How to extract the SSL key and certificate used by FreeIPA on its HTTPS interface?
by Chris Dagdigian
Got a strange one for the list ...
I've got a lovely multi-region replicating FreeIPA cluster spanning a
few AWS VPCs that is doing a fantastic job stitching together a complex
Active Directory topology.
Now, however, I have a need to support clients in a different, less
trusted VPC, and the firewall people want to do a MiTM attack on the
TLS/HTTPS streams so they can intercept, decrypt and monitor HTTPS
traffic -- including, apparently, to and from the IPA nodes.
They want the SSL cert and key used by the HTTPS interface on the IPA
systems so they can set up the intercept properly.
My main question -- how do I properly extract the key and certificate
from FreeIPA?
From reading and poking around it looks like the certs I want are in
/etc/httpd/alias but must be accessed with the 'certutil' utility, which
seems ... under-documented ... both in the IPA docs and from what I can
tell online.
I'm sort of terrified of breaking my installation by screwing up
certificate work.
Can anyone provide tips, URLs or a cheatsheet for pulling SSL
certificates and keys out of FreeIPA? Particularly the cert and key that
are used on the HTTPS TCP:443 interface?
Thanks!
Chris
4 years, 10 months
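An added example of the extraction, plus the two checks worth running before anything is handed to the interception team. It is not from the post above or from FreeIPA itself. It assumes the mod_nss layout the post describes: NSS database /etc/httpd/alias, the password that unlocks it in /etc/httpd/alias/pwdfile.txt, and the server certificate stored under the nickname Server-Cert; confirm all three with the certutil -L step instead of trusting them. FreeIPA releases whose httpd runs on mod_ssl (4.7 and later) keep the same material as PEM files, /var/lib/ipa/certs/httpd.crt and /var/lib/ipa/private/httpd.key, so nothing needs exporting there. Two caveats for the practitioner: when the IPA CA issued the certificate, certmonger renews it automatically and the exported copy silently goes stale at the next renewal; and whoever holds this key can impersonate the IPA web UI and JSON-RPC API to every client, which is a much larger grant than "monitor one VPC" suggests, so an interception CA trusted only by the less-trusted clients is the usual alternative to sharing the server's own key.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA.
# Needs nss-tools (certutil, pk12util) and openssl.
# Assumed (verify with list_httpd_certs first):
#   NSS DB   /etc/httpd/alias               mod_nss-era FreeIPA httpd database
#   PWFILE   /etc/httpd/alias/pwdfile.txt   password that unlocks that database
#   NICK     Server-Cert                    nickname of the HTTPS certificate
set -eu

# Read-only inventory of the database. The entry carrying "u,u,u" trust flags
# is the one whose private key lives in the DB, i.e. the cert mod_nss serves.
list_httpd_certs() {
    certutil -L -d "${1:-/etc/httpd/alias}"
}

# Export NICK from DB as PKCS#12, then split it into PEM key and cert.
# A random one-time password protects the intermediate .p12; umask 077 keeps
# every file private, and the .p12 and its password are removed afterwards.
export_httpd_cert() {
    db="$1"; nick="$2"; pwfile="$3"; outdir="$4"
    umask 077
    mkdir -p "$outdir"
    head -c 24 /dev/urandom | base64 > "$outdir/p12pass"
    pk12util -o "$outdir/httpd.p12" -n "$nick" -d "$db" -k "$pwfile" -w "$outdir/p12pass"
    openssl pkcs12 -in "$outdir/httpd.p12" -nocerts -nodes \
        -passin "file:$outdir/p12pass" -out "$outdir/httpd.key"
    openssl pkcs12 -in "$outdir/httpd.p12" -clcerts -nokeys \
        -passin "file:$outdir/p12pass" -out "$outdir/httpd.crt"
    rm -f "$outdir/httpd.p12" "$outdir/p12pass"
}

# Check 1: the exported private key really belongs to the exported certificate.
# Derives the PEM SubjectPublicKeyInfo from each side and compares them;
# returns 0 on match, 1 on mismatch or when either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Check 2: the exported certificate is the one the TCP/443 listener actually
# serves. Compare the two SHA-256 fingerprints; a difference means the DB
# holds more than one server cert, or certmonger has already renewed it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Usage on an IPA server (paths and nickname are the assumptions listed above):
#   list_httpd_certs /etc/httpd/alias
#   export_httpd_cert /etc/httpd/alias Server-Cert /etc/httpd/alias/pwdfile.txt /root/httpd-export
#   key_matches_cert /root/httpd-export/httpd.key /root/httpd-export/httpd.crt && echo "key/cert match"
#   [ "$(cert_fingerprint /root/httpd-export/httpd.crt)" = "$(served_fingerprint ipa1.example.com)" ] && echo "served"
```

Both checks are cheap and catch the two ways this hand-over goes wrong in practice: exporting the wrong nickname from a database that holds several certificates, and exporting a certificate that certmonger has already replaced on the listener.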
IdM + AD - restrict KDC servers for login
by Jean Figarella
Hello all,
In an IdM + AD trust setup, has anyone ever had the need to restrict IPA
client logins to a specific Active Directory server when using their AD
credentials?
The problem I am having is that one of my clients has an AD cluster and
some of the KDC servers in that cluster have clocks that are not
synchronized. Whenever someone tries to log in using their AD account, if
they hit an unsynchronized server then they get hit with the "kinit: clock
skew too great ..." error.
Since we don't control the AD server and since they refused to fix their
time sync issues, I have been trying to restrict AD logins to a specific
KDC server, but have been unable to do it. I have tried editing the
sssd.conf and krb5.conf configuration files, but nothing seems to work.
Any suggestions?
Thanks
Jean Figarella
4 years, 10 months
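As an added example (not from the post above; all host and domain names are assumptions), the sssd.conf trusted-domain section is where the AD side of an IPA trust gets pinned, because on an IPA client it is SSSD, not krb5.conf, that decides which KDC libkrb5 talks to: SSSD writes the servers it selected to /var/lib/sss/pubconf/kdcinfo.<REALM> and the sssd_krb5_locator_plugin hands them to libkrb5 ahead of krb5.conf and DNS SRV discovery, which is why a `kdc =` line in /etc/krb5.conf alone tends to change nothing. This assumes an SSSD whose sssd.conf(5) TRUSTED DOMAIN SECTION lists ad_server and ad_backup_server (1.15 and later; RHEL/CentOS 7.4 and later). Like any pin it only routes around the skewed DCs: the clocks remain the actual fault, and with ad_server set SSSD fails over only among the servers listed, not to the rest of the forest.

```ini
# Added example, not from the post above or from SSSD's own documentation.
# Assumed names: IPA domain ipa.example.com with server ipa1.ipa.example.com,
# trusted AD domain ad.example.com, known-good DCs dc1 and dc2.
[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.ipa.example.com
ipa_domain = ipa.example.com
# Default value, shown because it is what makes the pin effective: SSSD
# publishes the KDCs it chose in /var/lib/sss/pubconf/kdcinfo.<REALM> and
# libkrb5 takes them from the locator plugin before krb5.conf or DNS SRV.
krb5_use_kdcinfo = true

# Trusted-domain section: settings for the AD side of the trust only.
# With ad_server set, SSSD stops discovering DCs via DNS/site for this domain
# and fails over only between the servers listed here.
[domain/ipa.example.com/ad.example.com]
ad_server = dc1.ad.example.com
ad_backup_server = dc2.ad.example.com
```

After `systemctl restart sssd` and a fresh login attempt, `cat /var/lib/sss/pubconf/kdcinfo.AD.EXAMPLE.COM` should name only the pinned DC; if it still shows the skewed one, the running SSSD is ignoring the subsection and the version check above is the first thing to revisit.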
Fedora 30 Client
by Christian Reiss
Hey folks,
after testing servers, replication et al. (all with awesome success) I
am getting to test with clients.
Everything is working except Fedora 30 (Workstation, not Server). I can
do the usual ipa-client-install dance, which will create the kerberos
information. I can get a kerberos ticket using kinit as well as logging
in from a remote host to this one.
However, it is not possible to do a local (gdm) login with a valid IPA
account. Neither with "Other User" nor via the normal Linux console (tty*).
sudo denies everything but the local login.
Hint: I am trying to log in to the machine, which has an existing user
account. Wait, what?
[ 10 Minutes later ]
I created a new user in IPA and logged in with that one. Worked like
magic. So no non-existent users.
So assuming that there might be some users that might have accounts
(read: all and everyone) -- what's the smartest way to mitigate or migrate?
Thanks!
-Chris.
--
Christian Reiss - email(a)christian-reiss.de
support(a)alpha-labs.net
WEB alpha-labs.net
/"\ ASCII Ribbon Campaign against HTML in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise Lost.
4 years, 10 months
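As an added example (not from the post above) of the pre-check that avoids this on the next client: list the local accounts whose names also exist in IPA before, or right after, joining. The mechanism behind the symptom is NSS and PAM ordering: the default nsswitch order answers "files" before "sss", so a local /etc/passwd entry shadows the IPA user of the same name, and pam_unix then authenticates against the local shadow entry rather than IPA. A same-UID collision still shadows, so IPA HBAC and sudo rules never apply to that login; a UID mismatch additionally means the home directory and other files belong to the wrong numeric owner. The usual remedy is to remove or rename the local account (after `find / -xdev -uid <local_uid>` if the UIDs differ) rather than to keep both. The sample passwd lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Cross-checks local /etc/passwd
# accounts against what SSSD returns for IPA, because a local entry of the same
# name shadows the IPA one (nsswitch answers "files" before "sss"), which is the
# case described above: an IPA user whose name already exists locally cannot
# log in as the IPA user.
set -eu

# $1: passwd-format lines from the local "files" source
# $2: passwd-format lines from the "sss" source
# Prints one "name local_uid ipa_uid STATUS" line per colliding name;
# returns 0 when there are no collisions, 1 when there are.
report_collisions() {
    out=$(printf '%s\n' "$1" | while IFS=: read -r name _ uid _; do
        [ -n "$name" ] || continue
        ipa_uid=$(printf '%s\n' "$2" | awk -F: -v n="$name" '$1 == n { print $3; exit }')
        [ -n "$ipa_uid" ] || continue
        if [ "$uid" = "$ipa_uid" ]; then status=SAME_UID; else status=UID_MISMATCH; fi
        printf '%s %s %s %s\n' "$name" "$uid" "$ipa_uid" "$status"
    done)
    [ -z "$out" ] || printf '%s\n' "$out"
    [ -z "$out" ]
}

# On a joined client. SSSD does not enumerate by default, so each local name is
# looked up explicitly instead of relying on "getent -s sss passwd" listing users.
check_joined_client() {
    local_db=$(getent -s files passwd)
    ipa_db=$(for u in $(printf '%s\n' "$local_db" | cut -d: -f1); do
        getent -s sss passwd "$u" || true
    done)
    report_collisions "$local_db" "$ipa_db"
}

# Usage on a client that has already run ipa-client-install:
#   check_joined_client || echo "local accounts shadow IPA users; see list above"
```

Run it before pointing gdm at IPA on a workstation with pre-existing accounts: a non-empty report is exactly the set of users who will hit the behaviour described in the post.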
Replication-install Tomcat error stage 1:/28 / Need help
by Karim Bourenane
Hello All
I have followed the steps from the FreeIPA web docs and the Red Hat docs to
prepare the replica with these commands:
DNS+Reverse : OK
On IPA Master : ipa-replica-prepare --password=XXXXX replicat.example.com
scp the GPG file from the master to the replica as root into /var/lib/ipa
On IPA Replicat : ipa-replica-install --password=XXXXX
/var/lib/ipa/replica-fil.gpg --setup-kra --setup-ca --setup-dns
--no-forwarders
After several seconds, the installation stops at stage:
[1/28]: configuring certificate server instance
The first ERROR line: ipaserver.install.dogtaginstance: CRITICAL Failed to
configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmMg7KE'
returned non-zero exit status 1
The second ERROR line: ipaserver.install.dogtaginstance: CRITICAL See
installation....
The third ERROR line: ipaserver.install.dogtaginstance: CRITICAL
[error] RuntimeError: CA configuration failed.
My IPA master is on CentOS 7.3, IPA v4.5.0.
The replica server is on CentOS 7.6, IPA v4.6.4.
Can you help me resolve this problem?
Regards
Mr Karim Bourenane
4 years, 10 months
Re: IPA Client failed login after screen lock
by Boyd Ako
Yeah, adding the KDC cert didn't help. At this point managers are down my
throat about getting it going, whatever. Is there a way to migrate from using
the external CA for everything except HTTP to setting it up as an IPA CA?
Or do I have to rebuild the IPA stuff from scratch?
------------------------------
Thank you for your time,
Boyd H. Ako
boyd.hanalei.ako(a)gmail.com
https://www.boydhanaleiako.me
PGP/GPG Public Key:
https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
------------------------------
On Thu, Jun 27, 2019 at 10:57 PM Sumit Bose <sbose(a)redhat.com> wrote:
> On Wed, Jun 26, 2019 at 04:14:27PM -1000, Boyd Ako wrote:
> > Thanks for all the help!
> >
> > But, still nothing after uncommenting the pki anchors line. I added the
> > same tar ball with the configs and logs. Also threw in a tail snippet I had
> > running when trying to login.
>
> Hi,
>
> it looks like PKINIT is currently not configured completely on the
> IPA server. I added a couple of options how to move forward to the case.
>
> bye,
> Sumit
>
> >
> > On Tue, Jun 25, 2019 at 11:45 PM Sumit Bose <sbose(a)redhat.com> wrote:
> >
> > > On Tue, Jun 25, 2019 at 04:33:10PM -1000, Boyd Ako wrote:
> > > > I did the kerberos cert change as stated and it's still the same.
> > >
> > > Hi,
> > >
> > > I added a new comment to the case, I think we are near a solution.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > On Mon, Jun 24, 2019 at 10:06 PM Sumit Bose <sbose(a)redhat.com> wrote:
> > > >
> > > > > On Fri, Jun 21, 2019 at 01:04:32PM +0200, Sumit Bose wrote:
> > > > > > On Thu, Jun 20, 2019 at 11:28:54PM -1000, Boyd Ako wrote:
> > > > > > > CASE 02390764
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I have added a comment to the case to keep support in the loop as well.
> > > > > >
> > > > > > Please let's continue in the case.
> > > > >
> > > > > Hi,
> > > > >
> > > > > sorry for the delay but I didn't have a chance to check the logs
> > > > > yesterday. I added a new comment to the case.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > On Jun 20, 2019, at 22:30, Sumit Bose via FreeIPA-users <
> > > > > freeipa-users(a)lists.fedorahosted.org> wrote:
> > > > > > > >
> > > > > > > > On Fri, Jun 21, 2019 at 01:14:33AM -0000, Boyd Ako via
> > > FreeIPA-users
> > > > > wrote:
> > > > > > > >> So, I created a Red Hat ticket to assist and the support is
> > > pretty
> > > > > non-productive.
> > > > > > > >>
> > > > > > > >> I have a RHEL 7 "Workstation" setup as an IPA client that
> most
> > > of
> > > > > the time works. However, there are occasions when the screen locks
> out
> > > due
> > > > > to inactivity that I can't log back in. Most of the time it occurs
> > > when I
> > > > > use smartcard x.509 to login; but it also occasionally happens I
> use
> > > > > password to login intially. It's not very consistent on the
> failures.
> > > The
> > > > > only way to login AFTER that is to annoyingly reboot or console in
> as
> > > root
> > > > > and start a kerberos session.
> > > > > > > >>
> > > > > > > >> The IPA server is using an external CA. On the client, the
> CA
> > > certs
> > > > > on the smartcard are in /etc/pki/nssdb. The chain is Root CA -> ID
> > > > > Intermediate CA -> x.509 cert on token. All the CA's are external.
> The
> > > > > token cert did validate when using the Root Ca and ID CA certs
> tacked
> > > > > together for the CAfile in `openssl verify`. I added the following
> to
> > > the
> > > > > sssd.conf:
> > > > > > > >>
> > > > > > > >> ===============================
> > > > > > > >> [domain/mydomain.com]
> > > > > > > >> debug_level = 8
> > > > > > > >> account_cache_expiration = 5
> > > > > > > >> entry_cache_timeout = 28800
> > > > > > > >>
> > > > > > > >> [pam]
> > > > > > > >> debug_level = 8
> > > > > > > >> offline_credentials_expiration = 5
> > > > > > > >> ===============================
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > did you add logs with debug_level=8 to the case you have
> > > mentioned?
> > > > > If
> > > > > > > > yes, please let me know the case number so that I can have a
> > > look. If
> > > > > > > > not, please send the logs. If you prefer to not share them on
> > > this
> > > > > list
> > > > > > > > feel free to send them to me directly.
> > > > > > > >
> > > > > > > > bye,
> > > > > > > > Sumit
> > > > > > > >
> > > > > > > >>
> > > > > > > >> "pam_cert_auth = True" is in the PAM sect. I did run the
> script
> > > > > from the `ipa-advise` client-smart_card_script.
4 years, 10 months