Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Thank you Rob and Martin, the correct place on Ubuntu seems to be: /etc/pki/nssdb/
This directory does not seem to be initialised by the *ipa-client-install* tool.
Now my script still doesn't work, but offers brand new errors :)

Thank you

On 8 November 2016 at 14:55, Rob Crittenden <rcrit...@redhat.com> wrote:
> Alessandro De Maria wrote:
> > Hello Martin,
> >
> > still no luck unfortunately.
> >
> > The client is an ubuntu 14.04 server, and I believe it is enrolled already.
> >
> > The /etc/ipa/ca.pem is correct and already installed, and I even added
> > it to the /etc/ssl/certs directory (which is why my curl command in the
> > first email does not complain)
>
> The client normally uses /etc/ipa/nssdb for NSS. I'm not sure how this
> is handled on Ubuntu clients but you'll need to confirm that whatever
> Ubuntu uses exists and has the IPA CA certificate installed.
>
> rob
>
> > Commands like *kinit* work just fine, and I have never experienced a
> > problem which would make me doubt the enrollment of this client.
> >
> > I run the following commands:
> > # mkdir /etc/ipa/nssdb
> > # certutil -A -d /etc/ipa/nssdb -n 'PROD.X.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
> > # chmod +r /etc/ipa/nssdb/*
> > # certutil -L -d /etc/ipa/nssdb
> >
> > Certificate Nickname                     Trust Attributes
> >                                          SSL,S/MIME,JAR/XPI
> >
> > PROD..COM IPA CA                         CT,C,C
> >
> > But I am still unable to run the script.
> > Is there anything else I need to do? Do I need to restart some
> > components? Any log I could look into?
> >
> > Thank you
> >
> > On 8 November 2016 at 07:56, Martin Babinsky <mbabi...@redhat.com> wrote:
> >
> > On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
> >
> > Hi Martin,
> >
> > I tried from the host I am executing the script from, and I get:
> > certutil -L -d /etc/httpd/alias/
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > certificate/key database is in an old, unsupported format.
> >
> > From the FreeIPA server, as I said previously, I get:
> >
> > certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname                     Trust Attributes
> >                                          SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert                             u,u,u
> > ipaCert                                  u,u,u
> > Server-Cert                              u,u,u
> > PROD.X.COM IPA CA                        CT,C,C
> >
> > From the FreeIPA server, I seem to be able to run the script, so we are
> > definitely on the right track.
> > How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
> > copy it, or is there a way to regenerate it?
> >
> > Regards
> > Alessandro
> >
> > On 7 November 2016 at 15:36, Alessandro De Maria <alessandro.dema...@gmail.com> wrote:
> >
> > Hi Martin, this is the output from the id1 host:
> >
> > certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname                     Trust Attributes
> >                                          SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert                             u,u,u
> > ipaCert                                  u,u,u
> > Server-Cert                              u,u,u
> > PROD.X.COM IPA CA                        CT,C,C
> >
> > looks just like you suggested. Any other suggestion?
> >
> > On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@redhat.com> wrote:
> >
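A check for what Martin and Rob ask for above (an IPA CA entry in the NSS database carrying trust flags CT,C,C), added here as an example; it is not code from the thread or from the FreeIPA project. It parses `certutil -L` text so a saved listing can be fed to it, and the three directories in scan_nssdbs are the ones named in the thread (server, client default, and the location found on Ubuntu).

```shell
#!/bin/sh
# Added example: verify that an NSS database holds the IPA CA with trust flags
# CT,C,C (trusted CA for SSL, S/MIME and object signing), the condition Martin
# asks for in the thread. check_ipa_ca_trust reads `certutil -L` output on stdin.
#
# Exit status: 0 = IPA CA present with CT,C,C     1 = present, wrong flags
#              2 = no IPA CA entry in the listing  3 = certutil could not read the database
check_ipa_ca_trust() {
    awk '
        /SEC_ERROR_LEGACY_DATABASE/ { print "UNREADABLE: " $0; legacy = 1; exit }
        /IPA CA/ {
            # certutil prints "<nickname>   <flags>"; the nickname contains spaces,
            # so the trust flags are the last whitespace-separated field.
            found = 1
            if ($NF == "CT,C,C") { print "OK: " $0; ok = 1 }
            else                 { print "WRONG TRUST FLAGS (want CT,C,C): " $0 }
        }
        END {
            if (legacy) exit 3
            if (!found) { print "MISSING: no IPA CA certificate in this database"; exit 2 }
            exit (ok ? 0 : 1)
        }'
}

# Run the check against the databases mentioned in the thread: /etc/httpd/alias
# (server), /etc/ipa/nssdb (client default) and /etc/pki/nssdb (Ubuntu client).
scan_nssdbs() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 1; }
    status=0
    for d in /etc/httpd/alias /etc/ipa/nssdb /etc/pki/nssdb; do
        if [ ! -d "$d" ]; then
            echo "$d: directory not present"
            continue
        fi
        echo "== $d"
        certutil -L -d "$d" 2>&1 | check_ipa_ca_trust || status=1
    done
    return $status
}

# `sh check-ipa-ca.sh --scan` runs the scan; without --scan only the functions are defined.
if [ "${1:-}" = "--scan" ]; then
    scan_nssdbs
fi
```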
Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Hello Martin,

still no luck unfortunately.

The client is an ubuntu 14.04 server, and I believe it is enrolled already.

The /etc/ipa/ca.pem is correct and already installed, and I even added
it to the /etc/ssl/certs directory (which is why my curl command in the
first email does not complain)

Commands like *kinit* work just fine, and I have never experienced a
problem which would make me doubt the enrollment of this client.

I run the following commands:
# mkdir /etc/ipa/nssdb
# certutil -A -d /etc/ipa/nssdb -n 'PROD.X.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
# chmod +r /etc/ipa/nssdb/*
# certutil -L -d /etc/ipa/nssdb

Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

PROD..COM IPA CA                         CT,C,C

But I am still unable to run the script.
Is there anything else I need to do? Do I need to restart some
components? Any log I could look into?

Thank you

On 8 November 2016 at 07:56, Martin Babinsky <mbabi...@redhat.com> wrote:
> On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
>
>> Hi Martin,
>>
>> I tried from the host I am executing the script from, and I get:
>> certutil -L -d /etc/httpd/alias/
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
>> certificate/key database is in an old, unsupported format.
>>
>> From the FreeIPA server, as I said previously, I get:
>>
>> certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                     Trust Attributes
>>                                          SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                             u,u,u
>> ipaCert                                  u,u,u
>> Server-Cert                              u,u,u
>> PROD.X.COM IPA CA                        CT,C,C
>>
>> From the FreeIPA server, I seem to be able to run the script, so we are
>> definitely on the right track.
>> How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
>> copy it, or is there a way to regenerate it?
>>
>> Regards
>> Alessandro
>>
>> On 7 November 2016 at 15:36, Alessandro De Maria <alessandro.dema...@gmail.com> wrote:
>>
>> Hi Martin, this is the output from the id1 host:
>>
>> certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                     Trust Attributes
>>                                          SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                             u,u,u
>> ipaCert                                  u,u,u
>> Server-Cert                              u,u,u
>> PROD.XXXXXXXXX.COM IPA CA                CT,C,C
>>
>> looks just like you suggested. Any other suggestion?
>>
>> On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@redhat.com> wrote:
>>
>> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>
>> Hello,
>>
>> I have a FreeIPA installation that is working very nicely, we already
>> have configured many hosts and so far we are quite happy with it.
>>
>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>> freeipa.py script
>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>
>> Unfortunately when I run it, I get the following:
>>
>> ipa: ERROR: cert validation failed for "CN=id1.prod.****.com,O=PROD..COM"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for "CN=id2.prod.****.com,O=PROD..COM"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the
Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Hi Martin,

I tried from the host I am executing the script from, and I get:
certutil -L -d /etc/httpd/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

From the FreeIPA server, as I said previously, I get:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

Signing-Cert                             u,u,u
ipaCert                                  u,u,u
Server-Cert                              u,u,u
PROD.X.COM IPA CA                        CT,C,C

From the FreeIPA server, I seem to be able to run the script, so we are definitely on the right track.
How do I get the /etc/httpd/alias/ in sync across these hosts? Can I copy it, or is there a way to regenerate it?

Regards
Alessandro

On 7 November 2016 at 15:36, Alessandro De Maria <alessandro.dema...@gmail.com> wrote:
> Hi Martin, this is the output from the id1 host:
>
> certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> Signing-Cert                             u,u,u
> ipaCert                                  u,u,u
> Server-Cert                              u,u,u
> PROD.X.COM IPA CA                        CT,C,C
>
> looks just like you suggested. Any other suggestion?
>
> On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@redhat.com> wrote:
>
>> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>
>>> Hello,
>>>
>>> I have a FreeIPA installation that is working very nicely, we already
>>> have configured many hosts and so far we are quite happy with it.
>>>
>>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>>> freeipa.py script
>>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>>
>>> Unfortunately when I run it, I get the following:
>>>
>>> ipa: ERROR: cert validation failed for "CN=id1.prod.****.com,O=PROD..COM"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cert validation failed for "CN=id2.prod.****.com,O=PROD..COM"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>> Traceback (most recent call last):
>>>   File "./freeipa.py", line 82, in
>>>     api = initialize()
>>>   File "./freeipa.py", line 17, in initialize
>>>     api.Backend.rpcclient.connect()
>>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>>     conn = self.create_connection(*args, **kw)
>>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>>     error=', '.join(urls))
>>> ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.****.com/ipa/json, https://id2.prod.****.com/ipa/json
>>>
>>> If I curl the URL, it works just fine (I imported the CA Certificate in the system directory /etc/ssl/certs).
>>>
>>> I have run `openssl s_client` connect and downloaded the remote certificate locally, then I run:
>>>
>>> # openssl verify cert.pem
>>> # id1.prod.****.com.pem: OK
>>>
>>> Would you help me figure out what's going on?
>>>
>>> --
>>> Alessandro De Maria
>>> alessandro.dema...@gmail.com
>>>
>> Hi Alessandro,
>>
>> this error can mean that the CA certificate in IPA NSS database has wrong
>> trust flags set. Please make sure that there is IPA CA certificate present
>> on /etc/httpd/alias and it has trust flags CT,C,C like this:
>>
>> # certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                     Trust Attributes
>>                                          SSL,S/MIME,JAR/XPI
>>
>> ipaCert                                  u,u,u
>> Server-Cert                              u,u,u
>> <$REALM> IPA CA                          CT,C,C
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Alessandro De Maria
> alessandro.dema...@gmail.com

--
Alessandro De Maria
alessandro.dema...@gmail.com
Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Hi Martin, this is the output from the id1 host:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

Signing-Cert                             u,u,u
ipaCert                                  u,u,u
Server-Cert                              u,u,u
PROD.X.COM IPA CA                        CT,C,C

looks just like you suggested. Any other suggestion?

On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@redhat.com> wrote:
> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I have a FreeIPA installation that is working very nicely, we already
>> have configured many hosts and so far we are quite happy with it.
>>
>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>> freeipa.py script
>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>
>> Unfortunately when I run it, I get the following:
>>
>> ipa: ERROR: cert validation failed for "CN=id1.prod.****.com,O=PROD..COM"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for "CN=id2.prod.****.com,O=PROD..COM"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>> Traceback (most recent call last):
>>   File "./freeipa.py", line 82, in
>>     api = initialize()
>>   File "./freeipa.py", line 17, in initialize
>>     api.Backend.rpcclient.connect()
>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>     conn = self.create_connection(*args, **kw)
>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>     error=', '.join(urls))
>> ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.****.com/ipa/json, https://id2.prod.****.com/ipa/json
>>
>> If I curl the URL, it works just fine (I imported the CA Certificate in the system directory /etc/ssl/certs).
>>
>> I have run `openssl s_client` connect and downloaded the remote certificate locally, then I run:
>>
>> # openssl verify cert.pem
>> # id1.prod.****.com.pem: OK
>>
>> Would you help me figure out what's going on?
>>
>> --
>> Alessandro De Maria
>> alessandro.dema...@gmail.com
>>
> Hi Alessandro,
>
> this error can mean that the CA certificate in IPA NSS database has wrong
> trust flags set. Please make sure that there is IPA CA certificate present
> on /etc/httpd/alias and it has trust flags CT,C,C like this:
>
> # certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> ipaCert                                  u,u,u
> Server-Cert                              u,u,u
> <$REALM> IPA CA                          CT,C,C
>
> --
> Martin^3 Babinsky

--
Alessandro De Maria
alessandro.dema...@gmail.com
[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Hello,

I have a FreeIPA installation that is working very nicely, we already have configured many hosts and so far we are quite happy with it.

I was trying to connect Ansible to fetch hosts from FreeIPA using the freeipa.py script (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)

Unfortunately when I run it, I get the following:

ipa: ERROR: cert validation failed for "CN=id1.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for "CN=id2.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Traceback (most recent call last):
  File "./freeipa.py", line 82, in
    api = initialize()
  File "./freeipa.py", line 17, in initialize
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
    error=', '.join(urls))
ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.****.com/ipa/json, https://id2.prod.****.com/ipa/json

If I curl the URL, it works just fine (I imported the CA Certificate in the system directory /etc/ssl/certs).

I have run `openssl s_client` connect and downloaded the remote certificate locally, then I run:

# openssl verify cert.pem
# id1.prod.xxxx.com.pem: OK

Would you help me figure out what's going on?

--
Alessandro De Maria
alessandro.dema...@gmail.com
[Freeipa-users] IP SAN in certificates
Hello,

I am running the following command to create a certificate for etcd

ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt", "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zz", "-D", "dock07.prod.", "-A", "10.0.1.67", "-K", "etcd/dock07.prod."

ca-error: Server at https://id1.prod.zz/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Subject alt name type IP Address is forbidden).

I believe FreeIPA does not currently support IPs as the SAN of a certificate.
Is this still the case? Is there a workaround?

Regards
Alessandro

--
Alessandro De Maria
alessandro.dema...@gmail.com
Re: [Freeipa-users] Error looking up public keys
The workaround worked thank you!

On 6 Oct 2016 5:09 pm, "Sumit Bose" <sb...@redhat.com> wrote:
> On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> > Hello,
> >
> > We are moving some of our servers to use 16.04 and for all new installs I
> > have noticed that I am unable to fetch the ssh_authorized keys from the
> > server.
> >
> > /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzz.com ademaria
> > (Thu Oct 6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
> > Error looking up public keys
> >
> > This only happens on Ubuntu 16.04. We have a number of 12.04 that work
> > perfectly.
> >
> > The configuration seems ok or at least matches the one on 12.04.
> > I increased the debug level on sssd and sss_ssh and this is the output I get
> > ...
> > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040): NSS_InitContext failed [-8015].
> > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
> > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
> > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!
> > ...
>
> Newer version of SSSD can derive ssh-keys from valid X.509 certificates
> stored in the LDAP entry of the user. Unfortunately it looks like your
> build of SSSD needs a fix for
> https://fedorahosted.org/sssd/ticket/2977. Please open a ticket for your
> distribution to include the patch for this issue which is linked at the
> end of the ticket.
>
> As a workaround you can set 'ldap_user_certificate = noSuchAttribute' in
> the [domain/...] section of sssd.conf. This should prevent SSSD from
> reading the certificate stored in the user entry. After changing
> sssd.conf you should invalidate the cache by calling 'sss_cache -E' and
> restart SSSD.
>
> HTH
>
> bye,
> Sumit
>
> > Could you help me understand what is the issue with it?
> >
> > Regards
> > Alessandro
> >
> > --
> > Alessandro De Maria
> > alessandro.dema...@gmail.com
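Sumit's workaround above as an added example (not code from the thread or from the SSSD project): it rewrites every [domain/...] section of an sssd.conf to carry `ldap_user_certificate = noSuchAttribute`, replacing an existing value rather than adding a second line, then runs the `sss_cache -E` and restart steps. It assumes SSSD is managed by systemd (`systemctl restart sssd`), which the thread does not state.

```shell
#!/bin/sh
# Added example: apply the workaround from the thread, "ldap_user_certificate =
# noSuchAttribute" in each [domain/...] section of sssd.conf, so SSSD stops
# reading (and failing to convert) the X.509 certificate in the user entry.

# add_sssd_workaround FILE: print FILE with the key inserted directly under every
# [domain/...] header; an existing ldap_user_certificate line in that section is
# dropped so the result has exactly one value and re-running is a no-op.
add_sssd_workaround() {
    awk '
        /^[[:space:]]*\[/ {
            in_domain = ($0 ~ /^[[:space:]]*\[domain\//)
            print
            if (in_domain) print "ldap_user_certificate = noSuchAttribute"
            next
        }
        in_domain && /^[[:space:]]*ldap_user_certificate[[:space:]]*=/ { next }
        { print }
    ' "$1"
}

# apply_sssd_workaround [FILE]: rewrite the live config (default /etc/sssd/sssd.conf),
# keep a .bak copy, then invalidate the cache and restart SSSD as Sumit describes.
# Assumption (not from the thread): SSSD runs under systemd.
apply_sssd_workaround() {
    conf=${1:-/etc/sssd/sssd.conf}
    tmp=$(mktemp) || return 1
    add_sssd_workaround "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # sssd refuses to start unless its config is owned by root with mode 0600
    chmod 0600 "$tmp" && cp -p "$conf" "$conf.bak" && mv "$tmp" "$conf" || return 1
    sss_cache -E && systemctl restart sssd
}
```

Run `add_sssd_workaround /etc/sssd/sssd.conf` first to review the rewritten file on stdout; `apply_sssd_workaround` needs root.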
[Freeipa-users] Error looking up public keys
Hello,

We are moving some of our servers to use 16.04 and for all new installs I have noticed that I am unable to fetch the ssh_authorized keys from the server.

/usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzz.com ademaria
(Thu Oct 6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys

This only happens on Ubuntu 16.04. We have a number of 12.04 that work perfectly.

The configuration seems ok or at least matches the one on 12.04.
I increased the debug level on sssd and sss_ssh and this is the output I get

(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x67b890][18]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x67b890][18]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x67b890][18]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [prod.zzz]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [ademaria][prod.zzz]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'ademaria' matched without domain, user is ademaria
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): using default domain [prod.zzz]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [ademaria] from [prod.zzz]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b850:1:ademaria@prod.zzz]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [prod.zzz][0x1][BE_REQ_USER][1][name=ademaria]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0x658390
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b850:1:ademaria@prod.zzz]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0x658390
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x65a7b0
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [ademaria@prod.zzz]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x666a00
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x666ac0
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x666a00 "ltdb_callback"
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x666ac0 "ltdb_timeout"
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x666a00 "ltdb_callback"
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000): Mssing element, nothing to do.
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000): Mssing element, nothing to do.
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040): NSS_InitContext failed [-8015].
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0x67b890][18]
(Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40b850:1:ademaria@prod.zzz]
(Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x6566b0
(Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x6566b0
(Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

Could you help me understand what is the issue with it?

Regards
A
Re: [Freeipa-users] User certificate workflow
Fantastic thank you!

On 16 Mar 2016 12:21 a.m., "Fraser Tweedale" <ftwee...@redhat.com> wrote:
> On Tue, Mar 15, 2016 at 09:39:12AM +0000, Alessandro De Maria wrote:
> > Thank you Martin that's very helpful.
> >
> > The annoying thing about cut/paste from web ui is that the cert is not
> > wrapped at 60 chars like it should be, but I guess I'll have to wait for
> > the save certificate functionality.
> > Any idea of when that's planned for?
> >
> > Regards
> > Alessandro
> >
> Hi Alessandro,
>
> The easiest way to get the cert is with the `ipa user-show` (if
> it was saved to the IPA direct after issuance, which is controlled
> by the `store` option Martin mentioned). E.g.:
>
>     ipa user-show alice --out=cert.pem
>
> Which will save alice's certificate(s) to the file `cert.pem`.
>
> If you copy the data from the web UI and save it to a file, the
> following will convert it to PEM:
>
>     base64 -d < cert.txt | openssl x509 -inform DER > cert.pem
>
> Finally, to configure a profile to issue certificates with a
> validity of X days, the relevant profile configuration is:
>
>     policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
>     policyset.serverCertSet.2.constraint.name=Validity Constraint
>     policyset.serverCertSet.2.constraint.params.range=740
>     policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
>     policyset.serverCertSet.2.constraint.params.notAfterCheck=false
>     policyset.serverCertSet.2.default.class_id=validityDefaultImpl
>     policyset.serverCertSet.2.default.name=Validity Default
>     policyset.serverCertSet.2.default.params.range=X
>     policyset.serverCertSet.2.default.params.startTime=0
>
> Replace `X` above with the desired lifetime in days. (Note that the
> index (`2`, above) may be different for different profiles.)
>
> Cheers,
> Fraser
>
> > On 15 March 2016 at 08:50, Martin Babinsky <mbabi...@redhat.com> wrote:
> >
> > > On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> > >
> > >> Hello,
> > >>
> > >> I would like to have authenticated users to upload a csr request and
> > >> have their certificate automatically signed. Their certificate would
> > >> expire in x days.
> > >>
> > >> Given the short life of the certificate, I would then like them to be
> > >> able to easily download the certificate.
> > >>
> > >> Any suggestion on how to do it?
> > >> I would prefer the shell script approach but also having it self
> > >> serviced on the web ui would be great.
> > >>
> > >> Regards
> > >>
> > >> --
> > >> Alessandro De Maria
> > >> alessandro.dema...@gmail.com
> > >>
> > > Hi Alessandro,
> > >
> > > for FreeIPA 4.2+ you can use the following links as a guide to set up a
> > > custom profile and CA ACL rules so that users can request certificates for
> > > themselves:
> > >
> > > http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
> > >
> > > https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
> > >
> > > The user then can generate CSR request e.g. using OpenSSL and use 'ipa
> > > cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> > > the custom certificate profile, the certificate will be added to the user
> > > entry as 'usercertificate;binary' attribute which he can view from
> > > CLI/WebUI as PEM and save it to a file by copy-pasting it (The
> > > functionality to save the certificate directly to a file is under
> > > development).
> > >
> > > It should be possible to modify the certificate profile to restrict the
> > > maximum validity of the issued certificate but I have no knowledge about
> > > that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> > > with this.
> > >
> > > --
> > > Martin^3 Babinsky
> > >
> >
> > --
> > Alessandro De Maria
> > alessandro.dema...@gmail.com
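The web-UI copy/paste route Fraser describes above, as an added example (not code from the thread or from FreeIPA): it strips whatever wrapping the pasted text has, confirms that the decoded bytes form one complete DER SEQUENCE (a truncated paste is rejected here rather than later by openssl), and writes PEM with 64-character lines. The sample inputs named in the comments are constructed DER fragments, not real certificates.

```shell
#!/bin/sh
# Added example: turn a base64 DER certificate copied from the FreeIPA web UI into
# a PEM file, rejecting a truncated or mis-pasted blob before it reaches openssl.

# der_is_complete FILE: FILE must be exactly one DER SEQUENCE (tag 0x30) whose
# encoded length matches the file size. An X.509 certificate is a SEQUENCE, so a
# paste that lost its tail (or gained stray bytes) fails here.
der_is_complete() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    set -- $(od -An -tu1 -N4 "$file")          # first four bytes, decimal
    if [ $# -lt 2 ] || [ "$1" -ne 48 ]; then
        echo "not a DER SEQUENCE (first byte ${1:-none})" >&2; return 1
    fi
    if [ "$2" -lt 128 ]; then hdr=2; len=$2                              # short form
    elif [ "$2" -eq 129 ]; then hdr=3; len=${3:-0}                       # 0x81: one length byte
    elif [ "$2" -eq 130 ]; then hdr=4; len=$((256 * ${3:-0} + ${4:-0}))  # 0x82: two length bytes
    else echo "unexpected DER length form ($2)" >&2; return 1
    fi
    if [ $((hdr + len)) -ne "$size" ]; then
        echo "DER length mismatch: header announces $((hdr + len)) bytes, file has $size (truncated paste?)" >&2
        return 1
    fi
}

# b64_to_pem: read the pasted base64 on stdin (any line wrapping, stray spaces),
# validate it, and print a PEM certificate with 64-character lines on stdout.
# Constructed sample: "MAMCAQE=" is SEQUENCE { INTEGER 1 } (30 03 02 01 01) and is
# accepted; "MAMCAQ==" is the same with the last byte missing and is rejected.
b64_to_pem() {
    tmp=$(mktemp) || return 1
    b64=$(tr -d ' \t\r\n')
    if ! printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null; then
        echo "input is not valid base64" >&2; rm -f "$tmp"; return 1
    fi
    der_is_complete "$tmp" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}
```

Typical use is `b64_to_pem < cert.txt > cert.pem`; where openssl is installed, `openssl x509 -in cert.pem -noout -subject` then confirms the result parses as a certificate.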
Re: [Freeipa-users] User certificate workflow
Thank you Martin that's very helpful.

The annoying thing about cut/paste from web ui is that the cert is not
wrapped at 60 chars like it should be, but I guess I'll have to wait for
the save certificate functionality.
Any idea of when that's planned for?

Regards
Alessandro

On 15 March 2016 at 08:50, Martin Babinsky <mbabi...@redhat.com> wrote:
> On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I would like to have authenticated users to upload a csr request and
>> have their certificate automatically signed. Their certificate would
>> expire in x days.
>>
>> Given the short life of the certificate, I would then like them to be
>> able to easily download the certificate.
>>
>> Any suggestion on how to do it?
>> I would prefer the shell script approach but also having it self
>> serviced on the web ui would be great.
>>
>> Regards
>>
>> --
>> Alessandro De Maria
>> alessandro.dema...@gmail.com
>>
> Hi Alessandro,
>
> for FreeIPA 4.2+ you can use the following links as a guide to set up a
> custom profile and CA ACL rules so that users can request certificates for
> themselves:
>
> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
>
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> The user then can generate CSR request e.g. using OpenSSL and use 'ipa
> cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> the custom certificate profile, the certificate will be added to the user
> entry as 'usercertificate;binary' attribute which he can view from
> CLI/WebUI as PEM and save it to a file by copy-pasting it (The
> functionality to save the certificate directly to a file is under
> development).
>
> It should be possible to modify the certificate profile to restrict the
> maximum validity of the issued certificate but I have no knowledge about
> that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> with this.
>
> --
> Martin^3 Babinsky

--
Alessandro De Maria
alessandro.dema...@gmail.com
Re: [Freeipa-users] OTP not working since upgrade
Solved. This turned out to be the ipa-otp process stuck on one of the 2 servers. The VPN requests were being sent to the other server, which was working fine. A simple restart of ipa fixed it.

Regards

On 28 February 2016 at 23:17, Alessandro De Maria <alessandro.dema...@gmail.com> wrote:
> Hello,
>
> since I upgraded to 4.2.0 on Centos, OTPs do not seem to work anymore.
> Name: ipa-server
> Version : 4.2.0
> Release : 15.el7_2.6
>
> The error I see in the
> Feb 28 23:01:40 id1 krb5kdc[2894](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.10: NEEDED_PREAUTH: alessan...@xx.com for krbtgt/xx@xx.com, Additional pre-authentication required
> Feb 28 23:01:41 id1.XX.com krb5kdc[2896](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.10: PREAUTH_FAILED: alessan...@xx.com for krbtgt/xx@xx.com, Incorrect password in encrypted challenge
>
> I tried syncing the OTP and also creating a new one.
> Strangely enough I can connect OK with the VPN supplying password + OTP,
> but OTP is not working on both freeipa gui and when issuing sudo.
>
> Could someone help me understand what is going on?
>
> Regards
> Alessandro
>
> --
> Alessandro De Maria
> alessandro.dema...@gmail.com

--
Alessandro De Maria
alessandro.dema...@gmail.com
[Freeipa-users] OTP not working since upgrade
Hello,

since I upgraded to 4.2.0 on Centos, OTPs do not seem to work anymore.
Name: ipa-server
Version : 4.2.0
Release : 15.el7_2.6

The error I see in the
Feb 28 23:01:40 id1 krb5kdc[2894](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.10: NEEDED_PREAUTH: alessan...@xx.com for krbtgt/xx@xx.com, Additional pre-authentication required
Feb 28 23:01:41 id1.XX.com krb5kdc[2896](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.10: PREAUTH_FAILED: alessan...@xx.com for krbtgt/xx@xx.com, Incorrect password in encrypted challenge

I tried syncing the OTP and also creating a new one.
Strangely enough I can connect OK with the VPN supplying password + OTP, but OTP is not working in both the freeipa gui and when issuing sudo.

Could someone help me understand what is going on?

Regards
Alessandro

--
Alessandro De Maria
alessandro.dema...@gmail.com
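As an added illustration (not from the thread or from FreeIPA), a small Python triage for krb5kdc AS_REQ lines in the layout quoted above: it separates the normal NEEDED_PREAUTH challenge from PREAUTH_FAILED and tallies failures per principal and source address, which is what you would look at to tell a wedged OTP daemon on one replica (every user failing there) from a single account being hammered. The principals and addresses in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# krb5kdc AS_REQ pre-authentication lines, in the layout shown in the thread:
# timestamp, host, pid, level, etypes, client IP, status, client principal,
# service principal and an optional trailing reason.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): AS_REQ \((?P<etypes>[^)]*)\) (?P<ip>[0-9a-fA-F.:]+): "
    r"(?P<status>NEEDED_PREAUTH|PREAUTH_FAILED): (?P<client>[^\s,]+) for "
    r"(?P<server>[^\s,]+)(?:, (?P<reason>.*))?$"
)

# Constructed sample, not taken from a real KDC: principals and addresses are
# placeholders. alice fails the encrypted challenge twice; bob never fails.
SAMPLE_LOG = [
    "Feb 28 23:01:40 id1 krb5kdc[2894](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Feb 28 23:01:41 id1 krb5kdc[2896](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Incorrect password in encrypted challenge",
    "Feb 28 23:02:05 id1 krb5kdc[2896](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Incorrect password in encrypted challenge",
    "Feb 28 23:03:12 id1 krb5kdc[2894](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.11: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Feb 28 23:04:00 id1 krb5kdc[2894](info): closing down fd 12",
]

def parse_as_req(line):
    """Fields of one AS_REQ preauth line, or None for any other line."""
    m = AS_REQ_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Per client principal: challenges issued, failures, source IPs, reasons."""
    stats = defaultdict(lambda: {"needed": 0, "failed": 0, "ips": set(), "reasons": set()})
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        entry = stats[rec["client"]]
        entry["ips"].add(rec["ip"])
        if rec["status"] == "NEEDED_PREAUTH":
            entry["needed"] += 1  # normal: the KDC always asks for preauth first
        else:
            entry["failed"] += 1
            if rec["reason"]:
                entry["reasons"].add(rec["reason"])
    return dict(stats)

def failing_principals(lines, threshold=2):
    """Principals with at least `threshold` PREAUTH_FAILED entries. Many
    principals failing together on one replica points at the KDC side (as in
    this thread); one principal failing from many IPs is a different problem."""
    return sorted(p for p, s in summarize(lines).items() if s["failed"] >= threshold)
```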
Re: [Freeipa-users] Unable to get new certificates after upgrade
I re-ran the upgrade script and that fixed it. Thank you very much Alexander!

On 27 February 2016 at 21:46, Alessandro De Maria <alessandro.dema...@gmail.com> wrote:
> Yes that looks exactly like it, thank you.
> Are you aware of a workaround available? Like changing the CS.cfg manually?
>
> On 27 February 2016 at 21:40, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> On Sat, 27 Feb 2016, Alessandro De Maria wrote:
>>
>>> great that explains a lot! Thank you.
>>>
>>> My hunt for > 4.2.0 was just because in the release note for 4.2.1 it had:
>>>
>>> - Various fixes for new Certificates Profiles feature
>>>
>>> So I immediately assumed the problem I might be experiencing could be fixed by an upgrade (I have tried everything else I know)
>>>
>>> But thank you, this is already very helpful.
>>>
>>> I hope I can find some other pointers to understand my issue then.
>>>
>> I think you are hitting https://fedorahosted.org/freeipa/ticket/5682
>>
>> commit 704319c3eaf74e0531dd2aa1e5880db7b6ab830c
>> Author: Martin Babinsky <mbabi...@redhat.com>
>> Date:   Mon Feb 22 13:35:41 2016 +0100
>>
>>     upgrade: unconditional import of certificate profiles into LDAP
>>
>>     During IPA server upgrade, the migration of Dogtag profiles into LDAP backend was bound to the update of CS.cfg which enabled the LDAP profile subsystem. If the subsequent profile migration failed, the subsequent upgrades were not executing the migration code leaving CA subsystem in broken state. Therefore the migration code path should be executed regardless of the status of the main Dogtag config file.
>>
>>     https://fedorahosted.org/freeipa/ticket/5682
>>
>>     Reviewed-By: Fraser Tweedale <ftwee...@redhat.com>
>>     Reviewed-By: Jan Cholasta <jchol...@redhat.com>
>>
>> This should be part of the 4.2.4 release and will eventually make it into RHEL/CentOS updates.
>>
>> --
>> / Alexander Bokovoy
>
> --
> Alessandro De Maria
> alessandro.dema...@gmail.com

--
Alessandro De Maria
alessandro.dema...@gmail.com
Re: [Freeipa-users] Unable to get new certificates after upgrade
Yes that looks exactly like it, thank you.
Are you aware of a workaround available? Like changing the CS.cfg manually?

On 27 February 2016 at 21:40, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Sat, 27 Feb 2016, Alessandro De Maria wrote:
>
>> great that explains a lot! Thank you.
>>
>> My hunt for > 4.2.0 was just because in the release note for 4.2.1 it had:
>>
>> - Various fixes for new Certificates Profiles feature
>>
>> So I immediately assumed the problem I might be experiencing could be fixed by an upgrade (I have tried everything else I know)
>>
>> But thank you, this is already very helpful.
>>
>> I hope I can find some other pointers to understand my issue then.
>>
> I think you are hitting https://fedorahosted.org/freeipa/ticket/5682
>
> commit 704319c3eaf74e0531dd2aa1e5880db7b6ab830c
> Author: Martin Babinsky <mbabi...@redhat.com>
> Date:   Mon Feb 22 13:35:41 2016 +0100
>
>     upgrade: unconditional import of certificate profiles into LDAP
>
>     During IPA server upgrade, the migration of Dogtag profiles into LDAP backend was bound to the update of CS.cfg which enabled the LDAP profile subsystem. If the subsequent profile migration failed, the subsequent upgrades were not executing the migration code leaving CA subsystem in broken state. Therefore the migration code path should be executed regardless of the status of the main Dogtag config file.
>
>     https://fedorahosted.org/freeipa/ticket/5682
>
>     Reviewed-By: Fraser Tweedale <ftwee...@redhat.com>
>     Reviewed-By: Jan Cholasta <jchol...@redhat.com>
>
> This should be part of the 4.2.4 release and will eventually make it into RHEL/CentOS updates.
>
> --
> / Alexander Bokovoy

--
Alessandro De Maria
alessandro.dema...@gmail.com
Re: [Freeipa-users] Unable to get new certificates after upgrade
great that explains a lot! Thank you.

My hunt for > 4.2.0 was just because in the release note for 4.2.1 it had:

- Various fixes for new Certificates Profiles feature

So I immediately assumed the problem I might be experiencing could be fixed by an upgrade (I have tried everything else I know)

But thank you, this is already very helpful.

I hope I can find some other pointers to understand my issue then.

Regards
Alessandro

On 27 February 2016 at 21:25, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Sat, 27 Feb 2016, Alessandro De Maria wrote:
>
>> Hello list,
>>
>> I was running freeipa 4.1 on Centos 7.1.
>> I wanted to upgrade to freeipa 4.2.x to make use of user certificates.
>>
>> Upgrade (through yum upgrade) went ok and I am now on version:
>> Name: ipa-server
>> Version : 4.2.0
>> Release : 15.el7_2.6
>>
>> However I am unable to generate new certificates (this functionality was working perfectly before)
>>
>> When I use ipa-getcert request I get the following message (ipa-getcert list)
>>
>> *Failed request, will retry: 4001 (RPC failed at server. caIPAserviceCert: Certificate Profile not found*
>>
>> I read this blog:
>> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>>
>> I tried the following:
>> $ ipa certprofile-show caIPAserviceCert
>> ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>>
>> So I tried to download *caIPAserviceCert* from this url and import it:
>>
>> $ wget https://raw.githubusercontent.com/encukou/freeipa/master/install/share/profiles/caIPAserviceCert.cfg
>>
>> $ ipa certprofile-import caIPAserviceCert --file caIPAserviceCert.cfg --desc "Default certificates" --store TRUE
>> ipa: ERROR: Non-2xx response from CA REST API: 400 Bad Request. Profile already exists
>>
>> So I imported it with another profile name (caIPAserviceCert_new) and that worked (I can see it from the web interface, but I cannot see caIPAserviceCert there)
>>
>> I tried to use:
>> ipa-getcert request -T caIPAserviceCert_new ... ... ...
>>
>> and that still gives the infamous message above:
>> *Failed request, will retry: 4001 (RPC failed at server. caIPAserviceCert: Certificate Profile not found*
>>
>> Could someone help me out please? I noticed that 4.2.3 is out with important bug fixes, is there a repository out there with Centos rpms?
>>
> I have no comments on your problem but wanted to comment on this specific thing:
>
> When certain software is packaged as part of Red Hat Enterprise Linux, there are rules its maintainers have to follow. One of these rules is to be more strict with rebases and package versions.
> When a rebase to a newer version is not granted, any bugfixes/updates will be managed as patches to the base version. This means that if you see ipa-server-4.2.0-.el7_2 in RHEL 7.2, this does not mean that a particular package has only FreeIPA 4.2.0 version. It includes a number of patches on top of it which make it equal to a certain 4.2.x version at the time of a release of that package. These patches will have to be carried as separate files until the next package rebase.
>
> For example ipa-4.2.0-15.el7.centos.3.src.rpm has 170 patches on top of the 4.2.0 tarball. Some of these are downstream-specific like branding changes but the rest are patches on top of the 4.2.0 upstream version that bring the package close to 4.2.3.
>
> This allows us to be more explicit in what is added on top of a base version and some Red Hat customers actually depend on such information in their own software management processes. For maintainers this, of course, creates a bit of overhead but it is better to be more explicit here. The only inconvenience is that we have to explain the process sometimes to people like you who think 4.2.0-.el7_2 is older than the 4.2.3 upstream release.
>
> In fact, out of those 170 patches, there are patches which went into the upstream 4.3.0 release and weren't yet released in the 4.2.x branch because there wasn't any 4.2.x release after 4.2.3 yet. So in the case of 4.2.0-.el7_2 you are actually getting more than FreeIPA 4.2.3.
>
> I hope this makes your hunt for '4.2.3' CentOS release less urgent.
>
> --
> / Alexander Bokovoy

--
Alessandro De Maria
alessandro.dema...@gmail.com
[Freeipa-users] Unable to get new certificates after upgrade
Hello list,

I was running freeipa 4.1 on Centos 7.1.
I wanted to upgrade to freeipa 4.2.x to make use of user certificates.

Upgrade (through yum upgrade) went ok and I am now on version:
Name: ipa-server
Version : 4.2.0
Release : 15.el7_2.6

However I am unable to generate new certificates (this functionality was working perfectly before)

When I use ipa-getcert request I get the following message (ipa-getcert list)

*Failed request, will retry: 4001 (RPC failed at server. caIPAserviceCert: Certificate Profile not found*

I read this blog:
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

I tried the following:
$ ipa certprofile-show caIPAserviceCert
ipa: ERROR: caIPAserviceCert: Certificate Profile not found

So I tried to download *caIPAserviceCert* from this url and import it:

$ wget https://raw.githubusercontent.com/encukou/freeipa/master/install/share/profiles/caIPAserviceCert.cfg

$ ipa certprofile-import caIPAserviceCert --file caIPAserviceCert.cfg --desc "Default certificates" --store TRUE
ipa: ERROR: Non-2xx response from CA REST API: 400 Bad Request. Profile already exists

So I imported it with another profile name (caIPAserviceCert_new) and that worked (I can see it from the web interface, but I cannot see caIPAserviceCert there)

I tried to use:
ipa-getcert request -T caIPAserviceCert_new ... ... ...

and that still gives the infamous message above:
*Failed request, will retry: 4001 (RPC failed at server. caIPAserviceCert: Certificate Profile not found*

Could someone help me out please? I noticed that 4.2.3 is out with important bug fixes, is there a repository out there with Centos rpms?

Regards
Alessandro

--
Alessandro De Maria
alessandro.dema...@gmail.com