DNSSEC rejected by Cloudflare, Google, accepted by Verizon, AT&T
by Harry G. Coin
I have a DNSSEC-enabled domain that passes all the Verisign and related
DNSSEC tests (all green, no errors) and DNS sources like AT&T and
Verizon. But it fails at some popular DNS servers like Google and
Cloudflare. I'd appreciate what anyone can make of that; there are no
obvious debugging directions when Verisign says 'all good'. If I turn
on the 'cdflag', almost all of https://dnschecker.org/#A/quietfountain.com
works. Turn it off, and some report problems. Some clues most welcome!
Harry Coin
Here's Quad9, for example:
[root@registry1 ~]# dig @9.9.9.9 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @9.9.9.9 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45758
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;quietfountain.com. IN A
;; ANSWER SECTION:
quietfountain.com. 43200 IN A 147.135.121.120
quietfountain.com. 43200 IN A 51.81.131.192
;; Query time: 1463 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Jul 26 17:53:39 CDT 2022
;; MSG SIZE rcvd: 78
But here's Cloudflare and Google:
[root@registry1 ~]# dig @1.1.1.1 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @1.1.1.1 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64113
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for
quietfountain.com.)
;; QUESTION SECTION:
;quietfountain.com. IN A
;; Query time: 2197 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 26 17:51:22 CDT 2022
;; MSG SIZE rcvd: 103
[root@registry1 ~]# dig @8.8.8.8 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @8.8.8.8 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;quietfountain.com. IN A
;; Query time: 2303 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 26 17:51:35 CDT 2022
;; MSG SIZE rcvd: 46
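The EDE 9 text in the Cloudflare answer above ("no SEP matching the DS found") names a mechanical check: every DS record the parent (.com) publishes must hash to one of the DNSKEY records the child zone serves, and the key tag and algorithm in the DS must agree with that key. Verisign's zone-level tests can pass while this check fails, for instance when a DS left over from an earlier KSK still sits at the registrar. The following is an added example, written for this page and not code from the original post or from any resolver; it implements the RFC 4034 key tag and DS digest computation and runs it over constructed records for the placeholder zone example.com. (the key bytes are filler, not a real key, and the "previous KSK" DS is constructed to show the failure case).

```python
import base64
import hashlib
import struct

# Digest types a DS record may carry (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # DNSKEY "Secure Entry Point" bit, set on KSKs (flags 257)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest per RFC 4034 section 5.1.4: H(owner name in wire form || DNSKEY RDATA), as hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def dnskey_line(owner, flags, algorithm, key, ttl=3600):
    """Presentation-format DNSKEY record, as dig prints it (protocol field is always 3)."""
    return f"{owner} {ttl} IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(key).decode()}"


def ds_line(owner, rdata, digest_type, ttl=3600):
    """Presentation-format DS record derived from a DNSKEY RDATA."""
    algorithm = rdata[3]
    return f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def parse_dnskey(line):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> (owner, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    key = base64.b64decode("".join(f[i + 4:]))
    return f[0], dnskey_rdata(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), key)


def parse_ds(line):
    """'owner TTL IN DS keytag alg digesttype hex...' -> (owner, keytag, alg, digesttype, hexdigest)."""
    f = line.split()
    i = f.index("DS")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower()


def check_ds_chain(dnskey_lines, ds_lines):
    """For every DS at the parent, find the child DNSKEY it points at.

    Returns a list of (keytag, algorithm, digest_type, matched_flags); matched_flags is the
    flags field of the matching DNSKEY, or None when no key matches.  A validator accepts a DS
    that matches any DNSKEY (RFC 4035 section 5.2); the SEP bit is only a hint that the key is
    a KSK, which is what the resolver's "no SEP matching the DS" wording refers to.
    """
    keys = [parse_dnskey(line) for line in dnskey_lines]
    results = []
    for owner, tag, alg, dtype, digest in (parse_ds(line) for line in ds_lines):
        matched_flags = None
        for key_owner, rdata in keys:
            flags, _, key_alg = struct.unpack("!HBB", rdata[:4])
            if (key_owner.lower() == owner.lower() and key_alg == alg
                    and key_tag(rdata) == tag
                    and dtype in DIGEST_ALGS
                    and ds_digest(owner, rdata, dtype) == digest):
                matched_flags = flags
                break
        results.append((tag, alg, dtype, matched_flags))
    return results


def build_sample():
    """Constructed data (not real keys): the zone publishes one KSK, but the parent still
    holds a DS for a previous KSK that was rolled out of the zone."""
    owner = "example.com."
    current_key = bytes(range(1, 33))    # filler bytes standing in for a P-256 public key
    previous_key = bytes(range(33, 65))
    dnskeys = [dnskey_line(owner, 257, 13, current_key)]
    ds_records = [ds_line(owner, dnskey_rdata(257, 3, 13, current_key), 2),
                  ds_line(owner, dnskey_rdata(257, 3, 13, previous_key), 2)]
    return dnskeys, ds_records


if __name__ == "__main__":
    dnskeys, ds_records = build_sample()
    for tag, alg, dtype, flags in check_ds_chain(dnskeys, ds_records):
        state = f"matches DNSKEY with flags {flags}" if flags is not None else "NO MATCHING DNSKEY"
        print(f"DS keytag={tag} alg={alg} digesttype={dtype}: {state}")
```

To run this against a real zone, feed it the record lines from `dig +noall +answer DNSKEY <zone>` and `dig +noall +answer DS <zone>` (the DS set should be fetched from the parent's name servers, since that is what validators use). Any DS that comes back with `None` has no key behind it; one stale DS alone is harmless only if at least one other DS does match, so a set where none match is what produces SERVFAIL on validating resolvers. The `cdflag` observation in the post is consistent with this: the CD bit tells a resolver to skip validation, so an answer that appears only with CD set points at a chain-of-trust problem rather than an unreachable zone.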
Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
by roy liang
> I made the following soft link
> ln -s /etc/apache2/nssdb /etc/httpd/alias
> But return code 77 as well, so what do I need to do?
>
> root@migration-ipa-65-186:/.ipa/log# tailf renew.log
> 2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
> will not work.
> * Closing connection 0
> GET
> "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro..."
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Initializing principal
> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
> /etc/krb5.keytab
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG using ccache
> /var/run/certmonger/tmp-FYfJPZ/ccache
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Attempt 1/1: success
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
> 2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Starting external process
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG
> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished, return
> code=3
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stdout=Error 77 connecting
> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
> Problem with the SSL CA cert (path? access rights?).
>
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
> will not work.
> * Closing connection 0
> GET
> "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro..."
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Initializing principal
> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
> /etc/krb5.keytab
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG using ccache
> /var/run/certmonger/tmp-svWgpP/ccache
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Attempt 1/1: success
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
> 2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Starting external process
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG
> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Process finished, return
> code=3
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stdout=Error 77 connecting
> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
> Problem with the SSL CA cert (path? access rights?).
>
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
> will not work.
> * Closing connection 0
> GET
> "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro..."
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Initializing principal
> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
> /etc/krb5.keytab
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG using ccache
> /var/run/certmonger/tmp-DSagx_/ccache
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Attempt 1/1: success
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
> 2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Starting external process
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG
> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Process finished, return
> code=3
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stdout=Error 77 connecting
> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
> Problem with the SSL CA cert (path? access rights?).
>
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
> will not work.
> * Closing connection 0
> GET
> "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro..."
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
> lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb
Hello,
Can I get some attention?
Installing FreeIPA on Ubuntu is something the company left behind, which I also regret. Once I fix the expiration problem I will migrate to CentOS, but I need to solve the certificate expiration problem first. Ubuntu does not use the /etc/httpd/alias service and certificate store; it uses /etc/apache2/nssdb.
Deployment in Docker container on DigitalOcean VPS
by Georgiy Odisharia
Hello there,
I'm a complete newbie when it comes to LDAP. I want to deploy FreeIPA to my VPS hosted on DigitalOcean using a Docker image; it will be used only for personal purposes.
I have a couple of questions.
1. Could I set up FreeIPA with the following domains this way:
a. LDAP server is available from freeipa.<my domain>.
b. Web interface is available through services.<my domain>/freeipa.
c. My devices will be in the DEVICES.<MY DOMAIN> domain.
2. FreeIPA contains a DNS server. I have a caching proxy DNS server enabled in systemd on my host machine. I understand I must disable it. What consequences will that bring? What should I do to keep DNS resolving on my host machine and have DNS enabled inside the Docker container, with the DNS server inside it?
3. I want to reuse the Let's Encrypt keys issued via acme.sh for my personal website with FreeIPA. Is that enough, and what should I do to achieve it? I don't want to use the recommended way; I want to integrate the acme.sh-issued keys inside the FreeIPA container.
road-warrior laptop vs password change in FreeIPA
by Harald Dunkel
Hi folks,
I've got a few colleagues running Debian 10 or 11 on a laptop. Their account
is managed by FreeIPA in the office. On first-time login their laptop is
wired to the office LAN.
When they are in the home office they have a VPN connection (IPsec, WireGuard
or OpenVPN) to the office, but since both WLAN and VPN are usually activated
by NetworkManager *after* login time, I wonder what needs to be done to
update the login information cached by sssd, especially if the user has changed his
login password in the FreeIPA web interface?
So far I have tried
kinit username
sss_cache -E
service sssd restart
This did not help. kinit accepts the new password, of course, but it doesn't
update the cache, nor do the others.
The important point is that the user doesn't lose his cached entry, anyway.
Coming to the office just to register his new password is not an option.
Every helpful hint is highly appreciated.
Harri
DNS issues with dual boot hosts
by Sameer Gurung
Hello Everyone,
I run a FreeIPA server that allows users to log in to Linux (Ubuntu) hosts.
These hosts also have Windows 10 on them in a dual-boot setup. Hence I also
run an Active Directory server, with DHCP. This Windows DHCP server also
provides IP addresses to the hosts when they boot into Ubuntu. This setup
works fine except that when the hosts are given a different IP address they
do not update the IPA server's DNS with their newly acquired IP address.
When installing IPA on the clients, I added the --enable-dns-updates
option and setup was smooth without any issues.
Any help with this will be highly appreciated.
*Sameer Kr. Gurung*
Freeipa in a virtual machine, host being a client
by lol lol
Hello, I'd like to run the IPA server in a VM and at the same time use the host OS as an IPA client, for a uniform set-up of DNS, NTP, SSO etc. across the board.
I have a replica, but let's imagine that I don't. So I have only one IPA server, running as a guest on an IPA client host.
I imagine that I would encounter issues at start-up, since the IPA client services should start AFTER the VM is up and running.
What would be your recommendation for going about it? Should I start libvirt before the IPA client services in the boot chain (and which exact services?) and then sleep long enough so that the VM has time to start?
Or maybe I should just restart some IPA client services after booting?
Thank you.