expired Server-cert
by Serge Krawczenko
Greetings,all
I've been observing multiple issues for some time, unable to enroll new
clients etc.
Finally I found out that the possible root cause is the expired 'Server-Cert
cert-pki-ca' certificate, and therefore the pki-tomcat service won't start.
Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/
Request ID '20171204131518':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=....
subject: CN=....
expires: 2022-04-25 17:06:51 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
Other certs in /etc/pki/pki-tomcat/alias/ seem to be OK except this one.
I'd like to understand how to perform the forced update for this one; I
assume it must be renewed automatically, though.
I tried to invoke post-save command manually but no luck.
Appreciate any ideas
1 hour, 34 minutes
IdM with trust relationship with Samba AD DC - User accounts with passwords expired
by Mateo Duffour
Hi,
We currently have an IdM installation with a trust relationship with a Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user accounts on IdM.
We are having a problem with Samba user accounts whose passwords have expired.
When we try to log in on an Ubuntu IdM client with one of those accounts, it fails and asks for the password again.
The behaviour we are expecting is that Ubuntu should ask for a password change.
Thanks, best regards.
Lic. Mateo Duffour
IT Unit
2901.40.91
[ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,... | 18 de julio 985 - Piso 3, Montevideo, Uruguay ]
[ http://www.fnr.gub.uy/ | ]
Please do not print this unless necessary. Let's protect the environment. This message and the information attached to it are addressed exclusively to their recipient. They may contain confidential, privileged or restricted-use information protected by the applicable rules. If you received this e-mail by mistake, please notify the sender and delete the original. Any other use of this e-mail by you is prohibited.
3 hours, 21 minutes
Unable to Login using LDAP User
by Damola Azeez
I've installed FreeIPA on all the hosts I manage and everything had been fine until today, when I had to reboot all the hosts. Every other host worked except one. Checking the log file of the server, I saw the error below:
"[sssd[ldap_child[44316]]]: Client 'host/xxx@XXX' not found in Kerberos database"
I've tried uninstalling the IPA client and reinstalling it, but I still have the same issue.
Host: Oracle Linux 6.9
IPA server: IPA, version: 4.9.6
4 hours, 26 minutes
SSSD login stopped working on Ubuntu 22.04
by Joyce Babu
I have a FreeIPA installation with many Pop!_OS 21.10 clients. Today I upgraded one of the clients to Pop!_OS 22.04, and I can no longer authenticate with FreeIPA on the upgraded client.
In krb5kdc.log file on the server, I can see the error 'verify failure: Incorrect password in encrypted challenge'
=======
May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.14: NEEDED_PREAUTH: joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM, Additional pre-authentication required
May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): closing down fd 12
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.14: PREAUTH_FAILED: joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM, Preauthentication failed
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): closing down fd 12
=======
If I try the same username/password on a Pop!_OS 21.10 client, I can login successfully and I see the following log message. I tried multiple times with multiple users, and had the same result.
=======
May 17 14:05:51 ipa.myhost.com krb5kdc[299](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: NEEDED_PREAUTH: joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM, Additional pre-authentication required
May 17 14:05:51 ipa.myhost.com krb5kdc[299](info): closing down fd 12
May 17 14:05:51 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: ISSUE: authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM
May 17 14:05:51 ipa.myhost.com krb5kdc[301](info): closing down fd 12
May 17 14:05:51 ipa.myhost.com krb5kdc[300](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: ISSUE: authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, joyce@MYHOST.COM for host/ws024.office-mng.myhost.net@MYHOST.COM
May 17 14:05:51 ipa.myhost.com krb5kdc[300](info): closing down fd 12
=======
What changed in Ubuntu 22.04? Could this be due to an incompatible encryption type?
4 hours, 31 minutes
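To read the pattern in the krb5kdc.log excerpt above at volume (which client address is failing preauthentication for which principal, which preauth mechanism rejected it, and which enctypes each client advertised), here is an added example in Python; it is not code from the post or from MIT Kerberos/FreeIPA. SAMPLE_LOG is constructed to match the excerpt (same placeholder host, realm and addresses), and the "verify failure" line is tied to the following PREAUTH_FAILED entry only by adjacency, exactly as in the KDC's own log.

```python
"""Triage krb5kdc AS_REQ log lines: preauth failures per client, and legacy enctypes offered.

Added example. SAMPLE_LOG is constructed to match the krb5kdc.log excerpt in the post;
it is not real data, and the hostnames/addresses are the post's placeholders.
"""
import re
from collections import Counter, defaultdict

# The etype list every client in the excerpt advertised, reused to build the sample lines.
ETYPES = ("aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
          "aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), "
          "UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), "
          "camellia128-cts-cmac(25), camellia256-cts-cmac(26)")

SAMPLE_LOG = f"""\
May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes {{{ETYPES}}}) 192.168.10.14: NEEDED_PREAUTH: joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM, Additional pre-authentication required
May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): closing down fd 12
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): AS_REQ (8 etypes {{{ETYPES}}}) 192.168.10.14: PREAUTH_FAILED: joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM, Preauthentication failed
May 17 14:05:51 ipa.myhost.com krb5kdc[299](info): AS_REQ (8 etypes {{{ETYPES}}}) 192.168.10.24: NEEDED_PREAUTH: joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM, Additional pre-authentication required
May 17 14:05:51 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes {{{ETYPES}}}) 192.168.10.24: ISSUE: authtime 1652796351, etypes {{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}}, joyce@MYHOST.COM for krbtgt/MYHOST.COM@MYHOST.COM
"""

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>\S+): (?P<result>[A-Z_]+): (?P<rest>.*)$")
# "<client principal> for <server principal>" ends every AS_REQ line, whatever the result.
PRINCIPAL_RE = re.compile(r"(?P<princ>\S+@\S+) for (?P<server>\S+?)(?:,|$)")
VERIFY_RE = re.compile(r"preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)$")

LEGACY_PREFIXES = ("UNSUPPORTED:", "DEPRECATED:")   # how the KDC itself tags weak etypes


def analyze(log_text):
    """Return preauth failures per (client, principal), issued tickets, legacy etypes and verify reasons."""
    preauth_failed = Counter()      # (client address, principal) -> PREAUTH_FAILED count
    issued = Counter()              # principal -> AS_REQ ISSUE count
    legacy = defaultdict(set)       # client address -> legacy etypes it advertised
    verify_failures = []            # "<mechanism>: <reason>", logged just before PREAUTH_FAILED
    for line in log_text.splitlines():
        verify = VERIFY_RE.search(line)
        if verify:
            verify_failures.append(f"{verify['mech']}: {verify['reason']}")
            continue
        m = AS_REQ_RE.search(line)
        if not m:
            continue                # "closing down fd", TGS_REQ, etc.
        for etype in m["etypes"].split(", "):
            if etype.startswith(LEGACY_PREFIXES):
                legacy[m["client"]].add(etype)
        p = PRINCIPAL_RE.search(m["rest"])
        principal = p["princ"] if p else "?"
        if m["result"] == "PREAUTH_FAILED":
            preauth_failed[(m["client"], principal)] += 1
        elif m["result"] == "ISSUE":
            issued[principal] += 1
    return {"preauth_failed": preauth_failed, "issued": issued,
            "legacy_etypes": {c: sorted(s) for c, s in legacy.items()},
            "verify_failures": verify_failures}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for (client, principal), n in report["preauth_failed"].most_common():
        print(f"PREAUTH_FAILED x{n}: {principal} from {client}")
    for reason in report["verify_failures"]:
        print(f"  verify failure: {reason}")
    for client, etypes in report["legacy_etypes"].items():
        print(f"{client} advertised legacy enctypes: {', '.join(etypes)}")
    for principal, n in report["issued"].items():
        print(f"issued x{n}: {principal}")
```

Both clients in the excerpt advertise the identical enctype list (including the ones the KDC tags UNSUPPORTED and DEPRECATED), and the rejection is reported by the encrypted_challenge preauth mechanism, so the script deliberately keeps "what the client offered" separate from "which preauth step failed" rather than folding them into one verdict. The per-(client, principal) PREAUTH_FAILED counter is also the view you want for alerting on bursts of failed preauthentication from a single address.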
RHEL 8.6 and sub ids
by Omar Aloraini
From what I read, with the release of RHEL 8.6, I can use Podman with sub
ids managed by FreeIPA.
I managed to generate sub uids and gids for all users. But, I'm unable to
launch containers in rootless mode due to insufficient uids and/or gids.
Perhaps there is something missing with PAM or SSSD?
Thanks,
8 hours, 12 minutes
Allowing a user to manage a service's certificates
by Sam Morris
I'm looking into using <https://github.com/guilhem/freeipa-issuer> to
request certificates from FreeIPA on behalf of a (FreeIPA) service.
The project authenticates to the FreeIPA API with a specified username
and password:
<https://github.com/guilhem/freeipa-issuer/blob/174d145616a672b09d3fdb56b2...>
I presume this means that it's only possible for it to authenticate to
the FreeIPA API as a user, as opposed to a host or service.
That being the case, I am trying to lock things down as much as
possible, so that the user is only able to request certificates for a
single service.
I've had a read through Fraser's excellent blog post
<https://frasertweedale.github.io/blog-redhat/posts/2015-09-02-freeipa-cer...>
which points me towards creating a CA ACL, which I've done.
The CA ACL links together the user, the service and for good measure I
specified the CA and the profile too. But it's not sufficient to allow a
certificate request to work, as when the issuer tries to ask for the
certificate:
Fail to request certificate: ACIError (2100): Insufficient access:
not allowed to perform operations: request certificate
Returning to the blog post, I gather I additionally need to grant the
following two permissions to the user:
* 'Request Certificate'
* 'System: Modify Services'
What I'd like to understand is the scope of these permissions.
Does 'Request certificate' merely unlock the ability to make requests
that are themselves constrained by CA ACLs? That being the case, this
permission alone doesn't let the user request certificates for any other
hosts or services, right?
As for 'System: Modify Services': I guess granting this permission will
allow the user to add certificates to *any* service? In which case, I
suppose I need to create a new privilege that allows the usercertificate
of a particular entry only to be modified. Are there any examples of
this?
Many thanks as always.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1 day, 8 hours
Freeipa Samba problem: ticket is likely out of date
by fujisan
I'm having trouble accessing a samba share from windows.
In the log file, it says "ticket is likely out of date", it is looking for
kvno 3 and the output of kvno is 4.
How can I update the ticket?
Thanks
Fuji
Server log:
[2022/05/13 12:05:35.353907, 1, pid=252383] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/myserver.mydomain.local@MYDOMAIN.LOCAL kvno 3 not found in keytab; ticket is likely out of date]
# kvno cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
cifs/myserver.mydomain.local@MYDOMAIN.LOCAL: kvno = 4
# net conf list
[global]
create krb5 conf = no
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN..LOCAL
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
server role = IPA PRIMARY DOMAIN CONTROLLER
security = user
domain master = yes
domain logons = yes
log level = 2
max log size = 100000
log file = /var/log/samba/log.%m
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
idmap config * : backend = tdb
idmap config * : range = 0 - 0
idmap config MYDOMAIN : backend = sss
idmap config MYDOMAIN : range = 1000 - 201000
max smbd processes = 1000
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN.-LOCAL.socket
ldapsam:trusted = yes
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap ssl = off
ldap suffix = dc=mydomain,dc=local
ldap user suffix = cn=users,cn=accounts
disable spoolss = yes
[myshare]
path = /data/myshare
read only = no
browseable = yes
guest ok = no
create mask = 0644
The packages installed are:
samba-4.14.12-0.fc34.x86_64
freeipa-client-common-4.9.6-4.fc34.noarch
freeipa-selinux-4.9.6-4.fc34.noarch
freeipa-common-4.9.6-4.fc34.noarch
freeipa-server-common-4.9.6-4.fc34.noarch
freeipa-healthcheck-core-0.10-1.fc34.noarch
freeipa-client-4.9.6-4.fc34.x86_64
freeipa-server-4.9.6-4.fc34.x86_64
freeipa-server-dns-4.9.6-4.fc34.noarch
freeipa-server-trust-ad-4.9.6-4.fc34.x86_64
freeipa-python-compat-4.9.6-4.fc34.noarch
4 days, 9 hours
SASL to AD via IPA
by Mariusz Stysiak
Hello everyone,
I have a nice and working IPA v3 with a trust to AD set up. On one of our SMTP servers (with authentication against a different LDAP via sssd) I have set up a saslauthd service which binds to our IPA server on 636/tcp using credentials and a certificate issued for a specific IPA user. SASL works perfectly well as long as I try to authenticate IPA users (who can be found with the ipa-user command), even with 2FA enabled, yet it fails if I try to authenticate an AD user who was 'imported' into IPA via the 'ipa group-add-member' command and the 'external group as a member of posix group' method. AD users can be seen using the 'id' command and can be allowed to log on to Linux servers, execute sudo commands based on HBAC rules and so on. Even freeradius with OTP works. Alas, no SASL.
I know that probably it would be wiser to set sasl to ask AD directly, but I am just curious if it is possible to make it work via IPA.
Best regards
1 week
freeipa expired certificates
by john john
Hello,
I have a freeipa server (ipa-server-4.5.0-22.el7.centos.x86_64).
Certificates expired in April 2022, and why certmonger did not renew them is not clear.
getcert list
Request ID '20180510155654':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2024-03-07 17:47:25 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180510155804':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2024-03-05 17:47:13 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155805':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2024-03-07 17:47:15 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155806':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2024-03-05 17:47:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155807':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-05-10 15:56:32 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155808':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://freeipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-15 04:47:25 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155834':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:55:59 UTC
dns: freeipa.example.com
principal name: ldap/freeipa.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20180510155907':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-26 06:11:51 UTC
dns: freeipa.example.com
principal name: ldap/freeipa.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20180510155922':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:56:54 UTC
principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180720144614':
status: CA_REJECTED
ca-error: Server at https://freeipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HTTP/pb-freeipa@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=cb,dc=com'.).
stuck: yes
key pair storage: type=FILE,location='/etc/pki/tls/private/pb-freeipa.key'
certificate: type=FILE,location='/etc/pki/tls/certs/pb-freeipa.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180720151813':
status: NEED_KEY_GEN_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert',pin set
certificate: type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180720152853':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/freeipa.example.com.key'
certificate: type=FILE,location='/etc/pki/tls/certs/freeipa.example.com.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:57:24 UTC
dns: freeipa.example.com
principal name: HTTP/freeipa.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075009':
status: NEED_CSR
stuck: no
key pair storage: type=FILE,location='/root/OVPN_CLIENT_1.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_1.pem'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2020-07-23 07:50:10 UTC
dns: freeipa.example.com
principal name: host/freeipa.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075356':
status: CA_REJECTED
ca-error: Server at https://freeipa.example.com/ipa/xml denied our request, giving up: 3009 (RPC failed at server. invalid 'csr': hostname in subject of request 'OVPN_CLIENT_1' does not match name or aliases of principal 'HTTP/freeipa.example.com@EXAMPLE.COM').
stuck: yes
key pair storage: type=FILE,location='/root/OVPN_CLIENT_2.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_2.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075553':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/root/OVPN_CLIENT_3.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_3.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20200514145151':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/home/user/vpn-user.key'
certificate: type=FILE,location='/home/user/vpn-user.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-05-15 14:51:52 UTC
dns: freeipa.example.com
principal name: host/freeipa.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20200514150206':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/home/user/freeipa.example.com.key'
certificate: type=FILE,location='/home/user/freeipa.example.com.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-05-15 15:02:07 UTC
dns: freeipa.example.com
principal name: host/freeipa.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I tried to update the certificates using the information from the following links:
https://floblanc.wordpress.com/2016/12/06/using-certmonger-to-track-certi...
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issu...
https://listman.redhat.com/archives/freeipa-users/2017-January/msg00216.html
but it was not possible to update expired certificates.
Could you please tell me how to solve the problem?
1 week, 1 day
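Both this post and the "expired Server-cert" thread at the top of the page come down to the same task: reading `getcert list` output and working out which tracking requests are already expired, which are stuck, and which cannot renew because the CA helper they go through is failing. The script below is an added example in Python; it is not code from either post, nor from certmonger or FreeIPA. SAMPLE_GETCERT is a constructed, abridged version of the listing quoted above, and REFERENCE_TIME is an assumed "now" chosen after the expiry dates in that listing.

```python
"""Triage `getcert list` output: which tracked certificates are expired, stuck, or failing at the CA.

Added example, not code from either post or from certmonger/FreeIPA. SAMPLE_GETCERT is a
constructed, abridged version of the listing quoted in the post; REFERENCE_TIME is an
assumed "now" chosen after the expiry dates in that listing.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT = """\
Request ID '20180510155654':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
CA: dogtag-ipa-ca-renew-agent
expires: 2024-03-07 17:47:25 UTC
Request ID '20180510155808':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://freeipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
CA: dogtag-ipa-ca-renew-agent
expires: 2022-04-15 04:47:25 UTC
Request ID '20180510155834':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
CA: IPA
expires: 2022-04-25 20:55:59 UTC
Request ID '20180720144614':
status: CA_REJECTED
stuck: yes
key pair storage: type=FILE,location='/etc/pki/tls/private/pb-freeipa.key'
CA: IPA
expires: unknown
"""
REFERENCE_TIME = datetime(2022, 5, 20, tzinfo=timezone.utc)   # assumed "now" for the sample
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert(text):
    """Split `getcert list` output into dicts; a field's key is the text before its first colon."""
    requests = []
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r"Request ID '([^']+)':", line)
        if start:
            requests.append({"request_id": start.group(1)})
        elif line and requests:
            key, _, value = line.partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def expiry(req):
    """Parse the 'expires' field into an aware datetime, or None for 'unknown'."""
    value = req.get("expires", "unknown")
    if value == "unknown":
        return None
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def cert_name(req):
    """NSS nickname for NSSDB storage, otherwise the key file path."""
    storage = req.get("key pair storage", "")
    m = re.search(r"nickname='([^']*)'", storage) or re.search(r"location='([^']*)'", storage)
    return m.group(1) if m else req["request_id"]


def triage(requests, now, soon=timedelta(days=30)):
    """Bucket request ids by what needs attention; each bucket is ordered by expiry date."""
    report = {"expired": [], "expiring_soon": [], "stuck": [], "ca_errors": []}
    for r in sorted(requests, key=lambda r: (expiry(r) is None, expiry(r) or now)):
        exp = expiry(r)
        if exp is not None and exp < now:
            report["expired"].append(r["request_id"])
        elif exp is not None and exp - now <= soon:
            report["expiring_soon"].append(r["request_id"])
        if r.get("stuck") == "yes":
            report["stuck"].append(r["request_id"])
        if r.get("status", "").startswith("CA_"):    # CA_UNREACHABLE, CA_REJECTED
            report["ca_errors"].append(r["request_id"])
    return report


def triage_sample():
    return triage(parse_getcert(SAMPLE_GETCERT), REFERENCE_TIME)


if __name__ == "__main__":
    live = not sys.stdin.isatty()              # `getcert list | python3 getcert_triage.py`
    reqs = parse_getcert(sys.stdin.read() if live else SAMPLE_GETCERT)
    by_id = {r["request_id"]: r for r in reqs}
    for bucket, ids in triage(reqs, datetime.now(timezone.utc) if live else REFERENCE_TIME).items():
        for rid in ids:
            r = by_id[rid]
            print(f"{bucket:13} {rid}  {cert_name(r):40} CA={r.get('CA', '')} {r.get('status', '')}")
```

Run it against a live server by piping `getcert list` into it; with no input it reports on the sample. The buckets are ordered by expiry date and carry the `CA` helper name on purpose: requests with `CA: IPA` are renewed through the IPA API over HTTPS, and the `ca-error` lines in the post ("Failed connect to freeipa.example.com:443", "Peer's Certificate has expired") show that path failing while the HTTP and CA server certificates are expired, so those entries cannot succeed until the CA's own `dogtag-ipa-ca-renew-agent` certificates are valid again.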
Broken ipa replica
by Giulio Casella
Hi everyone,
I'm stuck with a broken replica. I had a setup with two IPA servers in
replica (ipa-server-4.6.4 on CentOS 7.6), let's say "idc01" and "idc02".
Due to heavy load idc01 crashed many times, and was not working anymore.
So I tried to redo the replica again. At first I tried to
"ipa-replica-manage re-initialize", with no success.
Now I'm trying to redo from scratch the replica setup: on idc02 I
removed the segments (ipa topologysegment-del, for both ca and domain
suffix), on idc01 I removed everything (ipa-server-install --uninstall),
then I joined the domain (ipa-client-install), and everything is working so far.
When doing "ipa-replica-install" on idc01 I get:
[...]
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 22 seconds elapsed
[ldap://idc02.my.dom.ain:389] reports: Update failed! Status: [Error (-11) connection error: Unknown connection error (-11) - Total update aborted]
And on idc02 (the working server), in
/var/log/dirsrv/slapd-MY-DOM-AIN/errors I find lines stating:
[20/Mar/2019:09:28:06.545187923 +0100] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meToidc01.my.dom.ain" (idc01:389)".
[20/Mar/2019:09:28:26.528046160 +0100] - ERR - NSMMReplicationPlugin - perform_operation - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
[20/Mar/2019:09:28:26.530763939 +0100] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Received error -1 (Can't contact LDAP server): for total update operation
[20/Mar/2019:09:28:26.532678072 +0100] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Unable to send endReplication extended operation (Can't contact LDAP server)
[20/Mar/2019:09:28:26.534307539 +0100] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meToidc01.my.dom.ain" (idc01:389)", error (-11)
[20/Mar/2019:09:28:26.561763168 +0100] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Replication bind with GSSAPI auth resumed
[20/Mar/2019:09:28:26.582389258 +0100] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meToidc01.my.dom.ain" (idc01:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
It seems that idc02 remembers something about the old replica.
Any hint?
Thank you in advance,
Giulio
1 week, 2 days