Jeremy Tourville wrote:
> [root@utility certs]# ipa-certupdate
> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
> The ipa-certupdate command failed.
> 
> Sort of a bad catch 22 I guess?

Yeah, I was afraid of that.

Let's walk through it. Try a simple command for another data point. I'm
not sure what we'd do with this but it will exercise the system-wide
trust as well:

$ curl https://`hostname`/

Rebuilding the CA trust db may help

# update-ca-trust

I suppose also look for AVCs in case something is way out-of-whack:

# ausearch -m AVC -ts recent

ipa-healthcheck may be something to try as well but you're likely to get
a crapton of false positives since it can't talk to the web interface.

rob

> 
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <[email protected]>
> *Sent:* Friday, September 10, 2021 9:09 AM
> *To:* Jeremy Tourville <[email protected]>; FreeIPA users
> list <[email protected]>
> *Cc:* Florence Renaud <[email protected]>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>  
> Jeremy Tourville wrote:
>> Now I understand how to test the cert(s) after re-reading your comments
>> Rob and Flo 🙂
>> 
>> [root@utility certs]# openssl verify -verbose -show_chain -CAfile
>> /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
>> /var/lib/ipa/certs/httpd.crt: OK
>> Chain:
>> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
>> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
> 
> I'd try running ipa-certupdate. I have the feeling some of the
> system-wide certificates are out-of-sync.
> 
> rob
> 
>> 
>> 
>> ------------------------------------------------------------------------
>> *From:* Jeremy Tourville <[email protected]>
>> *Sent:* Thursday, September 9, 2021 5:45 PM
>> *To:* FreeIPA users list <[email protected]>
>> *Cc:* Florence Renaud <[email protected]>; Rob Crittenden <[email protected]>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>  
>> Oh wait!!! Which set of certs do I need to test against for my
>> certificate chain?
>> I realized I didn't include the proper path when testing.  It should be
>> something like-
>> 
>>  # openssl verify -verbose -show_chain -CAfile <path to root or
>> intermediate cert> /etc/ipa/ca.crt
>> # openssl verify -verbose -show_chain -CAfile <path to root or
>> intermediate cert> /var/lib/ipa/certs/httpd.crt
>> 
>> This would give you output (presuming you are using the correct set of
>> certs)
>>  /etc/ipa/ca.crt: OK
>> /var/lib/ipa/certs/httpd.crt: OK
>> 
>> Which path contains the intermediate or root CA certs I need to test
>> against?
>> 
>> [root@utility ~]# ls -la | find / -name *.crt
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
>> /etc/pki/tls/certs/ca-bundle.crt
>> /etc/pki/tls/certs/ca-bundle.trust.crt
>> /etc/pki/tls/certs/localhost.crt
>> /etc/pki/pki-tomcat/alias/ca.crt
>> /etc/ipa/ca.crt
>> /etc/dirsrv/ssca/ca.crt
>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
>> /var/lib/ipa/certs/httpd.crt
>> /var/kerberos/krb5kdc/kdc.crt
>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
>> /usr/share/ipa/html/ca.crt
>> 
>> 
>> ------------------------------------------------------------------------
>> *From:* Jeremy Tourville <[email protected]>
>> *Sent:* Thursday, September 9, 2021 3:13 PM
>> *To:* FreeIPA users list <[email protected]>
>> *Cc:* Florence Renaud <[email protected]>; Rob Crittenden <[email protected]>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>  
>>>>> It isn't complaining that the certificate isn't valid, it's complaining
>>>>> that it isn't trusted.
>> Thanks for pointing out my mistake.  I'm wearing some egg on my face.  I
>> was thinking about it wrong at the time of my reply.
>> 
>> I attempted to verify trust-
>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>> /etc/ipa/ca.crt
>> ^C
>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>> /var/lib/ipa/certs/httpd.crt
>> ^C
>> 
>> As you can see, no output, so yeah, they are not trusted.
>> 
>>>> Where did httpd.crt come from/what issuer?
>> I recall not using a 3rd party CA.  The certs were just self-signed when
>> the ipa server was initially built.  I never did replace the certs as it
>> wasn't required for our situation.
>> 
>> Next steps I guess would be to generate some new certs?  Thoughts?
>> 
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden <[email protected]>
>> *Sent:* Thursday, September 9, 2021 12:53 PM
>> *To:* FreeIPA users list <[email protected]>
>> *Cc:* Florence Renaud <[email protected]>; Jeremy Tourville
>> <[email protected]>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>  
>> Jeremy Tourville via FreeIPA-users wrote:
>>> /var/lib/ipa/certs/httpd.crt
>>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>> 
>>> /etc/ipa/ca.crt
>>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>> 
>> It isn't complaining that the certificate isn't valid, it's complaining
>> that it isn't trusted. You also need to look at the signer and ensure
>> that the system trusts it globally. Where did httpd.crt come from/what
>> issuer?
>> 
>> You might try running:
>> 
>> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
>> /var/lib/ipa/certs/httpd.crt
>> 
>> See the default.conf(5) man page for a description of default.conf,
>> server.conf, etc. In this case server is a context so the configuration
>> only applies there.
>> 
>> rob
>> 
>>> 
>>> 
>>> ------------------------------------------------------------------------
>>> *From:* Florence Renaud <[email protected]>
>>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>>> *To:* Jeremy Tourville <[email protected]>
>>> *Cc:* FreeIPA users list <[email protected]>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>  
>>> Hi Jeremy,
>>> 
>>> to enable debugging you can simply create /etc/ipa/server.conf if the
>>> file does not exist:
>>> # cat /etc/ipa/server.conf
>>> [global]
>>> debug=True
>>> # systemctl restart httpd
>>> 
>>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
>>> examine its content with
>>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>>> If the IPA deployment includes an embedded CA, the CA that issued the
>>> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
>>> openssl command.
>>> 
>>> flo
>>> 
>>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
>>> <[email protected]> wrote:
>>> 
>>>     I think I see the issue but I am unsure what to do to fix it.  See
>>>     below.
>>> 
>>>     To answer your question, yes I did accept the security exception.
>>> 
>>>     Also, I don't see a server.conf file at /etc/ipa so that I may
>>>     enable debugging.  What can you suggest for this issue?
>>> 
>>> 
>>>     [root@utility ~]# ipactl status
>>>     Directory Service: RUNNING
>>>     krb5kdc Service: RUNNING
>>>     kadmin Service: RUNNING
>>>     named Service: RUNNING
>>>     httpd Service: RUNNING
>>>     ipa-custodia Service: RUNNING
>>>     pki-tomcatd Service: RUNNING
>>>     smb Service: RUNNING
>>>     winbind Service: RUNNING
>>>     ipa-otpd Service: RUNNING
>>>     ipa-ods-exporter Service: STOPPED
>>>     ods-enforcerd Service: RUNNING
>>>     ipa-dnskeysyncd Service: RUNNING
>>>     ipa: INFO: The ipactl command was successful
>>> 
>>>     [root@utility ~]# kinit admin
>>>     Password for [email protected]:
>>> 
>>>     [root@utility ~]# klist
>>>     Ticket cache: KCM:0:43616
>>>     Default principal: [email protected]
>>> 
>>>     Valid starting       Expires              Service principal
>>>     09/07/2021 10:59:23  09/08/2021 10:09:04
>>>      krbtgt/[email protected]
>>> 
>>>     [root@utility ~]# ipa config-show
>>>     ipa: ERROR: cannot connect to
>>>     'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>>>     CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>> 
>>> 
>>>     ------------------------------------------------------------------------
>>>     *From:* Florence Renaud <[email protected]>
>>>     *Sent:* Tuesday, September 7, 2021 10:47 AM
>>>     *To:* FreeIPA users list <[email protected]>
>>>     *Cc:* Jeremy Tourville <[email protected]>
>>>     *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
>>>     after running ipa-dns-install? (Was - Unable to start directory
>>>     server after updates)
>>>      
>>>     Hi Jeremy,
>>>     Did you accept the security exception displayed by the browser (I'm
>>>     trying to eliminate obvious issues)?
>>>     If nothing is displayed, can you check if ipa command-line is
>>>     working as expected (for instance do "kinit admin; ipa config-show")?
>>>     You may want to enable debug logs (add debug=True to the [global]
>>>     section of /etc/ipa/server.conf and restart httpd service), retry
>>>     WebUI authentication and check the generated logs in
>>>     /var/log/http/error_log
>>> 
>>>     flo
>>> 
>>>     On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
>>>     <[email protected]> wrote:
>>> 
>>>         OK,
>>>         Why don't I see anything on the initial login page?
>>>         All I see is the URL and the fact that the certificate is not
>>>         trusted.  The certificate is not expired yet.  Not until Nov 2021.
>>>         The login in page is mostly solid white with no login or
>>>         password field.
>>>         _______________________________________________
>>>         FreeIPA-users mailing list -- [email protected]
>>>         To unsubscribe send an email to [email protected]
>>>         Fedora Code of Conduct:
>>>         https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>         List Guidelines:
>>>         https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>         List Archives:
>>>         https://lists.fedorahosted.org/archives/list/[email protected]
>>>         Do not reply to spam on the list, report it:
>>>         https://pagure.io/fedora-infrastructure
>>> 
>>> 
>>> 
>> 
> 
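The split the thread walks through (httpd.crt verifies fine against /etc/ipa/ca.crt, yet the Python client's system-wide trust rejects the same server) can be reproduced with throwaway certificates. This is an added example, not from the thread or from FreeIPA; every certificate, name and path in it is a constructed stand-in living in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread: model the split seen above, where the
# httpd cert chains to the embedded IPA CA (/etc/ipa/ca.crt) while the
# system-wide bundle does not contain that CA. Everything here is a constructed
# throwaway in a temp dir; no real IPA host or system file is touched.
set -eu
WORK=$(mktemp -d)
IPA_CA="$WORK/ipa-ca.crt"      # stand-in for /etc/ipa/ca.crt
HTTPD_CRT="$WORK/httpd.crt"    # stand-in for /var/lib/ipa/certs/httpd.crt
BUNDLE="$WORK/ca-bundle.crt"   # stand-in for /etc/pki/tls/certs/ca-bundle.crt

make_test_pki() {
  # self-signed "IPA CA", an unrelated root, and an httpd leaf signed by the IPA CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$WORK/ipa-ca.key" \
    -out "$IPA_CA" -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$WORK/other.key" \
    -out "$WORK/other-ca.crt" -subj "/O=Other/CN=Unrelated Root" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/httpd.key" \
    -out "$WORK/httpd.csr" -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/httpd.csr" -CA "$IPA_CA" \
    -CAkey "$WORK/ipa-ca.key" -CAcreateserial -out "$HTTPD_CRT" 2>/dev/null
  cp "$WORK/other-ca.crt" "$BUNDLE"   # the bundle knows other roots, not the IPA CA
}

# verifies_against CERT CAFILE: exit 0 if CERT chains to an anchor in CAFILE.
# Used two ways: leaf vs. IPA CA (what the thread's openssl verify did), and
# IPA CA vs. system bundle (a self-signed CA only verifies if the bundle holds it,
# which is the question update-ca-trust/ipa-certupdate are meant to settle).
# Note that openssl verify may also consult the default system cert dir/store.
verifies_against() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# add_anchor CACERT BUNDLE: the effect of dropping a CA into
# /etc/pki/ca-trust/source/anchors and running update-ca-trust, reduced
# to appending to the test bundle.
add_anchor() { cat "$1" >> "$2"; }

diagnose() {
  if verifies_against "$HTTPD_CRT" "$IPA_CA"; then
    echo "httpd.crt chains to the IPA CA: OK"
  fi
  if verifies_against "$IPA_CA" "$BUNDLE"; then
    echo "system bundle trusts the IPA CA: OK"
  else
    echo "system bundle does NOT trust the IPA CA: system-wide clients will fail"
  fi
}

make_test_pki
diagnose
```

After `add_anchor "$IPA_CA" "$BUNDLE"` both checks in `diagnose` pass; on a real host the equivalent is placing the CA under /etc/pki/ca-trust/source/anchors and running update-ca-trust, as suggested above.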