debian 8 freeipa-client
by Andrew Radygin
Hello!
I have freeipa server 4.5 on Centos 7.
And want to enroll host on Debian 8 to domain.
I've found freeipa-client 4.4 in the sid repo, and installing it was almost
successful...
apt-get cannot finish configuring certmonger, and I get the following
error:
======
# journalctl -u certmonger
-- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21
15:39:01 MSK. --
Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring and
PKI enrollment...
Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 [18411]
Unable to set well-known bus name "org.fedorahosted.certmonger": Connection
":1.4" is not allowed to own the service "org.fedora
Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process
exited, code=exited, status=1/FAILURE
Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate monitoring
and PKI enrollment.
Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered failed
state.
========
Does anyone know how to deal with it?
Thanks!
--
Best regards, Andrew.
Renew expired certs with certmonger
by Qing Chang
Greetings,
We have some certs that expired on Dec 27, ipaCert among them, and IPA (VERSION:
4.4.0, API_VERSION: 2.213) stopped working.
I have spent many hours trying to renew the certs, to no avail.
I have followed a collection of tips from this list:
- rolled back the clock to before the expiry (Dec 23),
- enabled debug logging for the certmonger renewal helper:
  getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv'
- added debug=true to /etc/ipa/default.conf.
ipactl start starts everything successfully
systemctl start pki-tomcatd@pki-tomcat
systemctl restart certmonger
Before resubmitting, "getcert list" shows this; note ca-error: Invalid cookie: '':
-----
getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170201190112':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Audit,O=CAMHRES.CA
expires: 2017-12-27 14:36:44 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190113':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=OCSP Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190114':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190115':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=Certificate Authority,O=CAMHRES.CA
expires: 2036-01-07 14:36:42 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190116':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=IPA RA,O=CAMHRES.CA
expires: 2017-12-27 14:37:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170201190117':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-11-19 19:38:26 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190118':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/
dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/dirsrv/slapd-CAMHRES-CA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',
nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:29 UTC
principal name: ldap/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
CAMHRES-CA
track: yes
auto-renew: yes
Request ID '20170201190119':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/
httpd/alias',nickname='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/
httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:38 UTC
principal name: HTTP/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-----
After resubmitting:
ipa-getcert resubmit -i 20170201190112
ipa-getcert resubmit -i 20170201190113
ipa-getcert resubmit -i 20170201190114
ipa-getcert resubmit -i 20170201190116
getcert list shows this, note status: CA_WORKING:
-----
Number of certificates and requests being tracked: 8.
Request ID '20170201190112':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Audit,O=CAMHRES.CA
expires: 2017-12-27 14:36:44 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190113':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=OCSP Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190114':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190115':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=Certificate Authority,O=CAMHRES.CA
expires: 2036-01-07 14:36:42 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190116':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=IPA RA,O=CAMHRES.CA
expires: 2017-12-27 14:37:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170201190117':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
DB',pin set
certificate: type=NSSDB,location='/etc/pki/
pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-11-19 19:38:26 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190118':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/
dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/dirsrv/slapd-CAMHRES-CA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',
nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:29 UTC
principal name: ldap/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
CAMHRES-CA
track: yes
auto-renew: yes
Request ID '20170201190119':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/
httpd/alias',nickname='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/
httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:38 UTC
principal name: HTTP/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-----
Nothing happens from then on, and /var/log/ipa/renew.log does not log any new
messages after these:
-----
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG
Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab
/etc/krb5.keytab
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG using
ccache /var/run/certmonger/tmp-1aYw7c/ccache
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG Attempt
1/1: success
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG Loading
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:55:52Z 5538 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Created connection context.ldap2_80840016
2017-12-23T05:55:52Z 5538 MainThread
ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x41b2170>
2017-12-23T05:55:52Z 5538 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Destroyed connection context.ldap2_80840016
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG
Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab
/etc/krb5.keytab
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG using
ccache /var/run/certmonger/tmp-VDJjQv/ccache
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG Attempt
1/1: success
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG Loading
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:56:03Z 5543 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Created connection context.ldap2_77880784
2017-12-23T05:56:03Z 5543 MainThread
ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4a46e60>
2017-12-23T05:56:03Z 5543 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Destroyed connection context.ldap2_77880784
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG
Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab
/etc/krb5.keytab
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG using
ccache /var/run/certmonger/tmp-BQMLXO/ccache
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG Attempt
1/1: success
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG Loading
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:56:12Z 5548 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Created connection context.ldap2_82537872
2017-12-23T05:56:12Z 5548 MainThread
ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eba710>
2017-12-23T05:56:13Z 5548 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Destroyed connection context.ldap2_82537872
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG
Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab
/etc/krb5.keytab
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG using
ccache /var/run/certmonger/tmp-zvyYAy/ccache
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG Attempt
1/1: success
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG Loading
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:56:22Z 5549 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Created connection context.ldap2_104689040
2017-12-23T05:56:22Z 5549 MainThread
ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x63dbea8>
2017-12-23T05:56:23Z 5549 MainThread
ipa.ipaserver.plugins.ldap2.ldap2
DEBUG Destroyed connection context.ldap2_104689040
-----
/var/log/pki/pki-tomcat/ca/selftests.log does not log any errors:
-----
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: Running self test plugins specified to be executed at
startup:
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] CAPresence:
CA is present
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
startup!
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1]
SelfTestSubsystem: Running self test plugins specified to be executed at
startup:
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1] CAPresence:
CA is present
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1]
SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1]
SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
startup!
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: Running self test plugins specified to be executed at
startup:
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] CAPresence:
CA is present
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
startup!
-----
Can someone shed some light on this? I may have missed some logs but can
provide them if required.
Many thanks,
Qing
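The triage the thread does by eye (looking for ca-error, status and expiry across the `getcert list` output) as an added Python example; this is not code from the thread or from FreeIPA/certmonger, the sample output is constructed to mimic the format above (one field per line, as getcert prints it before a mailer wraps it), and the EXAMPLE.TEST realm, subjects and request IDs are placeholders.

```python
"""Triage `getcert list` output: flag tracked requests that carry a ca-error,
are stuck, are not in MONITORING state, or are expired / about to expire."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout getcert prints (tab-indented fields, one
# field per line); realm, subjects and IDs are placeholders, not real data.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20170201190112':
\tstatus: MONITORING
\tca-error: Invalid cookie: ''
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-12-27 14:36:44 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20170201190115':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2036-01-07 14:36:42 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20170201190116':
\tstatus: CA_WORKING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2017-12-27 14:37:02 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert
    prints ('status', 'ca-error', 'expires', ...), plus 'request_id'."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line or stray text outside a request block
        key, _, value = line.partition(":")  # split on the FIRST colon only,
        current[key.strip()] = value.strip()  # e.g. "ca-error: Invalid cookie: ''"
    return requests


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(
        tzinfo=timezone.utc)


def triage(text, now, warn_days=30):
    """Map request_id -> list of reasons for every request needing attention."""
    findings = {}
    for req in parse_getcert_list(text):
        reasons = []
        if req.get("ca-error"):
            reasons.append("ca-error: " + req["ca-error"])
        if req.get("stuck", "no") != "no":
            reasons.append("stuck")
        if req.get("status") != "MONITORING":
            # CA_WORKING / SUBMITTING that never return to MONITORING is the
            # "nothing happens" symptom described in the thread
            reasons.append("status " + str(req.get("status")))
        if "expires" in req:
            expires = parse_expiry(req["expires"])
            if expires <= now:
                reasons.append("expired " + req["expires"])
            elif expires - now <= timedelta(days=warn_days):
                reasons.append("expires within %d days" % warn_days)
        if reasons:
            findings[req["request_id"]] = reasons
    return findings


if __name__ == "__main__":
    # Evaluate as of the date the post was written
    for rid, why in triage(SAMPLE, parse_expiry("2017-12-30 18:18:00 UTC")).items():
        print(rid, "; ".join(why))
```

Run against live output with `getcert list | python3 triage.py` style piping by replacing SAMPLE with `sys.stdin.read()`; the expiry check is what would have warned about these certs before Dec 27.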
How to disable browser-based Kerberos?
by Anthony Clark
In the previous versions of FreeIPA, this worked to disable the
browser-side Kerberos login prompt:
# version 27 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
<If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</If>
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
I've been asked to disable the password dialog popup because it is
confusing to end users.
Before, in ipa.conf this worked to disable the dialog popup:
# version 22 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
<If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</If>
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
But inserting the "If useragent = chrome/ie" now just gives me a
"forbidden" popup.
Does anyone know of a way to disable the browser's Kerberos password popup?
Thanks,
Anthony Clark
I can't login with ipa user
by Miguel Angel Coa M.
Hello,
I have connected my CentOS 5.6 host to the IPA server (VERSION: 4.5.0). The connection
with ipa-client is OK, but when I try to log in as an IPA user on the client it
says "...... user does not exist"
[..................]
[root@av125 ~]# su - pruebas.sistemas
su: user pruebas.sistemas does not exist
[..................]
I tried restarting the sssd service, but I get the following error:
[..................]
[root@av125 ~]# /etc/init.d/sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or directory
[FAILED]
Starting sssd: [FAILED]
[..................]
My config files are:
1. /etc/sssd/sssd.conf:
[..................]
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = example.com
[nss]
[pam]
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, im.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
[..................]
2. /etc/nsswitch.conf
[..................]
...
...
sudoers: files ldap
[..................]
3. sudo-ldap.conf
[..................]
sudoers_debug 2
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw passWD..
ssl start_tls
tls_cacert /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://im.example.com
sudoers_base ou=sudoers,dc=example,dc=com
[..................]
4. /etc/krb5.conf
[..................]
#File modified by ipa-client-install
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[..................]
Thanks.
Re: api scripts
by Andrew Meyer
Thank you
On Thursday, December 21, 2017 4:31 AM, Jens Timmerman via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Hi Andrew,
On 20/12/2017 22:42, Andrew Meyer via FreeIPA-users wrote:
> Does anyone have any examples or could share what they have written?
>
> I am trying to write a script and not sure what components I need.
I've been working on a python client for a bit. It will probably be made
public when I'm done.
But at the moment I'm just adding methods as I need them.
You can find what I'm allowed to share at the moment at
https://gist.github.com/JensTimmerman/c123d5f6291e4cd542473241ce7bf4c9
feedback greatly appreciated.
Regards,
Jens Timmerman
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Update: Renew expired certs with certmonger - solved
by Qing Chang
In case someone else has the same trouble.
It turns out that for some reason I did not have a caRenewalMaster...
By adding the attribute as follows:
-----
dn: cn=CA,cn=rprshipav01.camhres.ca,cn=masters,cn=ipa,cn=etc,dc=camhres,dc=ca
changetype: modify
add: ipaConfigString
ipaConfigString: caRenewalMaster
-----
and restarting pki-tomcatd as well as certmonger, the certs are renewed.
Regards,
Qing
On Sat, Dec 30, 2017 at 6:18 PM, Qing Chang <tmpchq(a)gmail.com> wrote:
> Greetings,
>
> we have some certs expired on Dec 27, ipaCert among them, IPA (VERSION:
> 4.4.0, API_VERSION: 2.213) stopped working.
>
> I have spent many hours to renew the certs to no avail.
>
> I have followed a collection of tips on this list:
> rolled back the clock to before the expiry (Dec 23),
> enabled debug logs for certmonger renewal log (getcert modify-ca -c
> dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
> -vv')
> added debug=true to /etc/ipa/default.conf
>
> ipactl start starts everything successfully
> systemctl start pki-tomcatd@pki-tomcat
> systemctl restart certmonger
>
> Before resubmit, "getcert list" has this, note ca-error: Invalid cookie:
> '':
> -----
> getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20170201190112':
> status: MONITORING
> ca-error: Invalid cookie: ''
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/
> pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/
> pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=CA Audit,O=CAMHRES.CA
> expires: 2017-12-27 14:36:44 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190113':
> status: MONITORING
> ca-error: Invalid cookie: ''
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/
> pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/
> pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=OCSP Subsystem,O=CAMHRES.CA
> expires: 2017-12-27 14:36:43 UTC
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> eku: id-kp-OCSPSigning
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190114':
> status: MONITORING
> ca-error: Invalid cookie: ''
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/
> pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS
> Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=CA Subsystem,O=CAMHRES.CA
> expires: 2017-12-27 14:36:43 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190115':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=Certificate Authority,O=CAMHRES.CA
> expires: 2036-01-07 14:36:42 UTC
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190116':
> status: MONITORING
> ca-error: Invalid cookie: ''
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=IPA RA,O=CAMHRES.CA
> expires: 2017-12-27 14:37:02 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20170201190117':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
> expires: 2019-11-19 19:38:26 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190118':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CAMHRES-CA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
> expires: 2019-12-11 19:38:29 UTC
> principal name: ldap/rprshipav01.camhres.ca(a)CAMHRES.CA
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv CAMHRES-CA
> track: yes
> auto-renew: yes
> Request ID '20170201190119':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
> expires: 2019-12-11 19:38:38 UTC
> principal name: HTTP/rprshipav01.camhres.ca(a)CAMHRES.CA
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> -----
>
> After resubmitting:
> ipa-getcert resubmit -i 20170201190112
> ipa-getcert resubmit -i 20170201190113
> ipa-getcert resubmit -i 20170201190114
> ipa-getcert resubmit -i 20170201190116
>
> getcert list shows this, note status: CA_WORKING:
> -----
> Number of certificates and requests being tracked: 8.
> Request ID '20170201190112':
> status: CA_WORKING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=CA Audit,O=CAMHRES.CA
> expires: 2017-12-27 14:36:44 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190113':
> status: CA_WORKING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=OCSP Subsystem,O=CAMHRES.CA
> expires: 2017-12-27 14:36:43 UTC
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> eku: id-kp-OCSPSigning
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190114':
> status: CA_WORKING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=CA Subsystem,O=CAMHRES.CA
> expires: 2017-12-27 14:36:43 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190115':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=Certificate Authority,O=CAMHRES.CA
> expires: 2036-01-07 14:36:42 UTC
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190116':
> status: CA_WORKING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=IPA RA,O=CAMHRES.CA
> expires: 2017-12-27 14:37:02 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20170201190117':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
> expires: 2019-11-19 19:38:26 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170201190118':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CAMHRES-CA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
> expires: 2019-12-11 19:38:29 UTC
> principal name: ldap/rprshipav01.camhres.ca(a)CAMHRES.CA
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv CAMHRES-CA
> track: yes
> auto-renew: yes
> Request ID '20170201190119':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=CAMHRES.CA
> subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
> expires: 2019-12-11 19:38:38 UTC
> principal name: HTTP/rprshipav01.camhres.ca(a)CAMHRES.CA
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> -----
>
> Nothing happens from now on, and /var/log/ipa/renew.log does not log any new
> messages after these:
> -----
> 2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG
> Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using
> keytab /etc/krb5.keytab
> 2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG using
> ccache /var/run/certmonger/tmp-1aYw7c/ccache
> 2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG Attempt
> 1/1: success
> 2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG Loading
> StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-12-23T05:55:52Z 5538 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection
> context.ldap2_80840016
> 2017-12-23T05:55:52Z 5538 MainThread
> ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for
> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x41b2170>
> 2017-12-23T05:55:52Z 5538 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection
> context.ldap2_80840016
> 2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG
> Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using
> keytab /etc/krb5.keytab
> 2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG using
> ccache /var/run/certmonger/tmp-VDJjQv/ccache
> 2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG Attempt
> 1/1: success
> 2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG Loading
> StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-12-23T05:56:03Z 5543 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection
> context.ldap2_77880784
> 2017-12-23T05:56:03Z 5543 MainThread
> ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for
> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4a46e60>
> 2017-12-23T05:56:03Z 5543 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection
> context.ldap2_77880784
> 2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG
> Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using
> keytab /etc/krb5.keytab
> 2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG using
> ccache /var/run/certmonger/tmp-BQMLXO/ccache
> 2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG Attempt
> 1/1: success
> 2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG Loading
> StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-12-23T05:56:12Z 5548 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection
> context.ldap2_82537872
> 2017-12-23T05:56:12Z 5548 MainThread
> ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for
> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eba710>
> 2017-12-23T05:56:13Z 5548 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection
> context.ldap2_82537872
> 2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG
> Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using
> keytab /etc/krb5.keytab
> 2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG using
> ccache /var/run/certmonger/tmp-zvyYAy/ccache
> 2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG Attempt
> 1/1: success
> 2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG Loading
> StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-12-23T05:56:22Z 5549 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection
> context.ldap2_104689040
> 2017-12-23T05:56:22Z 5549 MainThread
> ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for
> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x63dbea8>
> 2017-12-23T05:56:23Z 5549 MainThread
> ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection
> context.ldap2_104689040
> -----
>
> /var/log/pki/pki-tomcat/ca/selftests.log does not log any errors:
> -----
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: Initializing self test plugins:
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin logger parameters
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin instances
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin instance parameters
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: loading self test plugins in on-demand order
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: loading self test plugins in startup order
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: Running self test plugins specified to be executed at
> startup:
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] CAPresence:
> CA is present
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SystemCertsVerification: system certs verification success
> 0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1]
> SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
> startup!
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
> SelfTestSubsystem: Initializing self test plugins:
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin logger parameters
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin instances
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin instance parameters
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
> SelfTestSubsystem: loading self test plugins in on-demand order
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
> SelfTestSubsystem: loading self test plugins in startup order
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1]
> SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1]
> SelfTestSubsystem: Running self test plugins specified to be executed at
> startup:
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1] CAPresence:
> CA is present
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1]
> SystemCertsVerification: system certs verification success
> 0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1]
> SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
> startup!
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: Initializing self test plugins:
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin logger parameters
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin instances
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: loading all self test plugin instance parameters
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: loading self test plugins in on-demand order
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: loading self test plugins in startup order
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: Running self test plugins specified to be executed at
> startup:
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] CAPresence:
> CA is present
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SystemCertsVerification: system certs verification success
> 0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1]
> SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
> startup!
> -----
>
> Can someone shed some light on this? I may have missed some logs but can
> provide them if required.
>
> Many thanks,
> Qing
>
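A triage helper for exactly this kind of `getcert list` dump, added here as an example (not code from the thread or from FreeIPA/certmonger): it parses the request blocks into dicts and flags the conditions the poster is looking at, a recorded `ca-error`, a request that stays in `CA_WORKING`, a stuck request, and certificates already past or close to their expiry. The sample output, its request IDs and the realm EXAMPLE.TEST are constructed placeholders; `warn_days` is an assumed threshold.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the `getcert list` layout quoted above (placeholder IDs and realm).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20170201190116':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2017-12-27 14:37:02 UTC
Request ID '20170201190115':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=EXAMPLE.TEST
    expires: 2036-01-07 14:36:42 UTC
Request ID '20170201190112':
    status: CA_WORKING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-12-27 14:36:44 UTC
"""

REQUEST_RE = re.compile(r"^\s*Request ID '([^']+)':\s*$")

def parse_getcert_list(text):
    """One dict per tracked request, keyed by the label before the first colon;
    the value keeps later colons, so ca-error becomes "Invalid cookie: ''"."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def triage(requests, now, warn_days=30):
    """Map request id -> reasons for attention: a recorded ca-error, a stuck
    request, a renewal still in flight (status other than MONITORING, e.g.
    CA_WORKING after a resubmit), and expiry already passed or within warn_days."""
    findings = {}
    for req in requests:
        reasons = []
        if req.get("ca-error"):
            reasons.append("ca-error: " + req["ca-error"])
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if req.get("status", "UNKNOWN") != "MONITORING":
            reasons.append("status " + req.get("status", "UNKNOWN"))
        if req.get("expires"):
            remaining = parse_expiry(req["expires"]) - now
            if remaining <= timedelta(0):
                reasons.append("expired " + req["expires"])
            elif remaining < timedelta(days=warn_days):
                reasons.append("expires in %d days" % remaining.days)
        if reasons:
            findings[req["id"]] = reasons
    return findings

if __name__ == "__main__":  # `getcert list | python3 getcert_triage.py -` checks a live host
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    print(triage(parse_getcert_list(text), datetime.now(timezone.utc)))
```

Run against the poster's rolled-back clock (2017-12-23) it reports the ipaCert request for its ca-error and the audit cert for its CA_WORKING status, both four days from expiry; the CA signing cert, valid until 2036, is not listed.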
6 years, 3 months
WebUI: Login failed due to an unknown reason after upgrade from CentOS 7.3 to 7.4
by Michal Sladek
Hello,
I am another user who can't log in to the WebUI after the upgrade:
CentOS Linux release 7.4.1708
ipa-server-4.5.0-22.el7.centos.x86_64
I have already enabled the debug and see this in Apache error log:
[Thu Dec 28 17:33:28.198853 2017] [auth_gssapi:error] [pid 4808] [client 10.10.10.13:53343] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.ph.brotel.cz/ipa/ui/
[Thu Dec 28 17:33:28.233411 2017] [auth_gssapi:error] [pid 4808] [client 10.10.10.13:53343] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.ph.brotel.cz/ipa/ui/
[Thu Dec 28 17:33:44.935521 2017] [:error] [pid 2979] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Dec 28 17:33:44.935646 2017] [:error] [pid 2979] ipa: DEBUG: WSGI login_password.__call__:
[Thu Dec 28 17:33:44.936036 2017] [:error] [pid 2979] ipa: DEBUG: Obtaining armor in ccache /var/run/ipa/ccaches/armor_2979
[Thu Dec 28 17:33:44.936149 2017] [:error] [pid 2979] ipa: DEBUG: Initializing anonymous ccache
[Thu Dec 28 17:33:44.936320 2017] [:error] [pid 2979] ipa: DEBUG: Starting external process
[Thu Dec 28 17:33:44.936418 2017] [:error] [pid 2979] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_2979 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Thu Dec 28 17:33:45.001036 2017] [:error] [pid 2979] ipa: DEBUG: Process finished, return code=0
[Thu Dec 28 17:33:45.001105 2017] [:error] [pid 2979] ipa: DEBUG: stdout=
[Thu Dec 28 17:33:45.001138 2017] [:error] [pid 2979] ipa: DEBUG: stderr=
[Thu Dec 28 17:33:45.001250 2017] [:error] [pid 2979] ipa: DEBUG: Initializing principal admin using password
[Thu Dec 28 17:33:45.001282 2017] [:error] [pid 2979] ipa: DEBUG: Using armor ccache /var/run/ipa/ccaches/armor_2979 for FAST webauth
[Thu Dec 28 17:33:45.001309 2017] [:error] [pid 2979] ipa: DEBUG: Using enterprise principal
[Thu Dec 28 17:33:45.001372 2017] [:error] [pid 2979] ipa: DEBUG: Starting external process
[Thu Dec 28 17:33:45.001401 2017] [:error] [pid 2979] ipa: DEBUG: args=/usr/bin/kinit admin -c /var/run/ipa/ccaches/kinit_2979 -T /var/run/ipa/ccaches/armor_2979 -E
[Thu Dec 28 17:33:45.020263 2017] [:error] [pid 2979] ipa: DEBUG: Process finished, return code=0
[Thu Dec 28 17:33:45.020329 2017] [:error] [pid 2979] ipa: DEBUG: stdout=Password for admin(a)PH.BROTEL.CZ:
[Thu Dec 28 17:33:45.020333 2017] [:error] [pid 2979]
[Thu Dec 28 17:33:45.020386 2017] [:error] [pid 2979] ipa: DEBUG: stderr=
[Thu Dec 28 17:33:45.020469 2017] [:error] [pid 2979] ipa: DEBUG: Cleanup the armor ccache
[Thu Dec 28 17:33:45.020533 2017] [:error] [pid 2979] ipa: DEBUG: Starting external process
[Thu Dec 28 17:33:45.020600 2017] [:error] [pid 2979] ipa: DEBUG: args=/usr/bin/kdestroy -A -c /var/run/ipa/ccaches/armor_2979
[Thu Dec 28 17:33:45.025960 2017] [:error] [pid 2979] ipa: DEBUG: Process finished, return code=0
[Thu Dec 28 17:33:45.026016 2017] [:error] [pid 2979] ipa: DEBUG: stdout=
[Thu Dec 28 17:33:45.026045 2017] [:error] [pid 2979] ipa: DEBUG: stderr=
[Thu Dec 28 17:33:46.223658 2017] [:error] [pid 2979] ipa: INFO: 401 Unauthorized: No session cookie found
I would be grateful for any suggestions...
Michal
6 years, 3 months
ipa-replica-manage DNS backend issues?
by Jonathan Kelley
Hi,
Running IPA-server 4.5.0-21
I lost 2 of 3 IPA servers to a power failure, and replication didn't recover. I
want to drop the replicas and add new ones, but can't see a list of
replicas. It's giving me SERVFAIL for Google DNS, which seems unlikely.
Anyone know of a trick to get forward to recovery?
[root@auth1 root]# ipa-replica-manage list
ipa: ERROR: DNS query for auth1.example.com. A failed: All nameservers
failed to answer the query auth1.example.com. IN A: Server 8.8.8.8 UDP port
53 answered SERVFAIL
Re-run /sbin/ipa-replica-manage with --verbose option to get more
information
Unexpected error: All nameservers failed to answer the query
gvoauth1.gvoperations.com. IN A: Server 8.8.8.8 UDP port 53 answered
SERVFAIL
The worst part: it seems like DNS works great and FreeIPA has hit a snag. =(
# from freeipa
[root@auth1 iptables]# dig google.com @8.8.8.8
;; ANSWER SECTION:
google.com. 299 IN A 216.58.218.110
# from workstation to freeipa server
mac:~$ dig google.com @auth1
; <<>> DiG 9.8.3-P1 <<>> google.com @auth1
;; global options: +cmd
;; ANSWER SECTION:
google.com. 300 IN A 216.58.218.110
6 years, 3 months
freeipa in amazon
by Andrew Meyer
My company is looking to migrate a lot of our stuff to Amazon and shut down what we have in the data centers. However, there was no plan to migrate the LDAP system we have. I have since suggested that we look into FreeIPA. This is well liked, but my boss wants to use Route53 for split-horizon DNS. What I am wanting to know is 1) how well does FreeIPA handle split-horizon DNS? 2) if we decided to not use DNS w/ FreeIPA and put the records in Amazon, will that suffice? I have read other threads where it has been recommended to NOT forgo the DNS setup w/ FreeIPA.
Thoughts, comments, suggestions?
Thank you!
6 years, 3 months
AD trust
by Николай Савельев
Hello.
I'm setting up AD trust by this article https://www.freeipa.org/page/Active_Directory_trust_setup
I don't understand one point.
I must run
ipa-adtrust-install --netbios-name=ipa_netbios -a mypassword1
and
ipa trust-add --type=ad ad_domain --admin Administrator --password
on every ipa server or not?
--
Best regards, Николай.
6 years, 3 months