*** EXTERNAL E-MAIL ***
On 13-07-2021 17:24, Kees Bakker via FreeIPA-users wrote:
> On 13-07-2021 17:08, Rob Crittenden wrote:
>> Kees Bakker wrote:
>>> On 12-07-2021 21:51, Rob Crittenden wrote:
>>>> Kees Bakker via FreeIPA-users wrote:
>>>>> Hi Flo,
>>>>>
>>>>> Do you have a hint how I can get to the point where I can execute
>>>>> the pki securitydomain-host-del command? All examples [2] on the
>>>>> Internet
>>>>> are from the time when there was a /root/ca-agent.p12 and ipaCert.
>>>>> I think that has been migrated to /var/lib/ipa/ra-agent.{key,pem}
[1].
>>>>>
>>>>> Maybe you are going to say that I shouldn't need that pki
command. But I
>>>>> have two deleted masters in the pki database. Using
>>>>> pki securitydomain-host-del seems the only way to get rid of them.
If
>>>>> you
>>>>> have a better suggestion then please let me know.
>>>>>
>>>>> [1]
https://www.freeipa.org/page/Releases/4.8.1
>>>>> [2]
https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup
>>>> The CA agent is something different and not used by IPA at all. If your
>>>> installation is > 2 years old it is expired anyway.
>>>>
>>>> The dogtag documentation is woefully out-of-date in this regard
>>>> unfortunately (and yes, I realize I also live in a glass house regarding
>>>> wikis).
>>>>
>>>> You don't need to import anything, the entries you need are already
>>>> there. Try:
>>>>
>>>> # pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert
cert-pki-ca' -C
>>>> /etc/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del 'CA
>>>> ipa.example.test 443'
>>> Thanks Rob,
>>>
>>> That did it.
>>>
>>> I'm now almost there to get a clean outcome of ipa-healthcheck.
>>> It reports no errors anymore, but ... there is one healthcheck that
>>> wants a password. I have no idea what or why.
>>>
>>> [root@linge ~]# /usr/bin/ipa-healthcheck --source
>>> pki.server.healthcheck.clones.connectivity_and_data
>>> keyctl_search: Required key not available
>>> Enter password for Internal Key Storage Token:
>>> []
>> This comes out of the pki healthcheck plugins.
>>
>> The check does some client cert connections, so I assume it needs the
>> NSS database password. I'm guessing it looks in the kernel keyring
>> (keyctl_search) and then prompts the user.
>>
>> You can open an issue against them at
>>
https://github.com/dogtagpki/pki/issues
> See
https://github.com/dogtagpki/pki/issues/3650
I wrote some more details in the issue. First part of the problem is
that I have this in /etc/pki/pki-tomcat/ca/CS.cfg
ca.subsystem.tokenname=Internal Key Storage Token
The second part of the problem is that this name should be
normalized to "internal".
In pki.nssdb there is a normalize function but that is not called
in the case. Furthermore, the function is not implemented as I
would have done it.
If the above two problems were to be solved then the plugin would
get the password from /etc/pki/pki-tomcat/password.conf
I am a bit surprised that nobody has this problem but me. The solution
is probably as simple as this:
diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
index bea2872ea..2472f35b5 100644
--- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
@@ -168,7 +168,7 @@ class ClonesPlugin(Plugin):
# Set some vars we will be using later
self.db_dir = self.security_domain.config.get('jss.configDir')
self.subsystem_token =
self.security_domain.config.get('ca.subsystem.tokenname')
- self.passwd = self.instance.get_password(self.subsystem_token)
+ self.passwd = self.instance.get_token_password(self.subsystem_token)
return sec_domain, sechost, secport
-- Kees
>>
>> rob
>>
>>> -- Kees
>>>> rob
>>>>
>>>>> -- Kees
>>>>>
>>>>> On 12-07-2021 15:01, Kees Bakker via FreeIPA-users wrote:
>>>>>> It is now time for me to try and follow the suggested pki
commands.
>>>>>> However, I don't have a /root/ca-agent.p12
>>>>>>
>>>>>> There is quite a bit of documentation on the Internet, but it
might
>>>>>> not all be
>>>>>> up-to-date.
>>>>>>
>>>>>> Here [1] the file /root/ca-agent.p12 is mentioned under "PKI
Admin
>>>>>> Certificate".
>>>>>>
>>>>>> "PKI admin certificate is stored in several locations:
>>>>>>
>>>>>> /root/ca-agent.p12 with nickname ipa-ca-agent (misleading
>>>>>> nickname).
>>>>>> /root/.dogtag/pki-tomcat/ca_admin.cert
>>>>>> /root/.dogtag/pki-tomcat/ca_admin.cert.der
>>>>>> /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to
>>>>>> /root/ca-agent.p12)
>>>>>> "
>>>>>>
>>>>>> I don't have any of them. Then [1] continues with
>>>>>>
>>>>>> "PKI Agent Certificate
>>>>>>
>>>>>> PKI agent certificate is stored in /etc/httpd/alias and tracked
by IPA:
>>>>>>
>>>>>> ipaCert (CN=IPA RA)
>>>>>>
>>>>>> For IPA Password Vault the certificate is exported and cached
into
>>>>>> /etc/httpd/alias/kra-agent.pem since python-requests does not
support
>>>>>> NSS. The cache is invalidated if the KRA authentication fails.
>>>>>> IPA Certificates
>>>>>>
>>>>>> IPA certificates are stored in /etc/httpd/alias:
>>>>>>
>>>>>> <REALM> IPA CA (CN=Certificate Authority)
>>>>>> <External CA DN>
>>>>>> ipa-ca-agent (CN=ipa-ca-agent)
>>>>>> ipaCert (CN=IPA RA)
>>>>>> Signing-Cert (CN=Object Signing Cert)
>>>>>> "
>>>>>>
>>>>>> But all I have in /etc/httpd/alias is a file ipasession.key
>>>>>>
>>>>>> I'm confused.
>>>>>>
>>>>>> [1]
https://www.dogtagpki.org/wiki/IPA_Certificates
>>>>>> -- Kees
>>>>>>
>>>>>> On 14-06-2021 16:39, github--- via FreeIPA-users wrote:
>>>>>>> On 29-05-2021 10:21, Alexander Bokovoy wrote:
>>>>>>>> But I did use "ipa-csreplica-manage del" as
well. However, I
>>>>>>>> remember that it
>>>>>>>> complained it couldn't remove that host. I was
assuming it was
>>>>>>>> already gone.
>>>>>>>> When I list with ipa-csreplica-manage then I don't
see the old hosts
>>>>>>>> anymore.
>>>>>>> Its worth noting my install (4.9.3) on Fedora
`ipa-csreplica-manage
>>>>>>> del` just prints a deprecated message and doesn't seem to
do anything.
>>>>>>>
>>>>>>>> So, two things
>>>>>>>> 1) "ipa-csreplica-manage del" somehow failed
(it's probably too late
>>>>>>>> to look
>>>>>>>> at logs)
>>>>>>>> 2) how can I still remove the old hosts?
>>>>>>> I have/had the same problem. I used
>>>>>>>
https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me
auth
>>>>>>> into the CA to remove the dead host.
>>>>>>>
>>>>>>> pki client-cert-import --pkcs12 /root/ca-agent.p12
>>>>>>> --pkcs12-password [redact]
>>>>>>> pki -n ipa-ca-agent securitydomain-host-find
>>>>>>> # you need the full Host ID section to remove
>>>>>>> pki -n ipa-ca-agent securitydomain-host-del "CA
>>>>>>>
freeipa2[redact].net 443"
>>>>>>>
>>>>>>> Keep in mind I'm fairly new to IPA, so maybe you
don't want to do
>>>>>>> this on a production system without someone else more
experienced
>>>>>>> chiming in. But, so far, the health check stopped
complaining,
>>>>>>> replication is fine, and all my users can still log in.
>>>>>>> _______________________________________________
>>>>>>> FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
>>>>>>> To unsubscribe send an email to
>>>>>>> freeipa-users-leave(a)lists.fedorahosted.org
>>>>>>> Fedora Code of Conduct:
>>>>>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>> List Guidelines:
>>>>>>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>> List Archives:
>>>>>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>>>
>>>>>>>
>>>>>>> Do not reply to spam on the list, report it:
>>>>>>>
https://pagure.io/fedora-infrastructure
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
>>>>>> To unsubscribe send an email to
>>>>>> freeipa-users-leave(a)lists.fedorahosted.org
>>>>>> Fedora Code of Conduct:
>>>>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>> List Archives:
>>>>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>>
>>>>>>
>>>>>> Do not reply to spam on the list, report it:
>>>>>>
https://pagure.io/fedora-infrastructure
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>> To unsubscribe send an email to
>>>>> freeipa-users-leave(a)lists.fedorahosted.org
>>>>> Fedora Code of Conduct:
>>>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>
>>>>>
>>>>> Do not reply to spam on the list, report it:
>>>>>
https://pagure.io/fedora-infrastructure
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure