[Freeipa-users] Re: still unable to renew certificates - deep trouble

2017-07-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> Hello,
> 
> I'm getting desperate, I'm still unable to fix my expired certificates on
> my freeIPA master.
> 
> Summary:
> 
> - I discovered that my web ui SSL certificate had expired.
> - the certificate lives in /etc/httpd/alias, is named Server-Cert
> - for some reason, it is not tracked by ipa-getcert list
> - from the web-ui, Authentication --> certificates fail:
>   - IPA Error 4301: CertificateOperationError
>   - Certificate operation cannot be completed: Unable to communicate
>     with CMS (Internal Server Error)
> - I tried to set the system time back in time -> was unable to get
>   kinit credentials (revoked)
>
This seems odd.  You are performing `kinit` on the affected master,
right?  After changing the time, did you restart IPA and execute
`kdestroy -A` before trying to `kinit`?

> - I tried to set certmonger to track the expired certificate:
>   - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p
>     /etc/httpd/alias/pwdfile.txt
>   - status from ipa-getcert list:
>     - ca-error: Unable to determine principal name for signing
>       request.
>
You need some additional options to `ipa-getcert start-tracking`:

  -D  # SAN dnsName (for RFC 2818 compliance)
  -K HTTP/# kerberos principal name

> - I followed some instructions to manually renew the certificates.
>   - at one point I need ipa cert-request to sign the request.
>   - but the ipa cert commands do not work, e.g.
>     - ipa cert-find
>       ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O=QUARTZBIO.COM"
>       ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>       ipa: ERROR: Certificate operation cannot be completed: Unable to
>       communicate with CMS (Not Found)
> 
> What could/should I do !?!?
> 
> Is it possible to manually renew the certificate using only certutil ?
> 
Yes.  certutil(1) can do it.  The NSSDB with the IPA CA signing cert
is /etc/pki/pki-tomcat/alias.  I don't know the arcane incantation
of certutil(1) required, but hopefully the manpage will be useful.
This should be an absolute last resort.  Be very careful to:

- choose a serial number that has not already been used and is not
  likely to be used in the lifetime of the deployment (IPA uses
  sequential serial numbers so pick something large and random and
  you should be OK).

- make sure Dogtag is NOT RUNNING when you use certutil in a way
  that accesses Dogtag NSSDB.

Good luck!

> 
> Thanks for any help.
> 
> Karl
> 
> P.S
> 
> this runs in a freeipa-server docker container.
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Update signing certificate

2017-07-12 Thread Jatin Nansi via FreeIPA-users
How are you issuing the certs for the clients? Are they signed by the same
certificate chain that signed the IPA certificate? Did you install the CA
certificate chain as trusted CA on the clients?

On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> We are in the process of switching to using an external CA. We have
> successfully gone through the process and indeed the Web UI now shows the
> expected certificate chain.
>
> However when we issue certificates to our clients downstream they are
> using a signing certificate that was not issued by the new external CA.
> I've tried to find in the documentation how that gets set, but seem to be
> at a loss. Can anyone point me in the correct direction?
>
> Thanks!
> Jeff
>
>


[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-12 Thread Lachlan Musicman via FreeIPA-users
On 13 July 2017 at 00:48, bogusmaster--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> > On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via
> FreeIPA-users wrote:
>
> I have verified that hint. I've stopped the sssd daemon, cleared the cache and
> started it back again. Although ipa commands are returning correct members
> of the group, when I issue getent group ... on the server it still returns
> old members of the group that are not present in the group returned by ipa
> command.
> Can you please advise on how I can troubleshoot it further?
>


There are two parts to IPA - ipa server which does the "server" part, and
SSSD, which does the client part. On the IPA server itself, if you are
using SSSD, you might need to also update SSSD to 1.15.2-5 and clear the
cache?

ipa-client basically installs SSSD and configures it for the ipa server in
question.

cheers
L.


--
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."

 - Patrisse Cullors, *Black Lives Matter founder*


[Freeipa-users] Re: [Freeipa-users]FreeIPA-users mailing list archive broken?

2017-07-12 Thread Jason B. Nance via FreeIPA-users
The list was migrated to Fedora Hosted. (note the footer on messages and how 
the posting address is @fedorahosted.org)

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/


- Original Message -
From: "John Morris via FreeIPA-users" 
To: "FreeIPA users list" 
Cc: "John Morris" 
Sent: Wednesday, July 12, 2017 4:13:52 PM
Subject: [Freeipa-users]FreeIPA-users mailing list archive broken?

Seems the mailing list archives stopped working in mid-May:

https://www.redhat.com/archives/freeipa-users/

John


[Freeipa-users] FreeIPA-users mailing list archive broken?

2017-07-12 Thread John Morris via FreeIPA-users

Seems the mailing list archives stopped working in mid-May:

https://www.redhat.com/archives/freeipa-users/

John


[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-12 Thread bogusmaster--- via FreeIPA-users
> On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via FreeIPA-users 
> wrote:
> 
> 
> The ipa-client gets all its data from the IPA server and for efficiency
> the lookup on the server goes via the SSSD cache on the server.
> 
> While on the client during authentication the user data is refreshed
> unconditionally the old data might still be on the cache on the server.
> I would expect that when you call 'sss_cache -E' on the IPA server after
> changing the group memberships the client should see the new groups during
> authentication and access should be granted.
> 
> HTH
> 
> bye,
> Sumit

I have verified that hint. I've stopped the sssd daemon, cleared the cache and 
started it back again. Although ipa commands are returning correct members of 
the group, when I issue getent group ... on the server it still returns old 
members of the group that are not present in the group returned by ipa command.
Can you please advise on how I can troubleshoot it further?
Best,
Bart


[Freeipa-users] Re: can not restart httpd service after certificate renewal

2017-07-12 Thread Karl Forner via FreeIPA-users
I think the problem is that the web UI certificate is not tracked by
Certmonger.
I compared with my replica server which seems alright:

master server (with expired certificate):
# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20150826135329':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/tmp/webserver.key'
certificate: type=FILE,location='/tmp/webserver.crt'
CA: IPA
issuer: CN=Certificate Authority,O=QUARTZBIO.COM
subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
expires: 2017-08-26 13:53:32 UTC
principal name: HTTP/apache.quartzbio@quartzbio.com
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

replica server (with valid certificate):
# ipa-getcert list

Number of certificates and requests being tracked: 8.
Request ID '20151223161521':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=QUARTZBIO.COM
subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
expires: 2017-12-23 16:03:52 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv QUARTZBIO-COM
track: yes
auto-renew: yes
Request ID '20151223162016':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=QUARTZBIO.COM
subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
expires: 2017-12-23 16:03:59 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

There are two things that seem weird to me:
  1. the only tracked certificate on my master seems wrong: non-existing
location: /tmp/webserver.key and wrong host name apache.quartzbio.com
  2. the replica server tracks 2 certificates, and the second seems the
correct SSL certificate.

I tried tracking the certificate from /etc/httpd/alias on the server:

# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p
/etc/httpd/alias/pwdfile.txt

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150826135329':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/tmp/webserver.key'
certificate: type=FILE,location='/tmp/webserver.crt'
CA: IPA
issuer: CN=Certificate Authority,O=QUARTZBIO.COM
subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
expires: 2017-08-26 13:53:32 UTC
principal name: HTTP/apache.quartzbio@quartzbio.com
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20170712124534':
status: MONITORING
ca-error: Unable to determine principal name for signing request.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=QUARTZBIO.COM
subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
expires: 2017-07-09 09:42:56 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

As you can see, it almost worked, except for the "ca-error: Unable to
determine principal name for signing request." message.
What does it mean?

On Tue, Jul 11, 2017 at 6:23 PM, None via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> Today I realized that the https certificate for my freeipa web ui has
> expired.
> I tried to renew it using:
> #ipa-cacert-manage renew
> Renewing CA certificate, please wait
>
>
> CA certificate successfully renewed
> The ipa-cacert-manage command was successful
>
> So it seemed to go well. I tried to restart ipa but it failed:
> # ipactl start
> Starting Directory 

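The comparison of tracking entries above (a master whose only tracked request points at /tmp and carries no post-save command, and a new request with "ca-error: Unable to determine principal name for signing request"), together with Fraser's earlier note that `ipa-getcert start-tracking` needs `-K` for the principal, suggests a quick audit of `ipa-getcert list` output. The script below is an added example, not part of FreeIPA or certmonger. The sample it embeds is constructed to mirror the entries quoted in this thread; the field names it keys on (`expires`, `ca-error`, `stuck`, `principal name`, `post-save command`, `key pair storage`, `certificate`) are the ones certmonger prints, and the 30-day warning window and the `/tmp` check are assumptions of the example.

```python
"""Audit `ipa-getcert list` output for the tracking problems seen in this
thread: expired certificates, requests with a ca-error, entries with no
Kerberos principal (certmonger then cannot build the signing request), no
post-save command (the service is never restarted after renewal), and key
material kept under /tmp.

Added example; not part of FreeIPA or certmonger.
Usage:  ipa-getcert list | python3 audit_getcert.py
Without piped input it runs against the constructed SAMPLE below.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # the format certmonger prints

# Constructed sample modelled on the master's entries quoted in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio.com@QUARTZBIO.COM
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20170712124534':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:56 UTC
    post-save command:
    track: yes
    auto-renew: yes
"""


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict per tracking request.
    Keys are the field names certmonger prints ('status', 'expires', ...)."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def _location(storage_field):
    """Pull location='...' out of a key/cert storage description."""
    m = re.search(r"location='([^']*)'", storage_field)
    return m.group(1) if m else None


def audit(requests, now, warn_days=30):
    """Return {request id: [problem, ...]}; an empty list means healthy."""
    findings = {}
    for req in requests:
        problems = []
        if req.get("ca-error"):
            problems.append("ca-error: " + req["ca-error"])
        if req.get("stuck") == "yes":
            problems.append("request is stuck")
        if req.get("expires"):
            exp = datetime.strptime(req["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("certificate expired " + req["expires"])
            elif exp - now <= timedelta(days=warn_days):
                problems.append("certificate expires within %d days (%s)" % (warn_days, req["expires"]))
        if not req.get("principal name"):
            problems.append("no principal name: re-run start-tracking with -K service/host@REALM")
        if not req.get("post-save command"):
            problems.append("no post-save command: service is not restarted after renewal (-C ...)")
        for field in ("key pair storage", "certificate"):
            loc = _location(req.get(field, ""))
            if loc and loc.startswith("/tmp/"):   # assumption: /tmp is never a sane home for IPA keys
                problems.append("%s lives under /tmp: %s" % (field, loc))
        findings[req["id"]] = problems
    return findings


def audit_output(text, now=None, warn_days=30):
    """Wrapper: `now` is None (current UTC time) or a timestamp string in
    certmonger's own 'YYYY-MM-DD HH:MM:SS UTC' form."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return audit(parse_getcert_list(text), now, warn_days)


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = audit_output(text)
    for req_id, problems in findings.items():
        print("Request ID %s: %s" % (req_id, "OK" if not problems else ""))
        for p in problems:
            print("  - " + p)
    sys.exit(1 if any(findings.values()) else 0)
```

Piped the real `ipa-getcert list`, it exits non-zero whenever any tracked request has a finding, so it can sit behind a cron job or monitoring check and would have flagged this master well before the web UI certificate ran out. The `-K` and `-C` hints in the messages correspond to the principal-name option Fraser points at and the `/usr/lib64/ipa/certmonger/restart_httpd` post-save command visible on the healthy replica.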
[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-12 Thread bogusmaster--- via FreeIPA-users
What was the IPA version you used? It might not be related, but when I upgraded 
sssd to 1.15.2-5 ssh doesn't work for me, neither on the FreeIPA server nor on 
the clients. What's more strange, getent passwd for AD users doesn't work for 
the clients, although it works for the server.


[Freeipa-users] can not restart httpd service after certificate renewal

2017-07-12 Thread Karl Forner via FreeIPA-users
Hello,

Today I realized that the https certificate for my freeipa web ui has
expired.
I tried to renew it using:
#ipa-cacert-manage renew
Renewing CA certificate, please wait


CA certificate successfully renewed
The ipa-cacert-manage command was successful

So it seemed to go well. I tried to restart ipa but it failed:
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Job for httpd.service failed because the control process exited with error
code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Failed to start httpd Service
Shutting down


What went wrong? I'm running in a freeipa-server docker on a linux
server...
It is quite a big deal since I cannot run my master freeipa anymore, even
from a backup!

Moreover, even after starting from a backup of the ipa data, the httpd
service still fails.
Could it be caused by the replica server ?

Thanks.

logs
===


# systemctl status httpd.service
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           `-abc.conf
   Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
  Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
  Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 28717 (code=exited, status=1/FAILURE)

Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa : INFO KDC proxy enabled
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.


and (excerpt from journalctl -xe)

-- The start-up result is done.
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone