Re: [Freeipa-users] How to remove bad cert renewal from certmonger?

2016-04-25 Thread Tikkanen, Tuomo (Nokia - FI/Espoo)

On 23.4.2016 1:23, EXT Rob Crittenden wrote:

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:



Repetitio est mater studiorum:

How can I clean this defective state of certmonger?


# ipa-getcert stop-tracking -i 20160212110456



Ah! That was obvious! Thanks a lot Rob.



Second question if/when the above urgent problem is solved:

Is there any way to get an IP address into the SAN field for the IPA Server-Certs?


Not without changing code. IP address SANs are explicitly forbidden:
Subject alt name type IP Address is forbidden

rob


Is there any true reason why IP Address is forbidden by certmonger / 
freeipa? Or is it just "not implemented" kind of restriction?


--
tuomo.tikka...@nokia.com

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] How to remove bad cert renewal from certmonger?

2016-04-25 Thread Alexander Bokovoy

On Mon, 25 Apr 2016, Rob Crittenden wrote:

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:

On 23.4.2016 1:23, EXT Rob Crittenden wrote:

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:



Repetitio est mater studiorum:

How can I clean this defective state of certmonger?


# ipa-getcert stop-tracking -i 20160212110456



Ah! That was obvious! Thanks a lot Rob.



Second question if/when the above urgent problem is solved:

Is there any way to get an IP address into the SAN field for the IPA
Server-Certs?


Not without changing code. IP address SANs are explicitly forbidden:
Subject alt name type IP Address is forbidden

rob


Is there any true reason why IP Address is forbidden by certmonger /
freeipa? Or is it just "not implemented" kind of restriction?



It is denied by IPA, not certmonger.

IP addresses are frowned upon in certs in general and they are denied 
by IPA because the access control would be really difficult. Today a 
host must be granted access to issue certs with additional names in 
it.


You can open an RFE for this on the IPA trac if you really need it.

I'm not deeply familiar with the new profile support so perhaps it is 
possible to do this using the latest version of IPA, I'm not sure.

Correct and no, it is not right now.


A certificate profile defines what the CA considers possible to grant when
issuing a cert. The CA doesn't have contextual logic -- that would be
provided by an agent approving the cert. The IPA framework is sitting in
front of the CA to put the context in place and could be considered such an
agent, so we have logic to cross-check the request for fields that would
conflict with IPA access controls.

As it happens now, the IPA framework disallows IP addresses. Adding support
for that would need proper logic in place to decide which address spaces
a requesting party is allowed to manage -- a host in your case, as
certmonger asks for the cert on behalf of the host. We don't have any
system in place for that.


--
/ Alexander Bokovoy
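The cross-check Alexander describes, as an added illustration in Python (not FreeIPA's own CSR-processing code): a request-side policy that refuses the "IP Address" SAN type outright and accepts dNSName entries only for names the requesting host principal is recorded as managing. The principal names, the allowed-names table and the request tuples are constructed for the example; FreeIPA's real logic lives in its certificate request processing and is not reproduced here.

```python
"""
Added example, not FreeIPA code: a simplified pre-issuance check of the kind
an approving agent in front of the CA performs.

Assumptions (constructed): a request is a list of (san_type, value) tuples,
and each host principal may request exactly the DNS names recorded for it in
ALLOWED_NAMES.
"""
from ipaddress import ip_address

# Constructed policy table: additional DNS names each host may request.
ALLOWED_NAMES = {
    "host/ipa.my.lan@MY.LAN": {"ipa.my.lan", "gitserver.my.lan"},
    "host/web1.my.lan@MY.LAN": {"web1.my.lan"},
}

# Refused regardless of who asks: there is no access-control model for address space.
FORBIDDEN_TYPES = {"IP Address"}


def check_san_request(principal, sans):
    """Return (ok, reasons); ok is True only when every SAN entry is acceptable."""
    reasons = []
    allowed = ALLOWED_NAMES.get(principal, set())
    for san_type, value in sans:
        if san_type in FORBIDDEN_TYPES:
            reasons.append(f"Subject alt name type {san_type} is forbidden")
            continue
        if san_type == "DNS name":
            # Defence in depth: an IP literal smuggled in as a dNSName.
            try:
                ip_address(value)
            except ValueError:
                pass  # a real DNS name, continue with the name check
            else:
                reasons.append(
                    f"Subject alt name type IP Address is forbidden ({value})")
                continue
            if value.lower() not in allowed:
                reasons.append(f"{principal} may not request DNS name {value}")
            continue
        reasons.append(f"Unsupported SAN type {san_type}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = check_san_request("host/ipa.my.lan@MY.LAN",
                                [("DNS name", "gitserver.my.lan"),
                                 ("IP Address", "192.0.2.10")])
    print(ok, why)
```

The decision is deliberately name-based: a host is granted names, and the checker never has to reason about which network ranges a host may claim, which is exactly the gap the reply points at.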



Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-04-25 Thread Rob Crittenden

John Obaterspok wrote:


2016-02-11 1:34 GMT+01:00 Fraser Tweedale >:

On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
 > 2016-02-06 23:29 GMT+01:00 Rob Crittenden >:
 >
 > > John Obaterspok wrote:
 > >
 > >> Hi,
 > >>
 > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to
ipa.my.lan
 > >>
 > >> I recently started to get nss error "SSL peer has no
certificate for the
 > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
 > >>
 > >> Previously this worked fine if I had set "git config --global
 > >> http.sslVerify false" according to
 > >>
https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
 > >>
 > >> Now I tried to solve this by adding a SubjectAltName to the
 > >> HTTP/ipa.my.lan certificate like this:
 > >>
 > >> status: MONITORING
 > >> stuck: no
 > >> key pair storage:
 > >>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 > >> certificate:
 > >>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > >> Certificate DB'
 > >> CA: IPA
 > >> issuer: CN=Certificate Authority,O=MY.LAN
 > >> subject: CN=ipa.my.lan,O=MY.LAN
 > >> expires: 2018-02-06 19:24:52 UTC
 > >> dns: gitserver.my.lan,ipa.my.lan
 > >> principal name: http/ipa.my@my.lan
 > >> key usage:
 > >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 > >> eku: id-kp-serverAuth,id-kp-clientAuth
 > >> pre-save command:
 > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 > >> track: yes
 > >> auto-renew: yes
 > >>
 > >> But I still get the below error:
 > >>
 > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
 > >> * SSL peer has no certificate for the requested DNS name
 > >>
 > >
 > > What version of mod_nss? It recently added support for SNI. You
can try
 > > turning it off by adding NSSSNI off to
/etc/httpd/conf.d/nss.conf but I'd
 > > imagine you were already relying on it.
 > >
 > >
 > Hi,
 >
 > Turning it off didn't help
 >
 > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
 > I noticed it worked if I set "ServerName gitserver.my.lan" in
 > gitserver.conf, but then I got the NAME ALERT when accessing
ipa.my.lan.
 >
 > I then tried to put ipa.conf in  but then I
got error
 > about SSL_ERROR_RX_RECORD_TOO_LONG
 >
 > gitserver.conf has this:
 >
 > 
 > DocumentRoot /opt/wwwgit
 > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
 > SetEnv GIT_HTTP_EXPORT_ALL
 > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
 > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
 >
 > ServerName gitserver.my.lan
 >
 >   
 >   Options Indexes
 >   AllowOverride None
 >   Require all granted
 >  
 >
 >  
 >   Options Indexes
 >   AllowOverride None
 >   Require all granted
 >  
 >
 > 
 >   #SSLRequireSSL
 >   AuthType Kerberos
 >   AuthName "Kerberos Login"
 >   KrbAuthRealm MY.LAN
 >   Krb5KeyTab /etc/httpd/conf/ipa.keytab
 >   KrbMethodNegotiate on
 >   KrbMethodK5Passwd off # Set to on to query for pwd if
negotiation
 > failed due to no ticket available
 >   KrbSaveCredentials on
 >   KrbVerifyKDC on
 >   KrbServiceName HTTP/ipa.my@my.lan
 >
 >   AuthLDAPUrl
ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
 >   AuthLDAPBindDN
"uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
 >   AuthLDAPBindPassword "secret123abc"
 >   Require ldap-group
cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
 >  
 >
 > 
 >
 >
 > Any more ideas what I do wrong?

It was suggested that this may be due to the certificate not being
compliant with RFC 2818.  This is likely true, but I think it is not
likely to be the problem.  You can use `openssl s_client` to confirm
what certificate the server is sending:

 openssl s_client -showcerts \
 -servername gitserver.my.lan -connect gitserver.my.lan:443

This will dump the certificates (in PEM format), which you can copy
to a file and examine with `openssl x509 -text < cert.pem`.

Feel free to reply with the output; I am happy to have a closer
look.

Hi Fraser,

*cough*, I didn't see this until now :)

Anyway,

[admin@ipa ~]$ openssl s_client -showcerts -servername 

Re: [Freeipa-users] How to remove bad cert renewal from certmonger?

2016-04-25 Thread Rob Crittenden

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:

On 23.4.2016 1:23, EXT Rob Crittenden wrote:

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:



Repetitio est mater studiorum:

How can I clean this defective state of certmonger?


# ipa-getcert stop-tracking -i 20160212110456



Ah! That was obvious! Thanks a lot Rob.



Second question if/when the above urgent problem is solved:

Is there any way to get an IP address into the SAN field for the IPA
Server-Certs?


Not without changing code. IP address SANs are explicitly forbidden:
Subject alt name type IP Address is forbidden

rob


Is there any true reason why IP Address is forbidden by certmonger /
freeipa? Or is it just "not implemented" kind of restriction?



It is denied by IPA, not certmonger.

IP addresses are frowned upon in certs in general and they are denied by 
IPA because the access control would be really difficult. Today a host 
must be granted access to issue certs with additional names in it.


You can open an RFE for this on the IPA trac if you really need it.

I'm not deeply familiar with the new profile support so perhaps it is 
possible to do this using the latest version of IPA, I'm not sure.


rob



Re: [Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0

2016-04-25 Thread Anthony Cheng
So I went ahead and ran the migrate-ds command; I ran into the issue that was
described here:
https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html when
trying to change the password.

I re-ran the migrate-ds option, but I actually don't see the user accounts
being migrated at all when I run "ipa user-show user_name --all".

I suppose a manual option/script is the only option at this point?

Anthony

On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng 
wrote:

> Hi list,
>
> Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
> v4.2.0; I have set up the new IPA instances and I am looking at migrating the
> data.
>
> Based on the section under 'Migrating from other FreeIPA to FreeIPA' here (
> http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
> it is suggested to run the following sample command:
>
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test
>
> My questions are:
> 1) Will this work as my new domain has changed (so realm is different)
> 2) Will this work for migration from 3.0.0 to 4.2.0?
> 3) Is this command safe to run from a production box?
> 4) If it fails or is not safe to run, what is the alternative/process?
> (details would be appreciated)
>
> Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
> ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
> instance, selecting the records to be migrated, updating the attributes in
> batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."
>
> I have some idea how to do LDIF import/export but is this process
> documented anywhere (on the freeipa.org)?
>
> Thanks, Anthony
> --
>
> Thanks, Anthony
>
-- 

Thanks, Anthony

[Freeipa-users] Migrate FreeIPA data from v2.0. to v4.2.0

2016-04-25 Thread Anthony Cheng
Hi list,

Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
v4.2.0; I have set up the new IPA instances and I am looking at migrating the
data.

Based on the section under 'Migrating from other FreeIPA to FreeIPA' here (
http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
it is suggested to run the following sample command:

echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
--user-ignore-objectclass=mepOriginEntry --with-compat
ldap://migrated.freeipa.server.test

My questions are:
1) Will this work as my new domain has changed (so realm is different)
2) Will this work for migration from 3.0.0 to 4.2.0?
3) Is this command safe to run from a production box?
4) If it fails or is not safe to run, what is the alternative/process?
(details would be appreciated)

Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
...) have to be migrated manually, by exporting the LDIF from old FreeIPA
instance, selecting the records to be migrated, updating the attributes in
batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."

I have some idea how to do LDIF import/export but is this process
documented anywhere (on the freeipa.org)?

Thanks, Anthony
-- 

Thanks, Anthony
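For the manual step the quoted wiki passage describes ("updating the attributes in batch (e.g. new realm)"), here is an added Python helper that is neither FreeIPA's migrate-ds nor any documented FreeIPA procedure: it parses an LDIF export, rewrites the directory suffix in DNs and DN-valued attributes, and rewrites the realm part of krbPrincipalName values. The suffixes, realms, the list of DN-valued attributes and the sample LDIF are constructed for the example; check that attribute list against your own export before importing the result.

```python
"""
Added example, not FreeIPA code: batch-rewrite an LDIF export for a new
directory suffix and Kerberos realm. All names below are constructed.
"""
import base64

# Constructed list of attributes whose values are DNs and so carry the suffix.
DN_ATTRS = {"dn", "member", "memberof", "manager", "managedby",
            "memberuser", "memberhost"}


def parse_ldif(text):
    """Return a list of entries, each a list of (attr, value) pairs.
    Handles folded lines (leading space) and base64 ('::') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.append((attr, value))
    if current:
        entries.append(current)
    return entries


def rewrite_entry(entry, old_suffix, new_suffix, old_realm, new_realm):
    """Swap the suffix on DN-valued attributes and the realm on principals."""
    out = []
    for attr, value in entry:
        a = attr.lower()
        if a in DN_ATTRS and value.lower().endswith(old_suffix.lower()):
            value = value[: len(value) - len(old_suffix)] + new_suffix
        elif a == "krbprincipalname" and value.upper().endswith("@" + old_realm.upper()):
            value = value[: value.rfind("@") + 1] + new_realm
        out.append((attr, value))
    return out


def _emit(attr, value):
    # LDIF requires base64 for values that are non-ASCII or start/end unsafely.
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(entries):
    return "\n\n".join("\n".join(_emit(a, v) for a, v in e) for e in entries) + "\n"


def migrate_ldif(text, old_suffix, new_suffix, old_realm, new_realm):
    entries = [rewrite_entry(e, old_suffix, new_suffix, old_realm, new_realm)
               for e in parse_ldif(text)]
    return to_ldif(entries)


# Constructed sample export: one user and one group, with a folded DN line
# and a base64 attribute, to exercise both parser paths.
SAMPLE = """\
dn: uid=alice,cn=users,cn=accounts,dc=old,dc=example
objectClass: person
uid: alice
krbPrincipalName: alice@OLD.EXAMPLE
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=old,dc=example
description:: QWxpY2UgKHRlc3Qp

dn: cn=ipausers,cn=groups,cn=accounts,dc=old,dc=example
objectClass: groupOfNames
cn: ipausers
member: uid=alice,cn=users,cn=accounts,dc=old,
 dc=example
"""

if __name__ == "__main__":
    print(migrate_ldif(SAMPLE, "dc=old,dc=example", "dc=new,dc=example",
                       "OLD.EXAMPLE", "NEW.EXAMPLE"))
```

Run it over an `ldapsearch`/`db2ldif` export, diff the output against the input, and only then feed the cleaned LDIF to the new server; operational attributes and Kerberos key material are not something this rewrite can carry over.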

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-04-25 Thread John Obaterspok
Thanks Rob!

I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server
and it works like a charm.

Thanks,

   john

2016-04-25 16:47 GMT+02:00 Rob Crittenden :

> John Obaterspok wrote:
>
>>
>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale > >:
>>
>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>>  > 2016-02-06 23:29 GMT+01:00 Rob Crittenden > >:
>>
>>  >
>>  > > John Obaterspok wrote:
>>  > >
>>  > >> Hi,
>>  > >>
>>  > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to
>> ipa.my.lan
>>  > >>
>>  > >> I recently started to get nss error "SSL peer has no
>> certificate for the
>>  > >> requested DNS name." when I'm accessing my
>> https://gitserver.my.lan
>>  > >>
>>  > >> Previously this worked fine if I had set "git config --global
>>  > >> http.sslVerify false" according to
>>  > >>
>>
>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>  > >>
>>  > >> Now I tried to solve this by adding a SubjectAltName to the
>>  > >> HTTP/ipa.my.lan certificate like this:
>>  > >>
>>  > >> status: MONITORING
>>  > >> stuck: no
>>  > >> key pair storage:
>>  > >>
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>  > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>  > >> certificate:
>>  > >>
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>  > >> Certificate DB'
>>  > >> CA: IPA
>>  > >> issuer: CN=Certificate Authority,O=MY.LAN
>>  > >> subject: CN=ipa.my.lan,O=MY.LAN
>>  > >> expires: 2018-02-06 19:24:52 UTC
>>  > >> dns: gitserver.my.lan,ipa.my.lan
>>  > >> principal name: http/ipa.my@my.lan
>>  > >> key usage:
>>  > >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>  > >> eku: id-kp-serverAuth,id-kp-clientAuth
>>  > >> pre-save command:
>>  > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>  > >> track: yes
>>  > >> auto-renew: yes
>>  > >>
>>  > >> But I still get the below error:
>>  > >>
>>  > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>>  > >> * SSL peer has no certificate for the requested DNS name
>>  > >>
>>  > >
>>  > > What version of mod_nss? It recently added support for SNI. You
>> can try
>>  > > turning it off by adding NSSSNI off to
>> /etc/httpd/conf.d/nss.conf but I'd
>>  > > imagine you were already relying on it.
>>  > >
>>  > >
>>  > Hi,
>>  >
>>  > Turning it off didn't help
>>  >
>>  > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>>  > I noticed it worked if I set "ServerName gitserver.my.lan" in
>>  > gitserver.conf, but then I got the NAME ALERT when accessing
>> ipa.my.lan.
>>  >
>>  > I then tried to put ipa.conf in  but then I
>> got error
>>  > about SSL_ERROR_RX_RECORD_TOO_LONG
>>  >
>>  > gitserver.conf has this:
>>  >
>>  > 
>>  > DocumentRoot /opt/wwwgit
>>  > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>>  > SetEnv GIT_HTTP_EXPORT_ALL
>>  > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>>  > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>>  >
>>  > ServerName gitserver.my.lan
>>  >
>>  >   
>>  >   Options Indexes
>>  >   AllowOverride None
>>  >   Require all granted
>>  >  
>>  >
>>  >  
>>  >   Options Indexes
>>  >   AllowOverride None
>>  >   Require all granted
>>  >  
>>  >
>>  > 
>>  >   #SSLRequireSSL
>>  >   AuthType Kerberos
>>  >   AuthName "Kerberos Login"
>>  >   KrbAuthRealm MY.LAN
>>  >   Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>  >   KrbMethodNegotiate on
>>  >   KrbMethodK5Passwd off # Set to on to query for pwd if
>> negotiation
>>  > failed due to no ticket available
>>  >   KrbSaveCredentials on
>>  >   KrbVerifyKDC on
>>  >   KrbServiceName HTTP/ipa.my@my.lan
>>  >
>>  >   AuthLDAPUrl
>> ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
>>  >   AuthLDAPBindDN
>> "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
>>  >   AuthLDAPBindPassword "secret123abc"
>>  >   Require ldap-group
>> cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>>  >  
>>  >
>>  > 
>>  >
>>  >
>>  > Any more ideas what I do wrong?
>>
>> It was suggested that this may be due to the certificate not being
>> compliant with RFC 2818.  This is likely true, 

[Freeipa-users] Add CA server AFTER install?

2016-04-25 Thread Zak Wolfinger
Not having much luck with the docs / Google.  Is there a way to add the CA 
server role to a FreeIPA installation if it wasn’t included at the time of 
install?

Thanks!




Re: [Freeipa-users] Add CA server AFTER install?

2016-04-25 Thread Rob Crittenden

Zak Wolfinger wrote:

Not having much luck with the docs / Google.  Is there a way to add the
CA server role to a FreeIPA installation if it wasn’t included at the
time of install?

Thanks!





ipa-ca-install

rob



Re: [Freeipa-users] Add CA server AFTER install?

2016-04-25 Thread Rob Crittenden

Zak Wolfinger wrote:

Not having much luck with the docs / Google.  Is there a way to add the
CA server role to a FreeIPA installation if it wasn’t included at the
time of install?


Too quick on the draw...

It isn't clear what you mean. ipa-ca-install can add a CA to a master 
installed using ipa-replica-install.


If you installed as CA-less then I'd look at 
http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion It is 
rather thin on details unfortunately but it looks like you can just run 
ipa-ca-install in this case as well.


rob



Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-04-25 Thread John Obaterspok
2016-02-11 1:34 GMT+01:00 Fraser Tweedale :

> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden :
> >
> > > John Obaterspok wrote:
> > >
> > >> Hi,
> > >>
> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to
> ipa.my.lan
> > >>
> > >> I recently started to get nss error "SSL peer has no certificate for
> the
> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
> > >>
> > >> Previously this worked fine if I had set "git config --global
> > >> http.sslVerify false" according to
> > >>
> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
> > >>
> > >> Now I tried to solve this by adding a SubjectAltName to the
> > >> HTTP/ipa.my.lan certificate like this:
> > >>
> > >> status: MONITORING
> > >> stuck: no
> > >> key pair storage:
> > >>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >> certificate:
> > >>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > >> Certificate DB'
> > >> CA: IPA
> > >> issuer: CN=Certificate Authority,O=MY.LAN
> > >> subject: CN=ipa.my.lan,O=MY.LAN
> > >> expires: 2018-02-06 19:24:52 UTC
> > >> dns: gitserver.my.lan,ipa.my.lan
> > >> principal name: http/ipa.my@my.lan
> > >> key usage:
> > >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >> eku: id-kp-serverAuth,id-kp-clientAuth
> > >> pre-save command:
> > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > >> track: yes
> > >> auto-renew: yes
> > >>
> > >> But I still get the below error:
> > >>
> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
> > >> * SSL peer has no certificate for the requested DNS name
> > >>
> > >
> > > What version of mod_nss? It recently added support for SNI. You can try
> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but
> I'd
> > > imagine you were already relying on it.
> > >
> > >
> > Hi,
> >
> > Turning it off didn't help
> >
> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
> > I noticed it worked if I set "ServerName gitserver.my.lan" in
> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
> >
> > I then tried to put ipa.conf in  but then I got error
> > about SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > gitserver.conf has this:
> >
> > 
> > DocumentRoot /opt/wwwgit
> > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
> > SetEnv GIT_HTTP_EXPORT_ALL
> > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
> >
> > ServerName gitserver.my.lan
> >
> >   
> >   Options Indexes
> >   AllowOverride None
> >   Require all granted
> >  
> >
> >  
> >   Options Indexes
> >   AllowOverride None
> >   Require all granted
> >  
> >
> > 
> >   #SSLRequireSSL
> >   AuthType Kerberos
> >   AuthName "Kerberos Login"
> >   KrbAuthRealm MY.LAN
> >   Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >   KrbMethodNegotiate on
> >   KrbMethodK5Passwd off # Set to on to query for pwd if
> negotiation
> > failed due to no ticket available
> >   KrbSaveCredentials on
> >   KrbVerifyKDC on
> >   KrbServiceName HTTP/ipa.my@my.lan
> >
> >   AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
> >   AuthLDAPBindDN
> "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
> >   AuthLDAPBindPassword "secret123abc"
> >   Require ldap-group
> cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >  
> >
> > 
> >
> >
> > Any more ideas what I do wrong?
>
> It was suggested that this may be due to the certificate not being
> compliant with RFC 2818.  This is likely true, but I think it is not
> likely to be the problem.  You can use `openssl s_client` to confirm
> what certificate the server is sending:
>
> openssl s_client -showcerts \
> -servername gitserver.my.lan -connect gitserver.my.lan:443
>
> This will dump the certificates (in PEM format), which you can copy
> to a file and examine with `openssl x509 -text < cert.pem`.
>
> Feel free to reply with the output; I am happy to have a closer
> look.
>
>
Hi Fraser,

*cough*, I didn't see this until now :)

Anyway,

[admin@ipa ~]$ openssl s_client -showcerts -servername gitserver.my.lan
-connect gitserver.my.lan:443
CONNECTED(0003)
140404557162360:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
unrecognized name:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 227 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher 
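For checking, independently of the server, whether a certificate's names actually cover the host named in the SNI request, here is an added Python example (not NSS, mod_nss or OpenSSL code) that applies the RFC 2818 matching rule: dNSName SAN entries are authoritative when present, and the subject CN is consulted only when there are none. The certificate dictionaries are constructed from the subject and dns lines of the certmonger listing quoted above; the wildcard handling goes beyond this thread's case.

```python
"""
Added example, not code from the thread or from any TLS library: RFC 2818
style host name matching of a certificate's names against the requested host.
Certificates are plain dicts constructed from the listing in the thread.
"""


def name_matches(pattern, host):
    """True if a dNSName/CN pattern covers host (case-insensitive, label-wise)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # A wildcard may only be the entire left-most label, and must leave at
        # least two fixed labels ("*.lan" is refused as too broad).
        if (p_labels[0] != "*" or any("*" in l for l in p_labels[1:])
                or len(p_labels) < 3):
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers_host(cert, host):
    """cert: dict with 'subject_cn' and an optional 'san_dns' list.
    With any dNSName present the CN is ignored, as RFC 2818 requires."""
    san = cert.get("san_dns") or []
    if san:
        return any(name_matches(n, host) for n in san)
    return name_matches(cert["subject_cn"], host)


def sni_decision(cert, host):
    """What a correctly behaving SNI server should do for this cert and name."""
    return "serve certificate" if cert_covers_host(cert, host) else "unrecognized_name alert"


# Constructed from the "subject:" and "dns:" lines of the certmonger listing.
HTTP_CERT = {"subject_cn": "ipa.my.lan",
             "san_dns": ["gitserver.my.lan", "ipa.my.lan"]}
# The same cert as it would look without the added SAN.
CN_ONLY_CERT = {"subject_cn": "ipa.my.lan"}

if __name__ == "__main__":
    for cert in (HTTP_CERT, CN_ONLY_CERT):
        for host in ("ipa.my.lan", "gitserver.my.lan"):
            print(host, "->", sni_decision(cert, host))
```

Against the listing above the function returns "serve certificate" for both names, which is the point of Fraser's remark: with gitserver.my.lan in the SAN the certificate itself is not what should produce the unrecognized_name alert, so the cause has to be looked for in the server's name-to-certificate selection.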

Re: [Freeipa-users] Best practice for requesting a certificate in Kickstart?

2016-04-25 Thread David Kupka

On 24/04/16 04:46, Anthony Clark wrote:

Hello All,

TL;DR: what's the best way to grab an SSL cert and key during kickstart?

(this is all using CentOS 7.2 latest)

I'm using Foreman to manage my kickstart and Puppet services, and its built-in
FreeIPA client enrollment works just fine.

However I'd like to also request a certificate and key for a Puppet client to
use to authenticate to the Foreman-controlled Puppet server.

If I manually set up a puppet client then it works just fine.  I use something
like this:

# ipa-getcert request -w -r -f /var/lib/puppet/ssl/certs/<%= @host.name
 %>.pem -k /var/lib/puppet/ssl/private_keys/<%= @host.name
 %>.pem
# cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem

(then setting the correct paths and settings in /etc/puppet/puppet.conf)

I tried to make that work inside the Kickstart process, but as those commands
are running inside a kickstart chroot the certmonger service won't start.

Is there a better method to grab an SSL cert and key for the host during
kickstart?  Or should I just wait until firstboot and perform the steps at that
point?

Many Thanks and FreeIPA is really amazing!

Anthony Clark





Hello Anthony,

TL;DR Set DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null in the kickstart 
chroot environment before calling "ipa-getcert request".



The issue is already addressed by BZ1134497 [1]. When getcert detects 
there is no DBus it starts certmonger and communicates over a unix socket. 
But in the Kickstart environment DBus is available but unusable (BZ1271551, 
[2]). It can be worked around by setting 
DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null (it is described in the Doc Text 
of [1]).


You can also run ipa-client-install with --request-cert and it will also 
request a certificate for the client. It also requires the workaround in the 
Kickstart chroot environment. But unlike "ipa-getcert request -w" it 
won't wait for the certificate to be issued and fetched.


The reason is that it can take days for a certificate to be issued (some 
CAs require human approval), so ipa-client-install only submits the 
request and doesn't wait for the certificate.
After the installation completes and the system is started, certmonger 
periodically queries for the certificate and fetches it when available.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1134497
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1271551

HTH,
--
David Kupka



Re: [Freeipa-users] RoundRobin - Cname - 2 servers with same services

2016-04-25 Thread Petr Spacek
On 22.4.2016 16:41, Martin Basti wrote:
> 
> 
> On 22.04.2016 16:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am trying to enable roundrobin on freeipa. I have 2 servers providing same
>> service (http). I am trying to give it a friendly name so that when user
>> want to access it, they can land on any one of the 2 servers.
>>
>> But IPA dns doesn’t want to let me create CName that has the same name but 2
>> different destination.
>>
>> How do I go around this?
>>
>> Thanks,
>>
>> Gady
>>
>>
>>
> Hello,
> 
> you don't, the LDAP schema limits CNAME to just one value in IPA
> 
> It is possible with BIND9.1+ to have multiple CNAMEs ?
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm
> 
> Anyway this is a violation of the RFC.
> 
> You should use A records for load balancing.

To be absolutely sure I tried to put two CNAME records on one node. BIND 9.10
refuses to load the zone and gives the following error:

zone t1.test/IN: loading from master file t1.db failed: multiple RRs of
singleton type
zone t1.test/IN: not loaded due to errors.

So does IPA.

-- 
Petr^2 Spacek
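Petr's BIND error and Martin's advice, as an added Python example (not BIND or FreeIPA code): a check over constructed zone records that applies the same singleton rule to any CNAME owner, plus a helper that lists the A records one would publish for round robin instead. Owner names and addresses are constructed.

```python
"""
Added example, not BIND or FreeIPA code: enforce the CNAME singleton rule
over a list of (owner, rtype, rdata) records and show the A-record
alternative. All records below are constructed.
"""
from collections import defaultdict


def _norm(name):
    return name.lower().rstrip(".")


def check_zone(records):
    """Return a list of error strings; empty means the records load cleanly.
    Rules applied: at most one CNAME per owner, and a CNAME owner has no other RRs."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[_norm(owner)].append((rtype.upper(), rdata))
    errors = []
    for owner, rrs in by_owner.items():
        cnames = [r for r in rrs if r[0] == "CNAME"]
        if len(cnames) > 1:
            errors.append(f"{owner}: multiple RRs of singleton type CNAME")
        elif cnames and len(rrs) > 1:
            errors.append(f"{owner}: CNAME and other data")
    return errors


def round_robin_targets(records, name):
    """Every A record address published under name: the set a resolver rotates over."""
    return sorted(rdata for owner, rtype, rdata in records
                  if _norm(owner) == _norm(name) and rtype.upper() == "A")


# Constructed: the attempted layout (two CNAMEs on one node) ...
ATTEMPTED = [
    ("www.t1.test.", "CNAME", "web1.t1.test."),
    ("www.t1.test.", "CNAME", "web2.t1.test."),
]
# ... and the working one (one A record per backend under the friendly name).
WORKING = [
    ("www.t1.test.", "A", "192.0.2.11"),
    ("www.t1.test.", "A", "192.0.2.12"),
    ("web1.t1.test.", "A", "192.0.2.11"),
    ("web2.t1.test.", "A", "192.0.2.12"),
]

if __name__ == "__main__":
    print(check_zone(ATTEMPTED))   # the singleton violation
    print(check_zone(WORKING))     # []
    print(round_robin_targets(WORKING, "www.t1.test"))
```

Keep in mind that DNS round robin gives distribution, not health checking: a dead backend still gets its share of answers until its A record is removed.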



[Freeipa-users] Differential data on cluster syn back to server1

2016-04-25 Thread barrykfl
Hi:

I have a 2-server cluster replicating ... server1 goes down, server2 takes up the
role,
and if server 1 is turned on again I find the differential ac/data created on
server2 is not replicated back to server 1 ... any idea?

Is it possible to sync back the different data manually or force a sync?
If both servers are on, it replicates normally.


THX & Regards

barry

[Freeipa-users] 2 servers replicating, if one fails how to make it replicate the differential?

2016-04-25 Thread barrykfl
Tried. Normally it replicates, but if one fails and new users are still added, the
recovered server does not sync back.