Hi Florence,

Thank you for your reply.
Rob had pointed me in that direction, but now when I try to run the setup-le script with that version I get the following error:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140213913461328
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

And the correct setup of certificates fails.

Using the freeipa-letsencrypt commit 601f03b before "Move from mod_nss to mod_ssl". Not sure what to do next.



On 11/06/2020 08:31, Florence Blanc-Renaud wrote:
On 6/10/20 8:42 PM, Ricardo Mendes via FreeIPA-users wrote:
Hi Rob,

Thanks a lot for your reply.

It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed.

Amazing! So I turned back the clock and:

# ipactl restart --ignore-service-failure --skip-version-check
Skipping version check
Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Forced restart, ignoring pki-tomcatd Service, continuing normal operation
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ods-enforcerd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

I did as Florence said and set the time back.
Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as necessary and ran setup-le.sh

It shows some errors; I am including the full output here: https://pastebin.com/S07vqXLy

At the end it has this:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140667189670224
ipapython.admintool: INFO: The ipa-certupdate command was successful
Error opening Private Key /var/lib/ipa/private/httpd.key
139927634605968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
139927634605968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key

The version of freeipa-letsencrypt that you are using is written for IPA 4.7+, with httpd's private key stored in /var/lib/ipa/private/httpd.key.

From your earlier messages it looks like you're using ipa 4.6, meaning that httpd is configured with mod_nss (i.e. getting its cert/key from an NSS database) instead of mod_ssl (i.e. getting its cert/key from a file). In this case you should use an earlier version of freeipa-letsencrypt, before the following commit:
cfaf511 Move from mod_nss to mod_ssl

HTH,
flo

These are just two different wrappers around Let's Encrypt certificates. As long as it can find the key(s) then it should work either way (one uses HTTP and one uses DNS). The real trick is what version(s) of IPA those support and where it is looking for the certificates. The cert locations and storage are different depending on the version of IPA.

I am assuming the script from antevens uses DNS. But how can it not matter if someone is using an up-to-date version of freeipa, and Florence mentioned:

- ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is now in /var/lib/ipa/ra-agent.{key|pem}

So if this has changed and the scripts of that letsencrypt repo haven't been edited in over a year, is it supposed to work? Or is it not compliant with the latest IPA versions?

Btw, after setup-le.sh finished I set the time back and rebooted the server. It seems like now it's not coming up at all... I'll have to VNC to it and see what happened...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
Ricardo Mendes
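The thread turns on which on-disk certificate layout the IPA server has: the mod_nss layout (httpd key in the /etc/httpd/alias NSS database, IPA 4.6) or the mod_ssl layout (key in /var/lib/ipa/private/httpd.key, IPA 4.7+), plus the RA agent credential moving to /var/lib/ipa/ra-agent.{key,pem}. The following POSIX shell script is an added example written for this editing pass; it is not part of the thread or of the freeipa-letsencrypt project. It reads only the paths named in the thread (the NSS database file names cert8.db/cert9.db are assumed from how NSS stores its databases) and takes an optional root prefix so it can be run against a copied tree or a test fixture instead of the live host. Its output tells you which freeipa-letsencrypt revision (before or after "Move from mod_nss to mod_ssl") matches the server, before any key or certificate is touched.

```shell
#!/bin/sh
# Added example (not from the thread or from freeipa-letsencrypt).
# Classify an IPA server's httpd certificate storage from its filesystem
# layout. All functions take an optional root prefix (default "/"); the
# prefix is an assumption made here so the checks can run on a fixture.

# Print "mod_ssl" (IPA 4.7+, httpd key in a PEM file), "mod_nss" (IPA 4.6,
# httpd key inside the /etc/httpd/alias NSS database) or "unknown".
detect_httpd_cert_backend() {
    root="${1:-/}"
    root="${root%/}"
    if [ -f "$root/var/lib/ipa/private/httpd.key" ]; then
        echo mod_ssl
    elif [ -f "$root/etc/httpd/alias/cert9.db" ] || [ -f "$root/etc/httpd/alias/cert8.db" ]; then
        # cert8.db (legacy dbm) / cert9.db (sqlite) are the NSS certificate
        # database files; their presence marks the older mod_nss layout.
        echo mod_nss
    else
        echo unknown
    fi
}

# Print "file" when the RA agent credential is the newer file pair
# /var/lib/ipa/ra-agent.{key,pem}, "nssdb" when only the old NSS database
# directory exists, or "unknown".
detect_ra_agent_storage() {
    root="${1:-/}"
    root="${root%/}"
    if [ -f "$root/var/lib/ipa/ra-agent.pem" ] && [ -f "$root/var/lib/ipa/ra-agent.key" ]; then
        echo file
    elif [ -d "$root/etc/httpd/alias" ]; then
        echo nssdb
    else
        echo unknown
    fi
}

# Map the detected backend to the freeipa-letsencrypt revision family named
# in the thread: "pre-mod_ssl-commit" for mod_nss hosts, "current" for
# mod_ssl hosts. Prints "undetermined" if the layout was not recognised.
recommend_letsencrypt_revision() {
    case "$(detect_httpd_cert_backend "$1")" in
        mod_nss) echo pre-mod_ssl-commit ;;
        mod_ssl) echo current ;;
        *)       echo undetermined ;;
    esac
}

# When certutil is installed and the NSS directory exists, list the nicknames
# actually present, so an error such as "Server-Cert is neither a key-type
# nor a nickname nor a key-id" can be traced to a missing nickname.
# Prints nothing (and succeeds) when certutil or the directory is absent.
list_nss_nicknames() {
    root="${1:-/}"
    root="${root%/}"
    if command -v certutil >/dev/null 2>&1 && [ -d "$root/etc/httpd/alias" ]; then
        certutil -L -d "$root/etc/httpd/alias" 2>/dev/null
    fi
    return 0
}

# Usage on a live server (run as root, read-only checks):
#   . ./detect_ipa_cert_layout.sh
#   detect_httpd_cert_backend /; detect_ra_agent_storage /
#   recommend_letsencrypt_revision /; list_nss_nicknames /
```

Run the functions before choosing a freeipa-letsencrypt checkout; a server that reports mod_nss but is handed the current scripts will fail exactly as in the thread, because the scripts open a key file the host does not have.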