[Freeipa-users] Re: Last FreeIPA master is failing
Ok so I don't know what happened, the server really did take a long time to come up but it did. Everything looks pretty much the same.

The setup-le.sh command I ran said:
> The ipa-certupdate command was successful
But I can't see it. I have to start ipa services with --ignore-service-failure and --skip-version-check.

When I go to the web UI I still see the old expired certificate from May 21st.

I tried to run renew-le and I get this error:

# bash renew-le.sh
Error opening Certificate /var/lib/ipa/certs/httpd.crt
140430772283280:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r')
140430772283280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Last FreeIPA master is failing
Hi Rob,

Thanks a lot for your reply.

> It's because you are in the middle of an upgrade. You can add
> --skip-version-check to not do the upgrade until after the certs are renewed.

Amazing! So I turned back the clock and:

# ipactl restart --ignore-service-failure --skip-version-check
Skipping version check
Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Forced restart, ignoring pki-tomcatd Service, continuing normal operation
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ods-enforcerd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

I did as Florence said and set the time back. Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as necessary and ran setup-le.sh. It shows some errors; I am including the full output here: https://pastebin.com/S07vqXLy

In the end it has this:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140667189670224
ipapython.admintool: INFO: The ipa-certupdate command was successful
Error opening Private Key /var/lib/ipa/private/httpd.key
139927634605968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
139927634605968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key

> These are just two different wrappers around let's encrypt certificates. As
> long as it can find the key(s) then it should work either way (one uses HTTP
> and one uses DNS). The real trick is what version(s) of IPA those support and
> where it is looking for the certificates. The cert locations and storage are
> different depending on the version of IPA.

I am assuming the script from antevens uses DNS. But how can it not matter if someone is using an up to date version of freeipa, and Florence mentioned:

> - ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is
> now in /var/lib/ipa/ra-agent.{key|pem}

So if this has changed and the scripts of that letsencrypt repo haven't been edited in over a year, is it supposed to work? Or is it not compliant with the latest IPA versions?

Btw, after setup-le.sh finished I set the time back and rebooted the server. It seems like now it's not coming up at all. I'll have to VNC to it and see what happened.
[Freeipa-users] Re: Last FreeIPA master is failing
Ricardo Mendes via FreeIPA-users wrote:
> Hi Florence,
>
> Thank you so much for your reply.
>
> I have some questions regarding your instructions.
>
> 1. ipactl start --ignore-service-failures doesn't work, it leaves most
> services down and I must use systemctl to bring them up.
>
> # sudo ipactl restart --ignore-service-failures
> IPA version error: data needs to be upgraded (expected version
> '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
> information
>
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade
> again
> Stopping ipa-dnskeysyncd Service
> Stopping ods-enforcerd Service
> Stopping ipa-ods-exporter Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ntpd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> Aborting ipactl
>
> then I have to start manually using the systemctl command I put before.

It's because you are in the middle of an upgrade. You can add
--skip-version-check to not do the upgrade until after the certs are renewed.

> Also is there a way to use ipactl to start manually a specified service?

No.

> 2. what procedure should I use to get a ssl.crt?
>
> # find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt
> #

ssl.crt is just a generic name, IPA doesn't use it. Each certificate that IPA issues has its own unique name. You'd need to look per-service where the certificate is stored and what it is named. The certmonger output will help with this:

# getcert list

Note that this will include the certificates used by the IPA CA.

> I think I was using the wrong letsencrypt-freeipa I was using the one here
> https://github.com/antevens/letsencrypt-freeipa but now I see there's another
> here https://github.com/freeipa/freeipa-letsencrypt with more recent updates.
> How do I "replace" them?

These are just two different wrappers around let's encrypt certificates. As long as it can find the key(s) then it should work either way (one uses HTTP and one uses DNS).

The real trick is what version(s) of IPA those support and where it is looking for the certificates. The cert locations and storage are different depending on the version of IPA.

rob
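Rob's point that `getcert list` only shows what certmonger was asked to track is why the original post's "all MONITORING, none expired" said nothing about the Let's Encrypt HTTP certificate. As an added example (not from this thread or from the FreeIPA project), a stdlib Python parser for `getcert list` output that reports days left per tracked request and flags expected (location, nickname) pairs certmonger knows nothing about; the sample output, the NOW date and the EXPECTED_TRACKED pairs (IPA 4.6 / RHEL 7 layout, Server-Cert in /etc/httpd/alias as the ipa-cert-fix traceback looks up) are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the real `getcert list` layout: one healthy LDAP cert,
# one stuck RA agent cert, and no request at all for the HTTP cert.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20190521100000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-IO',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=main.domain.io,O=DOMAIN.IO
\texpires: 2021-05-21 10:00:00 UTC
Request ID '20190521100100':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=DOMAIN.IO
\texpires: 2020-06-01 10:00:00 UTC
"""

# Assumed IPA 4.6 / RHEL 7 layout: HTTP and LDAP server certs in NSS databases
# under nickname Server-Cert (the nicknames ipa-cert-fix looks up).
EXPECTED_TRACKED = [("/etc/httpd/alias", "Server-Cert"),
                    ("/etc/dirsrv/slapd-DOMAIN-IO", "Server-Cert")]
NOW = datetime(2020, 6, 10, tzinfo=timezone.utc)  # constructed: date of the thread

FIELD_RE = re.compile(r"^\t([^:]+): (.*)$")
LOCATION_RE = re.compile(r"location='([^']*)'(?:,nickname='([^']*)')?")


def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by the tab-indented field names."""
    requests, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    return requests


def storage_of(req):
    """(location, nickname) of the tracked cert; nickname is None for PEM files."""
    m = LOCATION_RE.search(req.get("certificate", ""))
    return (m.group(1), m.group(2)) if m else (None, None)


def report(text, expected, now):
    """Return (findings per tracked request, expected pairs that are not tracked).
    `now` must be timezone-aware; getcert prints expiry times in UTC."""
    requests = parse_getcert_list(text)
    findings = []
    for r in requests:
        expires = datetime.strptime(r["expires"].rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
        days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        findings.append({"id": r["id"], "storage": storage_of(r), "status": r["status"],
                         "stuck": r.get("stuck") == "yes", "days_left": days_left})
    tracked = {storage_of(r) for r in requests}
    untracked = [pair for pair in expected if pair not in tracked]
    return findings, untracked
```

On a real master, feed it `subprocess.check_output(["getcert", "list"], text=True)` and the current time; an untracked pair means certmonger will never renew that certificate, whatever `getcert list` says.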
[Freeipa-users] Re: Last FreeIPA master is failing
Hi Florence,

Thank you so much for your reply.

I have some questions regarding your instructions.

1. ipactl start --ignore-service-failures doesn't work, it leaves most services down and I must use systemctl to bring them up.

# sudo ipactl restart --ignore-service-failures
IPA version error: data needs to be upgraded (expected version '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ods-enforcerd Service
Stopping ipa-ods-exporter Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl

then I have to start manually using the systemctl command I put before.

Also is there a way to use ipactl to start manually a specified service?

2. what procedure should I use to get a ssl.crt?

# find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt
#

I think I was using the wrong letsencrypt-freeipa. I was using the one here https://github.com/antevens/letsencrypt-freeipa but now I see there's another here https://github.com/freeipa/freeipa-letsencrypt with more recent updates. How do I "replace" them?

Many thanks!!
[Freeipa-users] Re: Last FreeIPA master is failing
On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote:
> # certutil -d /etc/pki/pki-tomcat/alias -L
>
> Certificate Nickname            Trust Attributes
>                                 SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca     u,u,u
> subsystemCert cert-pki-ca       u,u,u
> DSTRootCAX3                     C,,
> auditSigningCert cert-pki-ca    u,u,Pu
> Server-Cert cert-pki-ca         u,u,u
> caSigningCert cert-pki-ca       CTu,Cu,Cu
> letsencryptx3                   C,,
> letsencryptx3                   C,,
> ISRGRootCAX1                    C,,

Hi,

ipa-cert-fix man page explicitly states that it cannot renew certificates signed by external CAs:

- 8< -
This tool cannot renew certificates signed by external CAs. To install new, externally-signed HTTP, LDAP or KDC certificates, use ipa-server-certinstall(1).
- >8 -

In your case, you need to use the ipa-server-certinstall command to replace the expired letsencrypt certs:
- change the date on the server to a date when the certificate was still valid
- start IPA services (except ntpd/chronyd, otherwise the date will be reset)
- use ipa-server-certinstall as described in "Installing Third-Party Certificates for HTTP or LDAP" [1] with the new certificates
- set the date back to the real current date

A few additional tips:
- when some services fail to start and trigger the shutdown of the whole IPA stack, you can use the --ignore-service-failures option of ipactl:
# ipactl start --ignore-service-failures
- ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is now in /var/lib/ipa/ra-agent.{key|pem}

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#third-party-certs-http-ldap
[Freeipa-users] Re: Last FreeIPA master is failing
# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname            Trust Attributes
                                SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca     u,u,u
subsystemCert cert-pki-ca       u,u,u
DSTRootCAX3                     C,,
auditSigningCert cert-pki-ca    u,u,Pu
Server-Cert cert-pki-ca         u,u,u
caSigningCert cert-pki-ca       CTu,Cu,Cu
letsencryptx3                   C,,
letsencryptx3                   C,,
ISRGRootCAX1                    C,,
[Freeipa-users] Last FreeIPA master is failing
Hi all,

I'm having serious issues with our FreeIPA setup and I need some direction.

Our FreeIPA setup had two master-replicas. Late last month one of the hypervisors at OVH died, they replaced hardware but the server is having issues so hasn't come up yet. So for all matters, one master-replica is dead.

The original master was configured with letsencrypt-freeipa which failed to renew certificates.

There are around 10 clients connected to it, and several services authenticate against it. One for example is Gitlab, but I am still able to login to Gitlab. Another example, we have a number of pfSense routers that also use LDAP auth and that always fails; we had to fall back to the local admin user.

One of the most critical services is the DNS. When DNS goes down, everything goes down, including email. This is currently one of the most critical services.

ipactl always fails. I have to manually start the services using systemctl, like `systemctl start {named-pkcs11,httpd,ipa-custodia,ipa-dnskeysyncd,ipa-ods-exporter,ods-enforcerd,krb5kdc,kadmin}`

getcert list returns 7 certificates, all MONITORING, none expired.

# getcert list -d /etc/httpd/alias -n ipaCert
No request found that matched arguments.

I can run ldap commands on the cli.
ALL ipa commands fail:

# ipa userlist
ipa: ERROR: cannot connect to 'any of the configured servers': https://main.domain.io/ipa/json, https://secondary.domain.io/ipa/json

# certutil -L -d /etc/httpd/alias

Certificate Nickname            Trust Attributes
                                SSL,S/MIME,JAR/XPI

DSTRootCAX3                     C,,
CN=main.domain.io               u,u,u
letsencryptx3                   C,,
letsencryptx3                   C,,
ISRGRootCAX1                    C,,
DOMAIN.IO IPA CA                CT,C,

The ipa-cert-fix command with increased verbosity:

```
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n transportCert cert-pki-kra -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n storageCert cert-pki-kra -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n auditSigningCert cert-pki-kra -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 100, in run
    certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 142, in expired_certs
    return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 191, in expired_ipa_certs
    cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in get_cert
    raise RuntimeError("Failed to get %s" % nickname)
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
```

I thought this command was to fix the certificates, so I don't get why it fails if one certificate is missing. But anyway, can someone PLEASE give me some help, I'm not great with
[Freeipa-users] Re: pam_unix(sshd:auth): authentication failure
On Tue, Jun 09, 2020 at 09:57:19PM +0200, lune voo via FreeIPA-users wrote:
> I stopped sshd server and I started it again with the -d option to get more
> information.
>
> Here is what appears as error:
> ###
> debug1: userauth-request for user myuser service ssh-connection method
> password [preauth]
> debug1: attempt 2 failures 1 [preauth]
> debug1: PAM: password authentication failed for myuser: Permission denied
> Failed password for myuser from myip port 64146 ssh2
> ###
>
> What could be this permission denied please?

Hi,

please check the PAM related messages in /var/log/secure, this should tell you which PAM module caused the permission denied. Additionally please check /etc/pam.d/sshd and /etc/pam.d/password-auth which should be included by /etc/pam.d/sshd. From the debug messages you've sent it looks like only pam_unix was tried but pam_sss should be available in the PAM configuration as well.

bye,
Sumit

>
> Best regards.
>
> Lune
>
> On Tue, 9 June 2020 at 19:44, lune voo wrote:
>
> > Hello!
> >
> > I send you this mail because I have a problem with an SSH connection with
> > an IPA user (not a local user) on the client hosts.
> >
> > Here are the versions I used:
> > - ipa-server: ipa-server-4.6.6-11.el7.x86_64
> > - ipa-client: ipa-client-4.4.0-12.el7.x86_64
> >
> > My nodes are on RHEL7.
> >
> > When I try to connect from myhost with myuser on the remote host
> > myremotehost, I have the following error:
> > ###
> > # ssh myuser@myremotehost
> > myuser@myremotehost's password:
> > Permission denied, please try again.
> > myuser@myremotehost's password:
> > ###
> >
> > In the /var/log/secure log, I can see the following lines which appear
> > when I try my SSH connection.
> > ###
> > Jun 9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250
> > on myremotehostip port 22
> > Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 126:
> > Deprecated option RSAAuthentication
> > Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 129:
> > Deprecated option RhostsRSAAuthentication
> > Jun 9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from
> > myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
> > Jun 9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost
> > user=myuser
> > Jun 9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from
> > myip port 62250 ssh2
> > ###
> >
> > The kinit with this password is OK.
> > A "su - myuser" is OK with this password.
> >
> > I don't understand why ssh connections are not working.
> > /etc/host.allow is configured to allow me to connect with sshd from myip
> > and myhost to this host.
> > In /etc/ssh/sshd_config, AllowGroup line is good. myuser belongs to the
> > right group in AllowGroup.
> >
> > Here is the command used to join the realm on myremotehost:
> > ###
> > ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary
> > --server=IPASERVER1 --server=IPASERVER2 --principal=admin
> > --password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh
> > --no-sshd
> > ###
> >
> > Does the problem come from --no-ssh or --no-sshd? How can I solve this
> > problem without launching this command again?
> >
> > Best regards.
> >
> > Lune
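Sumit's advice to check /etc/pam.d/sshd and the password-auth file it includes is easier to act on once the stack is flattened. As an added example (not part of the thread), a stdlib Python helper that follows PAM `include`/`substack` directives and lists the phases in which pam_sss.so never appears; the pam.d files it reads are constructed, trimmed copies of RHEL 7 style files written to a temp directory so the check runs offline, and `append_pam_line` is a test helper, not a PAM tool. On a real host point `pam_stack()` at /etc/pam.d.

```python
import os
import tempfile

# Constructed pam.d files: sshd pulls in password-auth, which lists pam_unix but no pam_sss.
CONSTRUCTED_PAMD = {
    "sshd": """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
""",
    "password-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_permit.so
""",
    "postlogin": "session     optional      pam_umask.so silent\n",
}


def build_constructed_pamd():
    """Write the constructed files into a temp dir and return its path."""
    pamd_dir = tempfile.mkdtemp()
    for name, body in CONSTRUCTED_PAMD.items():
        with open(os.path.join(pamd_dir, name), "w") as fh:
            fh.write(body)
    return pamd_dir


def append_pam_line(pamd_dir, service, line):
    with open(os.path.join(pamd_dir, service), "a") as fh:
        fh.write(line + "\n")


def pam_stack(pamd_dir, service, seen=frozenset()):
    """Flatten `service` into (phase, control, module, args) tuples, replacing
    include/substack lines by the matching-phase lines of the referenced file."""
    path = os.path.join(pamd_dir, service)
    if service in seen or not os.path.isfile(path):  # include loop or missing file
        return []
    stack = []
    with open(path) as fh:
        for raw in fh:
            parts = raw.split("#", 1)[0].split()
            if len(parts) > 2 and parts[1].startswith("["):  # [success=ok ...] controls
                end = next((i for i, p in enumerate(parts) if p.endswith("]")), len(parts) - 1)
                parts = [parts[0], " ".join(parts[1:end + 1])] + parts[end + 1:]
            if len(parts) < 3:
                continue
            phase, control, module, args = parts[0], parts[1], parts[2], parts[3:]
            if control in ("include", "substack"):
                stack += [e for e in pam_stack(pamd_dir, module, seen | {service}) if e[0] == phase]
            else:
                stack.append((phase, control, module, args))
    return stack


def phases_without_sss(pamd_dir, service="sshd", phases=("auth", "account")):
    """Phases of `service` in which pam_sss.so never appears."""
    stack = pam_stack(pamd_dir, service)
    return [p for p in phases if not any(e[0] == p and e[2] == "pam_sss.so" for e in stack)]
```

Presence is only the first check: in the flattened auth stack pam_sss.so must also come before pam_deny.so, otherwise IPA users are denied before SSSD is ever consulted.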