[Freeipa-users] ipa-replica-prepare failing
While trying to run IPA replica prepare with debug, we see an unexplained failure.

Debug seems to show the process running smoothly, then I see: "Certificate issuance failed".

Looking at previous mail-archives, I see that someone has run into this before, however all permissions on caIPAserviceCert.cfg are correct (the solution for him).

Is there any method to get more details on the failure from ipa-replica-prepare?

Thanks

-- 
<http://www.owneriq.com/>
*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823
c: (206) 724-4549
e: jruy...@owneriq.com
<https://www.linkedin.com/company/owneriq-inc.> <https://www.facebook.com/OwnerIQ> <https://twitter.com/owneriq> <http://www.owneriq.com/blog/>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problems after install 3rd Party Certs
Forgot to add.

After some digging I saw the CA needed to be added to the nssdbs. I've added the CA cert to:

[root@ipa02 ipa02]# certutil -A -d /etc/pki/nssdb -n 'NewCA' -t CT,C,C -a -i fullchain.pem
[root@ipa02 ipa02]# certutil -A -d /etc/httpd/alias -n 'NewCA' -t CT,C,C -a -i fullchain.pem

On Mon, Oct 17, 2016 at 11:32 AM, Joshua Ruybal <jruy...@owneriq.com> wrote:

> Hi,
>
> We've recently tried to change our https web certs for our IPA servers
> following the instructions listed here:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> The web gui is successfully using https now, however we are having several
> other problems.
>
> Enrollment now fails for new hosts, and we're unable to install replicas.
>
> Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> Any advice on this?
>
> ipa-server 3.0.0
> CentOS 6.7
>
> Thanks,
>
> --Josh
[Freeipa-users] Problems after install 3rd Party Certs
Hi,

We've recently tried to change our https web certs for our IPA servers following the instructions listed here:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

The web gui is successfully using https now, however we are having several other problems.

Enrollment now fails for new hosts, and we're unable to install replicas.

Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

Any advice on this?

ipa-server 3.0.0
CentOS 6.7

Thanks,

--Josh
Re: [Freeipa-users] 3rd Party http certs breaking Apache
Can confirm nss.conf has NSSNickname set to Signing-Cert.

I set the nickname of the Root CA issuing the 3rd party Certs to "LetsEncrypt_X1"

On Wed, Oct 12, 2016 at 10:57 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Joshua Ruybal wrote:
>
>> Hi,
>>
>> I'm trying to add 3rd party certs for the webgui and ldap as documented
>> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> I'm able to add the CA cert.
>>
>> Then add the chained cert and key via ipa-server-certinstall tool.
>> However when I try to restart httpd, it fails and I get the following
>> error in the logs.
>>
>> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init: (ipa-test.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
>> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598] NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.
>> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>>
>> I've looked into the key, but everything seems to work as expected.
>>
>> Has anyone seen this before?
>>
>> Environment:
>> IPA VERSION: 4.2.0, API_VERSION: 2.156
>> CentOS 7.2
>
> You set NSSNickname to Signing-Cert? What is the nickname of the cert you
> imported?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
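Both certificate threads above (the SEC_ERROR_UNTRUSTED_ISSUER failure after adding the CA to the NSS databases, and Rob's question about whether the NSSNickname in nss.conf matches the nickname in /etc/httpd/alias) come down to the same check on `certutil -L` output. The script below is an added example written for this archive, not code from the thread or from FreeIPA/mod_nss: it parses a constructed `certutil -L` listing and a constructed nss.conf fragment (the nicknames, paths and trust flags are assumptions in the real column format) and reports whether the configured nickname exists with a private key and whether any CA carries the C trust flag for SSL. `certutil -L` does not show which CA issued which certificate, so the issuer check is only "some CA is trusted", not a chain validation.

```python
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias` output, in the real column
# layout: nickname, then SSL,S/MIME,JAR/XPI trust flags. 'u' = private key present,
# 'C' = trusted CA for that usage, 'T' = trusted to issue client certs.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
LetsEncrypt_X1                                               CT,C,C
IPA.EXAMPLE.COM IPA CA                                       CT,C,C
"""

# Constructed nss.conf fragment whose nickname matches nothing in the database above.
NSS_CONF_WRONG = """\
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSEnforceValidCerts on
"""

# Same fragment pointing at the nickname that actually holds the private key.
NSS_CONF_RIGHT = NSS_CONF_WRONG.replace("NSSNickname Server-Cert", "NSSNickname Signing-Cert")

# One listing row: nickname (may contain single spaces), 2+ spaces, three comma-separated
# flag groups. Header lines never match because they carry no "x,y,z" triple at the end.
_ROW = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust-flag strings from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return certs


def nss_conf_value(conf_text, directive):
    """Value of the first `directive value` line in an nss.conf fragment, or None."""
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == directive:
            return parts[1].strip()
    return None


def ca_trusted_for_ssl(certs, ca_nickname):
    """True if the CA nickname exists and carries the C (trusted CA for SSL) flag."""
    flags = certs.get(ca_nickname)
    return flags is not None and "C" in flags[0]


def check_server_cert(listing_text, conf_text):
    """List the problems that would stop mod_nss from serving the configured certificate."""
    certs = parse_certutil_listing(listing_text)
    nick = nss_conf_value(conf_text, "NSSNickname")
    if nick is None:
        return ["nss.conf has no NSSNickname directive"]
    if nick not in certs:
        return ["NSSNickname '%s' is not in the database; present: %s"
                % (nick, sorted(certs))]
    problems = []
    if "u" not in certs[nick][0]:
        problems.append("'%s' has no private key in this database (trust flags %s)"
                        % (nick, ",".join(certs[nick])))
    # Without a CA trusted for SSL, peers validating against this database report
    # SEC_ERROR_UNTRUSTED_ISSUER even when the server certificate itself is fine.
    if not any("C" in flags[0] for flags in certs.values()):
        problems.append("no CA in the database is trusted for SSL (C flag)")
    return problems


if __name__ == "__main__":
    for label, conf in (("wrong nickname", NSS_CONF_WRONG), ("right nickname", NSS_CONF_RIGHT)):
        print(label + ":", check_server_cert(CERTUTIL_LISTING, conf) or "ok")
```

Run the same `check_server_cert` against a listing captured from /etc/pki/nssdb with a trivial nss.conf naming the host certificate to cover the client-side database that ipa-client-install and ipa-replica-install use.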
[Freeipa-users] 3rd Party http certs breaking Apache
Hi,

I'm trying to add 3rd party certs for the webgui and ldap as documented here:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I'm able to add the CA cert.

Then add the chained cert and key via ipa-server-certinstall tool. However when I try to restart httpd, it fails and I get the following error in the logs.

[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init: (ipa-test.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598] NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

I've looked into the key, but everything seems to work as expected.

Has anyone seen this before?

Environment:
IPA VERSION: 4.2.0, API_VERSION: 2.156
CentOS 7.2

Thanks,

--Josh
Re: [Freeipa-users] DNS Dynamic Update Failing
Thanks for the reply. It makes a bit more sense now.

I'm running FreeIPA 3.0.0 on CentOS 6.7

I followed your advice and was able to use dynamic update once I removed the zone forwarder.

However I've set the global config to "forward only", but I'm still getting local resolution when I use dig from a client server. I'd expect to see the external records instead. I'm not seeing much in the documentation on how to troubleshoot this.

Also I realize we're falling into the realm of a different subject and can start a fresh email chain if needed.

Thanks again,
Josh

On Wed, Feb 3, 2016 at 12:45 AM Martin Basti <mba...@redhat.com> wrote:

> On 03.02.2016 01:47, Joshua Ruybal wrote:
>
> Hi All,
>
> I've run into a frustrating issue regarding DNS Dynamic Updating.
>
> In a nutshell:
>
> If I enroll a new client when the forward policy on a dns zone is set to
> "disabled" I don't have a problem enrolling the client and updating the dns
> record.
>
> However if the policy of the zone is set to "only" or "first", nsupdate
> fails during the client install. Install log says nsupdate: Specified Zone
> 'example.com' does not exist (NXDOMAIN).
>
> I'm seeing this in multiple zones, and all I need to change to fix it is
> to change the forwarding policy. However it's problematic as we start the
> rollout, since we will need to rely on external dns until we have all
> servers enrolled.
>
> Client Install Log Snippet:
>
> 2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2016-02-02T22:53:17Z DEBUG stdout=
> 2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does not exist (NXDOMAIN)
> specified zone 'dev.example.net' does not exist (NXDOMAIN)
>
> Zone Configuration:
>
> [admin@ipa01 ~]$ ipa dnszone-show --all
> Zone name: dev.example.net
>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
>   Zone name: dev.example.net
>   Authoritative nameserver: ipa01
>   Administrator e-mail address: hostmaster.dev.example.net.
>   SOA serial: 1454447236
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
>   Active zone: TRUE
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: none;
>   Zone forwarders: 8.8.8.8
>   Forward policy: only
>   nsrecord: ipa01, ipa02
>   objectclass: top, idnsrecord, idnszone
>
> Any ideas on how to remedy this? I'd like to avoid updating records by
> hand if it can be avoided.
>
> Thanks!
> Josh
>
>
> Hello,
>
> which version of freeIPA do you use?
>
> If the version is older than 4.1, then specifying a forward policy and
> forwarders causes the zone to work as a forward zone, thus you cannot add hosts
> there, because all queries are forwarded to the specified forwarders (8.8.8.8)
> which do not know zone dev.example.com
>
> If the version is 4.1+ then nsupdate should work and it can be a bug. However
> I'm curious why you need forwarding in a master zone, what is the use case?
>
> More details about forwardzones in IPA:
> http://www.freeipa.org/page/V4/Forward_zones
>
> IMO you need to specify a global forwarder to your external DNS server, instead
> of adding per-zone forwarders.
>
> Martin
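Martin's explanation above gives a mechanical rule: on FreeIPA older than 4.1, a master zone that has per-zone forwarders plus a forward policy of "only" or "first" behaves as a forward zone, so nsupdate is sent to the forwarders and gets NXDOMAIN. The script below is an added example written for this archive, not code from the thread or from FreeIPA: it parses the `ipa dnszone-show --all` output posted in the thread (embedded here as a constructed sample, values as posted) and applies that rule for a given IPA version, so the zone configuration can be checked before a client enrollment is attempted. The version string format and the remedy wording are assumptions.

```python
import re

# Constructed sample of `ipa dnszone-show dev.example.net --all`, with the values
# exactly as posted in the thread (the update policy line is reproduced as-is).
DNSZONE_SHOW = """\
  Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
  Authoritative nameserver: ipa01
  Administrator e-mail address: hostmaster.dev.example.net.
  SOA serial: 1454447236
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 8.8.8.8
  Forward policy: only
  nsrecord: ipa01, ipa02
  objectclass: top, idnsrecord, idnszone
"""


def parse_dnszone_show(text):
    """Turn the 'key: value' lines of dnszone-show output into a dict (first colon splits)."""
    zone = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            zone[key.strip()] = value.strip()
    return zone


def version_tuple(version):
    """'3.0.0' -> (3, 0, 0); tolerates package-style suffixes such as '4.2.0-15.el7'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def diagnose_dynamic_update(zone, ipa_version):
    """Return why nsupdate against this zone fails, or None if the zone config is not the cause."""
    if zone.get("Active zone", "").upper() != "TRUE":
        return "zone is not active"
    if zone.get("Dynamic update", "").upper() != "TRUE":
        return "dynamic update is disabled on the zone"
    # Forwarders may be listed comma- or space-separated; drop empty tokens.
    forwarders = [f for f in re.split(r"[,\s]+", zone.get("Zone forwarders", "")) if f]
    policy = zone.get("Forward policy", "none").lower()
    # Pre-4.1 behaviour described in the thread: forwarders + only/first = forward zone,
    # so the update is sent to the forwarders, which answer NXDOMAIN.
    if forwarders and policy in ("only", "first") and version_tuple(ipa_version) < (4, 1):
        return ("IPA %s treats a master zone with forwarders %s and forward policy '%s' as a "
                "forward zone: nsupdate goes to the forwarders, which answer NXDOMAIN. Remove "
                "the per-zone forwarders and configure the forwarder globally instead."
                % (ipa_version, forwarders, policy))
    # On 4.1+ the same configuration is expected to work; a failure there is a bug, not config.
    return None


if __name__ == "__main__":
    zone = parse_dnszone_show(DNSZONE_SHOW)
    for version in ("3.0.0", "4.2.0"):
        print(version, "->", diagnose_dynamic_update(zone, version) or "zone config looks fine")
```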
[Freeipa-users] DNS Dynamic Update Failing
Hi All,

I've run into a frustrating issue regarding DNS Dynamic Updating.

In a nutshell:

If I enroll a new client when the forward policy on a dns zone is set to "disabled" I don't have a problem enrolling the client and updating the dns record.

However if the policy of the zone is set to "only" or "first", nsupdate fails during the client install. Install log says nsupdate: Specified Zone 'example.com' does not exist (NXDOMAIN).

I'm seeing this in multiple zones, and all I need to change to fix it is to change the forwarding policy. However it's problematic as we start the rollout, since we will need to rely on external dns until we have all servers enrolled.

Client Install Log Snippet:

2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2016-02-02T22:53:17Z DEBUG stdout=
2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does not exist (NXDOMAIN)
specified zone 'dev.example.net' does not exist (NXDOMAIN)

Zone Configuration:

[admin@ipa01 ~]$ ipa dnszone-show --all
Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
  Zone name: dev.example.net
  Authoritative nameserver: ipa01
  Administrator e-mail address: hostmaster.dev.example.net.
  SOA serial: 1454447236
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 8.8.8.8
  Forward policy: only
  nsrecord: ipa01, ipa02
  objectclass: top, idnsrecord, idnszone

Any ideas on how to remedy this? I'd like to avoid updating records by hand if it can be avoided.

Thanks!
Josh