On 11/28/2016 05:38 PM, Robert Kudyba wrote:
There seems to be a problem either with Kerberos and/or using a self-signed certificate vs. Let’s Encrypt. I tried to run the setup script from https://github.com/freeipa/freeipa-letsencrypt and below are some errors and logs.

Within the /etc/httpd/conf.d/ipa.conf file I commented out these directives as I had some Apache redirects that were breaking:

#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial credentials

journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No such file or directory)

ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:0))

ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11



Hi,

you're hitting an issue with Let's Encrypt setup.

https://github.com/freeipa/freeipa-letsencrypt/issues/1

unfortunately, I'm not aware of any workaround or solution as of now.

--
Tomas Krizek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project