[Freeipa-users] ghost replica for radius server

2022-11-17 Thread Grant Janssen via FreeIPA-users
Building a radius server, and decided this was an ideal application for a 
hidden replica.
I got some errors in the replica install, and the consistency check does not 
show a ghost replica (but does show my radius host in Replication Status.)
I run external DNS; this radius host has only A and PTR records.

grant@radius01:~[20221117-13:45][#89]$ sudo ipa-replica-install --setup-ca --hidden-replica
Password for ad...@production.efilm.com: *

WARNING: 376 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
-snip-
  [28/30]: importing IPA certificate profiles
Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
Failed to import profile 'acmeIPAServerCert': Request failed with status 500: 
Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade when 
installation is completed may resolve this issue.
  [29/30]: configuring certmonger renewal for lightweight CAs
  [30/30]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: 
Server at https://ef-idm01.production.efilm.com/ipa/json failed request, will 
retry: 903 (an internal error has occurred).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
-snip-
  [7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful
grant@radius01:~[20221117-13:51][#90]$

check consistency
grant@radius01:~[20221117-13:53][#92]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W *
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
=========================================================================
Active Users        349         349         349         349         OK
Stage Users         7           7           7           7           OK
Preserved Users     5           5           5           5           OK
User Groups         42          42          42          42          OK
Hosts               423         423         423         423         OK
Host Groups         23          23          23          23          OK
HBAC Rules          9           9           9           9           OK
SUDO Rules          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=========================================================================
grant@radius01:~[20221117-13:53][#93]$

I executed ipa-server-upgrade as suggested
grant@radius01:~[20221117-16:09][#88]$ sudo ipa-server-upgrade
[sudo] password for grant:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
Add failure attribute "cn" not allowed
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
-snip-
Migrating profile 'caAuditSigningCert'
[Ensuring presence of included profiles]
[Add default CA ACL]
[Updating ACME configuration]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add r...@production.efilm.com alias to admin account]
A
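The "Ghost Replicas" row above is the check worth understanding here: a ghost replica is a replica ID that still sits in the suffix's replica update vector (RUV) although no server under cn=masters owns it any more. The script below does that check by hand; it is an added example, not code from the post, from FreeIPA or from ipa_check_consistency. The RUV values, CSNs and the decommissioned host old-idm.production.efilm.com (replica ID 9) are constructed to mirror the topology in the thread, and a hidden replica is treated as a normal master because it keeps its cn=masters entry (it is only left out of the DNS SRV records and has its roles marked hidden).

```python
"""Spot ghost replicas in a 389-ds RUV (added example, not FreeIPA code).

On a real server the two inputs come from (admin Kerberos ticket needed):
  ldapsearch -Y GSSAPI -b dc=production,dc=efilm,dc=com \
    '(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))' nsds50ruv
  ldapsearch -Y GSSAPI -b cn=masters,cn=ipa,cn=etc,dc=production,dc=efilm,dc=com -s one cn
Hostnames, replica IDs and CSNs below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One nsds50ruv value per replica:
#   {replica <rid> ldap://<host>:<port>} [<min CSN> [<max CSN>]]
# The first value, "{replicageneration} <hex>", names no replica.
RUV_ELEMENT = re.compile(
    r"^\{replica (?P<rid>\d+) ldap://(?P<host>[^:/}]+)(?::\d+)?\}"
    r"(?:\s+(?P<min_csn>[0-9a-f]+))?(?:\s+(?P<max_csn>[0-9a-f]+))?\s*$"
)


@dataclass(frozen=True)
class RuvElement:
    rid: int
    host: str
    max_csn: Optional[str]  # None for a replica that has not replicated a change yet


def parse_ruv(values: Iterable[str]) -> List[RuvElement]:
    """Parse the nsds50ruv values of the RUV tombstone, skipping replicageneration."""
    elements = []
    for value in values:
        value = value.strip()
        if value.startswith("{replicageneration}"):
            continue
        match = RUV_ELEMENT.match(value)
        if match is None:
            raise ValueError(f"unrecognised RUV element: {value!r}")
        elements.append(RuvElement(int(match["rid"]),
                                   match["host"].lower().rstrip("."),
                                   match["max_csn"]))
    return elements


def find_ghosts(ruv: Iterable[RuvElement], masters: Iterable[str]) -> List[RuvElement]:
    """RUV elements whose host has no entry under cn=masters are ghosts.

    A hidden replica keeps its cn=masters entry, so a correctly installed
    hidden replica such as radius01 is not a ghost; neither is a master that
    is merely unreachable right now.
    """
    known = {m.lower().rstrip(".") for m in masters}
    return [element for element in ruv if element.host not in known]


def cleanup_commands(ghosts: Iterable[RuvElement]) -> List[str]:
    """One clean-ruv per ghost; the CA suffix (o=ipaca) has its own RUV,
    handled by ipa-csreplica-manage with the same subcommands."""
    return [f"ipa-replica-manage clean-ruv {g.rid}" for g in ghosts]


MASTERS = [  # constructed to mirror the thread's topology
    "ef-idm01.production.efilm.com", "ef-idm02.production.efilm.com",
    "ef-idm03.production.efilm.com", "ef-idm04.production.efilm.com",
    "radius01.production.efilm.com",  # the new hidden replica
]

SAMPLE_RUV = [  # constructed nsds50ruv values; replica 9 is an invented retired server
    "{replicageneration} 5f1c2a3b000000040000",
    "{replica 4 ldap://ef-idm01.production.efilm.com:389} 5f1c2a3b000000040000 6376a1f2000000040000",
    "{replica 5 ldap://ef-idm02.production.efilm.com:389} 5f1c2b00000000050000 6376a1f0000000050000",
    "{replica 6 ldap://ef-idm03.production.efilm.com:389} 5f1c2b10000000060000 6376a1e9000000060000",
    "{replica 7 ldap://ef-idm04.production.efilm.com:389} 5f1c2b20000000070000 6376a1c4000000070000",
    "{replica 12 ldap://radius01.production.efilm.com:389}",
    "{replica 9 ldap://old-idm.production.efilm.com:389} 5f1c2b30000000090000 61e0f3a1000000090000",
]

if __name__ == "__main__":
    ghosts = find_ghosts(parse_ruv(SAMPLE_RUV), MASTERS)
    for ghost in ghosts:
        print(f"ghost replica {ghost.rid} ({ghost.host}), last CSN {ghost.max_csn}")
    for command in cleanup_commands(ghosts):
        print("   ", command)
```

Run it against the constructed data and only replica 9 is reported; run `ipa server-find` (or `ipa server-show` for the hidden state) before cleaning anything, because a master that is defined but down looks the same in the RUV as a healthy one and must not be cleaned.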

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users
I feel like this output from "ipa-certupdate -v" is relevant:

ipapython.ipautil: DEBUG: stderr=
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request 
'20201114211109'
ipalib.install.certmonger: DEBUG: certmonger request is in state 
dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state 
dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state 
dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state 
dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state 
dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request 
'20201114211109'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 
'dbm:/etc/ipa/nssdb', '-L', '-n', 'IPA CA', '-a', '-f', 
u'/etc/ipa/nssdb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: SCEP

2022-11-17 Thread Francis Augusto Medeiros-Logeay via FreeIPA-users


On 2022-11-17 14:55, Rob Crittenden via FreeIPA-users wrote:

Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:



On 17 Nov 2022, at 10:15, Alexander Bokovoy wrote:


On to, 17 marras 2022, Francis Augusto Medeiros-Logeay via 
FreeIPA-users wrote:

Hi,

I try to find good documentation on SCEP and FreeIPA, but I cannot 
find something that seems updated nor conclusive.


Does FreeIPA support SCEP out of the box, or does it need some 
hacking to do so?


And does it support other types of certificate enrolment besides its 
own api/client?





Thanks a lot for a very explanatory answer as usual, Alexander.

It really depends on what you are asking for: FreeIPA as an integrated
CA or FreeIPA as a consumer of some other CA.


I was thinking more as FreeIPA and its own CA.


As a consumer of some other CAs, certmonger supports requesting
certificates through SCEP. See certmonger-scep-submit(8) man page and
/usr/share/doc/certmonger/scep.txt for details.

FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
does have support for SCEP responder but it is not configured by default
and is not supported in IPA frontend that does verification of the
request.


Yes, I guess that this is what some of the documents I’ve seen around 
say.



FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
Would using ACME be a better option?


I was thinking of trying to use FreeIPA with some MDM solutions, and 
the one I am trying (Workspace ONE) does not support ACME, 
unfortunately.


I think the dogtag SCEP server might be difficult to use in automation.

It uses a flat authentication file consisting of the remote IP address
and PIN, probably making it difficult for mobile devices which don't use
static addresses. Creating some sort of middle-man service that updates
the file and returns the PIN to use would be a security target.



Thanks Rob. I think most people would use a proxy anyway since the PKI 
usually is on prem and secluded, while the clients can be anywhere - but 
I might be wrong.


Best,

Francis


[Freeipa-users] Re: SCEP

2022-11-17 Thread Francis Augusto Medeiros-Logeay via FreeIPA-users



On 2022-11-17 11:12, Alexander Bokovoy via FreeIPA-users wrote:

On to, 17 marras 2022, Francis Augusto Medeiros-Logeay wrote:



On 17 Nov 2022, at 10:15, Alexander Bokovoy wrote:


On to, 17 marras 2022, Francis Augusto Medeiros-Logeay via 
FreeIPA-users wrote:

Hi,

I try to find good documentation on SCEP and FreeIPA, but I cannot 
find something that seems updated nor conclusive.


Does FreeIPA support SCEP out of the box, or does it need some 
hacking to do so?


And does it support other types of certificate enrolment besides its 
own api/client?





Thanks a lot for a very explanatory answer as usual, Alexander.

It really depends on what you are asking for: FreeIPA as an integrated
CA or FreeIPA as a consumer of some other CA.


I was thinking more as FreeIPA and its own CA.


As a consumer of some other CAs, certmonger supports requesting
certificates through SCEP. See certmonger-scep-submit(8) man page and
/usr/share/doc/certmonger/scep.txt for details.

FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
does have support for SCEP responder but it is not configured by default
and is not supported in IPA frontend that does verification of the
request.


Yes, I guess that this is what some of the documents I’ve seen around 
say.



FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
Would using ACME be a better option?


I was thinking of trying to use FreeIPA with some MDM solutions, and
the one I am trying (Workspace ONE) does not support ACME,
unfortunately.


I can only suggest to look at Dogtag's documentation and practical
examples. Dogtag PKI's CI system has a SCEP scenario with a core
configuration defined here:
https://github.com/dogtagpki/pki/blob/master/.github/workflows/scep-test.yml#L79-L90
This test configuration allows SCEP client from the 'client' system
(running in a separate container but that is an implementation detail),
more details available in 
https://github.com/dogtagpki/pki/wiki/Configuring-SCEP-Responder


Since access to integrated CA is proxied via IPA's httpd instance, you'd
also need to add one more PKI proxy rule in
/etc/httpd/conf.d/ipa-pki-proxy.conf. The required URL path is shown in
the test and that wiki page.

Something like

# matches for SCEP API of CA
# (the LocationMatch wrapper was lost in the archive; the path is the Dogtag
#  SCEP responder endpoint documented on the wiki page linked above)
<LocationMatch "^/ca/cgi-bin/pkiclient.exe">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009 secret=---copy-value-from-the-other-LocationMatch-entries
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>



Thanks a lot! I will check the docs a bit closer.

Best,

Francis


[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 marras 2022, Rob Crittenden via FreeIPA-users wrote:

Roberto Cornacchia via FreeIPA-users wrote:

Oh. I hadn't forgotten. This is what happened.

These are my settings:

[root@ipa02 etc]# cat sysctl.conf | grep -v '#'
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0

These will overwrite my settings:

[root@ipa02 etc]# cat sysctl.d/anaconda.conf
# Anaconda disabling ipv6 (noipv6 option)
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

Two questions:
- Does FreeIPA (or, some components therein) really require ipv6? During
installation, it forced me to enable it.


ipv6 can listen to both ipv4 and ipv6. It is required.


It is also a common misunderstanding among administrators. Man page for
ipv6(7) has it covered but people hardly read that:

--
   IPv4  connections  can  be  handled with the v6 API by using the
   v4-mapped-on-v6 address type; thus a program needs to support
   only this API type to support both protocols.  This is handled
   transparently by the address handling functions in the C library.

   IPv4 and IPv6 share the local port space.  When you get an IPv4
   connection or packet to an IPv6 socket, its source address will
   be mapped to v6 and it will be mapped to v6.
--




- If so, these anaconda settings look like a trivial way to break the
system. I didn't install anaconda, but it was probably part of some
dependencies. Can something be done to make this more robust?


It isn't a common issue.

rob



Best, Roberto

On Thu, 17 Nov 2022 at 19:06, Roberto Cornacchia
<roberto.cornacc...@gmail.com> wrote:

I found it!

dirsrv listens on ipv6 only.
I had set net.ipv6.conf.all.disable_ipv6
and net.ipv6.conf.all.disable_ipv6 to 0, but apparently forgot to
make the change permanent, so after the reboot ipv6 was disabled.



On Thu, 17 Nov 2022 at 18:50, Roberto Cornacchia
<roberto.cornacc...@gmail.com> wrote:

This, however, works:

# ldapsearch -H ldap://localhost:389 -x uid=roberto
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: uid=roberto
# requesting: ALL
#

# roberto, users, compat, hq.spinque.com 
dn: uid=roberto,cn=users,cn=compat,dc=hq,dc=spinque,dc=com
[.. omitted ..]


On Thu, 17 Nov 2022 at 18:44, Roberto Cornacchia
<roberto.cornacc...@gmail.com> wrote:


You still have a replication agreement, and until its
removed you will keep seeing these messages.  However
it's not related to this issue though.


Good to know. I hope there is a way to force removal of that
agreement.


- sometimes, but not always, this log also shows:
ERR - bdb_version_write - Could not open file
"/dev/shm/slapd-HQ-SPINQUE-COM/DBVERSION" for writing
Netscape Portable Runtime -5950 (File not found.)


This might happen after a system reboot.  It should be
safe to ignore as long as the server still starts :)

Again, good to know, thanks

So looking at the error log it looks like the server is
started.  Schema compat plugin is doing its
initialization which is very resource intensive, but the
server should still be working.

Try doing a ldapsearch just to see if it's responding:

ldapsearch -H ldap://localhost:389 -b "" -s base -D
"cn=directory manager" -W

Ouch, I don't have the directory manager password with me at
the moment, I'll have to wait till tomorrow when I go to the
office.
The server is up and listening:

# netstat -tulnp | grep 389
tcp6       0      0 :::389                  :::*                    LISTEN      3575/ns-slapd

However, it's not just a slow start. 
I can start all the other services via systemctl, so things
seem ok, but when much later I do ipactl stop I get:

# ipactl stop
Failed to read data from Directory Service: Timeout exceeded
Shutting down

So, it's really not cooperating.






[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
>
> It isn't a common issue.
>
>
You are right. I thought it referred to the Python Anaconda package. This
file was generated by anaconda the installer, apparently we had a --noipv6
in the kickstart.
(bad practice by anaconda anyway, to use non-numbered configuration files)

Roberto
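Why anaconda.conf wins over /etc/sysctl.conf is a precedence rule, not bad luck, and it is worth being able to predict it before a reboot. The script below resolves the effective value and the winning file for each key the way systemd-sysctl does; it is an added example, not code from the thread or from systemd. Rules it encodes, per sysctl.d(5): every *.conf from /etc/sysctl.d, /run/sysctl.d and /usr/lib/sysctl.d is applied in file-name order regardless of directory, a file in /etc masks a same-named file in /run or /usr/lib, and for the same key the later file wins. systemd-sysctl does not read /etc/sysctl.conf itself; Fedora and RHEL reach it through the /etc/sysctl.d/99-sysctl.conf symlink, and "99-..." sorts before any name starting with a letter. The file contents are constructed from the thread; the vendor 50-default.conf entry is invented.

```python
"""Resolve sysctl.d precedence the way systemd-sysctl does (added example)."""
import glob
import os
from typing import Dict, List, Tuple

# Highest precedence first: /etc masks /run masks /usr/lib for equal file names.
DIR_PRIORITY = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/lib/sysctl.d"]


def parse_fragment(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines.  '#' and ';' start comments; a leading '-'
    means 'ignore failures' and is not part of the key; '/' is an alias for '.'."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip().lstrip("-").replace("/", ".")] = value.strip()
    return settings


def ordered_fragments(files: Dict[str, str]) -> List[Tuple[str, Dict[str, str]]]:
    """files maps absolute path -> contents.  Returns (path, settings) in
    the order systemd-sysctl applies them."""
    chosen: Dict[str, Tuple[int, str, Dict[str, str]]] = {}
    for path, text in files.items():
        directory, name = os.path.split(path)
        if not name.endswith(".conf") or directory not in DIR_PRIORITY:
            continue
        rank = DIR_PRIORITY.index(directory)
        if name not in chosen or rank < chosen[name][0]:   # /etc masks /run masks /usr/lib
            chosen[name] = (rank, path, parse_fragment(text))
    # sorted() on str is codepoint order, the strcmp order systemd uses,
    # so "99-sysctl.conf" is applied before "anaconda.conf"
    return [(path, settings) for _, (_, path, settings) in sorted(chosen.items())]


def resolve(files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Effective value and winning file for every key (later file wins)."""
    effective: Dict[str, Tuple[str, str]] = {}
    for path, settings in ordered_fragments(files):
        for key, value in settings.items():
            effective[key] = (value, path)
    return effective


def load_system_fragments() -> Dict[str, str]:
    """Read the real directories on a server (not exercised offline)."""
    files: Dict[str, str] = {}
    for directory in DIR_PRIORITY:
        for path in glob.glob(os.path.join(directory, "*.conf")):
            try:
                with open(path, encoding="utf-8") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return files


SAMPLE_FILES = {  # constructed; 99-sysctl.conf stands in for the /etc/sysctl.conf symlink
    "/etc/sysctl.d/99-sysctl.conf":
        "net.ipv6.conf.all.disable_ipv6=0\nnet.ipv6.conf.default.disable_ipv6=0\n",
    "/etc/sysctl.d/anaconda.conf":
        "# Anaconda disabling ipv6 (noipv6 option)\n"
        "net.ipv6.conf.all.disable_ipv6=1\nnet.ipv6.conf.default.disable_ipv6=1\n",
    "/usr/lib/sysctl.d/50-default.conf": "-net.ipv4.conf.all.rp_filter = 2\n",  # invented vendor default
}

if __name__ == "__main__":
    for key, (value, path) in sorted(resolve(SAMPLE_FILES).items()):
        print(f"{key} = {value}    (from {path})")
```

Running `sysctl -p` by hand applies /etc/sysctl.conf last and so appears to work, which is exactly why the setting survived until the reboot; the durable fix is to delete /etc/sysctl.d/anaconda.conf (or to add a fragment whose name sorts after it), and `sysctl --system` replays the whole ordered set so you can verify without rebooting.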


[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote:
> Oh. I hadn't forgotten. This is what happened.
> 
> These are my settings:
> 
> [root@ipa02 etc]# cat sysctl.conf | grep -v '#'
> net.ipv6.conf.all.disable_ipv6=0
> net.ipv6.conf.default.disable_ipv6=0
> 
> These will overwrite my settings:
> 
> [root@ipa02 etc]# cat sysctl.d/anaconda.conf
> # Anaconda disabling ipv6 (noipv6 option)
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
> 
> Two questions:
> - Does FreeIPA (or, some components therein) really require ipv6? During
> installation, it forced me to enable it.

ipv6 can listen to both ipv4 and ipv6. It is required.

> - If so, these anaconda settings look like a trivial way to break the
> system. I didn't install anaconda, but it was probably part of some
> dependencies. Can something be done to make this more robust?

It isn't a common issue.

rob

> 
> Best, Roberto
> 
> On Thu, 17 Nov 2022 at 19:06, Roberto Cornacchia
> <roberto.cornacc...@gmail.com> wrote:
> 
> I found it!
> 
> dirsrv listens on ipv6 only.
> I had set net.ipv6.conf.all.disable_ipv6
> and net.ipv6.conf.all.disable_ipv6 to 0, but apparently forgot to
> make the change permanent, so after the reboot ipv6 was disabled.
> 
> 
> 
> On Thu, 17 Nov 2022 at 18:50, Roberto Cornacchia
> <roberto.cornacc...@gmail.com> wrote:
> 
> This, however, works:
> 
> # ldapsearch -H ldap://localhost:389 -x uid=roberto
> # extended LDIF
> #
> # LDAPv3
> # base  (default) with scope subtree
> # filter: uid=roberto
> # requesting: ALL
> #
> 
> # roberto, users, compat, hq.spinque.com 
> dn: uid=roberto,cn=users,cn=compat,dc=hq,dc=spinque,dc=com
> [.. omitted ..]
> 
> 
> On Thu, 17 Nov 2022 at 18:44, Roberto Cornacchia
> <roberto.cornacc...@gmail.com> wrote:
> 
> 
> You still have a replication agreement, and until its
> removed you will keep seeing these messages.  However
> it's not related to this issue though.
> 
> 
> Good to know. I hope there is a way to force removal of that
> agreement.
> 
>> - sometimes, but not always, this log also shows:
>> ERR - bdb_version_write - Could not open file
>> "/dev/shm/slapd-HQ-SPINQUE-COM/DBVERSION" for writing
>> Netscape Portable Runtime -5950 (File not found.)
> 
> This might happen after a system reboot.  It should be
> safe to ignore as long as the server still starts :)
> 
> Again, good to know, thanks
> 
> So looking at the error log it looks like the server is
> started.  Schema compat plugin is doing its
> initialization which is very resource intensive, but the
> server should still be working.
> 
> Try doing a ldapsearch just to see if it's responding:
> 
> ldapsearch -H ldap://localhost:389 -b "" -s base -D
> "cn=directory manager" -W
> 
> Ouch, I don't have the directory manager password with me at
> the moment, I'll have to wait till tomorrow when I go to the
> office.
> The server is up and listening:
> 
> # netstat -tulnp | grep 389
> tcp6       0      0 :::389                  :::*                    LISTEN      3575/ns-slapd
> 
> However, it's not just a slow start. 
> I can start all the other services via systemctl, so things
> seem ok, but when much later I do ipactl stop I get:
> 
> # ipactl stop
> Failed to read data from Directory Service: Timeout exceeded
> Shutting down
> 
> So, it's really not cooperating.
> 
> 
> 
> 

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users

> ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but
> it definitely looks wrong, unless IPA was installed with custom (and
> puzzling) options: subject CN=localhost.
> 
> How was IPA installed? The default settings would install a self-signed CA
> with subject CN=Certificate Authority,O=IPA.TEST for instance.
> What is the content of /etc/ipa/ca.crt? You should see the original IPA CA
> in this file.

Yeah, I just used 'ipa-server-install' and as much default as possible. 
Definitely wasn't trying anything fancy.  I do still have the original install 
log (and my entire command history) if there's something worth looking for in 
there.

/etc/ipa/ca.crt is just "-----BEGIN CERTIFICATE-----[text]-----END 
CERTIFICATE-----"; should there be something more informative in there?

Any thoughts on what I can try to renew these?

As an aside: Honestly, I would love nothing more than to get IPA off of this 
damn server and onto one that is actually supported and can, you know, be 
updated. :[  My impression is that the only way I can do that though is through 
replicating it to another instance and promoting the new one/retiring the old 
one... but like I said, I have tried many times to add another and have been 
unsuccessful. Is there a way to restore the data from a backup into a new 
install?

PS. Thank you for replying; I appreciate the help.
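The two messages in this thread (the certutil "Could not find cert: IPA CA" failure in /etc/ipa/nssdb, and the CA certificate with subject CN=localhost expiring on 2022-11-11) are both answered by the same triage: decode whatever the server currently believes is its CA and compare it with what a FreeIPA CA should look like. The script below does that from the summary printed by `openssl x509 -noout -subject -issuer -enddate -ext basicConstraints`, read either from /etc/ipa/ca.crt or from the "IPA CA" nickname in /etc/ipa/nssdb via `certutil -a`. It is an added example, not code from the thread or from FreeIPA; the constructed SAMPLE_SUMMARY mirrors what the thread describes (subject CN=localhost, expiry 2022-11-11), while the time of day and the IPA.TEST realm are assumptions. The expected default subject, "CN=Certificate Authority,O=<REALM>", is the one quoted in the reply above.

```python
"""Triage the certificate a FreeIPA server believes is its CA (added example)."""
import re
import subprocess
from datetime import datetime, timezone
from typing import Any, Dict, List, Union

OPENSSL_SUMMARY = ["openssl", "x509", "-noout", "-subject", "-issuer",
                   "-enddate", "-ext", "basicConstraints"]

SAMPLE_SUMMARY = """\
subject=CN = localhost
issuer=CN = localhost
notAfter=Nov 11 17:04:22 2022 GMT
X509v3 Basic Constraints: critical
    CA:TRUE
"""


def _dn_to_dict(dn: str) -> Dict[str, str]:
    """Accepts 'CN = a, O = b', RFC 2253 'CN=a,O=b' and legacy '/CN=a/O=b'.
    Values containing ',' or '/' are not handled; the IPA default DN has neither."""
    result: Dict[str, str] = {}
    for part in re.split(r"[,/]", dn):
        key, sep, value = part.partition("=")
        if sep:
            result[key.strip().upper()] = value.strip()
    return result


def parse_summary(text: str) -> Dict[str, Any]:
    """Pick subject, issuer, notAfter and the CA flag out of the openssl summary."""
    info: Dict[str, Any] = {"subject": {}, "issuer": {}, "not_after": None, "is_ca": False}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            info["subject"] = _dn_to_dict(line[len("subject="):])
        elif line.startswith("issuer="):
            info["issuer"] = _dn_to_dict(line[len("issuer="):])
        elif line.startswith("notAfter="):
            # openssl pads single-digit days ("Nov  1 ..."); collapse the whitespace
            stamp = " ".join(line[len("notAfter="):].split())
            info["not_after"] = datetime.strptime(
                stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
        elif line.startswith("CA:"):
            info["is_ca"] = line.startswith("CA:TRUE")   # may continue ", pathlen:N"
    return info


def triage(info: Dict[str, Any], realm: str,
           now: Union[str, datetime, None] = None) -> List[str]:
    """Human-readable problems; an empty list means it looks like an IPA CA cert."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    findings: List[str] = []
    subject = info["subject"]
    expected = {"CN": "Certificate Authority", "O": realm.upper()}
    if {k: subject.get(k) for k in expected} != expected:
        findings.append(f"subject {subject} is not the IPA default {expected}")
    if not info["is_ca"]:
        findings.append("no basicConstraints CA:TRUE: this is not a CA certificate")
    not_after = info["not_after"]
    if not_after is None:
        findings.append("notAfter missing from summary")
    elif not_after < now:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    return findings


def summary_of_file(path: str) -> str:
    """e.g. summary_of_file('/etc/ipa/ca.crt')"""
    return subprocess.run(OPENSSL_SUMMARY + ["-in", path], check=True,
                          capture_output=True, text=True).stdout


def summary_of_nssdb(nickname: str = "IPA CA", dbdir: str = "/etc/ipa/nssdb") -> str:
    """Raises CalledProcessError when the nickname is absent, as certutil did above."""
    pem = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                         check=True, capture_output=True, text=True).stdout
    return subprocess.run(OPENSSL_SUMMARY, input=pem, check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for problem in triage(parse_summary(SAMPLE_SUMMARY), "IPA.TEST", now="2022-11-17"):
        print("-", problem)
```

On the constructed sample it reports two problems (wrong subject, expired). Running it against both /etc/ipa/ca.crt and the nssdb nickname tells you whether the two disagree, which is the first thing to establish before attempting another `ipa-cacert-manage renew`.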


[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
Oh. I hadn't forgotten. This is what happened.

These are my settings:

[root@ipa02 etc]# cat sysctl.conf | grep -v '#'
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0

These will overwrite my settings:

[root@ipa02 etc]# cat sysctl.d/anaconda.conf
# Anaconda disabling ipv6 (noipv6 option)
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

Two questions:
- Does FreeIPA (or, some components therein) really require ipv6? During
installation, it forced me to enable it.
- If so, these anaconda settings look like a trivial way to break the
system. I didn't install anaconda, but it was probably part of some
dependencies. Can something be done to make this more robust?

Best, Roberto

On Thu, 17 Nov 2022 at 19:06, Roberto Cornacchia <
roberto.cornacc...@gmail.com> wrote:

> I found it!
>
> dirsrv listens on ipv6 only.
> I had set net.ipv6.conf.all.disable_ipv6
> and net.ipv6.conf.all.disable_ipv6 to 0, but apparently forgot to make the
> change permanent, so after the reboot ipv6 was disabled.
>
>
>
> On Thu, 17 Nov 2022 at 18:50, Roberto Cornacchia <
> roberto.cornacc...@gmail.com> wrote:
>
>> This, however, works:
>>
>> # ldapsearch -H ldap://localhost:389 -x uid=roberto
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  (default) with scope subtree
>> # filter: uid=roberto
>> # requesting: ALL
>> #
>>
>> # roberto, users, compat, hq.spinque.com
>> dn: uid=roberto,cn=users,cn=compat,dc=hq,dc=spinque,dc=com
>> [.. omitted ..]
>>
>>
>> On Thu, 17 Nov 2022 at 18:44, Roberto Cornacchia <
>> roberto.cornacc...@gmail.com> wrote:
>>
>>>
 You still have a replication agreement, and until its removed you will
 keep seeing these messages.  However it's not related to this issue though.

>>>
>>> Good to know. I hope there is a way to force removal of that agreement.
>>>
 - sometimes, but not always, this log also shows:
 ERR - bdb_version_write - Could not open file
 "/dev/shm/slapd-HQ-SPINQUE-COM/DBVERSION" for writing Netscape Portable
 Runtime -5950 (File not found.)

 This might happen after a system reboot.  It should be safe to ignore
 as long as the server still starts :)

>>> Again, good to know, thanks
>>>
 So looking at the error log it looks like the server is started.
 Schema compat plugin is doing its initialization which is very resource
 intensive, but the server should still be working.

 Try doing a ldapsearch just to see if it's responding:

 ldapsearch -H ldap://localhost:389 -b "" -s base -D "cn=directory
 manager" -W

>>> Ouch, I don't have the directory manager password with me at the moment,
>>> I'll have to wait till tomorrow when I go to the office.
>>> The server is up and listening:
>>>
>>> # netstat -tulnp | grep 389
>>> tcp6       0      0 :::389                  :::*                    LISTEN      3575/ns-slapd
>>>
>>> However, it's not just a slow start.
>>> I can start all the other services via systemctl, so things seem ok, but
>>> when much later I do ipactl stop I get:
>>>
>>> # ipactl stop
>>> Failed to read data from Directory Service: Timeout exceeded
>>> Shutting down
>>>
>>> So, it's really not cooperating.
>>>
>>>
>>>


[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
I found it!

dirsrv listens on ipv6 only.
I had set net.ipv6.conf.all.disable_ipv6 and net.ipv6.conf.all.disable_ipv6
to 0, but apparently forgot to make the change permanent, so after the
reboot ipv6 was disabled.



On Thu, 17 Nov 2022 at 18:50, Roberto Cornacchia <
roberto.cornacc...@gmail.com> wrote:

> This, however, works:
>
> # ldapsearch -H ldap://localhost:389 -x uid=roberto
> # extended LDIF
> #
> # LDAPv3
> # base  (default) with scope subtree
> # filter: uid=roberto
> # requesting: ALL
> #
>
> # roberto, users, compat, hq.spinque.com
> dn: uid=roberto,cn=users,cn=compat,dc=hq,dc=spinque,dc=com
> [.. omitted ..]
>
>
> On Thu, 17 Nov 2022 at 18:44, Roberto Cornacchia <
> roberto.cornacc...@gmail.com> wrote:
>
>>
>>> You still have a replication agreement, and until its removed you will
>>> keep seeing these messages.  However it's not related to this issue though.
>>>
>>
>> Good to know. I hope there is a way to force removal of that agreement.
>>
>>> - sometimes, but not always, this log also shows:
>>> ERR - bdb_version_write - Could not open file
>>> "/dev/shm/slapd-HQ-SPINQUE-COM/DBVERSION" for writing Netscape Portable
>>> Runtime -5950 (File not found.)
>>>
>>> This might happen after a system reboot.  It should be safe to ignore as
>>> long as the server still starts :)
>>>
>> Again, good to know, thanks
>>
>>> So looking at the error log it looks like the server is started.  Schema
>>> compat plugin is doing its initialization which is very resource intensive,
>>> but the server should still be working.
>>>
>>> Try doing a ldapsearch just to see if it's responding:
>>>
>>> ldapsearch -H ldap://localhost:389 -b "" -s base -D "cn=directory
>>> manager" -W
>>>
>> Ouch, I don't have the directory manager password with me at the moment,
>> I'll have to wait till tomorrow when I go to the office.
>> The server is up and listening:
>>
>> # netstat -tulnp | grep 389
>> tcp6       0      0 :::389                  :::*                    LISTEN      3575/ns-slapd
>>
>> However, it's not just a slow start.
>> I can start all the other services via systemctl, so things seem ok, but
>> when much later I do ipactl stop I get:
>>
>> # ipactl stop
>> Failed to read data from Directory Service: Timeout exceeded
>> Shutting down
>>
>> So, it's really not cooperating.
>>
>>
>>


[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
This, however, works:

# ldapsearch -H ldap://localhost:389 -x uid=roberto
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: uid=roberto
# requesting: ALL
#

# roberto, users, compat, hq.spinque.com
dn: uid=roberto,cn=users,cn=compat,dc=hq,dc=spinque,dc=com
[.. omitted ..]


On Thu, 17 Nov 2022 at 18:44, Roberto Cornacchia <
roberto.cornacc...@gmail.com> wrote:

>
>> You still have a replication agreement, and until its removed you will
>> keep seeing these messages.  However it's not related to this issue though.
>>
>
> Good to know. I hope there is a way to force removal of that agreement.
>
>> - sometimes, but not always, this log also shows:
>> ERR - bdb_version_write - Could not open file
>> "/dev/shm/slapd-HQ-SPINQUE-COM/DBVERSION" for writing Netscape Portable
>> Runtime -5950 (File not found.)
>>
>> This might happen after a system reboot.  It should be safe to ignore as
>> long as the server still starts :)
>>
> Again, good to know, thanks
>
>> So looking at the error log it looks like the server is started.  Schema
>> compat plugin is doing its initialization which is very resource intensive,
>> but the server should still be working.
>>
>> Try doing a ldapsearch just to see if it's responding:
>>
>> ldapsearch -H ldap://localhost:389 -b "" -s base -D "cn=directory
>> manager" -W
>>
> Ouch, I don't have the directory manager password with me at the moment,
> I'll have to wait till tomorrow when I go to the office.
> The server is up and listening:
>
> # netstat -tulnp | grep 389
> tcp6       0      0 :::389                  :::*                    LISTEN      3575/ns-slapd
>
> However, it's not just a slow start.
> I can start all the other services via systemctl, so things seem ok, but
> when much later I do ipactl stop I get:
>
> # ipactl stop
> Failed to read data from Directory Service: Timeout exceeded
> Shutting down
>
> So, it's really not cooperating.
>
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
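The listen-versus-respond distinction in this exchange, as an added example that is not part of the thread: a Python probe that, instead of ipactl's plain TCP port check, sends an anonymous LDAP bind and waits for the reply, which is what Mark's ldapsearch suggestion tests by hand. The two local stand-in servers and the port numbers in run_demo() are constructed for the demo; on a real replica the call would be ldap_probe("::1") or ldap_probe("localhost").

```python
"""LDAP readiness probe: is slapd answering, or only listening?

Added example, not code from the thread. ipactl's wait_for_open_ports only
checks that port 389 accepts a TCP connection, yet the netstat output above
shows ns-slapd LISTENing while ipactl still times out. This probe sends an
anonymous LDAPv3 simple bind and waits for the BindResponse. The servers in
run_demo() are constructed stand-ins: one answers binds, one stays silent.
"""
import socket
import socketserver
import threading

# LDAPMessage { messageID 1, BindRequest { version 3, name "", simple "" } }
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")


def build_anon_bind(message_id=1):
    """BER-encode an anonymous simple BindRequest (messageID kept to one byte)."""
    if not 0 <= message_id <= 127:
        raise ValueError("messageID must fit a single-byte INTEGER here")
    bind_op = b"\x60\x07" + b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"
    body = b"\x02\x01" + bytes([message_id]) + bind_op
    return b"\x30" + bytes([len(body)]) + body


def parse_bind_response(data):
    """Return (messageID, resultCode) from a short-form BindResponse, else ValueError."""
    if len(data) < 10 or data[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    if data[2:4] != b"\x02\x01":
        raise ValueError("unexpected messageID encoding")
    if data[5] != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % data[5])
    if data[7:9] != b"\x0a\x01":  # ENUMERATED resultCode, one byte
        raise ValueError("unexpected resultCode encoding")
    return data[4], data[9]


def ldap_probe(host, port=389, timeout=5.0):
    """Classify a server as 'closed', 'listening-no-response' or 'responding'.

    Any BindResponse counts as responding, even a non-zero resultCode (for
    example when anonymous binds are disabled): the question is only whether
    slapd answers at all within the timeout.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            sock.sendall(build_anon_bind())
            data = sock.recv(64)
        except OSError:  # includes the read timeout
            return "listening-no-response"
    try:
        parse_bind_response(data)
    except ValueError:  # empty read, or not an LDAP reply at all
        return "listening-no-response"
    return "responding"


class _BindOnlyHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in: answers any bind with resultCode success (0)."""
    def handle(self):
        data = self.request.recv(64)
        if len(data) > 4 and data[0] == 0x30:
            self.request.sendall(bytes([0x30, 0x0C, 0x02, 0x01, data[4], 0x61, 0x07,
                                        0x0A, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00]))


class _SilentHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in: accepts the connection and never answers."""
    def handle(self):
        self.request.recv(64)
        threading.Event().wait(2)  # hold the connection open past the probe timeout


def run_demo(timeout=0.5):
    """Probe both stand-ins plus an unused port; returns {label: verdict}."""
    results = {}
    for label, handler in (("answering", _BindOnlyHandler), ("stuck", _SilentHandler)):
        server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
        server.daemon_threads = True
        server.block_on_close = False
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            results[label] = ldap_probe("127.0.0.1", server.server_address[1], timeout)
        finally:
            server.shutdown()
            server.server_close()
    with socket.socket() as tmp:  # grab a free port, then release it
        tmp.bind(("127.0.0.1", 0))
        free_port = tmp.getsockname()[1]
    results["closed"] = ldap_probe("127.0.0.1", free_port, timeout)
    return results
```

run_demo() returns {"answering": "responding", "stuck": "listening-no-response", "closed": "closed"}; the "stuck" case is the one ipactl's port check cannot see.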


[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
>
>
> You still have a replication agreement, and until it's removed you will
> keep seeing these messages.  However it's not related to this issue though.
>

Good to know. I hope there is a way to force removal of that agreement.

> - sometimes, but not always, this log also shows:
> ERR - bdb_version_write - Could not open file
> "/dev/shm/slapd-HQ-SPINQUE-COM/DBVERSION" for writing Netscape Portable
> Runtime -5950 (File not found.)
>
> This might happen after a system reboot.  It should be safe to ignore as
> long as the server still starts :)
>
Again, good to know, thanks

> So looking at the error log it looks like the server is started.  Schema
> compat plugin is doing its initialization which is very resource intensive,
> but the server should still be working.
>
> Try doing a ldapsearch just to see if it's responding:
>
> ldapsearch -H ldap://localhost:389 -b "" -s base -D "cn=directory
> manager" -W
>
Ouch, I don't have the directory manager password with me at the moment,
I'll have to wait till tomorrow when I go to the office.
The server is up and listening:

# netstat -tulnp | grep 389
tcp6   0  0 :::389  :::*LISTEN
 3575/ns-slapd

However, it's not just a slow start.
I can start all the other services via systemctl, so things seem ok, but
when much later I do ipactl stop I get:

# ipactl stop
Failed to read data from Directory Service: Timeout exceeded
Shutting down

So, it's really not cooperating.


[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Thu, Nov 17, 2022 at 6:22 PM Sean McLennan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Mm. Actually, I'm not so sure.  Am I not interpreting the "getcert list"
> results correctly? When it says CA_UNREACHABLE because the cert expired,
> isn't that the CA Cert?
>
> Number of certificates and requests being tracked: 9.
> Request ID '20201114211025':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=[domain.com]
> subject: CN=IPA RA,O=[domain.com]
> expires: 2022-11-04 14:10:27 MDT
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20201114211106':
> status: NEED_CSR_GEN_TOKEN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=[domain.com]
> subject: CN=localhost
> expires: 2022-11-11 14:11:49 MST
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20201114211107':
> status: NEED_CSR_GEN_TOKEN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=[domain.com]
> subject: CN=localhost
> expires: 2022-11-11 14:11:53 MST
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20201114211108':
> status: NEED_CSR_GEN_TOKEN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=[domain.com]
> subject: CN=localhost
> expires: 2022-11-04 14:11:32 MDT
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20201114211109':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=[domain.com]
> subject: CN=localhost
> expires: 2022-11-11 14:11:50 MST
>
^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but
it definitely looks wrong, unless IPA was installed with custom (and
puzzling) options: subject CN=localhost.

How was IPA installed? The default settings would install a self-signed CA
with subject CN=Certificate Authority,O=IPA.TEST for instance.
What is the content of /etc/ipa/ca.crt? You should see the original IPA CA
in this file.

flo

> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
> track: yes
>
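A way to automate the reading Florence gives this output, as an added example that is not from either post: a parser for `getcert list` blocks that flags stuck requests, certificates expired at a reference date, and a CA signing certificate whose subject is not its issuer. The sample output (with [domain.com] as the poster's redaction) and the reference date AS_OF are constructed.

```python
"""Triage of `getcert list` output (added example, not code from the thread).

It parses request blocks in the format Sean posted and flags what Florence
points at: requests that are stuck or not MONITORING, certificates already
expired at a reference time, and a CA signing certificate whose subject does
not equal its issuer (a default FreeIPA CA is self-signed, so the two match).
SAMPLE is a constructed excerpt in that format, with [domain.com] standing in
for the redacted realm as in the post; AS_OF is the day of the thread.
"""
import re
from datetime import datetime

AS_OF = datetime(2022, 11, 17)
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20201114211025':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=[domain.com]
    subject: CN=IPA RA,O=[domain.com]
    expires: 2022-11-04 14:10:27 MDT
Request ID '20201114211106':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=[domain.com]
    subject: CN=localhost
    expires: 2022-11-11 14:11:49 MST
Request ID '20201114211109':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=[domain.com]
    subject: CN=localhost
    expires: 2022-11-11 14:11:50 MST
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
NICK_RE = re.compile(r"nickname='(?P<nick>[^']+)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # real output indents fields with a tab; posts often lose it
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # values may contain ':' themselves
            current[key.strip()] = value.strip()
    return requests


def cert_name(req):
    """NSS nickname when the cert lives in an NSS DB, otherwise its subject."""
    m = NICK_RE.search(req.get("certificate", ""))
    return m.group("nick") if m else req.get("subject", req["id"])


def parse_expiry(value):
    """certmonger prints e.g. '2022-11-11 14:11:50 MST'; the zone abbreviation
    does not go through strptime portably, so it is dropped (hours of slack)."""
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")


def triage(requests, now):
    """Return {cert name: [problems]} for every request that needs attention."""
    findings = {}
    for req in requests:
        problems = []
        if req.get("stuck") == "yes" or req.get("status") != "MONITORING":
            problems.append("status %s (stuck: %s)" % (req.get("status"), req.get("stuck")))
        if "expires" in req and parse_expiry(req["expires"]) < now:
            problems.append("expired " + req["expires"])
        # a self-signed IPA CA has subject == issuer; CN=localhost is not that
        if cert_name(req).startswith("caSigningCert") and req.get("subject") != req.get("issuer"):
            problems.append("CA subject %r != issuer %r" % (req.get("subject"), req.get("issuer")))
        if problems:
            findings[cert_name(req)] = problems
    return findings
```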

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users
Mm. Actually, I'm not so sure.  Am I not interpreting the "getcert list" 
results correctly? When it says CA_UNREACHABLE because the cert expired, isn't 
that the CA Cert?

Number of certificates and requests being tracked: 9.
Request ID '20201114211025':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=IPA RA,O=[domain.com]
expires: 2022-11-04 14:10:27 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20201114211106':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:49 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211107':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:53 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211108':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:32 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert 
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211109':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:50 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert 
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '2020111420':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:40 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 

[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Mark Reynolds via FreeIPA-users

Hi Roberto,

On 11/17/22 11:36 AM, Roberto Cornacchia via FreeIPA-users wrote:
Yesterday I installed a replica on a clean Rocky 9 system. No issues
at all. Everything seemed to work fine.

Today the machine was rebooted (no dnf updates, no system changes) and 
ipa could not start anymore.


ipactl start -d says:

Starting Directory Service
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'start', 
'dirsrv@HQ-SPINQUE-COM.service']

ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'is-active', 
'dirsrv@HQ-SPINQUE-COM.service']

ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
ipa: DEBUG: waiting for port: 389
ipa: DEBUG: Failed to connect to port 389 tcp on ::1
ipa: DEBUG:   File 
"/usr/lib/python3.9/site-packages/ipaserver/install/installutils.py", 
line 781, in run_script

    return_value = main_function()

  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipactl.py", 
line 739, in main

    ipa_restart(options)

  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipactl.py", 
line 499, in ipa_restart

    raise IpactlError("Failed to start Directory Service: " + str(e))

ipa: DEBUG: The ipactl command failed, exception: IpactlError: Failed 
to start Directory Service: Timeout exceeded

Failed to start Directory Service: Timeout exceeded

/var/log/dirsrv/slapd-HQ-SPINQUE-COM/errors says:

[17/Nov/2022:17:22:21.074990853 +0100] - INFO - slapd_extract_cert - 
CA CERT NAME: HQ.SPINQUE.COM  IPA CA
[17/Nov/2022:17:22:21.668775045 +0100] - WARN - Security 
Initialization - SSL alert: Sending pin request to SVRCore. You may 
need to run systemd-tty-ask-password-agent to provide the password if 
pin.txt does not exist.
[17/Nov/2022:17:22:22.295325169 +0100] - INFO - slapd_extract_cert - 
SERVER CERT NAME: Server-Cert
[17/Nov/2022:17:22:23.275812957 +0100] - INFO - Security 
Initialization - SSL info: Enabling default cipher set.
[17/Nov/2022:17:22:26.090728693 +0100] - INFO - Security 
Initialization - SSL info: Configured NSS Ciphers
[17/Nov/2022:17:22:26.771211814 +0100] - INFO - Security 
Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[17/Nov/2022:17:22:28.438124063 +0100] - INFO - Security 
Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[17/Nov/2022:17:22:28.928766931 +0100] - INFO - Security 
Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[17/Nov/2022:17:22:29.544178747 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 
enabled
[17/Nov/2022:17:22:30.099717701 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[17/Nov/2022:17:22:30.657974763 +0100] - INFO - Security 
Initialization - SSL info: 
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[17/Nov/2022:17:22:31.245996850 +0100] - INFO - Security 
Initialization - SSL info: 
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[17/Nov/2022:17:22:31.790186166 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 
enabled
[17/Nov/2022:17:22:32.205374722 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[17/Nov/2022:17:22:32.771492861 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[17/Nov/2022:17:22:33.139528386 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[17/Nov/2022:17:22:33.392948327 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[17/Nov/2022:17:22:33.420924018 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 
enabled
[17/Nov/2022:17:22:33.468560401 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[17/Nov/2022:17:22:33.524578902 +0100] - INFO - Security 
Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[17/Nov/2022:17:22:33.769874334 +0100] - INFO - Security 
Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[17/Nov/2022:17:22:34.596047264 +0100] - INFO - Security 
Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 
enabled
[17/Nov/2022:17:22:35.137255640 +0100] - INFO - Security 
Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[17/Nov/2022:17:22:35.938316117 +0100] - INFO - Security 
Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[17/Nov/2022:17:22:36.492933614 +0100] - INFO - Security 
Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[17/Nov/2022:17:22:37.059388478 +0100] - INFO - Security 
Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[17/Nov/2022:17:22:37.497954414 +0100] - INFO - Security 

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users
Oh. :P  Well isn't that embarrassing.

I guess it's the server certificate then?

ipa: ERROR: cannot connect to 'https://ipa01./ipa/json': [SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)


[Freeipa-users] dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
Yesterday I installed a replica on a clean Rocky 9 system. No issues at
all. Everything seemed to work fine.

Today the machine was rebooted (no dnf updates, no system changes) and ipa
could not start anymore.

ipactl start -d says:

Starting Directory Service
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'start', 'dirsrv@HQ-SPINQUE-COM.service']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'is-active',
'dirsrv@HQ-SPINQUE-COM.service']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
ipa: DEBUG: waiting for port: 389
ipa: DEBUG: Failed to connect to port 389 tcp on ::1
ipa: DEBUG:   File
"/usr/lib/python3.9/site-packages/ipaserver/install/installutils.py", line
781, in run_script
return_value = main_function()

  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipactl.py", line
739, in main
ipa_restart(options)

  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipactl.py", line
499, in ipa_restart
raise IpactlError("Failed to start Directory Service: " + str(e))

ipa: DEBUG: The ipactl command failed, exception: IpactlError: Failed to
start Directory Service: Timeout exceeded
Failed to start Directory Service: Timeout exceeded

/var/log/dirsrv/slapd-HQ-SPINQUE-COM/errors says:

[17/Nov/2022:17:22:21.074990853 +0100] - INFO - slapd_extract_cert - CA
CERT NAME: HQ.SPINQUE.COM IPA CA
[17/Nov/2022:17:22:21.668775045 +0100] - WARN - Security Initialization -
SSL alert: Sending pin request to SVRCore. You may need to run
systemd-tty-ask-password-agent to provide the password if pin.txt does not
exist.
[17/Nov/2022:17:22:22.295325169 +0100] - INFO - slapd_extract_cert - SERVER
CERT NAME: Server-Cert
[17/Nov/2022:17:22:23.275812957 +0100] - INFO - Security Initialization -
SSL info: Enabling default cipher set.
[17/Nov/2022:17:22:26.090728693 +0100] - INFO - Security Initialization -
SSL info: Configured NSS Ciphers
[17/Nov/2022:17:22:26.771211814 +0100] - INFO - Security Initialization -
SSL info: TLS_AES_128_GCM_SHA256: enabled
[17/Nov/2022:17:22:28.438124063 +0100] - INFO - Security Initialization -
SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[17/Nov/2022:17:22:28.928766931 +0100] - INFO - Security Initialization -
SSL info: TLS_AES_256_GCM_SHA384: enabled
[17/Nov/2022:17:22:29.544178747 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[17/Nov/2022:17:22:30.099717701 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[17/Nov/2022:17:22:30.657974763 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[17/Nov/2022:17:22:31.245996850 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[17/Nov/2022:17:22:31.790186166 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[17/Nov/2022:17:22:32.205374722 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[17/Nov/2022:17:22:32.771492861 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[17/Nov/2022:17:22:33.139528386 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[17/Nov/2022:17:22:33.392948327 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[17/Nov/2022:17:22:33.420924018 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[17/Nov/2022:17:22:33.468560401 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[17/Nov/2022:17:22:33.524578902 +0100] - INFO - Security Initialization -
SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[17/Nov/2022:17:22:33.769874334 +0100] - INFO - Security Initialization -
SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[17/Nov/2022:17:22:34.596047264 +0100] - INFO - Security Initialization -
SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[17/Nov/2022:17:22:35.137255640 +0100] - INFO - Security Initialization -
SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[17/Nov/2022:17:22:35.938316117 +0100] - INFO - Security Initialization -
SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[17/Nov/2022:17:22:36.492933614 +0100] - INFO - Security Initialization -
SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[17/Nov/2022:17:22:37.059388478 +0100] - INFO - Security Initialization -
SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[17/Nov/2022:17:22:37.497954414 +0100] - INFO - Security Initialization -
SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[17/Nov/2022:17:22:37.899521527 +0100] - INFO - Security Initialization -
SSL info: 

[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-17 Thread Rob Crittenden via FreeIPA-users
Rob Crittenden wrote:
> Microsoft addressed a number of CVEs last week which introduced some
> authentication issues. After installation of these patches, user
> authentication on Linux systems integrated in Active Directory no longer
> works and new systems are unable to join an AD domain that is managed by
> domain controllers where these patches have been applied.
> 
> For more details see https://access.redhat.com/solutions/6985061 (open
> to the public).
> 
> rob
> 

More detailed information on the issue from Alexander,
https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022

rob


[Freeipa-users] Re: SCEP

2022-11-17 Thread Rob Crittenden via FreeIPA-users
Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> 
> 
>> On 17 Nov 2022, at 10:15, Alexander Bokovoy  wrote:
>>
>> On to, 17 marras 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users 
>> wrote:
>>> Hi,
>>>
>>> I try to find good documentation on SCEP and FreeIPA, but I cannot find 
>>> something that seems updated nor conclusive.
>>>
>>> Does FreeIPA support SCEP out of the box, or does it need some hacking to 
>>> do so?
>>>
>>> And does it support other types of certificate enrolment besides its own 
>>> api/client?
>>
> 
> 
> Thanks a lot for a very explanatory answer as usual, Alexander.
> 
>> It really depends on what you are asking for: FreeIPA as an integrated
>> CA or FreeIPA as a consumer of some other CA.
> 
> I was thinking more as FreeIPA and its own CA.
> 
>> As a consumer of some other CAs, certmonger supports requesting
>> certificates through SCEP. See certmonger-scep-submit(8) man page and
>> /usr/share/doc/certmonger/scep.txt for details.
>>
>> FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
>> does have support for SCEP responder but it is not configured by default
>> and is not supported in IPA frontend that does verification of the
>> request.
> 
> Yes, I guess that this is what some of the documents I’ve seen around say.
> 
>> FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
>> Would using ACME be a better option?
> 
> I was thinking of trying to use FreeIPA with some MDM solutions, and the one 
> I am trying (Workspace ONE) does not support ACME, unfortunately.

I think the dogtag SCEP server might be difficult to use in automation.

It uses a flat authentication file consisting of the remote IP address
and PIN, probably making it difficult for mobile devices which don't use
static addresses. Creating some sort of middle-man service that updates
the file and returns the PIN to use would be a security target.

rob


[Freeipa-users] Re: SCEP

2022-11-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 marras 2022, Francis Augusto Medeiros-Logeay wrote:
>
>> On 17 Nov 2022, at 10:15, Alexander Bokovoy  wrote:
>>
>> On to, 17 marras 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I try to find good documentation on SCEP and FreeIPA, but I cannot find
>>> something that seems updated nor conclusive.
>>>
>>> Does FreeIPA support SCEP out of the box, or does it need some hacking to do so?
>>>
>>> And does it support other types of certificate enrolment besides its own
>>> api/client?
>>
>
> Thanks a lot for a very explanatory answer as usual, Alexander.
>
>> It really depends on what you are asking for: FreeIPA as an integrated
>> CA or FreeIPA as a consumer of some other CA.
>
> I was thinking more as FreeIPA and its own CA.
>
>> As a consumer of some other CAs, certmonger supports requesting
>> certificates through SCEP. See certmonger-scep-submit(8) man page and
>> /usr/share/doc/certmonger/scep.txt for details.
>>
>> FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
>> does have support for SCEP responder but it is not configured by default
>> and is not supported in IPA frontend that does verification of the
>> request.
>
> Yes, I guess that this is what some of the documents I’ve seen around say.
>
>> FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
>> Would using ACME be a better option?
>
> I was thinking of trying to use FreeIPA with some MDM solutions, and
> the one I am trying (Workspace ONE) does not support ACME,
> unfortunately.


I can only suggest to look at Dogtag's documentation and practical
examples. Dogtag PKI's CI system has a SCEP scenario with a core
configuration defined here:
https://github.com/dogtagpki/pki/blob/master/.github/workflows/scep-test.yml#L79-L90
This test configuration allows SCEP client from the 'client' system
(running in a separate container but that is an implementation detail),
more details available in 
https://github.com/dogtagpki/pki/wiki/Configuring-SCEP-Responder

Since access to integrated CA is proxied via IPA's httpd instance, you'd
also need to add one more PKI proxy rule in
/etc/httpd/conf.d/ipa-pki-proxy.conf. The required URL path is shown in the
test and that wiki page.

Something like

# matches for SCEP API of CA

SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:8009 secret=---copy-value-from-the-other-LocationMatch-entries
ProxyPassReverse ajp://localhost:8009


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: ipa-healthcheck: KRADogtagCertsConfigCheck

2022-11-17 Thread Jochen Kellner via FreeIPA-users

Hi,

Florence Blanc-Renaud via FreeIPA-users
 writes:

> Hi,
>
> On Wed, Nov 16, 2022 at 9:54 AM Jochen Kellner via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>>
>> Hello,
>>
>> On 2022-11-16 two of my four IPA server have this healthcheck error:
>>
>> freeipa1, freeipa2:
>>
>>   {
>> "source": "pki.server.healthcheck.meta.csconfig",
>> "check": "KRADogtagCertsConfigCheck",
...
>> When looking at the script, we call this for the cert:
>> python3.10/site-packages/ipaserver/install/cainstance.py:1157:
>> def update_cert_config(self, nickname, cert):
>>
>> Which calls that function:
>> python3.10/site-packages/ipaserver/install/dogtaginstance.py:555:
>> def update_cert_cs_cfg(self, directive, cert):
>>
>> But: there is no code to loop over the running services in pki-tomcat as
>> far as I can see. So we update ca/conf/CS.cfg, but not kra/conf/CS.cfg

>>
> Thanks for the detailed description, you completely nailed it.
> The post-save command does not update the certificate in the
> kra/conf/CS.cfg file but you can manually fix it.

You're welcome.

> Extract the new certificate from the NSS database, remove the header and
> footer and print it on a single line:
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca" -a
> | tail -n +2 | head -n -1 | tr -d '\r\n'

I hope it will be fixed before the next certs expire :-)
But if not, here's my take in ansible to fix it when needed:

  - name: fetch ca.sslserver.cert from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    ansible.builtin.command:
      cmd: awk -F '=' '/^ca.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    register: ca_sslserver_cert
    check_mode: false
    changed_when: false

  - name: fetch kra.sslserver.cert= from /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    ansible.builtin.command:
      cmd: awk -F '=' '/^kra.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    register: kra_sslserver_cert
    check_mode: false
    changed_when: false

  - name: fix ipa-healthcheck, KRADogtagCertsConfigCheck
    ansible.builtin.lineinfile:
      dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      # regexp: '^hosts: (.*)\s*\smyhostname(\s.*)$'
      regexp: '^kra.sslserver.cert='
      line: 'kra.sslserver.cert={{ ca_sslserver_cert.stdout }}'
      owner: pkiuser
      group: pkiuser
      mode: '0660'
      backup: true
    when: ca_sslserver_cert.stdout != kra_sslserver_cert.stdout
    notify: restart pki-tomcat

> Could you open a ticket against freeipa at https://pagure.io/freeipa/issues
> so that we fix the post-save command? It looks like it doesn't take into
> account the KRA certificates.

I've opened that ticket: https://pagure.io/freeipa/issue/9277

Thanks for your confirmation,
Jochen

-- 
This space is intentionally left blank.
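The same check and fix as a stand-alone script, added here as an example and not code from the thread, FreeIPA or Dogtag. It assumes only the "key=value" layout of CS.cfg shown above, reads the directive by stripping the leading "key=" (so base64 padding is kept), compares ca.sslserver.cert with kra.sslserver.cert the way KRADogtagCertsConfigCheck does, and rewrites the KRA file with a backup only when they differ. The sample files and certificate values are constructed placeholders written to a temporary directory so it runs offline; on a real server you would point it at the two CS.cfg paths from the thread and restart pki-tomcatd when it reports a change.

```python
"""Sync ca.sslserver.cert into kra.sslserver.cert (example, not FreeIPA code)."""
import os
import shutil
import tempfile
import time

CA_KEY = "ca.sslserver.cert"
KRA_KEY = "kra.sslserver.cert"


def read_directive(path, key):
    """Return the value of `key=` from a CS.cfg-style file, or None if absent.

    Only the leading "key=" is removed, so '=' padding inside a base64 value
    is preserved (unlike splitting the whole line on '=')."""
    prefix = key + "="
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if line.startswith(prefix):
                return line[len(prefix):].rstrip("\r\n")
    return None


def kra_cert_matches_ca(ca_cfg, kra_cfg):
    """The healthcheck condition: both directives carry the same certificate."""
    ca_cert = read_directive(ca_cfg, CA_KEY)
    return ca_cert is not None and ca_cert == read_directive(kra_cfg, KRA_KEY)


def sync_kra_cert(ca_cfg, kra_cfg):
    """Copy ca.sslserver.cert into kra.sslserver.cert when they differ.

    Returns True if the KRA file was rewritten (caller restarts pki-tomcatd),
    False if it was already in sync. A timestamped backup of the KRA file is
    kept first, mirroring `backup: true` in lineinfile."""
    ca_cert = read_directive(ca_cfg, CA_KEY)
    if ca_cert is None:
        raise ValueError(f"{CA_KEY} not found in {ca_cfg}")
    if read_directive(kra_cfg, KRA_KEY) == ca_cert:
        return False
    shutil.copy2(kra_cfg, f"{kra_cfg}.{int(time.time())}.bak")
    with open(kra_cfg, encoding="utf-8") as fh:
        lines = fh.readlines()
    prefix = KRA_KEY + "="
    new_lines = [f"{prefix}{ca_cert}\n" if ln.startswith(prefix) else ln
                 for ln in lines]
    if not any(ln.startswith(prefix) for ln in lines):
        new_lines.append(f"{prefix}{ca_cert}\n")
    # write to a temp file and rename so a crash never leaves a half-written CS.cfg
    tmp = kra_cfg + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.writelines(new_lines)
    os.chmod(tmp, 0o660)  # keep the file readable only by pkiuser/group
    os.replace(tmp, kra_cfg)
    return True


def demo():
    """Constructed sample CS.cfg files: the CA already holds the renewed
    certificate, the KRA still the old one. Values are placeholders, not real
    certificates."""
    workdir = tempfile.mkdtemp()
    ca_cfg = os.path.join(workdir, "ca-CS.cfg")
    kra_cfg = os.path.join(workdir, "kra-CS.cfg")
    with open(ca_cfg, "w", encoding="utf-8") as fh:
        fh.write("ca.sslserver.nickname=Server-Cert cert-pki-ca\n"
                 "ca.sslserver.cert=MIIC_RENEWED_PLACEHOLDER==\n")
    with open(kra_cfg, "w", encoding="utf-8") as fh:
        fh.write("kra.sslserver.nickname=Server-Cert cert-pki-ca\n"
                 "kra.sslserver.cert=MIIC_OLD_PLACEHOLDER=\n")
    before = kra_cert_matches_ca(ca_cfg, kra_cfg)   # False: out of sync
    changed = sync_kra_cert(ca_cfg, kra_cfg)        # True: rewritten
    after = kra_cert_matches_ca(ca_cfg, kra_cfg)    # True: now in sync
    again = sync_kra_cert(ca_cfg, kra_cfg)          # False: nothing to do
    return before, changed, after, again, read_directive(kra_cfg, KRA_KEY)


if __name__ == "__main__":
    print(demo())
```

The second `sync_kra_cert` call returning False is the idempotence you also get from the `when:` condition in the ansible version; the trailing `==` in the sample value is there to show that the padding is carried over intact.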
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: SCEP

2022-11-17 Thread Francis Augusto Medeiros-Logeay via FreeIPA-users


> On 17 Nov 2022, at 10:15, Alexander Bokovoy  wrote:
> 
> On to, 17 marras 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users 
> wrote:
>> Hi,
>> 
>> I try to find good documentation on SCEP and FreeIPA, but I cannot find 
>> something that seems updated nor conclusive.
>> 
>> Does FreeIPA support SCEP out of the box, or does it need some hacking to do 
>> so?
>> 
>> And does it support other types of certificate enrolment besides its own 
>> api/client?
> 


Thanks a lot for a very explanatory answer as usual, Alexander.

> It really depends on what you are asking for: FreeIPA as an integrated
> CA or FreeIPA as a consumer of some other CA.

I was thinking more as FreeIPA and its own CA.

> As a consumer of some other CAs, certmonger supports requesting
> certificates through SCEP. See certmonger-scep-submit(8) man page and
> /usr/share/doc/certmonger/scep.txt for details.
> 
> FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
> does have support for SCEP responder but it is not configured by default
> and is not supported in IPA frontend that does verification of the
> request.

Yes, I guess that this is what some of the documents I’ve seen around say.

> FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
> Would using ACME be a better option?

I was thinking of trying to use FreeIPA with some MDM solutions, and the one I 
am trying (Workspace ONE) does not support ACME, unfortunately.

Best,

Francis 

> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> 


[Freeipa-users] Re: SCEP

2022-11-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 marras 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:

> Hi,
> 
> I try to find good documentation on SCEP and FreeIPA, but I cannot 
> find something that seems updated nor conclusive.
> 
> Does FreeIPA support SCEP out of the box, or does it need some hacking 
> to do so?
> 
> And does it support other types of certificate enrolment besides its 
> own api/client?


It really depends on what you are asking for: FreeIPA as an integrated
CA or FreeIPA as a consumer of some other CA.

As a consumer of some other CAs, certmonger supports requesting
certificates through SCEP. See certmonger-scep-submit(8) man page and
/usr/share/doc/certmonger/scep.txt for details.

FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
does have support for SCEP responder but it is not configured by default
and is not supported in IPA frontend that does verification of the
request.

FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
Would using ACME be a better option?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] SCEP

2022-11-17 Thread Francis Augusto Medeiros-Logeay via FreeIPA-users

Hi,

I try to find good documentation on SCEP and FreeIPA, but I cannot find 
something that seems updated nor conclusive.


Does FreeIPA support SCEP out of the box, or does it need some hacking 
to do so?


And does it support other types of certificate enrolment besides its own 
api/client?


Best,

Francis

--
Francis Augusto Medeiros-Logeay
Oslo, Norway


[Freeipa-users] Re: ipa-replica-install: "Trust is configured"

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
OK, thanks!

On Thu, 17 Nov 2022, 08:45 Florence Blanc-Renaud,  wrote:

> Hi,
>
> On Wed, Nov 16, 2022 at 10:44 PM Roberto Cornacchia via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> I'm adding a replica, with CA and DNS setup, to an existing server (also
>> DNS and CA).
>>
>> First enrolled the server-to-be with ipa-client-install, then promoting
>> it to replica with ipa-replica-install.
>>
>> With or without CA and DNs, I get:
>>
>> ===
>> # ipa-replica-install
>> Lookup failed: Preferred host ipa02.hq.spinque.com does not provide DNS.
>> Trust is configured but no NetBIOS domain name found, setting it now.
>> Enter the NetBIOS name for the IPA domain.
>> Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
>> Example: EXAMPLE.
>>
>>
>> NetBIOS domain name [HQ]:
>> ===
>>
>> The system is a clean Rocky 9 install, we never had a single Windows
>> machine, we never used AD-trust, on both ipa01 and ipa02 ipa trust-find
>> returns 0 matches.
>>
>> Where is it getting this from, and how can I avoid it?
>>
>
> Starting with FreeIPA 4.9.8, the installers also configure SID generation
> even if no trust is configured. For more information you can refer to the
> design page:
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html
>
> This means that a NetBIOS name is assigned to each server, and a domain
> SID assigned to IPA.
> I agree with you that the message "*Trust is configured but no NetBIOS
> domain name found, setting it now*" could be misleading and should be
> replaced with "*No NetBIOS domain name found, setting it now*".
> Nothing to worry on your side, you can simply accept the proposed value
> (or enter a value).
>
> Hope this clarifies,
> flo
>
>
>> VERSION: 4.9.8, API_VERSION: 2.246
>>
>> Thanks, Roberto
>>
>