Providing service level access without granting sudo access
by Saurabh Garg
Hi All,
We have a requirement where we need to give a user access to stop and start a service like tomcat8 without giving sudo access on that machine.
I tried adding the tomcat8 service (running on an Ubuntu host) on the IdM server using the "ipa service-add" command. Later, when I tried creating an HBAC policy to give a user access to that service, it doesn't show up. Is there any other way of providing service-level access to a user on Red Hat IdM?
Please advise.
Thanks,
Saurabh Garg
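Saurabh's requirement is what a FreeIPA sudo rule scoped to exact command lines is for: HBAC decides which users may authenticate to PAM services such as sshd on a host and has no notion of a systemd unit, and the entry created with ipa service-add is a Kerberos service principal, not something an HBAC rule can grant. The script below is an added example and not part of the thread; the user name tomcatops, the host app01.example.test and the rule name tomcat8_control are placeholders, while the ipa subcommands and options are the real FreeIPA CLI. After the rule replicates to the host, the user can run sudo /bin/systemctl stop tomcat8.service and the three sibling commands, and nothing else through this rule.

```shell
#!/bin/sh
# Added example, not from the thread: give one user control of the tomcat8
# unit through a FreeIPA sudo rule limited to exact command lines.
# Hypothetical names: user "tomcatops", host "app01.example.test",
# rule "tomcat8_control". The ipa subcommands are the real FreeIPA CLI.
set -eu

SVC_USER="${SVC_USER:-tomcatops}"
SVC_HOST="${SVC_HOST:-app01.example.test}"
RULE="${RULE:-tomcat8_control}"

# The exact command lines sudo will match. Absolute paths and no wildcards,
# so the rule cannot be stretched to other units or to an interactive shell.
tomcat8_commands() {
    printf '%s\n' \
        '/bin/systemctl start tomcat8.service' \
        '/bin/systemctl stop tomcat8.service' \
        '/bin/systemctl restart tomcat8.service' \
        '/bin/systemctl status tomcat8.service'
}

# Register the commands, create the rule, then bind user, host and commands.
# Each ipa call's output is left on stdout so a wrapper can log it.
create_tomcat8_rule() {
    tomcat8_commands | while IFS= read -r cmd; do
        ipa sudocmd-add "$cmd" --desc="tomcat8 lifecycle command"
    done
    ipa sudorule-add "$RULE" --desc="$SVC_USER may manage tomcat8 on $SVC_HOST"
    ipa sudorule-add-user "$RULE" --users="$SVC_USER"
    ipa sudorule-add-host "$RULE" --hosts="$SVC_HOST"
    tomcat8_commands | while IFS= read -r cmd; do
        ipa sudorule-add-allow-command "$RULE" --sudocmds="$cmd"
    done
}

# Show, from the server side, what the rule grants once it is in place.
show_rule() {
    ipa sudorule-show "$RULE"
}

# Run with --apply against a live IPA server (needs an admin Kerberos ticket).
if [ "${1:-}" = "--apply" ]; then
    create_tomcat8_rule
    show_rule
fi
```

The rule deliberately lists four literal command lines rather than /bin/systemctl with arguments left open; a rule on the bare binary would let the user start or stop any unit on the host.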
1 year, 10 months
idm user access write issue
by Kannappan M
Hi All,
I have granted a bunch of users access to a list of servers. On 3 out of 4 servers all the users are able to touch files once they log in, but on one server alone I am able to switch to the user and not able to touch any files; I get the message "permission denied".
Regards
Kanna
1 year, 10 months
Re: Last FreeIPA master is failing
by Ricardo Mendes
Hi all,
Came around to post the definitive fix for my problem; don't know if it will help anyone since it was all a mess.
As mentioned previously:
> There's the expected "slapd-DOMAIN-IO" but I also have a "try_ca_renew-slapd-DOMAIN-IO" dir dated from 8 of June that resembles a copy of "slapd-DOMAIN-IO" so I was wondering if between one and other maybe copying some files would work?
So I did this, and then the error I got in pki-tomcat/ca/debug was the old message about the peer certificate having expired.
So, since I had already reverted to self-signed certificates, I issued the ipa-cert-fix command, which failed.
[root@main ~]# ipa-cert-fix
Failed to get Server-Cert
The ipa-cert-fix command failed.
Then I tried the 'ipa-cacert-manage renew' command, which completed successfully.
[root@main ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
And then all IPA services were able to start correctly (I was finally able to leave out both --skip-version-check and --ignore-service-failure):
[root@main ~]# ipactl restart
IPA version error: data needs to be upgraded (expected version '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
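Ricardo's recovery turned on an expired certificate that only surfaced once pki-tomcat refused to start. A periodic check over the output of getcert list catches that earlier, and also flags requests certmonger has stopped tracking healthily (anything other than MONITORING, such as CA_UNREACHABLE). The script below is an added example, not code from the thread or from certmonger; the sample output is constructed in certmonger's format with placeholder names, and the audit relies only on certmonger printing expiry times in UTC, which makes an ISO string comparison sufficient.

```shell
#!/bin/sh
# Added example, not from the thread: audit "getcert list" output for
# certificates that have expired, expire before a cutoff, or that
# certmonger no longer reports as MONITORING. The sample output below is
# constructed in certmonger's format; it is not data from the thread.
set -eu

# audit_getcert "YYYY-MM-DD HH:MM:SS" < getcert-list-output
# certmonger prints expiry times in UTC, so the cutoff is compared as an
# ISO string and no date arithmetic is needed. One line per finding:
#   <request id>|<status>|<expires>|<reason>
audit_getcert() {
    awk -v cutoff="$1" '
        function flush() {
            if (id == "") return
            reason = ""
            if (status != "MONITORING") reason = "status " status
            if (expires != "" && expires <= cutoff) {
                if (reason != "") reason = reason ", "
                reason = reason "expires " expires
            }
            if (reason != "") print id "|" status "|" expires "|" reason
        }
        # Fields are whitespace-split, so the tab indentation is ignored.
        $1 == "Request" && $2 == "ID" { flush(); id = $3; gsub(/[^0-9]/, "", id); status = ""; expires = "" }
        $1 == "status:"  { status = $2 }
        $1 == "expires:" { expires = $2 " " $3 }
        END { flush() }
    '
}

# Constructed sample: one healthy request, one expired request whose CA is
# unreachable, one still MONITORING but expiring within a few weeks.
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20181122014941':
	status: MONITORING
	stuck: no
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2022-05-18 03:13:17 UTC
Request ID '20181122014946':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2020-06-24 23:55:43 UTC
Request ID '20181122014947':
	status: MONITORING
	stuck: no
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2020-07-17 16:47:45 UTC
EOF
}

# Live use (GNU date): report anything expiring within 30 days or not MONITORING.
if [ "${1:-}" = "--check" ]; then
    getcert list | audit_getcert "$(date -u -d '+30 days' '+%Y-%m-%d %H:%M:%S')"
fi
```

Run it from cron on each IPA server with --check and alert on any output line; an empty result means every tracked certificate is MONITORING and more than 30 days from expiry.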
1 year, 10 months
write permission to all users in idm server
by Kannappan M
Hi All, I have a problem with write permissions for all the users on one particular server alone.
server list
10.1.2.3
10.1.2.4
10.1.2.5
10.1.2.6
users list
sam
kim
alias
moore
In the above users and servers list, all the users are able to access 10.1.2.3, 10.1.2.4 and 10.1.2.5, but none of the users are able to touch any files or folders on 10.1.2.6.
After logging in to 10.1.2.6, when I run id sam, id kim, id alias or id moore, all the IDs are reflected, but none of the users are able to touch the files or folders.
Please guide me to fix the issue.
Regards
Kanna
1 year, 10 months
RADIUS proxy in FreeIPA
by Max Muller
Hi all!
I keep trying to tune my FreeIPA server with FreeRADIUS.
I deployed FreeRADIUS to control authentication on a VPN server, and I want to use FreeIPA as a RADIUS proxy (I want to control from FreeIPA which users can use the VPN).
FreeRADIUS and FreeIPA run on one server. I added a RADIUS proxy in FreeIPA, but my RADIUS server does not get requests from the remote client. The test utility "radtest" from this server works fine, though.
What am I doing wrong?
Thanks for any reply.
[root@ipa ~]# ipa radiusproxy-find
-----------------------------
1 RADIUS proxy server matched
-----------------------------
RADIUS proxy server name: radius
Server: localhost.localdomain
----------------------------
Number of entries returned 1
----------------------------
1 year, 10 months
Is it normal to ID overrides not show on IPA Replica with its names?
by Vinícius Ferrão
Hello,
I have two FreeIPA servers with AD trust enabled. Usually I do everything on the IPA #1 server, but I just observed that SIDs aren't resolved on the replica. Is this normal?
I'm attaching a picture of the issue to illustrate it.
If this is not right, can someone help with debugging steps?
I observed that I can't do getent passwd ferrao on the replica either, only on the master:
[root@ipa1 ~]# getent passwd ferrao
ferrao@ad.example.com:*:1499401105:1499401105:Vinícius Ferrão:/home/ferrao:
[root@ipa2 ~]# getent passwd ferrao
Thanks,
1 year, 10 months
Adding new replica with CA fails.
by Guillermo Fuentes
Hi all,
I'm having an issue creating a new replica with CA.
The Directory Service installation works fine but adding the CA clone
fails with a java.lang.NumberFormatException when getting the serial
number range.
This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
######
...
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving
ou=ca, ou=requests,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating
nextRange from 80000001 to 90000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new
range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem:
getNextRange Next range has been added: 80000001 - 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min
serial number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting
next min requests number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting
next max requests number: 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
[20/Jun/2020:15:09:55][localhost-startStop-1]: In
LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking
certificate serial number ranges
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial
numbers left in range: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial
number: 2415656960
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial
numbers available: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water
mark: 33554432
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
[20/Jun/2020:15:09:55][localhost-startStop-1]: In
LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving
ou=certificateRepository, ou=ca,o=ipaca
java.lang.NumberFormatException: For input string: "e0000001"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.math.BigInteger.<init>(BigInteger.java:470)
at java.math.BigInteger.<init>(BigInteger.java:606)
at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
...
######
This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
######
...
2020-06-20 15:09:47 pkispawn : INFO ....... executing
'systemctl stop pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL
server cert from internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d
/var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n
Server-Cert cert-pki-ca
2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent
SSL server cert into internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d
/var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt
-n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
2020-06-20 15:09:48 pkispawn : INFO ....... executing
'systemctl daemon-reload'
2020-06-20 15:09:48 pkispawn : INFO ....... executing
'systemctl start pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is
NOT enabled on this operating system.
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection -
server may still be down
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection -
server may still be down
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection -
server may still be down
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection -
exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection -
server may still be down
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection -
exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection -
server may still be down
... repeats every second
2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection -
exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection -
server may still be down
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection -
exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message:
server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... File
"/usr/sbin/pkispawn", line 534, in main
scriptlet.spawn(deployer)
File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 1304, in spawn
raise RuntimeError("server failed to restart")
######
And here is the failure in /var/log/ipareplica-ca-install.log:
######
...
---------------
Import complete
---------------
Imported certificates into /etc/pki/pki-tomcat/alias:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Third-party RSA CA C,,
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
Third-party Root CA C,,
ocspSigningCert cert-pki-ca u,u,u
Installation failed: server failed to restart
2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server
failed to restart
2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit
status 1
2020-06-20T15:10:50Z CRITICAL See the installation logs and the
following files/directories for more information:
2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 567, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 557, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 675, in __spawn_instance
pki_pin)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 167, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 408, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
...
######
Has anyone run into this?
Is this a known bug/issue?
Current environment of all replicas:
- CentOS 7.8
- FreeIPA 4.6.6
Any help/guidance on fixing this would be really appreciated.
Thanks so much,
Guillermo
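The stack trace in Guillermo's debug log is specific: DBSubsystem.getNextRange hands the nextRange value of ou=certificateRepository,ou=ca,o=ipaca to a BigInteger constructor that goes through Integer.parseInt, so a value that is not a plain decimal integer ("e0000001" here) aborts the CA clone and pkispawn then reports "server failed to restart". A pre-flight check over the range attributes before running ipa-replica-install --setup-ca makes that failure visible in advance. The script below is an added example and not part of the thread or of FreeIPA; the attribute names nextRange, beginRange and endRange are those of Dogtag's repository and range entries, the ldapsearch invocation assumes Directory Manager credentials, and the LDIF sample is constructed to mirror the entries named in the log.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check that the CA range
# attributes under o=ipaca hold plain decimal values. The Dogtag release in
# this thread parses them with Integer.parseInt (see the stack trace), so a
# hex-looking "e0000001" aborts the clone before pkispawn can finish.
# Attribute names nextRange, beginRange and endRange are those of Dogtag's
# repository and range entries; the LDIF sample below is constructed.
set -eu

# check_ranges < ldif
# Expects unfolded LDIF (ldapsearch -LLL -o ldif-wrap=no). Prints
#   <dn>|<attribute>|<value>|<problem>
# for every range attribute that is not a positive decimal integer and
# exits 1 if anything was reported, 0 otherwise.
check_ranges() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        /^(nextRange|beginRange|endRange): / {
            attr = $1; sub(/:$/, "", attr)
            val = $2
            if (val !~ /^[0-9]+$/) {
                print dn "|" attr "|" val "|not decimal"; bad = 1
            } else if (val ~ /^0/) {
                print dn "|" attr "|" val "|zero or leading zero"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Live query of a CA master or replica (prompts for the Directory Manager password).
dump_ranges() {
    ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=Directory Manager' -W -b o=ipaca \
        '(|(nextRange=*)(beginRange=*))' nextRange beginRange endRange
}

# Constructed sample mirroring the entries named in the debug log: the
# certificate repository carries a non-decimal nextRange, while the request
# repository and its range object are fine.
sample_ldif() {
    cat <<'EOF'
dn: ou=certificateRepository,ou=ca,o=ipaca
nextRange: e0000001

dn: ou=ca,ou=requests,o=ipaca
nextRange: 90000001

dn: cn=80000001,ou=requests,ou=ranges,o=ipaca
beginRange: 80000001
endRange: 90000000
EOF
}

# Run with --live on an existing CA server before adding a CA replica.
if [ "${1:-}" = "--live" ]; then
    dump_ranges | check_ranges
fi
```

A non-zero exit from the live run means the range data needs correcting on the existing CA before any clone attempt; the check only reads the directory and changes nothing.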
1 year, 11 months
User based access control to services?
by Dominik Vogt
In our setup, a service is running on some server machine, say,
"sample/servername.domain" and a client for that service is
running on a workstation (using the sample gssapi client and
server code from the kerberos sources). Now, what is the proper
way to do this in freeipa?
1. Allow users foo and bar to log in to the workstation but to no
other machine of the Kerberos realm.
2. Deny access to sample/servername.domain from any host except
from the workstation.
3. Allow user foo to access the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.
I don't quite understand how that fits into chapter 10/19 or 31 of
the "Linux Domain Identity, Authentication, and Policy Guide" for
RHEL 7. Chapter 10 deals with access to FreeIPA internal
objects, and chapter 31 describes host-based access control. But
how is access control done for someuser@clientmachine ->
service@servermachine?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
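Of Dominik's five steps, only the first is host-based access control in the FreeIPA sense: HBAC rules are evaluated by SSSD in the PAM account phase on the enrolled host, so they govern PAM services such as sshd and login. The sample GSSAPI server from the Kerberos sources never calls PAM, and the KDC will issue a service ticket for sample/servername.domain to any authenticated principal, so steps 2 to 5 have to be enforced by the service itself once it has the client principal name (for example by checking group membership against IPA). The script below is an added example for step 1, not code from the thread or from FreeIPA; the host name workstation.example.test and the rule name ws_login are placeholders, while the ipa subcommands are the real CLI.

```shell
#!/bin/sh
# Added example, not from the thread: the HBAC side of step 1, letting foo
# and bar log in to the workstation and nowhere else. Hypothetical names:
# host "workstation.example.test", rule "ws_login". Real ipa CLI calls.
set -eu

WS_HOST="${WS_HOST:-workstation.example.test}"
RULE="${RULE:-ws_login}"

# A fresh FreeIPA install ships an enabled "allow_all" HBAC rule. While it is
# on, every host admits every user and a narrower rule changes nothing, so the
# restriction only exists once allow_all is disabled. Have a rule admitting the
# admins to the IPA servers in place before doing that, or you lock yourself out.
restrict_workstation_login() {
    ipa hbacrule-disable allow_all
    ipa hbacrule-add "$RULE" --desc="foo and bar may log in to the workstation only"
    ipa hbacrule-add-user "$RULE" --users=foo --users=bar
    ipa hbacrule-add-host "$RULE" --hosts="$WS_HOST"
    ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd --hbacsvcs=login
}

# Server-side dry run of the decision SSSD would make on a host, before rollout.
# Expect "Access granted: True" for the workstation and False for any other host.
check_access() {
    ipa hbactest --user="$1" --host="$2" --service=sshd
}

if [ "${1:-}" = "--apply" ]; then
    restrict_workstation_login
    check_access foo "$WS_HOST"
fi
```

Because HBAC is decided on the client by SSSD, the hbactest result is only as good as the rule data the host has cached; after changing rules, clear the SSSD cache on the workstation with sss_cache -E before trusting a login test there.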
1 year, 11 months
Re: ipa-server-upgrade failed after yum update on CentOS7
by Florence Blanc-Renaud
Hi,
As you have installed 4.6.5-11, the ipa-cert-fix command is available
and should make fixing the expired certs easier. The topology looks simple
enough (a single master), so there is no need to worry about which server to fix
first.
More info available in [1] and in ipa-cert-fix man page.
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
On 7/1/20 6:01 AM, Mariusz Stolarczyk via FreeIPA-users wrote:
> The kinit command wouldn't work so it prevented the other commands. One
> of my issues is that the IPA server tries to update itself:
>
> # ipactl start
> IPA version error: data needs to be upgraded (expected version
> '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>
>
> This seemed to get me past that:
>
> # ipactl start --skip-version-check --ignore-service-failure
> Skipping version check
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting httpd Service
> Failed to start httpd Service
> Forced start, ignoring httpd Service, continuing normal operation
> Starting ipa-custodia Service
> Starting ntpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Forced start, ignoring pki-tomcatd Service, continuing normal operation
> Starting smb Service
> Starting winbind Service
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
>
> However, I found some instructions to roll back the system clock to get
> certmonger to renew the expired certs. Now the httpd.service starts
> but not pki-tomcatd.
>
>
> # ipactl start --skip-version-check --ignore-service-failure
> Skipping version check
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting httpd Service
> Starting ipa-custodia Service
> Starting ntpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Forced start, ignoring pki-tomcatd Service, continuing normal operation
> Starting smb Service
> Starting winbind Service
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
>
> Now I was able to get the outputs:
>
> # ipa config-show | grep "CA renewal"
> IPA CA renewal master: FAKE-HOST.FAKE-IPA-DOMAIN.lan
>
>
> # ipa server-role-find
> ----------------------
> 6 server roles matched
> ----------------------
> Server name: FAKE-HOST.FAKE-IPA-DOMAIN.lan
> Role name: CA server
> Role status: enabled
>
> Server name: FAKE-HOST.FAKE-IPA-DOMAIN.lan
> Role name: DNS server
> Role status: enabled
>
> Server name: FAKE-HOST.FAKE-IPA-DOMAIN.lan
> Role name: NTP server
> Role status: enabled
>
> Server name: FAKE-HOST.FAKE-IPA-DOMAIN.lan
> Role name: AD trust agent
> Role status: enabled
>
> Server name: FAKE-HOST.FAKE-IPA-DOMAIN.lan
> Role name: KRA server
> Role status: absent
>
> Server name: FAKE-HOST.FAKE-IPA-DOMAIN.lan
> Role name: AD trust controller
> Role status: enabled
> ----------------------------
> Number of entries returned 6
> ----------------------------
>
>
> # getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20171108154417':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: SelfSign
> issuer: CN=FAKE-HOST.FAKE-IPA-DOMAIN.lan,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=FAKE-HOST.FAKE-IPA-DOMAIN.lan,O=FAKE-IPA-DOMAIN.LAN
> expires: 2020-09-13 20:50:34 UTC
> principal name: krbtgt/FAKE-IPA-DOMAIN.LAN@FAKE-IPA-DOMAIN.LAN
> certificate template/profile: KDCs_PKINIT_Certs
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
> Request ID '20181122014941':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=CA Audit,O=FAKE-IPA-DOMAIN.LAN
> expires: 2022-05-18 03:13:17 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20181122014942':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=OCSP Subsystem,O=FAKE-IPA-DOMAIN.LAN
> expires: 2020-06-24 23:56:43 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20181122014943':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=CA Subsystem,O=FAKE-IPA-DOMAIN.LAN
> expires: 2022-05-18 03:11:57 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20181122014944':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> expires: 2036-08-12 21:35:52 UTC
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20181122014945':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://FAKE-HOST.FAKE-IPA-DOMAIN.lan:8443/ca/agent/ca/profileReview:
> Peer certificate cannot be authenticated with given CA certificates.
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=IPA RA,O=FAKE-IPA-DOMAIN.LAN
> expires: 2020-06-24 23:56:33 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20181122014946':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://FAKE-HOST.FAKE-IPA-DOMAIN.lan:8443/ca/agent/ca/profileReview:
> Peer certificate cannot be authenticated with given CA certificates.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=FAKE-HOST.FAKE-IPA-DOMAIN.lan,O=FAKE-IPA-DOMAIN.LAN
> expires: 2020-06-24 23:55:43 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20181122014947':
> status: CA_UNREACHABLE
> ca-error: Server at https://FAKE-HOST.FAKE-IPA-DOMAIN.lan/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining: Failed connect to
> FAKE-HOST.FAKE-IPA-DOMAIN.lan:443; Connection refused).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-FAKE-IPA-DOMAIN-LAN',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-FAKE-IPA-DOMAIN-LAN/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-FAKE-IPA-DOMAIN-LAN',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=FAKE-HOST.FAKE-IPA-DOMAIN.lan,O=FAKE-IPA-DOMAIN.LAN
> expires: 2020-07-17 16:47:45 UTC
> principal name: ldap/FAKE-HOST.FAKE-IPA-DOMAIN.lan@FAKE-IPA-DOMAIN.LAN
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
> FAKE-IPA-DOMAIN-LAN
> track: yes
> auto-renew: yes
> Request ID '20181122014948':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
> subject: CN=FAKE-HOST.FAKE-IPA-DOMAIN.lan,O=FAKE-IPA-DOMAIN.LAN
> expires: 2022-03-16 22:14:54 UTC
> dns: FAKE-HOST.FAKE-IPA-DOMAIN.lan
> principal name: HTTP/FAKE-HOST.FAKE-IPA-DOMAIN.lan@FAKE-IPA-DOMAIN.LAN
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
>
> I am also able to restart pki-tomcatd service after two restart attempts:
>
>
> # systemctl restart pki-tomcatd@pki-tomcat.service
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> # systemctl restart pki-tomcatd@pki-tomcat.service
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> # systemctl status pki-tomcatd@pki-tomcat.service
> ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
> Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
> vendor preset: disabled)
> Active: active (running) since Tue 2020-06-30 20:55:41 PDT; 20s ago
> Process: 9567 ExecStop=/usr/libexec/tomcat/server stop (code=exited,
> status=0/SUCCESS)
> Process: 9612 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited,
> status=0/SUCCESS)
> Main PID: 9749 (java)
> CGroup:
> /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
> └─9749 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
> -DRESTEASY_LIB=/usr/share/java/resteasy-base
> -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath
> /usr/share/tomcat/bin/bo...
>
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: Jun 30,
> 2020 8:55:56 PM org.apache.catalina.loader.WebappClassLoaderBase
> clearReferencesThreads
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: SEVERE:
> The web application [/ca] appears to have started a thread named
> [LDAPConnThread-0 ldaps://FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan:636]
> ...emory leak.
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: Jun 30,
> 2020 8:55:56 PM org.apache.catalina.loader.WebappClassLoaderBase
> clearReferencesThreads
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: SEVERE:
> The web application [/ca] appears to have started a thread named
> [LDAPConnThread-2 ldaps://FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan:636]
> ...emory leak.
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: Jun 30,
> 2020 8:55:56 PM org.apache.catalina.loader.WebappClassLoaderBase
> clearReferencesThreads
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: SEVERE:
> The web application [/ca] appears to have started a thread named
> [authorityMonitor] but has failed to stop it. Thi...emory leak.
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: Jun 30,
> 2020 8:55:56 PM org.apache.catalina.loader.WebappClassLoaderBase
> clearReferencesThreads
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: SEVERE:
> The web application [/ca] appears to have started a thread named
> [LDAPConnThread-3 ldaps://FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan:636]
> ...emory leak.
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: Jun 30,
> 2020 8:55:56 PM org.apache.catalina.loader.WebappClassLoaderBase
> clearReferencesThreads
> Jun 30 20:55:56 FAKE-IPA-HOST.FAKE-IPA-DOMAIN.lan server[9749]: SEVERE:
> The web application [/ca] appears to have started a thread named
> [profileChangeMonitor] but has failed to stop it....emory leak.
> Hint: Some lines were ellipsized, use -l to show in full.
>
>
> Not sure what to do next.
>
> Thanks,
> -ms
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten(a)redhat.com>
> *Sent:* Tuesday, June 30, 2020 8:20 PM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>;
> Florence Blanc-Renaud <flo(a)redhat.com>
> *Cc:* Mariusz Stolarczyk <zeusuofm(a)hotmail.com>
> *Subject:* Re: [Freeipa-users] Re: ipa-server-upgrade failed after yum
> update on CentOS7
> Mariusz Stolarczyk via FreeIPA-users wrote:
>> Thanks for the response.
>>
>> This is my main IPA server the rest of my small network are just linux
>> clients.
>>
>>
>> kinit: Cannot contact any KDC for realm 'FAKE-IPA-DOMAIN.LAN' while
>> getting initial credentials
>
> The other information that Flo requested is needed as well.
>
> Three of your certificates expired on June 24 and to create a plan to
> fix it we need the other info.
>
> rob
>
>>
>>
>> # getcert list
>> Number of certificates and requests being tracked: 9.
>> Request ID '20171108154417':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>> CA: SelfSign
>> issuer: CN=sol.FAKE-IPA-DOMAIN.LAN,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=sol.FAKE-IPA-DOMAIN.LAN,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2020-09-13 20:50:34 UTC
>> principal name: krbtgt/FAKE-IPA-DOMAIN.LAN@FAKE-IPA-DOMAIN.LAN
>> certificate template/profile: KDCs_PKINIT_Certs
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014941':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=CA Audit,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2022-05-18 03:13:17 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014942':
>> status: CA_UNREACHABLE
>> ca-error: Internal error
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=OCSP Subsystem,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2020-06-24 23:56:43 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014943':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=CA Subsystem,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2022-05-18 03:11:57 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014944':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2036-08-12 21:35:52 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014945':
>> status: CA_UNREACHABLE
>> ca-error: Internal error
>> stuck: no
>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=IPA RA,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2020-06-24 23:56:33 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014946':
>> status: CA_UNREACHABLE
>> ca-error: Internal error
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=sol.FAKE-IPA-DOMAIN.LAN,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2020-06-24 23:55:43 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "Server-Cert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014947':
>> status: CA_UNREACHABLE
>> ca-error: Error setting up ccache for "host" service on client using
>> default keytab: Cannot contact any KDC for realm 'FAKE-IPA-DOMAIN.LAN'.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-FAKE-IPA-DOMAIN-LAN',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-FAKE-IPA-DOMAIN-LAN/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-FAKE-IPA-DOMAIN-LAN',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=sol.FAKE-IPA-DOMAIN.LAN,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2020-07-17 16:47:45 UTC
>> principal name: ldap/sol.FAKE-IPA-DOMAIN.LAN(a)FAKE-IPA-DOMAIN.LAN
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
>> FAKE-IPA-DOMAIN-LAN
>> track: yes
>> auto-renew: yes
>> Request ID '20181122014948':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
>> subject: CN=sol.FAKE-IPA-DOMAIN.LAN,O=FAKE-IPA-DOMAIN.LAN
>> expires: 2022-03-16 22:14:54 UTC
>> dns: sol.FAKE-IPA-DOMAIN.LAN
>> principal name: HTTP/sol.FAKE-IPA-DOMAIN.LAN(a)FAKE-IPA-DOMAIN.LAN
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>>
>> What can I do next?
>>
>> Thanks,
>> -ms
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Florence Blanc-Renaud <flo(a)redhat.com>
>> *Sent:* Tuesday, June 30, 2020 1:45 AM
>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> *Cc:* Mariusz Stolarczyk <zeusuofm(a)hotmail.com>
>> *Subject:* Re: [Freeipa-users] ipa-server-upgrade failed after yum
>> update on CentOS7
>>
>> On 6/30/20 10:24 AM, Mariusz Stolarczyk via FreeIPA-users wrote:
>>> All,
>>>
>>> I did routine server updates last night on my IPA server. After the
>>> reboot I first noticed that DNS was not resolving and that ipa.service
>>> had failed. Since ipa.service would not start, I ran the following:
>>>
>>>
>>> # ipactl start
>>> IPA version error: data needs to be upgraded (expected version
>>> '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>>> Be patient, this may take a few minutes.
>>> Automatic upgrade failed: Update complete
>>> Upgrading the configuration of the IPA services
>>> [Verifying that root certificate is published]
>>> [Migrate CRL publish directory]
>>> CRL tree already moved
>>> [Verifying that CA proxy configuration is correct]
>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>> [Fix DS schema file syntax]
>>> Syntax already fixed
>>> [Removing RA cert from DS NSS database]
>>> RA cert already removed
>>> [Enable sidgen and extdom plugins by default]
>>> [Updating HTTPD service IPA configuration]
>>> [Updating HTTPD service IPA WSGI configuration]
>>> Nothing to do for configure_httpd_wsgi_conf
>>> [Updating mod_nss protocol versions]
>>> Protocol versions already updated
>>> [Updating mod_nss cipher suite]
>>> [Updating mod_nss enabling OCSP]
>>> [Fixing trust flags in /etc/httpd/alias]
>>> Trust flags already processed
>>> [Moving HTTPD service keytab to gssproxy]
>>> [Removing self-signed CA]
>>> [Removing Dogtag 9 CA]
>>> [Checking for deprecated KDC configuration files]
>>> [Checking for deprecated backups of Samba configuration files]
>>> [Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
>>> [Update 'max smbd processes' in Samba configuration to prevent unlimited
>>> SMBLoris attack amplification]
>>> [Add missing CA DNS records]
>>> IPA CA DNS records already processed
>>> [Removing deprecated DNS configuration options]
>>> [Ensuring minimal number of connections]
>>> [Updating GSSAPI configuration in DNS]
>>> [Updating pid-file configuration in DNS]
>>> [Checking global forwarding policy in named.conf to avoid conflicts with
>>> automatic empty zones]
>>> Changes to named.conf have been made, restart named
>>> [Upgrading CA schema]
>>> CA schema update complete (no changes)
>>> [Verifying that CA audit signing cert has 2 year validity]
>>> [Update certmonger certificate renewal configuration]
>>> Certmonger certificate renewal configuration already up-to-date
>>> [Enable PKIX certificate path discovery and validation]
>>> PKIX already enabled
>>> [Authorizing RA Agent to modify profiles]
>>> [Authorizing RA Agent to manage lightweight CAs]
>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>> [Adding default OCSP URI configuration]
>>> [Ensuring CA is using LDAPProfileSubsystem]
>>> [Migrating certificate profiles to LDAP]
>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>>> command ipa-server-upgrade manually.
>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>> NetworkError: cannot connect to
>>> 'https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffake-ip...':
>>
>>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>> more information
>>>
>>> See the upgrade log for more details and/or run
>>> /usr/sbin/ipa-server-upgrade again
>>> Aborting ipactl
>>>
>>>
>>> The end of the /var/log/ipaupgrade.log file:
>>>
>>> 2020-06-29T22:43:38Z DEBUG stderr=
>>> 2020-06-29T22:43:38Z DEBUG Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2020-06-29T22:43:38Z DEBUG Starting external process
>>> 2020-06-29T22:43:38Z DEBUG args=/usr/bin/certutil -d
>>> dbm:/etc/pki/pki-tomcat/alias -L -f /etc/pki/pki-tomcat/alias/pwdfile.txt
>>> 2020-06-29T22:43:38Z DEBUG Process finished, return code=0
>>> 2020-06-29T22:43:38Z DEBUG stdout=
>>> Certificate Nickname                     Trust Attributes
>>>                                          SSL,S/MIME,JAR/XPI
>>>
>>> caSigningCert cert-pki-ca                   CTu,Cu,Cu
>>> subsystemCert cert-pki-ca                   u,u,u
>>> Server-Cert cert-pki-ca                    u,u,u
>>> ocspSigningCert cert-pki-ca                  u,u,u
>>> auditSigningCert cert-pki-ca                 u,u,Pu
>>>
>>> 2020-06-29T22:43:38Z DEBUG stderr=
>>> 2020-06-29T22:43:38Z INFO Certmonger certificate renewal configuration
>>> already up-to-date
>>> 2020-06-29T22:43:38Z INFO [Enable PKIX certificate path discovery and
>>> validation]
>>> 2020-06-29T22:43:38Z DEBUG Loading StateFile from
>>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>> 2020-06-29T22:43:38Z INFO PKIX already enabled
>>> 2020-06-29T22:43:38Z INFO [Authorizing RA Agent to modify profiles]
>>> 2020-06-29T22:43:38Z INFO [Authorizing RA Agent to manage lightweight CAs]
>>> 2020-06-29T22:43:38Z INFO [Ensuring Lightweight CAs container exists in
>>> Dogtag database]
>>> 2020-06-29T22:43:38Z DEBUG Created connection context.ldap2_140346851657552
>>> 2020-06-29T22:43:38Z DEBUG flushing
>>> ldapi://%2fvar%2frun%2fslapd-FAKE-IPA-DOMAIN-LAN.socket from SchemaCache
>>> 2020-06-29T22:43:38Z DEBUG retrieving schema for SchemaCache
>>> url=ldapi://%2fvar%2frun%2fslapd-FAKE-IPA-DOMAIN-LAN.socket
>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fa50c3e8e60>
>>> 2020-06-29T22:43:39Z DEBUG Destroyed connection
>>> context.ldap2_140346851657552
>>> 2020-06-29T22:43:39Z INFO [Adding default OCSP URI configuration]
>>> 2020-06-29T22:43:39Z INFO [Ensuring CA is using LDAPProfileSubsystem]
>>> 2020-06-29T22:43:39Z INFO [Migrating certificate profiles to LDAP]
>>> 2020-06-29T22:43:39Z DEBUG Created connection context.ldap2_140346825804304
>>> 2020-06-29T22:43:39Z DEBUG flushing
>>> ldapi://%2fvar%2frun%2fslapd-FAKE-IPA-DOMAIN-LAN.socket from SchemaCache
>>> 2020-06-29T22:43:39Z DEBUG retrieving schema for SchemaCache
>>> url=ldapi://%2fvar%2frun%2fslapd-FAKE-IPA-DOMAIN-LAN.socket
>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fa50ac19b90>
>>> 2020-06-29T22:43:39Z DEBUG Destroyed connection
>>> context.ldap2_140346825804304
>>> 2020-06-29T22:43:39Z DEBUG request GET
>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffake-ip...
>>> 2020-06-29T22:43:39Z DEBUG request body ''
>>> 2020-06-29T22:43:39Z DEBUG httplib request failed:
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 220, in _httplib_request
>>>     conn.request(method, path, body=request_body, headers=headers)
>>>   File "/usr/lib64/python2.7/httplib.py", line 1056, in request
>>>     self._send_request(method, url, body, headers)
>>>   File "/usr/lib64/python2.7/httplib.py", line 1090, in _send_request
>>>     self.endheaders(body)
>>>   File "/usr/lib64/python2.7/httplib.py", line 1052, in endheaders
>>>     self._send_output(message_body)
>>>   File "/usr/lib64/python2.7/httplib.py", line 890, in _send_output
>>>     self.send(msg)
>>>   File "/usr/lib64/python2.7/httplib.py", line 852, in send
>>>     self.connect()
>>>   File "/usr/lib64/python2.7/httplib.py", line 1275, in connect
>>>     server_hostname=sni_hostname)
>>>   File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
>>>     _context=self)
>>>   File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
>>>     self.do_handshake()
>>>   File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
>>>     self._sslobj.do_handshake()
>>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>>> 2020-06-29T22:43:39Z ERROR IPA server upgrade failed: Inspect
>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>> 2020-06-29T22:43:39Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>     server.upgrade()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2166, in upgrade
>>>     upgrade_configuration()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2038, in upgrade_configuration
>>>     ca_enable_ldap_profile_subsystem(ca)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 425, in ca_enable_ldap_profile_subsystem
>>>     cainstance.migrate_profiles_to_ldap()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2027, in migrate_profiles_to_ldap
>>>     _create_dogtag_profile(profile_id, profile_data, overwrite=False)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2033, in _create_dogtag_profile
>>>     with api.Backend.ra_certprofile as profile_api:
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1311, in __enter__
>>>     method='GET'
>>>   File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 167, in https_request
>>>     method=method, headers=headers)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 229, in _httplib_request
>>>     raise NetworkError(uri=uri, error=str(e))
>>>
>>> 2020-06-29T22:43:39Z DEBUG The ipa-server-upgrade command failed,
>>> exception: NetworkError: cannot connect to
>>> 'https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffake-ip...':
>>
>>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>>> 2020-06-29T22:43:39Z ERROR Unexpected error - see
>>> /var/log/ipaupgrade.log for details:
>>> NetworkError: cannot connect to
>>> 'https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffake-ip...':
>>
>>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>>> 2020-06-29T22:43:39Z ERROR The ipa-server-upgrade command failed. See
>>> /var/log/ipaupgrade.log for more information
>>>
>>>
>>> What should be my next debug steps?
>>>
>> Hi,
>>
>> I would check whether any certificate expired:
>> $ getcert list
>>
>> Look specifically for the "status: " and "expires: " labels. If some
>> certs have expired, you will need to find the CA renewal master and fix
>> this host first. To find the CA renewal master:
>> $ kinit admin
>> $ ipa config-show | grep "CA renewal"
>>
>> If you need help, please mention:
>> - the output of "ipa server-role-find"
>> - the output of "getcert list" on all the server nodes
>> - are the httpd and ldap server certificates issued by IPA CA or by an
>> external Certificate Authority?
>>
>> HTH,
>> flo
>>
>>> Thanks in advance,
>>> -ms
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fe...
>>> List Guidelines: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorap...
>>> List Archives: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.f...
>>>
>>
>
>
1 year, 11 months
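The triage Flo's reply describes (run `getcert list`, look at the "status:" and "expires:" labels, and fix the CA renewal master first when CA subsystem certs are involved), as an added example that is not part of this thread or of the FreeIPA project: a Python script that parses `getcert list` output and reports the certificates that have already expired and the tracking requests certmonger is not able to renew. The listing embedded in it is a constructed, trimmed copy of the one posted above; the function names (`parse_getcert_list`, `triage`, `needs_renewal_master`) and the `THREAD_DATE` pin are my own, chosen so the sample triages the same way it did for the poster.

```python
"""Triage `getcert list` output: flag certs that have already expired and
tracking requests certmonger cannot renew (status other than MONITORING, or
stuck: yes), and say which of those are CA subsystem / RA certs that only the
CA renewal master can fix.  Added example, not code from the FreeIPA project."""
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the listing posted in the thread,
# keeping only the fields this script reads.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 5.
Request ID '20181122014942':
	status: CA_UNREACHABLE
	ca-error: Internal error
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	subject: CN=OCSP Subsystem,O=FAKE-IPA-DOMAIN.LAN
	expires: 2020-06-24 23:56:43 UTC
Request ID '20181122014944':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	subject: CN=Certificate Authority,O=FAKE-IPA-DOMAIN.LAN
	expires: 2036-08-12 21:35:52 UTC
Request ID '20181122014945':
	status: CA_UNREACHABLE
	ca-error: Internal error
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	subject: CN=IPA RA,O=FAKE-IPA-DOMAIN.LAN
	expires: 2020-06-24 23:56:33 UTC
Request ID '20181122014946':
	status: CA_UNREACHABLE
	ca-error: Internal error
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	subject: CN=sol.FAKE-IPA-DOMAIN.LAN,O=FAKE-IPA-DOMAIN.LAN
	expires: 2020-06-24 23:55:43 UTC
Request ID '20181122014947':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'FAKE-IPA-DOMAIN.LAN'.
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-FAKE-IPA-DOMAIN-LAN',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	subject: CN=sol.FAKE-IPA-DOMAIN.LAN,O=FAKE-IPA-DOMAIN.LAN
	expires: 2020-07-17 16:47:45 UTC
"""

# Date of the thread, so the sample triages the same way it did for the poster.
THREAD_DATE = datetime(2020, 6, 30, 20, 55, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict per 'Request ID' block; each 'label: value' line becomes a key.
    Only the first ':' splits the label, so ca-error text containing ':' survives."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None:
            key, sep, value = line.strip().partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return entries


def triage(entries, now=None):
    """Return (expired, unhealthy): expired holds (request_id, subject) for certs
    past 'expires'; unhealthy holds (request_id, subject, status, ca-error) for
    requests certmonger is not currently able to renew."""
    now = now or datetime.now(timezone.utc)
    expired, unhealthy = [], []
    for e in entries:
        exp = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S UTC")
        if exp.replace(tzinfo=timezone.utc) <= now:
            expired.append((e["request_id"], e.get("subject", "")))
        if e.get("status") != "MONITORING" or e.get("stuck") == "yes":
            unhealthy.append((e["request_id"], e.get("subject", ""), e.get("status"), e.get("ca-error", "")))
    return expired, unhealthy


def needs_renewal_master(entries, request_ids):
    """Of request_ids, those whose CA is dogtag-ipa-ca-renew-agent: the CA
    subsystem and RA certs, which are renewed only on the CA renewal master."""
    wanted = set(request_ids)
    return [e["request_id"] for e in entries
            if e["request_id"] in wanted and e.get("CA") == "dogtag-ipa-ca-renew-agent"]


if __name__ == "__main__":
    found = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    expired, unhealthy = triage(found, THREAD_DATE)
    for rid, subject in expired:
        print("EXPIRED      ", rid, subject)
    for rid, subject, status, err in unhealthy:
        print("NOT RENEWING ", rid, subject, status, err)
    print("fix on CA renewal master first:", needs_renewal_master(found, [r for r, _ in expired]))
```

On a real server, replace `SAMPLE_GETCERT_OUTPUT` in the `__main__` block with the output of `getcert list` (for example `sys.stdin.read()`); the parser only relies on the `Request ID '...':` block header and the `label: value` layout that getcert prints. Note that "expires" in the future is not enough on its own: the dirsrv Server-Cert in the sample is still valid but already has status CA_UNREACHABLE because the KDC is down, so it will expire too unless the renewal master is repaired first.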