I have a strange problem on a replication server. I set up the master server and generated and installed a Let's Encrypt certificate.
On the replica server I do the same steps, but when I try to install the PKCS#12 file I get an error about invalid credentials. For the private key unlock password I am using a weak password which I set in the process of generating the PKCS#12 file in the step before. The Directory Manager password is right, because when I do:
ldapsearch -x -D "cn=directory manager" -w mypassword -s base -b "" "objectclass=*"
I get this, which means the DM password is OK.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
. . . .
lastusn: 2382
changeLog: cn=changelog
firstchangenumber: 0
lastchangenumber: 0
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
When I try to install the cert:
ipa-server-certinstall -w /path/to/.pk12
I get this error:
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 110, in run
    api.Backend.ldap2.connect(bind_pw=self.options.dirman_password)
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 175, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1142, in simple_bind
    bind_dn, bind_password, server_controls, client_controls)
  File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1030, in error_handler
    raise errors.ACIError(info="%s %s" % (info, desc))
ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ACIError: Insufficient access: Invalid credentials
ipapython.admintool: ERROR: Insufficient access: Invalid credentials
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
--
Petar Kozić
Petar Kozić via FreeIPA-users wrote:
> I have a strange problem on a replication server. I set up the master server and generated and installed a Let's Encrypt certificate.
> On the replica server I do the same steps, but when I try to install the PKCS#12 file I get an error about invalid credentials. For the private key unlock password I am using a weak password which I set in the process of generating the PKCS#12 file in the step before. The Directory Manager password is right, because when I do:
> ldapsearch -x -D "cn=directory manager" -w mypassword -s base -b "" "objectclass=*"
> I get this, which means the DM password is OK.
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: objectclass=*
> # requesting: ALL
> #
> . . . .
> lastusn: 2382
> changeLog: cn=changelog
> firstchangenumber: 0
> lastchangenumber: 0
> ipatopologypluginversion: 1.0
> ipatopologyismanaged: on
> ipaDomainLevel: 1
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> When I try to install the cert:
> ipa-server-certinstall -w /path/to/.pk12
> I get this error:
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
> ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 110, in run
>     api.Backend.ldap2.connect(bind_pw=self.options.dirman_password)
>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 175, in create_connection
>     client_controls=clientctrls)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1142, in simple_bind
>     bind_dn, bind_password, server_controls, client_controls)
>   File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1030, in error_handler
>     raise errors.ACIError(info="%s %s" % (info, desc))
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ACIError: Insufficient access: Invalid credentials
> ipapython.admintool: ERROR: Insufficient access: Invalid credentials
> ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
I'm guessing that you're running 4.6.something...
I don't have a 4.6 install handy, but on my 4.7+ install it prompts for the DM password and then for the PIN of the PKCS#12 file.
Hard to say, other than that you typed the DM password in wrong. It is just doing a simple bind here. You might check the 389-ds access log to see what it logged, but it's likely something like:
[27/Dec/2019:21:25:19.929737344 -0500] conn=133590 op=0 BIND dn="cn=directory manager" method=128 version=3
[27/Dec/2019:21:25:19.951792182 -0500] conn=133590 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022220750 - Invalid credentials
[27/Dec/2019:21:25:19.998492817 -0500] conn=133590 op=1 UNBIND
Which is a bad password.
Note that the log is buffered, so you may have to wait a bit for the log message to appear.
rob
freeipa-users@lists.fedorahosted.org
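The check Rob describes, reading the 389-ds access log and pairing each BIND with its RESULT on the same conn/op so that an err=49 can be tied back to the DN that failed, is easy to script. The following is an added example written for this page; it is not code from the thread or from the FreeIPA/389-ds projects. The log lines are constructed to match the format of the line quoted above, and the result-code names are the standard LDAP codes (0 success, 32 noSuchObject, 49 invalidCredentials, 53 unwillingToPerform). On a real server you would feed it the access log of your instance (on typical installs /var/log/dirsrv/slapd-INSTANCE/access) and, as Rob notes, wait for the buffered log to flush first.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format (not captured from a real server).
# conn=133590: Directory Manager bind with a wrong password (err=49), as in the thread.
# conn=133591: Directory Manager bind that succeeds, then the base-scope search.
# conn=133592: another account failing with invalid credentials.
SAMPLE_LOG = """\
[27/Dec/2019:21:25:19.929737344 -0500] conn=133590 op=0 BIND dn="cn=directory manager" method=128 version=3
[27/Dec/2019:21:25:19.951792182 -0500] conn=133590 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022220750 - Invalid credentials
[27/Dec/2019:21:25:19.998492817 -0500] conn=133590 op=1 UNBIND
[27/Dec/2019:21:26:02.100000000 -0500] conn=133591 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[27/Dec/2019:21:26:02.110000000 -0500] conn=133591 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0010000000 dn="cn=directory manager"
[27/Dec/2019:21:26:02.120000000 -0500] conn=133591 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[27/Dec/2019:21:26:02.130000000 -0500] conn=133591 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0005000000
[27/Dec/2019:21:26:02.140000000 -0500] conn=133591 op=2 UNBIND
[27/Dec/2019:21:27:00.000000000 -0500] conn=133592 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[27/Dec/2019:21:27:00.010000000 -0500] conn=133592 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0010000000 - Invalid credentials
"""

# Standard LDAP result codes that matter when reading BIND results.
LDAP_RESULT = {0: "success", 32: "no such object", 49: "invalid credentials", 53: "unwilling to perform"}

# Every access-log line: timestamp, connection id, operation id, then the operation text.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) version=(?P<ver>\d+)')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')


def parse_bind_results(log_text):
    """Pair each BIND with the RESULT carrying the same conn and op.

    Returns one dict per completed bind attempt, in log order. A BIND whose
    RESULT has not been written yet (the log is buffered) is simply not reported.
    """
    pending = {}
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, e.g. a "closed" or "fd=" connection line
        key = (m["conn"], m["op"])
        rest = m["rest"]
        b = BIND_RE.match(rest)
        if b:
            pending[key] = {"time": m["ts"], "conn": m["conn"], "op": m["op"],
                            "dn": b["dn"], "method": b["method"]}
            continue
        r = RESULT_RE.match(rest)
        if r and key in pending:
            attempt = pending.pop(key)
            attempt["err"] = int(r["err"])
            attempt["reason"] = LDAP_RESULT.get(attempt["err"], "other")
            attempts.append(attempt)
    return attempts


def failed_binds(log_text, dn=None):
    """Bind attempts with err != 0, optionally restricted to one DN.

    DNs are compared case-insensitively because 389-ds logs the DN as the
    client sent it ("cn=directory manager" and "cn=Directory Manager" are the same entry).
    """
    return [a for a in parse_bind_results(log_text)
            if a["err"] != 0 and (dn is None or a["dn"].lower() == dn.lower())]


def summarize(log_text):
    """Count successful and failed binds per DN (lower-cased)."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0})
    for a in parse_bind_results(log_text):
        summary[a["dn"].lower()]["ok" if a["err"] == 0 else "failed"] += 1
    return dict(summary)


if __name__ == "__main__":
    for a in failed_binds(SAMPLE_LOG, dn="cn=directory manager"):
        print(f'{a["time"]} conn={a["conn"]} dn="{a["dn"]}" err={a["err"]} ({a["reason"]})')
    print(summarize(SAMPLE_LOG))
```

Running it against the sample prints the one Directory Manager failure (conn=133590, err=49, invalid credentials) and a per-DN tally. Against the real log, a run of err=49 results for cn=directory manager at the time of the ipa-server-certinstall attempt confirms the tool sent a password the directory rejected; an absence of any BIND for that DN at that time points instead at the tool never reaching the bind (wrong host, LDAP not listening), which is a different problem.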