Re: [Freeipa-users] FreeIPA install
On 10/02/2015 03:41 PM, Andrew Meyer wrote:
> works in chrome and not firefox, creating new FF profile.

Hi,

try to remove IPA certificates from firefox in ff settings

Martin

> On Friday, October 2, 2015 3:09 AM, Martin Kosek wrote:
> On 10/02/2015 04:15 AM, Andrew Meyer wrote:
> > I just created a new FreeIPA setup at my home and I'm getting the following:
> >
> > [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command
> > line: '/usr/sbin/httpd -D FOREGROUND'
> > [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS
> > START ***
> > [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS
> > START ***
> > [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error:
> > -12271 SSL client cannot verify your certificate
> > [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error:
> > -12271 SSL client cannot verify your certificate
> >
> > I tried running the ipa-manage-cacert to generate a new one and install it.
> > But no go.
> >
> > Running CentOS 7.1 with latest updates. Is there a bug in generating the SSL cert?
> >
>
> This rather seems that your client browser does not trust FreeIPA CA certificate.
>
> Related thread:
> https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html
>
> More related info:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser
>
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA install
works in chrome and not firefox, creating new FF profile.

On Friday, October 2, 2015 3:09 AM, Martin Kosek wrote:

On 10/02/2015 04:15 AM, Andrew Meyer wrote:
> I just created a new FreeIPA setup at my home and I'm getting the following:
>
> [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command
> line: '/usr/sbin/httpd -D FOREGROUND'
> [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error:
> -12271 SSL client cannot verify your certificate
> [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error:
> -12271 SSL client cannot verify your certificate
>
> I tried running the ipa-manage-cacert to generate a new one and install it.
> But no go.
>
> Running CentOS 7.1 with latest updates. Is there a bug in generating the SSL
> cert?
>

This rather seems that your client browser does not trust FreeIPA CA certificate.

Related thread:
https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html

More related info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser

Martin
Re: [Freeipa-users] FreeIPA install
I tried to clear them out of the preferences. No go. Still getting this:

Secure Connection Failed

An error occurred during a connection to asm-dns01.borg.local. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

On Friday, October 2, 2015 3:09 AM, Martin Kosek wrote:

On 10/02/2015 04:15 AM, Andrew Meyer wrote:
> I just created a new FreeIPA setup at my home and I'm getting the following:
>
> [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command
> line: '/usr/sbin/httpd -D FOREGROUND'
> [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error:
> -12271 SSL client cannot verify your certificate
> [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error:
> -12271 SSL client cannot verify your certificate
>
> I tried running the ipa-manage-cacert to generate a new one and install it.
> But no go.
>
> Running CentOS 7.1 with latest updates. Is there a bug in generating the SSL
> cert?
>

This rather seems that your client browser does not trust FreeIPA CA certificate.

Related thread:
https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html

More related info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser

Martin
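
The Firefox error quoted in the message above (sec_error_reused_issuer_and_serial) is raised when the client already holds a different certificate with the same issuer name and serial number as the one the server presents. The following is an added example, not part of the thread, of that comparison over DER-encoded certificates. The `skeleton` helper, the sample certificates and the scenario behind them (an earlier CA of the same name whose serial numbers restarted) are constructed assumptions, not data from the poster's system.

```python
import hashlib
from collections import defaultdict

def tlv(tag, body):
    """Encode a short-form DER element (body under 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the DER element at pos: (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next k bytes hold the length
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Return (raw issuer Name, serial number) of an X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # TBSCertificate SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] version precedes the serial
        tag, val, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = read_tlv(tbs, pos)         # skip signature AlgorithmIdentifier
    _, _, end = read_tlv(tbs, pos)         # issuer Name
    return tbs[pos:end], serial

def reused_issuer_and_serial(certs):
    """Groups of *different* certificates that share issuer and serial."""
    seen = defaultdict(set)
    for der in certs:
        seen[issuer_and_serial(der)].add(hashlib.sha256(der).hexdigest())
    return [sorted(fps) for fps in seen.values() if len(fps) > 1]

def skeleton(issuer_cn, serial, marker):
    """Constructed stand-in: only the leading TBSCertificate fields are real."""
    cn = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, issuer_cn))
    issuer = tlv(0x30, tlv(0x31, cn))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
           + tlv(0x30, b"") + issuer + tlv(0x04, marker))
    return tlv(0x30, tlv(0x30, tbs))

# Constructed samples: a certificate the browser kept from an earlier CA, the
# certificate of a fresh CA with the same name whose serials restarted, and an
# unrelated serial from the fresh CA.
CACHED = skeleton(b"Certificate Authority", 9, b"earlier CA")
SERVED = skeleton(b"Certificate Authority", 9, b"fresh CA")
OTHER = skeleton(b"Certificate Authority", 10, b"fresh CA")

if __name__ == "__main__":
    print(reused_issuer_and_serial([CACHED, SERVED, OTHER]))
```

Only the cached/served pair is reported; removing the stored IPA certificates from the browser, as suggested earlier in the thread, takes away the cached half of such a pair.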
Re: [Freeipa-users] FreeIPA install
On 10/02/2015 04:15 AM, Andrew Meyer wrote:
> I just created a new FreeIPA setup at my home and I'm getting the following:
>
> [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS START ***
> [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS START ***
> [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error: -12271 SSL client cannot verify your certificate
> [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error: -12271 SSL client cannot verify your certificate
>
> I tried running the ipa-manage-cacert to generate a new one and install it. But no go.
>
> Running CentOS 7.1 with latest updates. Is there a bug in generating the SSL cert?

This rather seems that your client browser does not trust FreeIPA CA certificate.

Related thread:
https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html

More related info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser

Martin
[Freeipa-users] FreeIPA install
I just created a new FreeIPA setup at my home and I'm getting the following:

[Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS START ***
[Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS START ***
[Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error: -12271 SSL client cannot verify your certificate
[Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error: -12271 SSL client cannot verify your certificate

I tried running the ipa-manage-cacert to generate a new one and install it. But no go.

Running CentOS 7.1 with latest updates. Is there a bug in generating the SSL cert?
Re: [Freeipa-users] FreeIPA install fails on config. of certificate server with "Required parameter -client_token_name is not specified."
Hi Rob,

Thanks for this. All worked fine with downgrading to 9.0.25 and FreeIPA install completed successfully. My /etc/krb5.conf file had got somewhat mangled, presumably by the earlier fun & games, but I managed to fix that. Now got the FreeIPA web UI running... :-D

Thanks for the info about koji. I had come across it before, but never used it as a package source. Looks a useful way of downgrading packages when necessary.

I am still just "practicing" with FreeIPA etc. before rebuilding the server for real, so let me know if I can help with testing any fix for the root cause issue.

Regards,
Andrew

On Friday 21 June 2013 09:22:26 Rob Crittenden wrote:
> Andrew Wasielewski wrote:
> > Hi Rob,
> >
> > Thanks for the quick response. pki-ca is ver. 9.0.26, installed as a
> > dependency by FreeIPA itself.
>
> It looks like the pki-ca package has added a new required option. I'll
> open a bug.
>
> pki-ca-9.0.25 works ok if you want to try that version. It is
> unfortunately not available via yum downgrade.
>
> The build is available at
> http://koji.fedoraproject.org/koji/buildinfo?buildID=372295
>
> If you install the koji tool it is easier to fetch the packages:
>
> # cd /tmp
> # koji download-build --arch=noarch pki-core-9.0.25-1.fc17
> # koji download-build --arch=x86_64 pki-core-9.0.25-1.fc17
>
> Then force the older packages to be installed (note this is all in one
> line, I don't know how horribly my mail client will wrap this):
>
> # rpm -Uvh --force pki-ca-9.0.25-1.fc17.noarch.rpm
> pki-common-9.0.25-1.fc17.noarch.rpm
> pki-selinux-9.0.25-1.fc17.noarch.rpm pki-setup-9.0.25-1.fc17.noarch.rpm
> pki-symkey-9.0.25-1.fc17.x86_64.rpm
> pki-java-tools-9.0.25-1.fc17.noarch.rpm
> pki-util-9.0.25-1.fc17.noarch.rpm
> pki-native-tools-9.0.25-1.fc17.x86_64.rpm
> pki-silent-9.0.25-1.fc17.noarch.rpm
>
> rob
>

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA install fails on config. of certificate server with "Required parameter -client_token_name is not specified."
Andrew Wasielewski wrote:
> Hi Rob,
>
> Thanks for the quick response. pki-ca is ver. 9.0.26, installed as a
> dependency by FreeIPA itself.

It looks like the pki-ca package has added a new required option. I'll open a bug.

pki-ca-9.0.25 works ok if you want to try that version. It is unfortunately not available via yum downgrade.

The build is available at http://koji.fedoraproject.org/koji/buildinfo?buildID=372295

If you install the koji tool it is easier to fetch the packages:

# cd /tmp
# koji download-build --arch=noarch pki-core-9.0.25-1.fc17
# koji download-build --arch=x86_64 pki-core-9.0.25-1.fc17

Then force the older packages to be installed (note this is all in one line, I don't know how horribly my mail client will wrap this):

# rpm -Uvh --force pki-ca-9.0.25-1.fc17.noarch.rpm pki-common-9.0.25-1.fc17.noarch.rpm pki-selinux-9.0.25-1.fc17.noarch.rpm pki-setup-9.0.25-1.fc17.noarch.rpm pki-symkey-9.0.25-1.fc17.x86_64.rpm pki-java-tools-9.0.25-1.fc17.noarch.rpm pki-util-9.0.25-1.fc17.noarch.rpm pki-native-tools-9.0.25-1.fc17.x86_64.rpm pki-silent-9.0.25-1.fc17.noarch.rpm

rob
Re: [Freeipa-users] FreeIPA install fails on config. of certificate server with "Required parameter -client_token_name is not specified."
Hi Rob,

Thanks for the quick response. pki-ca is ver. 9.0.26, installed as a dependency by FreeIPA itself.

Regards,
Andrew

On Thursday 20 June 2013 17:39:30 Rob Crittenden wrote:
> Andrew Wasielewski wrote:
> > Hello everyone,
> >
> > I am trying to install FreeIPA 2.2.2 on Fedora 17 (kernel
> > 3.8.13-100.fc17.x86_64). Each time it fails in step 2/17 of "Configuring
> > certificate server". The relevant portion of the log is appended below.
> > It looks like the specific cause of the error is "Required parameter
> > -client_token_name is not specified." I can't find anything on Google
> > relating to this exact string so am requesting help here.
> >
> > All necessary package installs, DNS config etc. have been done, so there
> > are no error messages during the info gathering part of the script.
> > There has been no previous installation of Kerberos or any CA software.
> > I did do some work with OpenLDAP to set up a user management directory -
> > before I found out about FreeIPA - but that used slapd which is now
> > disabled to avoid conflict with 389 Directory Server.
> >
> > Any advice much appreciated.
>
> It sure seems like the IPA installer isn't passing an option to the CA.
> What version of pki-ca do you have installed?
>
> rob
>
Re: [Freeipa-users] FreeIPA install fails on config. of certificate server with "Required parameter -client_token_name is not specified."
Andrew Wasielewski wrote:
> Hello everyone,
>
> I am trying to install FreeIPA 2.2.2 on Fedora 17 (kernel 3.8.13-100.fc17.x86_64). Each time it fails in step 2/17 of "Configuring certificate server". The relevant portion of the log is appended below. It looks like the specific cause of the error is "Required parameter -client_token_name is not specified." I can't find anything on Google relating to this exact string so am requesting help here.
>
> All necessary package installs, DNS config etc. have been done, so there are no error messages during the info gathering part of the script. There has been no previous installation of Kerberos or any CA software. I did do some work with OpenLDAP to set up a user management directory - before I found out about FreeIPA - but that used slapd which is now disabled to avoid conflict with 389 Directory Server.
>
> Any advice much appreciated.

It sure seems like the IPA installer isn't passing an option to the CA. What version of pki-ca do you have installed?

rob
[Freeipa-users] FreeIPA install fails on config. of certificate server with "Required parameter -client_token_name is not specified."
Hello everyone,

I am trying to install FreeIPA 2.2.2 on Fedora 17 (kernel 3.8.13-100.fc17.x86_64). Each time it fails in step 2/17 of "Configuring certificate server". The relevant portion of the log is appended below. It looks like the specific cause of the error is "Required parameter -client_token_name is not specified." I can't find anything on Google relating to this exact string so am requesting help here.

All necessary package installs, DNS config etc. have been done, so there are no error messages during the info gathering part of the script. There has been no previous installation of Kerberos or any CA software. I did do some work with OpenLDAP to set up a user management directory - before I found out about FreeIPA - but that used slapd which is now disabled to avoid conflict with 389 Directory Server.

Any advice much appreciated.

Regards,
Andrew

2013-06-20T21:12:27Z DEBUG stderr=
2013-06-20T21:12:27Z DEBUG duration: 0 seconds
2013-06-20T21:12:27Z DEBUG done configuring pkids.
2013-06-20T21:12:27Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-06-20T21:12:27Z DEBUG Configuring certificate server: Estimated time 3 minutes 30 seconds
2013-06-20T21:12:27Z DEBUG [1/17]: creating certificate server user
2013-06-20T21:12:27Z DEBUG ca user pkiuser exists
2013-06-20T21:12:27Z DEBUG duration: 0 seconds
2013-06-20T21:12:27Z DEBUG [2/17]: configuring certificate server instance
2013-06-20T21:12:27Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname server.wasielewski.co.uk -cs_port 9445 -client_certdb_dir /tmp/tmp-YYL2Te -client_certdb_pwd -preop_pin 1JbX3OUn0TgehavAiRWv -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=WASIELEWSKI.CO.UK -ldap_host server.wasielewski.co.uk -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=WASIELEWSKI.CO.UK -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=WASIELEWSKI.CO.UK -ca_server_cert_subject_name CN=server.wasielewski.co.uk,O=WASIELEWSKI.CO.UK -ca_audit_signing_cert_subject_name CN=CA Audit,O=WASIELEWSKI.CO.UK -ca_sign_cert_subject_name CN=Certificate Authority,O=WASIELEWSKI.CO.UK -external false -clone false
2013-06-20T21:12:27Z DEBUG stdout=libpath=/usr/lib64 ### Required parameter -client_token_name is not specified. Use -help for help information ###
2013-06-20T21:12:27Z DEBUG stderr=
2013-06-20T21:12:27Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname server.wasielewski.co.uk -cs_port 9445 -client_certdb_dir /tmp/tmp-YYL2Te -client_certdb_pwd -preop_pin 1JbX3OUn0TgehavAiRWv -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=WASIELEWSKI.CO.UK -ldap_host server.wasielewski.co.uk -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=WASIELEWSKI.CO.UK -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=WASIELEWSKI.CO.UK -ca_server_cert_subject_name CN=server.wasielewski.co.uk,O=WASIELEWSKI.CO.UK -ca_audit_signing_cert_subject_name CN=CA Audit,O=WASIELEWSKI.CO.UK -ca_sign_cert_subject_name CN=Certificate Authority,O=WASIELEWSKI.CO.UK -external false -clone false' returned non-zero exit status 255
2013-06-20T21:12:27Z DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-server-install", line 1100, in <module>
    rval = main()
  File "/usr/sbin/ipa-server-install", line 888, in main
    subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 531, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 257, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 667, in __configure_instance
    raise RuntimeError('Configuration of CA failed')