Hi Florence,
On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote:
> On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote:
>> my IPA system consists of 2 masters with their own self-signed CAs, one of
>> them being the certificate renewal master (ipa1). The system has been
>> running for years and has been migrated from an IPA 3 system.
>>
>> Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed
>> due to an unknown reason.").
>>
>> Web UI logins on the other server (ipa2) work and everything else is
>> working fine, too, ipactl status reports all services running.
>>
>> On login attempt:
>>
>> --- httpd log
>> [...]
>> [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception
>> occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>> [...]
>> [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command
>> '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X
>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>> non-zero exit status 1
>> ---
>>
>> --- krb5kdc.log
>> [...]
>> Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes
>> {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH:
>> WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
>> Additional pre-authentication required
>> Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11
>> Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes
>> {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA:
>> WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Failed
>> to verify own certificate (depth 0): certificate has expired
>> Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11
>> ---
>>
>> --- ipa-checkcerts.py
>> IPA version 4.5.4-10.el7.centos.3
>> Check CA status
>> Check tracking
>> Check NSS trust
>> Check dates
>> Checking certificates in CS.cfg
>> Comparing certificates to requests in LDAP
>> Checking RA certificate
>> Checking authorities
>> Checking host keytab
>> Validating certificates
>> Checking renewal master
>> End-to-end cert API test
>> Checking permissions and ownership
>> Failures:
>> Unable to find request for serial 268304391
>> Unable to find request for serial 268304394
>> Unable to find request for serial 268304393
>> Unable to find request for serial 268304392
>> Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject
>> CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57
>> ---
>>
>> --- ipa pkinit-status --all
>> -----------------
>> 2 servers matched
>> -----------------
>> Server name: ipa2.example.com
>> PKINIT status: enabled
>>
>> Server name: ipa1.example.com
>> PKINIT status: enabled
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> To my understanding, proper certificate exchange between my two servers
>> ceased working at some point. How do I track this down and fix it?
>>
> your issue looks similar to ticket #6792 [1]. Can you check the result of
> upgrade in /var/log/ipaupgrade.log?
> Also check the output of
> $ ipa-pkinit-manage status
> and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and
> /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions.
> Regarding the certificates, does getcert list show expired certs?
> flo
> [1] https://pagure.io/freeipa/issue/6792
---
$ ipa-pkinit-manage status
PKINIT is enabled
---
There are no expired certificates, kdc-ca-bundle.pem and ca-bundle.pem
exist with proper permissions, but I found something in ipaupgrade.log:
---
2018-09-12T13:37:18Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt
2018-09-12T13:37:19Z DEBUG Process finished, return code=0
2018-09-12T13:37:19Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
2018-09-12T13:37:19Z DEBUG stderr=
2018-09-12T13:37:19Z DEBUG Starting external process
2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n EXAMPLE.COM IPA CA -a -f /etc/httpd/alias/pwdfile.txt
2018-09-12T13:37:19Z DEBUG Process finished, return code=0
2018-09-12T13:37:19Z DEBUG stdout=
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
2018-09-12T13:37:19Z DEBUG stderr=
2018-09-12T13:37:19Z DEBUG Executing upgrade plugin: update_ra_cert_store
2018-09-12T13:37:19Z DEBUG raw: update_ra_cert_store
2018-09-12T13:37:19Z DEBUG raw: ca_is_enabled(version=u'2.228')
2018-09-12T13:37:19Z DEBUG ca_is_enabled(version=u'2.228')
2018-09-12T13:37:19Z DEBUG Starting external process
2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n ipaCert -a -f /etc/httpd/alias/pwdfile.txt
2018-09-12T13:37:19Z DEBUG Process finished, return code=255
2018-09-12T13:37:19Z DEBUG stdout=
2018-09-12T13:37:19Z DEBUG stderr=certutil: Could not find cert: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
[...]
---
Mit freundlichen Gruessen/With best regards,
--Daniel.
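As an added example (not code from this thread, and not part of FreeIPA), here is a small stdlib-only Python triage script for the krb5kdc.log pattern quoted above. It parses AS_REQ lines, separates the normal NEEDED_PREAUTH leg from KDC_RETURN_PADATA errors (where PKINIT certificate problems such as "Failed to verify own certificate ... certificate has expired" are reported), and singles out the WELLKNOWN/ANONYMOUS principal because that is the one the httpd side's `kinit -n` armor ccache depends on, which is why the Web UI breaks while ordinary password logins keep working. The sample log lines are constructed and modelled on the excerpt in this thread; hostnames, PIDs and addresses are placeholders, and the "(a)" the list archive substitutes for "@" is undone before parsing.

```python
import re
from collections import Counter

# Constructed sample, modelled on the krb5kdc.log excerpt in this thread.
# Hosts, PIDs and IPs are placeholders; "(a)" is the archive's munging of "@".
SAMPLE_LOG = """\
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.7: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.7: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Failed to verify own certificate (depth 0): certificate has expired
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11
Dec 20 16:07:10 ipa1.example.com krb5kdc[15519](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.9: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Dec 20 16:07:10 ipa1.example.com krb5kdc[15519](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.9: ISSUE: authtime 1545322030, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# "<syslog timestamp> <host> krb5kdc[<pid>](info): AS_REQ (<n> etypes {...}) <ip>: <STATUS>: <rest>"
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <server>[, <message>]" sits at the end of <rest> for every status.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<msg>.*))?$")

ANONYMOUS_PRINCIPAL_PREFIX = "WELLKNOWN/ANONYMOUS@"


def parse_as_req(line):
    """Return a dict for one AS_REQ log line, or None for any other line."""
    line = line.rstrip("\n").replace("(a)", "@")  # undo mailing-list address munging
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    p = PRINCIPALS_RE.search(event.pop("rest"))
    if not p:
        return None
    event.update(p.groupdict())
    event["anonymous"] = event["client"].startswith(ANONYMOUS_PRINCIPAL_PREFIX)
    return event


def classify(event):
    """Map a parsed AS_REQ event to a coarse outcome label."""
    status, msg = event["status"], event["msg"] or ""
    if status == "ISSUE":
        return "issued"
    if status == "NEEDED_PREAUTH":
        return "preauth_required"  # normal first leg of an AS exchange, not an error
    if status == "KDC_RETURN_PADATA":
        # The KDC is returning an error inside pre-auth data; for PKINIT this is
        # where certificate verification problems surface.
        if "own certificate" in msg and "expired" in msg:
            return "pkinit_kdc_cert_expired"  # the KDC's own kdc.crt failed verification
        if "certificate" in msg:
            return "pkinit_cert_error"
        return "padata_error"
    return "other"


def triage(lines):
    """Summarise AS_REQ outcomes and list PKINIT failures worth acting on."""
    events = [e for e in map(parse_as_req, lines) if e]
    counts = Counter(classify(e) for e in events)
    findings = []
    for e in events:
        outcome = classify(e)
        if not outcome.startswith("pkinit"):
            continue
        findings.append({
            "host": e["host"],
            "client": e["client"],
            "anonymous": e["anonymous"],
            "outcome": outcome,
            "reason": e["msg"],
            # Anonymous PKINIT is what the Web UI's armor ccache (kinit -n) relies on,
            # so a failure for this principal breaks logins on that server even
            # though password authentication for named users still succeeds.
            "breaks_web_ui_armor": e["anonymous"],
        })
    return {"events": len(events), "counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG.splitlines()), indent=2))
```

Running it on a real file (`triage(open("/var/log/krb5kdc.log"))`) gives a per-host list of PKINIT failures with the KDC's own reason string, which is the quickest way to confirm whether the "Login failed due to an unknown reason" in the Web UI is the KDC certificate rather than something on the httpd side.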