On 07.05.2019 08:39, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/3/19 11:47 AM, H. Frenzel via FreeIPA-users wrote:
On 03.05.2019 10:18, Florence Blanc-Renaud via
FreeIPA-users wrote:
On 5/2/19 7:08 PM, H. Frenzel via FreeIPA-users wrote:
What next? Can those other two certificates be removed?
Hi,
it's not a problem if the previous certs are still present in LDAP,
you can keep them here. It looks like the content of the NSSDB and
LDAP are consistent.
A few other things to check:
- Are there any replication conflicts (if you have multiple CA
masters)?
$ ldapsearch -D "cn=Directory Manager" -W -b o=ipaca
"(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \*
nsds5ReplConflict
It seems there are no conflicts:
# search result
search: 2
result: 0 Success
The multiple CA masters setup didn't work (see
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/TPYKB7LW6GGIHDPNX4MFDZOUCA7MLUSH/)
- In /etc/pki/pki-tomcat/ca/CS.cfg, the line starting with
'ca.subsystem.cert=' must contain the same cert as 'subsystemCert
cert-pki-ca' in /etc/pki/pki-tomcat/alias
It is as expected.
- Are there any specific errors in /var/log/pki/pki-tomcat/ca/debug?
When the CA subsystem properly starts, you should see lines about
'subsystemCert cert-pki-ca' and SSL handshake like the following:
[date][localhost-startStop-1]:
ldapconn/PKISocketFactory.makeSSLSocket: begins
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB:
Setting desired cert nickname to: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert
nickname subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificatSelectionCB:
Entering!
[date][localhost-startStop-1]: Candidate cert: subsystemCert
cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB:
desired cert found in list: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB:
returning: subsystemCert cert-pki-ca
[date][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted: begins
[date][localhost-startStop-1]: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
[date][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted:
CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
[date][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted: clientIP=<local IP>
serverIP=<local IP> serverPort=31746
[date][localhost-startStop-1]: SSL handshake happened
[date][localhost-startStop-1]: Established LDAP connection with SSL
client auth to <local hostname>:636
so any error related to subsystemCert cert-pki-ca may help us
diagnose.
[07/May/2019:14:19:33][localhost-startStop-1]:
ldapconn/PKISocketFactory.makeSSLSocket: begins
[07/May/2019:14:19:33][localhost-startStop-1]:
SSLClientCertificateSelectionCB: Setting desired cert nickname to:
subsystemCert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]: LdapJssSSLSocket: set
client auth cert nickname subsystemCert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]:
SSLClientCertificatSelectionCB: Entering!
[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert:
EXAMPLE.COM IPA CA
[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert:
Server-Cert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]:
SSLClientCertificateSelectionCB: returning: null
[07/May/2019:14:19:33][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted: begins
[07/May/2019:14:19:33][localhost-startStop-1]: SignedAuditLogger:
event CLIENT_ACCESS_SESSION_ESTABLISH
[07/May/2019:14:19:33][localhost-startStop-1]: LogFile: event type
not selected: CLIENT_ACCESS_SESSION_ESTABLISH
[07/May/2019:14:19:33][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted:
CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
[07/May/2019:14:19:33][localhost-startStop-1]:
PKIClientSocketListener.handshakeCompleted: clientIP=10.1.1.101
serverIP=10.1.1.101 serverPort=31746
[07/May/2019:14:19:33][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.example.com port 636 Error
netscape.ldap.LDAPException: Authentication failed (48)
There are not even any errors in /var/log/dirsrv/slapd-EXAMPLE-COM/error
from this attempt.
But I found some warnings in /var/log/messages; maybe those are
related somehow?
2019-05-07T14:19:28.494819+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'enableOCSP' to 'false' did not find a matching property.
2019-05-07T14:19:28.495201+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to 'http://ipa.example.com:8080/ca/ocsp' did not find
a matching property.
2019-05-07T14:19:28.495495+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not
find a matching property.
2019-05-07T14:19:28.495775+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matching property.
2019-05-07T14:19:28.496412+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not find a matching property.
2019-05-07T14:19:28.497308+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
2019-05-07T14:19:28.498213+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspTimeout' to '10' did not find a matching property.
2019-05-07T14:19:28.499134+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matching property.
2019-05-07T14:19:28.500062+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching
property.
2019-05-07T14:19:28.500918+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl2Ciphers' to
'-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5'
did not find a matching property.
2019-05-07T14:19:28.502491+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl3Ciphers' to
'-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
did not find a matching property.
2019-05-07T14:19:28.504300+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'tlsCiphers' to
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
did not find a matching property.
2019-05-07T14:19:28.505563+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching
property.
2019-05-07T14:19:28.506169+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching
property.
2019-05-07T14:19:28.506856+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslRangeCiphers' to
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA
_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA'
did not find a matching property.
2019-05-07T14:19:28.508160+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'serverCertNickFile' to
'/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
matching property.
2019-05-07T14:19:28.508811+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
find a matching property.
2019-05-07T14:19:28.509434+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
did not find a matching property.
2019-05-07T14:19:28.510180+02:00 ipa server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
property.
2019-05-07T14:19:28.537648+02:00 ipa server: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlValidation' to 'false' did not find a matching property.
2019-05-07T14:19:28.538024+02:00 ipa server: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlNamespaceAware' to 'false' did not find a matching property.
2019-05-07T14:19:33.518554+02:00 ipa server:
CMSEngine.initializePasswordStore() begins
2019-05-07T14:19:33.520758+02:00 ipa server:
CMSEngine.initializePasswordStore(): tag=internaldb
2019-05-07T14:19:33.521107+02:00 ipa server:
CMSEngine.initializePasswordStore(): tag=replicationdb
2019-05-07T14:19:33.882875+02:00 ipa server: Internal Database Error
encountered: Could not connect to LDAP server host ipa.example.com port
636 Error netscape.ldap.LDAPException: Authentication failed (48)
Thanks for your help
H.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
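The failing debug excerpt above is the useful signal in this thread: NSS was asked for a client cert with nickname 'subsystemCert cert-pki-ca', offered only 'EXAMPLE.COM IPA CA' and 'Server-Cert cert-pki-ca', and returned null, so the TLS handshake to port 636 completed without a client certificate and the subsequent bind failed with LDAP result 48 (inappropriateAuthentication, per RFC 4511). The following helper is an added example, not code from the thread or from the FreeIPA/Dogtag projects: it parses the pki-tomcat debug log for that selection sequence and reports what NSS offered versus what the CA asked for, and it compares the base64 value of 'ca.subsystem.cert=' in CS.cfg against a PEM export of the NSS DB entry. The log lines are the ones quoted above, joined one per line; the certificate blob is a constructed placeholder, not a real certificate.

```python
"""Added diagnostic helper (not from FreeIPA/Dogtag): check why the CA's
client-cert LDAP bind fails, using the pki-tomcat debug log and CS.cfg."""
import base64
import re
import textwrap
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Message patterns as they appear after the "[date][thread]: " prefix.
DESIRED_RE = re.compile(r"Setting desired cert nickname to: (.+?)\s*$")
CANDIDATE_RE = re.compile(r"Candidate cert: (.+?)\s*$")
RETURN_RE = re.compile(r"SSLClientCertificateSelectionCB: returning: (.+?)\s*$")
LDAP_ERR_RE = re.compile(
    r"Could not connect to LDAP server host (\S+) port (\d+) .*?\((\d+)\)")

# LDAP result codes (RFC 4511) that matter for a certificate-authenticated bind.
LDAP_RESULT = {48: "inappropriateAuthentication", 49: "invalidCredentials"}


@dataclass
class SelectionReport:
    desired: Optional[str] = None                 # nickname the CA asked NSS for
    candidates: List[str] = field(default_factory=list)  # nicknames NSS offered
    returned: Optional[str] = None                # what the selection callback returned
    ldap_error: Optional[Tuple[str, int, int]] = None    # (host, port, result code)

    def verdict(self) -> str:
        if self.desired is None:
            return "no client-cert selection logged; CA never reached the LDAP bind"
        if self.returned not in (None, "null"):
            return f"NSS selected '{self.returned}' for client auth"
        if self.desired not in self.candidates:
            return (f"NSS DB offered no usable cert named '{self.desired}' "
                    f"(candidates: {', '.join(self.candidates) or 'none'}); "
                    "check the nickname and its private key with certutil -L / certutil -K")
        return f"'{self.desired}' was offered but not selected; check its validity and key usage"


def parse_debug_log(lines) -> SelectionReport:
    """Walk debug-log lines and keep the state of the last selection attempt."""
    r = SelectionReport()
    for line in lines:
        if m := DESIRED_RE.search(line):
            r.desired, r.candidates, r.returned = m.group(1), [], None  # new attempt
        elif m := CANDIDATE_RE.search(line):
            r.candidates.append(m.group(1))
        elif m := RETURN_RE.search(line):
            r.returned = m.group(1)
        elif m := LDAP_ERR_RE.search(line):
            r.ldap_error = (m.group(1), int(m.group(2)), int(m.group(3)))
    return r


def cs_cfg_cert(cs_cfg_text: str) -> Optional[str]:
    """Return the base64 DER from the ca.subsystem.cert= line of CS.cfg."""
    m = re.search(r"^ca\.subsystem\.cert=(\S+)\s*$", cs_cfg_text, re.M)
    return m.group(1) if m else None


def pem_body(pem_text: str) -> str:
    """Strip PEM armour and line breaks, e.g. from certutil -L -n <nick> -a."""
    inner = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    inner = inner.split("-----END CERTIFICATE-----", 1)[0]
    return "".join(inner.split())


def subsystem_cert_matches(cs_cfg_text: str, pem_text: str) -> bool:
    """True when CS.cfg and the NSS DB export carry the same certificate."""
    return cs_cfg_cert(cs_cfg_text) == pem_body(pem_text)


# Constructed sample: the failing sequence from the thread, one log line each.
FAILING_LOG = """\
[07/May/2019:14:19:33][localhost-startStop-1]: ldapconn/PKISocketFactory.makeSSLSocket: begins
[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert: EXAMPLE.COM IPA CA
[07/May/2019:14:19:33][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[07/May/2019:14:19:33][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[07/May/2019:14:19:33][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
""".splitlines()

# Constructed sample: the healthy sequence Florence described.
HEALTHY_LOG = """\
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[date][localhost-startStop-1]: Established LDAP connection with SSL client auth to ipa.example.com:636
""".splitlines()

# Constructed placeholder blob, NOT a real certificate: only the comparison matters.
_FAKE_DER_B64 = base64.b64encode(b"constructed placeholder, not a real certificate " * 4).decode()
SAMPLE_CS_CFG = f"ca.subsystem.cert={_FAKE_DER_B64}\n"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(_FAKE_DER_B64, 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    rep = parse_debug_log(FAILING_LOG)
    print(rep.verdict())
    if rep.ldap_error:
        host, port, code = rep.ldap_error
        print(f"LDAP bind to {host}:{port} failed: {code} ({LDAP_RESULT.get(code, 'unknown')})")
    print("CS.cfg matches NSS DB export:", subsystem_cert_matches(SAMPLE_CS_CFG, SAMPLE_PEM))
```

On a real server, feed `parse_debug_log` the lines of /var/log/pki/pki-tomcat/ca/debug and `pem_body` the output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a`; if `certutil -L` shows the nickname but `certutil -K` shows no matching private key, NSS cannot offer it as a client certificate, which is consistent with the candidate list in the failing excerpt.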