Re: [Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

2017-01-04 Thread Martin Basti



On 30.12.2016 11:54, Martin Basti wrote:


Hello,

The first half of the first issue is this bug:
https://fedorahosted.org/freeipa/ticket/6226

You have to enable SSL on the server manually after installation.

The second half of the first issue shouldn't be related to the ticket
above, but I don't know more details, so I'll leave this for the IPA CA
gurus.

The second issue is unrelated to certificates; I believe that something
in dirsrv causes this unusual behavior. I saw this before with other
users.

* both "no such entry" for the HTTP principal and for the topology plugin
are the same issue

* all users have this issue with CA-less installation, but it is not
always reproducible; I'm not sure if there is a step in the CA-less
install that can cause this

* entries are in the database (they were added previously by the
installer), but during installation the search failed with "no such
entry"; ldapsearch after installation works

* in the access log SRCH is before the ADD operation, but this is against
the steps in the installer: the entry is added first, and the installer
failed hard, so there is no way it could have been added after the failure
caused by the not-found error.


[29/Dec/2016:10:33:02.775715491 +] conn=16 op=1 SRCH base="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:02.775892719 +] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0
This caused the installation failure (IMO; there is no further SRCH operation for the HTTP principal in the log) ^^
..
[29/Dec/2016:10:33:05.487917960 +] conn=17 op=10 ADD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.492213776 +] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0 csn=5864e6530004
[29/Dec/2016:10:33:05.492372184 +] conn=17 op=11 MOD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.494649080 +] conn=17 op=11 RESULT err=0 tag=103 nentries=0 etime=0 csn=5864e65300010004
[29/Dec/2016:10:33:05.494816357 +] conn=17 op=12 MOD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
These were added after the failure ??? ^

I need a DS guru's assistance to resolve this :)
Martin^2

A ticket for this issue has been opened:
https://fedorahosted.org/freeipa/ticket/6575
Martin^2

On 29.12.2016 19:13, Peter Pakos wrote:

Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt
I hope it helps.
On 29 December 2016 at 12:52, Peter Pakos wrote:


Hi guys,
I'm facing yet another problem with CA-less install of FreeIPA
replica and 3rd party SSL certificate.
A few days ago I deployed a new CA-less server (ipa02) by running
the following command:

ipa-server-install \
  -r PAKOS.UK \
  -n pakos.uk \
  -p 'password' \
  -a 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA \
  --idstart=1000


This server appears to be working OK.
Then yesterday I deployed a client (ipa01):

ipa-client-install \
  -p admin \
  -w 'password' \
  --mkhomedir

Next, I promoted it to an IPA server:

ipa-replica-install \
  -w 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --dirsrv-cert-name=AlphaWildcardIPA \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA


After it finished, I noticed that dirsrv wasn't running on
port 636 on ipa01.
Further investigation revealed that the SSL wildcard certificate
(AlphaWildcardIPA) wasn't installed in the dirsrv DB and the CA
certificates were named oddly (CA 1 and CA 2):

[root@ipa01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                 u,u,u
CA 1                                             ,,
CA 2                                             C,,

[root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/

Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa            ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa     C,,

This is what I found in the error log:

[29/Dec/2016:01:43:58.852745536 +] 389-Directory/1.3.5.10 B2016.341. starting up
[29/Dec/2016:01:43:58.867642515 +] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[29/Dec/2016:01:43:58.889866051 +] schema-compat-plugin - scheduled schema-compat-plugin tree scan

Re: [Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

2016-12-30 Thread Martin Basti

Hello,

The first half of the first issue is this bug:
https://fedorahosted.org/freeipa/ticket/6226

You have to enable SSL on the server manually after installation.

The second half of the first issue shouldn't be related to the ticket
above, but I don't know more details, so I'll leave this for the IPA CA
gurus.

The second issue is unrelated to certificates; I believe that something
in dirsrv causes this unusual behavior. I saw this before with other
users.

* both "no such entry" for the HTTP principal and for the topology plugin
are the same issue

* all users have this issue with CA-less installation, but it is not
always reproducible; I'm not sure if there is a step in the CA-less
install that can cause this

* entries are in the database (they were added previously by the
installer), but during installation the search failed with "no such
entry"; ldapsearch after installation works

* in the access log SRCH is before the ADD operation, but this is against
the steps in the installer: the entry is added first, and the installer
failed hard, so there is no way it could have been added after the failure
caused by the not-found error.


[29/Dec/2016:10:33:02.775715491 +] conn=16 op=1 SRCH base="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:02.775892719 +] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0
This caused the installation failure (IMO; there is no further SRCH operation for the HTTP principal in the log) ^^
..
[29/Dec/2016:10:33:05.487917960 +] conn=17 op=10 ADD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.492213776 +] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0 csn=5864e6530004
[29/Dec/2016:10:33:05.492372184 +] conn=17 op=11 MOD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.494649080 +] conn=17 op=11 RESULT err=0 tag=103 nentries=0 etime=0 csn=5864e65300010004
[29/Dec/2016:10:33:05.494816357 +] conn=17 op=12 MOD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
These were added after the failure ??? ^


I need a DS guru's assistance to resolve this :)
Martin^2

On 29.12.2016 19:13, Peter Pakos wrote:

Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt
I hope it helps.
On 29 December 2016 at 12:52, Peter Pakos wrote:


Hi guys,
I'm facing yet another problem with CA-less install of FreeIPA
replica and 3rd party SSL certificate.
A few days ago I deployed a new CA-less server (ipa02) by running
the following command:

ipa-server-install \
  -r PAKOS.UK \
  -n pakos.uk \
  -p 'password' \
  -a 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA \
  --idstart=1000

This server appears to be working OK.
Then yesterday I deployed a client (ipa01):

ipa-client-install \
  -p admin \
  -w 'password' \
  --mkhomedir

Next, I promoted it to an IPA server:

ipa-replica-install \
  -w 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --dirsrv-cert-name=AlphaWildcardIPA \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA

After it finished, I noticed that dirsrv wasn't running on port
636 on ipa01.
Further investigation revealed that the SSL wildcard certificate
(AlphaWildcardIPA) wasn't installed in the dirsrv DB and the CA
certificates were named oddly (CA 1 and CA 2):

[root@ipa01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                 u,u,u
CA 1                                             ,,
CA 2                                             C,,

[root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/

Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa            ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa     C,,

This is what I found in the error log:

[29/Dec/2016:01:43:58.852745536 +] 389-Directory/1.3.5.10 B2016.341. starting up
[29/Dec/2016:01:43:58.867642515 +] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[29/Dec/2016:01:43:58.889866051 +] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Dec/2016:01:43:58.905267535 +] NSACLPlugin - The ACL target cn=groups,cn=compat,d

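Martin's reasoning above (a SRCH on conn=16 returning err=32, then the ADD of the same DN on conn=17 about three seconds later) can be checked mechanically over a whole access log. The script below is an added example, not code from this thread or from FreeIPA: it parses 389-ds access-log lines, joins each request to its RESULT on (conn, op), and flags every DN whose "no such object" search precedes the entry's successful ADD. The sample log is constructed, with example.test standing in for the list archive's obfuscated principal.

```python
import re
from datetime import datetime

# Constructed sample in 389-ds access-log format, modelled on the excerpt quoted in
# the thread: conn/op numbers and timestamps kept, DN and realm replaced by example values.
SAMPLE_LOG = """\
[29/Dec/2016:10:33:02.775715491 +0000] conn=16 op=1 SRCH base="krbprincipalname=HTTP/ipa01.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:02.775892719 +0000] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[29/Dec/2016:10:33:05.487917960 +0000] conn=17 op=10 ADD dn="krbprincipalname=HTTP/ipa01.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[29/Dec/2016:10:33:05.492213776 +0000] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$')
TARGET_RE = re.compile(r'\b(?:base|dn)="(?P<dn>[^"]*)"')   # SRCH base=... / ADD|MOD|DEL dn=...
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

def parse_ts(ts):
    """'29/Dec/2016:10:33:02.775715491 +0000' -> float seconds (nanoseconds truncated to micro)."""
    stamp, _tz = ts.split(' ', 1)
    whole, frac = stamp.split('.')
    base = datetime.strptime(whole, '%d/%b/%Y:%H:%M:%S')
    return base.timestamp() + int(frac[:6].ljust(6, '0')) / 1e6

def parse_access_log(text):
    """DN -> [(ts, conn, op, kind, err), ...] in log order; request and RESULT joined on (conn, op)."""
    pending, by_dn = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        if m['kind'] != 'RESULT':
            t = TARGET_RE.search(m['rest'])
            if t:   # requests without a target DN (BIND, UNBIND, ...) are ignored
                pending[key] = (parse_ts(m['ts']), m['kind'], t['dn'].lower())
        elif key in pending:
            ts, kind, dn = pending.pop(key)
            err = ERR_RE.search(m['rest'])
            by_dn.setdefault(dn, []).append((ts, key[0], key[1], kind, int(err['err']) if err else None))
    return by_dn

def find_search_before_add(by_dn):
    """Flag DNs where a SRCH got err=32 (noSuchObject) before the entry's first successful ADD."""
    findings = []
    for dn, ops in by_dn.items():
        first_add = next((o for o in ops if o[3] == 'ADD' and o[4] == 0), None)
        if first_add is None:
            continue
        for ts, conn, op, kind, err in ops:
            if kind == 'SRCH' and err == 32 and ts < first_add[0]:
                findings.append({'dn': dn, 'search_conn': conn, 'add_conn': first_add[1], 'gap_s': round(first_add[0] - ts, 3)})
    return findings

if __name__ == '__main__':
    print(find_search_before_add(parse_access_log(SAMPLE_LOG)))
```

Run it against the real access log with `parse_access_log(open(path).read())`; a non-empty result reproduces the ordering Martin points out without reading the file by hand.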
Re: [Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

2016-12-29 Thread Peter Pakos
Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt

I hope it helps.

On 29 December 2016 at 12:52, Peter Pakos wrote:

> Hi guys,
>
> I'm facing yet another problem with CA-less install of FreeIPA replica and
> 3rd party SSL certificate.
>
> A few days ago I deployed a new CA-less server (ipa02) by running the
> following command:
>
> ipa-server-install \
>>   -r PAKOS.UK \
>>   -n pakos.uk \
>>   -p 'password' \
>>   -a 'password' \
>>   --mkhomedir \
>>   --setup-dns \
>>   --no-forwarders \
>>   --no-dnssec-validation \
>>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --dirsrv-pin='' \
>>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --http-pin='' \
>>   --http-cert-name=AlphaWildcardIPA \
>>   --idstart=1000
>
>
> This server appears to be working OK.
>
> Then yesterday I deployed a client (ipa01):
>
> ipa-client-install \
>>   -p admin \
>>   -w 'password' \
>>   --mkhomedir
>
>
> Next, I promoted it to an IPA server:
>
> ipa-replica-install \
>>   -w 'password' \
>>   --mkhomedir \
>>   --setup-dns \
>>   --no-forwarders \
>>   --no-dnssec-validation \
>>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --dirsrv-pin='' \
>>   --dirsrv-cert-name=AlphaWildcardIPA \
>>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --http-pin='' \
>>   --http-cert-name=AlphaWildcardIPA
>
>
> After it finished, I noticed that dirsrv wasn't running on port 636 on
> ipa01.
>
> Further investigation revealed that the SSL wildcard certificate
> (AlphaWildcardIPA) wasn't installed in the dirsrv DB and the CA certificates were
> named oddly (CA 1 and CA 2):
>
> [root@ipa01 ~]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname Trust Attributes
>  
> SSL,S/MIME,JAR/XPI
>
> AlphaWildcardIPA u,u,u
> CA 1 ,,
> CA 2 C,,
>
>
> [root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/
>
> Certificate Nickname Trust Attributes
>  
> SSL,S/MIME,JAR/XPI
>
> GlobalSign Root CA - GlobalSign nv-sa ,,
> AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa C,,
>
>
> This is what I found in the error log:
>
> [29/Dec/2016:01:43:58.852745536 +] 389-Directory/1.3.5.10 B2016.341. 
> starting up
> [29/Dec/2016:01:43:58.867642515 +] default_mr_indexer_create: warning - 
> plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
> [29/Dec/2016:01:43:58.889866051 +] schema-compat-plugin - scheduled 
> schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [29/Dec/2016:01:43:58.905267535 +] NSACLPlugin - The ACL target 
> cn=groups,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.907051833 +] NSACLPlugin - The ACL target 
> cn=computers,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.908396407 +] NSACLPlugin - The ACL target 
> cn=ng,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.909758735 +] NSACLPlugin - The ACL target 
> ou=sudoers,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.911133739 +] NSACLPlugin - The ACL target 
> cn=users,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.912416230 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.913644794 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.914901802 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.916158004 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.917409810 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.918636743 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.919904210 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.921175543 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.922417264 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.923818252 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.925218237 +] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.928474915 +] NSACLPlugin - The ACL target 
> cn=ad,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.943158867 +] NSACLPlugin - The ACL target 
> cn=casigningcer

[Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

2016-12-29 Thread Peter Pakos
Hi guys,

I'm facing yet another problem with CA-less install of FreeIPA replica and
3rd party SSL certificate.

A few days ago I deployed a new CA-less server (ipa02) by running the
following command:

ipa-server-install \
>   -r PAKOS.UK \
>   -n pakos.uk \
>   -p 'password' \
>   -a 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA \
>   --idstart=1000


This server appears to be working OK.

Then yesterday I deployed a client (ipa01):

ipa-client-install \
>   -p admin \
>   -w 'password' \
>   --mkhomedir


Next, I promoted it to an IPA server:

ipa-replica-install \
>   -w 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --dirsrv-cert-name=AlphaWildcardIPA \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA


After it finished, I noticed that dirsrv wasn't running on port 636 on
ipa01.

Further investigation revealed that the SSL wildcard certificate
(AlphaWildcardIPA) wasn't installed in the dirsrv DB and the CA certificates were
named oddly (CA 1 and CA 2):

[root@ipa01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

AlphaWildcardIPA u,u,u
CA 1 ,,
CA 2 C,,


[root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa C,,


This is what I found in the error log:

[29/Dec/2016:01:43:58.852745536 +] 389-Directory/1.3.5.10
B2016.341. starting up
[29/Dec/2016:01:43:58.867642515 +] default_mr_indexer_create:
warning - plugin [caseIgnoreIA5Match] does not handle
caseExactIA5Match
[29/Dec/2016:01:43:58.889866051 +] schema-compat-plugin -
scheduled schema-compat-plugin tree scan in about 5 seconds after the
server startup!
[29/Dec/2016:01:43:58.905267535 +] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.907051833 +] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.908396407 +] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.909758735 +] NSACLPlugin - The ACL target
ou=sudoers,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.911133739 +] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.912416230 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.913644794 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.914901802 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.916158004 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.917409810 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.918636743 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.919904210 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.921175543 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.922417264 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.923818252 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.925218237 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.928474915 +] NSACLPlugin - The ACL target
cn=ad,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.943158867 +] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.944679679 +] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:59.060335708 +] NSACLPlugin - The ACL target
cn=automember rebuild membership,cn=tasks,cn=config does not exist
[29/Dec/2016:01:43:59.066618653 +
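The two certutil listings in the report above show the check worth scripting after any CA-less install: the service certificate must be in the NSS database with its private key, and every CA entry must carry an SSL trust flag. The script below is an added example, not code from this thread or from FreeIPA: it parses `certutil -L` output and audits it against the nickname passed via `--http-cert-name` / `--dirsrv-cert-name`. The listings are constructed from the ones quoted above; real output pads the nickname column with spaces.

```python
import re

# Constructed certutil -L listings modelled on the two NSS databases shown in the thread
# (whitespace between the columns is illustrative; real output pads the nickname column).
HTTPD_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI
AlphaWildcardIPA                                u,u,u
CA 1                                            ,,
CA 2                                            C,,
"""
DIRSRV_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI
GlobalSign Root CA - GlobalSign nv-sa           ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa    C,,
"""

# nickname (may contain spaces and dashes) then the three comma-separated NSS trust slots
ENTRY_RE = re.compile(r'^(?P<nick>.*?)\s*(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$')
GENERIC_NICK_RE = re.compile(r'^CA \d+$')   # installer-generated placeholder names like "CA 1"

def parse_certutil_listing(text):
    """[(nickname, (ssl_flags, smime_flags, jar_flags)), ...] from certutil -L output."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or 'Trust Attributes' in line or 'SSL,S/MIME' in line:
            continue   # blank or header line
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m['nick'], tuple(m['trust'].split(','))))
    return entries

def audit_nssdb(text, server_nick):
    """Post-install check: the service cert must be present with its private key
    ('u' in the SSL slot) and every other entry must be a CA trusted for SSL ('C' or 'T')."""
    entries = parse_certutil_listing(text)
    problems = []
    if not any(nick == server_nick for nick, _ in entries):
        problems.append((server_nick, 'missing-server-cert'))
    for nick, (ssl, _smime, _jar) in entries:
        if nick == server_nick:
            if 'u' not in ssl:
                problems.append((nick, 'no-private-key'))
            continue
        if not ({'C', 'T'} & set(ssl)):
            problems.append((nick, 'ca-untrusted'))
        if GENERIC_NICK_RE.match(nick):
            problems.append((nick, 'generic-nickname'))
    return problems

if __name__ == '__main__':
    for db, listing in (('httpd/alias', HTTPD_LISTING), ('dirsrv/slapd-PAKOS-UK', DIRSRV_LISTING)):
        print(db, audit_nssdb(listing, 'AlphaWildcardIPA'))
```

On the dirsrv listing the audit reports the missing AlphaWildcardIPA entry and the root CA with empty trust flags, which is exactly why nothing could listen on 636.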