I reviewed all the cert files to see which ones were updated after running ipa-cacert-manage renew

/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/pki-tomcat/alias/ca.crt

are the only two that updated. Which ones should update?

-r--r--r--. 1 root    root    251562 Sep 10 14:09 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
lrwxrwxrwx. 1 root    root        59 Oct 26  2020 /etc/pki/ca-trust/source/ca-bundle.legacy.crt -> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
lrwxrwxrwx. 1 root    root        49 Aug 11  2020 /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root    root        55 Aug 11  2020 /etc/pki/tls/certs/ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root    root      3964 Nov  7  2020 /etc/pki/tls/certs/localhost.crt
-rw-r--r--. 1 pkiuser pkiuser   3192 Sep 10 14:22 /etc/pki/pki-tomcat/alias/ca.crt
-rw-r--r--. 1 root    root      1655 Nov 22  2020 /etc/ipa/ca.crt
-rw-rw----. 1 root    root      1943 Nov 22  2020 /etc/dirsrv/ssca/ca.crt
-rw-rw----. 1 dirsrv  root      2129 Nov 22  2020 /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
-rw-rw----. 1 dirsrv  root      1943 Nov 22  2020 /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
-rw-------. 1 root    root      1927 Nov 22  2020 /var/lib/ipa/certs/httpd.crt
-rw-r--r--. 1 root    root      1874 Nov 22  2020 /var/kerberos/krb5kdc/kdc.crt
-rw-r--r--. 1 root    root         0 Aug 11  2020 /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
-rw-r--r--. 1 root    root         0 Aug 11  2020 /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
-rw-r--r--. 1 root    root      1655 Nov 22  2020 /usr/share/ipa/html/ca.crt

________________________________
From: Rob Crittenden <[email protected]>
Sent: Friday, September 10, 2021 9:49 AM
To: Jeremy Tourville <[email protected]>; FreeIPA users list <[email protected]>
Cc: Florence Renaud <[email protected]>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install?
(Was - Unable to start directory server after updates)

Jeremy Tourville wrote:
> [root@utility certs]# curl https://utility.idm.nac-issa.org/
> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
>
> [root@utility certs]# update-ca-trust
>
> [root@utility certs]# ausearch -m AVC -ts recent
> <no matches>
>
> [root@utility certs]# ipa-healthcheck
> -bash: ipa-healthcheck: command not found

I should have mentioned, try the curl after running update-ca-trust.

ipa-healthcheck is not installed by default, you'd need to install the
{free}ipa-healthcheck package.

rob

>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <[email protected]>
> *Sent:* Friday, September 10, 2021 9:33 AM
> *To:* Jeremy Tourville <[email protected]>; FreeIPA users
> list <[email protected]>
> *Cc:* Florence Renaud <[email protected]>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Jeremy Tourville wrote:
>> [root@utility certs]# ipa-certupdate
>> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>> The ipa-certupdate command failed.
>>
>> Sort of a bad catch 22 I guess?
>
> Yeah, I was afraid of that.
>
> Let's walk through it. Try a simple command for another data point. I'm
> not sure what we'd do with this but it will exercise the system-wide
> trust as well:
>
> $ curl https://`hostname`/
>
> Rebuilding the CA trust db may help
>
> # update-ca-trust
>
> I suppose also look for AVCs in case something is way out-of-whack:
>
> # ausearch -m AVC -ts recent
>
> ipa-healthcheck may be something to try as well but you're likely to get
> a crapton of false positives since it can't talk to the web interface.
>
> rob
>
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden <[email protected]>
>> *Sent:* Friday, September 10, 2021 9:09 AM
>> *To:* Jeremy Tourville <[email protected]>; FreeIPA users
>> list <[email protected]>
>> *Cc:* Florence Renaud <[email protected]>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>> Jeremy Tourville wrote:
>>> Now I understand how to test the cert(s) after re-reading your comments
>>> Rob and Flo 🙂
>>>
>>> [root@utility certs]# openssl verify -verbose -show_chain -CAfile
>>> /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
>>> /var/lib/ipa/certs/httpd.crt: OK
>>> Chain:
>>> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
>>> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
>>
>> I'd try running ipa-certupdate. I have the feeling some of the
>> system-wide certificates are out-of-sync.
>>
>> rob
>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Jeremy Tourville <[email protected]>
>>> *Sent:* Thursday, September 9, 2021 5:45 PM
>>> *To:* FreeIPA users list <[email protected]>
>>> *Cc:* Florence Renaud <[email protected]>; Rob Crittenden
>>> <[email protected]>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>> Oh wait!!!
>>> Which set of certs do I need to test against for my
>>> certificate chain?
>>> I realized I didn't include the proper path when testing. It should be
>>> something like-
>>>
>>> # openssl verify -verbose -show_chain -CAfile <path to root or
>>> intermediate cert> /etc/ipa/ca.crt
>>> # openssl verify -verbose -show_chain -CAfile <path to root or
>>> intermediate cert> /var/lib/ipa/certs/httpd.crt
>>>
>>> This would give you output (presuming you are using the correct set of
>>> certs)
>>> /etc/ipa/ca.crt: OK
>>> /var/lib/ipa/certs/httpd.crt: OK
>>>
>>> Which path contains the intermediate or root CA certs I need to test
>>> against?
>>>
>>> [root@utility ~]# ls -la | find / -name *.crt
>>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>>> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
>>> /etc/pki/tls/certs/ca-bundle.crt
>>> /etc/pki/tls/certs/ca-bundle.trust.crt
>>> /etc/pki/tls/certs/localhost.crt
>>> /etc/pki/pki-tomcat/alias/ca.crt
>>> /etc/ipa/ca.crt
>>> /etc/dirsrv/ssca/ca.crt
>>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
>>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
>>> /var/lib/ipa/certs/httpd.crt
>>> /var/kerberos/krb5kdc/kdc.crt
>>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
>>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
>>> /usr/share/ipa/html/ca.crt
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Jeremy Tourville <[email protected]>
>>> *Sent:* Thursday, September 9, 2021 3:13 PM
>>> *To:* FreeIPA users list <[email protected]>
>>> *Cc:* Florence Renaud <[email protected]>; Rob Crittenden
>>> <[email protected]>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>> >>> It isn't complaining that the certificate isn't valid, it's complaining
>>> that it isn't trusted.
>>> Thanks for pointing out my mistake. I'm wearing some egg on my face.
>>> I was thinking about it wrong at the time of my reply.
>>>
>>> I attempted to verify trust-
>>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>>> /etc/ipa/ca.crt
>>> ^C
>>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>>> /var/lib/ipa/certs/httpd.crt
>>> ^C
>>>
>>> As you can see, no output, so yeah, they are not trusted.
>>>
>>> >> Where did httpd.crt come from/what issuer?
>>> I recall not using a 3rd party CA. The certs were just self-signed when
>>> the ipa server was initially built. I never did replace the certs as it
>>> wasn't required for our situation.
>>>
>>> Next steps I guess would be to generate some new certs? Thoughts?
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rob Crittenden <[email protected]>
>>> *Sent:* Thursday, September 9, 2021 12:53 PM
>>> *To:* FreeIPA users list <[email protected]>
>>> *Cc:* Florence Renaud <[email protected]>; Jeremy Tourville
>>> <[email protected]>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>> Jeremy Tourville via FreeIPA-users wrote:
>>>> /var/lib/ipa/certs/httpd.crt
>>>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>>>
>>>> /etc/ipa/ca.crt
>>>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>>>
>>> It isn't complaining that the certificate isn't valid, it's complaining
>>> that it isn't trusted. You also need to look at the signer and ensure
>>> that the system trusts it globally. Where did httpd.crt come from/what
>>> issuer?
>>>
>>> You might try running:
>>>
>>> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
>>> /var/lib/ipa/certs/httpd.crt
>>>
>>> See the default.conf(5) man page for a description of default.conf,
>>> server.conf, etc. In this case server is a context so the configuration
>>> only applies there.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Florence Renaud <[email protected]>
>>>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>>>> *To:* Jeremy Tourville <[email protected]>
>>>> *Cc:* FreeIPA users list <[email protected]>
>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>>> running ipa-dns-install? (Was - Unable to start directory server after
>>>> updates)
>>>>
>>>> Hi Jeremy,
>>>>
>>>> to enable debugging you can simply create /etc/ipa/server.conf if the
>>>> file does not exist:
>>>> # cat /etc/ipa/server.conf
>>>> [global]
>>>> debug=True
>>>> # systemctl restart httpd
>>>>
>>>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
>>>> examine its content with
>>>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>>>> If the IPA deployment includes an embedded CA, the CA that issued the
>>>> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
>>>> openssl command.
>>>>
>>>> flo
>>>>
>>>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
>>>> <[email protected]> wrote:
>>>>
>>>>     I think I see the issue but I am unsure what to do to fix it. See
>>>>     below.
>>>>
>>>>     To answer your question, yes I did accept the security exception.
>>>>
>>>>     Also, I don't see a server.conf file at /etc/ipa so that I may
>>>>     enable debugging. What can you suggest for this issue?
>>>>
>>>>
>>>>     [root@utility ~]# ipactl status
>>>>     Directory Service: RUNNING
>>>>     krb5kdc Service: RUNNING
>>>>     kadmin Service: RUNNING
>>>>     named Service: RUNNING
>>>>     httpd Service: RUNNING
>>>>     ipa-custodia Service: RUNNING
>>>>     pki-tomcatd Service: RUNNING
>>>>     smb Service: RUNNING
>>>>     winbind Service: RUNNING
>>>>     ipa-otpd Service: RUNNING
>>>>     ipa-ods-exporter Service: STOPPED
>>>>     ods-enforcerd Service: RUNNING
>>>>     ipa-dnskeysyncd Service: RUNNING
>>>>     ipa: INFO: The ipactl command was successful
>>>>
>>>>     [root@utility ~]# kinit admin
>>>>     Password for [email protected]:
>>>>
>>>>     [root@utility ~]# klist
>>>>     Ticket cache: KCM:0:43616
>>>>     Default principal: [email protected]
>>>>
>>>>     Valid starting       Expires              Service principal
>>>>     09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/[email protected]
>>>>
>>>>     [root@utility ~]# ipa config-show
>>>>     ipa: ERROR: cannot connect to
>>>>     'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>>>>     CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Florence Renaud <[email protected]>
>>>> *Sent:* Tuesday, September 7, 2021 10:47 AM
>>>> *To:* FreeIPA users list <[email protected]>
>>>> *Cc:* Jeremy Tourville <[email protected]>
>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
>>>> after running ipa-dns-install? (Was - Unable to start directory
>>>> server after updates)
>>>>
>>>> Hi Jeremy,
>>>> Did you accept the security exception displayed by the browser (I'm
>>>> trying to eliminate obvious issues)?
>>>> If nothing is displayed, can you check if ipa command-line is
>>>> working as expected (for instance do "kinit admin; ipa config-show")?
>>>> You may want to enable debug logs (add debug=True to the [global]
>>>> section of /etc/ipa/server.conf and restart httpd service), retry
>>>> WebUI authentication and check the generated logs in
>>>> /var/log/http/error_log
>>>>
>>>> flo
>>>>
>>>> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
>>>> <[email protected]> wrote:
>>>>
>>>>     OK,
>>>>     Why don't I see anything on the initial login page?
>>>>     All I see is the URL and the fact that the certificate is not
>>>>     trusted. The certificate is not expired yet. Not until Nov 2021.
>>>>     The login page is mostly solid white with no login or
>>>>     password field.
>>>>     _______________________________________________
>>>>     FreeIPA-users mailing list -- [email protected]
>>>>     To unsubscribe send an email to [email protected]
>>>>     Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>     List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>>     Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
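The question at the top of the thread (which copies of the CA certificate should have changed after the renewal) and Rob's diagnosis that some system-wide copies are out of sync both reduce to one check: does each trust-store copy contain the same certificate as /etc/ipa/ca.crt? The script below is an added example, not code from the thread or from the FreeIPA project. It splits each PEM file into its certificate blocks, fingerprints each block with SHA-256 over the DER bytes (the same value `openssl x509 -noout -fingerprint -sha256` prints), and reports which files carry the reference CA. The path list is taken from the `find` output in the thread; the `SAMPLE_*` values are constructed stand-ins (base64 of a label, not real certificates) so the logic runs offline. OpenSSL "TRUSTED CERTIFICATE" blocks, as found in ca-bundle.trust.crt, append trust settings to the DER and so are deliberately not matched here.

```python
"""Report which trust-store copies contain the IPA CA certificate.

Added example (not from the thread or FreeIPA). Standard library only;
the SAMPLE_* inputs are constructed stand-ins, not real X.509 data.
"""
from __future__ import annotations

import base64
import hashlib
import os
import re

# Reference copy and the other copies, taken from the listing in the thread.
REFERENCE_CA = "/etc/ipa/ca.crt"
TRUST_COPIES = [
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/pki/pki-tomcat/alias/ca.crt",
    "/etc/dirsrv/ssca/ca.crt",
    "/etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt",
    "/usr/share/ipa/html/ca.crt",
]

# Plain certificate blocks only: OpenSSL "TRUSTED CERTIFICATE" blocks append
# trust settings to the DER, so their fingerprint would not match anyway.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_body_to_der(body: str) -> bytes:
    """Decode the base64 payload found between a PEM header and footer."""
    return base64.b64decode("".join(body.split()), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in OpenSSL's colon-separated upper-case form."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprints_in(pem_text: str) -> set[str]:
    """Fingerprints of every certificate in a single-cert file or a bundle."""
    return {fingerprint(pem_body_to_der(b)) for b in PEM_BLOCK.findall(pem_text)}


def audit(reference_pem: str, copies: dict[str, str]) -> dict[str, bool]:
    """Map each copy's path to whether it contains the reference certificate."""
    ref = fingerprints_in(reference_pem)
    if len(ref) != 1:
        raise ValueError("reference must hold exactly one certificate, got %d" % len(ref))
    (ref_fp,) = ref
    return {path: ref_fp in fingerprints_in(text) for path, text in copies.items()}


def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_files(reference_path: str = REFERENCE_CA,
                copy_paths: list[str] = TRUST_COPIES) -> dict[str, bool]:
    """Run audit() over real files; a missing copy is reported as not in sync."""
    copies = {p: (_read(p) if os.path.exists(p) else "") for p in copy_paths}
    return audit(_read(reference_path), copies)


def _fake_pem(label: bytes) -> str:
    """Constructed stand-in: base64 of a label wrapped in PEM armour."""
    body = base64.b64encode(label).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_RENEWED_CA = _fake_pem(b"stand-in for the renewed IPA CA certificate")
SAMPLE_STALE_CA = _fake_pem(b"stand-in for the pre-renewal IPA CA certificate")
SAMPLE_PUBLIC_CA = _fake_pem(b"stand-in for an unrelated public CA")

# Constructed file contents: the bundle already carries the renewed CA, the
# dirsrv copy still holds the old one, and one file is empty/unreadable.
SAMPLE_COPIES = {
    "/etc/pki/tls/certs/ca-bundle.crt": SAMPLE_PUBLIC_CA + SAMPLE_RENEWED_CA,
    "/etc/dirsrv/ssca/ca.crt": SAMPLE_STALE_CA,
    "/usr/share/ipa/html/ca.crt": "",
}

if __name__ == "__main__":
    for path, in_sync in audit(SAMPLE_RENEWED_CA, SAMPLE_COPIES).items():
        print(f"{'in sync' if in_sync else 'STALE  '}  {path}")
```

On a live server, `audit_files()` reads the real paths; any copy reported as stale is one that `ipa-certupdate` (or a manual copy of /etc/ipa/ca.crt followed by `update-ca-trust`) would need to refresh before `curl` or the `ipa` client can validate the chain.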
