Re: SSL error after upgrade
by Nathanaël Blanchet
Thanks to all for the fix, you saved my day!
On 25/12/2021 at 17:06, Dungan, Scott A. via FreeIPA-users wrote:
>
> Hi, Per.
>
> I ran into the same problem and Alexander referred me to this link:
> https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg1258...
>
> The fix for us was pretty easy:
>
> 1. Make a backup of /etc/pki/pki-tomcat/server.xml
> 2. On lines 129 and 171 of server.xml, you'll see a value for
> "secret=" and "sharedSecret=". Those values will be different, and
> that is the cause of the problem. Both values should match what is
> found in the ProxyPassMatch statements located in the file
> /etc/httpd/conf.d/ipa-pki-proxy.conf. In my case, the value for
> secret= was correct and I just had to change the sharedSecret= to
> match.
> 3. Restart services with ipactl restart
>
> -Scott
>
> *From:* Per Qvindesland via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org>
> *Sent:* Wednesday, December 22, 2021 7:22 AM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Per Qvindesland <perq(a)icloud.com>
> *Subject:* [Freeipa-users] SSL error after upgrade
>
> Hi All
>
> After an update to 4.9.6-10, I am unable to view any of the
> certificates that the IPA server has signed. I get the error "An error has
> occurred (IPA Error 4301: CertificateOperationError)" when I click on
> Authentication -> Certificates; if I click on "Certificate Authorities"
> then I get a popup message with the error "Failed to authenticate to CA
> REST API", and "An error has occurred (IPA Error 4016:
> RemoteRetrieveError)" is showing on the screen.
>
> ipactl status is showing everything as running:
>
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> Does anyone know what's causing this error?
>
> I ran ipa-healthcheck and pasted the output below; it reports that
> it is missing SRV records, but the IPA server is the DNS server and it
> has the SRV records.
>
> Regards
>
> Per
>
> ipa-healthcheck
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
> [
>   {
>     "source": "ipahealthcheck.dogtag.ca",
>     "check": "DogtagCertsConnectivityCheck",
>     "result": "ERROR",
>     "uuid": "ac0200eb-3ec8-405f-ba5e-523cbb40ad6b",
>     "when": "20211222151125Z",
>     "duration": "0.016156",
>     "kw": {
>       "msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "2f010c35-7d7d-431f-89b0-c342516cf296",
>     "when": "20211222151130Z",
>     "duration": "0.412221",
>     "kw": {
>       "key": "20211104170633",
>       "serial": 7,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "10a946e2-e511-417a-b189-a66f1b555470",
>     "when": "20211222151130Z",
>     "duration": "0.519989",
>     "kw": {
>       "key": "20211104170628",
>       "serial": 5,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "7c85e383-8508-4b8e-a10b-838b0b70eb73",
>     "when": "20211222151130Z",
>     "duration": "0.618106",
>     "kw": {
>       "key": "20211104170629",
>       "serial": 2,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "1776678c-d997-435b-b809-52576128a2e9",
>     "when": "20211222151130Z",
>     "duration": "0.709013",
>     "kw": {
>       "key": "20211104170630",
>       "serial": 4,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "f02ff5d9-13cf-4582-9bd3-7567b32c415d",
>     "when": "20211222151130Z",
>     "duration": "0.789825",
>     "kw": {
>       "key": "20211104170631",
>       "serial": 1,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "d30b17b3-f45e-4317-bf8e-c1c13c3f77e3",
>     "when": "20211222151131Z",
>     "duration": "0.903311",
>     "kw": {
>       "key": "20211104170632",
>       "serial": 3,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "32ff9bb7-69b8-4af3-8c20-9f2ab4394a73",
>     "when": "20211222151131Z",
>     "duration": "0.969296",
>     "kw": {
>       "key": "20211104170635",
>       "serial": 34,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "18fb96f0-7a64-4c1c-b03b-bb21e3f90bf1",
>     "when": "20211222151131Z",
>     "duration": "1.065584",
>     "kw": {
>       "key": "20211104170634",
>       "serial": 8,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "d82cdf6d-4d4b-44e4-9aa8-33211aa55c96",
>     "when": "20211222151131Z",
>     "duration": "1.116597",
>     "kw": {
>       "key": "20210811074531",
>       "serial": 10,
>       "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "cc0c7d5c-1132-4b18-ac8e-c7625d3963f0",
>     "when": "20211222151131Z",
>     "duration": "0.015692",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_ldap._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "f0d6873f-b681-457d-8006-9e5bb051b9df",
>     "when": "20211222151131Z",
>     "duration": "0.017296",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "92a5517d-5f73-4f49-8874-bf6bbeb2ed9d",
>     "when": "20211222151131Z",
>     "duration": "0.018275",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "7f1994fb-e1dc-4d8c-93c5-5ba2e6652427",
>     "when": "20211222151131Z",
>     "duration": "0.019243",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos-master._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "e9bbd202-8f37-4a44-b9b0-377ae5a53d08",
>     "when": "20211222151131Z",
>     "duration": "0.020150",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos-master._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "2d4a438f-6271-470e-a6f5-68a30858d928",
>     "when": "20211222151131Z",
>     "duration": "0.021502",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kpasswd._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "828efbaf-2071-4693-94f4-0e4c2ec884c0",
>     "when": "20211222151131Z",
>     "duration": "0.022772",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kpasswd._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "b0a73e45-da65-43a6-a540-8e092e3e4d76",
>     "when": "20211222151131Z",
>     "duration": "0.023895",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:lda...."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "3329eea5-c794-4201-a973-82f22b58f151",
>     "when": "20211222151131Z",
>     "duration": "0.025341",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_ldap._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "dde9dd12-e044-4bde-a75f-2ea4d96910dc",
>     "when": "20211222151131Z",
>     "duration": "0.027364",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com....."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "9ebec84f-aa7d-4ba9-8c4e-ca8dd2aa98c8",
>     "when": "20211222151131Z",
>     "duration": "0.029421",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com....."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "cd921441-98bf-4fc1-a043-ed35a056e818",
>     "when": "20211222151131Z",
>     "duration": "0.030800",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "93f21c35-a10d-418b-a549-c0c70d6330cd",
>     "when": "20211222151131Z",
>     "duration": "0.031808",
>     "kw": {
>       "msg": "Expected SRV record missing",
>       "key": "_kerberos._udp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "331ef74f-e5d6-47d8-a666-a352320772de",
>     "when": "20211222151131Z",
>     "duration": "0.034319",
>     "kw": {
>       "msg": "Got {count} ipa-ca A records, expected {expected}",
>       "count": 0,
>       "expected": 1
>     }
>   }
> ]
--
Nathanaël Blanchet
Network supervision
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet(a)abes.fr
3 months, 4 weeks
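Scott's fix above boils down to one invariant: every AJP secret in server.xml must equal the `secret=` argument httpd passes on its ProxyPassMatch lines, otherwise Tomcat rejects the proxied request and the RA sees the 403s shown in the healthcheck output. The script below is an added example (not code from the thread or from the FreeIPA project) that checks that invariant before anyone edits a file by hand. It reports which server.xml attribute disagrees without printing the secret values themselves. The two config fragments are constructed samples: the attribute names (`secret=`, `sharedSecret=`, `ProxyPassMatch ... secret=`) follow the mail, the Connector layout and the regular expressions are an assumption about the file format, and the secret values are placeholders.

```python
import re
import sys

# Constructed sample fragments (not from the original mail): the two AJP Connector
# definitions in /etc/pki/pki-tomcat/server.xml and the ProxyPassMatch line in
# /etc/httpd/conf.d/ipa-pki-proxy.conf. Attribute names follow the mail above;
# the secret values are placeholders, and here sharedSecret= is the stale one.
SERVER_XML_SAMPLE = """
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="localhost4" secret="BBBB-current-secret" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="localhost6" sharedSecret="AAAA-stale-secret" />
"""

PROXY_CONF_SAMPLE = """
# constructed: only the line that carries the AJP secret matters here
ProxyPassMatch ajp://localhost:8009 secret=BBBB-current-secret
"""

# secret="..." or sharedSecret="..." attributes on the Connector elements
XML_SECRET_RE = re.compile(r'\b(sharedSecret|secret)="([^"]*)"')
# the secret=VALUE argument on a ProxyPassMatch line
PROXY_SECRET_RE = re.compile(r'^\s*ProxyPassMatch\b.*?\bsecret=(\S+)', re.MULTILINE)


def server_xml_secrets(text):
    """[(attribute_name, value), ...] in file order."""
    return XML_SECRET_RE.findall(text)


def proxy_conf_secrets(text):
    """[value, ...] for every ProxyPassMatch line that carries a secret."""
    return PROXY_SECRET_RE.findall(text)


def check_ajp_secrets(server_xml_text, proxy_conf_text):
    """Compare both sides without echoing the secrets themselves.

    Returns {'ok', 'proxy_values', 'mismatched_attrs'}; mismatched_attrs lists the
    server.xml attribute names whose value differs from the httpd side (the side
    Scott found to be the correct one)."""
    xml = server_xml_secrets(server_xml_text)
    proxy = set(proxy_conf_secrets(proxy_conf_text))
    if len(proxy) != 1:
        # no secret, or several different ones, on the httpd side is itself a fault
        return {"ok": False, "proxy_values": len(proxy),
                "mismatched_attrs": [attr for attr, _ in xml]}
    (expected,) = proxy
    mismatched = [attr for attr, value in xml if value != expected]
    return {"ok": bool(xml) and not mismatched, "proxy_values": 1,
            "mismatched_attrs": mismatched}


def check_files(server_xml_path, proxy_conf_path):
    """Run the comparison against the real files (paths taken from the mail)."""
    with open(server_xml_path) as xml_file, open(proxy_conf_path) as conf_file:
        return check_ajp_secrets(xml_file.read(), conf_file.read())


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = check_files(sys.argv[1], sys.argv[2])
    else:
        report = check_ajp_secrets(SERVER_XML_SAMPLE, PROXY_CONF_SAMPLE)
    print(report)
```

Run with no arguments it checks the constructed samples and reports `sharedSecret` as the odd one out; run as `check.py /etc/pki/pki-tomcat/server.xml /etc/httpd/conf.d/ipa-pki-proxy.conf` it checks the live files. Keeping the values out of the report matters because this output tends to end up in tickets and chat logs.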
403 Error
by Christian Reiss
Hey folks,
happily using FreeIPA in my personal hobbyist space across 50 VMs and 8
hosts. It worked like a charm. Ever since a few days ago I am unable to
delete hosts; disabling/enabling users, for example, works, but not
deleting hosts. I am using AlmaLinux 8 with the vendor-supplied FreeIPA version.
I duckduckgo'd around the net and tried to solve the issue myself, but no
errors out there helped me debug. I think I found the issue with
ipa-healthcheck, but I am unsure how to fix it. This is the output:
---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ----
Internal server error 403 Client Error: 403 for url:
http://auth1.alpha-labs.net:80/ca/rest/securityDomain/domainInfo
Directory Server CA certificate not found, assuming 3rd party
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "c76c5f53-1869-4cd5-95e3-dd7f3e0b7e0c",
"when": "20220128091051Z",
"duration": "0.361963",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not match
the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
},
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "e98075a4-5d85-4ccf-a97e-b202fcc92789",
"when": "20220128091054Z",
"duration": "0.566005",
"kw": {
"msg": "Request for certificate failed, Certificate operation
cannot be completed: Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "WARNING",
"uuid": "d9dcf871-1a5d-47a6-8d2e-bcf4f61f09d1",
"when": "20220128091056Z",
"duration": "0.788714",
"kw": {
"key": "DSREPLLE0002",
"items": [
"Replication",
"Conflict Entries"
],
"msg": "There were 4 conflict entries found under the replication
suffix \"dc=alpha-labs,dc=net\"."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPADogtagCertsMatchCheck",
"result": "ERROR",
"uuid": "1c96ee54-e8ca-4045-9bfc-294c261e4ab8",
"when": "20220128091101Z",
"duration": "0.198242",
"kw": {
"key": "caSigningCert cert-pki-ca",
"nickname": "caSigningCert cert-pki-ca",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "{nickname} certificate in NSS DB {dbdir} does not match
entry in LDAP"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "17140733-ba3f-4d34-a48c-3b1e159b3488",
"when": "20220128091105Z",
"duration": "0.731259",
"kw": {
"key": "20201208073945",
"serial": 1073676292,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "9833fce2-5f98-480b-9a69-d2d41db21ef0",
"when": "20220128091105Z",
"duration": "0.888676",
"kw": {
"key": "20201208073937",
"serial": 1073676293,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c3f1b686-a74b-42d6-8b55-b6fe36671933",
"when": "20220128091105Z",
"duration": "1.065141",
"kw": {
"key": "20201208073940",
"serial": 1073676291,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "f6073d14-b9eb-466b-ab29-6151c857d387",
"when": "20220128091105Z",
"duration": "1.226933",
"kw": {
"key": "20201208073942",
"serial": 1073676290,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "a465aaca-67b8-419e-8a38-a16c227d5db1",
"when": "20220128091105Z",
"duration": "1.394251",
"kw": {
"key": "20201208073943",
"serial": 20,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "33de05f4-1e8b-4d26-94ec-e742f4b7b8dc",
"when": "20220128091106Z",
"duration": "1.569087",
"kw": {
"key": "20201208073944",
"serial": 268238852,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "d723658c-74ab-41a4-a3e0-5b643a70e15d",
"when": "20220128091106Z",
"duration": "1.676748",
"kw": {
"key": "20201208073949",
"serial": 1073676289,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "5d67c6e0-785e-456c-9ae3-b2199c5d2051",
"when": "20220128091106Z",
"duration": "1.855003",
"kw": {
"key": "20201208073947",
"serial": 268238849,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "9c0441dc-2f20-41b0-816e-7690fca47448",
"when": "20220128091106Z",
"duration": "1.945158",
"kw": {
"key": "20200406205351",
"serial": 268238851,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.dna",
"check": "IPADNARangeCheck",
"result": "WARNING",
"uuid": "480e0baf-8814-47d5-bb71-e8d780867107",
"when": "20220128091107Z",
"duration": "0.687667",
"kw": {
"range_start": 0,
"range_max": 0,
"next_start": 0,
"next_max": 0,
"msg": "No DNA range defined. If no masters define a range then
users and groups cannot be created."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "37d1c6ed-982c-4046-b6b3-4c47ef6ed249",
"when": "20220128091107Z",
"duration": "0.779401",
"kw": {
"msg": "Got {count} ipa-ca A records, expected {expected}",
"count": 2,
"expected": 3
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "ERROR",
"uuid": "a7a5039b-7e4d-4501-ac39-f6b1d2080107",
"when": "20220128091108Z",
"duration": "0.006982",
"kw": {
"key": "_etc_hosts_mode",
"path": "/etc/hosts",
"type": "mode",
"expected": "0644",
"got": "0444",
"msg": "Permissions of /etc/hosts are too restrictive: 0444 and
should be 0644"
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "71556f6a-b914-41a5-8f88-932b37edcf35",
"when": "20220128091108Z",
"duration": "0.007897",
"kw": {
"key": "_var_log_kadmind.log_mode",
"path": "/var/log/kadmind.log",
"type": "mode",
"expected": "0600",
"got": "0640",
"msg": "Permissions of /var/log/kadmind.log are too permissive:
0640 and should be 0600"
}
}
]
---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ----
Any help is sooo greatly appreciated!
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
3 months, 4 weeks
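Both healthcheck reports above have the same shape: a dozen ERROR entries that all carry the one "Request failed with status 403" text, and a handful of other findings (in Christian's case, a caSigningCert that no longer matches CS.cfg and LDAP) that are easy to lose in the noise. The script below is an added example (not part of either mail or of ipa-healthcheck) that reads the JSON report, fills in the `{placeholder}` templates that ipa-healthcheck puts in `kw.msg`, tallies results per check, and separates the findings that share one transport symptom from everything else. The sample report is constructed from entries trimmed out of the two reports above (uuid, when and duration dropped) and mixes entries from both.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: entries trimmed from the two ipa-healthcheck reports above
# (uuid/when/duration dropped) and mixed together so both kinds of finding appear.
SAMPLE_REPORT = """
[
  {"source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck", "result": "ERROR",
   "kw": {"msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
   "kw": {"key": "20211104170633", "serial": 7,
          "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
          "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
   "kw": {"key": "20211104170628", "serial": 5,
          "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
          "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPADogtagCertsMatchCheck", "result": "ERROR",
   "kw": {"key": "caSigningCert cert-pki-ca", "nickname": "caSigningCert cert-pki-ca",
          "dbdir": "/etc/pki/pki-tomcat/alias",
          "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"}},
  {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
   "kw": {"msg": "Expected SRV record missing", "key": "_ldap._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."}},
  {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
   "kw": {"msg": "Got {count} ipa-ca A records, expected {expected}", "count": 0, "expected": 1}}
]
"""


def render_message(entry):
    """kw['msg'] is a template whose {fields} name other kw keys; fill it in."""
    kw = entry.get("kw", {})
    template = kw.get("msg", "")
    try:
        return template.format(**kw)
    except (KeyError, IndexError, ValueError):
        return template  # template names a field this entry lacks; show it raw


def summarize(report_text):
    """Return ({(source, check): Counter of results}, [(result, check, message), ...])."""
    entries = json.loads(report_text)
    by_check = defaultdict(Counter)
    findings = []
    for entry in entries:
        by_check[(entry["source"], entry["check"])][entry["result"]] += 1
        if entry["result"] != "SUCCESS":
            findings.append((entry["result"], entry["check"], render_message(entry)))
    return by_check, findings


def split_by_symptom(findings, marker):
    """Separate findings that all carry one symptom string (e.g. 'status 403')
    from the rest. Many ERRORs with the same 403 text are one fault in the
    RA -> CA REST path; the remaining findings are where to look for the cause."""
    shared = [f for f in findings if marker in f[2]]
    rest = [f for f in findings if marker not in f[2]]
    return shared, rest


if __name__ == "__main__":
    by_check, findings = summarize(SAMPLE_REPORT)
    for (source, check), results in sorted(by_check.items()):
        print(f"{source}.{check}: {dict(results)}")
    shared, rest = split_by_symptom(findings, "status 403")
    print(f"\n{len(shared)} findings share the CA REST API 403 symptom; other findings:")
    for result, check, message in rest:
        print(f"  [{result}] {check}: {message}")
```

Feeding it the real output (`ipa-healthcheck --output-type json` on a server, or the saved JSON) is a one-line change in `__main__`. On Christian's report the "other findings" list is where the actual defect shows up: the CS.cfg and NSS DB mismatch for caSigningCert, which the 403 flood only obscures.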
parse the audit logs
by Kathy Zhu
Hello list,
I have the FreeIPA audit log on. I feed the audit logs to Graylog. Since there are
multiple lines of logs for each event, I could not find a suitable
extractor to parse the logs. Therefore, the logs are very hard to read.
Could anyone on the list share how you process the logs if you are in a
similar situation?
Thanks!
Kathy.
4 months
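The difficulty Kathy describes is that each event spans several lines, so a line-oriented extractor never sees a whole record. One way to handle that is to reassemble records before they reach Graylog and ship one JSON object per event. The script below is an added example (not from the original post, and not a Graylog or FreeIPA component). It assumes the audit log in question is the one 389 Directory Server writes for FreeIPA's LDAP backend when audit logging is enabled, where each record starts with a `time:` line, uses LDIF-style `-` separators between modifications, and ends at a blank line; the sample records are constructed, not captured from any real server.

```python
import json
import re
from datetime import datetime

# Constructed sample in the 389 Directory Server audit log layout (an assumption
# about which "audit log" is meant): a server banner, then one record per change,
# each starting with "time:" and terminated by a blank line.
SAMPLE_AUDIT_LOG = """389-Directory/1.4.3 B2021.249.1908
ldap://ipa.example.test:389 (/etc/dirsrv/slapd-EXAMPLE-TEST)

time: 20211222151125
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
result: 0
changetype: modify
replace: nsAccountLock
nsAccountLock: TRUE
-
replace: modifiersName
modifiersName: uid=admin,cn=users,cn=accounts,dc=example,dc=test
-

time: 20211222151203
dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
result: 0
changetype: delete

"""

RECORD_START = re.compile(r"^time: (\d{14})$")


def parse_audit_log(text):
    """Group lines into records and return one dict per record."""
    records, body = [], None
    for line in text.splitlines():
        if RECORD_START.match(line):
            if body is not None:          # previous record had no blank line after it
                records.append(_build_record(body))
            body = [line]
        elif body is not None:
            if line.strip() == "":        # blank line closes the record
                records.append(_build_record(body))
                body = None
            else:
                body.append(line)
        # lines before the first "time:" (the server banner) are skipped
    if body is not None:
        records.append(_build_record(body))
    return records


def _build_record(body):
    """Pull out the fields worth indexing; keep the raw record for full-text search."""
    rec = {"attributes": []}
    for line in body:
        if line == "-":                   # LDIF separator between modifications
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "time":
            # the audit log stamps server-local time with no zone, so no "Z" is added
            rec["timestamp"] = datetime.strptime(value, "%Y%m%d%H%M%S").isoformat()
        elif key in ("dn", "changetype"):
            rec.setdefault(key, value)    # first occurrence is the record header
        elif key == "result":
            rec["result"] = int(value)
        elif key in ("add", "replace", "delete"):
            rec["attributes"].append(value)   # which attributes this modify touched
    rec["raw"] = "\n".join(body)
    return rec


def to_json_lines(text):
    """One JSON document per line: the shape a single-line log shipper expects."""
    return [json.dumps(rec, sort_keys=True) for rec in parse_audit_log(text)]


if __name__ == "__main__":
    for line in to_json_lines(SAMPLE_AUDIT_LOG):
        print(line)
```

Run against a file (or tailed input) this gives Graylog one message per LDAP change with `dn`, `changetype`, `result` and the touched `attributes` already split out, so dashboards and alerts (account lock flips, host deletions) key on fields instead of on regexes over wrapped text.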
FreeIPA and XCP hosts
by Christian Reiss
Hey folks,
I am running into a bit of trouble installing the FreeIPA Client on
XCP-NG (https://xcp-ng.org/, Fork of XenServer). They are based on CentOS 7.
Running "yum install --enablerepo=epel,base freeipa-client" results in this:
--> Running transaction check
---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos will be installed
--> Processing Dependency: ntp for package:
ipa-client-4.6.8-5.el7.centos.x86_64
Package ntp-4.2.6p5-29.el7.centos.2.x86_64 is obsoleted by
xcp-ng-deps-8.2.0-10.noarch which is already installed
---> Package python-tdb.x86_64 0:1.3.18-1.el7 will be installed
--> Finished Dependency Resolution
Error: Package: ipa-client-4.6.8-5.el7.centos.x86_64 (base)
Requires: ntp
Available: ntp-4.2.6p5-29.el7.centos.2.x86_64 (base)
ntp = 4.2.6p5-29.el7.centos.2
Any chance of getting this resolved in any way?
Thanks for your kind help :-)
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
4 months
Question about autoregistration
by Boris Behrens
Hi,
this might be a dumb question:
Is there a way to let hosts register themselves and force them into a
hostgroup?
Currently we have one enrollment user that allows systems to join our IPA
installation. This user is in a lot of our automation scripts.
Now I want to have some customer facing systems enrolled with IPA but I
want to force these hosts into a specific host group. Because of the nature
of the systems it's hard to determine the hosts via hostname or IP address.
Cheers
Boris
--
The "UTF-8 problems" self-help group meets this time, exceptionally, in the
large hall.
4 months
first replica master - Internal error testing KRA clone
by lejeczek
Hi guys.
I believe this is reproducible every time: clean
deployment, first master's ipa-healthcheck shows no problems,
replica added, still no problems, then on that first replica
'ipa-kra-install' and immediately:
-> $ ipa-healthcheck
Internal error testing KRA clone. KRA clone problem detected
Host: swir.mine.private Port: 443
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
[
{
"source":
"pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "eed4f41f-27fe-4f37-aa01-d47602f2c58f",
"when": "20220126174106Z",
"duration": "1.207738",
"kw": {
"status": "ERROR: pki-tomcat : Internal error
testing KRA clone. Host: swir.mine.private Port: 443"
}
}
]
How critical is that, and what should be done to fix it?
many thanks, L.
4 months
crypto policies but for SAMBA only - ?
by lejeczek
Hi guys.
If this is news for some, I'd like to share a finding: it's
possible to have IPA-integrated Samba serving non-enrolled clients, both
Linux & Windows, with passwords for authentication (which has long been,
& will continue to be, a must-have for me).
Question for @devel: the above I get simply by switching to 'LEGACY';
is it possible to do that only for IPA-Samba (+ whatever required
bits) as opposed to system-wide?
It would be great to have IPA capable of that, perhaps as an "enhancement"
in future releases.
many thanks, L.
4 months
IPA removal/uninstall renders box unable to login, including console - ?
by lejeczek
Hi guys.
Has anybody seen or experienced that, or something similar? This is a second master
from which I uninstalled IPA successfully and cleanly, and immediately after
reboot the system does not log in users (not even on the tty console).
Something to do with SELinux/fcontext: I had to relabel the
whole '/etc' with the default policy.
many thanks, L.
4 months
[SSSD] Announcing SSSD 2.6.3
by Pavel Březina
# SSSD 2.6.3
The SSSD team is proud to announce the release of version 2.6.3 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.6.3
See the full release notes at:
https://sssd.io/release-notes/sssd-2.6.3.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### Important fixes
* A regression introduced in sssd-2.6.2 in the IPA provider that
prevented users from logging in was fixed. Access control always denied
access because the selinux_child returned an unexpected reply.
* A critical regression that prevented authentication of users via the AD
and IPA providers was fixed. The LDAP port was reused for Kerberos
communication, and this provider would send incomprehensible information
to this port.
* When authenticating AD users, a backtrace was triggered even though
everything was working correctly. This was caused by a search in the
global catalog. Servers from the global catalog are filtered out of the
list before writing the KDC info file. With this fix, SSSD does not
attempt to write to the KDC info file when performing a GC lookup.
4 months
IPA yubikey duo
by Per Qvindesland
Hi
Is there any information on how to implement IPA with yubikey duo? I had a look and it seems straightforward enough to implement Duo and SSH (https://duo.com/docs/duounix), but it would be nice to be able to manage it through IPA.
Regards
Per
Sent from my Commodore 64
4 months