Hello all,
Has anyone seen this issue? We've tried to generate a new CA and SSL Cert.
IPA v.3.0.0-50
# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64

root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # ipa-replica-prepare --ip-address=10.10.xx.xx rtlvxl0055.test.local
Directory Manager (existing master) password:
Preparing replica for rtlvxl0055.test.local from ldap-srv.domain.com
Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to 'https://ldap-srv.domain..com:9444/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.
cannot connect to 'https://ldap-srv.domain..com:xxxx/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 361, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
    raise e

root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # uname -r
2.6.32-642.3.1.el6.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
Kind regards, Vin
Vinny Del Signore via FreeIPA-users wrote:
See if your CA is up, look for a running tomcat process, ensure that the certs aren't expired: getcert list | grep expires, check the debug log in /var/log/pki/<something>/debug
rob
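As an added example (this is not code from the thread, from FreeIPA or from certmonger), here is a small Python triage script that automates the checks Rob lists: it parses `getcert list` output and reports every tracked request that is not in the healthy MONITORING state, is stuck, or whose certificate is expired or about to expire, and it scans a Dogtag CA debug log for the JSS/NSS initialization failure. The `getcert` output and debug-log fragment embedded below are constructed to mimic the formats seen in this thread; the hostnames, request IDs and dates in them are made up.

```python
"""Triage helpers for a FreeIPA CA that will not answer on its HTTPS port.

Added example, not code from the mailing-list thread or from FreeIPA.
The sample inputs are constructed to resemble `getcert list` output and
a Dogtag debug log; they are not real captures.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `getcert list` output (not a real capture).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20141211093329':
\tstatus: CA_UNREACHABLE
\tca-error: Error 35 connecting to https://ca.example.test:9443/ca/agent/ca/profileReview: SSL connect error.
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2018-10-23 09:34:16 UTC
Request ID '20141211093330':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ldap.example.test,O=EXAMPLE.TEST
\texpires: 2017-06-05 12:00:00 UTC
Request ID '20161223074657':
\tstatus: CA_UNCONFIGURED
\tca-error: Unable to determine principal name for signing request.
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert'
\tCA: IPA
\tsubject:
\texpires: unknown
"""

# Constructed fragment of a Dogtag debug log (not a real capture).
SAMPLE_DEBUG_LOG = """\
[31/May/2017:13:02:04][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
Failed to create jss service: java.lang.SecurityException: Unable to initialize security library
\tat com.netscape.cmscore.security.JssSubsystem.init(JssSubsystem.java:272)
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
HEALTHY_STATUS = "MONITORING"
FATAL_PATTERNS = ("Failed to create jss service",
                  "Unable to initialize security library")


def parse_getcert(text):
    """Turn `getcert list` output into a list of {field: value} dicts."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line such as "Number of certificates ..."
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """'2018-10-23 09:34:16 UTC' -> datetime; None for 'unknown' or empty."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
    except ValueError:
        return None


def triage(text, now, warn_days=30):
    """Return (request id, problem) tuples for everything worth looking at."""
    problems = []
    for req in parse_getcert(text):
        status = req.get("status", "")
        if status != HEALTHY_STATUS:
            problems.append((req["id"], "status %s: %s" % (status, req.get("ca-error", ""))))
        if req.get("stuck") == "yes":
            problems.append((req["id"], "stuck: renewal will not retry on its own"))
        exp = parse_expiry(req.get("expires", ""))
        if exp is None:
            problems.append((req["id"], "expiry unknown"))
        elif exp <= now:
            problems.append((req["id"], "expired %s" % exp.date()))
        elif exp - now <= timedelta(days=warn_days):
            problems.append((req["id"], "expires within %d days (%s)" % (warn_days, exp.date())))
    return problems


def ca_startup_failures(log_text):
    """Lines showing the CA's JSS/NSS layer failed to initialize.

    A java/tomcat process in `ps` only proves the container started; if
    these lines are present the CA web application never came up."""
    return [l for l in log_text.splitlines() if any(p in l for p in FATAL_PATTERNS)]


if __name__ == "__main__":
    for req_id, problem in triage(SAMPLE_GETCERT, datetime(2017, 5, 31, 13, 0, 0)):
        print("%s: %s" % (req_id, problem))
    for line in ca_startup_failures(SAMPLE_DEBUG_LOG):
        print("CA debug log: %s" % line)
```

The point of the debug-log check is the caveat a practitioner wants here: a running Tomcat process is not evidence that the CA is up. Tomcat can sit there with the CA servlet dead after a failed JSS initialization, and anything connecting to the CA's HTTPS port then gets an immediate end-of-file instead of a TLS handshake.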
Hi Rob,
Please see below. Notice "Failed to create jss service: java.lang.SecurityException: Unable to initialize security library".
# getcert list | grep expires
    expires: 2018-10-23 09:34:16 UTC
    expires: 2018-10-23 09:33:16 UTC
    expires: 2018-10-23 09:33:16 UTC
    expires: 2018-10-24 09:33:15 UTC
    expires: 2018-10-23 09:33:16 UTC
    expires: 2019-03-03 19:54:22 UTC
    expires: 2019-03-03 19:54:22 UTC
    expires: 2019-03-03 19:54:22 UTC
    expires: unknown

root bioldap-p1 /var/log/pki-ca # ps -ef | grep tomcat
pkiuser  18739     1  0 13:02 ?        00:00:04 /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
root     20364 14505  0 13:23 pts/3    00:00:00 grep tomcat
root bioldap-p1 /var/log/pki-ca #

# /var/log/pki-ca/debug
[31/May/2017:13:02:04][main]: ============================================
[31/May/2017:13:02:04][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[31/May/2017:13:02:04][main]: ============================================
Failed to create jss service: java.lang.SecurityException: Unable to initialize security library
    at com.netscape.cmscore.security.JssSubsystem.init(JssSubsystem.java:272)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:306)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

# getcert list   (notice the last one)
Number of certificates and requests being tracked: 9.
Request ID '20141211093329':
    status: CA_UNREACHABLE
    ca-error: Error 35 connecting to https://bioldap-p1.DOMAIN.COM:9443/ca/agent/ca/profileReview: SSL connect error.
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2018-10-23 09:34:16 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141211093330':
    status: CA_UNREACHABLE
    ...
...
Request ID '20161223074657':
    status: CA_UNCONFIGURED
    ca-error: Unable to determine principal name for signing request.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:

# tail -f access
[31/May/2017:12:55:13 -0500] conn=3 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[31/May/2017:12:55:13 -0500] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/May/2017:12:55:13 -0500] conn=3 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[31/May/2017:12:55:13 -0500] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[31/May/2017:12:55:13 -0500] conn=3 op=2 UNBIND
[31/May/2017:12:55:13 -0500] conn=3 op=2 fd=64 closed - U1
[31/May/2017:12:57:03 -0500] conn=4 fd=64 slot=64 connection from 10.106.178.59 to 10.106.178.56
[31/May/2017:12:57:03 -0500] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/May/2017:12:57:03 -0500] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/May/2017:12:57:03 -0500] conn=4 op=-1 fd=64 closed - SSL peer cannot verify your certificate.

# tail -f errors
[31/May/2017:12:48:42 -0500] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[31/May/2017:12:48:42 -0500] - Listening on All Interfaces port 7390 for LDAPS requests
[31/May/2017:12:48:42 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:48:42 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-biogendb-p2.wgap.ibm.com-pki-ca" (biogend ion bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8054:You are attempting to import a cert wi erial as an existing cert, but that is not the same cert.)
[31/May/2017:12:48:45 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:48:51 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:49:03 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:49:27 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:50:15 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
[31/May/2017:12:51:51 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0
^C
From: Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Vinny Del Signore vdel@us.ibm.com, Rob Crittenden rcritten@redhat.com
Date: 05/31/2017 01:07 PM
Subject: [Freeipa-users] Re: cannot connect ...Encountered end of file.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi Folks,
We are trying to use G Suite's GCDS to sync users and passwords from our Freeipa server running on a CentOS server.
The sync appears *mostly* working and when the sync is executed, it registers that a user has changed their password and *claims* it's made the modification change.
The issue is that the password doesn't change in G Suite. I *think* it's a password hash issue at this point.
The GCDS application says that the hashes it accepts are MD5, SHA1, or Clear Text (unfortunately Google only accepts these old options). I've been trying to do ldapsearch dumps to see if I can get an idea of the password hash FreeIPA uses, but I haven't had any luck.
I did see an article from this forum published in Feb of 2015 (https://www.redhat.com/archives/freeipa-users/2015-February/msg00187.html) that says Freeipa uses a salted sha256 hash.
From the following freeipa-users article (https://www.redhat.com/archives/freeipa-users/2010-March/msg00044.html) it looks like I have to add SHA1 as a hash option to the server if I want to get things working. I'd like to try this on my test server to see if that's actually the issue on why the gsync is failing to update changed passwords.
I've been looking around, but since I'm fairly new using freeipa, I'm not sure how to add a hash to the server. If you can please point me to some documentation that shows me how to add SHA1 as a password hash, I'd be grateful.
I understand the insecure nature of moving to SHA1 and I've emailed Google to see if they support anything better, but management wants the Freeipa server to sync accounts and passwords to Google, so I have to make this work.
Has anyone gotten FreeIPA to sync its passwords to G Suite?
If I get this working, I'm happy to share the config with you so some other poor soul doesn't have to stumble through the configuration.
Thanks!
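As an added example (not code from this thread, from FreeIPA or from GCDS), the Python below parses and verifies 389-ds style userPassword values in the schemes mentioned above: the salted {SSHA256} form FreeIPA is said to write, plus {SSHA}, unsalted {SHA} (the SHA1 form GCDS can read) and {MD5}. Salted schemes store base64(digest(password + salt) + salt), so the salt is recovered from the tail of the decoded value. The passwords and salts used are constructed test values.

```python
"""Parse, generate and verify {SCHEME}base64 userPassword values as written
by 389-ds / FreeIPA.  Added example, not code from the thread or from FreeIPA;
all passwords and salts below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

# scheme tag -> (hashlib algorithm, salted?).  Salted schemes are stored as
# base64(digest(password || salt) || salt); the salt length is whatever
# follows the fixed-size digest, so no separate length field is needed.
SCHEMES = {
    "SSHA256": ("sha256", True),
    "SSHA": ("sha1", True),
    "SHA": ("sha1", False),   # what GCDS can consume
    "MD5": ("md5", False),    # likewise, and just as weak
}


def make_userpassword(password, scheme="SSHA256", salt=None):
    """Produce a userPassword value; salt is only used by salted schemes."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(value):
    """Return (scheme, digest, salt); salt is b'' for unsalted schemes."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no {SCHEME} tag in userPassword value")
    scheme, _, b64 = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        raise ValueError("malformed %s value" % scheme)
    return scheme, raw[:dlen], raw[dlen:]


def verify(password, value):
    """Check a candidate password against a stored value (constant-time compare)."""
    scheme, digest, salt = parse_userpassword(value)
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = make_userpassword("correct horse", "SSHA256", salt=b"12345678")
    print(stored, verify("correct horse", stored), verify("wrong", stored))
```

One consequence worth stating plainly: a stored {SSHA256} value cannot be rewritten into a {SHA} or {MD5} value, because the hash is one-way. Even after a server is changed to produce a GCDS-readable scheme, only passwords set from that point on will be stored in it; existing users would have to change their password before a sync could pick anything up.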
On Thu, 22 Jun 2017, Janet Houser via FreeIPA-users wrote:
Do you really need to sync passwords to G Suite as opposed to allow users to authenticate against FreeIPA when using G Suite apps?
If the latter is your goal, then I'd recommend looking into federation instead. For example, https://ipsilon-project.org/doc/example/google-apps.html