[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

[Gustavo Berman via FreeIPA-users]

Hi Pavel,
On this machine it says that the first install of rhel-release-server was
7.2-9
But the ipa information came from a centos 6.4 install some years ago with
ipa 3.0
Later it was converted to rhel 7.0  and then upgraded through the years
Hope that helps


On Wed, Aug 9, 2017 at 12:15 PM, Pavel Vomacka <pvoma...@redhat.com> wrote:

>
>
> On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote:
>
> Pavel,
> Thanks for the help, that solved the problem. Now I can access the web ui.
>
> I'm glad that it works again.
>
> The upgrade took place yesterday and it was a release upgrade from rhel
> 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package
> updates):
>
> Thank you for info. I have one additional question: What was the first
> y-version of RHEL 7 you used?
>
> ID | Command line | Date and time| Action(s)  |
> Altered
> 
> ---
> 35 | update   | 2017-08-07 09:07 | E, I, O, U |
> 470 EE
>
>
> Acording to yum history info, this are the ipa packages that where updated:
> Obsoleted   ipa-admintools-4.4.0-14.el7_3.
> 7.noarch@rhel7
> Updated ipa-client-4.4.0-14.el7_3.7.x86_64
> @rhel7
> Obsoleting  ipa-client-4.5.0-21.el7.x86_64
> @rhel7
> Updated ipa-client-common-4.4.0-14.el7_3.7.noarch
> @rhel7
> Update4.5.0-21.el7.noarch
> @rhel7
> Updated ipa-common-4.4.0-14.el7_3.7.noarch
> @rhel7
> Update 4.5.0-21.el7.noarch
> @rhel7
> Updated ipa-python-compat-4.4.0-14.el7_3.7.noarch
> @rhel7
> Update4.5.0-21.el7.noarch
> @rhel7
> Updated ipa-server-4.4.0-14.el7_3.7.x86_64
> @rhel7
> Update 4.5.0-21.el7.x86_64
> @rhel7
> Updated ipa-server-common-4.4.0-14.el7_3.7.noarch
> @rhel7
> Update4.5.0-21.el7.noarch
> @rhel7
> Updated ipa-server-dns-4.4.0-14.el7_3.
> 7.noarch@rhel7
> Update 4.5.0-21.el7.noarch
> @rhel7
> Updated libipa_hbac-1.14.0-43.el7_3.18.x86_64
> @rhel7
> Update  1.15.2-50.el7.x86_64
> @rhel7
> Updated python-libipa_hbac-1.14.0-43.
> el7_3.18.x86_64  @rhel7
> Update 1.15.2-50.el7.x86_64
> @rhel7
> Updated python2-ipaclient-4.4.0-14.el7_3.7.noarch
> @rhel7
> Update4.5.0-21.el7.noarch
> @rhel7
> Updated python2-ipalib-4.4.0-14.el7_3.
> 7.noarch@rhel7
> Update 4.5.0-21.el7.noarch
> @rhel7
> Updated python2-ipaserver-4.4.0-14.el7_3.7.noarch
> @rhel7
> Update4.5.0-21.el7.noarch
> @rhel7
> Updated sssd-ipa-1.14.0-43.el7_3.18.x86_64
> @rhel7
> Update   1.15.2-50.el7.x86_64
> @rhel7
>
>
> Again, thanks for the help!
> Kind regards
>
>
> On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:
>
>>
>>
>> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>>
>> Hello Pavel
>>
>> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka <pvoma...@redhat.com>
>> wrote:
>>
>>>
>>> Hello Gustavo,
>>> From what I can see, the issue would be PROTOCOL ERROR in whoami
>>> command. Could you please check whether all services running? Please run
>>> # ipactl status
>>>
>>> and post the output.
>>>
>>>
>> # ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>>
>>
>>
>>> And please could you send me the /etc/named.conf? Especially everything
>>> after
>>>  dyndb "ipa"
>>> line is interesting for us.
>>>
>>
>> This is from /etc/named.conf
>>
>> options {
>> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>> listen-on-v6 {any;};
>>
>> // Put files that named is allowed to write in the data/
>> directory:
>> directory "/var/named"; // the default
>> dump-file   "data/cache_dump.db";
>&g

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

[Gustavo Berman via FreeIPA-users]

Pavel,
Thanks for the help, that solved the problem. Now I can access the web ui.
The upgrade took place yesterday and it was a release upgrade from rhel 7.3
(last update was last week) to rhel 7.4 (so we had a lot of package
updates):

ID | Command line | Date and time| Action(s)  |
Altered
---
35 | update   | 2017-08-07 09:07 | E, I, O, U |
470 EE


Acording to yum history info, this are the ipa packages that where updated:
Obsoleted
ipa-admintools-4.4.0-14.el7_3.7.noarch@rhel7
Updated
ipa-client-4.4.0-14.el7_3.7.x86_64@rhel7
Obsoleting
ipa-client-4.5.0-21.el7.x86_64@rhel7
Updated
ipa-client-common-4.4.0-14.el7_3.7.noarch @rhel7
Update
4.5.0-21.el7.noarch @rhel7
Updated
ipa-common-4.4.0-14.el7_3.7.noarch@rhel7
Update
4.5.0-21.el7.noarch@rhel7
Updated
ipa-python-compat-4.4.0-14.el7_3.7.noarch @rhel7
Update
4.5.0-21.el7.noarch @rhel7
Updated
ipa-server-4.4.0-14.el7_3.7.x86_64@rhel7
Update
4.5.0-21.el7.x86_64@rhel7
Updated
ipa-server-common-4.4.0-14.el7_3.7.noarch @rhel7
Update
4.5.0-21.el7.noarch @rhel7
Updated
ipa-server-dns-4.4.0-14.el7_3.7.noarch@rhel7
Update
4.5.0-21.el7.noarch@rhel7
Updated
libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
Update
1.15.2-50.el7.x86_64  @rhel7
Updated
python-libipa_hbac-1.14.0-43.el7_3.18.x86_64  @rhel7
Update
1.15.2-50.el7.x86_64   @rhel7
Updated
python2-ipaclient-4.4.0-14.el7_3.7.noarch @rhel7
Update
4.5.0-21.el7.noarch @rhel7
Updated
python2-ipalib-4.4.0-14.el7_3.7.noarch@rhel7
Update
4.5.0-21.el7.noarch@rhel7
Updated
python2-ipaserver-4.4.0-14.el7_3.7.noarch @rhel7
Update
4.5.0-21.el7.noarch @rhel7
Updated
sssd-ipa-1.14.0-43.el7_3.18.x86_64@rhel7
Update
1.15.2-50.el7.x86_64 @rhel7


Again, thanks for the help!
Kind regards


On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:

>
>
> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>
> Hello Pavel
>
> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka <pvoma...@redhat.com>
> wrote:
>
>>
>> Hello Gustavo,
>> From what I can see, the issue would be PROTOCOL ERROR in whoami command.
>> Could you please check whether all services running? Please run
>> # ipactl status
>>
>> and post the output.
>>
>>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
>
>
>
>> And please could you send me the /etc/named.conf? Especially everything
>> after
>>  dyndb "ipa"
>> line is interesting for us.
>>
>
> This is from /etc/named.conf
>
> options {
> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
> listen-on-v6 {any;};
>
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // the default
> dump-file   "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file  "data/named_mem_stats.txt";
>
> forward only;
> forwarders {
> 10.73.2.100;
> 10.73.2.102;
> 10.73.2.101;
> };
>
> // Any host is permitted to issue recursive queries
> allow-recursion { any; };
>
> tkey-gssapi-keytab "/etc/named.keytab";
> pid-file "/run/named/named.pid";
> dnssec-enable yes;
> dnssec-validation no;
> bindkeys-file "/etc/named.iscdlv.key";
> managed-keys-directory "/var/named/dynamic";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named 

[Freeipa-users] Cannot access Web UI after IPA upgrade to 4.5

[Gustavo Berman via FreeIPA-users]

Hi there,
Today we upgraded to the latest IPA 4.5, log says it upgraded just fine,
ipa seems to authenticate allright, but web ui fails with:

Operations ErrorSome operations failed.an internal error has occurred
And the details it shows when I press the OK button are:

Runtime error

Web UI got in unrecoverable state during "profile" phase.
Technical details:
t.metadata is undefined
update_logged_in@https://ipaserver.fisica.cabib/ipa/ui/
js/freeipa/app.js?40500:1:18156 choose_profile@https://
ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:16651
register_phases/

<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1181
_run_phase/

<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3476
forEach@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/
dojo.js?v=40500:1:29752 _run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/
freeipa/app.js?40500:1:3440 next_phase@https://ipaserver.
fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899 _run_phase/

<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626 c@
https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
d/t.then@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/
dojo.js?v=40500:1:62246

_run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/
freeipa/app.js?40500:1:3548 next_phase@https://ipaserver.
fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899 _run_phase/

<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626 c@
https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960 l@
https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/
js/dojo/dojo.js?v=40500:1:61873 dojo/promise/all/

https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:
85255 c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?
v=40500:1:60960
l@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/
js/dojo/dojo.js?v=40500:1:61873 register_phases/

https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1092
on_success@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:34431
freeipa/rpc/

https://ipaserver.fisica.cabib/ipa/
ui/js/freeipa/app.js?40500:1:57160 freeipa/rpc/

https://ipaserver.fisica.cabib/
ipa/ui/js/freeipa/app.js?40500:1:56953 freeipa/rpc/

https://ipaserver.fisica.cabib/
ipa/ui/js/freeipa/app.js?40500:1:56790 freeipa/rpc/

https://ipaserver.
fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56340 freeipa/rpc/

https://ipaserver.fisica.cabib/ipa/ui/
js/freeipa/app.js?40500:1:53786 f@https://ipaserver.fisica.
cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:49586 dojo/on/

https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:45192
dojo/on/

https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:
45808 emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?
v=40500:1:48712 c@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.
js?40500:1:52429 l@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.
js?v=40500:4:24877 fireWith@https://ipaserver.fisica.cabib/ipa/ui/js/libs/
jquery.js?v=40500:4:25702 k@https://ipaserver.fisica.
cabib/ipa/ui/js/libs/jquery.js?v=40500:6:5346 t/
<@
https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:6:9152




Apache error logs shows:

[Mon Aug 07 11:04:32.078630 2017] [:warn] [pid 11845] [client
##.##.##.##:45938] failed to set perms (3140) on file
(/var/run/ipa/ccaches/tavo@FISICA.CABIB)!, referer:

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

[Gustavo Berman via FreeIPA-users]

Hello Pavel

On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka  wrote:

>
> Hello Gustavo,
> From what I can see, the issue would be PROTOCOL ERROR in whoami command.
> Could you please check whether all services running? Please run
> # ipactl status
>
> and post the output.
>
>
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful




> And please could you send me the /etc/named.conf? Especially everything
> after
>  dyndb "ipa"
> line is interesting for us.
>

This is from /etc/named.conf

options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file   "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file  "data/named_mem_stats.txt";

forward only;
forwarders {
10.73.2.100;
10.73.2.102;
10.73.2.101;
};

// Any host is permitted to issue recursive queries
allow-recursion { any; };

tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable yes;
dnssec-validation no;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named
directory,
 * so put the default debug log file in data/ :
 */
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
base "cn=dns, dc=fisica,dc=cabib";
fake_mname "ipaserver.fisica.cabib.";
auth_method "sasl";
sasl_mech "GSSAPI";
sasl_user "DNS/ipaserver.fisica.cabib";
server_id "ipaserver.fisica.cabib";
};
include "/etc/named.root.key";

key "rndc-key" {
algorithm hmac-md5;
secret "#";
};



-- 
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: Install client fails in Ubuntu 22.04

[Gustavo Berman via FreeIPA-users]

45:d7:4f:58:80:cc:65:d8:ba:
> > 5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
> > 77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
> > 68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
> > 38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
> > dd:92:d4:68
> > localadmin@fisica75:~$
> >
> >
> > And more info obtained with curl:
> >
> > localadmin@fisica75:~$ curl --insecure -vvI
> https://ipaserver.fisica.cabib
> > *   Trying 10.reda.cted.ip:443...
> > * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > * TLSv1.2 (OUT), TLS header, Finished (20):
> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > * TLSv1.2 (IN), TLS header, Finished (20):
> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
> > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > *  subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
> > *  start date: Jul 14 14:25:06 2020 GMT
> > *  expire date: Jul 15 14:25:06 2022 GMT
> > *  issuer: O=FISICA.CABIB; CN=Certificate Authority
> > *  SSL certificate verify result: self-signed certificate in certificate
> > chain (19), continuing anyway.
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> >> HEAD / HTTP/1.1
> >> Host: ipaserver.fisica.cabib
> >> User-Agent: curl/7.81.0
> >> Accept: */*
> >>
> > * TLSv1.2 (IN), TLS header, Supplemental data (23):
> > * Mark bundle as not supporting multiuse
> > < HTTP/1.1 301 Moved Permanently
> > HTTP/1.1 301 Moved Permanently
> > < Date: Fri, 27 May 2022 13:53:28 GMT
> > Date: Fri, 27 May 2022 13:53:28 GMT
> > < Server: Apache/redactedversion
> > Server: Apache/redactedversion
> > < Location: https://ipaserver.fisica.cabib/ipa/ui
> > Location: https://ipaserver.fisica.cabib/ipa/ui
> > < Content-Type: text/html; charset=iso-8859-1
> > Content-Type: text/html; charset=iso-8859-1
> >
> > <
> > * Connection #0 to host ipaserver.fisica.cabib left intact
> >
> > Also attached public cert
> >
> >
> >
> >
> > El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>) escribió:
> >
> > Gustavo Berman via FreeIPA-users wrote:
> > > Hello there!
> > >
> > > Ubuntu 18.04 (and previous ones) works just fine
> > > In Ubuntu 22.04 I'm trying to execute ipa-client install but it
> > fails with:
> > >
> > > root@fisica75:~# ipa-client-install
> > > This program will set up IPA client.
> > > Version 4.9.8
> > >
> > > WARNING: conflicting time synchronization service 'ntp' will
> be
> > > disabled in favor of chronyd
> > >
> > > Discovery was successful!
> > > Do you want to configure chrony with NTP server or pool address?
> [no]:
> > > Client hostname: fisica75.fisica.cabib
> > > Realm: FISICA.CABIB
> > > DNS Domain: fisica.cabib
> > > IPA Server: ipaserver.fisica.cabib
> > > BaseDN: dc=fisica,dc=cabib
> > >
> > > Continue to configure the system with these values? [no]: yes
> > > Synchronizing time
> > > No SRV records of NTP servers found and no NTP server or pool
> address
> > > was provided.
> > > Using default chrony configuration.
> > > Attempting to sync time with chronyc.
> > > Time synchronization was successful.
> > > User authorized to enroll computers: tavo
> > > Password for tavo@FISICA.CABIB:
> > > Successfully retrieved CA cert
> > >   

[Freeipa-users] Re: Install client fails in Ubuntu 22.04

[Gustavo Berman via FreeIPA-users]

der, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
*  start date: Jul 14 14:25:06 2020 GMT
*  expire date: Jul 15 14:25:06 2022 GMT
*  issuer: O=FISICA.CABIB; CN=Certificate Authority
*  SSL certificate verify result: self-signed certificate in certificate
chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/1.1
> Host: ipaserver.fisica.cabib
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Fri, 27 May 2022 13:53:28 GMT
Date: Fri, 27 May 2022 13:53:28 GMT
< Server: Apache/redactedversion
Server: Apache/redactedversion
< Location: https://ipaserver.fisica.cabib/ipa/ui
Location: https://ipaserver.fisica.cabib/ipa/ui
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

<
* Connection #0 to host ipaserver.fisica.cabib left intact

Also attached public cert




El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcrit...@redhat.com)
escribió:

> Gustavo Berman via FreeIPA-users wrote:
> > Hello there!
> >
> > Ubuntu 18.04 (and previous ones) works just fine
> > In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails
> with:
> >
> > root@fisica75:~# ipa-client-install
> > This program will set up IPA client.
> > Version 4.9.8
> >
> > WARNING: conflicting time synchronization service 'ntp' will be
> > disabled in favor of chronyd
> >
> > Discovery was successful!
> > Do you want to configure chrony with NTP server or pool address? [no]:
> > Client hostname: fisica75.fisica.cabib
> > Realm: FISICA.CABIB
> > DNS Domain: fisica.cabib
> > IPA Server: ipaserver.fisica.cabib
> > BaseDN: dc=fisica,dc=cabib
> >
> > Continue to configure the system with these values? [no]: yes
> > Synchronizing time
> > No SRV records of NTP servers found and no NTP server or pool address
> > was provided.
> > Using default chrony configuration.
> > Attempting to sync time with chronyc.
> > Time synchronization was successful.
> > User authorized to enroll computers: tavo
> > Password for tavo@FISICA.CABIB:
> > Successfully retrieved CA cert
> > Subject: CN=Certificate Authority,O=FISICA.CABIB
> > Issuer:  CN=Certificate Authority,O=FISICA.CABIB
> > Valid From:  2014-01-14 12:56:57
> > Valid Until: 2034-01-14 12:56:57
> >
> > Enrolled in IPA realm FISICA.CABIB
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm FISICA.CABIB
> > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
> > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
> > certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
> > The ipa-client-install command failed. See
> > /var/log/ipaclient-install.log for more information
> > root@fisica75:~#
> >
> > There is no Hostname mismatch for the server certificate. It has been
> > working just fine for years with multiple distros as clients. I can
> > access the website with the same URL and cert is just fine.
> >
>
> The error message is pretty clear and comes out of openssl. Can we see
> the web server certificate from that host? Can you confirm that the host
> the client connected to is actually this host (e.g. DNS or /etc/host
> issues)?
>
> rob
>
>

-- 
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA


ipaserver.fisica.cabib.pem
Description: application/x509-ca-cert
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-users] Install client fails in Ubuntu 22.04

[Gustavo Berman via FreeIPA-users]

Hello there!

Ubuntu 18.04 (and previous ones) works just fine
In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails with:

root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8

WARNING: conflicting time synchronization service 'ntp' will be
disabled in favor of chronyd

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was
provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo@FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer:  CN=Certificate Authority,O=FISICA.CABIB
Valid From:  2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57

Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
root@fisica75:~#

There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can access
the website with the same URL and cert is just fine.

Any ideas?
Thanks!


-- 
Gustavo Berman
2022-05-26T12:18:49Z DEBUG Logging to /var/log/ipaclient-install.log
2022-05-26T12:18:49Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': None, 'servers': None, 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2022-05-26T12:18:49Z DEBUG IPA version 4.9.8
2022-05-26T12:18:49Z DEBUG IPA platform debian
2022-05-26T12:18:49Z DEBUG IPA os-release Ubuntu 22.04 (Jammy Jellyfish)
2022-05-26T12:18:49Z DEBUG Starting external process
2022-05-26T12:18:49Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:18:49Z DEBUG Process execution failed
2022-05-26T12:18:49Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:18:49Z DEBUG Starting external process
2022-05-26T12:18:49Z DEBUG args=['sudo', '-V']
2022-05-26T12:18:49Z DEBUG Process finished, return code=0
2022-05-26T12:18:49Z DEBUG stdout=Sudo versión 1.9.9
Opciones de configuración: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-pam-login --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-zlib=system --with-selinux --with-linux-audit --enable-tmpfiles.d=yes --without-lecture --with-tty-tickets --enable-admin-flag
versión del complemento de políticas de sudoers 1.9.9
versión de gramática del archivo Sudoers 48

Ruta de sudoers: /etc/sudoers
Métodos de autenticicación: 'pam'
Facilidad de syslog, cuando se usa syslog para el registro: authpriv
Prioridad de syslog a usarse cuando el usuario se autentifica con éxito: notice
Prioridad de syslog a usarse cuando el usuario no se autentifica 

[Freeipa-users] Re: Install client fails in Ubuntu 22.04

[Gustavo Berman via FreeIPA-users]

4:8e:bf:fd:37:59:52:56:15:
>> > a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
>> > ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
>> > bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
>> > 1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
>> > 6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
>> > e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
>> > 91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
>> > 66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
>> > c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
>> > 5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
>> > 77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
>> > 68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
>> > 38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
>> > dd:92:d4:68
>> > localadmin@fisica75:~$
>> >
>> >
>> > And more info obtained with curl:
>> >
>> > localadmin@fisica75:~$ curl --insecure -vvI
>> https://ipaserver.fisica.cabib
>> > *   Trying 10.reda.cted.ip:443...
>> > * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
>> > * ALPN, offering h2
>> > * ALPN, offering http/1.1
>> > * TLSv1.0 (OUT), TLS header, Certificate Status (22):
>> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
>> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> > * TLSv1.2 (OUT), TLS header, Finished (20):
>> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> > * TLSv1.2 (IN), TLS header, Finished (20):
>> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
>> > * TLSv1.2 (IN), TLS handshake, Finished (20):
>> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> > * ALPN, server did not agree to a protocol
>> > * Server certificate:
>> > *  subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
>> > *  start date: Jul 14 14:25:06 2020 GMT
>> > *  expire date: Jul 15 14:25:06 2022 GMT
>> > *  issuer: O=FISICA.CABIB; CN=Certificate Authority
>> > *  SSL certificate verify result: self-signed certificate in certificate
>> > chain (19), continuing anyway.
>> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
>> >> HEAD / HTTP/1.1
>> >> Host: ipaserver.fisica.cabib
>> >> User-Agent: curl/7.81.0
>> >> Accept: */*
>> >>
>> > * TLSv1.2 (IN), TLS header, Supplemental data (23):
>> > * Mark bundle as not supporting multiuse
>> > < HTTP/1.1 301 Moved Permanently
>> > HTTP/1.1 301 Moved Permanently
>> > < Date: Fri, 27 May 2022 13:53:28 GMT
>> > Date: Fri, 27 May 2022 13:53:28 GMT
>> > < Server: Apache/redactedversion
>> > Server: Apache/redactedversion
>> > < Location: https://ipaserver.fisica.cabib/ipa/ui
>> > Location: https://ipaserver.fisica.cabib/ipa/ui
>> > < Content-Type: text/html; charset=iso-8859-1
>> > Content-Type: text/html; charset=iso-8859-1
>> >
>> > <
>> > * Connection #0 to host ipaserver.fisica.cabib left intact
>> >
>> > Also attached public cert
>> >
>> >
>> >
>> >
>> > El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcrit...@redhat.com
>> > <mailto:rcrit...@redhat.com>) escribió:
>> >
>> > Gustavo Berman via FreeIPA-users wrote:
>> > > Hello there!
>> > >
>> > > Ubuntu 18.04 (and previous ones) works just fine
>> > > In Ubuntu 22.04 I'm trying to execute ipa-client install but it
>> > fails with:
>> > >
>> > > root@fisica75:~# ipa-client-install
>> > > This program will set up IPA client.
>> > > Version 4.9.8
>> > >
>> > > WARNING: conflicting time synchronization service 'ntp' will
>> be
>> > > disabled in