No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
by roy liang
https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip...
I'm going to try this scheme instead of CA
httpd.pem ldap.pem ldap.pem httpd.pem ldap. I hope I can get some guidance. Thank you
1: Generate ca-key and ca-cert
# openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
2: Generate certificate signing request:
# openssl req -new -key ca-key -out csr.csr
3: Generate pem
# openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem
# openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem
4: install freeipa
root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert
Installing CA certificate, please wait
CA certificate successfully installed
5: install http.pem
root@migration-ipa-65:~/test_ca# ipa-server-certinstall \
> --dirman-pass xxx \
> --http /root/test_ca/http.pem --pin xxx
No server certificates found in /root/test_ca/http.pem
The ipa-server-certinstall command failed.
1 year, 9 months
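A pre-flight check for the file handed to ipa-server-certinstall, added here as an example; it is not code from the thread or from FreeIPA. The --http option (likewise --dirsrv) expects a file that contains the server certificate together with its private key, so a PEM that carries only a certificate, which is what the openssl commands in the post write to http.pem and ldap.pem, is the input shape behind "No server certificates found". The script extracts the first certificate and private-key block, confirms that the key's public half equals the certificate's SubjectPublicKeyInfo, and flags a CA:TRUE certificate. It builds its own throwaway CA and server key as constructed demo input (directory layout, file names and the CN values are assumptions), and needs openssl and awk.

```shell
#!/bin/sh
# Added example, not from the thread. A pre-flight check for the file given to
# "ipa-server-certinstall --http FILE" (likewise --dirsrv): the tool expects FILE
# to contain the server certificate AND the matching private key. A file holding
# only a certificate is the shape behind "No server certificates found in FILE".
# Encrypted private keys are out of scope here. Needs openssl and awk.

# Print the first PEM block whose label matches the ERE in $1, read from file $2.
pem_first_block() {
    awk -v re="$1" '
        !inblk && $0 ~ ("^-----BEGIN " re "-----$") { inblk = 1 }
        inblk { print }
        inblk && $0 ~ ("^-----END " re "-----$") { exit }
    ' "$2"
}

# Return 0 when file $1 holds a certificate plus an unencrypted private key for
# the same public key; otherwise explain on stderr and return 1.
pem_has_server_cert_and_key() {
    file=$1
    cert=$(pem_first_block 'CERTIFICATE' "$file")
    key=$(pem_first_block '(RSA |EC )?PRIVATE KEY' "$file")
    if [ -z "$cert" ]; then
        echo "$file: no CERTIFICATE block" >&2
        return 1
    fi
    if [ -z "$key" ]; then
        echo "$file: certificate only, no PRIVATE KEY block (the 'No server certificates found' shape)" >&2
        return 1
    fi
    # The certificate's SubjectPublicKeyInfo must equal the key's public half.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$file: the private key does not belong to the certificate" >&2
        return 1
    fi
    # A CA certificate is not a server certificate; flag basicConstraints CA:TRUE.
    if printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$file: warning: this is a CA certificate (CA:TRUE), not an end-entity one" >&2
    fi
    return 0
}

# Constructed demo material: a throwaway CA, and a server key whose certificate
# is issued by that CA (a separate key per role, unlike the commands in the post).
DEMO_DIR=$(mktemp -d)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$DEMO_DIR/ca-key.pem" 2>/dev/null
openssl req -new -x509 -key "$DEMO_DIR/ca-key.pem" -subj '/CN=Demo CA' -days 1 \
    -out "$DEMO_DIR/ca-cert.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$DEMO_DIR/http-key.pem" 2>/dev/null
openssl req -new -key "$DEMO_DIR/http-key.pem" -subj '/CN=ipa.example.test' \
    -out "$DEMO_DIR/http.csr" 2>/dev/null
openssl x509 -req -in "$DEMO_DIR/http.csr" -CA "$DEMO_DIR/ca-cert.pem" \
    -CAkey "$DEMO_DIR/ca-key.pem" -CAcreateserial -days 1 -out "$DEMO_DIR/http-cert.pem" 2>/dev/null

DEMO_GOOD="$DEMO_DIR/http-with-key.pem"       # key + cert: what --http expects
DEMO_CERT_ONLY="$DEMO_DIR/http-cert-only.pem" # certificate only, like the post's http.pem
DEMO_MISMATCH="$DEMO_DIR/http-wrong-key.pem"  # cert bundled with the CA key instead of its own
cat "$DEMO_DIR/http-key.pem" "$DEMO_DIR/http-cert.pem" > "$DEMO_GOOD"
cp "$DEMO_DIR/http-cert.pem" "$DEMO_CERT_ONLY"
cat "$DEMO_DIR/ca-key.pem" "$DEMO_DIR/http-cert.pem" > "$DEMO_MISMATCH"

for f in "$DEMO_GOOD" "$DEMO_CERT_ONLY" "$DEMO_MISMATCH"; do
    if pem_has_server_cert_and_key "$f"; then echo "OK:     $f"; else echo "REJECT: $f"; fi
done
```

Source the script and call pem_has_server_cert_and_key on the file you intend to pass with --http; a non-zero return with the reason on stderr is what to fix before running ipa-server-certinstall again.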
keycloak - the other way around?
by lejeczek
Hi guys.
I've only stumbled upon the whole Keycloak thing, thus go easy on
me please. I wonder if Keycloak can be a "provider" to
FreeIPA in some way?
One such scenario where I think Keycloak might be a golden
egg - if it worked, that is - is as a "middle-man" for the user
base between (or from/to) AD and FreeIPA when a full & legit
trust is not possible. Does that make sense?
many thanks, L.
1 year, 9 months
FreeIPA Replica Install Command Failed
by Yannick Djomo
I am out of options here when trying to promote the client to a replica on CentOS 8 Stream.
Any guidance will be really helpful.
[root@ipa02 ~]# ipa-replica-install --skip-conncheck
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/38]: creating directory server instance
Validate installation settings
Create file system structures
Perform SELinux labeling ...
Create database backend: dc=mydomain,dc=com
Perform post-installation tasks
[2/38]: tune ldbm plugin
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configure password logging
[7/38]: configuring replication version plugin
[8/38]: enabling IPA enrollment plugin
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: configuring topology plugin
[16/38]: creating indices
[17/38]: enabling referential integrity plugin
[18/38]: configuring certmap.conf
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv cache and keytab
[21/38]: enabling SASL mapping fallback
[22/38]: restarting directory server
[23/38]: creating DS keytab
[24/38]: ignore time skew for initial replication
[25/38]: setting up initial replication
Starting replication, please wait until this has completed
[error] SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 4, 'ctrls': [], 'info': 'Interrupted system call'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up
{'result': -1, 'desc': "Can't contact LDAP server", 'errno': 4, 'ctrls': [], 'info': 'Interrupted system call'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up
{'result': -1, 'desc': "Can't contact LDAP server", 'errno': 4, 'ctrls': [], 'info': 'Interrupted system call'}
The ipa-replica-install command failed. See /var/log/ipareplica-install.log
1 year, 9 months
Re: certmonger Error 77 Problem with the SSL CA cert
by liangrui@yy.com
a new Cert for the pki-tomcat. It was not easy, but now I have a new
There is a specific deployment; in my test I found that the rollback time was renewed, however it did not take effect.
my env: freeipa 4.3, Ubuntu 16.04
liangrui@yy.com
1 year, 10 months
Re: FreeIPA Replica Install Command Failed
by Yannick Djomo
Hi Rob,
Thank you for your response.
I have checked the ports, and yes firewall is on; however, we have added the replica to the server rules to have them communicate.
Do you have another recommendation that we can apply?
Best,
YD.
1 year, 10 months
freeipa/certmonger for openvpn user certificates
by Patrick Spinler
Hi,
I'm setting up an openvpn server and I'd like to use our already existing FreeIPA CA to issue user keys/certs for openvpn's use. Since our OpenVPN box is a freeipa client, I thought it'd be nice to use certmonger to issue and keep up to date these certs.
Ergo, I've created a certificate profile:
pat@apex-freeipa ~$ ipa certprofile-show --all OpenVPNUserCert
dn: cn=OpenVPNUserCert,cn=certprofiles,cn=ca,dc=int,dc=apexmw,dc=com
Profile ID: OpenVPNUserCert
Profile description: OpenVPN User Certificates
Store issued certificates: FALSE
objectclass: ipacertprofile, top
And also a CA ACL. For experimentation (and working against our test FreeIPA) I've left this as wide open as I can:
[pat@apex-freeipa ~]$ ipa caacl-show --all OpenVPN_User_Certificate_ACL
dn: ipaUniqueID=6dde33a6-7849-11e9-aa05-525400b52c7b,cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com
ACL name: OpenVPN_User_Certificate_ACL
Enabled: TRUE
CA category: all
Profile category: all
User category: all
Host category: all
Service category: all
ipauniqueid: 6dde33a6-7849-11e9-aa05-525400b52c7b
objectclass: ipaassociation, ipacaacl
Then, on my openvpn server, I ask for a cert for use for one of my users (myself, in this case):
root@apex-openvpn:~# ipa-getcert request -f /etc/openvpn/client/pat.crt -k /etc/openvpn/client/pat.key -r -N 'CN=pat,O=INT.APEXMW.COM' -K pat -g 4096 --profile OpenVPNUserCert
New signing request "20190603014016" added.
But it fails due to an access error against the 'userCertificate' attribute of my account:
root@apex-openvpn:~# ipa-getcert list
(...snippy snip excess...)
Request ID '20190603014016':
status: CA_REJECTED
ca-error: Server at https://apex-freeipa.int.apexmw.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com'.).
stuck: yes
key pair storage: type=FILE,location='/etc/openvpn/client/pat.key'
certificate: type=FILE,location='/etc/openvpn/client/pat.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
If I look at the dirsrv log, here are the accesses I see for this request (trimmed off the date/time to make the lines a _little_ shorter):
root@apex-freeipa slapd-INT-APEXMW-COM# grep conn=178 access | cut -d' ' -f3-
conn=178 fd=114 slot=114 connection from 10.10.200.1 to 10.10.200.1
conn=178 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
conn=178 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0025554208 dn="fqdn=apex-openvpn.int.apexmw.com,cn=computers,cn=accounts,dc=int,dc=apexmw,dc=com"
conn=178 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
conn=178 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001319554
conn=178 op=2 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
conn=178 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000979573
conn=178 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
conn=178 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0000736730
conn=178 op=4 SRCH base="cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaca)(cn=ipa))" attrs=""
conn=178 op=4 RESULT err=0 tag=101 nentries=1 etime=0.0000499142
conn=178 op=5 SRCH base="cn=ipa,cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaCaId ipaCaSubjectDN cn ipaCaIssuerDN description"
conn=178 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0000482726
conn=178 op=6 SRCH base="cn=apex-freeipa.int.apexmw.com,cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(ipaConfigString=enabledService)(cn=CA))" attrs=ALL
conn=178 op=6 RESULT err=0 tag=101 nentries=1 etime=0.0000950646 notes=U
conn=178 op=7 SRCH base="cn=accounts,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=pat@INT.APEXMW.COM))" attrs=ALL
conn=178 op=7 RESULT err=0 tag=101 nentries=1 etime=0.0002747849
conn=178 op=8 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
conn=178 op=8 RESULT err=0 tag=120 nentries=0 etime=0.0000135034
conn=178 op=9 SRCH base="cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass"
conn=178 op=9 RESULT err=0 tag=101 nentries=1 etime=0.0000932668 - entryLevelRights: none
conn=178 op=10 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="distinguishedName"
conn=178 op=10 RESULT err=0 tag=101 nentries=1 etime=0.0000640289
conn=178 op=11 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="telephoneNumber ipaSshPubKey uid krbCanonicalName ipatokenRadiusUserName ipaUserAuthType krbPrincipalExpiration homeDirectory nsAccountLock usercertificate;binary title loginShell uidNumber mail ipaCertMapData memberOf memberofindirect krbPrincipalName givenName gidNumber sn ou userClass ipatokenRadiusConfigLink"
conn=178 op=11 RESULT err=0 tag=101 nentries=1 etime=0.0001401737
conn=178 op=12 SRCH base="dc=int,dc=apexmw,dc=com" scope=2 filter="(|(member=uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com)(memberUser=uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com)(memberHost=uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com))" attrs=""
conn=178 op=12 RESULT err=0 tag=101 nentries=7 etime=0.0001492344 notes=P pr_idx=0 pr_cookie=-1
conn=178 op=13 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(userPassword=*)" attrs="userPassword"
conn=178 op=13 RESULT err=0 tag=101 nentries=1 etime=0.0000524838
conn=178 op=14 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
conn=178 op=14 RESULT err=0 tag=101 nentries=1 etime=0.0000597589
conn=178 op=15 SRCH base="ipaUniqueID=80b23b30-6a0c-11e9-baa3-525400b52c7b,cn=sudorules,cn=sudo,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="cn"
conn=178 op=15 RESULT err=0 tag=101 nentries=1 etime=0.0000379744
conn=178 op=16 SRCH base="ipaUniqueID=5fb3a640-705a-11e9-aa05-525400b52c7b,cn=hbac,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="cn"
conn=178 op=16 RESULT err=0 tag=101 nentries=1 etime=0.0000337904
conn=178 op=17 SRCH base="cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="serviceCategory cn ipaMemberCertProfile ipaMemberCa ipaCertProfileCategory memberUser userCategory hostCategory memberHost ipaEnabledFlag ipaCaCategory memberService description"
conn=178 op=17 RESULT err=0 tag=101 nentries=2 etime=0.0001647058
conn=178 op=18 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
conn=178 op=18 RESULT err=0 tag=120 nentries=0 etime=0.0000138321
conn=178 op=19 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="userCertificate"
conn=178 op=19 RESULT err=0 tag=101 nentries=1 etime=0.0001475052 - entryLevelRights: none
conn=178 op=20 UNBIND
conn=178 op=20 fd=114 closed - U1
To begin with, I note that this session does a BIND with 'dn=""' right at the beginning; it's essentially an anonymous bind, yah?
That operation near the end, here:
op=17 SRCH base="cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))"
seems like it might be kinda key. And indeed, if I attempt to run this by hand as an anonymous bind, I get no results:
root@apex-freeipa slapd-INT-APEXMW-COM# ldapsearch -x -h localhost -b dc=int,dc=apexmw,dc=com -s sub "(|(objectClass=ipaassociation)(objectClass=ipacaacl))"
# extended LDIF
#
# LDAPv3
# base <dc=int,dc=apexmw,dc=com> with scope subtree
# filter: (|(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
It's only if I run this as an _authenticated_ bind that I can find my ACL:
root@apex-freeipa slapd-INT-APEXMW-COM# ldapsearch -x -D "cn=Directory Manager" -W -h localhost -b dc=int,dc=apexmw,dc=com -s sub "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" cn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=int,dc=apexmw,dc=com> with scope subtree
# filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: cn
#
# c98b740c-6903-11e9-ad1b-525400b52c7b, caacls, ca, int.apexmw.com
dn: ipaUniqueID=c98b740c-6903-11e9-ad1b-525400b52c7b,cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com
cn: hosts_services_caIPAserviceCert
# 6dde33a6-7849-11e9-aa05-525400b52c7b, caacls, ca, int.apexmw.com
dn: ipaUniqueID=6dde33a6-7849-11e9-aa05-525400b52c7b,cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com
cn: OpenVPN_User_Certificate_ACL
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Is this (using certmonger to auto-issue signed certs/keys for my OpenVPN users) going to be essentially impossible to do here? Do I need to go the more traditional route of creating a separate keystore/certdb, issuing a CSR, and feeding that to FreeIPA to sign?
Any advice appreciated, and thanks in advance,
-- Pat
1 year, 10 months
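The access-log reading in the post, worked as a small added example (not code from the thread or from 389-ds). In the 389-ds access log a SASL bind always shows `BIND dn=""`; the identity the server mapped the credentials to is logged as `dn="..."` on that bind's RESULT line, and only a bind that ends up with no mapped dn is anonymous. The awk filter below reads a log with the date/time prefix already cut off (the `cut -d' ' -f3-` shape shown above), prints for each connection the peer, bind method and mapped identity, and then lists every operation that came back with `entryLevelRights: none` together with the search base it was checking, which is what turns "Insufficient 'write' privilege" into "which identity, which entry". Sample input is taken from the log lines in the post plus a constructed second connection (conn=201, an anonymous simple bind) to show the contrast.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a 389-ds access log with the
# date/time prefix cut off and prints, per connection, the identity the
# server mapped the bind to, then every operation that ended with
# "entryLevelRights: none" and the entry it was evaluated against.

dirsrv_bind_identity() {
    awk '
    # value of a quoted key="..." attribute in line s, or "" if absent
    function qfield(s, k,   i, rest) {
        i = index(s, " " k "=\"")
        if (i == 0) return ""
        rest = substr(s, i + length(k) + 3)
        return substr(rest, 1, index(rest, "\"") - 1)
    }
    # value of a bare key=value attribute in line s, or "" if absent
    function bfield(s, k,   i, rest) {
        i = index(s, " " k "=")
        if (i == 0) return ""
        rest = substr(s, i + length(k) + 2)
        sub(/ .*/, "", rest)
        return rest
    }
    $1 !~ /^conn=/ { next }
    { conn = substr($1, 6); op = $2 }
    $4 == "connection" { peer[conn] = $6; next }
    $3 == "BIND" {
        bindop[conn] = op
        binddn[conn] = qfield($0, "dn")
        method[conn] = bfield($0, "method")
        mech[conn]   = bfield($0, "mech")
        next
    }
    $3 == "RESULT" && op == bindop[conn] {
        id = qfield($0, "dn")              # SASL: mapped identity is on the RESULT line
        if (id == "") id = binddn[conn]    # simple bind: identity is the BIND dn
        if (id == "") id = "anonymous"     # neither: a truly anonymous bind
        m = (mech[conn] == "") ? "-" : mech[conn]
        printf "conn=%s peer=%s method=%s mech=%s bound-as=\"%s\"\n", conn, peer[conn], method[conn], m, id
        delete bindop[conn]
        next
    }
    $3 == "SRCH" { base[conn, op] = qfield($0, "base"); next }
    $3 == "RESULT" && / entryLevelRights: none/ {
        printf "conn=%s %s entryLevelRights=none base=\"%s\"\n", conn, op, base[conn, op]
    }
    '
}

# Sample input: lines from the post (date/time already trimmed) plus a
# constructed conn=201 that does a plain anonymous simple bind.
dirsrv_sample_log() {
    cat <<'EOF'
conn=178 fd=114 slot=114 connection from 10.10.200.1 to 10.10.200.1
conn=178 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
conn=178 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0025554208 dn="fqdn=apex-openvpn.int.apexmw.com,cn=computers,cn=accounts,dc=int,dc=apexmw,dc=com"
conn=178 op=9 SRCH base="cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass"
conn=178 op=9 RESULT err=0 tag=101 nentries=1 etime=0.0000932668 - entryLevelRights: none
conn=178 op=17 SRCH base="cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="cn"
conn=178 op=17 RESULT err=0 tag=101 nentries=2 etime=0.0001647058
conn=178 op=19 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="userCertificate"
conn=178 op=19 RESULT err=0 tag=101 nentries=1 etime=0.0001475052 - entryLevelRights: none
conn=178 op=20 UNBIND
conn=178 op=20 fd=114 closed - U1
conn=201 fd=120 slot=120 connection from 10.10.200.5 to 10.10.200.1
conn=201 op=0 BIND dn="" method=128 version=3
conn=201 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000
conn=201 op=1 SRCH base="cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com" scope=1 filter="(objectClass=ipacaacl)" attrs="cn"
conn=201 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000200000
conn=201 op=2 UNBIND
EOF
}

dirsrv_sample_log | dirsrv_bind_identity
```

On a live server the same filter runs as `cut -d' ' -f3- access | dirsrv_bind_identity`; the first line for conn=178 shows the request was made as the host principal of apex-openvpn, and the two entryLevelRights lines name exactly the entries that identity could not write.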