ipa-replica-install (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired
by rui liang
ipa-replica-install is unsuccessful on a new FreeIPA (4.3) client
root@fs-hiido-ipa-ca-64-252:/var/lib/certmonger/requests# cat 20220607091036
id=20220607091036
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/dirsrv/slapd-YYDEVOPS-COM
key_token=NSS Certificate DB
key_nickname=Server-Cert
key_pin_file=/etc/dirsrv/slapd-YYDEVOPS-COM//pwdfile.txt
key_perms=0
key_pubkey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
key_pubkey_info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
key_generated_date=20220607091036
key_requested_count=1
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/dirsrv/slapd-YYDEVOPS-COM
cert_nickname=Server-Cert
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject=fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com
template_principal=ldap/fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com(a)YYDEVOPS.COM
template_is_ca=0
template_ca_path_length=0
template_no_ocsp_check=0
csr=-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----
spkac=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
scep_tx=23408524965258346450630507198266950287255212778687783181270846979351580813985
minicert=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
tzeyGhVKRwZ1tlwMyzrTHAMYixDNS5Ejhr5P/NjSnpDAul/Kw01NKoIe4OI
state=CA_UNREACHABLE
autorenew=1
monitor=1
ca_name=IPA
submitted=20220607091038
ca_error=Server at https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com:443/ca/eeca/...': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
root@fs-hiido-ipa-ca-64-252:/var/lib/certmonger/requests# ^C
root@fs-hiido-ipa-ca-64-252:/var/lib/certmonger/requests#
root@fs-hiido-ipa-ca-64-252:/var/lib/certmonger/requests#
root@fs-hiido-ipa-ca-64-252:/var/lib/certmonger/requests# less 20220607091036
id=20220607091036
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/dirsrv/slapd-YYDEVOPS-COM
key_token=NSS Certificate DB
key_nickname=Server-Cert
key_pin_file=/etc/dirsrv/slapd-YYDEVOPS-COM//pwdfile.txt
key_perms=0
key_pubkey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
key_pubkey_info=30820122300D06092A864886F70D01010105000382010F003082010A0282010100ABAE6132CE275098AE738330F45086F71F725B80C43034EDBA8CF3D9A5D17515F4B07B2409C0D45B74885870CE48BD169D5EE1D06262C85291D692505BD7895FD09754F5D186DD0509DCF620649842F37AFFD45FD124AE40988557430C237C598F49CB845630DF0C1CE12BEB4E74CA5278398730094E7868794B75F6F572F205D0567EC509E35EDB7CB26AAF8C4713C828EB81EE39A13F7568009585C3C1EBA35833C7F30691580ABC0D85811097E74FCD502BA73709B350A74C8CBED646AD01A40E4D71AFE7FBBD11B96BD0A1975E267C54AA1A7C29C5EF20E349E200CFCC58BD748497DFF29EC87B4A39A121B6C79573A0C59943F1C7981691CD01C44B675D0203010001
key_generated_date=20220607091036
key_requested_count=1
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/dirsrv/slapd-YYDEVOPS-COM
cert_nickname=Server-Cert
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject=fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com
template_principal=ldap/fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com(a)YYDEVOPS.COM
template_is_ca=0
template_ca_path_length=0
template_no_ocsp_check=0
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDsDCCApgCAQAwOTE3MDUGA1UEAxMuZnMtaGlpZG8taXBhLWNhLTY0LTI1Mi5o
aWlkby5ob3N0Lnl5ZGV2b3BzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKuuYTLOJ1CYrnODMPRQhvcfcluAxDA07bqM89ml0XUV9LB7JAnA1Ft0
iFhwzki9Fp1e4dBiYshSkdaSUFvXiV/Ql1T10YbdBQnc9iBkmELzev/UX9EkrkCY
hVdDDCN8WY9Jy4RWMN8MHOEr6050ylJ4OYcwCU54aHlLdfb1cvIF0FZ+xQnjXtt8
smqvjEcTyCjrge45oT91aACVhcPB66NYM8fzBpFYCrwNhYEQl+dPzVArpzcJs1Cn
TIy+1katAaQOTXGv5/u9Eblr0KGXXiZ8VKoafCnF7yDjSeIAz8xYvXSEl9/ynsh7
SjmhIbbHlXOgxZlD8ceYFpHNAcRLZ10CAwEAAaCCATAwJQYJKoZIhvcNAQkUMRge
FgBTAGUAcgB2AGUAcgAtAEMAZQByAHQwggEFBgkqhkiG9w0BCQ4xgfcwgfQwgcEG
A1UdEQEBAASBtjCBs6BQBgorBgEEAYI3FAIDoEIMQGxkYXAvZnMtaGlpZG8taXBh
LWNhLTY0LTI1Mi5oaWlkby5ob3N0Lnl5ZGV2b3BzLmNvbUBZWURFVk9QUy5DT02g
XwYGKwYBBQICoFUwU6AOGwxZWURFVk9QUy5DT02hQTA/oAMCAQGhODA2GwRsZGFw
Gy5mcy1oaWlkby1pcGEtY2EtNjQtMjUyLmhpaWRvLmhvc3QueXlkZXZvcHMuY29t
MAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFFmNcihY2hfR8EtJHZbaKlJPQAvN
MA0GCSqGSIb3DQEBCwUAA4IBAQBkxhUjn13xm66r2vBWLjUu74PeuhTvmChkLxQN
0XWrf8OJ6rl6Lcf4RQYQe6E4xJ6yyVGdM8kPaFQ7W7SYli95r5tVn4LpENYCTewb
q/tqWWLjcgRdk/hBrSknyCBEY1Idf0krbIEJK2vGqbi5ajFZhjlTQ2uiec0k7Wls
EpVFcGkFpgsFBuKKeO3H+Xj+2+w29jnkwXrmu6N4FKh+ikFDQBzy2pO6u/+pIvqq
9QTpx517GWuLwze4vcIa6xtBAuiq40+A00tWi5exmYCNi7rxpvI56zAvtvN9vMbP
gqfDTBOhPx/4f3WFqAmfWZcGWSmw+xOQzhqPhMxj5Q5cWDsS
-----END NEW CERTIFICATE REQUEST-----
spkac=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...skipping...
key_pin_file=/etc/dirsrv/slapd-YYDEVOPS-COM//pwdfile.txt
key_perms=0
key_pubkey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
key_pubkey_info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
key_generated_date=20220607091036
key_requested_count=1
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/dirsrv/slapd-YYDEVOPS-COM
cert_nickname=Server-Cert
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject=fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com
template_principal=ldap/fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com(a)YYDEVOPS.COM
template_is_ca=0
template_ca_path_length=0
template_no_ocsp_check=0
csr=-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----
spkac=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
scep_tx=23408524965258346450630507198266950287255212778687783181270846979351580813985
minicert=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
tzeyGhVKRwZ1tlwMyzrTHAMYixDNS5Ejhr5P/NjSnpDAul/Kw01NKoIe4OI
state=CA_UNREACHABLE
autorenew=1
monitor=1
ca_name=IPA
submitted=20220607091038
ca_error=Server at https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com:443/ca/eeca/...': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
I tested several servers and they all behave the same, so it should be an expired-CA problem.
What do I need to do to replicate this situation?
Syncing AD to IPA users
by Ronald Wimmer
We managed to use IPA users as AIX users in our environment.
Preferably, we would like to use users from an AD group directly, which
does not seem to be possible without SSSD for AIX, right?
As an alternative it would be great to synchronize users in a specific
AD group to IPA users. I already have a draft of a python script in mind
that could do the job.
Is there any way to synchronize a user's password from AD?
Cheers,
Ronald
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
by Ronald Wimmer
Today I tried to update one of our Keycloaks from version 12 to 18.
Everything looked good except Kerberos login. I am using the exact same
keytab file I used in KC version 12 but in version 18 I do get this:
May 24 23:18:36 kc001.linux.mydomain.at kc.sh[8164]: 2022-05-24
23:18:36,996 WARN
[org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
(executor-thread-2) SPNEGO login failed:
java.security.PrivilegedActionException: GSSException: Failure
unspecified at GSS-API level (Mechanism level: Checksum failed)
Any ideas what might be the cause?
Cheers,
Ronald
[SSSD] Announcing SSSD 2.7.1
by Pavel Březina
# SSSD 2.7.1
The SSSD team is proud to announce the release of version 2.7.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.7.1
See the full release notes at:
https://sssd.io/release-notes/sssd-2.7.1.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* SSSD can now handle multi-valued RDNs if a unique name must be
determined with the help of the RDN.
### Important fixes
* A regression in `pam_sss_gss` module causing a failure if `KRB5CCNAME`
environment variable was not set was fixed.
### Packaging changes
* `sssd-ipa` doesn't require `sssd-idp` anymore
### Configuration changes
* New option `implicit_pac_responder` to control if the PAC responder is
started for the IPA and AD providers, default is `true`.
* New option `krb5_check_pac` to control the PAC validation behavior.
* multiple `crl_file` arguments can be used in the
`certificate_verification` option.
Wildcard certificate
by Bret Wortman
I'm trying to create a wildcard certificate to use with some elasticsearch ECE systems and it's not working quite right yet. I found Fraser's blog at https://frasertweedale.github.io/blog-redhat/posts/2017-02-20-freeipa-wil... and followed the directions there. After installing the cert chain on my ES servers, when I connect over the web I'm getting an SSL_ERROR_BAD_CERT_DOMAIN error, even though the cert contains:
Subject Name
Organization OUR.NET 201804300753
Common Name *.elastic.our.net
Issuer Name
Organization OUR.NET 201804300753
Common Name Certificate Authority
Validity
Not Before Tue, 07 Jun 2022 14:48:08 GMT
Not After Fri, 07 Jun 2024 14:48:08 GMT
Subject Alt Names
DNS Name zsece01.our.net
DNS Name zsece02.our.net
DNS Name zsece013our.net
:
I've tried including elastic.our.net as an alt name too and it didn't prevent the error. What am I missing?
--
Bret Wortman
bret.wortman(a)damascusgrp.com
Cert Errors when trying to delete a host or view certs in UI.
by Russ Long
When I attempt to delete a host (non-ipa server host, just a client), I get the following error:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (403)
When I go to Authentication -> Certificates, I get this error:
An error has occurred (IPA Error 4301: CertificateOperationError)
I see this old thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
I tried the suggestions there, however I'm unable to make this work.
Certmonger is running, and not showing any errors. SSL Certs all show monitored, are not expired, and are not stuck.
All IPA services are running.
IPA-healthcheck shows several errors regarding a 403 when connecting to the CA Rest API.
This is only a single-server install in my homelab, but rather than destroying it and starting over I'd really like to figure out what's up.
PSA: Change in Firefox related to host names and its impact on IPA
by Rob Crittenden
Heads up about a change in Firefox v101.0 that can affect some
deployments of freeIPA.
https://www.mozilla.org/en-US/firefox/101.0/releasenotes reads:
"Removed "subject common name" fallback support from certificate
validation. This fallback mode was previously enabled only for manually
installed certificates. The CA Browser Forum Baseline Requirements have
required the presence of the "subjectAltName" extension since 2012, and
use of the subject common name was deprecated in RFC 2818."
This has been a long time coming. RFC2818 contains this:
https://datatracker.ietf.org/doc/html/rfc2818#section-3.1
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
It is probably a safe assumption that other browsers will soon follow suit.
If you don't use the IPA CA then you need to verify that the
certificates, from Let's Encrypt for example, contain a DNS Subject
Alternative Name (SAN) (LE should already). If not then you need to work
with the provider(s) to reissue new ones.
Installations with an IPA CA have enabled a DNS SAN for the Apache and
389 certificates since 4.5.1, so newer deployments should be unaffected
by this.
To confirm that the current IPA-issued certificates, including an IPA CA
signed as a subordinate by an external CA, contain a SAN:
For IPA 4.6 and earlier:
# getcert list -d /etc/httpd/alias -n Server-Cert
# getcert list -d /etc/dirsrv/slapd-<REALM> -n Server-Cert
For IPA 4.7 and later:
# getcert list -f /var/lib/ipa/certs/httpd.crt
# getcert list -d /etc/dirsrv/slapd-<REALM> -n Server-Cert
Included in the output for each cert should be a line like:
dns: ipa.example.test
Where ipa.example.test is the hostname of the machine.
If it isn't, you can use certmonger to add a DNS SAN and reissue an
existing certificate with:
# getcert resubmit -i <certmonger_request_id> -D $(hostname)
If you aren't using an IPA CA then it is still possible to verify but it
is slightly more complicated because the certificate nickname(s) may be
different.
For IPA 4.6 and earlier:
# grep NSSNickname /etc/httpd/conf.d/nss.conf
# certutil -L -d /etc/httpd/alias -n "<the value from above>"
# grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif
# certutil -L -d /etc/dirsrv/slapd-REALM -n "<the value from above>"
The output for each should contain something like:
Name: Certificate Subject Alt Name
DNS name: "ipa.example.test"
Where ipa.example.test is the hostname of the machine.
For IPA 4.7 and later:
# grep SSLCertificateFile /etc/httpd/conf.d/ssl.conf
# openssl x509 -noout -text -in "<the value from above>"
The output should contain something like:
X509v3 Subject Alternative Name:
DNS:ipa.example.test
# grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif
# certutil -L -d /etc/dirsrv/slapd-REALM -n "<the value from above>"
The output for each should contain something like:
Name: Certificate Subject Alt Name
DNS name: "ipa.example.test"
Where ipa.example.test is the hostname of the machine.
If not, you'll need to contact the issuing CA to get a replacement with a
DNS SAN.
rob
SSSD login stopped working on Ubuntu 22.04
by Joyce Babu
I have a FreeIPA installation with many Pop!_OS 21.10 clients. Today I upgraded one of the clients to Pop!_OS 22.04, and I can no longer authenticate with FreeIPA on the upgraded client.
In krb5kdc.log file on the server, I can see the error 'verify failure: Incorrect password in encrypted challenge'
=======
May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.14: NEEDED_PREAUTH: joyce(a)MYHOST.COM for krbtgt/MYHOST.COM(a)MYHOST.COM, Additional pre-authentication required
May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): closing down fd 12
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.14: PREAUTH_FAILED: joyce(a)MYHOST.COM for krbtgt/MYHOST.COM(a)MYHOST.COM, Preauthentication failed
May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): closing down fd 12
=======
If I try the same username/password on a Pop!_OS 21.10 client, I can login successfully and I see the following log message. I tried multiple times with multiple users, and had the same result.
=======
May 17 14:05:51 ipa.myhost.com krb5kdc[299](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: NEEDED_PREAUTH: joyce(a)MYHOST.COM for krbtgt/MYHOST.COM(a)MYHOST.COM, Additional pre-authentication required
May 17 14:05:51 ipa.myhost.com krb5kdc[299](info): closing down fd 12
May 17 14:05:51 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: ISSUE: authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, joyce(a)MYHOST.COM for krbtgt/MYHOST.COM(a)MYHOST.COM
May 17 14:05:51 ipa.myhost.com krb5kdc[301](info): closing down fd 12
May 17 14:05:51 ipa.myhost.com krb5kdc[300](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: ISSUE: authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, joyce(a)MYHOST.COM for host/ws024.office-mng.myhost.net(a)MYHOST.COM
May 17 14:05:51 ipa.myhost.com krb5kdc[300](info): closing down fd 12
=======
What changed in Ubuntu 22.04? Could this be due to an incompatible encryption type?
krbPrincipalExpiration and ssh keys
by Jim Kinney
It seems if valid ssh keys exist, the expired account status doesn't block login with ssh keys. Any operation that touches a password is blocking.
Is there a PAM setting in sshd that needs tweaking to deny access if the account is expired?
--
Computers amplify human error
Super computers are really cool
keytab encryption settings
by G H
I got FreeIPA up and running but am having trouble getting it working with apache, I tried both mod_auth_mellon and mod_auth_gssapi. My goal is to have something that 1) attempts kerberos 2) falls back to user/pass auth.
For mod_auth_gssapi, I am able to get SSO working with my local Firefox, but the fallback HTTP Basic auth fails. Opening a private Firefox window (to break Kerberos) and entering my username/password, I get the following Apache log error:
GSS ERROR gss_init_sec_context(): [Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Apache config is:
<Location />
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/http.keytab
GssapiBasicAuth On
GssapiBasicAuthMech krb5
Require valid-user
</Location>
Okay, so I moved to mod_auth_mellon (SAML auth via Keycloak via FreeIPA). With this one I got username/pass auth working, but kerberos does not work. I followed the instructions here: https://jdennis.fedorapeople.org/doc/mellon-install/mellon-install-guide....
Keycloak reports the below message when I *require* kerberos auth (over username/passwd):
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
So I think something might be wrong with my keytab file. Lots of posts around the internet are about Windows AD and say to enable AES encryption for that service, but I do not see such an option in FreeIPA.
So am I missing something with the encryption settings ?
Here is my keytab creation command: ipa-getkeytab -s freeipa.example.com -p HTTP/keycloak.example.com -k /tmp/client1.keytab
And here is the result:
[root@freeipa ~]# klist -e -k /tmp/client1.keytab
Keytab name: FILE:/tmp/client1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 HTTP/keycloak.example.com(a)EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 HTTP/keycloak.example.com(a)EXAMPLE.COM (aes128-cts-hmac-sha1-96)