Tristan Weis via FreeIPA-users wrote:
> Hey Rob,
> thank you so much for your help!
>
> I just checked certutil... it works with the added -d database location.
> Upon trying to create a new certificate for HTTP, ipa-getcert list gives me:
>
>> Request ID '20191115101517':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://ipa.*.*/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://ipa.*.*/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: Failed to connect to ipa.*.* port 443: Connection refused).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
Apache doesn't seem to be listening on port 443.

VirtualHost configuration:
*:443                  ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)

For RHEL/CentOS 7 you'll see nss.conf instead of ssl.conf.

This is not the way to get a new certificate for an IPA service. You are quite likely to break something further doing this if per chance it were successful.

rob

>
> Output of ipactl status:
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>
> And to answer:
>> Are you just trying random commands?
> Those are outputs I collected during all my attempts to fix it. Also I tried various (afaik) non-destructive commands to see what works and what doesn't, to hopefully close in on what's wrong.
>
>> Based on the above I'm guessing you didn't kinit first.
> Always made sure to have active Kerberos credentials! Definitely used kinit first.
>
>> Knowing what services are running is more important at this point.
>
> Here's the output of systemctl status for the relevant processes:
> gssproxy
>> gssproxy.service - GSSAPI Proxy Daemon
>> Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
>> Active: active (running) since Fri 2019-11-15 11:41:16 CET; 7s ago
>> Process: 2656 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
>> Process: 20319 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
>> Main PID: 20320 (gssproxy)
>> Tasks: 6 (limit: 52428)
>> Memory: 1.6M
>> CGroup: /system.slice/gssproxy.service
>> └─20320 /usr/sbin/gssproxy -D
>
> ipa
>> ipa.service - Identity, Policy, Audit
>> Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
>> Active: active (exited) since Thu 2019-11-14 15:10:30 CET; 20h ago
>> Process: 11849 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
>> Main PID: 11849 (code=exited, status=0/SUCCESS)
>>
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting Directory Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting krb5kdc Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting kadmin Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting httpd Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting ipa-custodia Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting pki-tomcatd Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting smb Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting winbind Service
>> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting ipa-otpd Service
>> Nov 14 15:10:30 ipa.*.* systemd[1]: Started Identity, Policy, Audit.
>
> httpd
>> httpd.service - The Apache HTTP Server
>> Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
>> Drop-In: /etc/systemd/system/httpd.service.d
>> └─ipa.conf
>> /usr/lib/systemd/system/httpd.service.d
>> └─php-fpm.conf
>> Active: active (running) since Fri 2019-11-15 11:38:13 CET; 7min ago
>> Docs: man:httpd.service(8)
>> Process: 19582 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
>> Main PID: 19587 (httpd)
>> Status: "Total requests: 2; Idle/Busy workers 100/0;Requests/sec: 0.00437; Bytes served/sec: 16 B/se>
>> Tasks: 330 (limit: 52428)
>> Memory: 386.6M
>> CGroup: /system.slice/httpd.service
>> ├─19587 /usr/sbin/httpd -DFOREGROUND
>> ├─19592 /usr/sbin/httpd -DFOREGROUND
>> ├─19593 (wsgi:kdcproxy) -DFOREGROUND
>> ├─19594 (wsgi:kdcproxy) -DFOREGROUND
>> ├─19595 (wsgi:ipa) -DFOREGROUND
>> ├─19596 (wsgi:ipa) -DFOREGROUND
>> ├─19597 (wsgi:ipa) -DFOREGROUND
>> ├─19598 (wsgi:ipa) -DFOREGROUND
>> ├─19599 /usr/sbin/httpd -DFOREGROUND
>> ├─19601 /usr/sbin/httpd -DFOREGROUND
>> ├─19602 /usr/sbin/httpd -DFOREGROUND
>> └─19935 /usr/sbin/httpd -DFOREGROUND
>>
>> Nov 15 11:38:12 ipa.*.* systemd[1]: Starting The Apache HTTP Server...
>> Nov 15 11:38:13 ipa.*.* ipa-httpd-kdcproxy[19582]: ipa: INFO: KDC proxy enabled
>> Nov 15 11:38:13 ipa.*.* ipa-httpd-kdcproxy[19582]: ipa-httpd-kdcproxy: INFO KDC proxy e>
>> Nov 15 11:38:13 ipa.*.* httpd[19587]: AH00558: httpd: Could not reliably determine the serv>
>> Nov 15 11:38:13 ipa.*.* httpd[19587]: Server configured, listening on: 192.168.178.101 port>
>> Nov 15 11:38:13 ipa.*.* systemd[1]: Started The Apache HTTP Server.
>>
>> Nov 15 11:41:15 ipa.*.* systemd[1]: Starting GSSAPI Proxy Daemon...
>> Nov 15 11:41:16 ipa.*.* systemd[1]: Started GSSAPI Proxy Daemon.
>
> The whole systemctl status
>> UNIT  LOAD  ACTIVE  SUB  DESCRIPTION
>>
>> proc-sys-fs-binfmt_misc.automount  loaded active running  Arbitrary Executable File Formats File System Au>
>> init.scope  loaded active running  System and Service Manager
>> session-1015.scope  loaded active running  Session 1015 of user eelocal
>> session-37.scope  loaded active running  Session 37 of user eelocal
>> atd.service  loaded active running  Job spooling tools
>> auditd.service  loaded active running  Security Auditing Service
>> certmonger.service  loaded active running  Certificate monitoring and PKI enrollment
>> chronyd.service  loaded active running  NTP client/server
>> crond.service  loaded active running  Command Scheduler
>> dbus.service  loaded active running  D-Bus System Message Bus
>> dirsrv@EAGLEEYE-FILM-DE.service  loaded active running  389 Directory Server EAGLEEYE-FILM-DE.
>> firewalld.service  loaded active running  firewalld - dynamic firewall daemon
>> getty@tty1.service  loaded active running  Getty on tty1
>> gssproxy.service  loaded active running  GSSAPI Proxy Daemon
>> httpd.service  loaded active running  The Apache HTTP Server
>> ipa-custodia.service  loaded active running  IPA Custodia Service
>> irqbalance.service  loaded active running  irqbalance daemon
>> kadmin.service  loaded active running  Kerberos 5 Password-changing and Administration
>> krb5kdc.service  loaded active running  Kerberos 5 KDC
>> libstoragemgmt.service  loaded active running  libstoragemgmt plug-in server daemon
>> mcelog.service  loaded active running  Machine Check Exception Logging Daemon
>> multipathd.service  loaded active running  Device-Mapper Multipath Device Controller
>> mysqld.service  loaded active running  MySQL 8.0 database server
>> NetworkManager.service  loaded active running  Network Manager
>> nfs-idmapd.service  loaded active running  NFSv4 ID-name mapping service
>> nfs-mountd.service  loaded active running  NFS Mount Daemon
>> nginx.service  loaded active running  The nginx HTTP and reverse proxy server
>> nmb.service  loaded active running  Samba NMB Daemon
>> oddjobd.service  loaded active running  privileged operations for unprivileged applicati>
>> php-fpm.service  loaded active running  The PHP FastCGI Process Manager
>> pki-tomcatd@pki-tomcat.service  loaded active running  PKI Tomcat Server pki-tomcat
>> polkit.service  loaded active running  Authorization Manager
>> postfix.service  loaded active running  Postfix Mail Transport Agent
>> postgresql.service  loaded active running  PostgreSQL database server
>> redis.service  loaded active running  Redis persistent key-value database
>> rngd.service  loaded active running  Hardware RNG Entropy Gatherer Daemon
>> rpc-gssd.service  loaded active running  RPC security service for NFS client and server
>> rpc-statd.service  loaded active running  NFS status monitor for NFSv2/3 locking.
>> rpcbind.service  loaded active running  RPC Bind
>> rsyslog.service  loaded active running  System Logging Service
>> smartd.service  loaded active running  Self Monitoring and Reporting Technology (SMART)>
>> smb.service  loaded active running  Samba SMB Daemon
>> sshd.service  loaded active running  OpenSSH server daemon
>> sssd.service  loaded active running  System Security Services Daemon
>> systemd-journald.service  loaded active running  Journal Service
>> systemd-logind.service  loaded active running  Login Service
>> systemd-udevd.service  loaded active running  udev Kernel Device Manager
>> tuned.service  loaded active running  Dynamic System Tuning Daemon
>> user@1000.service  loaded active running  User Manager for UID 1000
>> winbind.service  loaded active running  Samba Winbind Daemon
>> zou-events.service  loaded active running  Gunicorn instance to serve the Zou Events API
>> zou-jobs.service  loaded active running  RQ Job queue to run asynchronous job from Zou
>> zou.service  loaded active running  Gunicorn instance to serve the Zou API
>> dbus.socket  loaded active running  D-Bus System Message Bus Socket
>> multipathd.socket  loaded active running  multipathd control socket
>> rpcbind.socket  loaded active running  RPCbind Server Activation Socket
>> systemd-journald-dev-log.socket  loaded active running  Journal Socket (/dev/log)
>> systemd-journald.socket  loaded active running  Journal Socket
>> systemd-udevd-control.socket  loaded active running  udev Control Socket
>> systemd-udevd-kernel.socket  loaded active running  udev Kernel Socket
>
> There are no degraded services. Everything seems to be running fine.
> Nginx is listening on a different network interface than Apache; had no problems with that setup before. Tried with nginx disabled as well, no difference.
> Tried disabling the firewall; problem persists. SELinux is set to 'permissive'.
>
>> Doesn't sound cert related and you said the KDC is working.
> It seems to ONLY affect authorization via HTTP (preauth?). Apache itself is running without any other errors. I can access the FreeIPA WebUI from any browser. ONLY when I try to log in does it produce an error. Before the server restart, all browsers with login cookies for the WebUI were still logged in and could operate the WebUI; only the 'Authentication' tab already gave me an HTTP error while trying to list certificates.
>
> I hope that's enough info for a good overview.
>
> All the best and thanks,
> Tristan
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
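Rob's diagnosis, that certmonger reports CA_UNREACHABLE because nothing answers on port 443 of the IPA server, as an added triage script that is not part of the thread: it pulls the host:port out of each CA_UNREACHABLE ca-error line and checks it against the listening sockets. The `ipa-getcert list` and `ss -ltn` text below is constructed to mirror the output quoted above; `ipa.example.test`, the second request ID and the socket list are placeholders.

```shell
# Added example, not from the thread: correlate certmonger requests in CA_UNREACHABLE with
# local listeners. The ca-error names the host:port libcurl could not reach (certmonger uses
# https://<server>/ipa/xml on 443). Inputs: `ipa-getcert list` and `ss -ltn` text; samples constructed.
GETCERT_SAMPLE=$(cat <<'EOF'
Request ID '20191115101517':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://ipa.example.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: Failed to connect to ipa.example.test port 443: Connection refused).
        stuck: no
Request ID '20191114153012':
        status: MONITORING
        stuck: no
EOF
)
SS_SAMPLE=$(cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     192.168.178.101:80   0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
EOF
)

# Print "REQUEST_ID HOST PORT" for every CA_UNREACHABLE request whose ca-error
# names the host:port libcurl could not connect to.
unreachable_ca_endpoints() {
    printf '%s\n' "$1" | awk '
        $1 == "Request" && $2 == "ID" { id = $3; gsub(/[^A-Za-z0-9_-]/, "", id); status = "" }
        $1 == "status:"               { status = $2 }
        status == "CA_UNREACHABLE" && /Failed to connect to/ {
            for (i = 1; i <= NF; i++)            # "... connect to HOST port 443: ..."
                if ($i == "to" && $(i + 2) == "port") {
                    port = $(i + 3); sub(/:.*/, "", port); print id, $(i + 1), port
                }
        }'
}

# Exit 0 if the `ss -ltn` text in $1 has a LISTEN socket on port $2 (any address, v4 or v6).
port_is_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# One line per unreachable CA endpoint, tagged listening / not-listening.
triage() {
    unreachable_ca_endpoints "$1" | while read -r id host port; do
        if port_is_listening "$2" "$port"; then state=listening; else state=not-listening; fi
        printf '%s %s %s %s\n' "$id" "$host" "$port" "$state"
    done
}
triage "$GETCERT_SAMPLE" "$SS_SAMPLE"   # -> 20191115101517 ipa.example.test 443 not-listening
```

On a live server replace the two samples with `"$(ipa-getcert list)"` and `"$(ss -ltn)"`; a `not-listening` result on 443 points at the Apache VirtualHost configuration rather than at certmonger or the CA.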