[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Ricardo Mendes via FreeIPA-users
Ok, so I don't know what happened; the server really did take a long time to come 
up, but it did.

Everything looks pretty much the same. The setup-le.sh command I ran said:

> The ipa-certupdate command was successful

But I can't see it. I have to start ipa services with --ignore-service-failure 
and --skip-version-check
When I go to web I still see the old expired certificate from May 21st.

I tried to run renew-le and I get this error:

# bash renew-le.sh 
Error opening Certificate /var/lib/ipa/certs/httpd.crt
140430772283280:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r')
140430772283280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Ricardo Mendes via FreeIPA-users
Hi Rob,

Thanks a lot for your reply.

> It's because you are in the middle of an upgrade. You can add 
> --skip-version-check to not do the upgrade until after the certs are renewed.

Amazing! So I turned back the clock and:

# ipactl restart --ignore-service-failure --skip-version-check
Skipping version check
Failed to get service list from file: Unknown error when retrieving list of 
services from file: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Forced restart, ignoring pki-tomcatd Service, continuing normal operation
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ods-enforcerd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

I did as Florence said and set the time back.
Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as necessary 
and ran setup-le.sh

It shows some errors; I am including the full output here: 
https://pastebin.com/S07vqXLy

At the end it has this:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140667189670224
ipapython.admintool: INFO: The ipa-certupdate command was successful
Error opening Private Key /var/lib/ipa/private/httpd.key
139927634605968:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
139927634605968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key

> These are just two different wrappers around let's encrypt certificates. As 
> long as it can find the key(s) then it should work either way (one uses HTTP 
> and one uses DNS). The real trick is what version(s) of IPA those support and 
> where it is looking for the certificates. The cert locations and storage are 
> different depending on the version of IPA.

I am assuming the script from antevens uses DNS. But how can it not matter if 
someone is using an up-to-date version of FreeIPA, when Florence mentioned:

> - ipaCert is not stored any more in the NSS database /etc/httpd/alias,  it is 
> now in /var/lib/ipa/ra-agent.{key|pem}

So if this has changed and the scripts of that letsencrypt repo haven't been 
edited in over a year, is it supposed to work? Or is it not compliant with the 
latest IPA versions?

Btw, after setup-le.sh finished I set the time back and rebooted the server. It 
seems like now it's not coming up at all. I'll have to VNC into it and see 
what happened.


[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Rob Crittenden via FreeIPA-users
Ricardo Mendes via FreeIPA-users wrote:
> Hi Florence,
> 
> Thank you so much for your reply.
> 
> I have some questions regarding your instructions.
> 
> 1. ipactl start --ignore-service-failures doesn't work, it leaves most 
> services down and I must use systemctl to bring them up.
> 
> # sudo ipactl restart --ignore-service-failures
> IPA version error: data needs to be upgraded (expected version 
> '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
> ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
> information
> 
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade 
> again
> Stopping ipa-dnskeysyncd Service
> Stopping ods-enforcerd Service
> Stopping ipa-ods-exporter Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ntpd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> Aborting ipactl
> 
> then I have to start manually using the systemctl command I put before.

It's because you are in the middle of an upgrade. You can add
--skip-version-check to not do the upgrade until after the certs are
renewed.

> Also is there a way to use ipactl to start manually a specified service?

No.

> 
> 2. what procedure should I use to get an ssl.crt?
> 
> # find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt
> #

ssl.crt is just a generic name, IPA doesn't use it. Each certificate
that IPA issues has its own unique name. You'd need to look per-service
where the certificate is stored and what it is named. The certmonger output
will help with this:

# getcert list

Note that this will include the certificates used by the IPA CA.

> I think I was using the wrong letsencrypt-freeipa. I was using the one here: 
> https://github.com/antevens/letsencrypt-freeipa, but now I see there's another 
> here, https://github.com/freeipa/freeipa-letsencrypt, with more recent updates. 
> How do I "replace" them?

These are just two different wrappers around let's encrypt certificates.
As long as it can find the key(s) then it should work either way (one
uses HTTP and one uses DNS). The real trick is what version(s) of IPA
those support and where it is looking for the certificates. The cert
locations and storage are different depending on the version of IPA.

rob


[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Ricardo Mendes via FreeIPA-users
Hi Florence,

Thank you so much for your reply.

I have some questions regarding your instructions.

1. ipactl start --ignore-service-failures doesn't work, it leaves most services 
down and I must use systemctl to bring them up.

# sudo ipactl restart --ignore-service-failures
IPA version error: data needs to be upgraded (expected version 
'4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade 
again
Stopping ipa-dnskeysyncd Service
Stopping ods-enforcerd Service
Stopping ipa-ods-exporter Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl

then I have to start manually using the systemctl command I put before.

Also is there a way to use ipactl to start manually a specified service?

2. what procedure should I use to get an ssl.crt?

# find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt
#

I think I was using the wrong letsencrypt-freeipa. I was using the one here: 
https://github.com/antevens/letsencrypt-freeipa, but now I see there's another 
here, https://github.com/freeipa/freeipa-letsencrypt, with more recent updates. 
How do I "replace" them?
Many thanks!!


[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Florence Blanc-Renaud via FreeIPA-users

On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote:

# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                   u,u,u
subsystemCert cert-pki-ca                     u,u,u
DSTRootCAX3                                   C,,
auditSigningCert cert-pki-ca                  u,u,Pu
Server-Cert cert-pki-ca                       u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
letsencryptx3                                 C,,
letsencryptx3                                 C,,
ISRGRootCAX1                                  C,,



Hi,

The ipa-cert-fix man page explicitly states that it cannot renew 
certificates signed by external CAs:


- 8< -
This tool cannot renew certificates signed by external CAs.  To install
new, externally-signed HTTP, LDAP or KDC certificates, use  ipa-server-
certinstall(1).
- >8 -

In your case, you need to use the ipa-server-certinstall command to 
replace the expired letsencrypt certs:
- change the date on the server to a date when the certificate was still 
valid

- start IPA services (except ntpd/chronyd, otherwise the date will be reset)
- use ipa-server-certinstall as described in "Installing Third-Party 
Certificates for HTTP or LDAP" [1] with the new certificates

- set the date back to the real current date

A few additional tips:
- when some services fail to start and trigger the shutdown of the whole 
IPA stack, you can use the --ignore-service-failures option of ipactl:

# ipactl start --ignore-service-failures

- ipaCert is not stored any more in the NSS database /etc/httpd/alias, 
it is now in /var/lib/ipa/ra-agent.{key|pem}


HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#third-party-certs-http-ldap
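Rob's advice above is to run `getcert list` and look per service at where each certificate lives, and Florence notes that the RA agent cert moved from /etc/httpd/alias to /var/lib/ipa. The following added example (mine, not code from FreeIPA, certmonger or either letsencrypt wrapper) parses a constructed `getcert list` output and reports two things: tracked certificates close to expiry, and expected service certificates that certmonger is not tracking at all, which is exactly the case of an externally-issued HTTP cert that `getcert list` reports nothing about. The EXPECTED locations are the ones named in this thread for IPA 4.6 on CentOS 7; the sample request IDs and dates are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output: two requests, both MONITORING,
# and neither of them the HTTP server certificate. Real output has more fields.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20200521100000':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2022-05-21 10:00:00 UTC
Request ID '20200521100001':
\tstatus: MONITORING
\tkey pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2020-06-25 10:00:00 UTC
"""

# Where IPA 4.6 on CentOS 7 keeps the certs named in the thread: the HTTP
# Server-Cert NSS entry, Dogtag's Server-Cert, and the RA agent cert that
# moved from /etc/httpd/alias to /var/lib/ipa (nickname None = plain file).
EXPECTED = [("/etc/httpd/alias", "Server-Cert"),
            ("/etc/pki/pki-tomcat/alias", "Server-Cert cert-pki-ca"),
            ("/var/lib/ipa/ra-agent.pem", None)]

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
CERT_RE = re.compile(
    r"certificate: type=(\w+),location='([^']+)'(?:,nickname='([^']+)')?")


def parse_getcert_list(text):
    """One dict per 'Request ID' block: status, storage, nickname, expiry."""
    records, cur = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            cur = {"request_id": m.group(1), "status": None, "type": None,
                   "location": None, "nickname": None, "expires": None}
            records.append(cur)
            continue
        line = raw.strip()
        if cur is None:
            continue
        if line.startswith("status: "):
            cur["status"] = line[len("status: "):]
        elif line.startswith("certificate: "):
            cm = CERT_RE.match(line)
            if cm:
                cur["type"], cur["location"], cur["nickname"] = cm.groups()
        elif line.startswith("expires: "):
            cur["expires"] = datetime.strptime(
                line[len("expires: "):], "%Y-%m-%d %H:%M:%S UTC"
            ).replace(tzinfo=timezone.utc)
    return records


def audit(text, now_date, expected=EXPECTED, within_days=30):
    """Tracked certs expiring within `within_days` of now_date ('YYYY-MM-DD'),
    plus expected (location, nickname) pairs certmonger has no request for."""
    now = datetime.strptime(now_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    limit = now + timedelta(days=within_days)
    recs = parse_getcert_list(text)
    tracked = {(r["location"], r["nickname"]) for r in recs}
    return {
        "expiring": [(r["location"], r["nickname"]) for r in recs
                     if r["expires"] is not None and r["expires"] <= limit],
        "untracked": [e for e in expected if e not in tracked],
    }
```

On a real server feed it `subprocess.check_output(["getcert", "list"])` and today's date; an entry in "untracked" is a certificate that nothing will renew for you.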



[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Ricardo Mendes via FreeIPA-users
# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                   u,u,u
subsystemCert cert-pki-ca                     u,u,u
DSTRootCAX3                                   C,,
auditSigningCert cert-pki-ca                  u,u,Pu
Server-Cert cert-pki-ca                       u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
letsencryptx3                                 C,,
letsencryptx3                                 C,,
ISRGRootCAX1                                  C,,


[Freeipa-users] Last FreeIPA master is failing

2020-06-10 Thread Ricardo Mendes via FreeIPA-users
Hi all,

I'm having serious issues with our FreeIPA setup and I need some direction.

Our FreeIPA setup had two master-replicas. Late last month one of the 
hypervisors at OVH died; they replaced the hardware, but the server is having issues, 
so it hasn't come up yet. So for all intents and purposes, one master-replica is dead.
The original master was configured with letsencrypt-freeipa which failed to 
renew certificates.

There are around 10 clients connected to it, and several services authenticate 
against it. One for example is Gitlab, but I am still able to login to Gitlab. 
Another example: we have a number of pfSense routers that also use LDAP auth, and 
that always fails; we had to fall back to the local admin user.
One of the most critical services is the DNS. When DNS goes down, everything 
goes down, including email. This is currently one of the most critical services.

ipactl always fails. I have to manually start the services using systemctl, like
`systemctl start 
{named-pkcs11,httpd,ipa-custodia,ipa-dnskeysyncd,ipa-ods-exporter,ods-enforcerd,krb5kdc,kadmin}`

getcert list returns 7 certificates, all MONITORING, none expired.

# getcert list -d /etc/httpd/alias -n ipaCert
No request found that matched arguments.

I can run ldap commands on the cli.

ALL ipa commands fail:
# ipa userlist
ipa: ERROR: cannot connect to 'any of the configured servers': 
https://main.domain.io/ipa/json, https://secondary.domain.io/ipa/json

# certutil -L -d /etc/httpd/alias

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

DSTRootCAX3                                   C,,
CN=main.domain.io                             u,u,u
letsencryptx3                                 C,,
letsencryptx3                                 C,,
ISRGRootCAX1                                  C,,
DOMAIN.IO IPA CA                              CT,C,

the ipa-cert-fix command with increased verbosity:

```
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n transportCert cert-pki-kra -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert 
cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n storageCert cert-pki-kra -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert 
cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n auditSigningCert cert-pki-kra -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: 
auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n 
Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.admintool: DEBUG:   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", 
line 100, in run
certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", 
line 142, in expired_certs
return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", 
line 191, in expired_ipa_certs
cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in 
get_cert
raise RuntimeError("Failed to get %s" % nickname)

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: 
RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
```

I thought this command was to fix the certificates, so I don't get why it 
fails if one certificate is missing.
But anyway, can someone PLEASE give me some help I'm not great with 

[Freeipa-users] Re: pam_unix(sshd:auth): authentication failure

2020-06-10 Thread Sumit Bose via FreeIPA-users
On Tue, Jun 09, 2020 at 09:57:19PM +0200, lune voo via FreeIPA-users wrote:
> I stopped sshd server and I started it again with the -d option to get more
> information.
> 
> Here is what appears as an error:
> ###
> debug1: userauth-request for user myuser service ssh-connection method
> password [preauth]
> debug1: attempt 2 failures 1 [preauth]
> debug1: PAM: password authentication failed for myuser: Permission denied
> Failed password for myuser from myip port 64146 ssh2
> ###
> 
> What could this permission denied be, please?

Hi,

Please check the PAM related messages in /var/log/secure; this should
tell you which PAM module caused the permission denied.

Additionally please check /etc/pam.d/sshd and /etc/pam.d/password-auth
which should be included by /etc/pam.d/sshd. From the debug messages
you've sent it looks like only pam_unix was tried but pam_sss should be
available in the PAM configuration as well.

bye,
Sumit

> 
> Best regards.
> 
> Lune
> 
> On Tue, 9 Jun 2020 at 19:44, lune voo wrote:
> 
> > Hello !
> >
> > I send you this mail because I have a problem with an SSH connection with
> > an IPA user (not a local user) on the client hosts.
> >
> > Here are the versions I used :
> > - ipa-server : ipa-server-4.6.6-11.el7.x86_64
> > - ipa-client : ipa-client-4.4.0-12.el7.x86_64
> >
> > My nodes are on RHEL7.
> >
> > When I try to connect from myhost with myuser on the remote host
> > myremotehost, I have the following error :
> > ###
> > # ssh myuser@myremotehost
> > myuser@myremotehost's password:
> > Permission denied, please try again.
> > myuser@myremotehost's password:
> > ###
> >
> > In the /var/log/secure log, I can see the following lines which appear
> > when I try my SSH connection.
> > ###
> > Jun  9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250
> > on myremotehostip port 22
> > Jun  9 19:27:15 myremotehost sshd[9778]: reprocess config line 126:
> > Deprecated option RSAAuthentication
> > Jun  9 19:27:15 myremotehost sshd[9778]: reprocess config line 129:
> > Deprecated option RhostsRSAAuthentication
> > Jun  9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from
> > myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
> > Jun  9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost
> >  user=myuser
> > Jun  9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from
> > myip port 62250 ssh2
> > ###
> >
> > The kinit with this password is OK.
> > A "su - myuser" is OK with this password.
> >
> > I don't understand why ssh connections are not working.
> > /etc/host.allow is configured to allow me to connect with sshd from myip
> > and myhost to this host.
> > In /etc/ssh/sshd_config, the AllowGroup line is good. myuser belongs to the
> > right group in AllowGroup.
> >
> > Here is the command used to join the realm on myremotehost :
> > ###
> > ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary
> > --server=IPASERVER1 --server=IPASERVER2  --principal=admin
> > --password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh
> > --no-sshd
> > ###
> >
> > Does the problem come from --no-ssh or --no-sshd ? How can I solve this
> > problem without launching this command again ?
> >
> > Best regards.
> >
> > Lune
> >

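Sumit's reply above points at two checks: which PAM module logged the "authentication failure" in /var/log/secure, and whether pam_sss is reachable from /etc/pam.d/sshd through the password-auth substack. The following added example (mine, not code from the thread, SSSD or FreeIPA) resolves the include/substack chain of a constructed /etc/pam.d set, reports whether pam_sss.so is in sshd's auth stack, and attributes logged failures to a module. The "fixed" password-auth is modelled on the order the RHEL 7 authconfig layout uses; all file contents, hostnames and log lines are constructed.

```python
import re

# Constructed /etc/pam.d contents modelled on a RHEL 7 host whose auth stack
# never had pam_sss added: password-auth knows only pam_unix.
PAM_FILES = {
    "/etc/pam.d/sshd": (
        "auth       required     pam_sepermit.so\n"
        "auth       substack     password-auth\n"
        "account    required     pam_nologin.so\n"
        "account    include      password-auth\n"
    ),
    "/etc/pam.d/password-auth": (
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success\n"
        "auth        required      pam_deny.so\n"
        "account     required      pam_unix.so\n"
    ),
}

# The same file with SSSD wired in, in the order the RHEL 7 authconfig layout
# uses: pam_sss is tried after pam_unix fails and before pam_deny.
FIXED_PASSWORD_AUTH = (
    "auth        required      pam_env.so\n"
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    "auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success\n"
    "auth        sufficient    pam_sss.so use_first_pass\n"
    "auth        required      pam_deny.so\n"
    "account     [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
)

# facility, control (one word or a [bracketed] expression), module or target
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
PAM_FAIL_RE = re.compile(
    r"(pam_\w+)\((\w+):(\w+)\): authentication failure.*\buser=(\S+)")


def pam_stack(service, facility, files, depth=0):
    """(control, module) pairs for one facility, following include/substack."""
    if depth > 8:  # refuse runaway include chains
        raise RuntimeError("PAM include nesting too deep")
    stack = []
    for raw in files.get("/etc/pam.d/" + service, "").splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != facility:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            stack.extend(pam_stack(target, facility, files, depth + 1))
        else:
            stack.append((control, target))
    return stack


def auth_modules(service, files):
    return [module for _, module in pam_stack(service, "auth", files)]


def sss_in_auth(service, files):
    """True when a password for this service can reach SSSD at all."""
    return "pam_sss.so" in auth_modules(service, files)


def failed_modules(log_lines):
    """(module, service, facility, user) for each PAM auth failure logged."""
    return [m.groups() for m in map(PAM_FAIL_RE.search, log_lines) if m]


# Constructed /var/log/secure lines in the shape quoted in the thread.
SAMPLE_SECURE = [
    "Jun  9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost  user=myuser",
    "Jun  9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from myip port 62250 ssh2",
]
```

A failure logged only by pam_unix, with no pam_sss line at all, means the IPA user's password never reached SSSD; on a live host read the real files from /etc/pam.d into the dict instead of the constructed ones.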