[Freeipa-users] Ubuntu 22.04 and 4.9.x

2023-10-04 Thread Cyrus via FreeIPA-users
Hello!

Does anybody know if there are any issues with freeipa-client versions
higher than 4.9.8?

I'm currently having issues with Ubuntu 22.04 due to a python library that
needed to be updated for an application's requirements and breaks the FreeIPA
python scripts.

I see tar files for 4.9.12 and wonder why Ubuntu would go higher today.

Any experiences are welcome. I'm considering building an alternative
package, but most probably nobody will be maintaining it internally and I
prefer going with distro-provided packages.

Regards,
Cyrus
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Healthcheck errors for certificate issues after update

2023-10-04 Thread Rob Crittenden via FreeIPA-users
Jeremy Tourville via FreeIPA-users wrote:
>>>> Is this an externally-signed CA?
> Yes
>>>> What version of healthcheck do you have?
> 0.12-1
> 
> I *think* from what I am seeing this cert is valid.  Can you confirm?
> 
> # getcert list -i "20230901185953"
> Number of certificates and requests being tracked: 10.
> Request ID '20230901185953':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 
> Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 
> Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=IDM.EXAMPLE.ORG
>   subject: CN=EXAMPLE-CA,DC=example,DC=org
>   issued: 2023-04-05 12:54:46 CDT
>   expires: 2038-01-06 09:20:42 CST
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   profile: caCACert
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb"
>   track: yes
>   auto-renew: yes

This is a sub CA. These are not validated by healthcheck.

> If we both agree this cert is valid, how do I clear the warning message from 
> healthcheck?

See the EXCLUDES section in ipahealthcheck.conf(5)

rob
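Rob's pointer above is to the EXCLUDES section of ipahealthcheck.conf(5). As an added illustration of what an exclude does to the report (this is not ipa-healthcheck's own code, and the real configuration syntax is the one in that man page, not modelled here), the following Python script reads the JSON array that ipa-healthcheck prints, drops entries whose source, check or key is on an exclude list, and summarises what is left. The sample output is constructed from the two results quoted later on this page; the function names are mine.

```python
"""Added example, not ipa-healthcheck code: filter healthcheck JSON output
by source / check / key, the same idea as the EXCLUDES section of
ipahealthcheck.conf(5), and summarise what remains."""
import json
from collections import defaultdict

# Result levels ipa-healthcheck uses, ordered by severity.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed from the two results posted in the thread (same field values).
SAMPLE_OUTPUT = """[
  {"source": "pki.server.healthcheck.meta.csconfig",
   "check": "CADogtagCertsConfigCheck", "result": "ERROR",
   "uuid": "af584c7d-6288-4848-acf8-9e59946e298b", "when": "20231004180708Z",
   "duration": "0.093486",
   "kw": {"key": "ca_audit_signing", "nickname": "auditSigningCert cert-pki-ca",
          "directive": "ca.audit_signing.cert",
          "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
          "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"}},
  {"source": "ipahealthcheck.dogtag.ca",
   "check": "DogtagCertsConfigCheck", "result": "ERROR",
   "uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2", "when": "20231004180708Z",
   "duration": "0.401906",
   "kw": {"key": "auditSigningCert cert-pki-ca",
          "directive": "ca.audit_signing.cert",
          "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
          "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"}}
]"""


def load_results(text: str) -> list:
    """Parse healthcheck JSON output and sanity-check the result field."""
    results = json.loads(text)
    for r in results:
        if r.get("result") not in SEVERITY:
            raise ValueError(f"unknown result {r.get('result')!r} in {r.get('uuid')}")
    return results


def is_excluded(result: dict, excludes: dict) -> bool:
    """True when the entry's source, check or kw.key is on the exclude list."""
    key = result.get("kw", {}).get("key")
    return (result.get("source") in excludes.get("source", ())
            or result.get("check") in excludes.get("check", ())
            or key in excludes.get("key", ()))


def apply_excludes(results: list, excludes: dict) -> list:
    """Return the results that survive the exclude list."""
    return [r for r in results if not is_excluded(r, excludes)]


def worst_result(results: list) -> str:
    """Most severe outcome left after excludes; SUCCESS when nothing remains."""
    return max((r["result"] for r in results),
               key=SEVERITY.__getitem__, default="SUCCESS")


def group_by_directive(results: list) -> dict:
    """Group failures by the CS.cfg directive they complain about.

    For the thread's output this shows one mismatch reported twice: once by
    the PKI server's own csconfig check and once by ipa-healthcheck's Dogtag
    check.
    """
    groups = defaultdict(list)
    for r in results:
        if r["result"] != "SUCCESS":
            directive = r.get("kw", {}).get("directive", "<none>")
            groups[directive].append(f"{r['source']}:{r['check']}")
    return dict(groups)


if __name__ == "__main__":
    results = load_results(SAMPLE_OUTPUT)
    print(group_by_directive(results))
    excl = {"key": ["auditSigningCert cert-pki-ca", "ca_audit_signing"]}
    left = apply_excludes(results, excl)
    print(len(left), "result(s) left, worst:", worst_result(left))
```

Excluding by key silences a single reported item (both checks here use different keys for the same certificate, so both would need listing), while excluding by check or source silences every item that check emits; the narrower the exclude, the less likely a genuine future failure is hidden with it.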


[Freeipa-users] Re: Health check issues

2023-10-04 Thread Rob Crittenden via FreeIPA-users
Jochen Kellner via FreeIPA-users wrote:
> Alex Corcoles via FreeIPA-users writes:
> 
>> Hi all,
>>
>> Sorry I didn't keep track of this more accurately. Some time ago, the
>> ipa-healthcheck service started failing (September 23rd, I think). I
>> took a look, and IIRC, it said something like some certs were about to
>> expire. I ignored that (because they renew automatically?). But then I
>> checked some time after that, and ipa-healthcheck started reporting:
> ...
>>   "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the 
>> value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
> ...
>> Any thoughts?
> 
> This looks similar to
> https://pagure.io/freeipa/issue/9277
> https://github.com/dogtagpki/pki/issues/2157

The KRA values are definitely not being updated. That shouldn't be the
case for the CA values.

rob

> 
> I've used this play to fix my system:
> ---
> # file: freeipa-fixes.yml
> - name: Fix problems in IPA installations or configurations after install / postinstall or later
>   hosts:
>   - ipaservers
>   become: true
> 
>   tasks:
>   # ...
>   # Another healthcheck fix: when the PKI server certificate is renewed
>   # the new certificate is written to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
>   # It needs to be in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg too.
>   # {
>   #   "source": "pki.server.healthcheck.meta.csconfig",
>   #   "check": "KRADogtagCertsConfigCheck",
>   #   "result": "ERROR",
>   #   "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
>   #   "when": "20221116030029Z",
>   #   "duration": "0.024925",
>   #   "kw": {
>   #     "key": "kra_sslserver",
>   #     "nickname": "Server-Cert cert-pki-ca",
>   #     "directive": "kra.sslserver.cert",
>   #     "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>   #     "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value
>   #             of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>   #   }
>   # },
>   # This is likely a bug in /usr/libexec/ipa/certmonger/renew_ca_cert
>   - name: Fetch ca.sslserver.cert from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>     ansible.builtin.command:
>       cmd: awk -F '=' '/^ca.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>     register: ca_sslserver_cert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fetch kra.sslserver.cert= from /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     ansible.builtin.command:
>       cmd: awk -F '=' '/^kra.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     register: kra_sslserver_cert
>     check_mode: false
>     changed_when: false
> 
>   #  - name: debug display the possibly different certs
>   #    ansible.builtin.debug:
>   #      var: "{{ item }}"
>   #    loop:
>   #    - ca_sslserver_cert.stdout
>   #    - kra_sslserver_cert.stdout
> 
>   - name: Fix ipa-healthcheck, KRADogtagCertsConfigCheck
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       regexp: '^kra.sslserver.cert='
>       line: 'kra.sslserver.cert={{ ca_sslserver_cert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: ca_sslserver_cert.stdout != kra_sslserver_cert.stdout
>     notify: Restart pki-tomcat
> 
>   # "key": "transportCert cert-pki-kra",
>   # "directive": "ca.connector.KRA.transportCert",
>   # "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
>   # "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of
>   #         ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
>   - name: Fetch Certificate 'transportCert cert-pki-kra'
>     ansible.builtin.shell:
>       cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'transportCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>     register: transportcert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fetch Certificate ca.connector.KRA.transportCert
>     ansible.builtin.shell:
>       cmd: awk -F '=' '/^ca.connector.KRA.transportCert=/ { print $2 }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>     register: ca_connector_transportcert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fix ipa-healthcheck, ca.connector.KRA.transportCert
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>       regexp: '^ca.connector.KRA.transportCert='
>       line: 'ca.connector.KRA.transportCert={{ transportcert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: ca_connector_transportcert.stdout != transportcert.stdout
>     notify: Restart pki-tomcat
> 
>   - name: Fetch Certificate kra.transport.cert
>     ansible.builtin.shell:
>       cmd: awk -F '=' '/^kra.transport.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     register: kra_transport_cert
>     check_mode: false
>     changed_when: false
>  

[Freeipa-users] Re: Health check issues

2023-10-04 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote:
> Hi all,
> 
> Sorry I didn't keep track of this more accurately. Some time ago, the 
> ipa-healthcheck service started failing (September 23rd, I think). I took a 
> look, and IIRC, it said something like some certs were about to expire. I 
> ignored that (because they renew automatically?). But then I checked some 
> time after that, and ipa-healthcheck started reporting:

I'd start by verifying that the certificates indeed did renew.

> 
> [
>   {
> "source": "pki.server.healthcheck.meta.csconfig",
> "check": "CADogtagCertsConfigCheck",
> "result": "ERROR",
> "uuid": "af584c7d-6288-4848-acf8-9e59946e298b",
> "when": "20231004180708Z",
> "duration": "0.093486",
> "kw": {
>   "key": "ca_audit_signing",
>   "nickname": "auditSigningCert cert-pki-ca",
>   "directive": "ca.audit_signing.cert",
>   "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
>   "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the 
> value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
> }
>   },
>   {
> "source": "ipahealthcheck.dogtag.ca",
> "check": "DogtagCertsConfigCheck",
> "result": "ERROR",
> "uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2",
> "when": "20231004180708Z",
> "duration": "0.401906",
> "kw": {
>   "key": "auditSigningCert cert-pki-ca",
>   "directive": "ca.audit_signing.cert",
>   "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
>   "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the 
> value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
> }
>   }
> ]
> 
> I suppose the automatic renewal process went awry? I have seen messages on 
> this list with similar errors, but the path forward does not seem clear to me.

There is some disagreement whether CS.cfg being updated is important or
not. The PKI team is looking into this now. If you really want to update
it you can get the base64 blob:

# certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -a

Then stop pki-tomcat@pki-tomcatd, update the mentioned blob in CS.cfg,
and restart tomcat.

rob
> 
> I'm running:
> 
> ipa-healthcheck-0.12-1.el9.noarch
> ipa-healthcheck-core-0.12-1.el9.noarch
> ipa-server-4.10.1-9.el9_2.x86_64
> 
> Coincidentally, some updates went out around those dates:
> 
> 2023-08-26T06:56:04+ SUBDEBUG Upgraded: 
> ipa-server-dns-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-server-4.10.1-7.el9_2.x86_64
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
> python3-ipaserver-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-client-4.10.1-7.el9_2.x86_64
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
> python3-ipaclient-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
> python3-ipalib-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-common-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
> ipa-server-common-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
> ipa-client-common-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-selinux-4.10.1-7.el9_2.noarch
> 2023-09-24T06:56:28+ SUBDEBUG Upgraded: 
> ipa-server-dns-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:28+ SUBDEBUG Upgraded: ipa-server-4.10.1-8.el9_2.x86_64
> 2023-09-24T06:56:29+ SUBDEBUG Upgraded: 
> python3-ipaserver-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:29+ SUBDEBUG Upgraded: ipa-client-4.10.1-8.el9_2.x86_64
> 2023-09-24T06:56:29+ SUBDEBUG Upgraded: 
> python3-ipaclient-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:29+ SUBDEBUG Upgraded: 
> python3-ipalib-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:29+ SUBDEBUG Upgraded: ipa-common-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:30+ SUBDEBUG Upgraded: 
> ipa-server-common-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:30+ SUBDEBUG Upgraded: 
> ipa-client-common-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:30+ SUBDEBUG Upgraded: ipa-selinux-4.10.1-8.el9_2.noarch
> 
> Any thoughts?
> 
> Thanks,
> 
> Álex

[Freeipa-users] Re: Health check issues

2023-10-04 Thread Alex Corcoles via FreeIPA-users
Oh, thanks for the playbook- I appreciate it.

It's surprising that some of the bugs you posted mention SELinux- the replica 
that doesn't have issues is running SELinux, while the replica that has issues 
doesn't (it's an LXC container).


[Freeipa-users] Re: Health check issues

2023-10-04 Thread Jochen Kellner via FreeIPA-users
Alex Corcoles via FreeIPA-users writes:

> Hi all,
>
> Sorry I didn't keep track of this more accurately. Some time ago, the
> ipa-healthcheck service started failing (September 23rd, I think). I
> took a look, and IIRC, it said something like some certs were about to
> expire. I ignored that (because they renew automatically?). But then I
> checked some time after that, and ipa-healthcheck started reporting:
...
>   "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the 
> value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
...
> Any thoughts?

This looks similar to
https://pagure.io/freeipa/issue/9277
https://github.com/dogtagpki/pki/issues/2157

I've used this play to fix my system:
---
# file: freeipa-fixes.yml
- name: Fix problems in IPA installations or configurations after install / postinstall or later
  hosts:
  - ipaservers
  become: true

  tasks:
  # ...
  # Another healthcheck fix: when the PKI server certificate is renewed
  # the new certificate is written to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
  # It needs to be in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg too.
  # {
  #   "source": "pki.server.healthcheck.meta.csconfig",
  #   "check": "KRADogtagCertsConfigCheck",
  #   "result": "ERROR",
  #   "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
  #   "when": "20221116030029Z",
  #   "duration": "0.024925",
  #   "kw": {
  #     "key": "kra_sslserver",
  #     "nickname": "Server-Cert cert-pki-ca",
  #     "directive": "kra.sslserver.cert",
  #     "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
  #     "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value
  #             of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
  #   }
  # },
  # This is likely a bug in /usr/libexec/ipa/certmonger/renew_ca_cert
  - name: Fetch ca.sslserver.cert from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    ansible.builtin.command:
      cmd: awk -F '=' '/^ca.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    register: ca_sslserver_cert
    check_mode: false
    changed_when: false

  - name: Fetch kra.sslserver.cert= from /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    ansible.builtin.command:
      cmd: awk -F '=' '/^kra.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    register: kra_sslserver_cert
    check_mode: false
    changed_when: false

  #  - name: debug display the possibly different certs
  #    ansible.builtin.debug:
  #      var: "{{ item }}"
  #    loop:
  #    - ca_sslserver_cert.stdout
  #    - kra_sslserver_cert.stdout

  - name: Fix ipa-healthcheck, KRADogtagCertsConfigCheck
    ansible.builtin.lineinfile:
      dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      regexp: '^kra.sslserver.cert='
      line: 'kra.sslserver.cert={{ ca_sslserver_cert.stdout }}'
      owner: pkiuser
      group: pkiuser
      mode: '0660'
      backup: true
    when: ca_sslserver_cert.stdout != kra_sslserver_cert.stdout
    notify: Restart pki-tomcat

  # "key": "transportCert cert-pki-kra",
  # "directive": "ca.connector.KRA.transportCert",
  # "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
  # "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of
  #         ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
  - name: Fetch Certificate 'transportCert cert-pki-kra'
    ansible.builtin.shell:
      cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'transportCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
    register: transportcert
    check_mode: false
    changed_when: false

  - name: Fetch Certificate ca.connector.KRA.transportCert
    ansible.builtin.shell:
      cmd: awk -F '=' '/^ca.connector.KRA.transportCert=/ { print $2 }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    register: ca_connector_transportcert
    check_mode: false
    changed_when: false

  - name: Fix ipa-healthcheck, ca.connector.KRA.transportCert
    ansible.builtin.lineinfile:
      dest: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
      regexp: '^ca.connector.KRA.transportCert='
      line: 'ca.connector.KRA.transportCert={{ transportcert.stdout }}'
      owner: pkiuser
      group: pkiuser
      mode: '0660'
      backup: true
    when: ca_connector_transportcert.stdout != transportcert.stdout
    notify: Restart pki-tomcat

  - name: Fetch Certificate kra.transport.cert
    ansible.builtin.shell:
      cmd: awk -F '=' '/^kra.transport.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    register: kra_transport_cert
    check_mode: false
    changed_when: false

  - name: Fix ipa-healthcheck, kra.transport.cert
    ansible.builtin.lineinfile:
      dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      regexp: '^kra.transport.cert='
      line: 'kra.transport.cert={{ transportcert.stdout }}'
      owner: pkiuser
      group: pkiuser
      mode: '0660'
      backup: true
    when: kra_transport_cert.stdout != transportcert.stdout
    notify: Restart 
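
Both Rob's manual procedure earlier in this thread (export the certificate with certutil -a and paste the base64 into CS.cfg) and Jochen's play above (compare a directive with the NSS database or with the CA's CS.cfg, then lineinfile the value in) come down to one comparison. The following Python script, added here and not part of FreeIPA, Dogtag, ipa-healthcheck or the play, performs that comparison offline on constructed data: pem_to_blob does what the play's awk filter does, check_directive produces the same verdict shape as the healthcheck, set_directive and fix_file apply the lineinfile-style repair with a backup, and sync_directive covers the CA-to-KRA copy. The certificate blobs and CS.cfg fragments are constructed samples, not real certificates; the function names are mine.

```python
"""Added example, not FreeIPA/Dogtag code: compare the certificate in the NSS
database (what `certutil -L -d <db> -n <nick> -a` prints) with the base64 value
stored under a CS.cfg directive, and apply the repairs discussed in the thread.
All certificate data here is constructed and is not a real X.509 certificate."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Constructed stand-ins for base64 DER blobs (not real certificates).
NEW_BLOB = "MIIC" + "QUJD" * 30 + "Ag=="
OLD_BLOB = "MIIC" + "WFla" * 30 + "Ag=="


def wrap_pem(blob: str) -> str:
    """Render a blob the way certutil -a prints it: 64-column lines between markers."""
    body = "\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# What certutil would print for the renewed certificate (constructed).
CERT_PEM = wrap_pem(NEW_BLOB)

# Constructed CS.cfg fragments: the CA file still holds the pre-renewal blob for
# the audit signing cert, and the KRA file lags behind the CA file for sslserver.
CA_CS_CFG = (
    "ca.audit_signing.nickname=auditSigningCert cert-pki-ca\n"
    f"ca.audit_signing.cert={OLD_BLOB}\n"
    f"ca.sslserver.cert={NEW_BLOB}\n"
)
KRA_CS_CFG = f"kra.sslserver.cert={OLD_BLOB}\n"


def pem_to_blob(pem: str) -> str:
    """Collapse PEM text to the single-line base64 that CS.cfg stores.

    Same effect as the play's awk '/^[^-]/ { sub(/\\r/, ""); printf("%s", $0) }':
    drop the BEGIN/END marker lines, strip CR/LF, concatenate the rest.
    """
    return "".join(ln.strip() for ln in pem.splitlines() if not ln.strip().startswith("-"))


def read_directive(cfg_text: str, directive: str) -> Optional[str]:
    """Return the value of `directive=` in CS.cfg text, or None when absent."""
    m = re.search(r"^" + re.escape(directive) + r"=(.*)$", cfg_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def set_directive(cfg_text: str, directive: str, value: str) -> str:
    """Replace the directive's line in place, or append it (lineinfile semantics)."""
    pattern = re.compile(r"^" + re.escape(directive) + r"=.*$", re.MULTILINE)
    new_line = f"{directive}={value}"
    if pattern.search(cfg_text):
        return pattern.sub(lambda _m: new_line, cfg_text, count=1)
    sep = "" if cfg_text.endswith("\n") or not cfg_text else "\n"
    return f"{cfg_text}{sep}{new_line}\n"


def check_directive(cfg_text: str, cfg_path: str, directive: str,
                    nickname: str, pem: str) -> dict:
    """Healthcheck-style verdict: ERROR when the NSS cert and the directive differ."""
    if read_directive(cfg_text, directive) == pem_to_blob(pem):
        return {"result": "SUCCESS", "directive": directive, "configfile": cfg_path}
    return {
        "result": "ERROR", "directive": directive, "configfile": cfg_path,
        "msg": f"Certificate '{nickname}' does not match the value of "
               f"{directive} in {cfg_path}",
    }


def sync_directive(src_text: str, src_directive: str,
                   dst_text: str, dst_directive: str) -> str:
    """Copy a directive value from one CS.cfg into another (the CA -> KRA case)."""
    value = read_directive(src_text, src_directive)
    if value is None:
        raise KeyError(f"{src_directive} not found in source CS.cfg")
    return set_directive(dst_text, dst_directive, value)


def fix_file(cfg_path: Path, directive: str, pem: str, backup: bool = True) -> bool:
    """Write the NSS blob into `directive` when it differs; True when the file changed.

    Stop pki-tomcatd before calling this and restart it afterwards, as the
    thread's manual procedure and the play's handler do.
    """
    text = cfg_path.read_text()
    expected = pem_to_blob(pem)
    if read_directive(text, directive) == expected:
        return False
    if backup:
        shutil.copy2(cfg_path, cfg_path.with_name(cfg_path.name + ".bak"))
    cfg_path.write_text(set_directive(text, directive, expected))
    return True


if __name__ == "__main__":
    # Demonstration on a temporary copy, never on the live /var/lib/pki tree.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "CS.cfg"
        cfg.write_text(CA_CS_CFG)
        args = ("ca.audit_signing.cert", "auditSigningCert cert-pki-ca", CERT_PEM)
        print(check_directive(cfg.read_text(), str(cfg), *args))   # result: ERROR
        print("changed:", fix_file(cfg, "ca.audit_signing.cert", CERT_PEM))
        print(check_directive(cfg.read_text(), str(cfg), *args))   # result: SUCCESS
        print(sync_directive(CA_CS_CFG, "ca.sslserver.cert", KRA_CS_CFG, "kra.sslserver.cert"))
```

On a real server the PEM input comes from `certutil -L -d /etc/pki/pki-tomcat/alias -n '<nickname>' -a` as quoted in the thread, and the write only makes sense with pki-tomcatd stopped; keeping the comparison separate from the write, as above, lets the check run harmlessly in a read-only pass first.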

[Freeipa-users] Re: Health check issues

2023-10-04 Thread Alex Corcoles via FreeIPA-users
I forgot to add; I'm running two replicas, both are CAs and provisioned 
identically, and only one of them shows this issue. 


[Freeipa-users] Health check issues

2023-10-04 Thread Alex Corcoles via FreeIPA-users
Hi all,

Sorry I didn't keep track of this more accurately. Some time ago, the 
ipa-healthcheck service started failing (September 23rd, I think). I took a 
look, and IIRC, it said something like some certs were about to expire. I 
ignored that (because they renew automatically?). But then I checked some time 
after that, and ipa-healthcheck started reporting:

[
  {
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "af584c7d-6288-4848-acf8-9e59946e298b",
"when": "20231004180708Z",
"duration": "0.093486",
"kw": {
  "key": "ca_audit_signing",
  "nickname": "auditSigningCert cert-pki-ca",
  "directive": "ca.audit_signing.cert",
  "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
  "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the 
value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
}
  },
  {
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2",
"when": "20231004180708Z",
"duration": "0.401906",
"kw": {
  "key": "auditSigningCert cert-pki-ca",
  "directive": "ca.audit_signing.cert",
  "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
  "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the 
value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
}
  }
]

I suppose the automatic renewal process went awry? I have seen messages on this 
list with similar errors, but the path forward does not seem clear to me.

I'm running:

ipa-healthcheck-0.12-1.el9.noarch
ipa-healthcheck-core-0.12-1.el9.noarch
ipa-server-4.10.1-9.el9_2.x86_64

Coincidentally, some updates went out around those dates:

2023-08-26T06:56:04+ SUBDEBUG Upgraded: ipa-server-dns-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-server-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
python3-ipaserver-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-client-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
python3-ipaclient-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+ SUBDEBUG Upgraded: python3-ipalib-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
ipa-server-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+ SUBDEBUG Upgraded: 
ipa-client-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+ SUBDEBUG Upgraded: ipa-selinux-4.10.1-7.el9_2.noarch
2023-09-24T06:56:28+ SUBDEBUG Upgraded: ipa-server-dns-4.10.1-8.el9_2.noarch
2023-09-24T06:56:28+ SUBDEBUG Upgraded: ipa-server-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+ SUBDEBUG Upgraded: 
python3-ipaserver-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+ SUBDEBUG Upgraded: ipa-client-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+ SUBDEBUG Upgraded: 
python3-ipaclient-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+ SUBDEBUG Upgraded: python3-ipalib-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+ SUBDEBUG Upgraded: ipa-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+ SUBDEBUG Upgraded: 
ipa-server-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+ SUBDEBUG Upgraded: 
ipa-client-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+ SUBDEBUG Upgraded: ipa-selinux-4.10.1-8.el9_2.noarch

Any thoughts?

Thanks,

Álex


[Freeipa-users] Re: FreeIPA and TrueNAS Scale for mounting of nfs4 shares

2023-10-04 Thread Francis Augusto Medeiros-Logeay via FreeIPA-users
Kevin:

Could you share the ACL of the dataset you share via nfs4? 

Best,

Francis 

> On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users wrote:
> 
> I actually did this recently.
> 
> Full working settings configuration in TrueNAS Scale. You will need to create 
> a BIND account which I used "svcbind". The Aux Parameters are extremely 
> important otherwise your groups won't work correctly.
> 
> Directory Services
> 1. Hostname: ipa.site.example.com
> 2. Base DN: dc=site,dc=example,dc=com
> 3. Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
> 4. Bind Password: 
> 5. Kerberos Realm: SITE.EXAMPLE.COM
> 6. Kerberos Principal: nfs/.site.example@site.example.com
> 7. LDAP Timeout: 10
> 8. DNS Timeout: 10
> 9. Enable: [ x ]
> 10. Auxiliary Parameters
> ```
> base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com
> base group cn=groups,cn=accounts,dc=site,dc=example,dc=com
> ```
> 11. encryption Mode: off
> 12. Schema: RFC2307BIS
> 13. Validate Certificates: [x]
> 
> 1. Advanced Settings
>    1. Idmap
>       1. Idmap Backend: LDAP
>       2. DNS Domain Name: site.example.com
>       3. Range Low: 10001
>       4. Range High: 20
>       5. Base DN: dc=site,dc=example,dc=com
>       6. LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
>       7. LDAP User DN Password: 
>       8. URL: ipa.site.example.com
>    2. Kerberos Realms
>       1. Realm: SITE.EXAMPLE.COM
>       2. KDC: ipa.site.example.com
>       3. Admin Servers: ipa.site.example.com
>    3. Kerberos Settings:
>       1. Libdefaults Auxiliary Parameters
>          ```
>          default_realm = SITE.EXAMPLE.COM
>          dns_lookup_kdc = true
>          allow_weak_crypto = true
>          ```
>    4. Kerberos KeyTab
>       1. Name: .site.example.com.keytab
>       2. Add IPA Host
>          1. `ipa host-add nas-server.site.example.com --ip-address 10.75.37.2`
>       3. Add service
>          1. `ipa service-add NFS/emc-nas-server.site.example@site.example.com`
>       4. Generate Keytab
>          1. `ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.site.example.com -k /tmp/emc-nas-server.keytab`
>       5. Upload to TrueNAS
> 
> I'm not sure of the idmap settings if they are actually useful but everything 
> worked even though we have overlapping IDs (which TrueNas Scale complains 
> about).
> 
> Helpful Link:
> https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity
> 
> On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>> 
>> 
>>> On 3 Oct 2023, at 11:50, Alexander Bokovoy wrote:
>>> 
>>> On Tue, 03 Oct 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users 
>>> wrote:
>>>> 
>>>> 
>>>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users wrote:
>>>>> 
>>>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users 
>>>>> wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 
>>>>>> shares with kerberos?
>>>>>> 
>>>>>> I manage to mount the shares, the folder seems to have the right 
>>>>>> permissions, but I get permission denied when trying to access the 
>>>>>> folder.
>>>>>> 
>>>>>> I am trying from a Fedora 37 client.
>>>>>> 
>>>>>> As this is potentially off-topic, I’d be glad to take the discussion 
>>>>>> off-list.
>>>>>> 
>>>>> 
>>>>> That's a very interesting subject. Just today we started looking at the 
>>>>> same thing.
>>>>> I have no idea yet how to do this, so I too would like to know if 
>>>>> somebody has succeeded to set this up.
>>>>> --
>>>>> Kees
>>>> 
>>>> Great! If it is ok with you, please keep in touch to share how/what you
>>>> accomplish.
>>>> 
>>>> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem
>>>> a few versions ago where the tickets wouldn’t be renewed. It is fixed
>>>> now. So users and groups work.
>>>> 
>>>> The issue with TrueNAS, as I see it, is the idmapd configuration.
>>>> 
>>>> But I think we start to be very off topic, so don’t hesitate to mail me
>>>> directly if you want to discuss this.
>>> 
>>> I think it can be discussed here, no problem.
>> 
>> Thank you, I really appreciate this, since this is a thing I’ve been working 
>> on for quite some time, so it is really nice to have other eyes on it.
>> 
>>> My understanding is that TrueNAS Scale uses Debian as its base. It also
>>> uses Samba components for both client (users/groups identities)
>>> integration and server (SMB shares) integration. For SMB-related
>>> configuration one can have a pretty decent setup 

[Freeipa-users] Re: FreeIPA and TrueNAS Scale for mounting of nfs4 shares

2023-10-04 Thread Francis Augusto Medeiros-Logeay via FreeIPA-users
Hi Kevin,

Thanks for sharing this.

My configuration is virtually identical.

The differences:

- I set LDAP encryption to «on» 
- I don’t validate certificates here. I do use one on the idmap configuration
- I also add `map passwd loginShell loginShell` to the Auxiliary Parameters of 
the LDAP configuration
- I have also «forwardable = yes» on my Kerberos configuration, in addition to 
what you have

I also have a host/ and an nfs/ keytab. On my configuration it was the host/ one 
that was used, but I chose nfs now; it’s really not different.

I mount the directory, get the right permissions (sometimes), but when I access 
the folder, it fails: 

`drwx--. 5 francis francis   14 Oct  1 20:03 test`

I changed back to LDAP for idmap, though I think Alexander Bokovoy is right, 
this could be NSS as well. But I don’t think I am having mapping errors here.

I wonder what could be wrong.

Best,

Francis


> On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users wrote:
> 
> I actually did this recently.
> 
> Full working settings configuration in TrueNAS Scale. You will need to create 
> a BIND account which I used "svcbind". The Aux Parameters are extremely 
> important otherwise your groups won't work correctly.
> 
> Directory Services
> 1. Hostname: ipa.site.example.com
> 2. Base DN: dc=site,dc=example,dc=com
> 3. Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
> 4. Bind Password: 
> 5. Kerberos Realm: SITE.EXAMPLE.COM
> 6. Kerberos Principal: nfs/.site.example@site.example.com
> 7. LDAP Timeout: 10
> 8. DNS Timeout: 10
> 9. Enable: [ x ]
> 10. Auxiliary Parameters
> ```
> base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com
> base group cn=groups,cn=accounts,dc=site,dc=example,dc=com
> ```
> 11. encryption Mode: off
> 12. Schema: RFC2307BIS
> 13. Validate Certificates: [x]
> 
> 1. Advanced Settings
>    1. Idmap
>       1. Idmap Backend: LDAP
>       2. DNS Domain Name: site.example.com
>       3. Range Low: 10001
>       4. Range High: 20
>       5. Base DN: dc=site,dc=example,dc=com
>       6. LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
>       7. LDAP User DN Password: 
>       8. URL: ipa.site.example.com
>    2. Kerberos Realms
>       1. Realm: SITE.EXAMPLE.COM
>       2. KDC: ipa.site.example.com
>       3. Admin Servers: ipa.site.example.com
>    3. Kerberos Settings:
>       1. Libdefaults Auxiliary Parameters
>          ```
>          default_realm = SITE.EXAMPLE.COM
>          dns_lookup_kdc = true
>          allow_weak_crypto = true
>          ```
>    4. Kerberos KeyTab
>       1. Name: .site.example.com.keytab
>       2. Add IPA Host
>          1. `ipa host-add nas-server.site.example.com --ip-address 10.75.37.2`
>       3. Add service
>          1. `ipa service-add NFS/emc-nas-server.site.example@site.example.com`
>       4. Generate Keytab
>          1. `ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.site.example.com -k /tmp/emc-nas-server.keytab`
>       5. Upload to TrueNAS
> 
> I'm not sure of the idmap settings if they are actually useful but everything 
> worked even though we have overlapping IDs (which TrueNas Scale complains 
> about).
> 
> Helpful Link:
> https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity
> 
> On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>> 
>> 
>>> On 3 Oct 2023, at 11:50, Alexander Bokovoy wrote:
>>> 
>>> On Tue, 03 Oct 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users 
>>> wrote:
>>>> 
>>>> 
>>>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users wrote:
>>>>> 
>>>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users 
>>>>> wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 
>>>>>> shares with kerberos?
>>>>>> 
>>>>>> I manage to mount the shares, the folder seems to have the right 
>>>>>> permissions, but I get permission denied when trying to access the 
>>>>>> folder.
>>>>>> 
>>>>>> I am trying from a Fedora 37 client.
>>>>>> 
>>>>>> As this is potentially off-topic, I’d be glad to take the discussion 
>>>>>> off-list.
>>>>>> 
>>>>> 
>>>>> That's a very interesting subject. Just today we started looking at the 
>>>>> same thing.
>>>>> I have no idea yet how to do this, so I too would like to know if 
>>>>> somebody has succeeded to set this up.
>>>>> --
>>>>> Kees
>>>> 
>>>> Great! If it is ok with you, please keep in touch to share how/what you
>>>> accomplish.
>>>> 
>>>> Here, I have managed to join TrueNAS 

[Freeipa-users] Re: Healthcheck errors for certificate issues after update

2023-10-04 Thread Jeremy Tourville via FreeIPA-users
>>> Is this an externally-signed CA?
Yes
>>> What version of healthcheck do you have?
0.12-1

I *think* from what I am seeing this cert is valid.  Can you confirm?

# getcert list -i "20230901185953"
Number of certificates and requests being tracked: 10.
Request ID '20230901185953':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=IDM.EXAMPLE.ORG
  subject: CN=EXAMPLE-CA,DC=example,DC=org
  issued: 2023-04-05 12:54:46 CDT
  expires: 2038-01-06 09:20:42 CST
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  profile: caCACert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb"
  track: yes
  auto-renew: yes

If we both agree this cert is valid, how do I clear the warning message from 
healthcheck?


[Freeipa-users] Re: Healthcheck errors for certificate issues after update

2023-10-04 Thread Rob Crittenden via FreeIPA-users
Jeremy Tourville via FreeIPA-users wrote:
> I recently updated my system.  I am now at version 4.9.11.  After the update 
> I noticed the following output from healthcheck.
> 
> # ipa-healthcheck
> ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f001f2421fafd67223225001f not found (404)
> [
>   {
>     "source": "ipahealthcheck.dogtag.ca",
>     "check": "DogtagCertsConnectivityCheck",
>     "result": "ERROR",
>     "uuid": "8a663c7d-77f9-4739-8029-c401b113fa5e",
>     "when": "20231003134004Z",
>     "duration": "0.093615",
>     "kw": {
>       "key": "cert_show_1",
>       "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f001f2421fafd67223225001f not found (404)",
>       "serial": "2475382717198593230277736537855912919378690079",
>       "msg": "Serial number not found: {error}"
>     }
>   },

Is this an externally-signed CA? There was a bug in healthcheck that
didn't take this case into account. What version of healthcheck do you have?

>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertTracking",
>     "result": "WARNING",
>     "uuid": "3c183bb0-bffc-403a-9899-a59a4d29750b",
>     "when": "20231003134009Z",
>     "duration": "1.819175",
>     "kw": {
>       "key": "20230901185953",
>       "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
>     }
>   }
> ]

You need to see what this tracking request is. It may be perfectly valid
for your setup, it just isn't an expected cert: getcert list -i
"20230901185953".

rob
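A small triage helper for the ipa-healthcheck JSON report format shown in this thread, added here as an example (it is not code from the thread or from the ipa-healthcheck project): it parses the report, expands the `{key}`/`{error}` placeholders in `msg` from the other `kw` fields, and collects the certmonger request IDs and serial numbers an admin should verify with `getcert list -i` before deciding whether a finding is a false positive. The sample report is constructed from the two findings quoted above, with the `uuid`/`when`/`duration` fields omitted.

```python
"""Triage ipa-healthcheck JSON output (added example, not from the thread or project)."""
import json
from collections import defaultdict

# Constructed sample: the two findings from the thread, with uuid/when/duration
# omitted because the triage logic does not use them.
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck",
     "result": "ERROR",
     "kw": {"key": "cert_show_1",
            "error": "Certificate operation cannot be completed: Request failed "
                     "with status 404: Non-2xx response from CA REST API: 404. "
                     "Certificate ID 0x6f001f2421fafd67223225001f not found (404)",
            "serial": "2475382717198593230277736537855912919378690079",
            "msg": "Serial number not found: {error}"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING",
     "kw": {"key": "20230901185953",
            "msg": "certmonger tracking request {key} found and is not "
                   "expected on an IPA master."}},
])

def render_msg(entry):
    """Expand the {placeholders} in kw.msg from the other kw fields."""
    kw = entry.get("kw", {})
    try:
        return kw.get("msg", "").format(**kw)
    except (KeyError, IndexError, ValueError):
        return kw.get("msg", "")  # leave the template alone if it cannot be filled

def triage(report_json):
    """Summarise a report: counts per result plus the items to verify by hand."""
    summary = {"counts": defaultdict(int), "messages": [],
               "tracking_ids": [],     # inspect each with: getcert list -i <id>
               "missing_serials": []}  # serials the RA could not find in Dogtag
    for entry in json.loads(report_json):
        summary["counts"][entry["result"]] += 1
        if entry["result"] == "SUCCESS":
            continue
        summary["messages"].append(
            f"{entry['result']} {entry['source']}.{entry['check']}: {render_msg(entry)}")
        kw = entry.get("kw", {})
        if entry["check"] == "IPACertTracking" and "key" in kw:
            summary["tracking_ids"].append(kw["key"])
        if entry["check"] == "DogtagCertsConnectivityCheck" and "serial" in kw:
            # On an externally-signed CA this can be the healthcheck false positive
            # discussed in the thread; confirm the tracked cert with getcert first.
            summary["missing_serials"].append(int(kw["serial"]))
    summary["counts"] = dict(summary["counts"])
    return summary
```

Run it against a saved report with `triage(open("report.json").read())`; the `tracking_ids` list is exactly what to feed to `getcert list -i`.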


[Freeipa-users] Healthcheck errors for certificate issues after update

2023-10-04 Thread Jeremy Tourville via FreeIPA-users
I recently updated my system.  I am now at version 4.9.11.  After the update I 
noticed the following output from healthcheck.

# ipa-healthcheck
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f001f2421fafd67223225001f not found (404)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "8a663c7d-77f9-4739-8029-c401b113fa5e",
    "when": "20231003134004Z",
    "duration": "0.093615",
    "kw": {
      "key": "cert_show_1",
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f001f2421fafd67223225001f not found (404)",
      "serial": "2475382717198593230277736537855912919378690079",
      "msg": "Serial number not found: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "3c183bb0-bffc-403a-9899-a59a4d29750b",
    "when": "20231003134009Z",
    "duration": "1.819175",
    "kw": {
      "key": "20230901185953",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  }
]

If I am understanding correctly, it looks like the error is for a certificate 
that it cannot find. I have several questions here.

#1 What cert is the system looking for?
#2 How do I correct the error issue?
#3 Is the warning the result of the error? i.e. are the issues related to each 
other?
#4 If the warning is not the result of the error, how do I correct that?

Thanks for your input.