Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-02-01 Thread Peter Doherty


On Jan 20, 2011, at 17:32 , Rob Crittenden wrote:


> Yes, that was going to be my next question. While throwing any old
> self-signed cert in there might get the server up other things won't
> work, notably replication.
>
>
> Ok, here are some steps I worked out that I think will get you back
> in business. I'm going to try to renew your 389-ds certificate using
> IPA.
>
>
> First we need to get 389-ds back up and running.
>
> I'm going to use REALM in place of the instance name for your 389-ds
> install.
>
>
> 1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
> 2. Make a backup of your dirsrv NSS database (so /etc/dirsrv/slapd-REALM/*.db)
>
> 2. Edit dse.ldif and set nsslapd-security to off
> 3. Try starting dirsrv: service start dirsrv REALM
> 4. Get a kerberos ticket for admin: kinit admin
> 5. Generate a new CSR for your directory server:
> certutil -R -k 'NSS Certificate DB:Server-Cert' -s 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f /etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr
>
> 6. Get a new certificate:
> ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab
> 7. Paste the value in the output for Certificate into a file. This
> is a base64-encoded blob of text probably starting with MII and
> ending with ==.
>
> 8. Add this new cert to your 389-ds database
> certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
>
> 9. service dirsrv stop REALM
> 10. edit dse.ldif and set nsslapd-security to on
> 11. service dirsrv start REALM
>
> I ran the majority of these steps against my own IPA installation
> and nothing caught on fire. I hope you have equal success.



Rob, any more advice on this?

Step 5 fails, but it works if I remove the NSS Cert part, or if I
use IPA... something or other that I figured out.
But then step 6 fails, I get a No Modification Required result when
I run the command, and nothing I did could get past that.


If I want to start from scratch with the new Beta release, how would I
dump the entire LDAP/KRB database so that I could import it into a new
server?
The Docs mention doing regular backups, but they don't even tell how
to back up the data, whether to back up files (which ones?!) or to dump
the data into a file and back that up.


Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?

Best,
Peter

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-02-01 Thread Simo Sorce
On Tue, 1 Feb 2011 12:38:50 -0500
Peter Doherty dohe...@hkl.hms.harvard.edu wrote:

> If I want to start from scratch with the new Beta release, how would
> I dump the entire LDAP/KRB database so that I could import it into a
> new server?
> The Docs mention doing regular backups, but they don't even tell how
> to back up the data, whether to back up files (which ones?!) or to
> dump the data into a file and back that up.

database dumps + filesystem backups

> Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?

Not easy, and it depends on what you mean by convert.

A simple rpm update will give you issues because we still made minor
changes to the DIT and schema between the 1.9 alpha and the beta.

If you have many keys in your kerberos database I can describe a
procedure that *should* work to dump the keys and reload them in a new
server where you manually/script migrate the users/host/services data
by using the ipa user-add/host-add/service-add commands.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-21 Thread Rob Crittenden

Ian Stokes-Rees wrote:

> Rob,
>
> Thanks for your most recent comments. I'm not sure if I should try these
> *before* or *after* the steps described in the 5:32 EST email.
>
> Ian


I think roll back the time to the 15th, disable SSL in 389-ds and bring 
the servers back up. Then follow the instructions to renew the certificates.


rob



Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-21 Thread Ian Stokes-Rees
Some good news: turning off security has the Directory Server starting
up properly.  If the directory server is only accessible within our
small intranet, can we safely run it without security enabled?  If this
is theoretically possible it looks like the trick will be to change the
IPA config for Apache to allow non SSL access...

Also, is there any scope to dump the current directory contents and
start from scratch?  I feel like I may be near the point where that is
easier.

The main sticking point now is step 5 where certutil -R -k 'NSS
Certificate DB:Server-Cert' ...  fails because the value specified for
the -k argument is invalid (or there is some other problem with the
certificate DB).

More details below.

> Yes, that was going to be my next question. While throwing any old
> self-signed cert in there might get the server up other things won't
> work, notably replication.

I'm having trouble with accessing the certificate DB.  When I try to
connect I'm asked for a password:

# certutil -K -d /etc/dirsrv/slapd-NEBIOGRID-ORG/
certutil: Checking token NSS Certificate DB in slot NSS User Private
Key and Certificate Services
Enter Password or Pin for NSS Certificate DB:

I overwrote the Directory Manager password yesterday with freeipa
but that isn't working for this.

Also, my self signed cert (PKCS12 format) has *two* encryption passwords
(both the same): one to open the PKCS12 file, and one to access the
private key contained within the file (inherited from the PEM file). 
Should I remove the password on the private key PEM file before
generating the PKCS#12 file with the pub/priv key pair?

Or should I just abandon my self signed cert generated by OpenSSL and
persevere with getting one out of FreeIPA?

> Ok, here are some steps I worked out that I think will get you back in
> business. I'm going to try to renew your 389-ds certificate using IPA.
>
> First we need to get 389-ds back up and running.
>
> I'm going to use REALM in place of the instance name for your 389-ds
> install.
>
> 1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
> 2. Make a backup of your dirsrv NSS database (so
> /etc/dirsrv/slapd-REALM/*.db)
> 2. Edit dse.ldif and set nsslapd-security to off
> 3. Try starting dirsrv: service start dirsrv REALM
> 4. Get a kerberos ticket for admin: kinit admin
> 5. Generate a new CSR for your directory server:
> certutil -R -k 'NSS Certificate DB:Server-Cert' -s
> 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f
> /etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr

FAILS - it appears it doesn't know anything about 'NSS Certificate
DB:Server-Cert'

# certutil -R -k 'NSS Certificate DB:Server-Cert' -s
'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-NEBIOGRID-ORG/
-f /etc/dirsrv/slapd-NEBIOGRID-ORG/pwdfile.txt -a > renew.csr
certutil: NSS Certificate DB:Server-Cert is neither a key-type nor a
nickname: security library: bad database.

The DB files and password file all seem to be there, so I'm not sure
what bad database means:

# ls -Fla /etc/dirsrv/slapd-NEBIOGRID-ORG/*.{db,txt}
-rw-------. 1 root   root  65536 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/cert8.db
-rw-------. 1 root   root  16384 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/key3.db
-r--------. 1 dirsrv root     90 Jul 21  2010 /etc/dirsrv/slapd-NEBIOGRID-ORG/pin.txt
-rw-------. 1 dirsrv root     77 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/pwdfile.txt
-rw-------. 1 root   root  16384 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/secmod.db

> 6. Get a new certificate:
> ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab
> 7. Paste the value in the output for Certificate into a file. This is
> a base64-encoded blob of text probably starting with MII and ending
> with ==.

Since I can't get this far, I don't know if this is going to be the
private key or public key, or both (one after the other)

> 8. Add this new cert to your 389-ds database
> certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt

So I tried doing this, but using the full text output of my self-signed
PKCS#12 file with the base64 encoded public and private keys (since I
can't run the certutil or ipa cert-request commands).  It didn't
complain, but I also don't think it exactly worked.  Also, does this
somehow link to the cert used by Apache httpd?

> 9. service dirsrv stop REALM
> 10. edit dse.ldif and set nsslapd-security to on
> 11. service dirsrv start REALM

Can't restart dirsrv after turning nsslapd-security back on.  Similar
errors to before:

/var/log/dirsrv/slapd-NEBIOGRID-ORG/errors

[21/Jan/2011:14:30:53 -0500] - SSL alert: Security Initialization: Can't
find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config
(Netscape Portable Runtime error -8174 - security library: bad database.)
[21/Jan/2011:14:30:53 -0500] - SSL alert: Security Initialization:
Unable to retrieve private key for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad 

[Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Ian Stokes-Rees

Hello,

We have a deployment of IPA that we have been using successfully
for 185 days. We are 3 days past the "half year" mark, and the
self-signed cert that was created with the original IPA install
(FreeIPA v2 alpha) has expired. I have created a new self-signed
cert, PKCS#12 format, but I cannot load it using the command:
  

ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap


When I try this, I am asked for:

Directory Manager password:

And I have no idea what this would be. I've tried the Kerberos
"admin" password (used with "kinit admin"), and the root password.
I don't know what other passwords would work.

Is there some way to force this, or reset it, without starting from
scratch? The added challenge is that the person who setup this
version of FreeIPA went on vacation for 2 weeks, so I have minimal
background with FreeIPA from an admin/install perspective.

TIA,

Ian
-- 
Ian Stokes-Rees, PhD   W: http://hkl.hms.harvard.edu
ijsto...@hkl.hms.harvard.edu   T: +1 617 432-5608 x75
NEBioGrid, Harvard Medical School  C: +1 617 331-5993



Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden

Ian Stokes-Rees wrote:

> Hello,
>
> We have a deployment of IPA that we have been using successfully for 185
> days. We are 3 days past the half year mark, and the self-signed cert
> that was created with the original IPA install (FreeIPA v2 alpha) has
> expired. I have created a new self-signed cert, PKCS#12 format, but I
> cannot load it using the command:
>
> ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
>
>
> When I try this, I am asked for:
>
> Directory Manager password:
>
>
> And I have no idea what this would be. I've tried the Kerberos admin
> password (used with kinit admin), and the root password. I don't know
> what other passwords would work.
>
> Is there some way to force this, or reset it, without starting from
> scratch? The added challenge is that the person who setup this version
> of FreeIPA went on vacation for 2 weeks, so I have minimal background
> with FreeIPA from an admin/install perspective.


Just so I have the full context, where did the original self-signed cert 
come from? The initial cert should have been good for 12 months so I'm a 
little confused. Do you know where the initial certificate came from?


You're running a pretty old build so maybe we didn't have this quite 
working but we use a tool named certmonger to keep the SSL certificates 
valid. It could be that we weren't using certmonger then, or not 
enabling it correctly, I'm not sure. If you want to see, then as root 
run: ipa-getcert list. This will show you the certificates that 
certmonger is monitoring (and I suppose it could be none or you could 
get a DBus error).


Since your infrastructure is probably down because of this here are the 
instructions you need to get going again. I hesitate because I don't 
want to make things worse for you by not understanding the history.


The Directory Manager is essentially the super-user of 389-ds. It gets a 
separate password when IPA is installed. See these instructions for 
resetting it: 
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword


I'm also curious why only the 389-ds cert has expired and not the Apache 
cert (or maybe you haven't noticed it yet). 'certutil -L -d 
/etc/httpd/alias -n Server-Cert' will show you.


rob



Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Ian Stokes-Rees

Some more info:
  
  1. certmonger wasn't running, so I started it. Then I can execute
  "ipa-getcert list" but it doesn't return anything.
  
  2. /var/log/ipa/default.log (the only log file in that dir)
  appears to show the *new* cert being imported successfully (the
  latest timestamps are from about 1000 seconds ago, or less than 20
  minutes):
  
  1295559526.007954 10650 MainThread INFO skipping plugin
  module ipaserver.plugins.selfsign: selfsign is not selected as RA
  plugin, it is dogtag
  1295559526.060926 10650 MainThread INFO Mounting
  ipaserver.rpcserver.xmlserver() at 'xml'
  1295559526.064243 10650 MainThread INFO Mounting
  ipaserver.rpcserver.jsonserver() at 'json'
  1295559528.905495 10650 MainThread INFO
  args=/usr/bin/certutil -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -N -f
  /etc/dirsrv/slapd-NEBIOGRID-ORG//pwdfile.txt
  1295559528.906025 10650 MainThread INFO stdout=
  1295559528.906155 10650 MainThread INFO stderr=
  1295559528.922699 10650 MainThread INFO
  args=/usr/bin/pk12util -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -i
  ldap-selfsigned-to20120120.pkcs12 -k
  /etc/dirsrv/slapd-NEBIOGRID-ORG//pwdfile.txt -w /tmp/tmpglOV1H
  1295559528.923025 10650 MainThread INFO stdout=pk12util:
  PKCS12 IMPORT SUCCESSFUL
  
  1295559528.923120 10650 MainThread INFO stderr=
  1295559528.932131 10650 MainThread INFO
  args=/usr/bin/pk12util -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -l
  ldap-selfsigned-to20120120.pkcs12 -k /tmp/tmpglOV1H -w
  /tmp/tmpglOV1H
  1295559528.932373 10650 MainThread INFO
  stdout=Certificate(has private key):
   Data:
   Version: 3 (0x2)
   Serial Number:
   00:a2:6f:63:17:17:c3:28:60
   Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
   Issuer: "CN=nebio-directory.in.hwlab,O=IPA"
   Validity:
   Not Before: Thu Jan 20 16:46:31 2011
   Not After : Fri Jan 20 16:46:31 2012
   Subject: "CN=nebio-directory.in.hwlab,O=IPA"
  
  3. dirsrv errors has this as its last log entries:
  /var/log/dirsrv/slapd-NEBIOGRID-ORG/errors:
  
  [20/Jan/2011:16:55:22 -0500] - SSL alert: Security Initialization:
  Can't find certificate (Server-Cert) for family
  cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
  -8174 - security library: bad database.)
  [20/Jan/2011:16:55:22 -0500] - SSL alert: Security Initialization:
  Unable to retrieve private key for cert Server-Cert of family
  cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
  -8174 - security library: bad database.)
  [20/Jan/2011:16:55:22 -0500] - SSL failure: None of the cipher are
  valid
  [20/Jan/2011:16:55:22 -0500] - ERROR: SSL Initialization phase 2
  Failed.
  
4. httpd reports lots of errors: /var/log/httpd/error_log

[Thu Jan 20 17:05:43 2011] [notice] SELinux policy enabled; httpd
running as context unconfined_u:system_r:httpd_t:s0
[Thu Jan 20 17:05:43 2011] [notice] suEXEC mechanism enabled
(wrapper: /usr/sbin/suexec)
[Thu Jan 20 17:05:44 2011] [error] Certificate not verified:
'Server-Cert'
[Thu Jan 20 17:05:44 2011] [error] SSL Library Error: -8181
Certificate has expired
[Thu Jan 20 17:05:44 2011] [error] Server certificate is expired:
'Server-Cert'
[Thu Jan 20 17:05:44 2011] [notice] Digest: generating secret for
digest authentication ...
[Thu Jan 20 17:05:44 2011] [notice] Digest: done
[Thu Jan 20 17:05:44 2011] [error] python_init: Python version
mismatch, expected '2.6', found '2.6.4'.
[Thu Jan 20 17:05:44 2011] [error] python_init: Python executable
found '/usr/bin/python'.
[Thu Jan 20 17:05:44 2011] [error] python_init: Python path being
used
'/usr/lib64/python26.zip:/usr/lib64/python2.6/:/usr/lib64/python2.6/plat-linux2:/usr/lib64/python2.6/lib-tk:/usr/lib64/python2.6/lib-old:/usr/lib64/python2.6/lib-dynload'.
[Thu Jan 20 17:05:44 2011] [notice] mod_python: Creating 4 session
mutexes based on 256 max processes and 0 max threads.
[Thu Jan 20 17:05:44 2011] [notice] mod_python: using
mutex_directory /tmp
[Thu Jan 20 17:05:44 2011] [notice] Apache/2.2.16 (Unix) DAV/2
mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.6.2 mod_python/3.3.1
Python/2.6.4 mod_wsgi/3.1 configured -- resuming normal operations
[Thu Jan 20 17:05:44 2011] [error] Certificate not verified:
'Server-Cert'
[Thu Jan 20 17:05:44 2011] [error] SSL Library Error: -8181
Certificate has expired
[Thu Jan 20 17:05:44 2011] [error] Server certificate is expired:
'Server-Cert'
...
[Thu Jan 20 17:05:45 2011] [error] ipa: ERROR: Failed to start IPA:
Unable to retrieve LDAP schema. Error initializing principal
HTTP/nebio-directory.in.hw...@nebiogrid.org in
/etc/httpd/conf/ipa.keytab: (-1765328324, 'Generic error (see
e-text)')

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden

Ian Stokes-Rees wrote:



>> Just so I have the full context, where did the original self-signed
>> cert come from? The initial cert should have been good for 12 months
>> so I'm a little confused. Do you know where the initial certificate
>> came from?


> I have to plead ignorance, since it was our regular sys admin (away on
> vacation for 2 weeks) who installed this summer of 2010.  I'm a user
> stuck with managing the system while he's away.  I assume this cert came
> from the default installation process.  He chimed in with a quick
> comment on our internal ticket, and said he doesn't know any details
> about the cert infrastructure of FreeIPA.



Ouch, you have my sympathies.


>> You're running a pretty old build so maybe we didn't have this quite
>> working but we use a tool named certmonger to keep the SSL
>> certificates valid. It could be that we weren't using certmonger then,
>> or not enabling it correctly, I'm not sure. If you want to see, then as
>> root run: ipa-getcert list. This will show you the certificates that
>> certmonger is monitoring (and I suppose it could be none or you could
>> get a DBus error).


> Probably not running it:
>
> # ipa-getcert list
> Error org.freedesktop.DBus.Error.ServiceUnknown: The name
> org.fedorahosted.certmonger was not provided by any .service files



Ok, that's fine. Maybe we can use it once you get up and running again, 
but first things first.




>> Since your infrastructure is probably down because of this here are
>> the instructions you need to get going again. I hesitate because I
>> don't want to make things worse for you by not understanding the history.
>>
>> The Directory Manager is essentially the super-user of 389-ds. It gets
>> a separate password when IPA is installed. See these instructions for
>> resetting it:
>> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword


> Seemed straightforward, but it hasn't worked.  After changing the
> password in the dse.ldif file I can't restart dirsrv successfully: our
> instance won't restart, but the PKI-IPA one will restart just fine.  In
> either case, I can't execute the ipa-server-certinstall, as I get an error:
>
> # ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12
> --dirsrv_pin=ldap
> Directory Manager password:
> an unexpected error occurred: Can't contact LDAP server:
> [stacktrace]
> DatabaseError: Can't contact LDAP server:


/me smacks head

Ok, of course you can't contact the LDAP server because it isn't up 
because the cert is expired!



> Also, I should reiterate that the PKCS#12 file is *self signed*, but I
> notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA
> -- perhaps my cert needs to be signed by this CA?


Yes, that was going to be my next question. While throwing any old 
self-signed cert in there might get the server up other things won't 
work, notably replication.


Ok, here are some steps I worked out that I think will get you back in 
business. I'm going to try to renew your 389-ds certificate using IPA.


First we need to get 389-ds back up and running.

I'm going to use REALM in place of the instance name for your 389-ds 
install.


1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
2. Make a backup of your dirsrv NSS database (so 
/etc/dirsrv/slapd-REALM/*.db)

2. Edit dse.ldif and set nsslapd-security to off
3. Try starting dirsrv: service start dirsrv REALM
4. Get a kerberos ticket for admin: kinit admin
5. Generate a new CSR for your directory server:
certutil -R -k 'NSS Certificate DB:Server-Cert' -s 
'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f 
/etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr

6. Get a new certificate:
ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab 
7. Paste the value in the output for Certificate into a file. This is a 
base64-encoded blob of text probably starting with MII and ending with ==.

8. Add this new cert to your 389-ds database
certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
9. service dirsrv stop REALM
10. edit dse.ldif and set nsslapd-security to on
11. service dirsrv start REALM

I ran the majority of these steps against my own IPA installation and 
nothing caught on fire. I hope you have equal success.





>> I'm also curious why only the 389-ds cert has expired and not the
>> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d
>> /etc/httpd/alias -n Server-Cert' will show you.


> Here you can see the expired cert and the 6 month lifespan:
>
> # certutil -L -d /etc/httpd/alias -n Server-Cert
> Certificate:
>  Data:
>  Version: 3 (0x2)
>  Serial Number: 9 (0x9)
>  Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>  Issuer: CN=Certificate Authority,O=IPA
>  Validity:
>  Not Before: Wed Jul 21 18:13:52 2010
>  Not After : Mon Jan 17 18:13:52 2011
>  Subject: CN=nebio-directory.in.hwlab,O=IPA



Wow, not sure why it would do a 6 month cert but seeing is believing.

regards

rob

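Two of the steps in Rob's recovery procedure above are the ones people usually fumble by hand: flipping nsslapd-security in dse.ldif (steps 2 and 10, after the backups in steps 1 and 2) and turning the pasted Certificate value from ipa cert-request into something certutil -A -a will import (step 7). The following is an added example, not code from this thread or from the FreeIPA project. It assumes the attribute appears in dse.ldif as a single `nsslapd-security: on|off` line and that ipa cert-request prints the issued certificate on a line starting with `Certificate:` followed by the base64 blob; the sample dse.ldif and the base64 value are constructed, and the certutil/ipa commands themselves stay in the shell exactly as in the steps.

```python
"""Helpers for the 389-ds certificate recovery steps described in the thread.

Added example, not FreeIPA project code.  Assumptions: dse.ldif carries the
attribute as one `nsslapd-security: on|off` line, and `ipa cert-request`
prints the issued certificate on a line starting `Certificate:` followed by
the base64 DER blob (the "MII...==" text Rob refers to).  The certutil and
ipa commands themselves stay in the shell, as in the steps above.
"""
import base64
import re
import shutil
import tempfile
import textwrap
import time
from pathlib import Path

# [ \t]* rather than \s* so the match can never swallow the newline and the
# attribute on the following line.
_SECURITY_RE = re.compile(r"^(nsslapd-security:[ \t]*)(on|off)[ \t]*$", re.MULTILINE)


def set_security(dse_text: str, enabled: bool) -> str:
    """Return dse.ldif text with nsslapd-security forced to 'on' or 'off'.

    Refuses to guess when the attribute is missing or duplicated, so a
    malformed file is reported rather than silently left unchanged.
    """
    hits = _SECURITY_RE.findall(dse_text)
    if len(hits) != 1:
        raise ValueError(f"expected one nsslapd-security attribute, found {len(hits)}")
    value = "on" if enabled else "off"
    return _SECURITY_RE.sub(lambda m: m.group(1) + value, dse_text)


def set_security_file(dse_path: Path, enabled: bool) -> Path:
    """Steps 1, 2 and 10: copy dse.ldif aside, then rewrite it in place.
    Returns the backup path so the caller can roll back."""
    stamp = int(time.time())
    backup = dse_path.with_name(f"{dse_path.name}.bak-{stamp}")
    n = 0
    while backup.exists():                   # never clobber an earlier backup
        n += 1
        backup = dse_path.with_name(f"{dse_path.name}.bak-{stamp}.{n}")
    shutil.copy2(dse_path, backup)           # copy2 keeps mode and timestamps
    dse_path.write_text(set_security(dse_path.read_text(), enabled))
    return backup


def cert_request_to_pem(ipa_output: str) -> str:
    """Step 7: take the base64 blob after 'Certificate:' in `ipa cert-request`
    output and wrap it as PEM, which `certutil -A -a` accepts."""
    for line in ipa_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Certificate":
            blob = "".join(value.split())    # tolerate whitespace from a wrapped paste
            break
    else:
        raise ValueError("no 'Certificate:' line in ipa cert-request output")
    base64.b64decode(blob, validate=True)    # fail early on a mangled paste
    body = "\n".join(textwrap.wrap(blob, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs; not real files or output from the thread.
SAMPLE_DSE = (
    "dn: cn=config\n"
    "cn: config\n"
    "nsslapd-security: on\n"
    "nsslapd-port: 389\n"
    "nsslapd-secureport: 636\n"
)
FAKE_DER = b"placeholder bytes, not a real DER certificate " * 4
FAKE_BLOB = base64.b64encode(FAKE_DER).decode()
SAMPLE_IPA_OUTPUT = (
    f"  Certificate: {FAKE_BLOB}\n"
    "  Subject: CN=nebio-directory.in.hwlab,O=IPA\n"
    "  Issuer: CN=Certificate Authority,O=IPA\n"
    "  Serial number: 10\n"
)


def demo() -> dict:
    """Run the file-level steps against a scratch copy of SAMPLE_DSE."""
    with tempfile.TemporaryDirectory() as tmp:
        dse = Path(tmp) / "dse.ldif"
        dse.write_text(SAMPLE_DSE)
        backup = set_security_file(dse, enabled=False)   # step 2: security off
        result = {
            "backup_intact": backup.read_text() == SAMPLE_DSE,
            "off": "nsslapd-security: off" in dse.read_text(),
        }
        set_security_file(dse, enabled=True)             # step 10: back on
        result["on"] = "nsslapd-security: on" in dse.read_text()
        result["pem"] = cert_request_to_pem(SAMPLE_IPA_OUTPUT)
        return result


if __name__ == "__main__":
    print(demo()["pem"])
```

Against a real server, point set_security_file at /etc/dirsrv/slapd-REALM/dse.ldif while dirsrv is stopped (389-ds rewrites dse.ldif on shutdown, so an edit made while it runs can be lost), and write the string from cert_request_to_pem to cert.txt for step 8. The backup returned is what you restore if the renewed certificate turns out not to match the key in the NSS database.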

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden

Ian Stokes-Rees wrote:

> Some more info:
>
> 1. certmonger wasn't running, so I started it. Then I can execute
> ipa-getcert list but it doesn't return anything.


Ok, your install must have pre-dated our implementation of it.


> 2. /var/log/ipa/default.log (the only log file in that dir) appears to
> show the *new* cert being imported successfully (the latest timestamps
> are from about 1000 seconds ago, or less than 20 minutes):


As one might expect the Apache cert has also expired. Apache needs a 
valid cert and needs to contact 389-ds to start IPA.



> 3. dirsrv errors has this as its last log entries:
> /var/log/dirsrv/slapd-NEBIOGRID-ORG/errors:


It doesn't seem to like the self-signed cert you installed.

The key used to initially generate the 389-ds certificate should still 
be in your NSS database, certutil -K -d /etc/dirsrv/slapd-REALM should 
have it. We should be able to use that to get things working again.


I think the fastest way to get back up would be to set your system clock 
back to Jan 15. Disable security in 389-ds and start that, then restart 
Apache. This should be enough to get part of your infrastructure back up 
and running long enough to renew the certs.


Once you renew the 389-ds certificate and get that working you can do 
pretty much the same thing to Apache. The Apache NSS database is in 
/etc/httpd/alias. You won't need to disable security for this at all.


Otherwise we may have to set up a sort of temporary CA, issue new 
certificates for Apache and 389-ds to get them back up and running, then 
renew things.


If you try going back in time don't forget to reset the date. You'll 
have to stop ntpd when going back in time.


rob

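Rob's suggestion to wind the clock back to Jan 15 works only because the expired certificate's Not After (Mon Jan 17 18:13:52 2011 for the Apache Server-Cert listed earlier in the thread) is later than that date; it is also worth knowing, before the clock goes back, which certs are self-signed, since Rob warns those will break replication. The following added example, which is not code from the thread, from FreeIPA or from certmonger, parses the `certutil -L` and `pk12util -l` listings quoted in this thread, reports validity at a given moment and days remaining, and flags Issuer == Subject. It assumes the tools print dates in server local time with no zone (so comparisons are naive datetimes) and that Subject/Issuer may or may not be double-quoted, as the two listings show; the sample listings are transcribed from the thread.

```python
"""Validity and self-signature checks over `certutil -L -d DIR -n NICK` or
`pk12util -l` listings.

Added example, not code from the thread, FreeIPA or certmonger.  Assumes
the tools print `Not Before`/`Not After` as `%a %b %d %H:%M:%S %Y` in server
local time with no zone, so everything here is a naive local datetime, and
that Subject/Issuer may or may not be double-quoted (both forms appear in
the thread).
"""
from datetime import datetime

_DATE_FMT = "%a %b %d %H:%M:%S %Y"
_WANTED = ("Not Before", "Not After", "Issuer", "Subject")


def _fields(listing: str) -> dict:
    """Collect the four fields we need.  Split on the first colon only, so a
    DN value such as CN=...,O=IPA is kept whole; 'Not After :' (with the
    space certutil prints) normalises to 'Not After'."""
    out = {}
    for line in listing.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in _WANTED and key not in out:
            out[key] = value.strip().strip('"')
    missing = [k for k in _WANTED if k not in out]
    if missing:
        raise ValueError(f"listing lacks {missing}")
    return out


def _as_dt(when) -> datetime:
    """Accept a datetime or an ISO-8601 string such as '2011-01-15T12:00:00'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def parse_validity(listing: str) -> tuple:
    f = _fields(listing)
    return (datetime.strptime(f["Not Before"], _DATE_FMT),
            datetime.strptime(f["Not After"], _DATE_FMT))


def status_at(listing: str, when) -> str:
    """'valid', 'expired' or 'not_yet_valid' as of `when` (server local time)."""
    when = _as_dt(when)
    not_before, not_after = parse_validity(listing)
    if when < not_before:
        return "not_yet_valid"
    if when > not_after:
        return "expired"
    return "valid"


def days_remaining(listing: str, when) -> int:
    """Whole days until Not After; negative once the certificate has expired."""
    return (parse_validity(listing)[1] - _as_dt(when)).days


def is_self_signed(listing: str) -> bool:
    """Issuer == Subject.  An IPA-issued cert has Issuer CN=Certificate Authority,O=IPA."""
    f = _fields(listing)
    return f["Issuer"] == f["Subject"]


def report(listing: str, when, warn_days: int = 28) -> dict:
    """One-shot summary, the check a cron job would run where certmonger is absent."""
    remaining = days_remaining(listing, when)
    return {
        "status": status_at(listing, when),
        "days_remaining": remaining,
        "needs_renewal": remaining < warn_days,
        "self_signed": is_self_signed(listing),
    }


# Sample listings transcribed from the thread: the expired Apache Server-Cert
# and the self-signed replacement Ian imported.
HTTPD_SERVER_CERT = """\
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 9 (0x9)
 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
 Issuer: CN=Certificate Authority,O=IPA
 Validity:
 Not Before: Wed Jul 21 18:13:52 2010
 Not After : Mon Jan 17 18:13:52 2011
 Subject: CN=nebio-directory.in.hwlab,O=IPA
"""

SELF_SIGNED_CERT = """\
Certificate(has private key):
 Data:
 Version: 3 (0x2)
 Serial Number:
 00:a2:6f:63:17:17:c3:28:60
 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
 Issuer: "CN=nebio-directory.in.hwlab,O=IPA"
 Validity:
 Not Before: Thu Jan 20 16:46:31 2011
 Not After : Fri Jan 20 16:46:31 2012
 Subject: "CN=nebio-directory.in.hwlab,O=IPA"
"""

if __name__ == "__main__":
    for name, listing in (("httpd Server-Cert", HTTPD_SERVER_CERT),
                          ("self-signed import", SELF_SIGNED_CERT)):
        print(name, report(listing, "2011-01-20T17:05:44"))
        print(name, "after clock rollback:", status_at(listing, "2011-01-15T12:00:00"))
```

On a live host, feed it `certutil -L -d /etc/httpd/alias -n Server-Cert` and the same for /etc/dirsrv/slapd-REALM, and run it with the real current time; a warn_days of 28 gives enough lead to renew through ipa cert-request before the server refuses to start, which is the situation this thread is recovering from.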