Auto cleanup old enrolled hosts
by Russ Long
We're adding FreeIPA to an immutable, often rotated environment (AWS ECS Hosts). These hosts are spun up and down at least daily. Is there a way to check FreeIPA to see when a host has last communicated with the FreeIPA Cluster? I'd like to use this information to auto-delete hosts that have not reported in from the FreeIPA host list.
1 week, 2 days
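As an added example (not code from the thread or from FreeIPA): FreeIPA keeps no "last contact" timestamp for a host as such. The nearest thing is the krbLastSuccessfulAuth attribute on the host principal's entry, which the KDC only updates once the default 'KDC:Disable Last Success' ipaConfigString has been removed from cn=ipaConfig,cn=etc. The script below assumes that has been done and that it is fed an LDIF export of cn=computers (the sample LDIF, the hostnames, the two-day threshold and the protected-server set are all constructed for the example). Hosts with no krbLastSuccessfulAuth at all are reported separately rather than deleted, because "never seen" can also mean "just enrolled" or "attribute not being recorded".

```python
"""Pick out FreeIPA host entries that have not authenticated recently.

Added example; assumes krbLastSuccessfulAuth is being recorded and that the
input comes from something like

  ldapsearch -LLL -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com \\
      '(objectClass=ipaHost)' fqdn krbLastSuccessfulAuth

SAMPLE_LDIF below is constructed data in that shape.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_LDIF = """\
dn: fqdn=ecs-a.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: ecs-a.example.com
krbLastSuccessfulAuth: 20230823105950Z

dn: fqdn=ecs-b.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: ecs-b.example.com
krbLastSuccessfulAuth: 20230801000000Z

dn: fqdn=ecs-c.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: ecs-c.example.com

dn: fqdn=ipa5.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: ipa5.example.com
krbLastSuccessfulAuth: 20230823110000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    per line, with leading-space continuation lines joined. Base64 ('::')
    values are not needed for these two attributes and are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    # LDAP GeneralizedTime as 389-ds writes it: YYYYmmddHHMMSSZ (UTC)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_hosts(ldif_text, now, max_age, protected):
    """Return (stale, unknown): stale hosts last authenticated more than
    max_age ago; unknown hosts carry no krbLastSuccessfulAuth at all.
    Anything in 'protected' (e.g. the IPA servers themselves) is skipped."""
    stale, unknown = [], []
    for entry in parse_ldif(ldif_text):
        fqdn = entry.get("fqdn", [None])[0]
        if fqdn is None or fqdn in protected:
            continue
        auth = entry.get("krbLastSuccessfulAuth")
        if not auth:
            unknown.append(fqdn)
        elif now - parse_generalized_time(auth[0]) > max_age:
            stale.append(fqdn)
    return sorted(stale), sorted(unknown)


def host_del_commands(fqdns):
    """Commands to run (or review) for the stale set; --updatedns also removes
    the host's A/AAAA/PTR records when IPA manages DNS."""
    return ["ipa host-del --updatedns %s" % f for f in fqdns]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    stale, unknown = classify_hosts(SAMPLE_LDIF, now, timedelta(days=2),
                                    {"ipa5.example.com"})
    print("stale:", stale)
    print("no last-auth recorded (not deleted):", unknown)
    print("\n".join(host_del_commands(stale)))
```

Run it on an export rather than wiring it straight to `ipa host-del`: hosts that an ECS task rotation has already replaced are exactly the ones that should show up in `stale`, while anything in `unknown` deserves a look first.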
certmonger not able to renew a certificate: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
by Sam Morris
Hi folks, I've got a machine where certmonger is unable to renew a
certificate request:
# getcert list -i 20220519165212
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
status: MONITORING
ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
stuck: no
key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.key'
certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
subject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM
issued: 2023-06-21 07:49:49 UTC
expires: 2023-09-19 07:49:49 UTC
dns: xoanon.ipa.example.com
principal name: host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I'm manually attempting to renew the certificate with:
[root@xoanon ~]# getcert resubmit -w -v -i 20220519165212
Resubmitting "20220519165212" to "IPA".
State GENERATING_CSR, stuck: no.
State SUBMITTING, stuck: no.
State MONITORING, stuck: no.
On the server side, I'm unable to find any errors being logged anywhere.
Even after I set 'debug = true' in /etc/ipa/default.conf & restarted
httpd.service, the only log messages are:
==> /var/log/httpd/error_log <==
[Wed Aug 23 10:59:50.765980 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Aug 23 10:59:50.766232 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Aug 23 10:59:50.766352 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
==> /var/log/httpd/access_log <==
192.168.88.3 - host/xoanon.ipa.example.com@IPA.EXAMPLE.COM [23/Aug/2023:10:59:50 +0000] "POST /ipa/json HTTP/1.1" 200 526
... which show that the API call was successful. On the other hand,
according to 'ipa cert-find --subject=xoanon.ipa.example.com', no
certificates have been issued.
It looks like the API isn't calling out to PKI/Dogtag, since nothing is
logged to /var/log/pki/pki-tomcat/localhost_access_log.*.txt or
/var/log/pki/pki-tomcat/ca/debug.*.log.
I also looked for AVC denials and didn't see anything in /var/log/audit.
So, back to the client. certmonger logs the following:
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_SUBJECT" to "CN=xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_HOSTNAME" to "xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_PRINCIPAL" to "host/xoanon.ipa.example.com@IPA.EXAMPLE.COM" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----
MIIEpzCCAw8CAQAwIzEhMB8GA1UEAxMYeG9hbm9uLmlwYS5yb2JvdHMub3JnLnVr
[...]
4d6BlUMScGAgCAxfxEb1eXymTxVm/Do/liHaOqnHGVIr+1OjZNftrUODFQ==
-----END CERTIFICATE REQUEST-----
" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKAC" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKI" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_LOCAL_CA_DIR" to "/var/lib/certmonger/local" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_KEY_TYPE" to "RSA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CA_NICKNAME" to "IPA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CERTIFICATE" to "-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIET/8AJDANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFJ
[...]
dF6L+2tIIpjYylCxKQISWaexKkv1jVQaIPB1foIKyLGaf9YtyaIwyoM9G80UaQ==
-----END CERTIFICATE-----
" for child.
2023-08-23 11:15:50 [836073] Redirecting stdin to /dev/null, leaving stdout and stderr open for child "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [836073] Running enrollment helper "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
Submitting request to "https://ipa5.ipa.example.com/ipa/json".
JSON-RPC error: 2100: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-08-23 11:15:50 [834693] Certificate submission still ongoing.
2023-08-23 11:15:50 [834693] Certificate submission attempt complete.
2023-08-23 11:15:50 [834693] Child status = 2.
2023-08-23 11:15:50 [834693] Child output:
"Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
"
2023-08-23 11:15:50 [834693] Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
2023-08-23 11:15:50 [834693] Certificate not (yet?) issued.
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
I found that I could add 'OPTS=-d9' to /etc/sysconfig/certmonger &
restart certmonger.service, which does cause it to log more, but it
doesn't give any further insight into the messages exchanged with the
server.
Does anyone know where I can look next?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1 week, 5 days
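The request above is the nasty kind of certmonger failure: status stays MONITORING, the existing certificate is still valid, and the only sign of trouble is the ca-error text, so nothing alarms until expiry. As an added example (not code from the thread or from certmonger), the script below parses `getcert list` output and flags requests with a ca-error, a stuck flag, a non-MONITORING state, or an expiry inside a warning window. The sample input is constructed from the format shown above, with one healthy request (ID 20220519165213, an NSS-database tracked cert) added for contrast.

```python
"""Triage 'getcert list' output: report requests that need attention.

Added example. SAMPLE_GETCERT is constructed to match certmonger's output
format (one 'Request ID' header, tab-indented 'key: value' lines).
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT = (
    "Number of certificates and requests being tracked: 2.\n"
    "Request ID '20220519165212':\n"
    "\tstatus: MONITORING\n"
    "\tca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our "
    "request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: "
    "GSSAPI Error: Unspecified GSS failure. Minor code may provide more "
    "information (Credential cache is empty)).\n"
    "\tstuck: no\n"
    "\tkey pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.key'\n"
    "\tcertificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.crt'\n"
    "\tCA: IPA\n"
    "\tsubject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM\n"
    "\tissued: 2023-06-21 07:49:49 UTC\n"
    "\texpires: 2023-09-19 07:49:49 UTC\n"
    "\tpre-save command:\n"
    "\tpost-save command:\n"
    "\ttrack: yes\n"
    "\tauto-renew: yes\n"
    "Request ID '20220519165213':\n"
    "\tstatus: MONITORING\n"
    "\tstuck: no\n"
    "\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'\n"
    "\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'\n"
    "\tCA: IPA\n"
    "\tsubject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM\n"
    "\tissued: 2023-08-01 00:00:00 UTC\n"
    "\texpires: 2025-07-31 00:00:00 UTC\n"
    "\ttrack: yes\n"
    "\tauto-renew: yes\n"
)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return a list of dicts, one per tracked request. Keys are the field
    names as printed; a field with no value (pre-save command:) maps to ''."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or not line.startswith((" ", "\t")):
            continue  # the 'Number of certificates ...' summary line
        # Split on the first colon only: values such as URLs contain colons.
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(text, now, warn_within=timedelta(days=30)):
    """Map request id -> list of problems. Empty dict means nothing to do.
    Any non-MONITORING state is reported: states such as SUBMITTING are
    normally transient, so seeing one in a periodic check is worth a look."""
    problems = {}
    for req in parse_getcert_list(text):
        issues = []
        if req.get("ca-error"):
            issues.append("ca-error: " + req["ca-error"])
        if req.get("stuck", "no") != "no":
            issues.append("stuck")
        if req.get("status") != "MONITORING":
            issues.append("status %s" % req.get("status"))
        if req.get("expires"):
            remaining = parse_expiry(req["expires"]) - now
            if remaining <= timedelta(0):
                issues.append("expired")
            elif remaining <= warn_within:
                issues.append("expires in %d days" % remaining.days)
        if issues:
            problems[req["id"]] = issues
    return problems


if __name__ == "__main__":
    for req_id, issues in triage(SAMPLE_GETCERT, datetime.now(timezone.utc)).items():
        print(req_id)
        for issue in issues:
            print("  -", issue)
```

Feed it `getcert list` from each host (over ssh, or from a node exporter textfile) and alert on a non-empty result; the ca-error check is the one that would have caught this thread's failure weeks before expiry.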
New plugin almost ready - postfixadmin
by Francis Augusto Medeiros-Logeay
Hi,
I have almost finished a plugin for FreeIPA, so that admins can have functionality similar to that found in Postfix Admin.
https://github.com/oculos/freeipa-postfixadmin/blob/main/README.md
There is already a good plugin that does a bit of that, but the goal is a bit different. My main goal is not to mix up postfix configuration with groups and hosts, but have separate entities for domain, aliases and virtual domains, in addition to mailboxes.
It was written mostly to allow me to migrate my mailboxes from MySQL to FreeIPA, and I don’t have a huge postfix configuration - I only have multiple domains, mailboxes, aliases and virtual domains, so that’s the functionality I wanted with this plugin.
There are a few things missing before this can go in production («production» here means to actually migrate my mailboxes to FreeIPA), adding a mailbox to ipa users on the gui being the most important one.
I would appreciate any comments and feedback regarding this plugin. It wasn't easy to understand the logic of how to write one, but I got the hang of it (for simple stuff).
Best,
Francis
4 weeks
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
1 month
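One way to grant exactly that, as an added example rather than anything from the thread: a 389-ds ACI on the sysaccounts container whose bind rule is `ldap:///self`, so whichever system account binds can read only its own entry, and only the attributes the self-check needs (uid and objectClass; leaving userPassword out of targetattr is deliberate). The base DN dc=example,dc=com is assumed; apply with `ldapmodify -x -D "cn=Directory Manager" -W -f` on one replica (ACIs replicate with the entry).

```ldif
dn: cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || objectClass")(version 3.0; acl "System accounts can read their own entry"; allow (read, search, compare) userdn = "ldap:///self";)
```

Check it from the account's point of view, binding as the sysaccount and searching its own DN with a base scope: `ldapsearch -x -D uid=svc,cn=sysaccounts,cn=etc,dc=example,dc=com -W -b uid=svc,cn=sysaccounts,cn=etc,dc=example,dc=com -s base uid` (the account name `svc` is a placeholder). It should return its uid; searching a sibling account's DN should still return nothing.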
Installing FreeIPA server + replica using Ansible Role FreeIPA
by Finn Fysj
The installation of the IPA server and replica does not produce the desired result.
Even though mkhomedir is set to true, the feature is not enabled in authselect. Also, the replica server does not replicate SUDO and HBAC rules from the IPA master.
Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.
Example of the IPA server role:
- role: freeipa.ansible_freeipa.ipaserver
  vars:
    ipaserver: "{{ ansible_hostname }}.example"
    ipaserver_hostname: "{{ ansible_hostname }}.example"
    ipaadmin_password: "test123"
    ipadm_password: "test321"
    ipaserver_domain: "example.com"
    ipaserver_realm: "EXAMPLE.COM"
    ipaserver_no_host_dns: true
    ipaserver_mem_check: true
    ipaserver_install_packages: true
    ipaserver_setup_dns: false
    ipaserver_no_pkinit: true
    ipaserver_no_hbac_allow: true
    ipaserver_no_ui_redirect: false
    ipaclient_no_ntp: true
    ipaclient_mkhomedir: true
    ipaclient_no_sudo: false
1 month, 2 weeks
Free IPA DNS Issues
by Pradeep KNS
Hello Team,
While setting up FreeIPA in my Linux infrastructure, I noticed a strange
warning. I would like to clarify before rolling into production.
*DNS zone alpha-grep.com. already exists in DNS and
is handled by server(s): ['ns2.', 'ns1.'] Please make sure that the domain
is properly delegated to this IPA server.*
I have put the detailed installation log at this link. Please suggest whether
it will be a security flaw in future, before installing it on production.
https://bpa.st/AMITK
2 months
IPA Upgrade failure during CA phase
by Vinícius Ferrão
Hello,
After running yum update on a EL7.9 system FreeIPA was unable to start asking for manual upgrade.
So I performed the required command, without success:
[root@headnode pki]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: saving configuration
[2/9]: disabling listeners
[3/9]: enabling DS global lock
[4/9]: disabling Schema Compat
[5/9]: starting directory server
[6/9]: updating schema
[7/9]: upgrading server
[8/9]: stopping directory server
[9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The /var/log/ipaupgrade.log file is 75k lines long, but looking at it after some hours I think the relevant data is the following:
2023-09-26T22:22:23Z DEBUG stdout=ERROR: No kra subsystem in instance pki-tomcat.
2023-09-26T22:22:35Z DEBUG stderr=
2023-09-26T22:22:35Z DEBUG Starting pki-tomcatd@pki-tomcat.
2023-09-26T22:22:35Z DEBUG Starting external process
2023-09-26T22:22:35Z DEBUG args=/bin/systemctl start pki-tomcatd@pki-tomcat.service
2023-09-26T22:22:36Z DEBUG Process finished, return code=0
2023-09-26T22:22:36Z DEBUG stdout=
2023-09-26T22:22:36Z DEBUG stderr=
2023-09-26T22:22:36Z DEBUG Starting external process
2023-09-26T22:22:36Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service
2023-09-26T22:22:36Z DEBUG Process finished, return code=0
2023-09-26T22:22:36Z DEBUG stdout=active
2023-09-26T22:22:36Z DEBUG stderr=
2023-09-26T22:22:36Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2023-09-26T22:22:36Z DEBUG waiting for port: 8080
2023-09-26T22:22:36Z DEBUG Failed to connect to port 8080 tcp on ::1
2023-09-26T22:22:36Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
2023-09-26T22:22:38Z DEBUG SUCCESS: port: 8080
2023-09-26T22:22:38Z DEBUG waiting for port: 8443
2023-09-26T22:22:38Z DEBUG SUCCESS: port: 8443
2023-09-26T22:22:38Z DEBUG Start of pki-tomcatd@pki-tomcat.service complete
2023-09-26T22:22:38Z DEBUG Waiting until the CA is running
2023-09-26T22:22:38Z DEBUG request POST http://DOMAIN:8080/ca/admin/ca/getStatus
2023-09-26T22:22:38Z DEBUG request body ''
2023-09-26T22:22:42Z DEBUG response status 500
2023-09-26T22:22:42Z DEBUG response headers Server: Apache-Coyote/1.1
2023-09-26T22:22:42Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem 
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:750)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2023-09-26T22:22:42Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2023-09-26T22:22:42Z DEBUG Waiting for CA to start…
So it seems that the CA is broken.
On /var/log/pki; I can find this:
cat pki-server-upgrade-10.5.*
Upgrading PKI server configuration at Mon Sep 18 01:38:43 -03 2023.
Upgrading from version 10.5.9 to 10.5.17:
1. Update audit events
Upgrading from version 10.5.17 to 10.5.18:
1. Fix EC admin certificate profile
Upgrading from version 10.5.18 to 10.5.18:
1. Add caAuditSigningCert profile
2. Fix the authentication for caServerKeygen_UserCert profile
ERROR: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg'
Failed upgrading pki-tomcat/ca subsystem.
Upgrade failed in pki-tomcat/ca: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg'
Continue (Yes/No) [Y]? Traceback (most recent call last):
File "/sbin/pki-server-upgrade", line 211, in <module>
main(sys.argv)
File "/sbin/pki-server-upgrade", line 204, in main
upgrader.upgrade()
File "/usr/lib/python2.7/site-packages/pki/upgrade.py", line 623, in upgrade
self.upgrade_version(version)
File "/usr/lib/python2.7/site-packages/pki/upgrade.py", line 613, in upgrade_version
case_sensitive=False).lower()
File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 142, in read_text
value = input(message)
EOFError: EOF when reading a line
But nothing more.
Any idea of what I should be looking for?
Thanks.
2 months, 2 weeks
Keytab issues after upgrade to Fedora 38
by Djerk Geurts
Today was my second attempt to lift FreeIPA servers to Fedora 38 from 37. Again it failed.
Sync and healthchecks were fine, but an (admin) user can't log into the WebUI and can't do sudo. Login works because I do key based authentication.
Kinit admin works, but kinit alone doesn't.
I have a hunch that a keytab gets corrupted somewhere, but I'm baffled as to why this wouldn't present as different errors.
Has anyone experienced similar issues? I've rolled the servers back, so don't have much in the way of logs at the moment.
2 months, 2 weeks