Hi Jeremy,
to enable debugging you can simply create /etc/ipa/server.conf if the file does not exist:

# cat /etc/ipa/server.conf
[global]
debug=True
# systemctl restart httpd

The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can examine its content with

# openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt

If the IPA deployment includes an embedded CA, the CA that issued the httpd cert is stored in /etc/ipa/ca.crt and can also be checked with the openssl command.
flo
On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville <jeremy_tourville@hotmail.com> wrote:
I think I see the issue but I am unsure what to do to fix it. See below.
To answer your question, yes I did accept the security exception.
Also, I don't see a server.conf file at /etc/ipa so that I may enable debugging. What can you suggest for this issue?
[root@utility ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@utility ~]# kinit admin
Password for admin@IDM.NAC-ISSA.ORG:

[root@utility ~]# klist
Ticket cache: KCM:0:43616
Default principal: admin@IDM.NAC-ISSA.ORG

Valid starting       Expires              Service principal
09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/IDM.NAC-ISSA.ORG@IDM.NAC-ISSA.ORG

[root@utility ~]# ipa config-show
ipa: ERROR: cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
From: Florence Renaud flo@redhat.com
Sent: Tuesday, September 7, 2021 10:47 AM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Jeremy Tourville jeremy_tourville@hotmail.com
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

Hi Jeremy,

Did you accept the security exception displayed by the browser (I'm trying to eliminate obvious issues)? If nothing is displayed, can you check if the ipa command line is working as expected (for instance do "kinit admin; ipa config-show")?

You may want to enable debug logs (add debug=True to the [global] section of /etc/ipa/server.conf and restart the httpd service), retry WebUI authentication and check the generated logs in /var/log/http/error_log
flo
On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

OK, why don't I see anything on the initial login page? All I see is the URL and the fact that the certificate is not trusted. The certificate is not expired yet, not until Nov 2021. The login page is mostly solid white with no login or password field.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
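Flo's openssl command above reads the certificate, but the error the ipa client reports (CERTIFICATE_VERIFY_FAILED) is about the chain, not the dates: the client checks the certificate httpd presents against /etc/ipa/ca.crt, so an unexpired httpd.crt that was not issued by that CA, or that does not carry the server's hostname, fails in exactly this way. The following script is an added example, not code from the thread or from the FreeIPA project. It wraps `openssl verify` in a `check_chain` function and, so that it runs offline, builds constructed throwaway certificates: CA "ca-a" issues a leaf for the made-up host ipa.example.test, and "ca-b" stands in for a stale or foreign ca.crt. The host and file names in the fixture are assumptions; the real paths from the thread appear in the comment at the top.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): does an httpd certificate
# chain to a given CA file and name the expected host? This is the check the
# ipa client performs before it talks to https://<server>/ipa/json.
# Real-world call, with the paths from the thread:
#   check_chain /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt utility.idm.nac-issa.org
# Needs OpenSSL 1.1.1 or newer (for -addext-free config handling and -verify_hostname).

# check_chain CA_FILE CERT_FILE [HOSTNAME]
# Exit 0 if CERT_FILE is issued by the CA in CA_FILE and is within its validity
# period; when HOSTNAME is given, it must also appear in the SAN (or CN).
check_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# cert_unexpired CERT_FILE: exit 0 while notAfter is still in the future.
# Dates alone prove nothing about trust: a cert can be unexpired and untrusted.
cert_unexpired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# cert_summary CERT_FILE: the fields worth comparing against ca.crt by eye.
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

# make_fixture: constructed test data (assumed names, not a real deployment).
# "ca-a" issues a leaf for FIXTURE_HOST; "ca-b" is an unrelated CA.
# Sets FIXTURE_DIR and FIXTURE_HOST for the caller.
make_fixture() {
    FIXTURE_DIR=$(mktemp -d)
    FIXTURE_HOST="ipa.example.test"
    # Minimal req config so the fixture does not depend on the system openssl.cnf.
    cat > "$FIXTURE_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for ca in ca-a ca-b; do
        openssl req -x509 -config "$FIXTURE_DIR/req.cnf" -newkey rsa:2048 -nodes \
            -days 30 -subj "/CN=$ca" \
            -keyout "$FIXTURE_DIR/$ca.key" -out "$FIXTURE_DIR/$ca.crt" 2>/dev/null
    done
    openssl req -new -config "$FIXTURE_DIR/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$FIXTURE_HOST" \
        -keyout "$FIXTURE_DIR/leaf.key" -out "$FIXTURE_DIR/leaf.csr" 2>/dev/null
    # The leaf gets a SAN, which is what -verify_hostname matches against.
    printf 'subjectAltName=DNS:%s\n' "$FIXTURE_HOST" > "$FIXTURE_DIR/san.ext"
    openssl x509 -req -days 30 -in "$FIXTURE_DIR/leaf.csr" \
        -CA "$FIXTURE_DIR/ca-a.crt" -CAkey "$FIXTURE_DIR/ca-a.key" -CAcreateserial \
        -extfile "$FIXTURE_DIR/san.ext" -out "$FIXTURE_DIR/leaf.crt" 2>/dev/null
}

demo() {
    make_fixture
    leaf="$FIXTURE_DIR/leaf.crt"
    echo "leaf certificate:"
    cert_summary "$leaf"
    cert_unexpired "$leaf" && echo "unexpired: yes"
    # Right CA, right name: a healthy server.
    check_chain "$FIXTURE_DIR/ca-a.crt" "$leaf" "$FIXTURE_HOST" && echo "ca-a + hostname: OK"
    # Unexpired, but issued by a CA the client does not hold: the thread's symptom.
    check_chain "$FIXTURE_DIR/ca-b.crt" "$leaf" || echo "ca-b: verify FAILS (wrong issuer)"
    # Right CA, wrong name: the client rejects this too.
    check_chain "$FIXTURE_DIR/ca-a.crt" "$leaf" "other.example.test" || echo "other host: verify FAILS (name mismatch)"
    rm -rf "$FIXTURE_DIR"
}

demo
```

On a real server, run `check_chain /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt <fqdn>` first; if that passes but the ipa client still fails, compare the file on disk with what httpd actually serves, for example with `openssl s_client -connect <fqdn>:443 -servername <fqdn> -CAfile /etc/ipa/ca.crt </dev/null`, since the two can diverge after a botched renewal or a restored backup.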
/var/lib/ipa/certs/httpd.crt looks valid and has a 3 year validity date starting from Nov 23, 2020
/etc/ipa/ca.crt looks valid and has a 20 year validity date starting from Nov 23, 2020
Hi
I think the file is /etc/ipa/default.conf

[root@utility ipa]# pwd
/etc/ipa

[root@utility ipa]# ls -la
total 20
drwxr-xr-x.   7 root root  111 Sep  7 12:46 .
drwxr-xr-x. 112 root root 8192 Sep  7 11:11 ..
-rw-r--r--.   1 root root 1655 Nov 22  2020 ca.crt
drwx------.   2 root root   46 Jun 29 12:47 custodia
-rw-r--r--.   1 root root  330 Sep  7 11:10 default.conf
drwxr-xr-x.   2 root root  110 Sep  6 06:57 dnssec
drwxr-xr-x.   2 root root   53 Jun 29 12:47 html
drwxr-xr-x.   2 root root   53 Jun 29 12:47 kdcproxy
drwxr-xr-x.   2 root root   74 Jun 29 12:46 nssdb

[root@utility ipa]# cat default.conf
[global]
host = utility.idm.nac-issa.org
basedn = dc=idm,dc=nac-issa,dc=org
realm = IDM.NAC-ISSA.ORG
domain = idm.nac-issa.org
xmlrpc_uri = https://utility.idm.nac-issa.org/ipa/xml
ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-IDM-NAC-ISSA-ORG.socket
mode = production
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
debug=true

If it is default.conf then I guess I did it correctly. Can you confirm? Maybe the name is different in the newest version? I have uploaded the httpd error_log to pastebin for review.

[root@utility ~]# ipa config-show
ipa: ERROR: cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

I checked the certs:
/var/lib/ipa/certs/httpd.crt looks valid and has a 3 year validity date starting from Nov 23, 2020
/etc/ipa/ca.crt looks valid and has a 20 year validity date starting from Nov 23, 2020