[Freeipa-users] Re: nss certs and Certificate not found error

2018-01-06 Thread lejeczek via FreeIPA-users



On 05/01/18 20:59, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

hi everyone

apologies first and foremost, as this does not concern IPA directly; I've
tried Apache's list but found no help there (yet). I know Apache's
experts traverse here, thus maybe more luck here.
I'm experiencing a weird thing. What I'm trying to do I believe must be
so common that many of you have done it and thus could advise.
I converted my Let's Encrypt cert into a new cert8.db (but also tried
cert9.db, as below), and I have in config:


   DocumentRoot /usr/share/wordpress.none
   DirectoryIndex index.php index.html
   ServerName none.net
   ServerAlias www

   NSSEngine on
   NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

   NSSCertificateDatabase sql:/etc/httpd/none
   NSSNickname "none.net - Let's Encrypt"

   ErrorLog /var/log/httpd/none.net_443-error.log
   CustomLog /var/log/httpd/none.net_443-access.log common

When I do:

$ certutil -L -d sql:/etc/httpd/none/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

none.net - Let's Encrypt                                     u,u,u
Let's Encrypt Authority X3 - Digital Signature Trust Co.     CT,C,C

So all good, right? Cert is there in the database, yet Apache fails to
start.

...
[Thu Jan 04 15:34:17.188664 2018] [:error] [pid 21849:tid
140612518500608] Certificate not found: 'none.net'
...

Is this not ... well, strange?
I presume NSS can handle multiple NSSCertificateDatabase (per VirtualHost)?
Not file permissions, not SELinux.
What can the problem be here?

There can be only one NSSCertificateDatabase right now. I've been toying
with NSS contexts which might allow multiple but it is pretty low
priority-wise.

rob
You guys are the best, not for FreeIPA only, but as
"helpers" too.

Many thanks!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
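A consistency check for the situation in this thread, added here as an example; it is not from the post and not part of mod_nss. It parses a `certutil -L` listing and an httpd config, reports when more than one NSSCertificateDatabase is configured (the single-database limitation stated in the reply), and confirms that the NSSNickname of each VirtualHost using the listed database is present there with a private key (`u` in the SSL trust column). The httpd config, the second VirtualHost and the `/etc/httpd/alias` path are constructed; the listing is the one from the post.

```python
"""Cross-check mod_nss VirtualHost directives against a `certutil -L` listing."""
import re

# Constructed sample input: the `certutil -L -d sql:/etc/httpd/none/` output from the post.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

none.net - Let's Encrypt                                     u,u,u
Let's Encrypt Authority X3 - Digital Signature Trust Co.     CT,C,C
"""

# Constructed httpd config: two TLS vhosts that name different NSS databases,
# which is the per-VirtualHost layout the reply says mod_nss does not support.
HTTPD_CONF = """\
<VirtualHost *:443>
    ServerName none.net
    NSSEngine on
    NSSCertificateDatabase sql:/etc/httpd/none
    NSSNickname "none.net - Let's Encrypt"
</VirtualHost>
<VirtualHost *:443>
    ServerName other.example
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname "Server-Cert"
</VirtualHost>
"""

# A listing row is "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>"; the header rows never match
# because they do not end in a comma-separated trust triple.
ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust-flag strings."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs

def parse_vhosts(conf):
    """Collect the directives of each <VirtualHost> block into a dict (last value wins)."""
    vhosts, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.lower().startswith("<virtualhost"):
            cur = {}
        elif line.lower() == "</virtualhost>":
            vhosts.append(cur)
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            key, _, val = line.partition(" ")
            cur[key] = val.strip().strip('"')
    return vhosts

def check_nss_config(conf, listing, listing_db):
    """Return problem strings; `listing_db` is the database the certutil listing was taken from."""
    certs = parse_certutil_listing(listing)
    vhosts = parse_vhosts(conf)
    norm = lambda db: db.rstrip("/")  # "sql:/x/" and "sql:/x" are the same database
    problems = []
    databases = {norm(v["NSSCertificateDatabase"]) for v in vhosts if "NSSCertificateDatabase" in v}
    if len(databases) > 1:
        problems.append("multiple NSSCertificateDatabase values (%s); mod_nss loads only one"
                        % ", ".join(sorted(databases)))
    for v in vhosts:
        name, nick = v.get("ServerName", "?"), v.get("NSSNickname")
        if norm(v.get("NSSCertificateDatabase", "")) != norm(listing_db):
            continue  # the listing says nothing about certs held in another database
        if nick is None:
            problems.append("%s: no NSSNickname" % name)
        elif nick not in certs:
            problems.append("%s: nickname %r not in %s" % (name, nick, listing_db))
        elif "u" not in certs[nick][0]:
            problems.append("%s: %r carries no private key (SSL trust %r)" % (name, nick, certs[nick][0]))
    return problems

if __name__ == "__main__":
    for p in check_nss_config(HTTPD_CONF, CERTUTIL_LISTING, "sql:/etc/httpd/none") or ["OK"]:
        print(p)
```

With the listing from the post and an NSSNickname of `none.net` (the name in the error message) rather than the full `none.net - Let's Encrypt`, the check reports the nickname as absent; with the nickname as configured in the post it reports nothing, which narrows the fault to the second database rather than the certificate itself.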


[Freeipa-users] ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-06 Thread lejeczek via FreeIPA-users


hi everyone

I'm trying a client; when I do:

$ ipa-client-install --no-ntp --force-join
Discovery was successful!
...
Also note that following ports are necessary for ipa-client working properly after enrollment:

 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed

Installation failed. Rolling back changes.
-- end

At server's end(one single server in domain):
..
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info): closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x

-- end

But after many tries (randomly) it would suddenly succeed.
The client said to use --force-join.

VERSION: 4.5.0, API_VERSION: 2.228

What can the problem be?

regards, L.
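A small triage script for the KDC log in this post, added here as an example; it is not from the post and not part of FreeIPA or MIT Kerberos. It groups the krb5kdc AS_REQ and TGS_REQ lines by client principal, attaches each `preauth (...) verify failure` line to the PREAUTH_FAILED that follows it from the same KDC process, and separates principals that never got a TGT from those that did. The sample input is the log from the post, re-joined one entry per line. The script only reports what the KDC logged: for the host principal, the KDC found the principal and rejected its encrypted-timestamp pre-authentication; it does not say why the key did not verify.

```python
"""Summarise krb5kdc log lines per client principal to localise an AS_REQ failure."""
import re
from collections import defaultdict

# Constructed sample: the krb5kdc entries from the post, one entry per line.
KDC_LOG = """\
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
"""

# "krb5kdc[<pid>](<level>): <message>" -- the pid lets us pair a preauth failure with its AS_REQ.
LINE_RE = re.compile(r"krb5kdc\[(?P<pid>\d+)\]\(\w+\): (?P<msg>.*)$")
REQ_RE = re.compile(r"^(?P<kind>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")  # "<client> for <server>[, reason]"
PREAUTH_RE = re.compile(r"^preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)$")

def summarise(log_text):
    """Return {client_principal: counters plus the source IPs and failed preauth mechanisms}."""
    per_client = defaultdict(lambda: {"needed_preauth": 0, "preauth_failed": 0, "as_issued": 0,
                                      "tgs_issued": 0, "ips": set(), "failed_mechs": set()})
    pending_failure = {}  # pid -> mechanism named in the last "verify failure" line from that process
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        pf = PREAUTH_RE.match(msg)
        if pf:
            pending_failure[pid] = pf.group("mech")
            continue
        req = REQ_RE.match(msg)
        if not req:
            continue  # "closing down fd" and other housekeeping lines
        pm = PRINC_RE.search(req.group("rest"))
        if not pm:
            continue
        rec = per_client[pm.group("client")]
        rec["ips"].add(req.group("ip"))
        status, kind = req.group("status"), req.group("kind")
        if status == "NEEDED_PREAUTH":
            rec["needed_preauth"] += 1
        elif status == "PREAUTH_FAILED":
            rec["preauth_failed"] += 1
            rec["failed_mechs"].add(pending_failure.pop(pid, "unknown"))
        elif status == "ISSUE":
            rec["as_issued" if kind == "AS_REQ" else "tgs_issued"] += 1
    return dict(per_client)

def triage(summary):
    """One verdict per client principal, derived from the counters alone."""
    verdicts = {}
    for client, r in sorted(summary.items()):
        if r["as_issued"]:
            verdicts[client] = "TGT issued (%d AS_REQ, %d TGS_REQ)" % (r["as_issued"], r["tgs_issued"])
        elif r["preauth_failed"]:
            verdicts[client] = "KDC knows the principal but rejected pre-authentication (%s) %d time(s) from %s" % (
                "/".join(sorted(r["failed_mechs"])), r["preauth_failed"], ", ".join(sorted(r["ips"])))
        elif r["needed_preauth"]:
            verdicts[client] = "only NEEDED_PREAUTH seen: no pre-authenticated AS_REQ followed"
        else:
            verdicts[client] = "no AS_REQ outcome recorded"
    return verdicts

if __name__ == "__main__":
    for client, verdict in triage(summarise(KDC_LOG)).items():
        print("%-70s %s" % (client, verdict))
```

Run against the post's log this puts the admin principal in the "TGT issued" bucket and the host principal in the "pre-authentication rejected" bucket, which is the distinction that matters when the same client alternates between failing and succeeding enrolments: the KDC was reachable and answered both times, so the difference lies in what the host principal presented at pre-authentication.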


[Freeipa-users] replica install fails: CA_UNREACHABLE

2018-01-06 Thread lejeczek via FreeIPA-users


hi

I'm trying to install a replica; the process fails:
..
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

Your system may be partly configured.
..
-- end

and in the install log file:
..
2018-01-06T13:50:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -A -n PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt

2018-01-06T13:50:29Z DEBUG Process finished, return code=0
2018-01-06T13:50:29Z DEBUG stdout=
2018-01-06T13:50:29Z DEBUG stderr=
2018-01-06T13:50:30Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-01-06T13:50:35Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)

2018-01-06T13:50:35Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

2018-01-06T13:50:35Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-
...
-- end

Would this be the new candidate's problem or some
communication issue with the existing server? The client installed
(kind of) okay, though.
