Yes, /tmp is writable by everyone:
drwxrwxrwt. root root 4.0K tmp
[root@ipa5 centos]# kinit admin
Password for ad...@fixedandmobile.com:

The output for /etc/krb5.keytab:

[root@ipa5 centos]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
(The pasted listing shows no keytab entries below this header.)

On Tue, Mar 10, 2020 at 1:59 AM Robbie Harwood <rharw...@redhat.com> wrote:

> Faraz Younus <fara...@gmail.com> writes:
>
> > Robbie Harwood <rharw...@redhat.com> wrote:
> >> Faraz Younus writes:
> >>
> >>> Hello ,
> >>>
> >>> I'm getting failed when updating new certificate whether it is external &
> >>> Letsencrypt. Previously I was installing successfully letsencrypt
> >>> certificate 15 days ago.
> >>>
> >>> I'm following below github repo to setup freeipa.
> >>>
> >>> https://github.com/freeipa/ansible-freeipa/tree/master/roles
> >>>
> >>> root# ipa-server-certinstall -w -d ipa5.fixedandmobile.com.p12
> >>>
> >>> Peer's certificate issuer is not trusted (certutil: certificate is invalid:
> >>> Peer's Certificate issuer is not recognized.
> >>>
> >>> ). Please run ipa-cacert-manage install and ipa-certupdate to install the
> >>> CA certificate.
> >>>
> >>> The ipa-server-certinstall command failed.
> >>> > >>> root# ipa-certupdate -v > >>> > >>> ipapython.admintool: DEBUG: Not logging to a file > >>> > >>> ipalib.rpc: DEBUG: failed to find session_cookie in persistent storage > >> for > >>> principal 'ad...@fixedandmobile.com' > >>> > >>> ipalib.rpc: INFO: trying https://ipa5.fixedandmobile.com/ipa/json > >>> > >>> ipalib.rpc: DEBUG: New HTTP connection (ipa5.fixedandmobile.com) > >>> > >>> ipalib.rpc: DEBUG: received Set-Cookie (<type > >>> > >> > 'list'>)'['ipa_session=MagBearerToken=7%2feoIywViL2KTkXiG1w0hP0DdWEaK4pE75LdZtDKSRPqBDLuzEqJdY%2fUnrwLqOBnhZBTqjj8gdAGD%2fSWn%2bwq1xLTiDo7%2f8CRETD%2bW5AvHT1VNFFRZibPfE1JS2BVE09q%2bdQrPAV60PA4cth2Qcdsvfp0U2oLj1xML6eRsoXG00REURhaFp8cCaB9AuQVKLbO8Byf3Pie3qafgN1SJ04jzA%3d%3d;path=/ipa;httponly;secure;']' > >>> > >>> ipalib.rpc: DEBUG: storing cookie > >>> > >> > 'ipa_session=MagBearerToken=7%2feoIywViL2KTkXiG1w0hP0DdWEaK4pE75LdZtDKSRPqBDLuzEqJdY%2fUnrwLqOBnhZBTqjj8gdAGD%2fSWn%2bwq1xLTiDo7%2f8CRETD%2bW5AvHT1VNFFRZibPfE1JS2BVE09q%2bdQrPAV60PA4cth2Qcdsvfp0U2oLj1xML6eRsoXG00REURhaFp8cCaB9AuQVKLbO8Byf3Pie3qafgN1SJ04jzA%3d%3d;' > >>> for principal ad...@fixedandmobile.com > >>> > >>> ipalib.backend: DEBUG: Created connection > >> context.rpcclient_139889220220816 > >>> > >>> ipalib.rpc: INFO: [try 1]: Forwarding 'schema' to json server ' > >>> https://ipa5.fixedandmobile.com/ipa/json' > >>> > >>> ipalib.rpc: DEBUG: HTTP connection keep-alive (ipa5.fixedandmobile.com > ) > >>> > >>> ipalib.rpc: DEBUG: received Set-Cookie (<type > >>> > >> > 'list'>)'['ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;path=/ipa;httponly;secure;']' > >>> > >>> ipalib.rpc: DEBUG: storing cookie > >>> > >> > 
'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;' > >>> for principal ad...@fixedandmobile.com > >>> > >>> ipalib.backend: DEBUG: Destroyed connection > >>> context.rpcclient_139889220220816 > >>> > >>> ipalib.plugable: DEBUG: importing all plugin modules in > >>> ipaclient.remote_plugins.schema$79e69edd... > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >>> ipaclient.remote_plugins.schema$79e69edd.plugins > >>> > >>> ipalib.plugable: DEBUG: importing all plugin modules in > >> ipaclient.plugins... > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.automember > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.automount > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > ipaclient.plugins.certmap > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >>> ipaclient.plugins.certprofile > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > ipaclient.plugins.csrgen > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.hbacrule > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.hbactest > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > ipaclient.plugins.idrange > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.internal > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.location > >>> > >>> 
ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.migration > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.otptoken > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >>> ipaclient.plugins.otptoken_yubikey > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > ipaclient.plugins.passwd > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.permission > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.rpcclient > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > ipaclient.plugins.server > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > ipaclient.plugins.service > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.sudorule > >>> > >>> ipalib.plugable: DEBUG: importing plugin module > >> ipaclient.plugins.topology > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user > >>> > >>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault > >>> > >>> ipalib.rpc: DEBUG: found session_cookie in persistent storage for > >> principal > >>> 'ad...@fixedandmobile.com', cookie: > >>> > >> > 'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d' > >>> > >>> ipalib.rpc: DEBUG: setting session_cookie into context > >>> > >> > 
'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;' > >>> > >>> ipalib.rpc: INFO: trying > >> https://ipa5.fixedandmobile.com/ipa/session/json > >>> > >>> ipalib.rpc: DEBUG: New HTTP connection (ipa5.fixedandmobile.com) > >>> > >>> ipalib.rpc: DEBUG: received Set-Cookie (<type > >>> > >> > 'list'>)'['ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;path=/ipa;httponly;secure;']' > >>> > >>> ipalib.rpc: DEBUG: storing cookie > >>> > >> > 'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;' > >>> for principal ad...@fixedandmobile.com > >>> > >>> ipalib.backend: DEBUG: Created connection > >> context.rpcclient_139889190138192 > >>> > >>> ipalib.install.kinit: DEBUG: Initializing principal host/ > >>> ipa5.fixedandmobile....@fixedandmobile.com using keytab > /etc/krb5.keytab > >>> > >>> ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-Rln5Jh/ccache > >>> > >>> ipapython.admintool: DEBUG: File > >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in > >>> execute > >>> > >>> return_value = self.run() > >>> > >>> File > >>> "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py", > >>> line 62, in run > >>> > >>> run_with_args(api) > >>> > >>> File > >>> "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py", > >>> line 83, in run_with_args > >>> > >>> kinit_keytab(principal, 
paths.KRB5_KEYTAB, ccache_name) > >>> > >>> File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line > >> 47, > >>> in kinit_keytab > >>> > >>> cred = gssapi.Credentials(name=name, store=store, usage='initiate') > >>> > >>> File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, > in > >>> __new__ > >>> > >>> store=store) > >>> > >>> File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, > in > >>> acquire > >>> > >>> usage) > >>> > >>> File "ext_cred_store.pyx", line 182, in > >>> gssapi.raw.ext_cred_store.acquire_cred_from > >>> (gssapi/raw/ext_cred_store.c:1732) > >>> > >>> > >>> ipapython.admintool: DEBUG: The ipa-certupdate command failed, > exception: > >>> GSSError: Major (851968): Unspecified GSS failure. Minor code may > >> provide > >>> more information, Minor (2529639107): No credentials cache found > >>> > >>> ipapython.admintool: ERROR: Major (851968): Unspecified GSS failure. > >> Minor > >>> code may provide more information, Minor (2529639107): No credentials > >> cache > >>> found > >>> > >>> ipapython.admintool: ERROR: The ipa-certupdate command failed. > >>> _______________________________________________ > >>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > >>> To unsubscribe send an email to > >> freeipa-users-le...@lists.fedorahosted.org > >>> Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>> List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>> List Archives: > >> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > >> > >> Did you kinit first? This probably should have a better UI than dying > >> in exception... > > > > Yes I did the kinit admin before running the update > > (Please keep the list in CC.) > > Is /tmp writeable? What's the output of `klist -kt /etc/krb5.keytab`? > > Thanks, > --Robbie >