Oh wait!!! Which set of certs do I need to test against for my certificate chain?
I realized I didn't include the proper path when testing. It should be something
like-
# openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert>
/etc/ipa/ca.crt
# openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert>
/var/lib/ipa/certs/httpd.crt
This would give you output (presuming you are using the correct set of certs)
/etc/ipa/ca.crt: OK
/var/lib/ipa/certs/httpd.crt: OK
Which path contains the intermediate or root CA certs I need to test against?
[root@utility ~]# ls -la | find / -name *.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/tls/certs/localhost.crt
/etc/pki/pki-tomcat/alias/ca.crt
/etc/ipa/ca.crt
/etc/dirsrv/ssca/ca.crt
/etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
/etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
/var/lib/ipa/certs/httpd.crt
/var/kerberos/krb5kdc/kdc.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
/usr/share/ipa/html/ca.crt
________________________________
From: Jeremy Tourville <jeremy_tourville(a)hotmail.com>
Sent: Thursday, September 9, 2021 3:13 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running
ipa-dns-install? (Was - Unable to start directory server after updates)
>>It isn't complaining that the certificate isn't valid,
it's complaining that it isn't trusted.
Thanks for pointing out my mistake.
I'm wearing some egg on my face. I was thinking about it wrong at the time of my
reply.
I attempted to verify trust-
[root@utility ipa]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
^C
[root@utility ipa]# openssl verify -verbose -show_chain -CAfile
/var/lib/ipa/certs/httpd.crt
^C
As you can see, no output, so yeah, they are not trusted.
>Where did httpd.crt come from/what issuer?
I recall not
using a 3rd party CA. The certs were just self-signed when the ipa server was initially
built. I never did replace the certs as it wasn't required for our situation.
Next steps I guess would be to generate some new certs? Thoughts?
________________________________
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Thursday, September 9, 2021 12:53 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>; Jeremy Tourville
<jeremy_tourville(a)hotmail.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running
ipa-dns-install? (Was - Unable to start directory server after updates)
Jeremy Tourville via FreeIPA-users wrote:
/var/lib/ipa/certs/httpd.crt
looks valid and has a 3 year validity date starting from Nov 23, 2020
/etc/ipa/ca.crt
looks valid and has a 20 year validity date starting from Nov 23, 2020
It isn't complaining that the certificate isn't valid, it's complaining
that it isn't trusted. You also need to look at the signer and ensure
that the system trusts it globally. Where did httpd.crt come from/what
issuer?
You might try running:
openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
/var/lib/ipa/certs/httpd.crt
See the default.conf(5) man page for a description of default.conf,
server.conf, etc. In this case server is a context so the configuration
only applies there.
rob
------------------------------------------------------------------------
*From:* Florence Renaud <flo(a)redhat.com>
*Sent:* Tuesday, September 7, 2021 11:38 AM
*To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
*Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
*Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
running ipa-dns-install? (Was - Unable to start directory server after
updates)
Hi Jeremy,
to enable debugging you can simply create /etc/ipa/server.conf if the
file does not exist:
# cat /etc/ipa/server.conf
[global]
debug=True
# systemctl restart httpd
The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
examine its content with
# openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
If the IPA deployment includes an embedded CA, the CA that issued the
httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
openssl command.
flo
On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
<jeremy_tourville(a)hotmail.com <mailto:jeremy_tourville@hotmail.com>> wrote:
I think I see the issue but I am unsure what to do to fix it. See
below.
To answer your question, yes I did accept the security exception.
Also, I don't see a server.conf file at /etc/ipa so that I may
enable debugging. What can you suggest for this issue?
[root@utility ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@utility ~]# kinit admin
Password for admin(a)IDM.NAC-ISSA.ORG <mailto:admin@IDM.NAC-ISSA.ORG>:
[root@utility ~]# klist
Ticket cache: KCM:0:43616
Default principal: admin(a)IDM.NAC-ISSA.ORG
<mailto:admin@IDM.NAC-ISSA.ORG>
Valid starting Expires Service principal
09/07/2021 10:59:23 09/08/2021 10:09:04
krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
<mailto:IDM.NAC-ISSA.ORG@IDM.NAC-ISSA.ORG>
[root@utility ~]# ipa config-show
ipa: ERROR: cannot connect to
'https://utility.idm.nac-issa.org/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
------------------------------------------------------------------------
*From:* Florence Renaud <flo(a)redhat.com <mailto:flo@redhat.com>>
*Sent:* Tuesday, September 7, 2021 10:47 AM
*To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
*Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com
<mailto:jeremy_tourville@hotmail.com>>
*Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
after running ipa-dns-install? (Was - Unable to start directory
server after updates)
Hi Jeremy,
Did you accept the security exception displayed by the browser (I'm
trying to eliminate obvious issues)?
If nothing is displayed, can you check if ipa command-line is
working as expected (for instance do "kinit admin; ipa config-show")?
You may want to enable debug logs (add debug=True to the [global]
section of /etc/ipa/server.conf and restart httpd service), retry
WebUI authentication and check the generated logs in
/var/log/http/error_log
flo
On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
OK,
Why don't I see anything on the initial login page?
All I see is the URL and the fact that the certificate is not
trusted. The certificate is not expired yet. Not until Nov 2021.
The login in page is mostly solid white with no login or
password field.
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure