Alexander,
Please find output below:
[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer:
O=NIX.MYDOMAIN.COM,
CN=ipa-server-01.nix.MYDOMAIN.COM
Validity
Not Before: Nov 30 18:06:04 2017 GMT
Not After : Nov 30 18:06:04 2018 GMT
Subject:
O=NIX.MYDOMAIN.COM,
CN=ipa-server-01.nix.MYDOMAIN.COM
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e1:55:dc:8d:f5:0f:01:f1:75:dd:88:21:53:2e:
...output omitted...
49:b8:c6:59:c3:89:d7:5e:20:a9:81:fe:93:60:b2:
38:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:<unsupported>, othername:<unsupported>
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
81:12:0E:48:6A:43:93:92:03:18:29:D3:3B:E2:71:8B:B4:A9:42:7E
1.3.6.1.4.1.311.20.2:
.".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
Signature Algorithm: sha256WithRSAEncryption
ba:01:72:0b:2f:9d:3f:39:cf:84:be:cd:85:70:08:79:60:9e:
...output omitted...
f4:0d:27:9e:41:bd:71:c9:0d:51:e1:3c:1e:4f:8e:89:71:f3:
e9:fe:40:74
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA+MRYwFAYDVQQKDA1OSVgu
...output omitted...
ZYDW6cyjBkmRmaelKXZEm81ezY+s9A0nnkG9cckNUeE8Hk+OiXHz6f5AdA==
-----END CERTIFICATE-----
[root@ipa-server-01 ~]#
[root@ipa-server-01 krb5kdc]# rm -f kdc.crt
[root@ipa-server-01 krb5kdc]# rm -f kdc.key
[root@ipa-server-01 krb5kdc]#
[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-server-01 krb5kdc]# ls -la
total 20
drwxr-xr-x. 2 root root 82 Dec 4 08:16 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt
-rw------- 1 root root 1704 Dec 4 08:16 kdc.key
[root@ipa-server-01 krb5kdc]#
After the certificate update, it looks like the Web GUI is working.
Thank you so much for your help!
Regards,
Andrey
On 12/4/18, 02:02, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On Tue, 04 Dec 2018, Andrey Ptashnik wrote:
Alexander,
Thank you for your time,
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
No request found that matched arguments.
#
# ls -la /var/kerberos/krb5kdc/
total 16
drwxr-xr-x. 2 root root 82 Dec 3 22:56 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt
-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key
#
What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?
Are you using integrated CA?
If you are using integrated CA, then please move away kdc.crt and
kdc.key and run
ipa-pkinit-manage enable
I used the following commands:
# yum upgrade ipa-server
# ipa-server-upgrade
to upgrade packages, and agreed to any proposed dependencies (there were about 90 of them).
Thanks,
Andrey
On 12/4/18, 01:28, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On Tue, 04 Dec 2018, Andrey Ptashnik via FreeIPA-users wrote:
>Dear FreeIPA Team,
>
>I have an issue with the Web GUI throwing the error message "Login failed due to an unknown reason" when logging in through the Web interface.
>Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine.
>
>I first spotted this issue in 4.5.0 and tried troubleshooting steps
>from previous thread, however that did not help. Hoping that issue is
>solved in higher versions I tried upgrading ipa-server packages via:
>
># yum upgrade ipa-server
># ipa-server-upgrade
>
>However it did not solve the issue in 4.6.6 and exactly the same
>behavior I saw in version 4.5.0
>
># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
>ipa-server-4.6.4-10.el7.centos.x86_64
>krb5-libs-1.15.1-34.el7.x86_64
>krb5-server-1.15.1-34.el7.x86_64
>cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
>sssd-krb5-1.16.2-13.el7.x86_64
>httpd-2.4.6-88.el7.centos.x86_64
>
># cat /etc/*release*
>CentOS Linux release 7.4.1708 (Core)
Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA
packages selectively to a version from CentOS 7.6.1810 without updating
whole distribution to that version, there is no guarantee everything is
working.
>What could be the next troubleshooting step in my case?
Please show
getcert list -f /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
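
A check for the state visible in this thread, as an added example that is not part of the original messages: the first kdc.crt shows Not After Nov 30 2018 with identical issuer and subject, getcert found no tracking request for it, cacert.pem was zero bytes, and the old kdc.key was listed as -rwxr-xr-x. `kdc_cert_report` is a hypothetical helper name and the 30-day warning window is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread. kdc_cert_report is a hypothetical
# helper name; the default paths are the ones shown in the thread.

# Usage: kdc_cert_report [cert] [key] [warn_seconds]
# Prints one finding per line; returns 2 if the certificate cannot be parsed.
kdc_cert_report() {
    cert=${1:-/var/kerberos/krb5kdc/kdc.crt}
    key=${2:-/var/kerberos/krb5kdc/kdc.key}
    warn=${3:-2592000}   # 30 days, an assumed warning window

    # A zero-byte or damaged PEM file fails to parse.
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds,
    # so N=0 asks "has it already expired?".
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -noout -checkend "$warn" -in "$cert" >/dev/null 2>&1; then
        echo "expiring"
    else
        echo "valid"
    fi

    # Issuer equal to subject means the certificate is self-signed.
    issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject= *//')
    if [ "$issuer" = "$subject" ]; then echo "self-signed"; fi

    # Any group/other permission bit on the private key is a finding.
    if [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "key-exposed"
    fi

    # Where certmonger is installed, report a certificate it does not track.
    if command -v getcert >/dev/null 2>&1 &&
       getcert list -f "$cert" 2>/dev/null | grep -q 'No request found'; then
        echo "untracked"
    fi
    return 0
}
```

Run as root with no arguments to check the default paths; a certificate reported as expired, self-signed and untracked matches the one shown at the top of this thread.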