Hi List,
I am running into an issue joining a new replica to our IPA environment.
It’s worth noting that we have had issues with expired certs on our master server for a while but I thought we had resolved them, and when I connect to ports 443 and 636 on the master server I get certs back expiring in 2020.
So I have run ipa-client-install and the client joins successfully.
I can ‘kinit admin’ and kerberos auth appears to work.
When I run ipa-replica-install it hangs on step 27 restarting directory server.
When I check syslog I see that dirsrv has failed to restart, and the following message:
Jan 8 02:20:11 ds02 certmonger[8516]: 2019-01-08 02:20:11 [8516] Server at https://ds01.prod.xyz.internal/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ds01.prod.xyz.internal:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
Where ds02 is the new replica I am installing and ds01 is the original master.
Running FreeIPA 4.3.1.
Any suggestions on how to move past this point would be greatly appreciated.
Thanks in advance.
On 1/8/19 4:37 AM, Mitchell Smith via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi,
can you check on ds02 if certmonger was able to get a cert for the LDAP server (with "getcert list")? If not, I suspect that the IPA RA agent certificate is expired and as a consequence the installer was not able to get a cert for LDAP and HTTPS (the IPA RA agent cert is used to authenticate to Dogtag, which is the component delivering certs).
On the master, the IPA RA agent cert is stored in /etc/httpd/alias with the nickname ipaCert. Check if it is still valid with
# certutil -L -d /etc/httpd/alias -n ipaCert | grep "Not After"
If it is expired, you need to fix this issue first (it requires moving the date back in time, so that the cert is still valid, and letting certmonger renew it).
If it is not expired, check that the entry uid=ipara,ou=People,o=ipaca has been updated with the most recent IPA RA agent certificate:
1. get the serial from the cert in the NSS db:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)
2. get the whole cert in a single line, without the header and trailer:
# certutil -L -d /etc/httpd/alias -n ipaCert -a | tail -n +2 | head -n -1 | tr -d '\r\n'
MIIDv...
3. check the content of the entry in LDAP:
# ldapsearch -D "cn=directory manager" -W -LLL -o ldif-wrap=no -b uid=ipara,ou=people,o=ipaca description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
usercertificate:: MIIDv...
The description attribute must contain 2;<Serial from step 1>;CN=Certificate Authority,O=<DOMAIN.COM>;CN=IPA RA,O=<DOMAIN.COM> (replace <DOMAIN.COM> with your own domain). The usercertificate attribute must contain the same value as obtained in step 2. If it is not the case, you can use ldapmodify to update the certificate with the value obtained in step 2 (do not forget to replace DOMAIN.COM with your own domain).
# ldapmodify -x -D 'cn=directory manager' -w password
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate
usercertificate:: MIIDv...
-
replace: description
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
<extra blank line to finish>
HTH, flo
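As an added illustration (not part of Florence's reply or of FreeIPA itself), a small Python script that automates the comparison in steps 1 to 3: it takes the certutil serial line, the single-line base64 ipaCert and the ldapsearch output, and reports whether the uid=ipara entry still carries the current RA agent cert, including a check that the stored certificate's own serial number agrees with the description attribute. The function names and the stub certificate bytes are constructed for this example; on a real master you would paste in the outputs of the three commands above.

```python
import base64

def der_serial(der):
    """serialNumber of a DER X.509 certificate; only the leading TLVs are parsed."""
    def tlv(i):                 # -> (tag, content offset, content length)
        tag, ln, i = der[i], der[i + 1], i + 2
        if ln & 0x80:           # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(der[i:i + n], "big"), i + n
        return tag, i, ln
    _, i, _ = tlv(0)            # Certificate ::= SEQUENCE
    _, i, _ = tlv(i)            # tbsCertificate ::= SEQUENCE
    tag, j, ln = tlv(i)
    if tag == 0xA0:             # optional [0] EXPLICIT version: skip it
        tag, j, ln = tlv(j + ln)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[j:j + ln], "big")

def parse_ldif(text):           # one entry of `ldapsearch -LLL -o ldif-wrap=no` output
    entry = {}
    for line in text.splitlines():
        if ":: " in line:       # base64-encoded attribute value
            k, v = line.split(":: ", 1)
            entry[k.lower()] = base64.b64decode(v)
        elif ": " in line:
            k, v = line.split(": ", 1)
            entry[k.lower()] = v
    return entry

def check_ra_entry(serial_line, cert_b64, ldif, realm):
    """Compare the NSS-db ipaCert (steps 1 and 2) with the uid=ipara entry (step 3)."""
    serial = int(serial_line.split(":", 1)[1].split()[0])   # "Serial Number: 7 (0x7)" -> 7
    expected = f"2;{serial};CN=Certificate Authority,O={realm};CN=IPA RA,O={realm}"
    entry, problems = parse_ldif(ldif), []
    if entry.get("description") != expected:
        problems.append(f"description is {entry.get('description')!r}, expected {expected!r}")
    stored = entry.get("usercertificate")
    if stored != base64.b64decode(cert_b64):
        problems.append("usercertificate does not match the ipaCert in the NSS db")
    elif der_serial(stored) != serial:
        problems.append(f"stored cert has serial {der_serial(stored)}, certutil reports {serial}")
    return problems

# Constructed stand-in for a DER cert: only the leading TLVs (SEQUENCE, SEQUENCE, [0] v3, serial 7) are real.
STUB_DER = b"\x30\x82\x01\x14\x30\x82\x00\xfd\xa0\x03\x02\x01\x02\x02\x01\x07" + b"\x00" * 16
STUB_B64 = base64.b64encode(STUB_DER).decode()
SAMPLE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\ndescription: 2;7;CN=Certificate Authority,"
               f"O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM\nusercertificate:: {STUB_B64}\n")
```

An empty list from check_ra_entry() means the entry is current; otherwise each string names the mismatch to fix with the ldapmodify above.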
Hi,
Thanks for the reply, I appreciate it. It looks like that is exactly the issue.
On the master server….
# certutil -L -d /etc/apache2/nssdb -n ipaCert | grep "Not After"
Not After : Wed Nov 21 01:25:31 2018
Also in ‘getcert list’ on the master….
Request ID '20161201012533':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ds01.xyz.internal:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights ?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=XYZ.INTERNAL
  subject: CN=CA Audit,O=XYZ.INTERNAL
  expires: 2018-11-21 01:25:11 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
The issue appears to be exactly as described in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I’m pretty sure I’ve tried all the steps described in that thread, but I’ll go back and double check.
Cheers
On Jan 8, 2019, at 8:03 PM, Florence Blanc-Renaud flo@redhat.com wrote: