June 2019 - FreeIPA-users - Fedora mailing-lists

Re: Cert expired for pki-tomcat and process would not start
by Sayfiddin, Farhad 24 Jun '19

24 Jun '19

This still remains an issue...any thoughts??? ############## To: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org>; Florence Blanc-Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com> Subject: RE: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start This is affecting 3 out of 4 our IPA servers. Would you recommend any other solution for this issue? We have only one CRL Master IPA server does not have this issue. Would breaking the replication and recreating replica from one good CRL Master IPA server could work? -----Original Message----- From: Sayfiddin, Farhad via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: Wednesday, June 19, 2019 2:51 PM To: Florence Blanc-Renaud <flo(a)redhat.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden <rcritten(a)redhat.com> Subject: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start Thanks for your reply. In the journal I did not see anything meaningful when I ran "certmonger resubmit -i 20170214143200 " Jan 07 20:23:29 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28772 PROTO=UDP SPT=52233 DPT=161 LEN=69 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.598658399 -0600] csngen_new_csn - Warning: too much time skew (-14058896 secs). Current seqnum=1 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 1 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 2 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 3 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.630614940 -0600] csngen_new_csn - Warning: too much time skew (-14058897 secs). Current seqnum=1 Jan 07 20:23:38 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28773 PROTO=UDP SPT=59164 DPT=161 LEN=69 Jan 07 20:23:45 sl1mmgplidm0002.ipa.gen.zone certmonger[6749]: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20190108201652. /var/log/pki/pki-tomcat/ca/debug did not generate anything when I ran "certmonger resubmit -i 20170214143200 " Any thoughts? -----Original Message----- From: Florence Blanc-Renaud <flo(a)redhat.com> Sent: Tuesday, June 18, 2019 11:20 AM To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden <rcritten(a)redhat.com> Subject: Re: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start > Thanks for your response Rob, really appreciate it. > > I have stopped the IPA and went back in time of Jan 7 of 2019 since > Server-Cert cert-pki-ca would expire on: 2019-01-08 20:16:52 UTC > > Started dirsrv, krb5kdc and pki-tomcatd(a)pki-tomcat.service manually. > > [root@sl1mmgplidm0002 ~]# date > Mon Jan 7 20:23:50 CST 2019 > [root@sl1mmgplidm0002 ~]# > > [root@sl1mmgplidm0002 ~]# ipactl status Directory Service: RUNNING > krb5kdc Service: RUNNING kadmin Service: STOPPED named Service: > STOPPED ipa_memcached Service: STOPPED httpd Service: STOPPED > ipa-custodia Service: STOPPED pki-tomcatd Service: STOPPED smb > Service: STOPPED winbind Service: STOPPED ipa-otpd Service: STOPPED > ipa-dnskeysyncd Service: STOPPED > ipa: INFO: The ipactl command was successful > [root@sl1mmgplidm0002 ~]# systemctl status > pki-tomcatd(a)pki-tomcat.service ● pki-tomcatd(a)pki-tomcat.service - PKI Tomcat Server pki-tomcat > Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled) > Active: active (running) since Mon 2019-01-07 20:17:53 CST; 4min 59s ago > Process: 58524 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS) > Main PID: 58637 (java) > CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd(a)pki-tomcat.service > └─58637 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tom... > > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: > Starting ProtocolHandler ["http-bio-8443"] Jan 07 20:17:57 > sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM > org.apache.coyote.AbstractProtocol start Jan 07 20:17:57 > sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting > ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"] Jan 07 20:17:57 > sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: > org.apache.catalina.core.StandardServer[after_start] > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Subsystem CA is disabled. > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: To enable the subsystem: > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, > 2019 8:17:57 PM org.apache.catalina.startup.Catalina start Jan 07 > 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Server > startup in 2477 ms > [root@sl1mmgplidm0002 ~]# > > Ran " certmonger resubmit -i 20170214143200" but cert is still showing to expires on same date, it is not forcing for it to update. > > Status is changed to Monitoring now, but it is only because I went back in time. > > Request ID '20170214143200': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IPA.GEN.ZONE > subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE > expires: 2019-01-08 20:16:52 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > > I have tried to restart certmonger with no luck. Please advise. > Hi, when you run certmonger resubmit, please have a look at the logs generated in the journal. When everything goes smoothly, you should be able to see the following steps in the journal (may be separated by other unrelated logs): dogtag-ipa-ca-renew-agent-submit[20831]: Forwarding request to dogtag-ipa-renew-agent dogtag-ipa-ca-renew-agent-submit[20831]: dogtag-ipa-renew-agent returned 5 The above 2 lines may appear multiple times and show that the CA helper is using another helper. This other command is directly contacting PKI and authenticates with the RA cert (the 'ipaCert' stored in /etc/http/alias). It is calling the profileSubmit API, then the profileReview API. Then at around the same time in /var/log/pki/pki-tomcat/ca/debug, check if there is a line with "uri = /ca/ee/ca/profileSubmit" and another one with "uri = /ca/ee/ca/profileReview". This shows that the PKI server received a renewal request. The following lines may help diagnose any issue (for instance the authentication failed). flo > -----Original Message----- > From: Rob Crittenden <rcritten(a)redhat.com> > Sent: Monday, June 17, 2019 2:17 PM FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process > would not start > >> Here is the output of getcert list > > I think if you stop IPA, go back in time to when this server cert is > valid (it is the TLS cert for the CA server) and manually start > dirsrv, dogtag and krb5 then run certmonger resubmit -i 20170214143200 > > You want to be sure ntpd (or chronyc) isn't running to force time back to now. > > rob > >> >> [root@sl1mmgplidm0002 ~]# getcert list Number of certificates and >> requests being tracked: 8. >> Request ID '20170214143155': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=CA Audit,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:52:55 UTC >> key usage: digitalSignature,nonRepudiation >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143156': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:52:54 UTC >> eku: id-kp-OCSPSigning >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143157': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=CA Subsystem,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:53:15 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143158': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=Certificate Authority,O=IPA.GEN.ZONE >> expires: 2037-01-18 20:02:36 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143159': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=IPA RA,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:52:44 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >> track: yes >> auto-renew: yes >> Request ID '20170214143200': >> status: CA_UNREACHABLE >> ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> expires: 2019-01-08 20:16:52 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143201': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> expires: 2020-12-23 03:40:21 UTC >> principal name: ldap/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE >> track: yes >> auto-renew: yes >> Request ID '20170214143202': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> expires: 2020-12-23 03:40:31 UTC >> principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> >> Already tried this solution with no luck: >> >> https://urldefense.proofpoint.com/v2/url?u=https-3A__rcritten.wordpre >> s >> s.com_2017_09_20_peer-2Dcertificate-2Dcannot-2Dbe-2Dauthenticated-2Dw >> i >> th-2Dgiven-2Dca-2Dcertificates_&d=DwIDAw&c=YQjZbjrpZrGDVqAPwjXLR6FCrp >> S >> yubErKtFCyGSfD8I&r=d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=vYnO >> q >> UeSIamQw5SC2J9Rs9eMlJ1Jd7WemUOfBlK_wz4&s=hu2FmrcSxYTX9VEY0j-d7kejsKMn >> 3 >> 204Kkt_3BRIc80&e= >> >> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L >> >> Certificate Nickname Trust Attributes >> >> SSL,S/MIME,JAR/XPI >> >> Server-Cert u,u,u >> ipaCert u,u,u >> IPA.GEN.ZONE IPA CA CT,C,C >> >> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t ',,' >> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t 'CT,C,C' >> >> Curl command still fails >> >> [root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://urldefense.proofpoint.com/v2/url?u=https-3A__-2560hostname-2560-3A8… >> % Total % Received % Xferd Average Speed Time Time Time Current >> Dload Upload Total Spent Left Speed >> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0) >> * Trying 172.20.0.36... >> * Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443 >> (#0) >> * Initializing NSS with certpath: sql:/etc/httpd/alias/ >> * CAfile: /etc/ipa/ca.crt >> CApath: none >> * Server certificate: >> * subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> * start date: Jan 18 20:16:52 2017 GMT >> * expire date: Jan 08 20:16:52 2019 GMT >> * common name: sl1mmgplidm0002.ipa.gen.zone >> * issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> * NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE) >> * Peer's Certificate has expired. >> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 >> * Closing connection 0 >> curl: (60) Peer's Certificate has expired. >> More details here: >> https://urldefense.proofpoint.com/v2/url?u=http-3A__curl.haxx.se_docs >> _ >> sslcerts.html&d=DwIDaQ&c=YQjZbjrpZrGDVqAPwjXLR6FCrpSyubErKtFCyGSfD8I& >> r >> =d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=Z8zd7LpACPgATImRFhdrk5 >> 2 >> 3IIIKpfTP44sN22Z5k5k&s=PkVO7ngwiWZqwUzfzDqJ6HiWaal9XEglmhYc4u_gkps&e= >> >> curl performs SSL certificate verification by default, using a "bundle" >> of Certificate Authority (CA) public keys (CA certs). If the default >> bundle file isn't adequate, you can specify an alternate file >> using the --cacert option. >> If this HTTPS server uses a certificate signed by a CA represented in >> the bundle, the certificate verification probably failed due to a >> problem with the certificate (it might be expired, or the name might >> not match the domain name in the URL). >> If you'd like to turn off curl's verification of the certificate, use >> the -k (or --insecure) option. >> >> >> -----Original Message----- >> From: Rob Crittenden <rcritten(a)redhat.com> >> Sent: Thursday, June 13, 2019 4:08 PM >> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> >> Cc: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com> >> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process >> would not start >> >>> We have two replica servers sl1mmgplidm0001/2. >>> >>> >>> >>> sl1mmgplidm0001 is functioning as CRL master and has no issues. >>> >>> >>> >>> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master' >>> >>> IPA CA renewal master: sl1mmgplidm0001 >>> >>> [root@sl1mmgplidm0001 ~]# >>> >>> >>> >>> [root@sl1mmgplidm0001 ~]# ipactl status >>> >>> Directory Service: RUNNING >>> >>> krb5kdc Service: RUNNING >>> >>> kadmin Service: RUNNING >>> >>> named Service: RUNNING >>> >>> ipa_memcached Service: RUNNING >>> >>> httpd Service: RUNNING >>> >>> ipa-custodia Service: RUNNING >>> >>> pki-tomcatd Service: RUNNING >>> >>> smb Service: RUNNING >>> >>> winbind Service: RUNNING >>> >>> ipa-otpd Service: RUNNING >>> >>> ipa-dnskeysyncd Service: RUNNING >>> >>> ipa: INFO: The ipactl command was successful >>> >>> [root@sl1mmgplidm0001 ~]# >>> >>> >>> >>> sl1mmgplidm0002 is having an issue where pki-tomcat process would >>> not start due to expired cert. It has CA_UNREACHABLE error >>> >>> >>> >>> [root@sl1mmgplidm0002 ~]# ipactl status >>> >>> Directory Service: RUNNING >>> >>> krb5kdc Service: RUNNING >>> >>> kadmin Service: RUNNING >>> >>> named Service: RUNNING >>> >>> ipa_memcached Service: RUNNING >>> >>> httpd Service: RUNNING >>> >>> ipa-custodia Service: RUNNING >>> >>> pki-tomcatd Service: STOPPED >>> >>> smb Service: RUNNING >>> >>> winbind Service: RUNNING >>> >>> ipa-otpd Service: RUNNING >>> >>> ipa-dnskeysyncd Service: RUNNING >>> >>> ipa: INFO: The ipactl command was successful >>> >>> [root@sl1mmgplidm0002 ~]# >>> >>> >>> >>> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200 >>> Request ID '20170214143200': >>> >>> status: CA_UNREACHABLE >>> >>> ca-error: Error 60 connecting to >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__sl1mmgplidm0002 >>> - >>> 3 >>> A8443_ca_agent_ca_profileReview&d=DwIDAw&c=YQjZbjrpZrGDVqAPwjXLR6FCrpSyubErKtFCyGSfD8I&r=d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=vYnOqUeSIamQw5SC2J9Rs9eMlJ1Jd7WemUOfBlK_wz4&s=EvNOXdLcm_vL9kIJfZltxwLVIojayf1wau_ByrzA_m0&e= : Peer certificate cannot be authenticated with given CA certificates. >>> >>> stuck: no >>> >>> key pair storage: >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cer >>> t cert-pki-ca',token='NSS Certificate DB',pin set >>> >>> certificate: >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cer >>> t cert-pki-ca',token='NSS Certificate DB' >>> >>> CA: dogtag-ipa-renew-agent >>> >>> issuer: CN=Certificate Authority,O=IPA >>> >>> subject: CN=sl1mmgplidm0002,O=IPA >>> >>> expires: 2019-01-08 20:16:52 UTC >>> >>> key usage: >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> >>> [root@sl1mmgplidm0002 ~]# >>> >>> >>> >>> Tried running renew_ca_cert command and "getcert resubmit -i" with no luck. >> >> Don't run ipa-cacert-manage renew. It renews only the root CA cert which won't help. >> >> We need to see the full output of getcert list to see what status all the certs are in. >> >> You might also try this: >> https://urldefense.proofpoint.com/v2/url?u=https-3A__rcritten.wordpre >> s >> s.com_2017_09_20_peer-2Dcertificate-2Dcannot-2Dbe-2Dauthenticated-2Dw >> i >> th-2Dgiven-2Dca-2Dcertificates_&d=DwIDAw&c=YQjZbjrpZrGDVqAPwjXLR6FCrp >> S >> yubErKtFCyGSfD8I&r=d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=vYnO >> q >> UeSIamQw5SC2J9Rs9eMlJ1Jd7WemUOfBlK_wz4&s=hu2FmrcSxYTX9VEY0j-d7kejsKMn >> 3 >> 204Kkt_3BRIc80&e= >> >> rob >> > > _______________________________________________ _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org… List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki… List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org…

1 0

AD's users ssh to IPA's client - should it work?
by lejeczek 24 Jun '19

24 Jun '19

hi guys I think it was asked on the list before but I still cannot find the thread. Should AD's users be able to login to IPA's clients(non-replica) in a pretty vanilla setup? Those users can login to IPA masters okey. I have not created any HBACs yet, nor added new hostgroups etc. When I ssh to IPA's client that client denies that user & shows: pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied) ... many thanks, L.

2 11

pki-tomcat generating ~280MB debug logs per day - best practices for managing disk usage?
by Jonathan Vaughn 21 Jun '19

21 Jun '19

Is it safe to nuke older log files? Some of our CA instances are on VMs which were only allocated a reasonable amount of space for just running FreeIPA, and this adds up fast. The ones on physical have space to spare for some time yet, but some day it would be an issue for them too. Is there a "best" way to control this? I know I can meddle with the pki-tomcat config but I assume it's set to generate all this hilariously verbose logging by default for a reason (or perhaps it's just an oversight that FreeIPA doesn't set this to a sane production configuration?). Also, I don't want to make a change then have it reverted by FreeIPA later...

1 0

Help Needed Rebuilding FreeIPA domain
by Sina Owolabi 21 Jun '19

21 Jun '19

Hi Friends A few months ago I reported a problem with my FreeIPA domain where my master IPA server could not start pki-tomcatd, and I could not find what was causing the problem. Operations such as host deletion, DNS modifications failed with "ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)" on the master but worked on the replicas. I couldnt find a solution, also after seeking help on the list. Now the replicas have the same problem, and I wonder if it would be possible to setup a new master, migrate all existing configuration to this new master, and recreate the domain on the problematic servers? If this is kind of clean sweep is possible, can someone more skilled than I, please advise on how to do this?

2 2

cannot access webui
by Peter Zoltan Keresztes (zozo) 21 Jun '19

21 Jun '19

Hello, I have just installed the new freeipa on ubuntu18.04 and I am trying to login as admin in the web ui but I am not able to do it so. I was looking for any kind of logs but I don’t seam to find a way to debug the problem Any suggestion where to start looking? Regards Peter

4 4

IPA's clients deny password auth to ssh - 6 (Permission denied) - but gssapi works.
by lejeczek 21 Jun '19

21 Jun '19

hi guys A Putty ssh off a AD's Win10 client to IPA's client (non-master) works with gssapi but without it and when need to use password I see: pam_sss(sshd:auth): received for user myuser(a)mine.private: 6 (Permission denied) To make it more bizarre, that same Win10 client does ssh with password(and gssapi) to IPA's masters just fine. My IPA is pretty "vanilla" default after AD trust installation. Any suggestions as to a cause of this misbehavior of IPA clients? many thanks, L.

2 3

kadmin service not running after installing ipa server
by Peter Zoltan Keresztes (zozo) 20 Jun '19

20 Jun '19

Hello I have just installed ipa-server on ubuntu 18.04 and I have observed that the kadmin service is not running. While investigating the issue I’ve seen that is complaining about the not existance of the /etc/krb5kdc/kadm5.acl. ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: STOPPED httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was successful systemctl status krb5-admin-server.service ● krb5-admin-server.service - Kerberos 5 Admin Server Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; disabled; vendor preset: enabled) Drop-In: /lib/systemd/system/krb5-admin-server.service.d └─slapd-before-kdc.conf Active: failed (Result: exit-code) since Thu 2019-06-20 16:36:34 EDT; 3min 9s ago Process: 13426 ExecStart=/usr/sbin/kadmind -nofork $DAEMON_ARGS (code=exited, status=1/FAILURE) Main PID: 13426 (code=exited, status=1/FAILURE) Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: setsockopt(11,IPV6_V6ONLY,1) worked Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: Setting up RPC socket for address 0.0.0.0.749 Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: Setting up RPC socket for address ::.749 Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: setsockopt(13,IPV6_V6ONLY,1) worked Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: set up 6 sockets Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: No such file or directory while opening ACL file /etc/krb5kdc/kadm5.acl Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: Cannot open /etc/krb5kdc/kadm5.acl: No such file or directory while initializing ACL file, aborting Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> kadmind[13426]: kadmind: kadmind: Cannot open /etc/krb5kdc/kadm5.acl: No such file or directory while initializing ACL file, aborting Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> systemd[1]: krb5-admin-server.service: Main process exited, code=exited, status=1/FAILURE Jun 20 16:36:34 ipadev.redcapcloud.com <http://ipadev.redcapcloud.com/> systemd[1]: krb5-admin-server.service: Failed with result 'exit-code’. is there any way I can fix this? regards, Peter

2 2

kadmin service not running after installing ipa server
by Keresztes Péter-Zoltán 20 Jun '19

20 Jun '19

Hello I have just installed ipa-server on ubuntu 18.04 and I have observed that the kadmin service is not running. While investigating the issue I’ve seen that is complaining about the not existance of the /etc/krb5kdc/kadm5.acl. ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: STOPPED httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was successful systemctl status krb5-admin-server.service ● krb5-admin-server.service - Kerberos 5 Admin Server Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; disabled; vendor preset: enabled) Drop-In: /lib/systemd/system/krb5-admin-server.service.d └─slapd-before-kdc.conf Active: failed (Result: exit-code) since Thu 2019-06-20 16:36:34 EDT; 3min 9s ago Process: 13426 ExecStart=/usr/sbin/kadmind -nofork $DAEMON_ARGS (code=exited, status=1/FAILURE) Main PID: 13426 (code=exited, status=1/FAILURE) Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: setsockopt(11,IPV6_V6ONLY,1) worked Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: Setting up RPC socket for address 0.0.0.0.749 Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: Setting up RPC socket for address ::.749 Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: setsockopt(13,IPV6_V6ONLY,1) worked Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: set up 6 sockets Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: No such file or directory while opening ACL file /etc/krb5kdc/kadm5.acl Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: Cannot open /etc/krb5kdc/kadm5.acl: No such file or directory while initializing ACL file, aborting Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: kadmind: kadmind: Cannot open /etc/krb5kdc/kadm5.acl: No such file or directory while initializing ACL file, aborting Jun 20 16:36:34 ipadev.redcapcloud.com systemd[1]: krb5-admin-server.service: Main process exited, code=exited, status=1/FAILURE Jun 20 16:36:34 ipadev.redcapcloud.com systemd[1]: krb5-admin-server.service: Failed with result 'exit-code’. is there any way I can fix this? regards, Peter

1 0

Re: Cert expired for pki-tomcat and process would not start
by Sayfiddin, Farhad 20 Jun '19

20 Jun '19

This is affecting 3 out of 4 our IPA servers. Would you recommend any other solution for this issue? We have only one CRL Master IPA server does not have this issue. Would breaking the replication and recreating replica from one good CRL Master IPA server could work? -----Original Message----- From: Sayfiddin, Farhad via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: Wednesday, June 19, 2019 2:51 PM To: Florence Blanc-Renaud <flo(a)redhat.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden <rcritten(a)redhat.com> Subject: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start Thanks for your reply. In the journal I did not see anything meaningful when I ran "certmonger resubmit -i 20170214143200 " Jan 07 20:23:29 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28772 PROTO=UDP SPT=52233 DPT=161 LEN=69 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.598658399 -0600] csngen_new_csn - Warning: too much time skew (-14058896 secs). Current seqnum=1 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 1 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 2 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 3 Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.630614940 -0600] csngen_new_csn - Warning: too much time skew (-14058897 secs). Current seqnum=1 Jan 07 20:23:38 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28773 PROTO=UDP SPT=59164 DPT=161 LEN=69 Jan 07 20:23:45 sl1mmgplidm0002.ipa.gen.zone certmonger[6749]: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20190108201652. /var/log/pki/pki-tomcat/ca/debug did not generate anything when I ran "certmonger resubmit -i 20170214143200 " Any thoughts? -----Original Message----- From: Florence Blanc-Renaud <flo(a)redhat.com> Sent: Tuesday, June 18, 2019 11:20 AM To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden <rcritten(a)redhat.com> Subject: Re: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start > Thanks for your response Rob, really appreciate it. > > I have stopped the IPA and went back in time of Jan 7 of 2019 since > Server-Cert cert-pki-ca would expire on: 2019-01-08 20:16:52 UTC > > Started dirsrv, krb5kdc and pki-tomcatd(a)pki-tomcat.service manually. > > [root@sl1mmgplidm0002 ~]# date > Mon Jan 7 20:23:50 CST 2019 > [root@sl1mmgplidm0002 ~]# > > [root@sl1mmgplidm0002 ~]# ipactl status Directory Service: RUNNING > krb5kdc Service: RUNNING kadmin Service: STOPPED named Service: > STOPPED ipa_memcached Service: STOPPED httpd Service: STOPPED > ipa-custodia Service: STOPPED pki-tomcatd Service: STOPPED smb > Service: STOPPED winbind Service: STOPPED ipa-otpd Service: STOPPED > ipa-dnskeysyncd Service: STOPPED > ipa: INFO: The ipactl command was successful > [root@sl1mmgplidm0002 ~]# systemctl status > pki-tomcatd(a)pki-tomcat.service ● pki-tomcatd(a)pki-tomcat.service - PKI Tomcat Server pki-tomcat > Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled) > Active: active (running) since Mon 2019-01-07 20:17:53 CST; 4min 59s ago > Process: 58524 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS) > Main PID: 58637 (java) > CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd(a)pki-tomcat.service > └─58637 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tom... > > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: > Starting ProtocolHandler ["http-bio-8443"] Jan 07 20:17:57 > sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM > org.apache.coyote.AbstractProtocol start Jan 07 20:17:57 > sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting > ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"] Jan 07 20:17:57 > sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: > org.apache.catalina.core.StandardServer[after_start] > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Subsystem CA is disabled. > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: To enable the subsystem: > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca > Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, > 2019 8:17:57 PM org.apache.catalina.startup.Catalina start Jan 07 > 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Server > startup in 2477 ms > [root@sl1mmgplidm0002 ~]# > > Ran " certmonger resubmit -i 20170214143200" but cert is still showing to expires on same date, it is not forcing for it to update. > > Status is changed to Monitoring now, but it is only because I went back in time. > > Request ID '20170214143200': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IPA.GEN.ZONE > subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE > expires: 2019-01-08 20:16:52 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > > I have tried to restart certmonger with no luck. Please advise. > Hi, when you run certmonger resubmit, please have a look at the logs generated in the journal. When everything goes smoothly, you should be able to see the following steps in the journal (may be separated by other unrelated logs): dogtag-ipa-ca-renew-agent-submit[20831]: Forwarding request to dogtag-ipa-renew-agent dogtag-ipa-ca-renew-agent-submit[20831]: dogtag-ipa-renew-agent returned 5 The above 2 lines may appear multiple times and show that the CA helper is using another helper. This other command is directly contacting PKI and authenticates with the RA cert (the 'ipaCert' stored in /etc/http/alias). It is calling the profileSubmit API, then the profileReview API. Then at around the same time in /var/log/pki/pki-tomcat/ca/debug, check if there is a line with "uri = /ca/ee/ca/profileSubmit" and another one with "uri = /ca/ee/ca/profileReview". This shows that the PKI server received a renewal request. The following lines may help diagnose any issue (for instance the authentication failed). flo > -----Original Message----- > From: Rob Crittenden <rcritten(a)redhat.com> > Sent: Monday, June 17, 2019 2:17 PM FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process > would not start > >> Here is the output of getcert list > > I think if you stop IPA, go back in time to when this server cert is > valid (it is the TLS cert for the CA server) and manually start > dirsrv, dogtag and krb5 then run certmonger resubmit -i 20170214143200 > > You want to be sure ntpd (or chronyc) isn't running to force time back to now. > > rob > >> >> [root@sl1mmgplidm0002 ~]# getcert list Number of certificates and >> requests being tracked: 8. >> Request ID '20170214143155': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=CA Audit,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:52:55 UTC >> key usage: digitalSignature,nonRepudiation >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143156': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:52:54 UTC >> eku: id-kp-OCSPSigning >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143157': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=CA Subsystem,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:53:15 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143158': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=Certificate Authority,O=IPA.GEN.ZONE >> expires: 2037-01-18 20:02:36 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143159': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=IPA RA,O=IPA.GEN.ZONE >> expires: 2020-12-01 18:52:44 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >> track: yes >> auto-renew: yes >> Request ID '20170214143200': >> status: CA_UNREACHABLE >> ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> expires: 2019-01-08 20:16:52 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20170214143201': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> expires: 2020-12-23 03:40:21 UTC >> principal name: ldap/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE >> track: yes >> auto-renew: yes >> Request ID '20170214143202': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> expires: 2020-12-23 03:40:31 UTC >> principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> >> Already tried this solution with no luck: >> >> https://urldefense.proofpoint.com/v2/url?u=https-3A__rcritten.wordpre >> s >> s.com_2017_09_20_peer-2Dcertificate-2Dcannot-2Dbe-2Dauthenticated-2Dw >> i >> th-2Dgiven-2Dca-2Dcertificates_&d=DwIDAw&c=YQjZbjrpZrGDVqAPwjXLR6FCrp >> S >> yubErKtFCyGSfD8I&r=d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=vYnO >> q >> UeSIamQw5SC2J9Rs9eMlJ1Jd7WemUOfBlK_wz4&s=hu2FmrcSxYTX9VEY0j-d7kejsKMn >> 3 >> 204Kkt_3BRIc80&e= >> >> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L >> >> Certificate Nickname Trust Attributes >> >> SSL,S/MIME,JAR/XPI >> >> Server-Cert u,u,u >> ipaCert u,u,u >> IPA.GEN.ZONE IPA CA CT,C,C >> >> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t ',,' >> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t 'CT,C,C' >> >> Curl command still fails >> >> [root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://urldefense.proofpoint.com/v2/url?u=https-3A__-2560hostname-2560-3A8… >> % Total % Received % Xferd Average Speed Time Time Time Current >> Dload Upload Total Spent Left Speed >> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0) >> * Trying 172.20.0.36... >> * Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443 >> (#0) >> * Initializing NSS with certpath: sql:/etc/httpd/alias/ >> * CAfile: /etc/ipa/ca.crt >> CApath: none >> * Server certificate: >> * subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE >> * start date: Jan 18 20:16:52 2017 GMT >> * expire date: Jan 08 20:16:52 2019 GMT >> * common name: sl1mmgplidm0002.ipa.gen.zone >> * issuer: CN=Certificate Authority,O=IPA.GEN.ZONE >> * NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE) >> * Peer's Certificate has expired. >> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 >> * Closing connection 0 >> curl: (60) Peer's Certificate has expired. >> More details here: >> https://urldefense.proofpoint.com/v2/url?u=http-3A__curl.haxx.se_docs >> _ >> sslcerts.html&d=DwIDaQ&c=YQjZbjrpZrGDVqAPwjXLR6FCrpSyubErKtFCyGSfD8I& >> r >> =d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=Z8zd7LpACPgATImRFhdrk5 >> 2 >> 3IIIKpfTP44sN22Z5k5k&s=PkVO7ngwiWZqwUzfzDqJ6HiWaal9XEglmhYc4u_gkps&e= >> >> curl performs SSL certificate verification by default, using a "bundle" >> of Certificate Authority (CA) public keys (CA certs). If the default >> bundle file isn't adequate, you can specify an alternate file >> using the --cacert option. >> If this HTTPS server uses a certificate signed by a CA represented in >> the bundle, the certificate verification probably failed due to a >> problem with the certificate (it might be expired, or the name might >> not match the domain name in the URL). >> If you'd like to turn off curl's verification of the certificate, use >> the -k (or --insecure) option. >> >> >> -----Original Message----- >> From: Rob Crittenden <rcritten(a)redhat.com> >> Sent: Thursday, June 13, 2019 4:08 PM >> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> >> Cc: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com> >> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process >> would not start >> >>> We have two replica servers sl1mmgplidm0001/2. >>> >>> >>> >>> sl1mmgplidm0001 is functioning as CRL master and has no issues. >>> >>> >>> >>> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master' >>> >>> IPA CA renewal master: sl1mmgplidm0001 >>> >>> [root@sl1mmgplidm0001 ~]# >>> >>> >>> >>> [root@sl1mmgplidm0001 ~]# ipactl status >>> >>> Directory Service: RUNNING >>> >>> krb5kdc Service: RUNNING >>> >>> kadmin Service: RUNNING >>> >>> named Service: RUNNING >>> >>> ipa_memcached Service: RUNNING >>> >>> httpd Service: RUNNING >>> >>> ipa-custodia Service: RUNNING >>> >>> pki-tomcatd Service: RUNNING >>> >>> smb Service: RUNNING >>> >>> winbind Service: RUNNING >>> >>> ipa-otpd Service: RUNNING >>> >>> ipa-dnskeysyncd Service: RUNNING >>> >>> ipa: INFO: The ipactl command was successful >>> >>> [root@sl1mmgplidm0001 ~]# >>> >>> >>> >>> sl1mmgplidm0002 is having an issue where pki-tomcat process would >>> not start due to expired cert. It has CA_UNREACHABLE error >>> >>> >>> >>> [root@sl1mmgplidm0002 ~]# ipactl status >>> >>> Directory Service: RUNNING >>> >>> krb5kdc Service: RUNNING >>> >>> kadmin Service: RUNNING >>> >>> named Service: RUNNING >>> >>> ipa_memcached Service: RUNNING >>> >>> httpd Service: RUNNING >>> >>> ipa-custodia Service: RUNNING >>> >>> pki-tomcatd Service: STOPPED >>> >>> smb Service: RUNNING >>> >>> winbind Service: RUNNING >>> >>> ipa-otpd Service: RUNNING >>> >>> ipa-dnskeysyncd Service: RUNNING >>> >>> ipa: INFO: The ipactl command was successful >>> >>> [root@sl1mmgplidm0002 ~]# >>> >>> >>> >>> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200 >>> Request ID '20170214143200': >>> >>> status: CA_UNREACHABLE >>> >>> ca-error: Error 60 connecting to >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__sl1mmgplidm0002 >>> - >>> 3 >>> A8443_ca_agent_ca_profileReview&d=DwIDAw&c=YQjZbjrpZrGDVqAPwjXLR6FCrpSyubErKtFCyGSfD8I&r=d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=vYnOqUeSIamQw5SC2J9Rs9eMlJ1Jd7WemUOfBlK_wz4&s=EvNOXdLcm_vL9kIJfZltxwLVIojayf1wau_ByrzA_m0&e= : Peer certificate cannot be authenticated with given CA certificates. >>> >>> stuck: no >>> >>> key pair storage: >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cer >>> t cert-pki-ca',token='NSS Certificate DB',pin set >>> >>> certificate: >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cer >>> t cert-pki-ca',token='NSS Certificate DB' >>> >>> CA: dogtag-ipa-renew-agent >>> >>> issuer: CN=Certificate Authority,O=IPA >>> >>> subject: CN=sl1mmgplidm0002,O=IPA >>> >>> expires: 2019-01-08 20:16:52 UTC >>> >>> key usage: >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> >>> [root@sl1mmgplidm0002 ~]# >>> >>> >>> >>> Tried running renew_ca_cert command and "getcert resubmit -i" with no luck. >> >> Don't run ipa-cacert-manage renew. It renews only the root CA cert which won't help. >> >> We need to see the full output of getcert list to see what status all the certs are in. >> >> You might also try this: >> https://urldefense.proofpoint.com/v2/url?u=https-3A__rcritten.wordpre >> s >> s.com_2017_09_20_peer-2Dcertificate-2Dcannot-2Dbe-2Dauthenticated-2Dw >> i >> th-2Dgiven-2Dca-2Dcertificates_&d=DwIDAw&c=YQjZbjrpZrGDVqAPwjXLR6FCrp >> S >> yubErKtFCyGSfD8I&r=d-TYcZJsaxSN2fvTay_nSbRETC6Fq1LvfisROgToD30&m=vYnO >> q >> UeSIamQw5SC2J9Rs9eMlJ1Jd7WemUOfBlK_wz4&s=hu2FmrcSxYTX9VEY0j-d7kejsKMn >> 3 >> 204Kkt_3BRIc80&e= >> >> rob >> > > _______________________________________________ _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org… List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki… List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org…

1 0

Password policy character classes - 8-bit characters?
by Jonathan Vaughn 19 Jun '19

19 Jun '19

If I am reading the documentation right, the effect of having the "8-bit" character class (decimal 128 or less - though this seems more like 7 bit plus decimal 128) is that if you change the password policy character classes from 0 (no checking) to 1, almost anything will match, but unicode characters wouldn't match (so you'd require at least 1 non-unicode non-high ASCII character, excepting of course the oddball decimal 128). Thus, ignoring unicode, if you want to match at least 3 of the other normal classes (upper/lower/digits/special) you'd actually need to set this value to 4? Also, is there a particular reason this character class exists (not to mention the cutoff being 128 "8-bit" not 127 for 7-bit or 255 for 8-bit)? I'm not seeing an obvious use for it other than to be confusing (and potentially reduce your intended complexity by one if you weren't paying attention)

1 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2019