[Freeipa-users] Re: still unable to renew certificates - deep trouble
On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> Hello,
>
> I'm getting desperate, I'm still unable to fix my expired certificates on
> my freeIPA master.
>
> Summary:
>
> - I discovered that my web ui SSL certificate had expired.
> - the certificate lives in /etc/httpd/alias, is named Server-Cert
> - for some reason, it is not tracked by ipa-getcert list
> - from the web-ui, Authentication --> certificates fail:
>   - IPA Error 4301: CertificateOperationError
>   - Certificate operation cannot be completed: Unable to communicate
>     with CMS (Internal Server Error)
> - I tried to set the system time back in time -> was unable to get
>   kinit credentials (revoked)

This seems odd. You are performing `kinit` on the affected master, right?
After changing the time, did you restart IPA and execute `kdestroy -A`
before trying to `kinit`?

> - I tried to set certmonger to track the expired certificate:
>   - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p
>     /etc/httpd/alias/pwdfile.txt
>   - status from ipa-getcert list:
>     - ca-error: Unable to determine principal name for signing
>       request.

You need some additional options to `ipa-getcert start-tracking`:

    -D          # SAN dnsName (for RFC 2818 compliance)
    -K HTTP/    # kerberos principal name

> - I followed some instructions to manually renew the certificates.
> - at one point I need ipa cert-request to sign the request.
>   - but the ipa cert commands do not work, e.g.
>   - ipa cert-find
>     ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O=
>     QUARTZBIO.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate
>     has expired.)
>     ipa: ERROR: Certificate operation cannot be completed: Unable to
>     communicate with CMS (Not Found)
>
> What could/should I do !?!?
>
> Is it possible to manually renew the certificate using only certutil ?

Yes. certutil(1) can do it. The NSSDB with the IPA CA signing cert is
/etc/pki/pki-tomcat/alias.

I don't know the arcane incantation of certutil(1) required, but hopefully
the manpage will be useful. This should be an absolute last resort.
Be very careful to:

- choose a serial number that has not already been used and is not likely
  to be used in the lifetime of the deployment (IPA uses sequential serial
  numbers so pick something large and random and you should be OK).
- make sure Dogtag is NOT RUNNING when you use certutil in a way that
  accesses Dogtag NSSDB.

Good luck!

> Thanks for any help.
>
> Karl
>
> P.S
>
> this runs in a freeipa-server docker container.
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Update signing certificate
How are you issuing the certs for the clients? Are they signed by the same
certificate chain that signed the IPA certificate? Did you install the CA
certificate chain as trusted CA on the clients?

On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> We are in the process of switching to using an external CA. We have
> successfully gone through the process and indeed the Web UI now shows the
> expected certificate chain.
>
> However when we issue certificates to our clients downstream they are
> using a signing certificate that was not issued by the new external CA.
> I've tried to find in the documentation how that gets set, but seem to be
> at a loss. Can anyone point me in the correct direction?
>
> Thanks!
> Jeff
[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away
On 13 July 2017 at 00:48, bogusmaster--- via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
>
> On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via
> FreeIPA-users wrote:
>
> I have verified that hint. I've stopped sssd daemon, cleared the cache and
> started it back again. Although ipa commands are returning correct members
> of the group, when I issue getent group ... on the server it still returns
> old members of the group that are not present in the group returned by ipa
> command.
> Can you please advise on how I can troubleshoot it further?

There are two parts to IPA - ipa server which does the "server" part, and
SSSD, which does the client part.

On the IPA server itself, if you are using SSSD, you might need to also
update SSSD to 1.15.2-5 and clear the cache? ipa-client basically installs
SSSD and configures it for the ipa server in question.

cheers
L.

--
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
[Freeipa-users] Re: [Freeipa-users]FreeIPA-users mailing list archive broken?
The list was migrated to Fedora Hosted. (note the footer on messages and how
the posting address is @fedorahosted.org)

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/

----- Original Message -----
From: "John Morris via FreeIPA-users"
To: "FreeIPA users list"
Cc: "John Morris"
Sent: Wednesday, July 12, 2017 4:13:52 PM
Subject: [Freeipa-users]FreeIPA-users mailing list archive broken?

Seems the mailing list archives stopped working in mid-May:
https://www.redhat.com/archives/freeipa-users/

John
[Freeipa-users] FreeIPA-users mailing list archive broken?
Seems the mailing list archives stopped working in mid-May:
https://www.redhat.com/archives/freeipa-users/

John
[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away
> On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via FreeIPA-users
> wrote:
>
> The ipa-client gets all its data from the IPA server and for efficiency
> the lookup on the server goes via the SSSD cache on the server.
>
> While on the client during authentication the user data is refreshed
> unconditionally the old data might still be on the cache on the server.
> I would expect that when you call 'sss_cache -E' on the IPA server after
> changing the group memberships the client should see the new groups during
> authentication and access should be granted.
>
> HTH
>
> bye,
> Sumit

I have verified that hint. I've stopped sssd daemon, cleared the cache and
started it back again. Although ipa commands are returning correct members
of the group, when I issue getent group ... on the server it still returns
old members of the group that are not present in the group returned by ipa
command.

Can you please advise on how I can troubleshoot it further?

Best,
Bart
[Freeipa-users] Re: can not restart httpd service after certificate renewal
I think the problem is that the web UI certificate is not tracked by
Certmonger. I compared with my replica server which seems alright:

master server (with expired certificate):

    # ipa-getcert list
    Number of certificates and requests being tracked: 7.
    Request ID '20150826135329':
            status: MONITORING
            stuck: no
            key pair storage: type=FILE,location='/tmp/webserver.key'
            certificate: type=FILE,location='/tmp/webserver.crt'
            CA: IPA
            issuer: CN=Certificate Authority,O=QUARTZBIO.COM
            subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
            expires: 2017-08-26 13:53:32 UTC
            principal name: HTTP/apache.quartzbio@quartzbio.com
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes

replica server (with valid certificate)

    # ipa-getcert list
    Number of certificates and requests being tracked: 8.
    Request ID '20151223161521':
            status: MONITORING
            stuck: no
            key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt'
            certificate: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=QUARTZBIO.COM
            subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
            expires: 2017-12-23 16:03:52 UTC
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv QUARTZBIO-COM
            track: yes
            auto-renew: yes
    Request ID '20151223162016':
            status: MONITORING
            stuck: no
            key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=QUARTZBIO.COM
            subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
            expires: 2017-12-23 16:03:59 UTC
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/lib64/ipa/certmonger/restart_httpd
            track: yes
            auto-renew: yes

There are two things that seem weird to me:

1. the only tracked certificate on my master seems wrong: non-existing
   location: /tmp/webserver.key and wrong host name apache.quartzbio.com
2. the replica server tracks 2 certificates, and the second seems the
   correct SSL certificate.

I tried tracking the certificate from /etc/httpd/alias on the server:

    # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt
    # ipa-getcert list
    Number of certificates and requests being tracked: 8.
    Request ID '20150826135329':
            status: MONITORING
            stuck: no
            key pair storage: type=FILE,location='/tmp/webserver.key'
            certificate: type=FILE,location='/tmp/webserver.crt'
            CA: IPA
            issuer: CN=Certificate Authority,O=QUARTZBIO.COM
            subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
            expires: 2017-08-26 13:53:32 UTC
            principal name: HTTP/apache.quartzbio@quartzbio.com
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes
    Request ID '20170712124534':
            status: MONITORING
            ca-error: Unable to determine principal name for signing request.
            stuck: no
            key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=QUARTZBIO.COM
            subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
            expires: 2017-07-09 09:42:56 UTC
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes

As you can see, it almost worked, except for the "ca-error: Unable to
determine principal name for signing request." message. What does it mean ?

On Tue, Jul 11, 2017 at 6:23 PM, None via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> Today I realized that the https certificate for my freeipa web ui has
> expired.
> I tried to renew it using:
> #ipa-cacert-manage renew
> Renewing CA certificate, please wait
>
>
> CA certificate successfully renewed
> The ipa-cacert-manage command was successful
>
> So it seemed to went well. I tried to restart ipa but it failed:
> # ipactl start
> Starting Directory
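The listings above show the conditions an administrator wants to catch before a certificate actually expires: a request carrying a `ca-error`, an `expires` date already in the past, a tracking entry whose key lives as a plain file under `/tmp`, and an NSSDB-tracked request with no `principal name` recorded (the situation behind "Unable to determine principal name for signing request"). The following is an added example, my own code and not part of this thread or of FreeIPA/certmonger: it parses the text format `ipa-getcert list` prints (a `Request ID` header followed by indented `key: value` lines, as seen above) and reports those findings. The embedded listing is constructed to resemble the ones in the thread, with example hostnames, and the reference time is passed in so the check is reproducible.

```python
"""Audit `ipa-getcert list` output for expired, erroring or oddly tracked requests.

Added example, not from the thread or the FreeIPA project.  Field names
follow the certmonger listing format shown in the thread.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample modelled on the thread's listings (not real output).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150826135329':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/tmp/webserver.key'
\tcertificate: type=FILE,location='/tmp/webserver.crt'
\tCA: IPA
\tsubject: CN=apache.example.test,O=EXAMPLE.TEST
\texpires: 2017-08-26 13:53:32 UTC
\tprincipal name: HTTP/apache.example.test@EXAMPLE.TEST
\ttrack: yes
\tauto-renew: yes
Request ID '20170712124534':
\tstatus: MONITORING
\tca-error: Unable to determine principal name for signing request.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-07-09 09:42:56 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return one dict per tracked request; keys are the listing's field names."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        # Field lines are indented; anything else (e.g. the count header) is skipped.
        if current is None or not line.startswith(("\t", " ")):
            continue
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as e.g. '2017-08-26 13:53:32 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def audit(requests, now):
    """Return (request_id, finding, detail) tuples for anything that needs attention."""
    findings = []
    for r in requests:
        rid = r["request_id"]
        if "ca-error" in r:
            findings.append((rid, "ca-error", r["ca-error"]))
        if "expires" in r and parse_expiry(r["expires"]) <= now:
            findings.append((rid, "expired", r["expires"]))
        storage = r.get("key pair storage", "")
        if "type=FILE" in storage and "location='/tmp/" in storage:
            findings.append((rid, "key-in-tmp", storage))
        if "type=NSSDB" in storage and "principal name" not in r:
            findings.append((rid, "no-principal",
                             "no Kerberos principal recorded for NSSDB-tracked request"))
        if r.get("stuck") == "yes":
            findings.append((rid, "stuck", r.get("status", "")))
    return findings


def audit_text(text, now_str):
    """Convenience wrapper: audit raw listing text against a 'YYYY-MM-DD HH:MM:SS UTC' time."""
    return audit(parse_getcert_list(text), parse_expiry(now_str))


if __name__ == "__main__":
    # Usage on a server:  ipa-getcert list | python3 getcert_audit.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now_str = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    for rid, kind, detail in audit_text(text, now_str):
        print(f"{rid}: {kind}: {detail}")
```

Run against the constructed sample with a reference time of 2017-07-12, the first request is reported only for its key file under `/tmp`, while the second is reported for the `ca-error`, for being expired, and for having no principal name; the same check against a real listing piped in from `ipa-getcert list` gives a quick picture of which tracked certificates will fail to renew.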
[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away
What was the IPA version you used?

It might be not related, but when I upgraded sssd to 1.15.2-5 ssh doesn't
work for me neither on the FreeIPA server, nor on the clients. What's more
strange, getent passwd for AD users doesn't work for the clients, although
it works for the server.
[Freeipa-users] can not restart httpd service after certificate renewal
Hello,

Today I realized that the https certificate for my freeipa web ui has
expired. I tried to renew it using:

    #ipa-cacert-manage renew
    Renewing CA certificate, please wait
    CA certificate successfully renewed
    The ipa-cacert-manage command was successful

So it seemed to go well. I tried to restart ipa but it failed:

    # ipactl start
    Starting Directory Service
    Starting krb5kdc Service
    Starting kadmin Service
    Starting named Service
    Starting ipa_memcached Service
    Starting httpd Service
    Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
    Failed to start httpd Service
    Shutting down

What went wrong ?

I'm running in a freeipa-server docker on a linux server...

It is quite a big deal since I can not run my master freeipa anymore even
from a backup ! Moreover, even after starting from a backup of the ipa data,
the httpd service still fails. Could it be caused by the replica server ?

Thanks.

logs
===

    # systemctl status httpd.service
    * httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service)
      Drop-In: /usr/lib/systemd/system/httpd.service.d
               `-abc.conf
       Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
      Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
      Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
      Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
     Main PID: 28717 (code=exited, status=1/FAILURE)

    Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
    Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa : INFO KDC proxy enabled
    Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
    Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
    Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
    Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
    Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.

and (excerpt from journalctl -xe)

    -- The start-up result is done.
    Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
    Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
    Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
    -- Subject: Unit httpd.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit httpd.service has begun starting up.
    Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
    Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
    Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone