On 11/29/2016 10:50 AM, Tomas Krizek wrote:
On 11/28/2016 05:38 PM, Robert Kudyba wrote:
There seems to be a problem either with Kerberos and/or using a self-signed certificate vs. Let’s Encrypt. I tried to run the setup script from https://github.com/freeipa/freeipa-letsencrypt and below are some errors and logs.

Within the /etc/httpd/conf.d/ipa.conf file I commented out these directives as I had some Apache redirects that were breaking:

#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial credentials

journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No such file or directory)

ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:0))

ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11


You're hitting an issue with Let's Encrypt setup.

Unfortunately, I'm not aware of any workaround or solution as of now.
Tomas Krizek

The issue should be fixed now. Please try to set up Let's Encrypt again. In case it does not work, you might need to reinstall IPA before setting up Let's Encrypt.

Tomas Krizek
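The krb5kdc.log excerpt quoted above shows only NEEDED_PREAUTH responses for the admin principal and no follow-up AS_REQ ending in ISSUE or PREAUTH_FAILED, which is the pattern a failed kinit leaves on the KDC side. The following script is an added example, not part of this thread or of FreeIPA, that summarizes AS_REQ outcomes per client principal from a KDC log and flags principals whose exchanges never get past the pre-authentication step. The log lines, the 192.0.2.x addresses and the EXAMPLE.TEST realm are constructed placeholders modelled on the quoted output; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage krb5kdc.log AS_REQ lines.
# Sample log is constructed to resemble the lines quoted in the thread;
# principals, realm and addresses are placeholders.
KDC_LOG_SAMPLE='Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11
Nov 28 11:15:36 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: ISSUE: authtime 1480349736, etypes {rep=18 tkt=18 ses=18}, host/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

# kdc_as_req_summary: read a KDC log on stdin and print one line per client
# principal: "<principal> <NEEDED_PREAUTH> <ISSUE> <PREAUTH_FAILED>" counts.
kdc_as_req_summary() {
    awk '
    /AS_REQ/ {
        status = ""
        if ($0 ~ /NEEDED_PREAUTH:/)      status = "NEEDED_PREAUTH"
        else if ($0 ~ /ISSUE:/)          status = "ISSUE"
        else if ($0 ~ /PREAUTH_FAILED:/) status = "PREAUTH_FAILED"
        else next
        # The client principal is the token right before " for krbtgt/".
        if (match($0, /[^ ,]+ for krbtgt\//)) {
            client = substr($0, RSTART, RLENGTH)
            sub(/ for krbtgt\/$/, "", client)
            count[client, status]++
            seen[client] = 1
        }
    }
    END {
        for (c in seen)
            printf "%s %d %d %d\n", c,
                count[c, "NEEDED_PREAUTH"] + 0,
                count[c, "ISSUE"] + 0,
                count[c, "PREAUTH_FAILED"] + 0
    }'
}

# kdc_stalled_preauth: principals that were asked for pre-authentication but
# never produced an ISSUE or a PREAUTH_FAILED, i.e. the client side gave up
# before sending the second AS_REQ (as in the quoted log).
kdc_stalled_preauth() {
    kdc_as_req_summary | awk '$2 > 0 && $3 == 0 && $4 == 0 { print $1 }'
}

# Stand-alone run over the constructed sample; on a real server you would
# pipe /var/log/krb5kdc.log into the functions instead.
printf '%s\n' "$KDC_LOG_SAMPLE" | kdc_as_req_summary
printf '%s\n' "$KDC_LOG_SAMPLE" | kdc_stalled_preauth
```

A principal listed by kdc_stalled_preauth points at the client side of the exchange (credentials cache, client configuration, pre-authentication mechanism) rather than at the KDC, since the KDC only ever saw the initial request; a PREAUTH_FAILED count instead indicates the KDC rejected the supplied pre-authentication data.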

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
