On 11/29/2016 10:50 AM, Tomas Krizek wrote:
On 11/28/2016 05:38 PM, Robert Kudyba wrote:
There seems to be a problem either with Kerberos and/or using a self
signed certificate vs. Let’s Encrypt. I tried to run the set up
script from https://github.com/freeipa/freeipa-letsencrypt and below
are some errors and logs.
Within the /etc/httpd/conf.d/ipa.conf file I commented out
these directives as I had some Apache redirects that were breaking:
#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa
application-group=ipa
#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off
./setup-le.sh
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user. (visit
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
kinit admin
kinit: Generic preauthentication failure while getting initial
credentials
journalctl -u named-pkcs11
-- No entries --
journalctl -u named
-- No entries --
file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run'
(No such file or directory)
ldapsearch -Y GSSAPI
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (No Kerberos
credentials available (default cache: KEYRING:persistent:0))
ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials
In /var/log/krb5kdc.log:
Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23
25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain,
Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23
25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain,
Additional pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11
Hi,
you're hitting an issue with Let's Encrypt setup.
https://github.com/freeipa/freeipa-letsencrypt/issues/1
unfortunately, I'm not aware of any workaround or solution as of now.
--
Tomas Krizek
The issue should be fixed now. Please try to set up Let's Encrypt again.
In case it does not work, you might need to reinstall IPA before setting
up Let's Encrypt.
--
Tomas Krizek
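Added triage aid, not part of the thread above or of the freeipa-letsencrypt project: a small stdlib-only parser for the AS_REQ lines krb5kdc writes to /var/log/krb5kdc.log, of the kind Robert posted. In MIT krb5 a normal kinit produces two AS_REQ lines per attempt, NEEDED_PREAUTH (the KDC asking for pre-authentication) followed by ISSUE; a wrong password produces NEEDED_PREAUTH followed by PREAUTH_FAILED. A principal whose last AS_REQ is a lone NEEDED_PREAUTH never sent its pre-authenticated second request, so the KDC has not rejected anything and the error kinit reported is on the client side. The sample log lines, the realm EXAMPLE.TEST, the client addresses and the principals are constructed for the example; the function and variable names are my own.

```python
import re
from collections import Counter

# Shape of the AS_REQ lines in /var/log/krb5kdc.log (MIT krb5 / FreeIPA KDC). The client
# address field is whatever the KDC logged, so a redacted "ip" placeholder also parses.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"      # present only on ISSUE lines
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)

# Constructed sample log: admin never completes pre-authentication (client-side failure),
# alice succeeds, bob fails pre-authentication at the KDC (wrong password).
SAMPLE_LOG = """\
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11
Nov 28 11:20:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.20: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:20:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.20: ISSUE: authtime 1480342802, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 28 11:21:10 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.30: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:21:10 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.30: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""


def parse_kdc_log(lines):
    """Return one dict per AS_REQ line; other lines ("closing down fd ...") are skipped."""
    entries = []
    for line in lines:
        m = AS_REQ_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["etypes"] = [int(e) for e in entry["etypes"].split()]
            entries.append(entry)
    return entries


def preauth_summary(entries):
    """Count AS_REQ outcomes: how many NEEDED_PREAUTH, ISSUE and PREAUTH_FAILED lines."""
    return Counter(e["status"] for e in entries)


def unfinished_preauth(entries):
    """(client principal, address) pairs whose latest AS_REQ is a NEEDED_PREAUTH with no
    later ISSUE or PREAUTH_FAILED from the same client: the client never sent its
    pre-authenticated request, so look at the client (kinit, its preauth plugins, its
    credential cache) rather than at the KDC's password check."""
    last_status = {}
    for e in entries:                      # entries are in log order, so the last write wins
        last_status[(e["client"], e["ip"])] = e["status"]
    return sorted(k for k, status in last_status.items() if status == "NEEDED_PREAUTH")


if __name__ == "__main__":
    parsed = parse_kdc_log(SAMPLE_LOG.splitlines())
    print("outcomes:", dict(preauth_summary(parsed)))
    print("never completed pre-authentication:", unfinished_preauth(parsed))
```

To use it on a real KDC, feed `parse_kdc_log(open("/var/log/krb5kdc.log"))` and inspect `unfinished_preauth`; a principal that only ever shows NEEDED_PREAUTH, as admin does in the posted log, points at the client's side of the exchange, while PREAUTH_FAILED entries are the KDC rejecting credentials and are the ones worth watching for brute-force attempts.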
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project