Alexander,

Please find output below:

[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
        Validity
            Not Before: Nov 30 18:06:04 2017 GMT
            Not After : Nov 30 18:06:04 2018 GMT
        Subject: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e1:55:dc:8d:f5:0f:01:f1:75:dd:88:21:53:2e:
...output omitted...
                    49:b8:c6:59:c3:89:d7:5e:20:a9:81:fe:93:60:b2:
                    38:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, othername:<unsupported>
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                81:12:0E:48:6A:43:93:92:03:18:29:D3:3B:E2:71:8B:B4:A9:42:7E
            1.3.6.1.4.1.311.20.2: 
                .".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
    Signature Algorithm: sha256WithRSAEncryption
         ba:01:72:0b:2f:9d:3f:39:cf:84:be:cd:85:70:08:79:60:9e:
...output omitted...
         f4:0d:27:9e:41:bd:71:c9:0d:51:e1:3c:1e:4f:8e:89:71:f3:
         e9:fe:40:74
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA+MRYwFAYDVQQKDA1OSVgu
...output omitted...
ZYDW6cyjBkmRmaelKXZEm81ezY+s9A0nnkG9cckNUeE8Hk+OiXHz6f5AdA==
-----END CERTIFICATE-----
[root@ipa-server-01 ~]#

[root@ipa-server-01 krb5kdc]# rm -f kdc.crt 
[root@ipa-server-01 krb5kdc]# rm -f kdc.key 
[root@ipa-server-01 krb5kdc]# 
[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-server-01 krb5kdc]# ls -la
total 20
drwxr-xr-x. 2 root root   82 Dec  4 08:16 .
drwxr-xr-x. 4 root root   31 Nov  2 11:13 ..
-rw-r--r--  1 root root 1298 Dec  4 08:16 cacert.pem
-rw-------  1 root root   22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x  1 root root  612 Nov 30  2017 kdc.conf
-rw-r--r--  1 root root 1667 Dec  4 08:16 kdc.crt
-rw-------  1 root root 1704 Dec  4 08:16 kdc.key
[root@ipa-server-01 krb5kdc]#
 
After the certificate update it looks like the Web GUI is working.

Thank you so much for your help!

Regards,
Andrey

 

On 12/4/18, 02:02, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
    
    
    
    On Tue, 04 Dec 2018, Andrey Ptashnik wrote:
    >Alexander,
    >
    >Thank you for your time,
    >
    ># getcert list -f /var/kerberos/krb5kdc/kdc.crt
    >No request found that matched arguments.
    >#
    >
    ># ls -la /var/kerberos/krb5kdc/
    >total 16
    >drwxr-xr-x. 2 root root   82 Dec  3 22:56 .
    >drwxr-xr-x. 4 root root   31 Nov  2 11:13 ..
    >-rwxr-xr-x  1 root root    0 Nov 30  2017 cacert.pem
    >-rw-------  1 root root   22 Oct 30 09:40 kadm5.acl
    >-rwxr-xr-x  1 root root  612 Nov 30  2017 kdc.conf
    >-rwxr-xr-x  1 root root 1415 Nov 30  2017 kdc.crt
    >-rwxr-xr-x  1 root root 1708 Nov 30  2017 kdc.key
    >#
    What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?
    
    Are you using integrated CA?
    
    If you are using integrated CA, then please move away kdc.crt and
    kdc.key and run
    
     ipa-pkinit-manage enable
    
    
    >
    >I used following commands:
    >
    ># yum upgrade ipa-server
    ># ipa-server-upgrade
    >
    >to upgrade packages, and agreed to any proposed dependencies (there were about 90 of them).
    >
    >Thanks,
    >Andrey
    >
    >
    >
    >On 12/4/18, 01:28, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
    >
    >
    >
    >    On Tue, 04 Dec 2018, Andrey Ptashnik via FreeIPA-users wrote:
    >    >Dear FreeIPA Team,
    >    >
    >    >I have an issue with the Web GUI throwing the error message "Login failed due to an unknown reason" when logging in through the Web interface.
    >    >Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine.
    >    >
    >    >I first spotted this issue in 4.5.0 and tried troubleshooting steps
    >    >from previous thread, however that did not help.  Hoping that issue is
    >    >solved in higher versions I tried upgrading ipa-server packages via:
    >    >
    >    ># yum upgrade ipa-server
    >    ># ipa-server-upgrade
    >    >
    >    >However it did not solve the issue in 4.6.6 and exactly the same
    >    >behavior I saw in version 4.5.0
    >    >
    >    ># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
    >    >ipa-server-4.6.4-10.el7.centos.x86_64
    >    >krb5-libs-1.15.1-34.el7.x86_64
    >    >krb5-server-1.15.1-34.el7.x86_64
    >    >cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
    >    >sssd-krb5-1.16.2-13.el7.x86_64
    >    >httpd-2.4.6-88.el7.centos.x86_64
    >    >
    >    ># cat /etc/*release*
    >    >CentOS Linux release 7.4.1708 (Core)
    >    Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA
    >    packages selectively to a version from CentOS 7.6.1810 without updating
    >    whole distribution to that version, there is no guarantee everything is
    >    working.
    >
    >
    >    >What could be the next troubleshooting step in my case?
    >    Please show
    >
    >    getcert list -f /var/kerberos/krb5kdc/kdc.crt
    >
    >    --
    >    / Alexander Bokovoy
    >    Sr. Principal Software Engineer
    >    Security / Identity Management Engineering
    >    Red Hat Limited, Finland
    >
    >
    
    --
    / Alexander Bokovoy
    Sr. Principal Software Engineer
    Security / Identity Management Engineering
    Red Hat Limited, Finland
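
A small triage of the two outputs posted in this thread (the `openssl x509 -text` dump and the `getcert list` reply), as an added example that is not part of the original messages: it reports whether the KDC certificate is outside its validity window, whether Issuer equals Subject, and whether certmonger has a tracking request. The function names and the time of day used for the report date are assumptions.

```python
import re
from datetime import datetime, timezone

# Excerpt of the `openssl x509 -text` output posted in this thread.
SAMPLE_X509_TEXT = """\
        Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
        Validity
            Not Before: Nov 30 18:06:04 2017 GMT
            Not After : Nov 30 18:06:04 2018 GMT
        Subject: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
"""
# `getcert list -f /var/kerberos/krb5kdc/kdc.crt` output posted in this thread.
SAMPLE_GETCERT = "No request found that matched arguments.\n"

def field(text, label):
    """Return the value of a 'Label: value' or 'Label : value' line."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
    if m is None:
        raise ValueError("field not found: " + label)
    return m.group(1)

def parse_openssl_time(value):
    # openssl prints e.g. 'Nov 30 18:06:04 2018 GMT'; the day may be space-padded.
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def triage_kdc_cert(x509_text, getcert_text, now):
    """Return a list of findings for a KDC PKINIT certificate."""
    findings = []
    not_before = parse_openssl_time(field(x509_text, "Not Before"))
    not_after = parse_openssl_time(field(x509_text, "Not After"))
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired %d days ago" % (now - not_after).days)
    if field(x509_text, "Issuer") == field(x509_text, "Subject"):
        findings.append("self-signed (Issuer equals Subject)")
    if "No request found" in getcert_text:
        findings.append("not tracked by certmonger")
    return findings

if __name__ == "__main__":
    # Date of the first report in this thread; the time of day is an assumption.
    report_time = datetime(2018, 12, 4, 1, 28, tzinfo=timezone.utc)
    for finding in triage_kdc_cert(SAMPLE_X509_TEXT, SAMPLE_GETCERT, report_time):
        print(finding)
```

On a live server the two text arguments would be the captured output of the same two commands shown in the thread.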
    
