Thanks for the update Alexander will check this and get back to you, wanted to check on another thing as well.
Can you please help us to understand this error that we see for the cert in pki [root@ipa1 nikita.d]# for i in $(certutil -d /etc/pki/pki-tomcat/alias -L | grep cert-pki-ca | awk '{print $1}');do certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n "$i cert-pki-ca";done certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa 249cfa8ef238a902bd45ce397eda0a8ce8dda01d caSigningCert cert-pki-ca certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. These are the cert which is present /etc/pki/pki-tomcat/alias [root@ipa1 nikita.d]# certutil -L -d /etc/pki/pki-tomcat/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI COMODO CA BUNDLE CT,C,C ocspSigningCert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u Regards Nikita S On Wed, Nov 6, 2019 at 9:52 PM Alexander Bokovoy <aboko...@redhat.com> wrote: > On ke, 06 marras 2019, Nikita Deeksha via FreeIPA-users wrote: > >2. > > > >Status SUBMITTING means the renewal is not yet completed. It will not > >complete until you get Dogtag working. > > > >But now the status says CA_UNEACHABLE > > > >Request ID '20180412150739': > >status: CA_UNREACHABLE > >ca-error: Server at https://ipa1.xxx.xxxx.com/ipa/xml failed request, > will > >retry: -504 (libcurl failed to execute the HTTP POST transaction, > >explaining: Peer's Certificate has expired.). > > This is exactly an issue with expired HTTP certificate. > I guess you'd need to roll back time to when the certificate was valid > (before 2019-10-25) and restart certmonger. > > See discussion in this thread: > https://www.redhat.com/archives/freeipa-users/2016-July/msg00270.html > > In newer RHEL version (RHEL 7.7) there is a special tool, ipa-cert-fix, > that can help with fixing these issues. However, since you are on the > version before it, you need to do manual renewal. > > >stuck: no > >key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN= > >ipa1.xxx.xxxx.com,O=CORP.ENDURANCE.COM',token='NSS Certificate > >DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN= > >ipa1.xxx.xxxx.com,O=CORP.ENDURANCE.COM',token='NSS Certificate DB' > >CA: IPA > >issuer: CN=Certificate Authority,O=xxx.xxxx.COM > >subject: CN=ipa1.xxxx.xxxxx.com,O=xxx.xxxx.COM > >expires: 2019-10-25 20:16:38 UTC > >principal name: krbtgt/xxx.xxxxx....@xxx.xxxx.com > >key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >eku: id-kp-serverAuth,id-pkinit-KPKdc > >pre-save command: > >post-save command: /usr/libexec/ipa/certmonger/restart_httpd > >track: yes > > > > > > > > > >*Issue2:* > > > >We are getting this alert while we log in to UI in httpd error logs > > > > > >#ipa: INFO: 401 Unauthorized: kinit: Preauthentication failed while > getting > >initial credentials > > > >and PKINIT was disabled > > > >[root@ipa2 httpd]# ipa-pkinit-manage status > >PKINIT is disabled > > > >While I tried to enable this > > > >[root@ipa2 httpd]# ipa-pkinit-manage enable > >Configuring Kerberos KDC (krb5kdc) > > [1/1]: installing X509 Certificate for PKINIT > > > >the process was getting stuck, so I had to terminate it manually. After > >trying to enable, I'm getting "Login failed due to an unknown reason." > >error in web UI when I try to login > > > >*Error in httpd:* > > > >[Wed Nov 06 10:13:37.465318 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] mod_wsgi (pid=24416): Exception occurred processing WSGI > >script '/usr/share/ipa/wsgi.py'. > >[Wed Nov 06 10:13:37.465433 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] Traceback (most recent call last): > >[Wed Nov 06 10:13:37.468706 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] File "/usr/share/ipa/wsgi.py", line 59, in application > >[Wed Nov 06 10:13:37.470083 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] return api.Backend.wsgi_dispatch(environ, > >start_response) > >[Wed Nov 06 10:13:37.470146 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] File > >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in > >__call__ > >[Wed Nov 06 10:13:37.473376 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] return self.route(environ, start_response) > >[Wed Nov 06 10:13:37.473437 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] File > >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in > >route > >[Wed Nov 06 10:13:37.473462 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] return app(environ, start_response) > >[Wed Nov 06 10:13:37.473475 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] File > >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in > >__call__ > >[Wed Nov 06 10:13:37.476093 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] self.kinit(user_principal, password, > ipa_ccache_name) > >[Wed Nov 06 10:13:37.478843 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] File > >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in > >kinit > >[Wed Nov 06 10:13:37.478864 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] pkinit_anchors=[paths.KDC_CERT, > >paths.KDC_CA_BUNDLE_PEM], > >[Wed Nov 06 10:13:37.478878 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] File > >"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in > >kinit_armor > >[Wed Nov 06 10:13:37.484351 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] run(args, env=env, raiseonerr=True, > capture_error=True) > >[Wed Nov 06 10:13:37.484381 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] File > >"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run > >[Wed Nov 06 10:13:37.487470 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] raise CalledProcessError(p.returncode, arg_string, > >str(output)) > >[Wed Nov 06 10:13:37.488932 2019] [:error] [pid 24416] [remote > >172.27.10.113:0] CalledProcessError: Command '/usr/bin/kinit -n -c > >/var/run/ipa/ccaches/armor_24416 -X > >X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X > >X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned > >non-zero exit status 1 > > > >And when I try to list the certificates using *getcert list,* there is a > >new cert which was added > > > >Request ID '20191106100258': > >status: CA_UNREACHABLE > >ca-error: Server at https://ipa2.xxx.xxxxx.com/ipa/xml failed request, > will > >retry: 907 (RPC failed at server. cannot connect to ' > >https://ipa1.xxx.xxxxx.com:443/ca/rest/account/login': [SSL: > >CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)). > >stuck: no > >key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > >certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > >CA: IPA > >issuer: > >subject: > >expires: unknown > >pre-save command: > >post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > >track: yes > >auto-renew: yes > > > > > >Regards > >Nikita S > > > >When > >On Wed, Nov 6, 2019 at 6:39 PM Alexander Bokovoy <aboko...@redhat.com> > >wrote: > > > >> On ti, 05 marras 2019, Nikita Deeksha via FreeIPA-users wrote: > >> >Hi Team, > >> >We have 2 IPA servers in Mater-Master setup are we facing the below > issue > >> >on these servers. > >> > > >> >Isuue1: > >> >Our httpd certificate has expired because of which our IPA1 UI wasn't > >> >working, we are getting “*loging failed due to an unknown reason*” > error > >> >while we log in to the UI > >> > > >> > > >> >1. First, the IPA console was not working as httpd service was stopped, > >> >httpd was not starting as HTTP certificate is expired. Added > >> >*NSSEnforceValidCerts > >> >off* line in nss.conf to start the service. > >> > > >> >2. After the change IPA console was loading we are not able to login to > >> the > >> >console as pki-tomcatd service was not running, > >> >[root@ipa1 ca]# ipactl status > >> >Directory Service: RUNNING > >> >krb5kdc Service: RUNNING > >> >kadmin Service: RUNNING > >> >httpd Service: RUNNING > >> >ipa-custodia Service: RUNNING > >> >ntpd Service: RUNNING > >> >pki-tomcatd Service: STOPPED > >> >ipa-otpd Service: RUNNING > >> > > >> ># systemctl status pki-tomcatd@pki-tomcat.service -l > >> >● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat > >> > Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; > >> >vendor preset: disabled) > >> > Active: active (running) since Tue 2019-11-05 10:16:50 GMT; 31min > ago > >> > Process: 97068 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, > >> >status=0/SUCCESS) > >> > Main PID: 97233 (java) > >> > CGroup: > >> > >/system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service > >> > └─97233 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java > >> >-DRESTEASY_LIB=/usr/share/java/resteasy-base > >> >-Djava.library.path=/usr/lib64/nuxwdog-jni -classpath > >> > >> > >/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar > >> >-Dcatalina.base=/var/lib/pki/pki-tomcat > -Dcatalina.home=/usr/share/tomcat > >> >-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp > >> > >> > >-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties > >> >-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager > >> >-Djava.security.manager > >> >-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy > >> >org.apache.catalina.startup.Bootstrap start > >> > > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: WARNING: Exception > >> >processing realm com.netscape.cms.tomcat.ProxyRealm@1896e072 > background > >> >process > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: > >> >javax.ws.rs.ServiceUnavailableException: Subsystem unavailable > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> > >com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> > >> > >org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> > >> > >org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> > >> > >org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> > >> > >org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> > >> > >org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> > >> > >org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) > >> >Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at > >> >java.lang.Thread.run(Thread.java:748) > >> > > >> > > >> >This service wasn’t starting with this error > >> > > >> ># less /var/log/pki/pki-tomcat/ca/debug > >> >31/Oct/2019:13:24:23][localhost-startStop-1]: > >> >SSLClientCertificateSelectionCB: desired cert found in list: > subsystemCert > >> >cert-pki-ca > >> >[31/Oct/2019:13:24:23][localhost-startStop-1]: > >> >SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca > >> >[31/Oct/2019:13:24:23][localhost-startStop-1]: SSL handshake happened > >> >Could not connect to LDAP server host ipa1.xxx.xxxx.com port 636 Error > >> >netscape.ldap.LDAPException: Authentication failed (49) > >> > >> Authentication failed means the RA agent certificate dogtag uses to > >> authenticate to LDAP server is not the same as the one mentioned in the > >> LDAP entry for RA agent. > >> > >> I think there was some procedure to fix it but I don't have links handy. > >> Also, you did not specify what versions of FreeIPA you run. > >> > >> > >> >at > >> > >> > >com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) > >> > at > >> > >> > >com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) > >> > at > >> > >> > >com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) > >> > at > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) > >> > at > >> >com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176) > >> > at > >> >com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082) > >> > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572) > >> > at com.netscape.certsrv.apps.CMS.init(CMS.java:189) > >> > at com.netscape.certsrv.apps.CMS.start(CMS.java:1631) > >> > at > >> > >> > >com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) > >> > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > >> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > >> > at > >> > >> > >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > >> > at > >> > >> > >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > >> > at java.lang.reflect.Method.invoke(Method.java:498) > >> > at > >> >org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > >> > at > >> >org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > >> > at java.security.AccessController.doPrivileged(Native Method) > >> > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > >> > at > >> > >org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > >> > at > >> > >> > >org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) > >> > at > >> > >> > >org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) > >> > at > >> > >> > >org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) > >> > at > >> > >> > >org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) > >> > at > >> > >org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) > >> > at > >> > >> > >org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) > >> > at > >> > >> > >org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) > >> > at > >> >org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) > >> > at > >> > >> > >org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) > >> > at > >> > >org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > >> > at > >> > >> > >org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > >> > at > >> > >> > >org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > >> > at java.security.AccessController.doPrivileged(Native Method) > >> > at > >> >org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) > >> > at > >> >org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) > >> > at > >> > >> > >org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) > >> > at > >> > >> > >org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) > >> > at > >> >java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > >> > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > >> > at > >> > >> > >java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > >> > at > >> > >> > >java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > >> > at java.lang.Thread.run(Thread.java:748) > >> >Internal Database Error encountered: Could not connect to LDAP server > host > >> >ipa1.xxx.xxx.com port 636 Error netscape.ldap.LDAPException: > >> Authentication > >> >failed (49) > >> > at > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) > >> > at > >> >com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176) > >> > at > >> >com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082) > >> > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572) > >> > at com.netscape.certsrv.apps.CMS.init(CMS.java:189) > >> > at com.netscape.certsrv.apps.CMS.start(CMS.java:1631) > >> > at > >> > >> > >com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) > >> > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > >> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > >> > at > >> > >> > >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > >> > at > >> > >> > >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > >> > at java.lang.reflect.Method.invoke(Method.java:498) > >> > at > >> >org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > >> > at > >> >org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > >> > at java.security.AccessController.doPrivileged(Native Method) > >> > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > >> > at > >> > >org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > >> > at > >> > >> > >org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) > >> > at > >> > >> > >org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) > >> > at > >> > >> > >org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) > >> > at > >> > >> > >org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) > >> > at > >> > >org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) > >> > at > >> > >> > >org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) > >> > at > >> > >> > >org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) > >> > at > >> >org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) > >> > at > >> > >> > >org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) > >> > at > >> > >org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > >> > at > >> > >> > >org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > >> > at > >> > >> > >org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > >> > at java.security.AccessController.doPrivileged(Native Method) > >> > at > >> >org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) > >> > at > >> >org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) > >> > at > >> > >> > >org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) > >> > at > >> > >> > >org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) > >> > at > >> >java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > >> > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > >> > at > >> > >> > >java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > >> > at > >> > >> > >java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > >> > at java.lang.Thread.run(Thread.java:748) > >> > > >> ># getcert list > >> >Request ID '20180412150739': > >> >status: SUBMITTING > >> >stuck: no > >> >key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN= > >> >ipa1.xxxx.xxxxx.com,O=xxx.xxxx.COM',token='NSS Certificate > >> >DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >> >certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN= > >> >ipa1.xxxx.xxxxx.com,O=xxx.xxxxx.COM',token='NSS Certificate DB' > >> >CA: IPA > >> >issuer: CN=Certificate Authority,O=xxx.xxxxx.COM > >> >subject: CN=ipa1.xxxx.xxxx.com,O=xxx.xxxxx.COM > >> >expires: 2019-10-25 20:16:38 UTC > >> >principal name: krbtgt/xxxx.xxxx....@xxxx.xxxx.com > >> >key usage: > >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >> >eku: id-kp-serverAuth,id-pkinit-KPKdc > >> >pre-save command: > >> >post-save command: /usr/libexec/ipa/certmonger/restart_httpd > >> >track: yes > >> >auto-renew: yes > >> > >> Status SUBMITTING means the renewal is not yet completed. It will not > >> complete until you get Dogtag working. > >> > >> > > >> >Issue2: > >> > > >> >On the IPA2 server, we are unable to login with the admin user > credentials > >> >without OTP, but when an AD user is trying to login with 2FA (i.e, > >> >password and OTP) we are getting this error *"The password you entered > is > >> >incorrect."* > >> > >> AD users cannot use multifactor authentication defined in IPA. > >> > >> > >> ># [root@ipa2 log]# ipactl status > >> >Directory Service: RUNNING > >> >krb5kdc Service: RUNNING > >> >kadmin Service: RUNNING > >> >httpd Service: RUNNING > >> >ipa-custodia Service: RUNNING > >> >ntpd Service: RUNNING > >> >ipa-otpd Service: STOPPED > >> >ipa: INFO: The ipactl command was successful > >> > > >> ># systemctl status ipa-otpd.socket -l > >> >● ipa-otpd.socket - ipa-otpd socket > >> > Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket; disabled; > >> >vendor preset: disabled) > >> > Active: failed (Result: resources) since Tue 2019-11-05 08:19:04 > GMT; > >> 1h > >> >31min ago > >> > Listen: /var/run/krb5kdc/DEFAULT.socket (Stream) > >> > Accepted: 2; Connected: 0 > >> > > >> >Nov 05 07:42:53 ipa2.xxxx.xxxx.com systemd[1]: Listening on ipa-otpd > >> socket. > >> >Nov 05 08:19:04 ipa2.xxxx.xxxx.com systemd[1]: ipa-otpd.socket failed > to > >> >queue service startup job (Maybe the service file is missing or not a > >> >template unit?): Resource temporarily unavailable > >> >Nov 05 08:19:04 ipa2.xxxx.xxxx.com systemd[1]: Unit ipa-otpd.socket > >> entered > >> >failed state. > >> > > >> ># cat /usr/lib/systemd/system/ipa-otpd.socket > >> >[Unit] > >> >Description=ipa-otpd socket > >> > > >> >[Socket] > >> >ListenStream=/var/run/krb5kdc/DEFAULT.socket > >> >RemoveOnStop=true > >> >SocketMode=0600 > >> >Accept=true > >> > > >> >[Install] > >> >WantedBy=krb5kdc.service > >> > > >> > > >> > > >> >We see that data replication is broken between the 2 IPA servers, as > the > >> >changes made on IPA2 is not reflecting on IPA1 > >> This is most likely because your LDAP server certificate expired as > >> well. > >> > >> > >> >We the below errors as well. > >> > > >> >IPA1 > >> >Nov 05 10:09:23 ipa1.xxx.xxxx.com krb5kdc[28021](info): TGS_REQ (8 > etypes > >> >{18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE: authtime 1572948563, etypes > >> >{rep=18 tkt=18 ses=18}, ldap/ipa1.xxxxx.xxxx....@xxxx.xxxxx.com for > ldap/ > >> >ipa2.xxxx.xxxx....@xxxx.xxxx.com > >> >Nov 05 10:14:24 ipa1.corp.endurance.com krb5kdc[28021](info): TGS_REQ > (8 > >> >etypes {18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE: authtime 1572948863, > >> >etypes {rep=18 tkt=18 ses=18}, ldap/ipa1.xxxx.xxx....@xxxx.xxxx.com > for > >> >ldap/ipa2.xxxx.xxxx....@xxxx.xxxx.com > >> > >> These aren't errors. They are normal operations: ldap/ipa1 service (LDAP > >> server on IPA1) asked for a Kerberos service ticket to LDAP service on > >> IPA2 and was granted it. This is just as it should be for replication. > >> > >> > > >> >IPA2 > >> ># tailf krb5kdc.log > >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): AS_REQ (8 > etypes > >> >{18 17 20 19 16 23 25 26}) y.y.y.y: NEEDED_PREAUTH: ldap/ > >> >ipa2.xxxx.xxxx....@xxx.xxxx.com for krbtgt/xxxx.xxxx....@xxxx.xxxx.com > , > >> >Additional pre-authentication required > >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): closing down > fd > >> 11 > >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): AS_REQ (8 > etypes > >> >{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime 1572947965, etypes > >> >{rep=18 tkt=18 ses=18}, ldap/ipa2.xxxx.xxxx....@xxx.xxxx.com for > krbtgt/ > >> >xxx.xxxx....@xxx.xxxx.com > >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): closing down > fd > >> 11 > >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): TGS_REQ (8 > etypes > >> >{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime 1572947965, etypes > >> >{rep=18 tkt=18 ses=18}, ldap/ipa2.xxxx.xxxx....@xxxx.xxxx.com for > ldap/ > >> >ipa2.xxxx.xxxx....@xxx.xxxx.com > >> >Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): closing down > fd > >> 11 > >> > >> Same here. LDAP server on IPA2 operated against itself here. > >> > >> -- > >> / Alexander Bokovoy > >> Sr. Principal Software Engineer > >> Security / Identity Management Engineering > >> Red Hat Limited, Finland > >> > >> > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org