[Freeipa-users] Re: Testing requested - certificate checking tool
Rob, I'd love to test your tool, as part of working on my problem "ipa.service fails to start", but I still run 4.4.0-12.0.1.el7.x86_64, hence do you think this is the obstacle?

Again, as part of the "ipa.service fails to start" work, I was hoping to add a new IPA server 4.5.4, but ipa-replica-prepare (from v4.4.0) fails with:

    Creating SSL certificate for the Directory Server
    cannot connect to 'https://ca-ldap02.domain.com:8443/ca/ee/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.

One more thing, my domain level is 0, will it help raising it to 1 and is this process harmful? I am desperate to try things that can possibly lead to resolving my expired cert problems.

thanks, Zarko

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert
Hi Kees,

I've also been looking at Rob's blog as part of working on my problem ("ipa.service "fails" to start"). In my case, when running the curl command (with -v), I do see

    * About to connect() to ca-ldap03 port 8443 (#0)
    *   Trying x.x.x..x ...
    * Connected to ca-ldap03 port 8443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/ipa/ca.crt
        CApath: none
    * NSS: client certificate not found (nickname not specified)
    ...

but then I see:

    < HTTP/1.1 500 Internal Server Error

.. finally the command's exit status is 0, hence I understand there is no need to modify the trust flag.
[Freeipa-users] Re: ipa.service "fails" to start
Hi Flo and Rob, additional update.

There is a discrepancy in some of the certs' expiry times among the 4 servers, so I thought maybe another server can be a candidate to be the new renewal master. The command "ipa-csreplica-manage set-renewal-master ca-ldap02" worked well, hence "ipa config-show" on all 4 servers reads ca-ldap02 is the IPA CA renewal master. But it's still a mixture of expired and valid certs: auditSigningCert, caSigningCert and ipaCert are expired.

So on ca-ldap02 I repeated the familiar process of "kill ntpd, going back a few days, restart krb5kdc, dirsrv, httpd, CA, then certmonger" and I am having the error from the previous update:

    "Directory Server on ca-ldap02: Insufficient access: Invalid credentials"

Have a good weekend, hope to continue troubleshooting next week.
[Freeipa-users] Re: ipa.service "fails" to start
Agree Flo, making sure that I am in the past, unfortunately still no resolution.

    [root@ca-ldap01 ~]# systemctl restart krb5kdc
    [root@ca-ldap01 ~]# systemctl restart dirsrv@DOMAIN-COM.service
    [root@ca-ldap01 ~]# systemctl restart httpd
    [root@ca-ldap01 ~]# systemctl restart pki-tomcatd@pki-tomcat.service

Kerberos now understands we are in the past!

    [root@ca-ldap01 ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: ad...@domain.com

    Valid starting       Expires              Service principal
    08/13/2018 11:21:32  08/14/2018 11:21:28  krbtgt/domain@domain.com
    [root@ca-ldap01 ~]# date
    Mon Aug 13 11:22:20 PDT 2018

And these are the renew.log errors when certmonger is restarted, or on getcert resubmit, basically insufficient access to the directory server!?

    2018-08-13T18:46:49Z13747 MainThread ipa DEBUG Initializing principal host/ca-ldap01.domain@domain.com using keytab /etc/krb5.keytab
    2018-08-13T18:46:49Z13747 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-NGZEev/ccache
    2018-08-13T18:46:49Z13747 MainThread ipa DEBUG Attempt 1/1: success
    2018-08-13T18:46:49Z13747 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
    2018-08-13T18:46:49Z13747 MainThread ipa DEBUG Could not connect to the Directory Server on ca-ldap01.domain.com: Insufficient access: Invalid credentials

The syslog message also reads "Insufficient access: Invalid credentials":

    Aug 13 12:20:39 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):
      File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in
        sys.exit(main())
      File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
        if ca.is_renewal_master():
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
        self.ldap_connect()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
        conn.do_bind(self.dm_password, autobind=self.autobind)
      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
        self.do_sasl_gssapi_bind(timeout=timeout)
      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
        self.__bind_with_wait(self.gssapi_bind, timeout)
      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
        bind_func(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
        '', auth_tokens, server_controls, client_controls)
      File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
        self.gen.throw(type, value, traceback)
      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
        raise errors.ACIError(info="%s %s" % (info, desc))
    ACIError: Insufficient access: Invalid credentials
    Aug 13 12:20:39 ca-ldap01 certmonger: 2018-08-13 12:20:39 [16173] Internal error

I've been worrying now, it's been a week and this is a prod environment. I've tried to add a 5th server, but replication to it fails. Any hope for resolution?
[Freeipa-users] Re: ipa.service "fails" to start
Hi Rob, I followed one of your suggestions in another post, it's:

"certmonger _should_ have renewed them. Try killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what happens"

I did it, no success, with messages:

- MainThread ipa DEBUG Could not connect to the Directory Server on ca-ldap01.domain.com: Insufficient access: Invalid credentials
- ca-dap01 certmonger: 2018-08-07 10:40:39 [4831] Internal error
- ca-ldap01 [sssd[ldap_child[5045]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'DOMAIN.COM'. Unable to create GSSAPI-encrypted LDAP connection.
- ca-ldap01 [sssd[ldap_child[5045]]]: Cannot contact any KDC for realm 'DOMAIN.COM'

And I notice that Kerberos somehow still shows the current date, instead of 2018-08-07 (my back-in-time date).

    [root@ca-ldap01 ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: ad...@domain.com

    Valid starting       Expires              Service principal
    10/25/2018 20:55:02  10/26/2018 20:54:58  krbtgt/domain@domain.com

Is this the reason for the failure?
[Freeipa-users] Re: ipa.service "fails" to start
Hi Rob, thanks much. Some of Flo's blogs about the CA help me to understand better now.

Sure, "ipa cacert-manage renew" and "ipa-certupdate" were run before, hopefully not harmful; "caSigningCert cert-pki-ca" was valid for 18 more years. You're right, there is a mix of old and renewed ones; three require renewal: auditSigningCert, subsystemCert and ipaCert, all expired on 2018-08-14. The time I went back to was 7 days earlier, 2018-08-07.

Sorry, nothing to revert, please let me know what you would suggest now. The state of the certs is:

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2018-08-14 20:49:38 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=OCSP Subsystem,O=DOMAIN.COM
    expires: 2020-10-11 20:15:53 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Subsystem,O=DOMAIN.COM
    expires: 2018-08-14 20:49:36 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=Certificate Authority,O=DOMAIN.COM
    expires: 2038-10-22 18:15:48 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    subject: CN=IPA RA,O=DOMAIN.COM
    expires: 2018-08-14 20:50:00 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=ca-ldap01.DOMAIN.com,O=DOMAIN.COM
    expires: 2020-07-07 01:47:45 UTC
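As an added example (not part of this thread, not Rob's certificate checking tool from the first message, and not FreeIPA code): a small Python script that reads `getcert list` output like the listing above, groups the tracked certs into expired / expiring / ok, and computes the clock value that the "kill ntpd and go back a few days" step discussed in this thread should target. The nicknames and expiry dates in the embedded sample are the ones quoted above; the request IDs are made up.

```python
"""Flag expired / soon-to-expire certificates in `getcert list` output.
Added example, not FreeIPA's code and not Rob's tool. The sample below is
constructed from the nicknames and expiry dates quoted in the thread; the
request IDs are made up."""
import re
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 5.
Request ID '20160101000000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2018-08-14 20:49:38 UTC
Request ID '20160101000001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=OCSP Subsystem,O=DOMAIN.COM
    expires: 2020-10-11 20:15:53 UTC
Request ID '20160101000002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Subsystem,O=DOMAIN.COM
    expires: 2018-08-14 20:49:36 UTC
Request ID '20160101000003':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=Certificate Authority,O=DOMAIN.COM
    expires: 2038-10-22 18:15:48 UTC
Request ID '20160101000004':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    subject: CN=IPA RA,O=DOMAIN.COM
    expires: 2018-08-14 20:50:00 UTC
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
NSSDB_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_utc(text):
    return datetime.strptime(text, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict per 'Request ID' block: request_id, status, subject, location,
    nickname, expires. A request with no certificate yet simply lacks 'expires'."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            certs.append(current)
            continue
        key, sep, value = line.partition(": ")
        if current is None or not sep:
            continue
        if key == "certificate":
            nss = NSSDB_RE.search(value)
            if nss:
                current["location"], current["nickname"] = nss.groups()
        elif key == "expires":
            current["expires"] = parse_utc(value)
        elif key in ("status", "subject"):
            current[key] = value
    return certs


def classify(certs, now, warn_days=30):
    """Nicknames grouped into expired / expiring (within warn_days) / ok, by expiry."""
    horizon = now + timedelta(days=warn_days)
    report = {"expired": [], "expiring": [], "ok": []}
    for c in sorted((c for c in certs if "expires" in c), key=lambda c: c["expires"]):
        name = c.get("nickname") or c["request_id"]
        bucket = "expired" if c["expires"] <= now else "expiring" if c["expires"] <= horizon else "ok"
        report[bucket].append(name)
    return report


def rollback_target(certs, now, margin_days=3):
    """Clock value for the 'stop ntpd, go back a few days' step: margin_days before
    the earliest expiry among the expired certs, so every one of them is valid
    again. None if nothing is expired. getcert does not print notBefore, so confirm
    with certutil that no tracked cert was issued after this date."""
    expired = [c["expires"] for c in certs if "expires" in c and c["expires"] <= now]
    return min(expired) - timedelta(days=margin_days) if expired else None


if __name__ == "__main__":
    # usage: getcert list > certs.txt && python3 check_getcert.py certs.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GETCERT_OUTPUT
    certs = parse_getcert_list(text)
    now = datetime.now(timezone.utc)
    for state, names in classify(certs, now).items():
        for name in names:
            print(f"{state:<9} {name}")
    target = rollback_target(certs, now)
    print("rollback target:", target.strftime(EXPIRES_FMT) if target else "none needed")
```

Run against the sample with the clock at 2018-08-15 it reports subsystemCert, auditSigningCert and ipaCert as expired and a rollback target of 2018-08-11 20:49:36 UTC, consistent with the 2018-08-07 date used in the thread. The margin only needs to cover the renewal itself; the further back the clock goes, the more likely you land before some cert's notBefore, which getcert does not show, hence the certutil check in the docstring. Ticket caches obtained at the real date stay in the keyring until destroyed, so kdestroy and kinit again after changing the clock.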
[Freeipa-users] Re: ipa.service "fails" to start
No, the CA component is not running, and there seems to be not much activity under /var/log/pki/pki-tomcat. Maybe these can be of interest:

[1] selftests.log

    0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
    0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

[2] catalina.log

    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
    WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
    WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property

Flo, if I may suspect this one: I recall that before the incident it expired in 2036, now it's 2038.

    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2038-10-22 18:15:48 UTC
    track: yes
    auto-renew: yes

And the URI was the hostname, not ipa-ca.

    # certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep URI
    URI: "http://ipa-ca.domain.com/ca/ocsp"

Is there a way to "manually" revert the change or renew a cert?
[Freeipa-users] Re: ipa.service "fails" to start
Hi Flo, I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and /var/log/pki/pki-tomcat/ca/debug reads:

    [08/Aug/2018:10:12:02][localhost-startStop-1]: = DEBUG SUBSYSTEM INITIALIZED ===
    java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803)
        at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:858)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1808)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1914)
        at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1355)
        at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: java.security.cert.CertificateException: Invalid certificate: (-8181) Peer's Certificate has expired.
        at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method)
        at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842)
        ... 44 more

    Invalid class name repositorytop
        at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
        at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
        at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
[Freeipa-users] ipa.service "fails" to start
Hi there,

This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7. After a reboot I couldn't start the ipa service via systemctl, hence I ran "ipactl start --ignore-service-failures" and this was kind of successful. I still have some discrepancies, and am looking for troubleshooting ideas.

1. "systemctl status ipa.service" reads that the service failed
2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server is running.
3. # ipactl status

    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: STOPPED    < !!
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

Well, why does pki-tomcatd read 'stopped', and how do I make systemctl recognize that the ipa service is running?

thanks in advance, Zarko
[Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME
This is resolved by updating the sudo package.

    ---> Package sudo.x86_64 0:1.8.6p7-11.el7 will be updated
    ---> Package sudo.x86_64 0:1.8.19p2-10.el7 will be an update

From: Pavel Březina
Sent: Thursday, August 31, 2017 1:48:33 AM
To: Jakub Hrozek; Z D
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME

On 08/31/2017 08:35 AM, Jakub Hrozek wrote:
> On Wed, Aug 30, 2017 at 08:51:24PM +, Z D wrote:
>>> Does ipa_hostname in sssd.conf point to cname (or, the hostname registered
>>> with IPA) ?
>>
>>
>> It points to the DNS A record, the one that is registered with IPA.
>
> Pavel, is a setup with a machine where the hostname in IPA doesn't match
> the machine hostname known to work?

sudo should read ipa_hostname from /etc/sssd/sssd.conf so if this option is present, it should work. If it does not, we need sudo debug logs.