[Freeipa-users] Re: Testing requested - certificate checking tool
Morning Rob

> > What's the process for either removing or making it known?
>
> I'll add something to the program about this too but for now you can run:
>
> # getcert list -i 20170919231606
>
> That will tell us what it is. It is perfectly fine to have certmonger
> track other certs on the system. I display unexpected ones as a
> just-in-case.
>
> It's supposed to display as just a warning. I'll fix that too since it
> is a little alarming.

This is the result I got on my end:

Failures:
Unable to find request for serial 268304424
Unable to find request for serial 268304426
Unable to find request for serial 268304425
Unable to find request for serial 268304423
Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial 77
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600 and should be 0640

Warnings:
Unknown certmonger ids: 20170812234301
[root@lithium bin]#

The system so far seems healthy. Did these file permissions have stricter access that was relaxed later? I have never attempted to change them, at least implicitly.

Regards,
William

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
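As an added illustration (this is not the checking tool being tested in this thread, nor William's output), the two kinds of check whose findings appear above, written from scratch for this page in Python: parsing `getcert list` output to spot tracking requests that IPA did not create (the "Unknown certmonger ids" warning), and comparing NSS database file modes against an expected mode while separating a mode that is wider than expected from one that is merely stricter. The sample `getcert list` text, the set of IPA-managed request IDs and the temporary files standing in for key3.db, cert8.db and secmod.db are all constructed for the example.

```python
"""Added illustration for this thread (not the checking tool under test):
parse `getcert list`, flag tracking requests IPA did not create, and compare
NSS database file modes against an expected mode.  All inputs are constructed.
"""
import os
import re
import shutil
import stat
import tempfile

# Constructed sample of `getcert list` output with two tracked requests.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170812234301':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Local IPA host'
\tCA: IPA
Request ID '20170919231606':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ENG-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-ENG-EXAMPLE-COM',nickname='Server-Cert'
\tCA: IPA
"""

REQUEST_ID_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return {request_id: {attribute: value}} from `getcert list` output.
    Attribute lines are tab-indented "key: value"; only the first colon
    splits, so NSSDB location strings keep their own colons."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_ID_RE.match(line)
        if m:
            current = m.group(1)
            requests[current] = {}
            continue
        if current is not None and line.startswith("\t") and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[current][key.strip()] = value.strip()
    return requests


def unknown_request_ids(tracked, ipa_managed):
    """IDs certmonger tracks that IPA did not create.  Tracking extra certs
    is legitimate, so report these as warnings, not failures."""
    return sorted(set(tracked) - set(ipa_managed))


def classify_mode_problems(expected):
    """expected: {path: mode}.  Returns (too_open, too_strict) message lists.
    Bits set beyond the expected mode widen access (the real exposure); bits
    missing only mean a reader relying on them may fail, so the two deserve
    different severities."""
    too_open, too_strict = [], []
    for path, want in expected.items():
        have = stat.S_IMODE(os.stat(path).st_mode)
        if have == want:
            continue
        msg = "Permissions of %s are %04o and should be %04o" % (path, have, want)
        (too_open if have & ~want else too_strict).append(msg)
    return too_open, too_strict


def demo():
    """Run both checks on constructed data and return the findings."""
    tracked = parse_getcert_list(SAMPLE_GETCERT_LIST)
    ipa_managed = {"20170919231606"}  # constructed: IDs IPA itself requested
    unknown = unknown_request_ids(tracked, ipa_managed)

    tmp = tempfile.mkdtemp()
    try:
        expected = {}
        # Constructed stand-ins: one stricter than 0640, one wider, one exact.
        for name, mode in (("key3.db", 0o600), ("cert8.db", 0o644), ("secmod.db", 0o640)):
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)
            expected[path] = 0o640
        too_open, too_strict = classify_mode_problems(expected)
    finally:
        shutil.rmtree(tmp)
    return {
        "tracked": sorted(tracked),
        "unknown_ids": unknown,
        "too_open": [os.path.basename(m.split()[2]) for m in too_open],
        "too_strict": [os.path.basename(m.split()[2]) for m in too_strict],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

The distinction in classify_mode_problems is the caveat worth keeping from William's output: 0600 where 0640 is expected removes group read and may break a reader that relied on it, but exposes nothing, whereas 0644 where 0640 is expected does widen access. A checker that prints both as the same kind of "Failure" invites the wrong fix.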
[Freeipa-users] Re: Issues installing replica
On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users wrote:
> Might this be related to:
>
> https://pagure.io/freeipa/issue/7654
>
> Maybe?
>
Possibly. Need the HTTP access log, the Dogtag access log
(/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag debug log
(/var/log/pki/pki-tomcat/ca/debug) from the master being contacted
(ovh1.pdp7.net) to analyse further.

Cheers,
Fraser
[Freeipa-users] Re: Issues installing replica
Might this be related to:

https://pagure.io/freeipa/issue/7654

Maybe?

--
 {~._.~}
  ( Y )
 ()~*~()   mail: alex at corcoles dot net
 (_)-(_)   http://alex.corcoles.net/
[Freeipa-users] Issues installing replica
So I solved my LXC problems (thanks Rob, again), but now:

ipa-replica-install -U --setup-ca -N

fails when rebuilding my replica from scratch, see:

https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251

, where I think I've copied the relevant logs.

I think I saw someone recommending revoking the replica certs, which makes sense as I'm using the same hostname that I used on the previous replica, but that doesn't seem to fix things. (I'm removing the previous replica via the admin interface, IPA Server -> Topology -> IPA Servers, select my replica and "Delete Server". This removes it too from the host list).

Any idea?

Cheers,

Álex

--
 {~._.~}
  ( Y )
 ()~*~()   mail: alex at corcoles dot net
 (_)-(_)   http://alex.corcoles.net/
[Freeipa-users] Re: FreeIPA on CentOS 7 under LXC, replica installation problems
On Mon, Nov 5, 2018 at 5:36 PM Rob Crittenden wrote:
> The bug was in dogtag and not in IPA. It looks like this is only fixed
> in 10.6.3+ upstream. I don't know if they have or plan to backport this
> to 10.5.x.
>
> The fix is
>
> https://github.com/dogtagpki/pki/commit/11fa1e2c4cc74e93cd1f9486ab12b3e1360a5179
>
> so I guess worst-case you could manually make the changes before
> installing.
>
Oh, should have thought about that. Yeah, will do that and if it works, I'll ask the maintainers of dogtag to backport it. If there are more issues I will report them.

Thanks!

Álex

--
 {~._.~}
  ( Y )
 ()~*~()   mail: alex at corcoles dot net
 (_)-(_)   http://alex.corcoles.net/
[Freeipa-users] Re: FreeIPA on CentOS 7 under LXC, replica installation problems
Alex Corcoles via FreeIPA-users wrote:
> So I had a running replica on CentOS 7 LXC which started giving me
> trouble, so I decided to rebuild it.
>
> Now, when running ipa-replica install I get:
>
> 2018-11-04T20:12:20Z DEBUG stderr=pkispawn : ERROR ...
> subprocess.CalledProcessError: Command '['sysctl',
> 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
>
> 2018-11-04T20:12:20Z CRITICAL Failed to configure CA instance: Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpyZ34z1' returned non-zero exit status 1
>
> , which seems to cause this to fail. Googling around, I find this thread:
>
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/ZDKZJCAQUXSI4IBZBCAEKQXVZFBTDMMB/
>
> , where apparently two bugs were filed to fix this- and they were fixed.
> Are they supposed to land on CentOS 7?

The bug was in dogtag and not in IPA. It looks like this is only fixed in 10.6.3+ upstream. I don't know if they have or plan to backport this to 10.5.x.

The fix is

https://github.com/dogtagpki/pki/commit/11fa1e2c4cc74e93cd1f9486ab12b3e1360a5179

so I guess worst-case you could manually make the changes before installing.

rob
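As an added example (this is not Dogtag's code and not the fix in the commit Rob linked, which may differ in detail): a FIPS-mode probe in Python that does not abort when the crypto.fips_enabled sysctl key is absent. The typical reason `sysctl crypto.fips_enabled -bn` exits non-zero inside a container such as the LXC one above is that the kernel flag is not exposed under /proc/sys at all, so an installer that shells out to sysctl and lets the CalledProcessError propagate dies the way pkispawn did. The fragile form is kept beside the tolerant one for contrast; the temporary flag files are constructed, and the `missing_ok` parameter is introduced here to show the fail-closed choice a FIPS-mandated deployment would want.

```python
"""Added example, not Dogtag's code: a FIPS-mode probe that tolerates an
absent crypto.fips_enabled key (common inside LXC containers) instead of
aborting the installer.  Flag files and the missing_ok knob are constructed.
"""
import os
import subprocess
import tempfile

FIPS_SYSCTL_PATH = "/proc/sys/crypto/fips_enabled"


def fips_enabled_via_sysctl():
    """Fragile form: shells out to sysctl.  When the key is absent, sysctl
    exits non-zero and check_output raises CalledProcessError, which is the
    failure on this thread.  Kept for contrast only; demo() does not call it."""
    out = subprocess.check_output(["sysctl", "crypto.fips_enabled", "-bn"])
    return out.strip() == b"1"


def fips_enabled(path=FIPS_SYSCTL_PATH, missing_ok=True):
    """Read the kernel flag directly from procfs.

    missing_ok=True: an absent flag means "FIPS not enforced here", which is
    what an installer running in a container wants.
    missing_ok=False: absence is an error, so a deployment that must run in
    FIPS mode fails closed rather than silently proceeding without it.
    Any value other than 0/1 is rejected instead of guessed at.
    """
    try:
        with open(path, "rb") as f:
            value = f.read().strip()
    except FileNotFoundError:
        if missing_ok:
            return False
        raise RuntimeError("%s not present; cannot confirm FIPS mode" % path)
    if value not in (b"0", b"1"):
        raise ValueError("unexpected FIPS flag %r in %s" % (value, path))
    return value == b"1"


def demo():
    """Exercise the flag states with constructed files; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        on = os.path.join(tmp, "fips_on")
        off = os.path.join(tmp, "fips_off")
        missing = os.path.join(tmp, "no_such_flag")  # never created
        with open(on, "wb") as f:
            f.write(b"1\n")
        with open(off, "wb") as f:
            f.write(b"0\n")
        try:
            fips_enabled(missing, missing_ok=False)
            strict_raised = False
        except RuntimeError:
            strict_raised = True
        return {
            "on": fips_enabled(on),
            "off": fips_enabled(off),
            "missing_lenient": fips_enabled(missing),
            "missing_strict_raises": strict_raised,
        }


if __name__ == "__main__":
    print(demo())
    # On the host this runs on; False both when FIPS is off and when the
    # flag is not exposed, which is the behaviour an installer wants.
    print("this host:", fips_enabled())
```

Reading the procfs file directly also removes the dependency on the sysctl binary being present in the container image, which is a second way the shell-out form can fail for reasons unrelated to FIPS.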
[Freeipa-users] Re: Replica install on RPI3
Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
>
> Believe me, after modifying "startup_timeout" in
> /usr/lib/python3.7/site-packages/ipalib/constants.py and
> /etc/ipa/default.conf it does run on a Pi as a Master but obviously this
> is not enough for the Replica.

See https://www.freeipa.org/page/ARM

> I did not add this post to discuss whether it is useful to run on a Pi,
> I try to find out which install parameter (I guess) to modify in which
> file. I had a FreeIPA Master running for months on a Pi. It ran
> stable :)

There are multiple reports of it (and related hardware like the banana pi) running fine. How much of a good idea it is is up for debate ;-)

TBH I'm glad you're creating a replica with a CA so you don't have a single point-of-failure.

rob

> Winfried
>
> Fraser Tweedale via FreeIPA-users wrote on 05-11-2018 0:37:
>> Dogtag CA is a massive enterprise Java program. Can't do much about
>> it. Run a CA-less deployment, or run a CA-ful deployment with
>> RaspberryPi replicas having no CA, and CA replicas running on
>> machines with more memory and more grunt.
>>
>> Cheers,
>> Fraser
>>
>> On Sun, Nov 04, 2018 at 04:04:27PM +0100, Winfried de Heiden via
>> FreeIPA-users wrote:
>>> Hi all,
>>> can't tell it's the only issue. Installing the replica without CA
>>> works well. The error happens during a restart during installation
>>> which takes too much time. Don't know what will go wrong after fixing
>>> this issue
>>> Winfried
>>> John Keates via FreeIPA-users wrote on Sat 03-11-2018 at 16:41 [+0100]:
>>> > Ah, so the install went fine but the CA startup is the only
>>> > remaining issue?
>>> > John
>>> >
>>> > > On 3 Nov 2018, at 16:39, Winfried de Heiden via FreeIPA-users wrote:
>>> > >
>>> > > Hi all,
>>> > > Yes, the Pi is too slow but funny enough it can work perfectly.
>>> > > The DogTag CA server just takes a painful time to start. I had a Pi
>>> > > running as just a master for months quite well, but starting Dogtag took
>>> > > a very long time, but afterwards it all ran well in a small
>>> > > environment (@home...)
>>> > > As mentioned, just for the sake of trying and Pis are so cheap, I'm
>>> > > trying to set up a Pi Replica but default setup timeout settings
>>> > > need a modification...
>>> > > Winfried
>>> > >
>>> > > John Keates wrote on Sat 03-11-2018 at 16:26 [+0100]:
>>> > > > My suggestion would be: don’t run it on a Pi, it’s not fast
>>> > > > enough. But you came to that conclusion already, so I guess the next
>>> > > > issue would be: where does it fail? I’m assuming the rpm install works
>>> > > > out but ipa-server-install doesn’t? Or does that work but does the
>>> > > > starting of all the components time out?
>>> > > >
>>> > > > If it’s just the installation that’s failing, you can get
>>> > > > around that by running the install in an emulated ARM machine first,
>>> > > > and then copying the filesystem over to the Pi.
>>> > > >
>>> > > > John
>>> > > >
>>> > > > > On 3 Nov 2018, at 15:53, Winfried de Heiden via FreeIPA-users wrote:
>>> > > > >
>>> > > > > Hi all,
>>> > > > > Just because we can and a Raspberry Pi 3 is cheap, I'm trying
>>> > > > > to install a FreeIPA replica on Fedora 29 ARM. It looks like the
>>> > > > > Raspberry is a bit too slow for default installation settings:
>>> > > > >
>>> > > > > 2018-11-03T12:27:12Z DEBUG stderr=WARNING: Password was garbage collected before it was cleared.
>>> > > > > password file contains no data
>>> > > > > pkispawn : ERROR ... server did not start after 60s
>>> > > > > pkispawn : ERROR ... server failed to restart
>>> > > > > 2018-11-03T12:27:12Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv2y32e9l'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\npassword file contains no data\npkispawn : ERROR ... server did not start after 60s\npkispawn : ERROR ... server failed to restart\n')
>>> > > > > 2018-11-03T12:27:12Z CRITICAL See the installation logs and the following files/directories for more information:
>>> > > > > 2018-11-03T12:27:12Z CRITICAL /var/log/pki/pki-tomcat
>>> > > > > 2018-11-03T12:27:12Z DEBUG Traceback (most recent call last):
>>> > > > >   File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 164, in spawn_instance
>>> > > > >     ipautil.run(args, nolog=nolog_list)
>>> > > > >   File "/usr/lib/python3.7/site-packages/ipapython/ipautil.py", line 573, in run
>>> > > > >     p.returncode, arg_string, output_log, error_log
>>> > > > > ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv2y32e9l'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\npassword file contains no data\npkispawn : ERROR ... server did not start after 60s\npkispawn : ERROR ... server failed to restart\n')
>>> > > > >
>>> > > > > I did change the "startup_timeout" in
>>> > > > > /usr/lib/python3.7/site-pack
[Freeipa-users] Re: Replica install on RPI3
Hi all,

Believe me, after modifying "startup_timeout" in /usr/lib/python3.7/site-packages/ipalib/constants.py and /etc/ipa/default.conf it does run on a Pi as a Master but obviously this is not enough for the Replica. I did not add this post to discuss whether it is useful to run on a Pi, I try to find out which install parameter (I guess) to modify in which file. I had a FreeIPA Master running for months on a Pi. It ran stable :)

Winfried

Fraser Tweedale via FreeIPA-users wrote on 05-11-2018 0:37:

Dogtag CA is a massive enterprise Java program. Can't do much about it. Run a CA-less deployment, or run a CA-ful deployment with RaspberryPi replicas having no CA, and CA replicas running on machines with more memory and more grunt.

Cheers,
Fraser

On Sun, Nov 04, 2018 at 04:04:27PM +0100, Winfried de Heiden via FreeIPA-users wrote:

Hi all,
can't tell it's the only issue. Installing the replica without CA works well. The error happens during a restart during installation which takes too much time. Don't know what will go wrong after fixing this issue
Winfried

John Keates via FreeIPA-users wrote on Sat 03-11-2018 at 16:41 [+0100]:
> Ah, so the install went fine but the CA startup is the only remaining issue?
> John
>
> > On 3 Nov 2018, at 16:39, Winfried de Heiden via FreeIPA-users wrote:
> >
> > Hi all,
> > Yes, the Pi is too slow but funny enough it can work perfectly. The DogTag CA server just takes a painful time to start. I had a Pi running as just a master for months quite well, but starting Dogtag took a very long time, but afterwards it all ran well in a small environment (@home...)
> > As mentioned, just for the sake of trying and Pis are so cheap, I'm trying to set up a Pi Replica but default setup timeout settings need a modification...
> > Winfried
> >
> > John Keates wrote on Sat 03-11-2018 at 16:26 [+0100]:
> > > My suggestion would be: don’t run it on a Pi, it’s not fast enough. But you came to that conclusion already, so I guess the next issue would be: where does it fail? I’m assuming the rpm install works out but ipa-server-install doesn’t? Or does that work but does the starting of all the components time out?
> > >
> > > If it’s just the installation that’s failing, you can get around that by running the install in an emulated ARM machine first, and then copying the filesystem over to the Pi.
> > >
> > > John
> > >
> > > > On 3 Nov 2018, at 15:53, Winfried de Heiden via FreeIPA-users wrote:
> > > >
> > > > Hi all,
> > > > Just because we can and a Raspberry Pi 3 is cheap, I'm trying to install a FreeIPA replica on Fedora 29 ARM. It looks like the Raspberry is a bit too slow for default installation settings:
> > > >
> > > > 2018-11-03T12:27:12Z DEBUG stderr=WARNING: Password was garbage collected before it was cleared.
> > > > password file contains no data
> > > > pkispawn: ERROR ... server did not start after 60s
> > > > pkispawn: ERROR ... server failed to restart
> > > > 2018-11-03T12:27:12Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv2y32e9l'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\npassword file contains no data\npkispawn: ERROR ... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n')
> > > > 2018-11-03T12:27:12Z CRITICAL See the installation logs and the following files/directories for more information:
> > > > 2018-11-03T12:27:12Z CRITICAL /var/log/pki/pki-tomcat
> > > > 2018-11-03T12:27:12Z DEBUG Traceback (most recent call last):
> > > >   File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 164, in spawn_instance
> > > >     ipautil.run(args, nolog=nolog_list)
> > > >   File "/usr/lib/python3.7/site-packages/ipapython/ipautil.py", line 573, in run
> > > >     p.returncode, arg_string, output_log, error_log
> > > > ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv2y32e9l'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\npassword file contains no data\npkispawn: ERROR ... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n')
> > > >
> > > > I did change the "startup_timeout" in /usr/lib/python3.7/site-packages/ipalib/constants.py and /etc/ipa/default.conf but it doesn't seem to be enough.
> > > >
> > > > Any suggestion?
> > > >
> > > > Winfried