Dear all, I am using FreeIPA, Version: 4.8.4 on CentOS 8
ipa-client.x86_64 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-client-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-healthcheck-core.noarch 0.4-4.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server.x86_64 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server-dns.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
Whenever I open the "Authentication" tab in the freeIPA web server, I get the error "IPA-Error 903: InternalError. An internal error has happend". Retry does not help. Within Authentication I can use all tabs, except for the Authentication -> Certificate -> Certificate one. This one gives the error. I also cannot search for a certificate. The other areas of Authentication -> Certificate (Certificate Profiles, CA ACLs, Certificate Authorities) work without problems.
As a test I cloned the machine and updated it to the latest CentOS 8 version with a newer freeIPA version on it, but that did not solve the problem and I scrapped this vm and idea again.
Any idea on how to resolve the issue / what could be broken? Which logs and things would be useful to look into?
Thanks a lot for your help and have a nice day
Nico
Nico Maas via FreeIPA-users wrote:
Your CA is not working. I'd look at the log files in /var/log/pki/pki-tomcat/ca
Also be sure the certs are still valid: getcert list | grep expires
rob
Thank you Rob for your help.
I see no expired certificates:
getcert list | grep expires
expires: 2022-04-17 16:46:12 CEST
expires: unknown
expires: unknown
expires: unknown
expires: unknown
expires: 2022-04-06 16:44:19 CEST
expires: 2022-04-06 16:44:45 CEST
expires: 2022-04-17 16:45:23 CEST
expires: 2022-04-17 16:45:47 CEST
I did also not see anything curious in the ca log folder. All services seem to be running, as far as I can see.
On a restart of certmonger I get these errors, but after that it's up:
Jan 12 07:31:05 test.intra certmonger[53276]: 2021-01-12 07:31:05 [53378] Error authenticating to token "NSS Certificate DB".
Jan 12 07:31:05 test.intra certmonger[53276]: 2021-01-12 07:31:05 [53378] Error shutting down NSS.
Jan 12 07:31:07 test.intra certmonger[53276]: 2021-01-12 07:31:07 [53417] Error authenticating to token "NSS Certificate DB".
Jan 12 07:31:07 test.intra certmonger[53276]: 2021-01-12 07:31:07 [53417] Error shutting down NSS.
Jan 12 07:31:12 test.intra certmonger[53276]: 2021-01-12 07:31:12 [53447] Error authenticating to token "NSS Certificate DB".
Jan 12 07:31:12 test.intra certmonger[53276]: 2021-01-12 07:31:12 [53447] Error shutting down NSS.
Jan 12 07:31:17 test.intra certmonger[53276]: 2021-01-12 07:31:17 [53492] Error authenticating to token "NSS Certificate DB".
Jan 12 07:31:17 test.intra certmonger[53276]: 2021-01-12 07:31:17 [53492] Error shutting down NSS.
tomcat also answers to a curl on http://test.intra:8080/ca/admin/ca/getStatus with running
Any further ideas? I need to get it back running somehow :(!
Thanks a lot
Nico
Thank you all, I could resolve the issue. The problem was a somewhat faulty certificate that a user had loaded into the userCertificate attribute of their LDAP entry.
I could see it by using cat /var/log/httpd/error_log:
ValueError: unable to convert the attribute 'usercertificate' value b'-----BEGIN CERTIFICATE-----\nMIIEaDCCA1CgAwIBAgI .... X5xy7CQ==\n-----END CERTIFICATE-----\n' to type <class 'cryptography.x509.base.Certificate'> in LDAP entry 'uid=test-user,cn=users,cn=accounts,dc=test,dc=intra'
Removing the userCertificate attribute of this entry got all 3 freeIPA instances back running and the web interface error free.
Thanks,
Nico
Nico Maas via FreeIPA-users wrote:
Do you have any more details on this? Was the 903 thrown only for this user or for all users? I'm interested to know if a bad cert in one user could affect all.
thanks
rob
Hi Rob,
It turned out someone imported a plain-text certificate into the binary userCertificate attribute, probably by manual means / direct insert into LDAP. The resulting error was thrown for all users and admins using the web interface of freeIPA, so this one certificate completely knocked out the named tab (Authentication -> Certificate -> Certificate) for all users and administrators. Only manual removal from LDAP via external software brought it back to life.
Best regards,
Nico
Hi Nico,
Hey! Please describe the process of solving this problem in more detail, how to remove such a problematic certificate?
I have exactly the same problem and even #ipa cert-revoke does not work in the console.
Hi, if you know exactly which certificate is causing the problem, you can use ldapmodify to remove the value from the LDAP user entry:
ldapmodify -D "cn=directory manager" -W
dn: uid=<user>,cn=users,cn=accounts,<base dn>
changetype: modify
delete: usercertificate
usercertificate: <value to be removed>
If you're not comfortable with the ldapmodify tool, there are graphical tools such as Apache Directory Studio that can help.
flo
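As an added example (not from this thread or the FreeIPA project) tying Nico's diagnosis to flo's ldapmodify step: a small stdlib-only Python checker that classifies userCertificate values pulled from LDAP, flags a PEM text block stored in the binary attribute, and emits the LDIF that deletes exactly that value. It assumes the values have already been fetched (for example with ldapsearch) into a dict of DN to raw bytes, and it uses a structural DER length check as a stand-in for the full python-cryptography parse FreeIPA performs; the sample entries are constructed.

```python
import base64
import re

# PEM armour: the text form that should never be stored in a binary attribute.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(data: bytes) -> bool:
    """A DER certificate is one outer SEQUENCE (tag 0x30) whose length covers the rest."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return hdr + length == len(data)

def classify(value: bytes) -> str:
    """'der' = well-formed blob; 'pem' = PEM text in the binary attribute (this thread's case)."""
    if der_length_ok(value):
        return "der"
    m = PEM_RE.search(value)
    if m:
        try:
            inner = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except ValueError:                # not even valid base64 between the armour lines
            return "garbage"
        if der_length_ok(inner):
            return "pem"
    return "garbage"

def removal_ldif(dn: str, value: bytes) -> str:
    """LDIF for the ldapmodify step in flo's reply; '::' marks a base64-encoded binary value."""
    b64 = base64.b64encode(value).decode("ascii")
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "delete: userCertificate", f"userCertificate:: {b64}", ""])

def scan(entries: dict) -> list:
    """entries: DN -> list of userCertificate values; returns (dn, kind, ldif) per bad value."""
    return [(dn, classify(v), removal_ldif(dn, v))
            for dn, values in entries.items() for v in values if classify(v) != "der"]

# Constructed sample data (not from the thread); a minimal SEQUENCE stands in for a DER cert.
FAKE_DER = b"\x30\x03\x02\x01\x01"
PEM_TEXT = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER) + b"\n-----END CERTIFICATE-----\n"
SAMPLE = {"uid=ok-user,cn=users,cn=accounts,dc=example,dc=test": [FAKE_DER],
          "uid=bad-user,cn=users,cn=accounts,dc=example,dc=test": [FAKE_DER, PEM_TEXT]}
```

scan(SAMPLE) returns only the bad-user entry, tagged "pem", together with an LDIF whose base64 value matches the stored bytes so ldapmodify deletes that value and nothing else.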
On Wed, Nov 9, 2022 at 8:19 PM Артем Михайлов via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: