Problems after replacing SSL certificates
by Andreas Bulling
Dear all,
I have recently started using FreeIPA (4.8.1 on Ubuntu) and now wanted to replace the original SSL certificates for the web UI and the LDAP server with official ones issued by our university.
I've followed the procedure described here (no errors):
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I could confirm in the browser that the certificate for the web UI has been replaced and I therefore assume so has the LDAP certificate. Authentication from other hosts/services using LDAP still works but in the server log file I see errors like these for all hosts in the domain:
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: NEEDED_PREAUTH: host/X@X for krbtgt/X@X, Additional pre-authentication required
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for krbtgt/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for ldap/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Also, ipa-certupdate on the respective clients shows
ipa-certupdate
trying https://X/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://X/ipa/json'
cannot connect to 'https://X/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
The ipa-certupdate command failed.
Also, I can't login to the web UI anymore. I tried
ipa-getkeytab -s X -p HTTP/X@X -k /var/lib/ipa/gssproxy/http.keytab
on the freeipa server (followed by ipactl restart) but this didn't help.
Any idea/suggestions for how to get everything working again?
Thanks a lot!
2 months, 4 weeks
User in AD not found by IPA
by Marc Boorshtein
We added a new account to AD that has a domain trust with FreeIPA. This
one user is having an issue where IPA can't find him. The user is in the
same OU as other users that work fine. The user is unlocked
(userAccountControl is 512) and the userprincipalname is set. When I try
to add the user to an id view or an external group IPA gives me the error
"trusted domain object not found" . Not really sure where to look next to
figure out what's wrong. We see the user when we make LDAP calls to AD.
Thanks
Marc
3 months
Cannot add externally-signed IPA CA certificate
by Dmitry Perets
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here is it below, it has the "Basic Constraint" set with CA:TRUE... What else is required, so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
4 months, 3 weeks
FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
by Anthony Joseph Messina
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
Thanks. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
6 months, 2 weeks
dirsrv hangs soon after reboot
by Kees Bakker
Hey,
I'm looking for advice how to analyse/debug this.
On one of the masters the dirsrv is unresponsive. It runs, but every
attempt to connect it hangs.
The command "systemctl status" does not show anything alarming
● dirsrv(a)EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 3134 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv(a)EXAMPLE-COM.service
└─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
However, an ldapsearch command hangs forever
[root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
Enter LDAP Password:
Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch
command hangs.
"ipactl status" hangs
"kinit" hangs
--
Kees Bakker
8 months
Something changed regarding enrollment permissions?
by Ronald Wimmer
Today we did not manage to enroll new hosts with our enrollment user.
The only thing we changed is that we added the Permission "System:
Remove hosts" to the "Host Enrollment" role. The error we get is:
Joining realm failed: Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
child exited with 9
When I try to add the same host with my admin user it works without any
problems.
Cheers,
Ronald
11 months
Unable to install ipa client centos 7.5.1804 (Core)
by William Graboyes
Hello List,
I have been searching around for the day and have found an answer for
the error I am getting when I am trying to install the client on a brand
new install:
Version:
ipa-client-4.5.4-10.el7.centos.3.x86_64
ipa-client-common-4.5.4-10.el7.centos.3.noarch
The error is below (run as root, not via sudo):
ipa-client-install
Traceback (most recent call last):
File "/sbin/ipa-client-install", line 22, in <module>
from ipaclient.install import ipa_client_install
File
"/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py",
line 5, in <module>
from ipaclient.install import client
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
line 34, in <module>
from ipalib import api, errors, x509
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 45, in
<module>
from pyasn1_modules import rfc2315, rfc2459
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 67, in <module>
class DigestedData(univ.Sequence):
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 72, in DigestedData
namedtype.NamedType('digest', Digest)
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 115, in __init__
self.__ambiguousTypes = 'terminal' not in kwargs and
self.__computeAmbiguousTypes() or {}
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 232, in __computeAmbiguousTypes
ambigiousTypes[idx] = NamedTypes(*partialAmbigiousTypes,
**dict(terminal=True))
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 114, in __init__
self.__tagToPosMap = self.__computeTagToPosMap()
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 205, in __computeTagToPosMap
for _tagSet in tagMap.presentTypes:
AttributeError: 'property' object has no attribute 'presentTypes'
Any help would be greatly appreciated.
Thanks,
Bill G.
11 months
FreeIPA certificate doesn't validate in iOS
by Jochen Kellner
Hello,
I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4
Today the certificate of my IMAP server (running on Debian Buster) was
automatically refreshed:
,----
| Request ID '20181003215953':
| status: MONITORING
| stuck: no
| key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key'
| certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt'
| CA: IPA
| issuer: CN=Certificate Authority,O=JOCHEN.ORG
| subject: CN=imap.jochen.org,O=JOCHEN.ORG
| expires: 2022-09-07 09:30:16 CEST
| dns: imap.jochen.org
| principal name: imap/jupiter.jochen.org(a)JOCHEN.ORG
| key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
| eku: id-kp-serverAuth,id-kp-clientAuth
| pre-save command:
| post-save command: /root/refresh_cyrus_certificate.sh
| track: yes
| auto-renew: yes
`----
On an iPhone one of my users gets a message that the certificate is not valid.
Reason seems to be this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html
When I look at the certificate with openssl I see:
,----
| X509v3 extensions:
| X509v3 Authority Key Identifier:
| keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17
|
| Authority Information Access:
| OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp
|
| X509v3 Key Usage: critical
| Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
| X509v3 Extended Key Usage:
| TLS Web Server Authentication, TLS Web Client Authentication
`----
My current guess is that the "Key Usage: critical" is the reason for the iOS error.
I've looked for the certprofiles and found these files:
,----
| [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls
| 8510694 8 -rw-rw---- 1 pkiuser pkiuser 6218 Mär 4 2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
| 9332162 4 -rw-r--r-- 1 root root 229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json
| 26138015 8 -rw-r--r-- 1 root root 7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg
| 26138016 8 -rw-r--r-- 1 root root 7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg
| 9323278 8 -rw-r--r-- 1 root root 6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
`----
These files contain:
,----
| policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
| policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
| policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
| policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
`----
So I think this is where the critical comes from and the keyUsage defaults come from.
What I could use help with is the following:
1. I didn't find reports about the problem in pagure or the mailing
list. Am I really alone with this?
2. My FreeIPA has been installed years ago on Fedora, moved to CentOS
and this year back to Fedora by creating replicas. Has there been a
problem with upgrading the certprofiles?
3. How can I remove the options from the certificate request so that
certmonger gets a valid certificate?
Do I miss something else?
--
This space is intentionally left blank.
11 months
Stateless Machines and Force Join
by Mark Potter
We boot everything stateless in our environment and are using FreeIPA for
authentication. I started discussing this a while ago but ended up with
other things taking priority. The number of machines we have make managing
keys an untenable solution so we are using
ipa-client-install -U -q -p <join user> -w <password --domain=domain.com
--server=ipaserver.domain.com --fixed-primary --force-join
called from rc.local during boot to rejoin machines to the FreeIPA
environment (we will be moving away from --fixed-primary but aren't there
yet). While this works it, potentially, exposes a password. I am looking
for a better way to handle machines that need to re-join at every boot.
We have access to ansible as well a decent, in house, templating system for
configuration. Please forgive my starting this discussion anew and not
resurrecting a zombie and thanks in advance for your help!
--
*Mark Potter*
Senior Linux Administrator
1 year, 1 month
