.__do_call(*args, **options)
[Wed Oct 20 19:50:40.747399 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 20 19:50:40.747403 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ret = self.run(*args, **options)
[Wed Oct 20 19:50:40.747408 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Oct 20 19:50:40.747413 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.execute(*args, **options)
[Wed Oct 20 19:50:40.747418 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in execute
[Wed Oct 20 19:50:40.747423 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] msg = set_certificate_attrs(result['result'], options)
[Wed Oct 20 19:50:40.747428 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs
[Wed Oct 20 19:50:40.747434 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] with api.Backend.ra_lightweight_ca as ca_api:
[Wed Oct 20 19:50:40.747439 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__
[Wed Oct 20 19:50:40.747445 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] method='GET'
[Wed Oct 20 19:50:40.747450 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request
[Wed Oct 20 19:50:40.747455 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] method=method, headers=headers)
[Wed Oct 20 19:50:40.747460 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
[Wed Oct 20 19:50:40.747465 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] raise NetworkError(uri=uri, error=str(e))
[Wed Oct 20 19:50:40.747470 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipalib.errors.NetworkError: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied
Please help, I spent two days on it already.
1 year, 11 months
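The traceback above ends in ipalib's create_https_connection() calling ctx.load_cert_chain() on the RA agent client certificate and key and getting EACCES, so the first thing to check is whether the service user running the WSGI process can read those two files. The script below is an added diagnostic, not FreeIPA code; the /var/lib/ipa paths are assumed defaults, and the check must be run as the same user the failing process runs as (for example via sudo -u) for the readability result to mean anything.

```python
"""Diagnose why ipalib's create_https_connection() cannot load the RA agent
client certificate: report ownership/mode of the files and mirror the
ssl.SSLContext.load_cert_chain() call from the traceback.
Added example, not FreeIPA's own code; file paths are assumed defaults."""
import grp
import os
import pwd
import ssl
import stat

# Assumed default locations of the RA agent credentials on a FreeIPA server.
RA_CERT = "/var/lib/ipa/ra-agent.pem"
RA_KEY = "/var/lib/ipa/ra-agent.key"


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number (e.g. in containers)."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def describe_file(path):
    """Return existence, mode, owner, group and readability for one credential file."""
    info = {"path": path, "exists": os.path.exists(path)}
    if not info["exists"]:
        return info
    st = os.stat(path)
    info["mode"] = oct(stat.S_IMODE(st.st_mode))
    info["owner"] = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    info["group"] = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    # os.access() answers for the uid/gid of *this* process, hence run as the
    # service user; a root shell would report readable=True for anything.
    info["readable"] = os.access(path, os.R_OK)
    return info


def try_load_cert_chain(certfile, keyfile):
    """Mirror ipalib's ctx.load_cert_chain(); return the exception class name or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except Exception as e:  # PermissionError, FileNotFoundError, ssl.SSLError, ...
        return type(e).__name__
    return None


def diagnose(certfile=RA_CERT, keyfile=RA_KEY):
    """Collect both file reports plus the outcome of loading the chain."""
    return {"cert": describe_file(certfile), "key": describe_file(keyfile),
            "load_error": try_load_cert_chain(certfile, keyfile)}


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(), indent=2))
```

A load_error of PermissionError with readable=False points at ownership or mode on the files (or a container volume mount), while SSLError with readable=True means the files are reachable but not a valid PEM pair.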
Problems after replacing SSL certificates
by Andreas Bulling
Dear all,
I have recently started using FreeIPA (4.8.1 on Ubuntu) and now wanted to replace the original SSL certificates for the web UI and the LDAP server with official ones issued by our university.
I've followed the procedure described here (no errors):
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I could confirm in the browser that the certificate for the web UI has been replaced and I therefore assume so has the LDAP certificate. Authentication from other hosts/services using LDAP still works but in the server log file I see errors like these for all hosts in the domain:
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: NEEDED_PREAUTH: host/X@X for krbtgt/X@X, Additional pre-authentication required
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for krbtgt/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for ldap/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Also, ipa-certupdate on the respective clients shows
ipa-certupdate
trying https://X/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://X/ipa/json'
cannot connect to 'https://X/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
The ipa-certupdate command failed.
Also, I can't log in to the web UI anymore. I tried
ipa-getkeytab -s X -p HTTP/X@X -k /var/lib/ipa/gssproxy/http.keytab
on the freeipa server (followed by ipactl restart) but this didn't help.
Any idea/suggestions for how to get everything working again?
Thanks a lot!
1 year, 11 months