Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread craig . freeipa
On Wed, Jan 29, 2014 at 09:22:35PM -0500, Rob Crittenden wrote:
> craig.free...@noboost.org wrote:
> >Well progress :) just not quite fully fixed, seems three certificates have 
> >updated just not the others yet. Do I need to "tell them to update", or let 
> >the server roll over until it hits Jan 14?
> >
> >Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
> >ipa-server-3.0.0-37.el6.x86_64
> >ipa-client-3.0.0-37.el6.x86_64
> >---
> >~/Scripts>date
> >Sat Jan 11 19:29:02 EST 2014
> >---
> >~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
> > Not After : Fri Jan 01 07:44:45 2016
> >---
> >Ran script:
> >for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" 
> >"subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >do
> > echo $nickname
> > certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> >done
> >
> >---
> >auditSigningCert cert-pki-ca
> > Not After : Thu Jul 10 07:45:42 2014
> > Not After : Tue Jan 14 06:45:05 2014
> >ocspSigningCert cert-pki-ca
> > Not After : Fri Jan 01 07:44:43 2016
> >subsystemCert cert-pki-ca
> > Not After : Fri Jan 01 07:44:44 2016
> >Server-Cert cert-pki-ca
> > Not After : Tue Jan 14 06:45:05 2014
> >---
> >
> >The apache cert did update which is good!
> >~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
> > Not After : Fri Jan 01 07:44:45 2016
> >
> >cya
> >
> >Craig
> >
> 
> For those not yet renewed I'd do a getcert list to find them and
> getcert resubmit -i  to force renewal.
> 
> The CA won't start without a valid audit cert.
> 
> rob
Thanks for all the help, looks like all is fixed. I moved the dates back
to normal and all the services are working :)

I did notice the "auditSigningCert cert-pki-ca" has two certificates, one old 
one and a new one. The getcert list command is only showing the new one, so I 
figure all is well. 


auditSigningCert cert-pki-ca
Certificate:
Validity:
Not Before: Sat Jan 11 07:45:42 2014
Not After : Thu Jul 10 07:45:42 2014

Data:
Validity:
Not Before: Wed Jan 25 06:45:05 2012
Not After : Tue Jan 14 06:45:05 2014

cya

Craig

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread Rob Crittenden

craig.free...@noboost.org wrote:

Well progress :) just not quite fully fixed, seems three certificates have updated just 
not the others yet. Do I need to "tell them to update", or let the server roll 
over until it hits Jan 14?

Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scripts>date
Sat Jan 11 19:29:02 EST 2014
---
~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
 Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert 
cert-pki-ca" "Server-Cert cert-pki-ca"
do
 echo $nickname
 certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

---
auditSigningCert cert-pki-ca
 Not After : Thu Jul 10 07:45:42 2014
 Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
 Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
 Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
---

The apache cert did update which is good!
~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
 Not After : Fri Jan 01 07:44:45 2016

cya

Craig



For those not yet renewed I'd do a getcert list to find them and getcert 
resubmit -i  to force renewal.


The CA won't start without a valid audit cert.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread craig . freeipa
On Wed, Jan 29, 2014 at 09:15:50AM -0500, Rob Crittenden wrote:
> craig.free...@noboost.org wrote:
> >On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
> >>craig.free...@noboost.org wrote:
> >>>On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> >On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
> >>Hi Guys,
> >>
> >>I'm sure this is an easy issue to fix!
> >>
> >>First the specs;
> >>Red Hat Enterprise Linux Server release 6.3 (Santiago)
> >>ipa-client-2.2.0-16.el6.x86_64
> >>ipa-server-2.2.0-16.el6.x86_64
> >>
> >>
> >>Issue:
> >>When I click on the hosts TAB from inside the Identity Managemnt GUI, I
> >>get the following error;
> >>* Certificate format error: [Errno -8018] None (repeated many times)
> >>
> >>* Cannot connect to
> >>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>
> >>[Errno -8018] None
> >>
> >>Also seen this error;
> >>cannot connect to
> >>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> >>certificate as expired.
> >>
> >>
> >>Any advise would be greatly appreciated!
> >http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> >
> >Since you have FreeIPA before 3.4, you need to follow manual procedure
> >outlined on that page. 2.2 might also be a bit different than 3.x but
> >this is a starting point.
> >
> >
> 
> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
> 
> rob
> 
> >>>Just running into a couple of issues with then manual SSL cert process;
> >>>
> >>>1) ERROR when telling certmonger about all the CA certificates
> >>>
> >>>#Command:
> >>>for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert 
> >>>cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >>>do
> >>> echo $nickname
> >>> certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> >>>done
> >>>
> >>>
> >>>#Result:
> >>>auditSigningCert cert-pki-ca
> >>> Not After : Tue Jan 14 06:45:05 2014
> >>>ocspSigningCert cert-pki-ca
> >>> Not After : Tue Jan 14 06:45:05 2014
> >>>subsystemCert cert-pki-ca
> >>> Not After : Tue Jan 14 06:45:05 2014
> >>>Server-Cert cert-pki-ca
> >>> Not After : Tue Jan 14 06:45:05 2014
> >>>
> >>>#Command:
> >>>for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert 
> >>>cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >>>do
> >>> /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n 
> >>> "${nickname}" -c dogtag-ipa-renew-agent -P 70511423
> >>>done
> >>>
> >>>#Result:
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>
> >>>
> >>>2)Upgrade instead?
> >>>I could potentionally upgrade the ipa-server to "3.0.0-37.el6", would this 
> >>>version be able to automatically update the certificates?
> >>>
> >>>cya
> >>>
> >>>Craig
> >>>
> >>
> >>You need certmonger-0.58-1 or higher to get the
> >>dogtag-ipa-renew-agent CA and other fixed. I'll update the wiki with
> >>that, sorry for the oversight.
> >>
> >>You could try updating to 3.0. If you do decide to try upgrading I
> >>think I'd go back in time when all the certs are valid first as some
> >>services will be restarted during the upgrade and we don't want the
> >>upgrade blowing up in the middle because of expired certs.
> >>
> >>rob
> >I'll give the upgrade a go, say I go back to the older date and IPA
> >starts fine. Won't the certs still have a hard expiry date on them, so
> >I'll need to follow the
> >http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?
> 
> It depends in part how far back in time you go. I'd go back a day or
> two before the oldest date (not all certs expire at the same time).
> 
> The upgrade will configure automatic renewal. I think what I'd
> recommend is do the upgrade then restart the certmonger service on
> the machine.
> 
> Run `getcert list` to check the status of the certs. After the
> restart they should all renew.
> 
> rob
Well progress :) just not quite fully fixed, seems three certificates have 
updated just not the others yet. Do I need to "tell them to update", or let the 
server roll over until it hits Jan 14?

Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scripts>date
Sat Jan 11 19:29:02 EST 2014
---
~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" 
"subsystemCert cert-pki-ca" "Server

Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread Rob Crittenden

craig.free...@noboost.org wrote:

On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:

craig.free...@noboost.org wrote:

On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:

Hi Guys,

I'm sure this is an easy issue to fix!

First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


Issue:
When I click on the hosts TAB from inside the Identity Managemnt GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)

* Cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':

[Errno -8018] None

Also seen this error;
cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.


Any advise would be greatly appreciated!

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Since you have FreeIPA before 3.4, you need to follow manual procedure
outlined on that page. 2.2 might also be a bit different than 3.x but
this is a starting point.




For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

rob


Just running into a couple of issues with then manual SSL cert process;

1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert 
cert-pki-ca" "Server-Cert cert-pki-ca"
do
 echo $nickname
 certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done


#Result:
auditSigningCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert 
cert-pki-ca" "Server-Cert cert-pki-ca"
do
 /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" 
-c dogtag-ipa-renew-agent -P 70511423
done

#Result:
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.


2)Upgrade instead?
I could potentionally upgrade the ipa-server to "3.0.0-37.el6", would this 
version be able to automatically update the certificates?

cya

Craig



You need certmonger-0.58-1 or higher to get the
dogtag-ipa-renew-agent CA and other fixed. I'll update the wiki with
that, sorry for the oversight.

You could try updating to 3.0. If you do decide to try upgrading I
think I'd go back in time when all the certs are valid first as some
services will be restarted during the upgrade and we don't want the
upgrade blowing up in the middle because of expired certs.

rob

I'll give the upgrade a go, say I go back to the older date and IPA
starts fine. Won't the certs still have a hard expiry date on them, so
I'll need to follow the
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?


It depends in part how far back in time you go. I'd go back a day or two 
before the oldest date (not all certs expire at the same time).


The upgrade will configure automatic renewal. I think what I'd recommend 
is do the upgrade then restart the certmonger service on the machine.


Run `getcert list` to check the status of the certs. After the restart 
they should all renew.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Deploying freeipa behind nginx

2014-01-29 Thread Dmitri Pal
On 01/28/2014 05:29 PM, Steve Severance wrote:
> Hi Everyone,
>
> I have deployed freeipa inside our production network. I want to be
> able to access the web ui so I am attempting to add it to our nginx
> edge machine. I can pass the requests upstream just fine but I am
> unable to login using a username/password. I have enabled password
> authentication in the kerberos section of the freeipa httpd config
> file. In the logs it looks like the authentication succeeds and a
> ticket is issued. I assume that the cookie that is returned
> (ipa_session) has the authentication information in it. The subsequent
> call to get json data fails and I am prompted to login again.
>
> I found this thread
> (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> which has instructions on adding ipa.mydomain.com
>  to the keytab. When I call ipa-getkeytab it
> hangs for a bit before returning: ldap_sasl_bind(SIMPLE): Can't
> contact LDAP server (-1) 
>
> Digging into this if I run: ldapsearch -d 1 -v -H
> ldaps://ldap.mydomain.com  
>
> I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> So we seem to have a SASL problem. If I run ldapsearch with -x simple
> authentication works just fine.
>
> Do I need to do something special to enable SASL so I can get the
> keytab? The ipa-getkeytab command does not seem to have an option to
> use simple authentication.
>
> Thanks.
>
> Steve
>
>

To be able to help a small diagram would be really helpful.
The error above indicates that there is an entity that tries to connect
to the LDAP using Kerberos GSSAPI and can't because it either does not
have kerberos identity or keys or it is misconfigured and can't get to
them. The diagram of request flow would help to troubleshoot the issue.

What version of FreeIPA you are using? What platform? 

> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Disabling anonymous binds breaks OS X (10.8.5 and 10.9.1) UI logins.

2014-01-29 Thread Dmitri Pal
On 01/28/2014 03:33 PM, Guillermo Fuentes wrote:
>
> Hello,
>
>  
>
> We are deploying FreeIPA (which it's a great project BTW) as our
> Identity Management System. As we don't want any info from the
> directory to be publically available, we tried disabling anonymous
> binds but it breaks UI logins on Macs (10.8.5 and 10.9.1)
>
>  
>
> FreeIPA logs show that OS X retrieves attributes using anonymous bind
> and when it's disabled it logs:
>
> ... authzid="(null)", anonymous search not allowed
>
>  
>
> Has anyone been able to get this setup working properly?
>

You need to look on the Mac side.
It seems that in the configuration you used Mac tries to do a lookup
after anonymous bind. It might be that you need to configure a special
account on Mac to be able to work around this issue.

>  
>
> Thanks in advance,
>
> Guillermo
>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-01-29 Thread Sumit Bose
On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> Hi Everyone,
> 
> I have deployed freeipa inside our production network. I want to be able to
> access the web ui so I am attempting to add it to our nginx edge machine. I
> can pass the requests upstream just fine but I am unable to login using a
> username/password. I have enabled password authentication in the kerberos
> section of the freeipa httpd config file. In the logs it looks like the
> authentication succeeds and a ticket is issued. I assume that the cookie
> that is returned (ipa_session) has the authentication information in it.
> The subsequent call to get json data fails and I am prompted to login again.
> 
> I found this thread (
> https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> which has instructions on adding ipa.mydomain.com to the keytab. When I
> call ipa-getkeytab it hangs for a bit before returning: 
> ldap_sasl_bind(SIMPLE):
> Can't contact LDAP server (-1)
> 
> Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
> 
> I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:

Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
GSSAPI ' ?

bye,
Sumit

> 
> So we seem to have a SASL problem. If I run ldapsearch with -x simple
> authentication works just fine.
> 
> Do I need to do something special to enable SASL so I can get the keytab?
> The ipa-getkeytab command does not seem to have an option to use simple
> authentication.
> 
> Thanks.
> 
> Steve

> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users