On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote:
Hi,

my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system.

For a while now, Web UI logins on ipa1 have not been working ("Login failed due to an unknown reason.").

Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running.

On login attempt:

--- httpd log
[...]
[:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[...]
[:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
---

--- krb5kdc.log
[...]
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example....@example.com, Failed to verify own certificate (depth 0): certificate has expired
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11
---

--- ipa-checkcerts.py
IPA version 4.5.4-10.el7.centos.3
Check CA status
Check tracking
Check NSS trust
Check dates
Checking certificates in CS.cfg
Comparing certificates to requests in LDAP
Checking RA certificate
Checking authorities
Checking host keytab
Validating certificates
Checking renewal master
End-to-end cert API test
Checking permissions and ownership
Failures:
Unable to find request for serial 268304391
Unable to find request for serial 268304394
Unable to find request for serial 268304393
Unable to find request for serial 268304392
Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57
---

--- ipa pkinit-status --all
-----------------
2 servers matched
-----------------
   Server name: ipa2.example.com
   PKINIT status: enabled

   Server name: ipa1.example.com
   PKINIT status: enabled
----------------------------
Number of entries returned 2
----------------------------

To my understanding, proper certificate exchange between my two servers ceased working at some point. How do I track this down and fix it?

Hi,

Your issue looks similar to ticket #6792 [1]. Can you check the result of the upgrade in /var/log/ipaupgrade.log?
Also check the output of
$ ipa-pkinit-manage status
and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions.

Regarding the certificates, does getcert list show expired certs?
flo

[1] https://pagure.io/freeipa/issue/6792

With best regards,

--Daniel.
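A small diagnostic that turns the checks from the reply above into a script, added here and not part of the thread: it verifies the two bundle files exist with -rw-r--r-- permissions and tests whether the KDC certificate named in the failing kinit command has expired, which is the failure the krb5kdc log reports. The paths are taken from the messages above; the function names and output labels are my own.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Paths come from the kinit command
# and the reply above; adjust if your deployment differs.
KDC_CERT=/var/kerberos/krb5kdc/kdc.crt
KDC_CA_BUNDLE=/var/lib/ipa-client/pki/kdc-ca-bundle.pem
CA_BUNDLE=/var/lib/ipa-client/pki/ca-bundle.pem

# check_mode FILE EXPECTED -> 0 if FILE exists and its ls -l mode string
# equals EXPECTED (e.g. -rw-r--r--), 1 otherwise. Only the first ten
# characters are compared so an ACL/SELinux marker (+ or .) is ignored.
check_mode() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "MISSING    $f"; return 1; }
    have=$(ls -ld "$f" | cut -c1-10)
    if [ "$have" = "$want" ]; then
        echo "OK         $f ($have)"; return 0
    fi
    echo "BADMODE    $f has $have, expected $want"; return 1
}

# check_not_expired FILE -> 0 if the PEM certificate in FILE is still valid
# right now (openssl -checkend 0), 1 if it is expired, missing or unreadable.
check_not_expired() {
    f=$1
    [ -f "$f" ] || { echo "MISSING    $f"; return 1; }
    na=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) || {
        echo "UNREADABLE $f"; return 1; }
    if openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then
        echo "VALID      $f ($na)"; return 0
    fi
    echo "EXPIRED    $f ($na)"; return 1
}

# run_checks -> returns the number of failed checks (0 = all healthy).
# An expired KDC_CERT is exactly what makes "kinit -n" (anonymous PKINIT,
# used for the Web UI armor ccache) fail as in the httpd log above.
run_checks() {
    fails=0
    check_mode "$KDC_CA_BUNDLE" -rw-r--r-- || fails=$((fails + 1))
    check_mode "$CA_BUNDLE" -rw-r--r--     || fails=$((fails + 1))
    check_not_expired "$KDC_CERT"          || fails=$((fails + 1))
    return $fails
}

# Usage on the affected KDC (as root): run_checks; echo "failed checks: $?"
```

If the KDC certificate reports EXPIRED, the expected follow-up is the certmonger side (getcert list on the renewal master), since that is what renews it.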
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org