[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
Hi Florence, On Fri, 11 Jan 2019, Florence Blanc-Renaud via FreeIPA-users wrote: On 1/11/19 3:24 PM, dbischof--- via FreeIPA-users wrote: On Thu, 10 Jan 2019, Florence Blanc-Renaud wrote: On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote: [...] you can use ldapmodify to manually add the missing certificate: 1. transform the RA agent cert into der format $ openssl x509 -outform der -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der 2. upload the cert in LDAP $ ldapmodify -h ipa2 -p 389 -D "cn=directory manager" -W Enter LDAP Password: dn: uid=ipara,ou=people,o=ipaca changetype: modify add: usercertificate usercertificate:< file:///tmp/ra-agent.der modifying entry "uid=ipara,ou=people,o=ipaca" to exit After that, you should be able to re-run ipa-server-upgrade. At this point, please make sure that replication could be re-established between the two nodes. your help is greatly appreciated. I had to change the cert serial in "description" additionally the same way via ldapmodify, but now ipa-server-upgrade goes smooth and IPA on ipa2 comes up properly after a reboot. Fine. Regarding replication: Checking, whether replication works properly is achieved with "ipa-replica-manage -v list ", right? Has to work on both IPA servers and "last update ended" must be a reasonable recent timestamp? Yes, ipa-replica-manage -v list will display the status of the replication for the domain (user, hosts, ...). The value of "last update status" must be "Replica acquired successfully: Incremental update succeeded". this is working now, thanks again. If the topology includes multiple CA instances, replication is also configured for the CA data, and the status can be found using ipa-csreplica-manage -v list . I do have 2 CA instances and it appears that i'm not yet out of the woods here: ---ipa2 $ ipa-csreplica-manage -v list ipa1.example.com ipa2.example.com last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error) last update ended: 1970-01-01 00:00:00+00:00 --- But i will start a new thread for this, if i can't get fixed myself. Mit freundlichen Gruessen/With best regards, --Daniel. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
On 1/11/19 3:24 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Thu, 10 Jan 2019, Florence Blanc-Renaud wrote: On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote: [...] you can use ldapmodify to manually add the missing certificate: 1. transform the RA agent cert into der format $ openssl x509 -outform der -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der 2. upload the cert in LDAP $ ldapmodify -h ipa2 -p 389 -D "cn=directory manager" -W Enter LDAP Password: dn: uid=ipara,ou=people,o=ipaca changetype: modify add: usercertificate usercertificate:< file:///tmp/ra-agent.der modifying entry "uid=ipara,ou=people,o=ipaca" to exit After that, you should be able to re-run ipa-server-upgrade. At this point, please make sure that replication could be re-established between the two nodes. your help is greatly appreciated. I had to change the cert serial in "description" additionally the same way via ldapmodify, but now ipa-server-upgrade goes smooth and IPA on ipa2 comes up properly after a reboot. Fine. Regarding replication: Checking, whether replication works properly is achieved with "ipa-replica-manage -v list ", right? Has to work on both IPA servers and "last update ended" must be a reasonable recent timestamp? Yes, ipa-replica-manage -v list will display the status of the replication for the domain (user, hosts, ...). The value of "last update status" must be "Replica acquired successfully: Incremental update succeeded". If the topology includes multiple CA instances, replication is also configured for the CA data, and the status can be found using ipa-csreplica-manage -v list . HTH, flo Mit freundlichen Gruessen/With best regards, --Daniel. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
Hi Florence, On Thu, 10 Jan 2019, Florence Blanc-Renaud wrote: On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote: [...] you can use ldapmodify to manually add the missing certificate: 1. transform the RA agent cert into der format $ openssl x509 -outform der -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der 2. upload the cert in LDAP $ ldapmodify -h ipa2 -p 389 -D "cn=directory manager" -W Enter LDAP Password: dn: uid=ipara,ou=people,o=ipaca changetype: modify add: usercertificate usercertificate:< file:///tmp/ra-agent.der modifying entry "uid=ipara,ou=people,o=ipaca" to exit After that, you should be able to re-run ipa-server-upgrade. At this point, please make sure that replication could be re-established between the two nodes. your help is greatly appreciated. I had to change the cert serial in "description" additionally the same way via ldapmodify, but now ipa-server-upgrade goes smooth and IPA on ipa2 comes up properly after a reboot. Fine. Regarding replication: Checking, whether replication works properly is achieved with "ipa-replica-manage -v list ", right? Has to work on both IPA servers and "last update ended" must be a reasonable recent timestamp? Mit freundlichen Gruessen/With best regards, --Daniel. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Tue, 8 Jan 2019, Florence Blanc-Renaud wrote: On 1/8/19 3:51 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Mon, 7 Jan 2019, Florence Blanc-Renaud wrote: [...] i shaved this thread a little, since it gets confusing. Hope i kept the interesting bits. The errors related to "Unable to find request for serial xxx" mean that the cert is tracked by certmonger, but there is no corresponding LDAP entry cn=xxx,ou=ca,ou=requests,o=ipaca on the local LDAP server. Is the replication still working between your two masters? "ipa cert-show" broken on ipa2 often points to an out-of-date certificate in /var/lib/ipa/ra-agent.{pem|key}. The content should be the same as on the renewal master, and also the same as in the entry uid=ipara,ou=People,o=ipaca (which should be replicated and identical on all the masters, except if you have replication issues). Replication appeared to be working, however, I did server maintenance today, ipa1 and ipa2 got upgraded and rebooted. ipa1 works fine, ipa2 does not come up properly: --- ipa2 $ ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED You need to have a look at krb5 logs to understand why kerberos failed to start. Please check https://www.freeipa.org/page/Troubleshooting/Kerberos for more information. Turns out that kerberos starts when started manually with systemctl: --- $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- Kerberos log: --- [...] : NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required Jan 08 10:39:22 ipa2.example.com krb5kdc[21691](info): closing down fd 11 Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): closing down fd 11 Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for HTTP/ipa2.example@example.com Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): closing down fd 11 --- httpd Service: RUNNING ipa-custodia Service: STOPPED ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- --- ipa1 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;268304391;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks good. --- ipa2 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;44;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks bad. So yes, the replication of the suffix o=ipaca seems broken. In a deployment with CA, the ldap server contains 2 different suffixes, one for the IdM data (your base DN as defined in /etc/ipa/default.conf) and another one for the CA, below o=ipaca. You can have a look at https://www.freeipa.org/page/Troubleshooting/Directory_Server for replication troubleshooting, but the repl issue could be a consequence of kerberos server not starting. I checked the troubleshooting pages and carried out the steps described in there, but my system (ipa2) appears to be ok as far as the steps go. --- /var/log/ipaupgrade.log [...] 2018-12-28T10:55:53Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API --- --- /var/log/dirsrv/slapd-EXAMPLE-COM/errors [...] [28/Dec/2018:11:55:55.559648469 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.example@example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) --- --- ipa-checkcerts.py [...] ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION (Invalid Credential.) ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Un
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
Hi Florence, On Tue, 8 Jan 2019, Florence Blanc-Renaud wrote: On 1/8/19 3:51 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Mon, 7 Jan 2019, Florence Blanc-Renaud wrote: [...] i shaved this thread a little, since it gets confusing. Hope i kept the interesting bits. The errors related to "Unable to find request for serial xxx" mean that the cert is tracked by certmonger, but there is no corresponding LDAP entry cn=xxx,ou=ca,ou=requests,o=ipaca on the local LDAP server. Is the replication still working between your two masters? "ipa cert-show" broken on ipa2 often points to an out-of-date certificate in /var/lib/ipa/ra-agent.{pem|key}. The content should be the same as on the renewal master, and also the same as in the entry uid=ipara,ou=People,o=ipaca (which should be replicated and identical on all the masters, except if you have replication issues). Replication appeared to be working, however, I did server maintenance today, ipa1 and ipa2 got upgraded and rebooted. ipa1 works fine, ipa2 does not come up properly: --- ipa2 $ ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED You need to have a look at krb5 logs to understand why kerberos failed to start. Please check https://www.freeipa.org/page/Troubleshooting/Kerberos for more information. Turns out that kerberos starts when started manually with systemctl: --- $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- Kerberos log: --- [...] : NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required Jan 08 10:39:22 ipa2.example.com krb5kdc[21691](info): closing down fd 11 Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): closing down fd 11 Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for HTTP/ipa2.example@example.com Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): closing down fd 11 --- httpd Service: RUNNING ipa-custodia Service: STOPPED ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- --- ipa1 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;268304391;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks good. --- ipa2 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;44;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks bad. So yes, the replication of the suffix o=ipaca seems broken. In a deployment with CA, the ldap server contains 2 different suffixes, one for the IdM data (your base DN as defined in /etc/ipa/default.conf) and another one for the CA, below o=ipaca. You can have a look at https://www.freeipa.org/page/Troubleshooting/Directory_Server for replication troubleshooting, but the repl issue could be a consequence of kerberos server not starting. I checked the troubleshooting pages and carried out the steps described in there, but my system (ipa2) appears to be ok as far as the steps go. --- /var/log/ipaupgrade.log [...] 2018-12-28T10:55:53Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API --- --- /var/log/dirsrv/slapd-EXAMPLE-COM/errors [...] [28/Dec/2018:11:55:55.559648469 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.example@example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) --- --- ipa-checkcerts.py [...] ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION (Invalid Credential.) ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Unable to find request for serial 268304394 ipa: INFO: Unable to find request for serial 268304393
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
On 1/8/19 3:51 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Mon, 7 Jan 2019, Florence Blanc-Renaud wrote: [...] i shaved this thread a little, since it gets confusing. Hope i kept the interesting bits. The errors related to "Unable to find request for serial xxx" mean that the cert is tracked by certmonger, but there is no corresponding LDAP entry cn=xxx,ou=ca,ou=requests,o=ipaca on the local LDAP server. Is the replication still working between your two masters? "ipa cert-show" broken on ipa2 often points to an out-of-date certificate in /var/lib/ipa/ra-agent.{pem|key}. The content should be the same as on the renewal master, and also the same as in the entry uid=ipara,ou=People,o=ipaca (which should be replicated and identical on all the masters, except if you have replication issues). Replication appeared to be working, however, I did server maintenance today, ipa1 and ipa2 got upgraded and rebooted. ipa1 works fine, ipa2 does not come up properly: --- ipa2 $ ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED You need to have a look at krb5 logs to understand why kerberos failed to start. Please check https://www.freeipa.org/page/Troubleshooting/Kerberos for more information. Turns out that kerberos starts when started manually with systemctl: --- $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- Kerberos log: --- [...] : NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required Jan 08 10:39:22 ipa2.example.com krb5kdc[21691](info): closing down fd 11 Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): closing down fd 11 Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for HTTP/ipa2.example@example.com Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): closing down fd 11 --- httpd Service: RUNNING ipa-custodia Service: STOPPED ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- --- ipa1 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;268304391;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks good. --- ipa2 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;44;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks bad. So yes, the replication of the suffix o=ipaca seems broken. In a deployment with CA, the ldap server contains 2 different suffixes, one for the IdM data (your base DN as defined in /etc/ipa/default.conf) and another one for the CA, below o=ipaca. You can have a look at https://www.freeipa.org/page/Troubleshooting/Directory_Server for replication troubleshooting, but the repl issue could be a consequence of kerberos server not starting. I checked the troubleshooting pages and carried out the steps described in there, but my system (ipa2) appears to be ok as far as the steps go. --- /var/log/ipaupgrade.log [...] 2018-12-28T10:55:53Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API --- --- /var/log/dirsrv/slapd-EXAMPLE-COM/errors [...] [28/Dec/2018:11:55:55.559648469 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.example@example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) --- --- ipa-checkcerts.py [...] ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION (Invalid Credential.) ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Unable to find request for serial 268304394 ipa: INFO: Unable to find request for serial 268304393 Unable to find request for serial 268304393 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
Hi Florence, On Mon, 7 Jan 2019, Florence Blanc-Renaud wrote: [...] i shaved this thread a little, since it gets confusing. Hope i kept the interesting bits. The errors related to "Unable to find request for serial xxx" mean that the cert is tracked by certmonger, but there is no corresponding LDAP entry cn=xxx,ou=ca,ou=requests,o=ipaca on the local LDAP server. Is the replication still working between your two masters? "ipa cert-show" broken on ipa2 often points to an out-of-date certificate in /var/lib/ipa/ra-agent.{pem|key}. The content should be the same as on the renewal master, and also the same as in the entry uid=ipara,ou=People,o=ipaca (which should be replicated and identical on all the masters, except if you have replication issues). Replication appeared to be working, however, I did server maintenance today, ipa1 and ipa2 got upgraded and rebooted. ipa1 works fine, ipa2 does not come up properly: --- ipa2 $ ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED You need to have a look at krb5 logs to understand why kerberos failed to start. Please check https://www.freeipa.org/page/Troubleshooting/Kerberos for more information. Turns out that kerberos starts when started manually with systemctl: --- $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- Kerberos log: --- [...] : NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required Jan 08 10:39:22 ipa2.example.com krb5kdc[21691](info): closing down fd 11 Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): closing down fd 11 Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for HTTP/ipa2.example@example.com Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): closing down fd 11 --- httpd Service: RUNNING ipa-custodia Service: STOPPED ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful --- --- ipa1 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;268304391;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks good. --- ipa2 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial Serial Number: 268304391 (0xffe0007) $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca [...] description: 2;44;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM --- Looks bad. So yes, the replication of the suffix o=ipaca seems broken. In a deployment with CA, the ldap server contains 2 different suffixes, one for the IdM data (your base DN as defined in /etc/ipa/default.conf) and another one for the CA, below o=ipaca. You can have a look at https://www.freeipa.org/page/Troubleshooting/Directory_Server for replication troubleshooting, but the repl issue could be a consequence of kerberos server not starting. I checked the troubleshooting pages and carried out the steps described in there, but my system (ipa2) appears to be ok as far as the steps go. --- /var/log/ipaupgrade.log [...] 2018-12-28T10:55:53Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API --- --- /var/log/dirsrv/slapd-EXAMPLE-COM/errors [...] [28/Dec/2018:11:55:55.559648469 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.example@example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) --- --- ipa-checkcerts.py [...] ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION (Invalid Credential.) ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304394 Unable to find request for serial 268304394 ipa: INFO: Unable to find request for serial 268304393 Unable to find request for serial 268304393 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Unable to find request for serial 268304390 Unable to find req
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
On 12/28/18 1:03 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Fri, 21 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/21/18 11:58 AM, dbischof--- via FreeIPA-users wrote: thank you very much for your help. On Fri, 21 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 6:52 PM, dbischof--- via FreeIPA-users wrote: On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed due to an unknown reason."). Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running. On login attempt: --- httpd log [...] [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [...] [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1 --- --- krb5kdc.log [...] Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Additional pre-authentication required Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11 Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Failed to verify own certificate (depth 0): certificate has expired Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11 --- --- ipa-checkcerts.py IPA version 4.5.4-10.el7.centos.3 Check CA status Check tracking Check NSS trust Check dates Checking certificates in CS.cfg Comparing certificates to requests in LDAP Checking RA certificate Checking authorities Checking host keytab Validating certificates Checking renewal master End-to-end cert API test Checking permissions and ownership Failures: Unable to find request for serial 268304391 Unable to find request for serial 268304394 Unable to find request for serial 268304393 Unable to find request for serial 268304392 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 --- --- ipa pkinit-status --all - 2 servers matched - Server name: ipa2.example.com PKINIT status: enabled Server name: ipa1.example.com PKINIT status: enabled Number of entries returned 2 To my understanding, proper certificate exchange between my two servers ceased working at some point. How do i track this down and fix it? your issue looks similar to ticket #6792 [1]. Can you check the result of upgrade in /var/log/ipaupgrade.log? Also check the output of $ ipa-pkinit-manage status and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions. Regarding the certificates, does getcert list show expired certs? flo [1] https://pagure.io/freeipa/issue/6792 --- $ ipa-pkinit-manage status PKINIT is enabled --- There are no expired certificates, kdc-ca-bundle.pem and ca-bundle.pem exist with proper permissions, but I found something in ipaupgrade.log: --- 2018-09-12T13:37:18Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u EXAMPLE.COM IPA CA CT,C,C 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n EXAMPLE.COM IPA CA -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= -BEGIN CERTIFICATE- [...] -END CERTIFICATE- 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
Hi Florence, On Fri, 21 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/21/18 11:58 AM, dbischof--- via FreeIPA-users wrote: thank you very much for your help. On Fri, 21 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 6:52 PM, dbischof--- via FreeIPA-users wrote: On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed due to an unknown reason."). Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running. On login attempt: --- httpd log [...] [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [...] [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1 --- --- krb5kdc.log [...] Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Additional pre-authentication required Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11 Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Failed to verify own certificate (depth 0): certificate has expired Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11 --- --- ipa-checkcerts.py IPA version 4.5.4-10.el7.centos.3 Check CA status Check tracking Check NSS trust Check dates Checking certificates in CS.cfg Comparing certificates to requests in LDAP Checking RA certificate Checking authorities Checking host keytab Validating certificates Checking renewal master End-to-end cert API test Checking permissions and ownership Failures: Unable to find request for serial 268304391 Unable to find request for serial 268304394 Unable to find request for serial 268304393 Unable to find request for serial 268304392 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 --- --- ipa pkinit-status --all - 2 servers matched - Server name: ipa2.example.com PKINIT status: enabled Server name: ipa1.example.com PKINIT status: enabled Number of entries returned 2 To my understanding, proper certificate exchange between my two servers ceased working at some point. How do i track this down and fix it? your issue looks similar to ticket #6792 [1]. Can you check the result of upgrade in /var/log/ipaupgrade.log? Also check the output of $ ipa-pkinit-manage status and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions. Regarding the certificates, does getcert list show expired certs? flo [1] https://pagure.io/freeipa/issue/6792 --- $ ipa-pkinit-manage status PKINIT is enabled --- There are no expired certificates, kdc-ca-bundle.pem and ca-bundle.pem exist with proper permissions, but I found something in ipaupgrade.log: --- 2018-09-12T13:37:18Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u EXAMPLE.COM IPA CA CT,C,C 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n EXAMPLE.COM IPA CA -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= -BEGIN CERTIFICATE- [...] -END CERTIFICATE- 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Executing upgrade plugin: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw:
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
On 12/21/18 11:58 AM, dbischof--- via FreeIPA-users wrote: Hi Florence, thank you very much for your help. On Fri, 21 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 6:52 PM, dbischof--- via FreeIPA-users wrote: On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed due to an unknown reason."). Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running. On login attempt: --- httpd log [...] [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [...] [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1 --- --- krb5kdc.log [...] Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Additional pre-authentication required Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11 Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Failed to verify own certificate (depth 0): certificate has expired Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11 --- --- ipa-checkcerts.py IPA version 4.5.4-10.el7.centos.3 Check CA status Check tracking Check NSS trust Check dates Checking certificates in CS.cfg Comparing certificates to requests in LDAP Checking RA certificate Checking authorities Checking host keytab Validating certificates Checking renewal master End-to-end cert API test Checking permissions and ownership Failures: Unable to find request for serial 268304391 Unable to find request for serial 268304394 Unable to find request for serial 268304393 Unable to find request for serial 268304392 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 --- --- ipa pkinit-status --all - 2 servers matched - Server name: ipa2.example.com PKINIT status: enabled Server name: ipa1.example.com PKINIT status: enabled Number of entries returned 2 To my understanding, proper certificate exchange between my two servers ceased working at some point. How do i track this down and fix it? your issue looks similar to ticket #6792 [1]. Can you check the result of upgrade in /var/log/ipaupgrade.log? Also check the output of $ ipa-pkinit-manage status and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions. Regarding the certificates, does getcert list show expired certs? flo [1] https://pagure.io/freeipa/issue/6792 --- $ ipa-pkinit-manage status PKINIT is enabled --- There are no expired certificates, kdc-ca-bundle.pem and ca-bundle.pem exist with proper permissions, but I found something in ipaupgrade.log: --- 2018-09-12T13:37:18Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u EXAMPLE.COM IPA CA CT,C,C 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n EXAMPLE.COM IPA CA -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= -BEGIN CERTIFICATE- [...] -END CERTIFICATE- 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Executing upgrade plugin: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
Hi Florence, thank you very much for your help. On Fri, 21 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 6:52 PM, dbischof--- via FreeIPA-users wrote: On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed due to an unknown reason."). Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running. On login attempt: --- httpd log [...] [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [...] [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1 --- --- krb5kdc.log [...] Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Additional pre-authentication required Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11 Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Failed to verify own certificate (depth 0): certificate has expired Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11 --- --- ipa-checkcerts.py IPA version 4.5.4-10.el7.centos.3 Check CA status Check tracking Check NSS trust Check dates Checking certificates in CS.cfg Comparing certificates to requests in LDAP Checking RA certificate Checking authorities Checking host keytab Validating certificates Checking renewal master End-to-end cert API test Checking permissions and ownership Failures: Unable to find request for serial 268304391 Unable to find request for serial 268304394 Unable to find request for serial 268304393 Unable to find request for serial 268304392 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 --- --- ipa pkinit-status --all - 2 servers matched - Server name: ipa2.example.com PKINIT status: enabled Server name: ipa1.example.com PKINIT status: enabled Number of entries returned 2 To my understanding, proper certificate exchange between my two servers ceased working at some point. How do i track this down and fix it? your issue looks similar to ticket #6792 [1]. Can you check the result of upgrade in /var/log/ipaupgrade.log? Also check the output of $ ipa-pkinit-manage status and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions. Regarding the certificates, does getcert list show expired certs? flo [1] https://pagure.io/freeipa/issue/6792 --- $ ipa-pkinit-manage status PKINIT is enabled --- There are no expired certificates, kdc-ca-bundle.pem and ca-bundle.pem exist with proper permissions, but I found something in ipaupgrade.log: --- 2018-09-12T13:37:18Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u EXAMPLE.COM IPA CA CT,C,C 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n EXAMPLE.COM IPA CA -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= -BEGIN CERTIFICATE- [...] -END CERTIFICATE- 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Executing upgrade plugin: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
On 12/20/18 6:52 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed due to an unknown reason."). Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running. On login attempt: --- httpd log [...] [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [...] [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1 --- --- krb5kdc.log [...] Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Additional pre-authentication required Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11 Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Failed to verify own certificate (depth 0): certificate has expired Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11 --- --- ipa-checkcerts.py IPA version 4.5.4-10.el7.centos.3 Check CA status Check tracking Check NSS trust Check dates Checking certificates in CS.cfg Comparing certificates to requests in LDAP Checking RA certificate Checking authorities Checking host keytab Validating certificates Checking renewal master End-to-end cert API test Checking permissions and ownership Failures: Unable to find request for serial 268304391 Unable to find request for serial 268304394 Unable to find request for serial 268304393 Unable to find request for serial 268304392 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 --- --- ipa pkinit-status --all - 2 servers matched - Server name: ipa2.example.com PKINIT status: enabled Server name: ipa1.example.com PKINIT status: enabled Number of entries returned 2 To my understanding, proper certificate exchange between my two servers ceased working at some point. How do i track this down and fix it? your issue looks similar to ticket #6792 [1]. Can you check the result of upgrade in /var/log/ipaupgrade.log? Also check the output of $ ipa-pkinit-manage status and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions. Regarding the certificates, does getcert list show expired certs? flo [1] https://pagure.io/freeipa/issue/6792 --- $ ipa-pkinit-manage status PKINIT is enabled --- There are no expired certificates, kdc-ca-bundle.pem and ca-bundle.pem exist with proper permissions, but I found something in ipaupgrade.log: --- 2018-09-12T13:37:18Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u EXAMPLE.COM IPA CA CT,C,C 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n EXAMPLE.COM IPA CA -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= -BEGIN CERTIFICATE- [...] -END CERTIFICATE- 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Executing upgrade plugin: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n ipaCert -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=255 2018-09-12T13:37:19Z DEBUG stdout= 2018-09-12T13:37:19Z DEBUG stderr=certutil
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
Hi Florence, On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed due to an unknown reason."). Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running. On login attempt: --- httpd log [...] [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [...] [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1 --- --- krb5kdc.log [...] Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Additional pre-authentication required Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11 Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Failed to verify own certificate (depth 0): certificate has expired Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11 --- --- ipa-checkcerts.py IPA version 4.5.4-10.el7.centos.3 Check CA status Check tracking Check NSS trust Check dates Checking certificates in CS.cfg Comparing certificates to requests in LDAP Checking RA certificate Checking authorities Checking host keytab Validating certificates Checking renewal master End-to-end cert API test Checking permissions and ownership Failures: Unable to find request for serial 268304391 Unable to find request for serial 268304394 Unable to find request for serial 268304393 Unable to find request for serial 268304392 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 --- --- ipa pkinit-status --all - 2 servers matched - Server name: ipa2.example.com PKINIT status: enabled Server name: ipa1.example.com PKINIT status: enabled Number of entries returned 2 To my understanding, proper certificate exchange between my two servers ceased working at some point. How do i track this down and fix it? your issue looks similar to ticket #6792 [1]. Can you check the result of upgrade in /var/log/ipaupgrade.log? Also check the output of $ ipa-pkinit-manage status and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions. Regarding the certificates, does getcert list show expired certs? flo [1] https://pagure.io/freeipa/issue/6792 --- $ ipa-pkinit-manage status PKINIT is enabled --- There are no expired certificates, kdc-ca-bundle.pem and ca-bundle.pem exist with proper permissions, but I found something in ipaupgrade.log: --- 2018-09-12T13:37:18Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u EXAMPLE.COM IPA CA CT,C,C 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n EXAMPLE.COM IPA CA -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=0 2018-09-12T13:37:19Z DEBUG stdout= -BEGIN CERTIFICATE- [...] -END CERTIFICATE- 2018-09-12T13:37:19Z DEBUG stderr= 2018-09-12T13:37:19Z DEBUG Executing upgrade plugin: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: update_ra_cert_store 2018-09-12T13:37:19Z DEBUG raw: ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG ca_is_enabled(version=u'2.228') 2018-09-12T13:37:19Z DEBUG Starting external process 2018-09-12T13:37:19Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n ipaCert -a -f /etc/httpd/alias/pwdfile.txt 2018-09-12T13:37:19Z DEBUG Process finished, return code=255 2018-09-12T13:37:19Z DEBUG stdout= 2018-09-12T13:37:19Z DEBUG stderr=certutil: Could not find cert: ipaCert : PR_FILE_NOT_FOUND_ERROR: File not found
[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4
On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: Hi, my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. Since a while, the Web UI logins on ipa1 don't work anymore ("Login failed due to an unknown reason."). Web UI logins on the other server (ipa2) work and everything else is working fine, too, ipactl status reports all services running. On login attempt: --- httpd log [...] [:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [...] [:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1 --- --- krb5kdc.log [...] Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Additional pre-authentication required Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11 Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/anonym...@example.com for krbtgt/example@example.com, Failed to verify own certificate (depth 0): certificate has expired Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11 --- --- ipa-checkcerts.py IPA version 4.5.4-10.el7.centos.3 Check CA status Check tracking Check NSS trust Check dates Checking certificates in CS.cfg Comparing certificates to requests in LDAP Checking RA certificate Checking authorities Checking host keytab Validating certificates Checking renewal master End-to-end cert API test Checking permissions and ownership Failures: Unable to find request for serial 268304391 Unable to find request for serial 268304394 Unable to find request for serial 268304393 Unable to find request for serial 268304392 Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57 --- --- ipa pkinit-status --all - 2 servers matched - Server name: ipa2.example.com PKINIT status: enabled Server name: ipa1.example.com PKINIT status: enabled Number of entries returned 2 To my understanding, proper certificate exchange between my two servers ceased working at some point. How do i track this down and fix it? Hi, your issue looks similar to ticket #6792 [1]. Can you check the result of upgrade in /var/log/ipaupgrade.log? Also check the output of $ ipa-pkinit-manage status and if the files /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem exist, with -rw-r--r-- permissions. Regarding the certificates, does getcert list show expired certs? flo [1] https://pagure.io/freeipa/issue/6792 Mit freundlichen Gruessen/With best regards, --Daniel. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org