HTTP certificate expired
by Juan Pablo Lorier
Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
The initial status was:
Request ID '20191219011208':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
I got it to this state:
Request ID '20191219011208':
status: MONITORING
ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after?
Thanks in advance
Using Python kernel
by Philippe de Rochambeau
Hello,
while reading the manual (man ipa), I’ve noticed there’s a way to access the Python « kernel », for lack of a better word.
What is that « kernel »’s exact purpose?
Many thanks.
Philippe
Adding roles
by Philippe de Rochambeau
Hello,
is there an ipa command called role-add? I couldn’t find it in the man.
Furthermore, let's say you wish to add 400 roles to FreeIPA using the CLI.
Would you recommend backing-up FreeIPA before issuing 400 role-adds?
Can role-adds fail or cause exceptions?
Many thanks.
Philippe
ipa-healthcheck errors
by Rob Verduijn
Hello,
After today's update I noticed I am now running Rocky 8.7.
freeipa was updated just fine and is working nicely.
However, after running ipa-healthcheck I was treated with a HUGE amount of errors.
After some digging I found that certmonger stopped tracking all my certs.
Figuring out how to get all the certs tracked again took quite some time; examples or hints on how to do this are sadly missing in ipa-healthcheck, they would have been very useful.
So now all untracked certs are tracked and no longer in ipa-healthcheck output.
But there are still quite a few errors left which I have no clue about.
Does anybody know how to fix the errors from ipa-healthcheck? (see txt below)
Any help would be appreciated
Rob
ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object',
'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0,
'(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
'serverctrls': None, '
clientctrls': None, 'escapehatch': 'i am sure'}) on instance
TJAKO-THUIS"},)
[
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "CRITICAL",
"uuid": "711d096f-c1a8-4528-873d-522498811fbf",
"when": "20221118235210Z",
"duration": "2.149582",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "CRITICAL",
"uuid": "06997e50-52cd-4240-9b90-41cd7bf9e9f6",
"when": "20221118235212Z",
"duration": "2.599630",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "CRITICAL",
"uuid": "5fe7388f-6ec6-433f-87df-4596eabee060",
"when": "20221118235224Z",
"duration": "2.801779",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerCA",
"result": "ERROR",
"uuid": "7a588ee8-f3f0-4db4-91d0-b236a9dcbb81",
"when": "20221118235224Z",
"duration": "0.009275",
"kw": {
"key": "dogtag-ipa-ca-renew-agent-reuse",
"msg": "Certmonger CA '{key}' missing"
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "CRITICAL",
"uuid": "2e82818e-7210-4cf2-bd99-7490841348c6",
"when": "20221118235226Z",
"duration": "0.199291",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
}
]
'transportCert cert-pki-kra' mix up
by GH
I've got two ancient (3.1?) IPA servers that have been upgraded over time. Last January things got really goofy with certificates and I got it all sorted. However, now I've got an old issue creeping back in. The 'transportCert cert-pki-kra' is mismatched between the CS.cfg and the tracked certificate. This is a multi-master setup. The signing master seems to be the one that's off. It's tracking the updated original 'transportCert cert-pki-kra' certificate. However, the "secondary" master is tracking a newly generated 'transportCert cert-pki-kra', which is also what both CS.cfg's are referencing. Neither one of the certificates is expired. Everything else seems to be in working order. Here is ipa-healthcheck's only relevant error:
"source": "ipahealthcheck.dogtag.ca",
"kw": {
"msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
"configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
"directive": "ca.connector.KRA.transportCert",
"key": "transportCert cert-pki-kra"
},
So, what should I copy where to get this sorted? It seems like the updated original 'transportCert cert-pki-kra' should be copied into the CS.cfg and then manually scp the NSS files from "primary" to "secondary"? What commands would you use to do this? I've got a lot of commands noted and am beginning to get confused as to which ones should be used to get this sorted. Thanks.
Indirect/nested group membership behaviour change in 4.6.8
by Mark Stewart
All, we have a RHEL estate currently at Red Hat release 4.9. This included an IPA upgrade to 4.6.8. As soon as the upgrade was complete, the various applications that we have integrated with FreeIPA/IdM ceased to recognise nested group membership. We opened a case with Red Hat, who reported that nothing had changed that would cause that behaviour. I'm just checking if anyone is aware of what may have changed in this IPA release, or part of the configuration that we should verify?
Thanks.