I am considering deploying FreeIPA in my home network.
In this network I run several servers and workstations with both Linux and Windows.
In addition I have set up some web services running in containers (LXC).
I have only one public IP and manage the (privately hosted) web services with a reverse proxy.
The network architecture includes several networks, e.g. LAN, DMZ, ...
All networks are secured by the relevant iptables rules.
I want central user management and strong security management.
This is included in FreeIPA.
In addition FreeIPA includes some network related features, e.g. DNS.
And here starts my problem.
Currently I manage the DNS of my public domain with the domain provider.
If I install FreeIPA I need to shut down the DNS management with the domain provider and manage it myself.
Can I shut down this DNS service before starting the FreeIPA installation without impacting DNS resolution for my domain?
What happens if FreeIPA is down? Should there be any redundancy?
I have executed script setup.sh from package "freeipa-letsencrypt".
The installation finished with this error message:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140228802354200
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
What's causing this error?
And how can I fix this?
The file "httpd-csr.der" in the working directory (in my case /etc/ssl/ipa-le/) is 0 bytes. Therefore I conclude that the installation was not successful.
[root@ipa freeipa-letsencrypt]# ls -lR /etc/ssl/ipa-le/
drwxr-xr-x. 2 root root 187 3. Nov 19:49 ca
-rw-r-----. 1 root root 0 3. Nov 20:19 httpd-csr.der
-rw-r--r--. 1 root root 1220 3. Nov 19:49 DSTRootCAX3.pem
-rw-r--r--. 1 root root 1967 3. Nov 19:49 isrgrootx1.pem
-rw-r--r--. 1 root root 1702 3. Nov 19:49 LetsEncryptAuthorityX1.pem
-rw-r--r--. 1 root root 1675 3. Nov 19:49 LetsEncryptAuthorityX2.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX3.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX4.pem
I have these errors in the syslog of the primary, the syslog on the secondary is clean.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd9651000200600000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd9651000200600000 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
I initiated a resync, but the errors continue to pile up on the primary.
grant@ef-idm02:~[20181030-9:36][#115]$ ipa-replica-manage force-sync --from ef-idm01.production.efilm.com
Directory Manager password: ********
ipa: INFO: Setting agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config
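As an added example (not from the original thread), a small Python checker that scans ns-slapd lines like the three quoted above and reports, per replication agreement, whether the log itself says the replica must be reinitialized; the sample lines are those from the post, the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three ns-slapd lines quoted in the post.
SAMPLE_LOG = """\
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd9651000200600000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd9651000200600000 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
"""

AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')
CSN_RE = re.compile(r"CSN (?P<csn>[0-9a-f]{20})")

# Most severe first: the message that explicitly demands a re-init wins.
KINDS = [
    ("reinit_required", "The replica must be reinitialized"),
    ("changelog_purged", "has been purged from the changelog"),
    ("csn_missing", "Can't locate CSN"),
    ("csn_not_found", "not found, we aren't as up to date"),
]


@dataclass
class ReplEvent:
    agreement: str
    peer: str
    csn: Optional[str]
    kind: str


def classify(line: str) -> Optional[ReplEvent]:
    """Return a ReplEvent for a replication-changelog error line, else None."""
    agmt = AGMT_RE.search(line)
    if not agmt:
        return None
    kind = next((k for k, needle in KINDS if needle in line), None)
    if kind is None:
        return None
    csn = CSN_RE.search(line)
    return ReplEvent(agmt["agmt"], agmt["peer"], csn["csn"] if csn else None, kind)


def summarize(lines) -> dict:
    """Map each agreement seen to True if the log says it must be reinitialized."""
    kinds_by_agmt = {}
    for ev in filter(None, map(classify, lines)):
        kinds_by_agmt.setdefault(ev.agreement, set()).add(ev.kind)
    return {a: "reinit_required" in k for a, k in kinds_by_agmt.items()}
```

A force-sync retries the same agreement; when the summary reports True for an agreement, the supplier's own log is saying the consumer needs a re-initialization instead.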
Running a FreeIPA cluster, the master has fallen over and refuses to get back up:
Failed to read data from service file: Unknown error when retrieving list of services from LDAP: Insufficient access: SASL(-4): no mechanism available: (Unknown authentication method)
I was wondering where the best place for logs is to get myself out of this hole, as it's the "super master" I'd rather not have to delete it, promote another, etc.
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
I am having trouble with ntpd on my IPA server. For whatever reason, chrony seems to work when I manually stop ntpd.
I would like to remove ntpd as an IPA-managed service. I found an old thread on this list that says I need to remove:
Assuming that this is correct, how do I do that?
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
We have had FreeIPA running on Ubuntu 16.04 for about two years now. For the last few days we see these messages in the log:
Oct 22 17:32:14 ipasrv certmonger: 2018-10-22 17:32:14  Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Where should I start looking to recover from this?
I am looking at using FreeIPA without a CA, using externally signed certificates; reading the documentation it looks possible using --dirsrv-certfile, --http-cert-file and --point-certfile. Should I just create a CSR for the hostname by hand and get it signed? Also, is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
I have issued a certificate for an AWS ELB.
The certificate is attached to a pseudo-host and service named lb.example.com.
There is a certificate and the certificate ID is 21.
The certificate was created on the FreeIPA server.
(as indicated here https://www.redhat.com/archives/freeipa-users/2015-September/msg00127.html)
I also created 2 more certificates for the back-end servers, installed them, and they work just fine when I connect directly to the back-end server.
However, when I connect through the LB, browsers complain because the back-end certificate does not contain the DNS name of the LB.
So, I revoked the previous certificates and tried to re-create them via:
sudo ipa-getcert request -f ~/certificates/certs/http_certificate.pem -k ~/certificates/keys/host_key.key -K HTTP/$(hostname -f) -N CN=$(hostname),O=EXAMPLE.COM -g 2048 -D lb.example.com -D host01.example.com -D aws-host01-example.com -D webserver01.example.com
(The command was executed on the back-end servers in order to avoid transferring the files)
The request fails with this error:
ca-error: Server at https://ipa01.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'lb.example.com'.).
Do I get this error because there is a certificate for this service already? If so, how can I bypass this?
If it's not possible, I will recreate the LB certificate and add all DNS names in that, but it's less than ideal since if I add a new server in the future, I will need to re-issue the certificate.