Also just tried to change password again.. I see where I missed a dc= entry.. fixed that.

Enter "new" password (which is what is existing on the other server), enter it again.. enter dirsrv (LDAP) password.. kicks back
Result: Operations error (1)
Additional info: Failed to update password

On Thu, Apr 13, 2023 at 1:48 PM Justen Long <[email protected]> wrote:

> One go back.. when I tried to run "ipa-certupdate" on the other hosts
> (clients), it points to hiipa03 and fails for SSL still.. so, hoping once I
> get the cert updated on THAT server, that all restores to its okay state.
>
> On Thu, Apr 13, 2023 at 1:46 PM Justen Long <[email protected]> wrote:
>
>> Quick update and answers to your questions.
>>
>> We have two IPA servers, both masters, hiipa03 and hiipa04.
>>
>> hiipa04, I was able to set the time back, run the ipa-ca-cert-manage and
>> update the CA (minimally, but enough to accept the new cert)..
>> ipa-certupdate ran fine on it. Then, ran ipa-server-certinstall on it, and
>> it took. Website loads, can log into it, do some user management stuff..
>> can't run "ipa-replica-manage list" as it kicks an error for sslv3
>> handshake failure.. but was trying that to remove hiipa03 and copy 04 to 03
>> somehow, maybe?
>>
>> hiipa03 is still giving me grief. Set the time using timedatectl,
>> verified ntp is off and 'date' reports properly. I had tried to follow
>> this:
>> https://computingforgeeks.com/reset-freeipa-admin-password-as-root-user-on-linux/
>> when it wasn't accepting the admin password.. it failed saying object not
>> found. So, I try 'kinit admin' again, with the new password I tried.. says
>> it's expired. Type it in, type in a new password.. and then it failed saying
>> "kinit: Password change failed while getting initial credentials"
>>
>> On Thu, Apr 13, 2023 at 1:40 PM Rob Crittenden <[email protected]> wrote:
>>
>>> Justen Long wrote:
>>>
>>>> I'm getting closer... it's not recognizing my admin password for IPA, or
>>>> for my personal account with admin rights now.. but no more SSL errors..
>>>> just can't run ipa-certupdate without the proper kerberos creds..
>>>
>>> By not recognizing your password I assume you mean kinit is failing? Is
>>> the KDC running? I assume 389-ds is running? All restarted after time
>>> became stable in the past?
>>>
>>> rob
>>>
>>>> On Thu, Apr 13, 2023 at 12:51 PM Justen Long <[email protected]> wrote:
>>>>
>>>>> Following up, I see the date command just changed it momentarily...
>>>>> using timedatectl and will report back.
>>>>>
>>>>> On Thu, Apr 13, 2023 at 12:31 PM Justen Long <[email protected]> wrote:
>>>>>
>>>>>> Rob,
>>>>>>
>>>>>> I entered 'date --date="7 April 2023"', verified it updated the
>>>>>> system time appropriately. Restarted dirsrv, ipa-custodia,
>>>>>> ipa-otpd, httpd.. krb5kdc and kadmin failed. Still, tried to
>>>>>> send ipa cert-update, and it popped the same SSL Certificate
>>>>>> Verify Failed error.
>>>>>>
>>>>>> On Thu, Apr 13, 2023 at 11:32 AM Rob Crittenden <[email protected]> wrote:
>>>>>>
>>>>>>> Justen Long wrote:
>>>>>>>
>>>>>>>> Additionally, is there any way to force the CA cert update to be
>>>>>>>> recognized? When I run it to update the CA chain, everything is
>>>>>>>> verified.. but /etc/ipa/ca.crt didn't reflect the change.. so I
>>>>>>>> manually populated it by copying over the guts of the CA bundle to
>>>>>>>> the /etc/ipa/ca.crt before trying to install the new server cert and
>>>>>>>> it still doesn't recognize it as trusted although the issuer is the
>>>>>>>> same and within the CA bundle.
>>>>>>>
>>>>>>> This is going to sound weird, but I'd just go back in time to April 10,
>>>>>>> restart all services but ntp (which will reset the time) and then the
>>>>>>> commands should work. Once the certs are updated and working, return to
>>>>>>> present time.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>> On Thu, Apr 13, 2023 at 6:20 AM Justen Long <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Rob,
>>>>>>>>
>>>>>>>> Apologies for the delay in response. Once I'm home, I don't have
>>>>>>>> access to the information readily available to respond with. Here is
>>>>>>>> the information you requested:
>>>>>>>>
>>>>>>>> The version of IPA we are using is 4.6.8, rpm specifically for us is
>>>>>>>> ipa-server-4.6.8-5.el7.centos.12.x86_64 and we are using CentOS 7.9
>>>>>>>> currently with plans to move to RHEL9 within the next year or so.
>>>>>>>>
>>>>>>>> Unfortunately, 'ipa config-show' doesn't work. It populates the same
>>>>>>>> error stating "ipa: ERROR: cannot connect to
>>>>>>>> 'https://ipaServer/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED]
>>>>>>>> certificate verify failed (_ssl.c:618).
>>>>>>>
>>>>>>> The smack heard around the world was my head hitting my desk. Of course
>>>>>>> this command failed.
>>>>>>>
>>>>>>>> We have ~50 hosts connected via IPA. We have two IPA servers, one as
>>>>>>>> a replica of the other.
>>>>>>>>
>>>>>>>> 'getcert list' only shows 1 certificate. Its state is "MONITORING"
>>>>>>>> and seems related to kerberos.
>>>>>>>>
>>>>>>>> As far as I know, we don't use IPA CA-issued certificates. I recall
>>>>>>>> seeing errors yesterday stating CA wasn't enabled on our servers. We
>>>>>>>> have always used 3rd party CAs to my knowledge.
>>>>>>>>
>>>>>>>> -justen
>>>>>>>>
>>>>>>>> On Wed, Apr 12, 2023 at 2:42 PM Rob Crittenden <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Justen Long via FreeIPA-users wrote:
>>>>>>>>>
>>>>>>>>>> Thanks in advance for your replies.. I've spent 7 hours looking
>>>>>>>>>> through posts here and trying everything... I'm stuck.
>>>>>>>>>>
>>>>>>>>>> Background: I am a System Administrator in a closed, classified
>>>>>>>>>> environment. Unfortunately, I cannot post logging here, but I can
>>>>>>>>>> refer to them as needed.
>>>>>>>>>>
>>>>>>>>>> I inherited this system from someone who departed the program a year
>>>>>>>>>> or so ago. Fast forward to today, the server certs expired yesterday.
>>>>>>>>>> Admittedly, I'm unfamiliar (or was) with the certificate update
>>>>>>>>>> process for IPA servers. On a typical server, we replace the old cert
>>>>>>>>>> and restart the httpd services; however, I realize this cannot work
>>>>>>>>>> with IPA servers now.
>>>>>>>>>>
>>>>>>>>>> Additionally to all of this, the CA chain updated 6 months ago.
>>>>>>>>>>
>>>>>>>>>> I ran ipa-cacert-manage to update the CA chain. When trying to run
>>>>>>>>>> ipa-certupdate, I received errors for an invalid server certificate
>>>>>>>>>> (it expired on 11 April 2023). It simply won't connect to the web
>>>>>>>>>> server. HTTPD failed as well, so I had to add "NSSEnforceValidCerts
>>>>>>>>>> off" to the nss.conf file for HTTPD to start. Still, no dice.
>>>>>>>>>>
>>>>>>>>>> I've run ipa-server-certinstall for the new cert/key as well, and it
>>>>>>>>>> fails saying it's not trusted ("Peer's certificate issuer is not
>>>>>>>>>> trusted [certutil: certificate is invalid: Peer's Certificate issuer
>>>>>>>>>> is not recognized] Please run ipa-cacert-manage install and
>>>>>>>>>> ipa-certupdate to install the CA certificate.... which, as reported
>>>>>>>>>> above, can't complete.
>>>>>>>>>>
>>>>>>>>>> I'm at a total loss here... and really struggling being new to all
>>>>>>>>>> this and trying my best to keep it afloat. Any help would be GREATLY
>>>>>>>>>> appreciated!
>>>>>>>>>
>>>>>>>>> Let's gather some information first.
>>>>>>>>>
>>>>>>>>> What version of IPA is this, on what distribution?
>>>>>>>>>
>>>>>>>>> IPA designates one server to be the "renewal master" which handles the
>>>>>>>>> renewals. The output of `ipa config-show` should tell you (depending on
>>>>>>>>> version). That's the server you want to work on.
>>>>>>>>>
>>>>>>>>> How many servers in your topology and how many have a CA installed?
>>>>>>>>>
>>>>>>>>> Does `getcert list` show a set of 8-10 tracked certificates? What are
>>>>>>>>> the states?
>>>>>>>>>
>>>>>>>>> You mention ipa-server-certinstall. Are you using 3rd party
>>>>>>>>> certificates in addition to IPA CA-issued certificates or was that
>>>>>>>>> just an attempt to get things working again?
>>>>>>>>>
>>>>>>>>> rob
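The thread mixes two distinct failures: a server certificate that has merely expired (which the "set the clock back" workaround gets around) and a new certificate whose issuer is not actually present in /etc/ipa/ca.crt ("Peer's Certificate issuer is not recognized"). The pre-flight check below, added here as an example and not part of the thread or of FreeIPA, separates the two before a certificate is handed to ipa-server-certinstall. It assumes openssl is installed and takes file paths as arguments; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not FreeIPA code): sanity checks for a third-party server
# certificate against the CA bundle IPA will trust, e.g. /etc/ipa/ca.crt.
# Assumes openssl (1.1.0 or newer) is on PATH.

# chain_ok CERT BUNDLE [EPOCH]
# Returns 0 if CERT chains to a CA in BUNDLE and is within its validity
# period, judged at EPOCH (default: now). Only the bundle is consulted, not the
# system CA store, which mirrors what IPA's own NSS databases see. Passing an
# earlier EPOCH answers the question the thread's clock-rollback relies on:
# was this chain fine before the server cert expired?
chain_ok() {
    openssl verify -no-CApath -no-CAfile -CAfile "$2" \
        -attime "${3:-$(date +%s)}" "$1" >/dev/null 2>&1
}

# chain_reason CERT BUNDLE [EPOCH]
# Prints openssl's reason for a failed chain, e.g. "certificate has expired"
# versus "unable to get local issuer certificate", so an expired-but-sane cert
# is not mistaken for one whose CA is missing from the bundle.
chain_reason() {
    openssl verify -no-CApath -no-CAfile -CAfile "$2" \
        -attime "${3:-$(date +%s)}" "$1" 2>&1 \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# issuer_in_bundle CERT BUNDLE
# Returns 0 if some certificate in BUNDLE has a subject DN equal to CERT's
# issuer DN. Date-independent: a quick way to confirm the bundle written by
# ipa-cacert-manage really contains the new CA (the thread's /etc/ipa/ca.crt
# did not reflect the change). Whitespace is stripped so the DN formats of
# "x509 -issuer" and "pkcs7 -print_certs" compare cleanly.
issuer_in_bundle() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//' | tr -d ' ')
    openssl crl2pkcs7 -nocrl -certfile "$2" | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p' | tr -d ' ' | grep -qxF "$issuer"
}
```

Run `issuer_in_bundle` first; if it fails, re-run ipa-cacert-manage install with the right CA before touching the server certificate, and only then check `chain_ok` with the current time.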
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
