date:20150728

[Freeipa-users] CA-less replica setup and trouble with cert chain

2015-07-28 Thread Mike Oliver


Hi folks,

We're trying to add a FreeIPA  (4.1; CentOS 7) replica to our 
infrastructure and keep running into an issue that prevents us from 
preparing the replica.


We're using the CA-less setup where FreeIPA is using a wildcard 
certificate provided by RapidSSL. I started trying to create the replica 
using the information provided here : 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html


But since we're not using a CA, it tells me that I need to specify 
--http-cert-file and --dirsrv-cert-file. I create a p12 file that 
includes the wildcard cert and the rest of the certs in the chain with:
$ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey 
wildcard.key -name replica01 -out replica01.mydomain.com.p12


I then check to see if all the necessary certs were added to the p12 file:
$ pk12util -l replica01.mydomain.com.p12

I see our wildcard certificate, RapidSSL's intermediate certificate, and 
the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.


Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
$ ipa-replica-prepare replica01.mydomain.com \
--http-cert-file=replica01.mydomain.com.p12 \
--dirsrv-cert-file=replica01.mydomain.com.p12 \
--ca /etc/ipa/ca.crt \
-v

I get the following error after the debug output reports  a series of 
calls to certutil:

ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File 
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 169, in 
execute

self.ask_for_options()
  File 
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, 
line 262, in ask_for_options

options.http_cert_name)
  File 
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, 
line 162, in load_pkcs12

host_name=self.replica_fqdn)
  File 
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, 
line 799, in load_pkcs12

(, .join(cert_files)))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The 
ipa-replica-prepare command failed, exception: ScriptError: The full 
certificate chain is not present in replica01.mydomain.com.p12
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The 
full certificate chain is not present in replicate01.mydomain.com.p12



The chain certainly looks to be complete given the output of pk12util, 
but it's possible I'm just building the file wrong for use with FreeIPA. 
What exactly is '--http-cert-file' and '--dirsrv-cert-file' expecting 
and how should I go about generating the certificate used by 
'ipa-replica-prepare' with a CA-less configuration?


Thanks all,

--
Mike Oliver

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] bind-dynamicdb TKEY update

2015-07-28 Thread Jorgen Lundman


Hola!

So with todays advisory: https://kb.isc.org/article/AA-01272
we finally get to test the procedure to patch and update here :)

Are there any plans for the dynamic_db github to pull in the fix, or should
I proceed with that step?

Sincerely,

Lund

-- 
Jorgen Lundman   | lund...@lundman.net
Unix Administrator   | +81 (0)90-5578-8500  (work)
Shibuya-ku, Tokyo| +81 (0)80-2090-5800  (cell)
Japan| +81 (0)3 -3375-1767  (home)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] bind-dynamicdb TKEY update

2015-07-28 Thread Jorgen Lundman


Took a look at the diff while I was waiting:

diff -rub bind-9.9.7-P1/lib/dns/tkey.c bind-9.9.7-P2/lib/dns/tkey.c
--- bind-9.9.7-P1/lib/dns/tkey.c2015-06-18 07:48:03.0 +0900
+++ bind-9.9.7-P2/lib/dns/tkey.c2015-07-15 08:50:22.0 +0900
@@ -650,6 +650,7 @@
 * Try the answer section, since that's where Win2000
 * puts it.
 */
+   name = NULL;
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
 dns_rdatatype_tkey, 0, name,
 tkeyset) != ISC_R_SUCCESS) {


Sigh. All that work for one line. :)

Lund

Jorgen Lundman wrote:
 
 Hola!
 
 So with todays advisory: https://kb.isc.org/article/AA-01272
 we finally get to test the procedure to patch and update here :)
 
 Are there any plans for the dynamic_db github to pull in the fix, or should
 I proceed with that step?
 
 Sincerely,
 
 Lund
 

-- 
Jorgen Lundman   | lund...@lundman.net
Unix Administrator   | +81 (0)90-5578-8500  (work)
Shibuya-ku, Tokyo| +81 (0)80-2090-5800  (cell)
Japan| +81 (0)3 -3375-1767  (home)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CA-less replica setup and trouble with cert chain

2015-07-28 Thread Jan Cholasta


Hi,

Dne 29.7.2015 v 00:56 Mike Oliver napsal(a):

Hi folks,

We're trying to add a FreeIPA  (4.1; CentOS 7) replica to our
infrastructure and keep running into an issue that prevents us from
preparing the replica.

We're using the CA-less setup where FreeIPA is using a wildcard
certificate provided by RapidSSL. I started trying to create the replica
using the information provided here :
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html


But since we're not using a CA, it tells me that I need to specify
--http-cert-file and --dirsrv-cert-file. I create a p12 file that
includes the wildcard cert and the rest of the certs in the chain with:
$ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey
wildcard.key -name replica01 -out replica01.mydomain.com.p12

I then check to see if all the necessary certs were added to the p12 file:
$ pk12util -l replica01.mydomain.com.p12

I see our wildcard certificate, RapidSSL's intermediate certificate, and
the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.

Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
$ ipa-replica-prepare replica01.mydomain.com \
 --http-cert-file=replica01.mydomain.com.p12 \
 --dirsrv-cert-file=replica01.mydomain.com.p12 \
 --ca /etc/ipa/ca.crt \
 -v


Note that you can use the .crt and .key files directly:

$ ipa-replica-prepare replica01.mydomain.com 
--http-cert-file=wildcard-with-intermediates.crt 
--http-cert-file=wildcard.key 
--dirsrv-cert-file=wildcard-with-intermediates.crt 
--dirsrv-cert-file=wildcard.key




I get the following error after the debug output reports  a series of
calls to certutil:
ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 169, in
execute
 self.ask_for_options()
   File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
line 262, in ask_for_options
 options.http_cert_name)
   File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
line 162, in load_pkcs12
 host_name=self.replica_fqdn)
   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 799, in load_pkcs12
 (, .join(cert_files)))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: ScriptError: The full
certificate chain is not present in replica01.mydomain.com.p12
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
full certificate chain is not present in replicate01.mydomain.com.p12


The chain certainly looks to be complete given the output of pk12util,
but it's possible I'm just building the file wrong for use with FreeIPA.
What exactly is '--http-cert-file' and '--dirsrv-cert-file' expecting
and how should I go about generating the certificate used by
'ipa-replica-prepare' with a CA-less configuration?


If the chain is complete, there should be a self-signed CA certificate 
at the top. For you that would be the Equifax/GeoTrust certificate. If 
it's not self-signed, it means the chain is in fact not complete.




Thanks all,



Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-28 Thread Jan Cholasta


Dne 20.7.2015 v 19:52 Orion Poplawski napsal(a):

On 07/20/2015 12:57 AM, Jan Cholasta wrote:

Dne 15.7.2015 v 20:57 Orion Poplawski napsal(a):

On 07/14/2015 11:53 PM, Jan Cholasta wrote:


  # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX


Directory Manager (existing master) password:

(SEC_ERROR_LIBRARY_FAILURE) security library failure.

Not much :(

Seems to be very early.

I can't find an ipa-replica-prepare.log file.


That's weird, there should be ~50 lines of output before ipa-replica-prepare
prompts you for directory manager password.

I didn't have any luck in reproducing the issue so far.

Could you please try this:

 $ mkdir tmpdb
 $ certutil -N -d tmpdb
 $ pk12util -i nwra.com.p12
 $ certutil -L -d tmpdb  # look for nickname of certificate
which has trust attributes of u,u,u
 $ certutil -O -d tmpdb -n nickname  # use the nickname from above

I would like to see the output of the last 2 commands.



[root@europa ~]# pk12util -i nwra.com.p12 -d tmpdb
Enter Password or Pin for NSS Certificate DB:
Enter password for PKCS12 file:
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: *.nwra.com - COMODO CA Limited
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@europa ~]# certutil -L -d tmpdb

Certificate Nickname Trust Attributes
  SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,,
AddTrust External CA Root - AddTrust AB  ,,
*.nwra.com - COMODO CA Limited   u,u,u
COMODO RSA Certification Authority - AddTrust AB ,,
[root@europa ~]# certutil -O -d tmpdb -n '*.nwra.com - COMODO CA Limited'
AddTrust External CA Root - AddTrust AB [CN=AddTrust External CA
Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]

   COMODO RSA Certification Authority - AddTrust AB [CN=COMODO RSA
Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater 
Manchester,C=GB]

 COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited
[CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB]

   *.nwra.com - COMODO CA Limited [CN=*.nwra.com,OU=PositiveSSL
Wildcard,OU=Domain Control Validated]


Thanks. Unfortunately it looks perfectly fine, so I still have no idea 
what's wrong.


This is a long shot, but coult you try running ipa-replica-prepare in 
strace and post the log of that?


# strace -o ipa-replica-prepare-strace.log ipa-replica-prepare 
ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XX 
--http_pkcs12=nwra.com.p12 --http_pin=XX


--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos hanging approx. once a day

2015-07-28 Thread Torsten Harenberg

Dear Rich, all,

Am 28.07.15 um 19:08 schrieb Rich Megginson:

 # ldapsearch -xLLL -D cn=directory manager -W -s base -b
 dc=uni-wuppertal,dc=de

[...]



 real0m4.559s
 user0m0.403s
 sys 0m0.057s
 [root@ipa httpd]#

 Looks okay to us, or?
 
 4 seconds?  That seems way too long.

No.. that includes the time it took me to enter the password. Only the
user line is relevant, so 0.4 seconds.


 So.. here is the problem which is left over. When logging in as admin
 now through th web page or locally:

 [Thu Jul 23 21:43:47.340133 2015] [wsgi:error] [pid 1134] ipa: INFO:
 [jsonserver_session] wens...@pleiades.uni-wuppertal.de:
 radiusproxy_find(None, version=u'2.114'): SUCCESS
 [Thu Jul 23 21:43:48.758849 2015] [wsgi:error] [pid 1133] ipa: INFO:
 [jsonserver_session] wens...@pleiades.uni-wuppertal.de: user_find(None,
 version=u'2.114'): SUCCESS
 [Fri Jul 24 07:20:10.198903 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
 Unauthorized: kinit: Clients credentials have been revoked while getting
 initial credentials
 [Fri Jul 24 07:20:10.198977 2015] [wsgi:error] [pid 1134]
 [Fri Jul 24 07:20:18.181715 2015] [wsgi:error] [pid 1133] ipa: INFO: 401
 Unauthorized: kinit: Clients credentials have been revoked while getting
 initial credentials
 [Fri Jul 24 07:20:18.181809 2015] [wsgi:error] [pid 1133]
 [Fri Jul 24 07:21:12.919751 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
 Unauthorized: kinit: Clients credentials have been revoked while getting
 initial credentials
 [Fri Jul 24 07:21:12.919878 2015] [wsgi:error] [pid 1134]
 [root@ipa httpd]# kinit admin
 kinit: Clients credentials have been revoked while getting initial
 credentials
 [root@ipa httpd]# klist
 Ticket cache: KEYRING:persistent:0:0
 Default principal: ad...@pleiades.uni-wuppertal.de

 Valid starting   Expires  Service principal
 07/23/2015 11:44:13  07/24/2015 11:44:08
 HTTP/ipa.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
 07/23/2015 11:44:11  07/24/2015 11:44:08
 krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
 [root@ipa httpd]#


 Hope you have an idea about that one as well :).
 
 I do not, sorry.  Maybe one of our kerberos experts will know.

Hope so.. the problem still persists. Strangely, it's not always there.
And it's only on the primary, not on the secondary server.

with an strace there is a difference when it does NOT work:

keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 294917837
keyctl(KEYCTL_SEARCH, 294917837, keyring, _krb,
KEY_SPEC_PROCESS_KEYRING) = 780102244
keyctl(KEYCTL_SEARCH, 780102244, user, krb_ccache:primary, 0) = 12049273
keyctl(KEYCTL_READ, 12049273, NULL, 0)  = 10
keyctl(KEYCTL_READ, 12049273, , 10)   = 10
keyctl(KEYCTL_READ, 780102244, NULL, 0) = 4
keyctl(KEYCTL_READ, 780102244, y\333\267, 4) = 4
keyctl(KEYCTL_SEARCH, 780102244, keyring, 0, 0) = -1 ENOKEY
(Required key not available)
keyctl(KEYCTL_DESCRIBE, 12049273, NULL, 0) = 37
keyctl(KEYCTL_DESCRIBE, 12049273, user;0;0;3f01;krb_ccache:pri...,
37) = 37

compared to when it WORKS:

keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 294917837
keyctl(KEYCTL_SEARCH, 294917837, keyring, _krb,
KEY_SPEC_PROCESS_KEYRING) = 780102244
keyctl(KEYCTL_SEARCH, 780102244, user, krb_ccache:primary, 0) = 12049273
keyctl(KEYCTL_READ, 12049273, NULL, 0)  = 10
keyctl(KEYCTL_READ, 12049273, , 10)   = 10
keyctl(KEYCTL_SEARCH, 780102244, keyring, 0, 0) = 17381009
keyctl(KEYCTL_SEARCH, 17381009, user, __krb5_princ__, 0) = 378086918
keyctl(KEYCTL_SEARCH, 17381009, user, __krb5_time_offsets__, 0) =
416824569
keyctl(KEYCTL_READ, 416824569, NULL, 0) = 8
keyctl(KEYCTL_READ, 416824569, , 8)   = 8
keyctl(KEYCTL_READ, 378086918, NULL, 0) = 46
keyctl(KEYCTL_READ, 378086918, , 46)  = 46
keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 294917837
keyctl(KEYCTL_SEARCH, 294917837, keyring, _krb,
KEY_SPEC_PROCESS_KEYRING) = 780102244
keyctl(KEYCTL_SEARCH, 780102244, user, krb_ccache:primary, 0) = 12049273
keyctl(KEYCTL_READ, 12049273, NULL, 0)  = 10
keyctl(KEYCTL_READ, 12049273, , 10)   = 10
keyctl(KEYCTL_READ, 780102244, NULL, 0) = 12
keyctl(KEYCTL_READ, 780102244, y\333\267, 12) = 12
keyctl(KEYCTL_SEARCH, 780102244, keyring, 0, 0) = 17381009
keyctl(KEYCTL_SEARCH, 17381009, user, __krb5_princ__, 0) = 378086918
keyctl(KEYCTL_READ, 378086918, NULL, 0) = 46
keyctl(KEYCTL_READ, 378086918, , 46)  = 46

Best regards

  Torsten


-- 

  
 Dr. Torsten Harenberg harenb...@physik.uni-wuppertal.de  
 Bergische Universitaet   
 FB C - Physik Tel.: +49 (0)202 439-3521  
 Gaussstr. 20  Fax : +49 (0)202 439-2811  
 42097 Wuppertal  
  
 Of course it runs NetBSD http://www.netbsd.org 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Kerberos hanging approx. once a day

2015-07-28 Thread Rich Megginson


On 07/24/2015 01:20 AM, Torsten Harenberg wrote:

Dear Rich and all,

thanks to everbody! Really thankful for your support.

The situation really approved.

We:

- enlarged the caches for 389ds until the WARNING messages disappeared
in the log files,
- (just to be sure) re-sync'ed firewalld rules between primary and
secondary server.

Now the server was stable, Kerberos and 389ds are still alive and all
clients can still resolve all users. There is only one issue left (see
bottom).


First let us answer that:

Am 23.07.15 um 18:28 schrieb Rich Megginson:


# ldapsearch -xLLL -D cn=directory manager -W -s base -b
dc=uni-wuppertal,dc=de

This search should return immediately.  If it hangs, then the problem is
in slapd, and get a stack trace as before.


[root@ipa httpd]# time ldapsearch -xLLL -D cn=directory manager -W -s
base -b dc=pleiades,dc=uni-wuppertal,dc=de
Enter LDAP Password:
dn: dc=pleiades,dc=uni-wuppertal,dc=de
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: pleiades
info: IPA V2.0
nisDomain: pleiades.uni-wuppertal.de
associatedDomain: pleiades.uni-wuppertal.de


real0m4.559s
user0m0.403s
sys 0m0.057s
[root@ipa httpd]#

Looks okay to us, or?


4 seconds?  That seems way too long.

What does the dirsrv access log look like for this sequence of 
operations?  There will be a connection, a BIND, a SRCH, and an UNBIND.




So.. here is the problem which is left over. When logging in as admin
now through th web page or locally:

[Thu Jul 23 21:43:47.340133 2015] [wsgi:error] [pid 1134] ipa: INFO:
[jsonserver_session] wens...@pleiades.uni-wuppertal.de:
radiusproxy_find(None, version=u'2.114'): SUCCESS
[Thu Jul 23 21:43:48.758849 2015] [wsgi:error] [pid 1133] ipa: INFO:
[jsonserver_session] wens...@pleiades.uni-wuppertal.de: user_find(None,
version=u'2.114'): SUCCESS
[Fri Jul 24 07:20:10.198903 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
Unauthorized: kinit: Clients credentials have been revoked while getting
initial credentials
[Fri Jul 24 07:20:10.198977 2015] [wsgi:error] [pid 1134]
[Fri Jul 24 07:20:18.181715 2015] [wsgi:error] [pid 1133] ipa: INFO: 401
Unauthorized: kinit: Clients credentials have been revoked while getting
initial credentials
[Fri Jul 24 07:20:18.181809 2015] [wsgi:error] [pid 1133]
[Fri Jul 24 07:21:12.919751 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
Unauthorized: kinit: Clients credentials have been revoked while getting
initial credentials
[Fri Jul 24 07:21:12.919878 2015] [wsgi:error] [pid 1134]
[root@ipa httpd]# kinit admin
kinit: Clients credentials have been revoked while getting initial
credentials
[root@ipa httpd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@pleiades.uni-wuppertal.de

Valid starting   Expires  Service principal
07/23/2015 11:44:13  07/24/2015 11:44:08
HTTP/ipa.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
07/23/2015 11:44:11  07/24/2015 11:44:08
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
[root@ipa httpd]#


Hope you have an idea about that one as well :).


I do not, sorry.  Maybe one of our kerberos experts will know.



Thanks

  Marisa and Torsten




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] CA-less replica setup and trouble with cert chain

[Freeipa-users] bind-dynamicdb TKEY update

Re: [Freeipa-users] bind-dynamicdb TKEY update

Re: [Freeipa-users] CA-less replica setup and trouble with cert chain

Re: [Freeipa-users] ipa-replica-prepare error

Re: [Freeipa-users] Kerberos hanging approx. once a day

Re: [Freeipa-users] Kerberos hanging approx. once a day

7 matches

Site Navigation

Mail list logo

Footer information