We are unable to log in to the FreeIPA web console. However, it is able to tell when I use an incorrect password (shows "The password you entered is incorrect."). Also, one of the CentOS servers getting ssh login credentials from our ipa server is using my old password (expired several weeks ago).

These lines are from httpd error.log:

    ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
    SSL Library Error: -12269 The server has rejected your certificate as expired

I've spent quite a bit of time researching the issue. At first I thought it was because of a recent upgrade to FreeIPA (CentOS 7), ipa-server-4.6.6-11.el7.centos.x86_64, but when I looked back in /var/log/messages I can see the error(s) appear to have started occurring before the upgrade.

From journalctl:

    Jun 03 22:41:52 ipa.michiganlabs.com systemd[1]: Started IPA key daemon.
    Jun 03 22:41:54 ipa.michiganlabs.com python2[14471]: GSSAPI client step 1
    Jun 03 22:41:54 ipa.michiganlabs.com ipa-dnskeysyncd[14471]: ipa-dnskeysyncd: INFO LDAP bind...
    Jun 03 22:41:54 ipa.michiganlabs.com python2[14471]: GSSAPI client step 1
    Jun 03 22:41:54 ipa.michiganlabs.com python2[14471]: GSSAPI client step 1
    Jun 03 22:41:54 ipa.michiganlabs.com python2[14471]: GSSAPI client step 2
    Jun 03 22:41:54 ipa.michiganlabs.com ipa-dnskeysyncd[14471]: ipa-dnskeysyncd: INFO Commencing sync process
    Jun 03 22:41:54 ipa.michiganlabs.com ipa-dnskeysyncd[14471]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
    Jun 03 22:41:55 ipa.michiganlabs.com python2[14481]: GSSAPI client step 1
    Jun 03 22:41:55 ipa.michiganlabs.com python2[14481]: GSSAPI client step 1
    Jun 03 22:41:55 ipa.michiganlabs.com python2[14481]: GSSAPI client step 1
    Jun 03 22:41:55 ipa.michiganlabs.com python2[14481]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
    Jun 03 22:41:55 ipa.michiganlabs.com python2[14481]: SoftHSM.cpp(476): Could not load the object store
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]: Traceback (most recent call last):
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 116, in <module>
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:   File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:     self.syncrepl_refreshdone()
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:   File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdon
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:     self.hsm_replica_sync()
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:   File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:     ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]:     raise CalledProcessError(p.returncode, arg_string, str(output))
    Jun 03 22:41:55 ipa.michiganlabs.com ipa-dnskeysyncd[14471]: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit
    Jun 03 22:41:55 ipa.michiganlabs.com systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
    Jun 03 22:41:55 ipa.michiganlabs.com systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
    Jun 03 22:41:55 ipa.michiganlabs.com systemd[1]: ipa-dnskeysyncd.service failed.
    Jun 03 22:42:55 ipa.michiganlabs.com systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
    Jun 03 22:42:55 ipa.michiganlabs.com systemd[1]: Stopped IPA key daemon.

Possibly relevant output of:

    > getcert list -c IPA
    Number of certificates and requests being tracked: 8.
    Request ID '20170928130908':
            status: CA_UNCONFIGURED
            ca-error: Unable to determine principal name for signing request.
            stuck: yes
            key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-MICHIGANLABS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-MICHIGANLABS-COM/pwdfile.txt'
            certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-MICHIGANLABS-COM',nickname='Server-Cert'
            CA: IPA
            issuer:
            subject:
            expires: unknown
            pre-save command:
            post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-MICHIGANLABS-COM
            track: yes
            auto-renew: yes

Possibly relevant SELinux info:

    > ausearch -m AVC,USER_AVC -ts recent
    type=PROCTITLE msg=audit(1591756304.759:2543): proctitle=2F7573722F62696E2F707974686F6E32002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E632D7265706C696361
    type=SYSCALL msg=audit(1591756304.759:2543): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=de4478 a2=90800 a3=0 items=0 ppid=22017 pid=22027 auid=4294967295 uid=994 gid=25 euid=994 suid=994 fsuid=994 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysync-" exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
    type=AVC msg=audit(1591756304.759:2543): avc: denied { read } for pid=22027 comm="ipa-dnskeysync-" name="tokens" dev="dm-6" ino=1373802 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=dir permissive=0

Output of:

    > ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

NOTE: it hangs for at least 30 seconds when trying to display "ipa-dnskeysyncd Service: RUNNING".

This server was set up slightly less than two years ago using this as a basis of instructions: https://www.digitalocean.com/community/tutorials/how-to-set-up-centralized-linux-authentication-with-freeipa-on-centos-7

Also there was this note: "ipa.michiganlabs.com - Delegate ipa. dns to FreeIPA server"

Thanks for any assistance

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
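As an added example (not code from the original post or from FreeIPA itself), a small Python check that parses `getcert list` output like the one quoted above and flags tracked requests that are stuck, have no known expiry, or are expired or about to expire; the embedded sample is constructed from the poster's request plus two made-up entries (one already expired, one healthy), and the "expires: YYYY-MM-DD HH:MM:SS UTC" field format is certmonger's. Run against live `getcert list` output, this catches an expired tracked certificate before the web UI starts returning the 401 shown above.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the poster's "getcert list -c IPA" output; the second and third requests are made up.
SAMPLE = """Number of certificates and requests being tracked: 3.
Request ID '20170928130908':
\tstatus: CA_UNCONFIGURED
\tca-error: Unable to determine principal name for signing request.
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-MICHIGANLABS-COM',nickname='Server-Cert'
\texpires: unknown
Request ID '20170928130909':
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\texpires: 2020-05-20 12:00:00 UTC
Request ID '20170928130910':
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
\texpires: 2021-01-01 00:00:00 UTC
"""

def parse_getcert(text):
    # One dict per "Request ID" block; every indented "key: value" line becomes a field.
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def check_requests(requests, now, warn_days=30):
    # Returns (request id, NSS nickname, problem) tuples an operator should look at.
    findings = []
    for r in requests:
        m = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
        nick = m.group(1) if m else "?"
        if r.get("stuck") == "yes":
            findings.append((r["id"], nick, "stuck: " + r.get("ca-error", r.get("status", ""))))
        exp = r.get("expires", "unknown")
        if exp == "unknown":
            findings.append((r["id"], nick, "no expiry known, cert may never have been issued"))
            continue
        when = datetime.strptime(exp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if when <= now:
            findings.append((r["id"], nick, "EXPIRED on " + exp))
        elif when - now <= timedelta(days=warn_days):
            findings.append((r["id"], nick, "expires within %d days" % warn_days))
    return findings
```

Call `check_requests(parse_getcert(open("getcert.txt").read()), datetime.now(timezone.utc))` on saved output; a stuck request with "expires: unknown" (as in the poster's output) produces two findings, since both conditions are independently worth fixing.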