Hello,

In my case this error message was directly related to security hardening with OpenSCAP using the DISA STIG for RHEL 7 policy.

First clue of problems was with the web UI on a freshly installed primary: with the admin account I always got the error "login failed for unknown reason". Replica installation failed with CA_UNREACHABLE. After playing around with oscap and many tests I found that when the section "Secure Session Configuration for Login Access" was left out from remediation, both the web UI and replica installation worked without problems. I have a ticket open with Red Hat support so that the exact setting causing trouble will be identified.

br,
risto

Sent from my iPad

> On 19 Apr 2018, at 22.06, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Thu, 19 Apr 2018, r hartikainen via FreeIPA-users wrote:
>> Hello
>>
>> I got this same error with replica installation on RHEL 7.4 after the
>> OS was hardened with OpenSCAP. A pure base OS install without any
>> additional hardening did work without problems. I was doing the replica
>> immediately after setting up the new primary.
>>
>> Also, with the same SCAP policy the fresh primary IPA did not allow any
>> login at the web UI. In my case I believe it was about some security setting
>> but have not yet had time to debug which one. Dunno where to start the
>> debug though.
>
> Please file bugs and attach the logs (audit.log most likely). We
> definitely want to play well with OpenSCAP.
>
>>
>> br,
>> risto
>>
>> Sent from my iPad
>>
>>> On 19 Apr 2018, at 18.24, Jan Gardian via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>> Hello,
>>>
>>> We had two IPA replicas, ipa1 with CA and ipa2. Those servers were on Ubuntu
>>> 16.
>>>
>>> I successfully installed the ipa3 replica with CA that is running on a newer
>>> version of IPA and CentOS 7. After that I stopped the old ipa2 and successfully
>>> installed a new ipa2 with CA on CentOS 7. Lastly I set up the CA master to be the new
>>> ipa2 following
>>> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_4.0_or_later
>>> and turned off the old ipa1 server.
>>>
>>> The problem occurred when I was installing a replica with CA to the new ipa1 server
>>> running on CentOS 7.
>>> I can successfully install the IPA client and create a ticket under the admin user,
>>> but when trying to install the replica it fails with "ERROR Certificate
>>> issuance failed (CA_UNREACHABLE)". Somehow it tries to get certificates
>>> during replica install from the ipa1 server when it does not yet have httpd
>>> installed.
>>>
>>> I thought it could be a problem that the certificate was primarily created at the old
>>> ipa1 and we have it signed by our own certificates as well, so I created
>>> another ipa4 server on CentOS 7. And again it crashed at the same point,
>>> trying to get the certificate from itself when it did not have httpd installed
>>> yet.
>>>
>>> OS: CentOS Linux release 7.4.1708
>>> IPA: VERSION: 4.5.0, API_VERSION: 2.228
>>>
>>> Attached are logs from the IPA client installation and IPA replica installation
>>> for the ipa4 server.
>>> Please ask if you require any different logs. I tried also to follow the
>>> debugging from
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/SZKAQDRCRGWV3ZIEJNAVRG2LHLDIS3MJ/
>>> but in my case it ends earlier because it tries to get the certificate from
>>> itself and does not get to the master. This can also be seen in the output of
>>> the command getcert list (in attachment).
>>>
>>>
>>> Thank you for checking.
>>>
>>>
>>> With kind regards,
>>> Ján Gardian
>>> Administrator
>>> <ipa4_debug>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
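The approach described in this reply, dropping one section of the STIG remediation until the exact rule is found, can be done systematically by reading the XCCDF results oscap writes and generating a tailoring file that deselects half of the remediated rules for the next run. The following script is an added example and is not code from the thread, OpenSCAP or the SSG project; the XCCDF results document is constructed inline, the rule ids only mirror SSG naming, and the tailoring and profile ids (`xccdf_org.example_*`) and the `accounts_` prefix used to pick out the session-related rules are assumptions.

```python
"""Bisect which remediated SCAP rule breaks a service (added example, not
from the thread or from OpenSCAP/SSG).

parse_rule_results(): read an XCCDF 1.2 results document (what
  `oscap xccdf eval --remediate --results <file>` writes) into {rule_id: result}.
changed_rules(): keep only rules oscap actually changed ("fixed") under a prefix.
split_for_bisect(): halve that list so one half can be excluded per run.
build_tailoring(): emit an XCCDF tailoring that extends the base profile but
  deselects the chosen rules, for `oscap xccdf eval --tailoring-file`.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

def _q(tag):
    """Clark-notation name for an XCCDF 1.2 element."""
    return "{%s}%s" % (XCCDF_NS, tag)

# Constructed sample results; the rule ids imitate SSG naming but the
# result values are made up for this example.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_tmout"><result>fixed</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions"><result>fixed</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events"><result>fixed</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed"><result>notapplicable</result></rule-result>
</TestResult>
"""

def parse_rule_results(xml_text):
    """Return {rule_id: result} for every rule-result in the results document."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(_q("rule-result")):
        res = rr.find(_q("result"))
        text = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = text
    return results

def changed_rules(results, prefixes=("xccdf_org.ssgproject.content_rule_accounts_",)):
    """Rules the remediation actually changed whose id starts with a prefix.

    The 'accounts_' prefix is an assumption: it is used here as a stand-in
    for the session/login rule group mentioned in the thread.
    """
    return sorted(r for r, v in results.items()
                  if v == "fixed" and r.startswith(prefixes))

def split_for_bisect(rule_ids):
    """Halve the candidate list: exclude one half, re-test, recurse."""
    mid = len(rule_ids) // 2
    return rule_ids[:mid], rule_ids[mid:]

def build_tailoring(base_profile, excluded, benchmark_href="ssg-rhel7-ds.xml",
                    tailoring_id="xccdf_org.example_tailoring_bisect",
                    profile_id="xccdf_org.example_profile_stig_bisect"):
    """XCCDF 1.2 Tailoring: a profile extending base_profile with rules deselected.

    Usage on a host: save the returned string and run
      oscap xccdf eval --tailoring-file <file> --profile <profile_id> ...
    """
    ET.register_namespace("xccdf", XCCDF_NS)
    root = ET.Element(_q("Tailoring"), id=tailoring_id)
    ET.SubElement(root, _q("benchmark"), href=benchmark_href)
    ET.SubElement(root, _q("version"), time="2018-04-20T00:00:00").text = "1"
    prof = ET.SubElement(root, _q("Profile"), id=profile_id, extends=base_profile)
    ET.SubElement(prof, _q("title")).text = "Base profile minus bisected rules"
    for rid in excluded:
        ET.SubElement(prof, _q("select"), idref=rid, selected="false")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    res = parse_rule_results(SAMPLE_RESULTS)
    candidates = changed_rules(res)
    first_half, second_half = split_for_bisect(candidates)
    print("candidate rules:", candidates)
    print(build_tailoring("xccdf_org.ssgproject.content_profile_stig", first_half))
```

Each bisection round is one remediation on a fresh host followed by the replica install; the half whose exclusion makes the install succeed holds the culprit, and the audit.log from the failing round is what the reply above suggests attaching to a bug report.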
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WRARIII7P4CNTYRJYDXTEZA4ES3JJBF5/