Hey everyone,
I just tried to install FreeIPA on a Hetzner cloud server because I'm actually looking for an alternative to UCS. I still don't get why FreeIPA needs to be reachable on a public net, but that's not the point here.
I have a clean, fresh Fedora 40 with a running network; the hostname resolves, also reverse DNS. It sits behind an OPNsense NAT gateway with its own public IPv4 address.
I have opened ports 389 & 636.
When trying to run ipa-server-install, the following error occurs, where I can't understand why it can't access the LDAP server. I've checked with nmap: the port is open. Further, the LDAP service seems to be running.
Maybe someone has an idea what's going on?
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Connecting to LDAP server at ldap://fsn-ipa.domain.tld:389
ERROR: Unable to access LDAP server: ldap://fsn-ipa.domain.tld:389
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 987, in <module>
    main(sys.argv)
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 560, in main
    check_ds()
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 722, in check_ds
    verify_ds_configuration()
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 58, in verify_ds_configuration
    deployer.ds_bind()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 2442, in ds_bind
    self.ds_connection.simple_bind_s(
  File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 248, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 242, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not connected'}

2024-06-29T10:58:32Z CRITICAL Failed to configure CA instance
2024-06-29T10:58:32Z CRITICAL See the installation logs and the following files/directories for more information:
2024-06-29T10:58:32Z CRITICAL /var/log/pki/pki-tomcat
2024-06-29T10:58:32Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 678, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
    raise RuntimeError(
RuntimeError: CA configuration failed.

2024-06-29T10:58:32Z DEBUG [error] RuntimeError: CA configuration failed.
2024-06-29T10:58:32Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-06-29T10:58:32Z DEBUG   File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.12/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.12/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/__init__.py", line 608, in main
    master_install(self)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/install.py", line 960, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", line 607, in install_step_0
    ca.configure_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 515, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 678, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
    raise RuntimeError(

2024-06-29T10:58:32Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2024-06-29T10:58:32Z ERROR CA configuration failed.
2024-06-29T10:58:32Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Meikel Bloch via FreeIPA-users wrote:
I have opened the Ports 389 & 636
What do you mean you have "opened ports"? This is all running on the local system so it should have no problem connecting to itself.
rob
https://www.freeipa.org/page/Quick_Start_Guide
"The rule about /etc/hosts is that the fully-qualified name must come first. It should look like:
10.0.0.1 server.ipa.test server"

Fully qualified name? Must be resolvable? Does the reverse lookup of the IP need to match the hostname? So is 10.0.0.1 a public or private IP example here? My understanding is that this is also about DNAT (own public IPv4 with port forwards to the local system) and not just SNAT to be able to access the outer www.

----------

https://www.freeipa.org/page/Quick_Start_Guide#open-ports-in-the-firewall
"Fedora comes with two pre-defined service rules for FreeIPA. One opens Kerberos, HTTP, HTTPS, DNS, NTP and LDAP, the other the same set with LDAPS instead of LDAP (out-of-the box you want LDAP)."

This is not very helpful; it would help much more to know what needs to be accessible where, as we operate a NAT gateway with a stateful firewall in front of the system.

----------

I really think that I am simply misunderstanding several things here and thus configuring them incorrectly, or perhaps something is missing in the gateway/firewall?
Hi,
On Thu, Jul 4, 2024 at 12:04 AM M B via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
https://www.freeipa.org/page/Quick_Start_Guide
"The rule about /etc/hosts is that the fully-qualified name must come first. It should look like:
10.0.0.1 server.ipa.test server"
Fully qualified name? Must be resolvable? Does the reverse lookup of the IP need to match the hostname? So is 10.0.0.1 a public or private IP example here? My understanding is that this is also about DNAT (own public IPv4 with port forwards to the local system) and not just SNAT to be able to access the outer www.
The example must be adapted to your own machine. What's the machine name and the IP address corresponding to this name?
----------
https://www.freeipa.org/page/Quick_Start_Guide#open-ports-in-the-firewall
"Fedora comes with two pre-defined service rules for FreeIPA. One opens Kerberos, HTTP, HTTPS, DNS, NTP and LDAP, the other the same set with LDAPS instead of LDAP (out-of-the box you want LDAP)."
This is not very helpful; it would help much more to know what needs to be accessible where, as we operate a NAT gateway with a stateful firewall in front of the system.
I really think that I am simply misunderstanding several things here and thus configuring them incorrectly, or perhaps something is missing in the gateway/firewall?
Please read https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/ins...
flo
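A pre-flight check that ties the two answers above together, added here as an example; it is not part of the thread and not FreeIPA's own tooling. Rob's point is that the failing connection in the log (ldap://fsn-ipa.domain.tld:389 from pkispawn) is the host talking to its own 389 Directory Server, so gateway port forwards are irrelevant to it; flo's point is that the /etc/hosts example must be adapted to the machine's own name and address. The script checks that `hostname -f` is fully qualified, that /etc/hosts lists that FQDN first after an address (the Quick Start Guide rule), that the address is one configured on a local interface, and, when ldapsearch is installed, that an anonymous rootDSE search against ldap://<fqdn>:389 answers. The names, the addresses in the constructed sample hosts file, and the assumption that a name mapping to the gateway's public address rather than a local one is what breaks the local bind are all mine, not facts established in the thread.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): pre-flight checks before ipa-server-install
# on a host behind NAT. Usage on the server itself:
#   sh ipa-preflight.sh run fsn-ipa.domain.tld      (name is a placeholder)
#   sh ipa-preflight.sh run                          (uses `hostname -f`)

# is_fqdn NAME: crude check that NAME carries a domain part (has a dot).
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# hosts_fqdn_first FILE FQDN: print the address and exit 0 when FQDN is the
# first name on its line; exit 2 when it is present only as a later alias;
# exit 1 when it is absent. Comment lines are skipped.
hosts_fqdn_first() {
    awk -v fqdn="$2" '
        BEGIN { rc = 1 }
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == fqdn) { if (i == 2) { print $1; rc = 0 } else rc = 2; exit }
        }
        END { exit rc }' "$1"
}

# addr_in_list ADDR LIST: ADDR occurs as a whole word in the space-separated
# LIST (intended LIST: the output of `hostname -I`, i.e. local interface addresses).
addr_in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# write_sample_hosts FILE: constructed /etc/hosts used by the self-test below;
# every address and name in it is made up.
write_sample_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host
127.0.0.1   localhost localhost.localdomain
::1         localhost6
10.0.0.1    fsn-ipa.domain.tld fsn-ipa
10.0.0.2    other fsn-other.domain.tld
EOF
}

# preflight FQDN: live checks on this host; stops at the first failure.
preflight() {
    fqdn="$1"
    is_fqdn "$fqdn" || { echo "FAIL: '$fqdn' is not fully qualified"; return 1; }
    addr=$(hosts_fqdn_first /etc/hosts "$fqdn") || {
        echo "FAIL: $fqdn is missing from /etc/hosts or is not the first name on its line"
        return 1; }
    addr_in_list "$addr" "$(hostname -I)" || {
        echo "FAIL: $fqdn maps to $addr, which is not on a local interface (gateway's public address?)"
        return 1; }
    if command -v ldapsearch >/dev/null 2>&1; then
        # Anonymous rootDSE read: answers only if dirsrv is up and listening on $addr.
        ldapsearch -x -H "ldap://$fqdn:389" -s base -b "" namingContexts >/dev/null 2>&1 || {
            echo "FAIL: no LDAP answer from ldap://$fqdn:389 (is dirsrv running and bound to $addr?)"
            return 1; }
    fi
    echo "OK: $fqdn -> $addr, LDAP answers locally"
}

case "${1:-}" in
    run) preflight "${2:-$(hostname -f)}" ;;
esac
```

If the third check fails because the name resolves to the gateway's public address, the fix is on the host (put the interface address in /etc/hosts, or install with a name that resolves to it), not on the OPNsense port forwards; those only matter for clients outside the NAT.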
freeipa-users@lists.fedorahosted.org