Re: Issues with pki-tomcat - CA
by Rob Crittenden
Ian Kumlien wrote:
> On Thu, Jun 13, 2019 at 3:47 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>> Ian Kumlien wrote:
>>> On Thu, Jun 13, 2019 at 12:32 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>>>>
>>>> On Wed, Jun 12, 2019 at 10:55 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>>>>>
>>>>> On Wed, Jun 12, 2019 at 10:52 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>
>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>>> On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>>>>> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>>>
>>>>>>> [--8<--]
>>>>>>>
>>>>>>>>> Certificate Nickname Trust Attributes
>>>>>>>>> SSL,S/MIME,JAR/XPI
>>>>>>>>>
>>>>>>>>> Server-Cert cert-pki-ca u,u,u
>>>>>>>>> transportCert cert-pki-kra u,u,u
>>>>>>>>> storageCert cert-pki-kra u,u,u
>>>>>>>>> auditSigningCert cert-pki-kra u,u,Pu
>>>>>>>>> XERCES.LAN IPA CA CT,C,C
>>>>>>>>> XERCES.LAN IPA CA CT,C,C
>>>>>>>>> XERCES.LAN IPA CA CT,C,C
>>>>>>>>
>>>>>>>>
>>>>>>>> You're missing all the CA certificates except the one that tomcat uses!?
>>>>>>>> That includes the CA signing cert!
>>>>>>>>
>>>>>>>> It should look more like (excluding the *kra certs):
>>>>>>>>
>>>>>>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>>>>>>> ocspSigningCert cert-pki-ca u,u,u
>>>>>>>> subsystemCert cert-pki-ca u,u,u
>>>>>>>> auditSigningCert cert-pki-ca u,u,Pu
>>>>>>>> Server-Cert cert-pki-ca u,u,u
>>>>>>>>
>>>>>>>> Do the keys for those certs exist?
>>>>>>>>
>>>>>>>> # grep internal /etc/pki/pki-tomcat/password.conf
>>>>>>>> internal=foo
>>>>>>>> # certutil -K -d /etc/pki/pki-tomcat/alias/
>>>>>>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
>>>>>>>> Key and Certificate Services"
>>>>>>>> Enter Password or Pin for "NSS Certificate DB": foo
>>>>>>>>
>>>>>>>> Perhaps a bunch of orphans?
>>>>>>>
>>>>>>> Seems like it, I have three orphans and the keys for subsystemCert,
>>>>>>> caSigningCert, ocspSigningCert seems to exists
>>>>>>
>>>>>> You'll need the audit signing cert as well. Hopefully that key is in
>>>>>> there somewhere.
>>>>>>
>>>>>> If you have another master with a CA you can get the cert values from
>>>>>> them using:
>>>>>>
>>>>>> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n "<nickname"> -a >
>>>>>> /tmp/<nickname>
>>>>>>
>>>>>> Or you can get the raw cert values from /etc/pki/pki-tomcat/ca/CS.cfg
>>>>>> from the values:
>>>>>>
>>>>>> ca.audit_signing.cert
>>>>>> ca.ocsp_signing.cert
>>>>>> ca.signing.cert
>>>>>> ca.subsystem.cert
>>>>>>
>>>>>> You'll need to re-format that into PEM format manually.
>>>>>>
>>>>>> Once you have all the certs from either method, add them to the db with:
>>>>>>
>>>>>> # certutil -A -d /etc/pki/pki-tomcat/alias/ -n "<nickname"> -t <trust>
>>>>>> -a -i /tmp/<nickname>
>>>>>>
>>>>>> The trust value will vary by cert. Use the list that I provided in my
>>>>>> last e-mail for the proper values.
>>>>>>
>>>>>> The nickname is important, don't get creative :-) Use the value from my
>>>>>> output.
>>>>>
>>>>> Thanks! Will do, but will do it tomorrow, been a long day and...
>>>>> things might go awry if I try it now, will let you know how it goes!
>>>>
>>>> Ok, so this is interesting...
>>>>
>>>> certutil -A -d /etc/pki/pki-tomcat/alias/ -n "caSigningCert
>>>> cert-pki-ca" -t "CTu,Cu,Cu" -a -i ./ca.signing.cert
>>>> Notice: Trust flag u is set automatically if the private key is present.
>>>> Enter Password or Pin for "NSS Certificate DB":
>>>>
>>>> and:
>>>> echo $?
>>>> 0
>>>>
>>>> But it's not added - and it's still valid... (openssl reads it fine....)
>>>>
>>>> I actually suspect that the "XERCES.LAN IPA CA" certificates are the
>>>> ones we're looking for - just named incorrectly
>>
>> Ok, we could fix that but below is more worrying.
>>
>>> Also, added the others, but i can't set "u"..
>>>
>>> new certs added are now:
>>> ocspSigningCert cert-pki-ca ,,
>>> subsystemCert cert-pki-ca ,,
>>> auditSigningCert cert-pki-ca ,,P
>>
>> This means there is no private key to go along with the certificate.
>>
>> So do you have another working CA somewhere?
>
> No, but i do have backups from 2018, =)
>
> So I assume is should unpack there somewhere and do the old export/import trick
Yes, that would do it. I'd be sure to make a backup of the current db
before doing anything else to it.
> Anything else I should think about? And key is the only missing bit?
> (for the 'u' bit)
The u flag is for user cert and indicates there is a private key
associated with the certificate. It is automatic.
> Also, how do i rename one specific "XERCES.LAN IPA CA" to the caSigningCert bit?
It looks to me like the signing key is missing. You'll want to delete
those three of the "XERCES.LAN IPA CA" certs from the database and
import the CA signing cert from your backup.
rob
2 months, 1 week
Cert expired for pki-tomcat and process would not start
by Sayfiddin, Farhad
We have two replica servers sl1mmgplidm0001/2.
sl1mmgplidm0001 is functioning as CRL master and has no issues.
[root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
IPA CA renewal master: sl1mmgplidm0001
[root@sl1mmgplidm0001 ~]#
[root@sl1mmgplidm0001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0001 ~]#
sl1mmgplidm0002 is having an issue where pki-tomcat process would not start due to expired cert. It has CA_UNREACHABLE error
[root@sl1mmgplidm0002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0002 ~]#
[root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200 Request ID '20170214143200':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA
subject: CN=sl1mmgplidm0002,O=IPA
expires: 2019-01-08 20:16:52 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
[root@sl1mmgplidm0002 ~]#
Tried running renew_ca_cert command and "getcert resubmit -i" with no luck.
Any thoughts?
Also considering to reinstall this replica since it is not CRL master.
Thanks,
Farhad Sayfiddin
2 months, 1 week
Time based OTP enabling
by Eric Fredrickson
Hello,
I was wondering if there was a way or if this is on the roadmap for future work. I have a use case where I'd like to create a user account, but add a rule where OTP must be assigned to the account within a certain time period (e.g. 24 hours). If not, the account is disabled. This leaves the end user with the ability to create their OTP and not have to distribute any secret keys/screenshots of the QR code, while removing administrative burden of manually checking accounts if they have OTP enabled.
2 months, 1 week
Re: Issues with pki-tomcat - CA
by Rob Crittenden
Ian Kumlien wrote:
> On Thu, Jun 13, 2019 at 12:32 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>>
>> On Wed, Jun 12, 2019 at 10:55 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>>>
>>> On Wed, Jun 12, 2019 at 10:52 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>
>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>> On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>
>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>>> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>
>>>>> [--8<--]
>>>>>
>>>>>>> Certificate Nickname Trust Attributes
>>>>>>> SSL,S/MIME,JAR/XPI
>>>>>>>
>>>>>>> Server-Cert cert-pki-ca u,u,u
>>>>>>> transportCert cert-pki-kra u,u,u
>>>>>>> storageCert cert-pki-kra u,u,u
>>>>>>> auditSigningCert cert-pki-kra u,u,Pu
>>>>>>> XERCES.LAN IPA CA CT,C,C
>>>>>>> XERCES.LAN IPA CA CT,C,C
>>>>>>> XERCES.LAN IPA CA CT,C,C
>>>>>>
>>>>>>
>>>>>> You're missing all the CA certificates except the one that tomcat uses!?
>>>>>> That includes the CA signing cert!
>>>>>>
>>>>>> It should look more like (excluding the *kra certs):
>>>>>>
>>>>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>>>>> ocspSigningCert cert-pki-ca u,u,u
>>>>>> subsystemCert cert-pki-ca u,u,u
>>>>>> auditSigningCert cert-pki-ca u,u,Pu
>>>>>> Server-Cert cert-pki-ca u,u,u
>>>>>>
>>>>>> Do the keys for those certs exist?
>>>>>>
>>>>>> # grep internal /etc/pki/pki-tomcat/password.conf
>>>>>> internal=foo
>>>>>> # certutil -K -d /etc/pki/pki-tomcat/alias/
>>>>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
>>>>>> Key and Certificate Services"
>>>>>> Enter Password or Pin for "NSS Certificate DB": foo
>>>>>>
>>>>>> Perhaps a bunch of orphans?
>>>>>
>>>>> Seems like it, I have three orphans and the keys for subsystemCert,
>>>>> caSigningCert, ocspSigningCert seems to exists
>>>>
>>>> You'll need the audit signing cert as well. Hopefully that key is in
>>>> there somewhere.
>>>>
>>>> If you have another master with a CA you can get the cert values from
>>>> them using:
>>>>
>>>> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n "<nickname"> -a >
>>>> /tmp/<nickname>
>>>>
>>>> Or you can get the raw cert values from /etc/pki/pki-tomcat/ca/CS.cfg
>>>> from the values:
>>>>
>>>> ca.audit_signing.cert
>>>> ca.ocsp_signing.cert
>>>> ca.signing.cert
>>>> ca.subsystem.cert
>>>>
>>>> You'll need to re-format that into PEM format manually.
>>>>
>>>> Once you have all the certs from either method, add them to the db with:
>>>>
>>>> # certutil -A -d /etc/pki/pki-tomcat/alias/ -n "<nickname"> -t <trust>
>>>> -a -i /tmp/<nickname>
>>>>
>>>> The trust value will vary by cert. Use the list that I provided in my
>>>> last e-mail for the proper values.
>>>>
>>>> The nickname is important, don't get creative :-) Use the value from my
>>>> output.
>>>
>>> Thanks! Will do, but will do it tomorrow, been a long day and...
>>> things might go awry if I try it now, will let you know how it goes!
>>
>> Ok, so this is interesting...
>>
>> certutil -A -d /etc/pki/pki-tomcat/alias/ -n "caSigningCert
>> cert-pki-ca" -t "CTu,Cu,Cu" -a -i ./ca.signing.cert
>> Notice: Trust flag u is set automatically if the private key is present.
>> Enter Password or Pin for "NSS Certificate DB":
>>
>> and:
>> echo $?
>> 0
>>
>> But it's not added - and it's still valid... (openssl reads it fine....)
>>
>> I actually suspect that the "XERCES.LAN IPA CA" certificates are the
>> ones we're looking for - just named incorrectly
Ok, we could fix that but below is more worrying.
> Also, added the others, but i can't set "u"..
>
> new certs added are now:
> ocspSigningCert cert-pki-ca ,,
> subsystemCert cert-pki-ca ,,
> auditSigningCert cert-pki-ca ,,P
This means there is no private key to go along with the certificate.
So do you have another working CA somewhere?
rob
2 months, 1 week
Issues with pki-tomcat - CA
by Ian Kumlien
Hi,
I've been confused by this a while... But from talking to people on
#freeipa@freenode this might be the real issue:
certutil -d /etc/pki/pki-tomcat/alias/ -L |grep cert-pki-ca
Server-Cert cert-pki-ca u,u,u
---
I have been trying ipa-.cert-fix, which seems to look at most
certificates but not these.
Also:
ipa-cacert-manage renew
'NoneType' object has no attribute 'is_self_signed'
The ipa-cacert-manage command failed.
Running:
b3a160b70566ba1703a184f07b493246630829a8
From ipa-4.7
(Needed ipa-cert-fix)
Any clues of how to proceed, I'm still trying to understand this thing =)
2 months, 1 week
Re: Issues with pki-tomcat - CA
by Rob Crittenden
Miller, Jim via FreeIPA-users wrote:
>
>
> Sorry for butting in on this discussion, but is this an issue where the cert for that server didn't get renewed and the tomcat-pki service won't start?
>
> I ask because that's an issue we're having and not sure how to address the issue.
Your best bet is to start a new thread otherwise things could get
confusing for both sides.
rob
2 months, 1 week
Re: Issues with pki-tomcat - CA
by Ian Kumlien
On Wed, Jun 12, 2019 at 10:30 PM Miller, Jim <jmiller(a)tkcholdings.com> wrote:
>
>
> -----Original Message-----
> From: Ian Kumlien via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> Sent: Wednesday, June 12, 2019 3:27 PM
> To: Rob Crittenden <rcritten(a)redhat.com>
> Cc: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Ian Kumlien <ian.kumlien(a)gmail.com>
> Subject: [Freeipa-users] Re: Issues with pki-tomcat - CA
>
> On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > Ian Kumlien via FreeIPA-users wrote:
> > > On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > >> Ian Kumlien via FreeIPA-users wrote:
>
> [--8<--]
>
> > > Certificate Nickname Trust Attributes
> > >
> > > SSL,S/MIME,JAR/XPI
> > >
> > > Server-Cert cert-pki-ca u,u,u
> > > transportCert cert-pki-kra u,u,u
> > > storageCert cert-pki-kra u,u,u
> > > auditSigningCert cert-pki-kra u,u,Pu
> > > XERCES.LAN IPA CA CT,C,C
> > > XERCES.LAN IPA CA CT,C,C
> > > XERCES.LAN IPA CA CT,C,C
> >
> >
> > You're missing all the CA certificates except the one that tomcat uses!?
> > That includes the CA signing cert!
> >
> > It should look more like (excluding the *kra certs):
> >
> > caSigningCert cert-pki-ca CTu,Cu,Cu
> > ocspSigningCert cert-pki-ca u,u,u
> > subsystemCert cert-pki-ca u,u,u
> > auditSigningCert cert-pki-ca u,u,Pu
> > Server-Cert cert-pki-ca u,u,u
> >
> > Do the keys for those certs exist?
> >
> > # grep internal /etc/pki/pki-tomcat/password.conf internal=foo #
> > certutil -K -d /etc/pki/pki-tomcat/alias/
> > certutil: Checking token "NSS Certificate DB" in slot "NSS User
> > Private Key and Certificate Services"
> > Enter Password or Pin for "NSS Certificate DB": foo
> >
> > Perhaps a bunch of orphans?
>
> Seems like it, I have three orphans and the keys for subsystemCert, caSigningCert, ocspSigningCert seems to exists
>
> Any clue of why this happened, I have two more servers that I can look at if you need clues....
>
> I mainly want to figure this out before my vacation starts ;)
>
> > rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__getfedora.org_code-2...
> List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wi...
> List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.o...
>
>
>
> Sorry for butting in on this discussion, but is this an issue where the cert for that server didn't get renewed and the tomcat-pki service won't start?
>
> I ask because that's an issue we're having and not sure how to address the issue.
Yep, It happened on four servers - I tried to reinstall one and this
fails as well due to the ca server being unavailable...
> --Jim
>
2 months, 1 week
FreeIPA Client AD Trust user look-up latencies and results
by John Desantis
Hello all,
I've pretty much exhausted my searching in order to find a solution to
a problem I've been working on for about a week now, and now I find
myself grasping at straws.
Basically, AD trust user lookups on IPA clients fail several times in
a row before finally returning results (after 8-20 seconds). However,
this does not happen on the IPA servers - even after clearing caches.
Furthermore, querying the same list of users against a non IPA Linux
client that connects directly to our AD domain using nslcd has no
issues querying the same list of users.
From what I understand regarding the anatomy of the FreeIPA - AD Trust
relationship, the FreeIPA servers' sssd caches are queried first by
FreeIPA clients and if there is no result, then the FreeIPA server
queries the AD domain controllers, receives results, caches them, and
then provides the results to the FreeIPA client.
I've tried adjusting the sssd.conf file on both the server and the
client, without any expected results:
ignore_group_members = True
ldap_purge_cache_timeout = (various values)
memcache_timeout = (various values)
cache_first = (various values)
ldap_opt_timeout = (various values)
ldap_search_timeout = (various values)
The trust was established using the range type of "ipa-ad-trust-posix"
since each user has a unique Posix UID and a shared unique Posix GID
(no AD groups are returned).
I've attached logs (dirsrv and sssd) from the IPA server I directly
specified via the client sssd.conf and logs from the client itself.
Any pointers and/or suggestions would be extremely helpful!
Thank you,
John DeSantis
2 months, 1 week
How do you update DNS keys?
by Kristian Petersen
Hey all,
I was looking in my logs and found I was getting the following messages:
Jun 11 11:55:34 ipa1 named-pkcs11[4370]: client 192.168.105.11#59009:
request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure
(BADKEY)
Jun 11 11:55:34 ipa1 named-pkcs11[4370]: client 192.168.105.11#40670:
request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure
(BADKEY)
Jun 11 11:55:34 ipa1 named-pkcs11[4370]: client 192.168.105.10#45311:
request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure
(BADKEY)
Jun 11 11:55:34 ipa1 named-pkcs11[4370]: client 192.168.105.10#57034:
request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure
(BADKEY)
Jun 11 11:55:34 ipa1 named-pkcs11[4370]: client 192.168.105.10#34192:
request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure
(BADKEY)
It looks like perhaps my DNS keys are bas based on what I have read.
However I have no idea how to go about fixing this. Most of what I can
find online is for a standard BIND9 server rather than FreeIPA so I am
unsure about the directions they give and thought I would put somethin out
here for more FreeIPA-specific help.
Thanks in advance!
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
2 months, 1 week
[HAProxy / Keepalive] After installation
by Karim Bourenane
Hello team
Hope you are well.
After an existing installation, we decide to implement a Haproxy +
Keepalive in all our IPA's servers.
The haproxy / keepalive work weel but now the IPA doent run weel, because
he want to listen on all interface in the servers.
Ho i can to modify the IPA (+ all modules KRB5/DNS...) conf server, to bind
only in 1 local interface and not to the VIP interface ?
King regard
2 months, 2 weeks
