Re: [Freeipa-users] Building previous release rpms are failing

2014-08-07 Thread Curtis L. Knight
On Tue, Aug 5, 2014 at 11:26 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Curtis L. Knight wrote:
  On Tue, Aug 5, 2014 at 7:21 AM, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
 
  On 08/05/2014 12:32 PM, Martin Kosek wrote:
   On 08/05/2014 12:05 PM, Curtis L. Knight wrote:
  ...
   #./make-lint $(LINT_OPTIONS)
  
   run 'make rpms' again to get beyond lint errors shown below
  
  
   cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr
   --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib; fi
   ./make-lint
   Traceback (most recent call last):
 File ./make-lint, line 272, in module
   sys.exit(main())
 File ./make-lint, line 243, in main
   linter.check(files)
 File /usr/lib/python2.7/site-packages/pylint/lint.py, line
  626, in check
   self.check_astroid_module(astroid, walker, rawcheckers,
  tokencheckers)
 File /usr/lib/python2.7/site-packages/pylint/lint.py, line
  712, in
   check_astroid_module
   walker.walk(astroid)
 File /usr/lib/python2.7/site-packages/pylint/utils.py, line
  715, in walk
   self.walk(child)
 File /usr/lib/python2.7/site-packages/pylint/utils.py, line
  715, in walk
   self.walk(child)
 File /usr/lib/python2.7/site-packages/pylint/utils.py, line
  712, in walk
   cb(astroid)
 File
  /usr/lib/python2.7/site-packages/pylint/checkers/newstyle.py,
   line 135, in visit_function
   args=(call.args[0].name, ))
   AttributeError: 'Getattr' object has no attribute 'name'
   make: *** [lint] Error 1
  
   This is new, I created upstream ticket to timely fix it:
   https://fedorahosted.org/freeipa/ticket/4475
 
  Ticket 4475 is now fixed, thanks to Jan Cholasta. ipa-3-3 branch
  should now
  build OK again.
 
  Martin
 
 
  Hey Martin,
 
  Tested ipa-3-3 and generated rpms from that branch. Many thanks for the
  resolution.
 
  Just a note, but I verified that ipa-3-2 and ipa-3-1 are in need of the
  same ipa-3-3 dependency patch. Both also complained that make-lint
  needed pylint installed which it already was. With the lint failure and
  rhino patch, ipa-3-2 did generate rpms. With the lint failure and rhino
  patch, ipa-3-1 did not generate rpms and gave the following logs.

 I guess it becomes a bit fuzzy, especially with these versions. We don't
 usually offer any guarantees that older releases will build against more
 modern distros, but both 3.1.5 and 3.2.0 crossed that line, with Fedora
 builds in two releases (F18/19 and F19/20 respectively).

 Do you have a requirement to use these older releases or are you just
 offering this data point in case anyone else runs into this?

 regards

 rob


Hello Rob,

Yes, this is additional information and is not any requirement for me. I was
not sure which branches were being maintained for F20. My interest was to
see if I could help the freeipa developers build rpms easily from git with
Docker images/containers. That is just about finished. My next thought was
about using Docker containers to test code from a git working directory
quickly. That workflow could be a) to build rpms from a git commit, install
the generated rpms or b) push changed code into an existing freeipa
installation (probably not recommended but maybe necessary for testing). I
did read a couple of places that it seems to take less time and/or RAM to
build code within Docker than other methods. Overall there does not seem to
be enough people that are doing it yet for a lot of data points. Does any
of that sound beneficial to the team?

Regards,
Curtis
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Replica does not start Bind but runs Manually

2014-08-07 Thread Petr Spacek

On 5.8.2014 11:24, Matt . wrote:

Hi,

I got this solved but the replica doesn't do its forwards on the
zones it needs to forward for; the master with the same settings
does.

I have done a new install but the same happens.

What could be wrong here?


Please provide us with installation logs /var/log/ipaserver-install.log so we 
can investigate it.


Petr^2 Spacek



Cheers,

Matt

2014-08-04 10:13 GMT+02:00 Martin Kosek mko...@redhat.com:

On 08/04/2014 09:40 AM, Matt . wrote:

Hi,

Yes, I did in the past. The DNS tabs are there and named is installed.


You probably installed DNS service on another FreeIPA server. However, there is
a configuration space telling which server has which services configured. It
seems that it does not see your current server as the DNS server.


Can I run that over without any issue ?


Yes. If it detects that the DNS service was already installed there, it will error
out. Then we will take a different route.


In any other case I just can reinstall the ipa software on the replica
and create a new setup for it...


Let's not go this way (yet), a simple DNS service installation should work.

Martin





--
Petr^2 Spacek



[Freeipa-users] Ubuntu updates, client backport for 12.04

2014-08-07 Thread Timo Aaltonen

Hi

  So the archive version of freeipa-client on Ubuntu 12.04 has been in a
limbo state until now, because the package got reworked so much for
newer releases that trying to push updates would have taken a lot of
paperwork and other effort.

But 14.10/utopic finally has a smoothly installing client based on
3.3.4, and I've also pushed the updates fixing ntp/chronyd issues to
14.04 (not accepted to trusty-proposed yet) and backported this version
to 12.04 too.

You can install it for 12.04 from the freeipa ppa:
apt-add-repository ppa:freeipa
https://launchpad.net/~freeipa/+archive/ubuntu/ppa/+packages

and for this you also need the sssd ppa:
apt-add-repository ppa:sssd/updates
https://launchpad.net/~sssd/+archive/ubuntu/updates

I've verified that install/uninstall works fine, certmonger stop/start
fails on uninstall but it should be harmless.

Only thing missing from it that I know of is that --mkhomedir does not
work because of
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1336869

Also, beware that the version of nss on the ppa gets obsolete when a new
security release is published, which means that new installs should
create nssdb's by hand, or forcefully install the ppa version once and
then upgrade.. the db's shouldn't vanish on upgrade.


ps. server is still WIP, currently blocked on getting Dogtag deps
accepted in the Debian archive, but the goal is still to have everything
in by November before 'jessie' freezes.. we'll see

-- 
t



Re: [Freeipa-users] Building previous release rpms are failing

2014-08-07 Thread Martin Kosek
On 08/07/2014 01:39 PM, Curtis L. Knight wrote:
 On Tue, Aug 5, 2014 at 11:26 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 Curtis L. Knight wrote:
 On Tue, Aug 5, 2014 at 7:21 AM, Martin Kosek mko...@redhat.com
 mailto:mko...@redhat.com wrote:

 On 08/05/2014 12:32 PM, Martin Kosek wrote:
  On 08/05/2014 12:05 PM, Curtis L. Knight wrote:
 ...
  #./make-lint $(LINT_OPTIONS)
 
  run 'make rpms' again to get beyond lint errors shown below
 
 
  cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr
  --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib; fi
  ./make-lint
  Traceback (most recent call last):
File ./make-lint, line 272, in module
  sys.exit(main())
File ./make-lint, line 243, in main
  linter.check(files)
File /usr/lib/python2.7/site-packages/pylint/lint.py, line
 626, in check
  self.check_astroid_module(astroid, walker, rawcheckers,
 tokencheckers)
File /usr/lib/python2.7/site-packages/pylint/lint.py, line
 712, in
  check_astroid_module
  walker.walk(astroid)
File /usr/lib/python2.7/site-packages/pylint/utils.py, line
 715, in walk
  self.walk(child)
File /usr/lib/python2.7/site-packages/pylint/utils.py, line
 715, in walk
  self.walk(child)
File /usr/lib/python2.7/site-packages/pylint/utils.py, line
 712, in walk
  cb(astroid)
File
 /usr/lib/python2.7/site-packages/pylint/checkers/newstyle.py,
  line 135, in visit_function
  args=(call.args[0].name, ))
  AttributeError: 'Getattr' object has no attribute 'name'
  make: *** [lint] Error 1
 
  This is new, I created upstream ticket to timely fix it:
  https://fedorahosted.org/freeipa/ticket/4475

 Ticket 4475 is now fixed, thanks to Jan Cholasta. ipa-3-3 branch
 should now
 build OK again.

 Martin


 Hey Martin,

 Tested ipa-3-3 and generated rpms from that branch. Many thanks for the
 resolution.

 Just a note, but I verified that ipa-3-2 and ipa-3-1 are in need of the
 same ipa-3-3 dependency patch. Both also complained that make-lint
 needed pylint installed which it already was. With the lint failure and
 rhino patch, ipa-3-2 did generate rpms. With the lint failure and rhino
 patch, ipa-3-1 did not generate rpms and gave the following logs.

 I guess it becomes a bit fuzzy, especially with these versions. We don't
 usually offer any guarantees that older releases will build against more
 modern distros, but both 3.1.5 and 3.2.0 crossed that line, with Fedora
 builds in two releases (F18/19 and F19/20 respectively).

 Do you have a requirement to use these older releases or are you just
 offering this data point in case anyone else runs into this?

 regards

 rob

 
 Hello Rob,
 
 Yes, this is additional information and is not any requirement for me. I was
 not sure which branches were being maintained for F20. My interest was to
 see if I could help the freeipa developers build rpms easily from git with
 Docker images/containers. That is just about finished. My next thought was
 about using Docker containers to test code from a git working directory
 quickly. That workflow could be a) to build rpms from a git commit, install
 the generated rpms or b) push changed code into an existing freeipa
 installation (probably not recommended but maybe necessary for testing). I
 did read a couple of places that it seems to take less time and/or RAM to
 build code within Docker than other methods. Overall there does not seem to
 be enough people that are doing it yet for a lot of data points. Does any
 of that sound beneficial to the team?
 
 Regards,
 Curtis

Your efforts do sound interesting for the development team. I would like to
encourage you to send your results to the freeipa-devel list, so that
developers can give you proper feedback.

I was already pondering whether containers could be utilized for our
integration tests:
http://www.freeipa.org/page/Testing#Integration_tests
Currently, we use full VMs and that is obviously not so fast. If containers
could be utilized, things could get much faster (I hope).

Martin



Re: [Freeipa-users] Building previous release rpms are failing

2014-08-07 Thread Lukas Slebodnik
On (07/08/14 07:39), Curtis L. Knight wrote:
On Tue, Aug 5, 2014 at 11:26 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Curtis L. Knight wrote:
  On Tue, Aug 5, 2014 at 7:21 AM, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
 
  On 08/05/2014 12:32 PM, Martin Kosek wrote:
   On 08/05/2014 12:05 PM, Curtis L. Knight wrote:
  ...
   #./make-lint $(LINT_OPTIONS)
  
   run 'make rpms' again to get beyond lint errors shown below
  
  
   cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr
   --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib; fi
   ./make-lint
   Traceback (most recent call last):
 File ./make-lint, line 272, in module
   sys.exit(main())
 File ./make-lint, line 243, in main
   linter.check(files)
 File /usr/lib/python2.7/site-packages/pylint/lint.py, line
  626, in check
   self.check_astroid_module(astroid, walker, rawcheckers,
  tokencheckers)
 File /usr/lib/python2.7/site-packages/pylint/lint.py, line
  712, in
   check_astroid_module
   walker.walk(astroid)
 File /usr/lib/python2.7/site-packages/pylint/utils.py, line
  715, in walk
   self.walk(child)
 File /usr/lib/python2.7/site-packages/pylint/utils.py, line
  715, in walk
   self.walk(child)
 File /usr/lib/python2.7/site-packages/pylint/utils.py, line
  712, in walk
   cb(astroid)
 File
  /usr/lib/python2.7/site-packages/pylint/checkers/newstyle.py,
   line 135, in visit_function
   args=(call.args[0].name, ))
   AttributeError: 'Getattr' object has no attribute 'name'
   make: *** [lint] Error 1
  
   This is new, I created upstream ticket to timely fix it:
   https://fedorahosted.org/freeipa/ticket/4475
 
  Ticket 4475 is now fixed, thanks to Jan Cholasta. ipa-3-3 branch
  should now
  build OK again.
 
  Martin
 
 
  Hey Martin,
 
  Tested ipa-3-3 and generated rpms from that branch. Many thanks for the
  resolution.
 
  Just a note, but I verified that ipa-3-2 and ipa-3-1 are in need of the
  same ipa-3-3 dependency patch. Both also complained that make-lint
  needed pylint installed which it already was. With the lint failure and
  rhino patch, ipa-3-2 did generate rpms. With the lint failure and rhino
  patch, ipa-3-1 did not generate rpms and gave the following logs.

 I guess it becomes a bit fuzzy, especially with these versions. We don't
 usually offer any guarantees that older releases will build against more
 modern distros, but both 3.1.5 and 3.2.0 crossed that line, with Fedora
 builds in two releases (F18/19 and F19/20 respectively).

 Do you have a requirement to use these older releases or are you just
 offering this data point in case anyone else runs into this?

 regards

 rob


Hello Rob,

Yes, this is additional information and is not any requirement for me. I was
not sure which branches were being maintained for F20. My interest was to
see if I could help the freeipa developers build rpms easily from git with
Docker images/containers. That is just about finished. My next thought was
about using Docker containers to test code from a git working directory
quickly. That workflow could be a) to build rpms from a git commit, install
the generated rpms or b) push changed code into an existing freeipa
installation (probably not recommended but maybe necessary for testing). I
did read a couple of places that it seems to take less time and/or RAM to
build code within Docker than other methods. Overall there does not seem to
What kind of other methods did you try?
I doubt it is more efficient than mock [1]

be enough people that are doing it yet for a lot of data points. Does any
of that sound beneficial to the team?


LS

[1] http://fedoraproject.org/wiki/Projects/Mock



Re: [Freeipa-users] FreeIPA + Ipsilon

2014-08-07 Thread Luca Tartarini
Hi,

thanks for the reply, with Cherrypy 3.2.2 it works. Unfortunately now when
I try to login with 'admin' account ('admin' user created previously during
the installation of ipa-server) I can't see the Administration tab.
Basically this condition (in /usr/share/ipsilon/templates/index.html) is
not satisfied:

{% if user.is_admin %}
  <a href="{{ basepath }}/admin" id="admin">Administration</a> |
{% endif %}

For ipsilon-server installation I run:

ipsilon-server-install --secure=no --ipa=yes --krb=yes

because I read that 'admin' is default.
When I login with 'admin' in IPA Identity Management it is all ok (I login
as administrator), with IPSILON I can login but not as administrator.

I used the last version of jinja2 (jinja2 2.7.2).

Log of ipsilon-server-install:

[2014-08-07 17:48:11,242] Intallation arguments:
[2014-08-07 17:48:11,242] admin_user: admin
[2014-08-07 17:48:11,242] config_profile: None
[2014-08-07 17:48:11,242] hostname: ltartari3.cern.ch
[2014-08-07 17:48:11,242] instance: idp
[2014-08-07 17:48:11,242] ipa: yes
[2014-08-07 17:48:11,243] krb: yes
[2014-08-07 17:48:11,243] krb_httpd_keytab: /etc/httpd/conf/http.keytab
[2014-08-07 17:48:11,243] krb_realms: None
[2014-08-07 17:48:11,243] lm_order: ['krb']
[2014-08-07 17:48:11,243] pam: no
[2014-08-07 17:48:11,243] pam_service: remote
[2014-08-07 17:48:11,243] saml2: yes
[2014-08-07 17:48:11,243] secure: no
[2014-08-07 17:48:11,243] server_debugging: False
[2014-08-07 17:48:11,244] system_user: ipsilon
[2014-08-07 17:48:11,244] testauth: no
[2014-08-07 17:48:11,244] uninstall: False
[2014-08-07 17:48:11,244] Installation initiated
[2014-08-07 17:48:11,244] Installing default config files
[2014-08-07 17:48:11,461] Configuring environment helpers
Searching for keytab in: /etc/httpd/conf/http.keytab ... Found!
Searching for keytab in: /etc/httpd/conf/ipa.keytab ... Found!
[2014-08-07 17:48:11,486] Configuring login managers
Cannot set persistent booleans without managed policy.
[2014-08-07 17:48:12,126] Configuring Authentication Providers
Generating a 2048 bit RSA private key
.+++
..+++
writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key'
-
Installation complete.
Please restart HTTPD to enable the IdP instance.


Thanks in advance.

Luca Tartarini


2014-08-06 17:37 GMT+02:00 Simo Sorce sso...@redhat.com:

 On Wed, 2014-08-06 at 17:20 +0200, Luca Tartarini wrote:
  Hi,
 
  Thanks for the replies. I updated the line with:
 
  plugins_by_name = dict((p.name, p) for p in
 self._site[FACILITY]['enabled'])
 
  and it works (the installation is completed succesfully).
 
  But now when I try to connect to:
 
   https://myidp.example.com/idp
 
  or I try to configure ipsilon-client (ipsilon-client-install ...) I got
  HTTP 500 Internal Error (with ipsilon background). I put debug = True
  in /etc/ipsilon/idp/ipsilon.conf and I got this (in
  /var/log/httpd/error_log):
 
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Available
  providers: ['saml2']
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  storage path: /var/lib/ipsilon/idp/saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  metadata file: metadata.xml
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  storage path: /var/lib/ipsilon/idp/saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
 key
  file: /var/lib/ipsilon/idp/saml2/idp.key
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  storage path: /var/lib/ipsilon/idp/saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  certificate file: /var/lib/ipsilon/idp/saml2/idp.pem
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  IdP Provider
  registered: saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2]
 enabled:
  1
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  IdP Provider
  enabled: saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
  plugin: krb
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
  plugin: pam
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] username
  text: Username
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] password
  text: Password
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] service
  name: remote
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] help
 text:
  Insert your Username and Password and then submit.
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
  plugin: testauth
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
  username text: Username
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
  password text: Password
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
 help
  text: Insert your Username and Password and then submit.
  [Wed Aug 

[Freeipa-users] Certificate system unavailable

2014-08-07 Thread Lucas Yamanishi
Hello, I'm in a bit of a pickle with the PKI system.  I have three
replicas, but only one contains the CA.  I realize how poor a decision
it was to do that.  I plan to create more complete replicas, but right
now I can't even create a replica file, much less a full replica.

The problem started when the CA subsystem certificates expired.  I read
several threads explaining how to roll back time and renew them, but I
then discovered that the host and HTTP certificates for the server were
missing.  I checked for backups, but we erroneously did not cover those
files.  Because they are missing I was unable to renew any certificates.

Is there a way to manually create host and service certificates?  When I
search for this, the manual procedure listed in the documentation
requires `ipa cert-request` which does not work.  I did try installing a
self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
the errors, but the commands still fail.  The pki-ca service is running
OK, as far as I can tell.

I also tried adding a CA instance to one of the other replicas with
`ipa-ca-install`, but it failed during the configuration phase.

-- 
-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB


Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium

2014-08-07 Thread Rob Crittenden
Chris Whittle wrote:
 I'm currently working on a trial with OKTA and have installed their
 server agent with no issues.  Now I'm trying to map FreeIPA attributes
 with OKTA's 
 
 I'm getting no entries found, which leads me to think I'm missing something
 Inline image 1
 Inline image 2
 Inline image 3
 Thanks!
 
 

Try these changes:

User

Unique Identifier Attribute: ipaUniqueID

Object Class: posixAccount

Password Attribute: userPassword

Group

Object Class: posixGroup

I don't think their Role maps directly with our Role, not sure you
should try. You may need to define a new area in the DIT for this.

Otherwise the settings look correct to me.

Once you get something working it would be great if you could write
something on our Wiki about it under http://www.freeipa.org/page/HowTos

rob



Re: [Freeipa-users] Certificate system unavailable

2014-08-07 Thread Rob Crittenden
Lucas Yamanishi wrote:
 Hello, I'm in a bit of a pickle with the PKI system.  I have three
 replicas, but only one contains the CA.  I realize how poor a decision
 it was to do that.  I plan to create more complete replicas, but right
 now I can't even create a replica file, much less a full replica.
 
 The problem started when the CA subsystem certificates expired.  I read
 several threads explaining how to roll back time and renew them, but I
 then discovered that the host and HTTP certificates for the server were
 missing.  I checked for backups, but we erroneously did not cover those
 files.  Because they are missing I was unable to renew any certificates.
 
 Is there a way to manually create host and service certificates?  When I
 search for this, the manual procedure listed in the documentation
 requires `ipa cert-request` which does not work.  I did try installing a
 self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
 the errors, but the commands still fail.  The pki-ca service is running
 OK, as far as I can tell.
 
 I also tried adding a CA instance to one of the other replicas with
 `ipa-ca-install`, but it failed during the configuration phase.

The subsystem certificate renewal should be independent of the web (and
host) certificates. I'd focus on getting the CA back up, then we can see
about getting a new web server certificate.

Can you share the output of: getcert list

You'll probably want to obfuscate the output as it contains the PIN to
the private key database of the CA.

rob



Re: [Freeipa-users] Certificate system unavailable

2014-08-07 Thread Lucas Yamanishi
On 08/07/2014 01:25 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 Hello, I'm in a bit of a pickle with the PKI system.  I have three
 replicas, but only one contains the CA.  I realize how poor a decision
 it was to do that.  I plan to create more complete replicas, but right
 now I can't even create a replica file, much less a full replica.

 The problem started when the CA subsystem certificates expired.  I read
 several threads explaining how to roll back time and renew them, but I
 then discovered that the host and HTTP certificates for the server were
 missing.  I checked for backups, but we erroneously did not cover those
 files.  Because they are missing I was unable to renew any certificates.

 Is there a way to manually create host and service certificates?  When I
 search for this, the manual procedure listed in the documentation
 requires `ipa cert-request` which does not work.  I did try installing a
 self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
 the errors, but the commands still fail.  The pki-ca service is running
 OK, as far as I can tell.

 I also tried adding a CA instance to one of the other replicas with
 `ipa-ca-install`, but it failed during the configuration phase.
 The subsystem certificate renewal should be independent of the web (and
 host) certificates. I'd focus on getting the CA back up, then we can see
 about getting a new web server certificate.

 Can you share the output of: getcert list

 You'll probably want to obfuscate the output as it contains the PIN to
 the private key database of the CA.

 rob
Here you go.  I've also included `certutil -L` outputs.

The *auditSigningCert* I tried resubmitting with the time rolled back. 
The post-save command was also updated, because it wasn't done a year or
two back when it replaced our old CRL-signer.

`getcert list`:

```
Number of certificates and requests being tracked: 7.
Request ID '20130321103859':
status: CA_UNREACHABLE
ca-error: Error 35 connecting to
https://badca.example.com:9443/ca/agent/ca/profileReview: SSL connect error.
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin=''
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2014-07-31 21:29:35 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
auditSigningCert cert-pki-ca
track: yes
auto-renew: yes
Request ID '20130321103900':
status: NEED_GUIDANCE
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin=''
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2014-07-31 21:29:33 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
ocspSigningCert cert-pki-ca
track: yes
auto-renew: yes
Request ID '20130321103901':
status: NEED_GUIDANCE
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin=''
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2014-07-31 21:29:34 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
subsystemCert cert-pki-ca
track: yes
auto-renew: yes
Request ID '20130321103902':
status: NEED_GUIDANCE
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2014-07-31 21:30:34 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: 

Re: [Freeipa-users] FreeIPA + Chef

2014-08-07 Thread Ash Alam
Thank You for the link. We are a chef shop so ill be working on this in
chef. Ill see what i can use from Sean's repo and from the one you
provided. If anyone have any recommendations/suggestions feel free to post
them.

Thank You
ash


On Thu, Jul 31, 2014 at 2:55 PM, James purplei...@gmail.com wrote:

 On Thu, Jul 31, 2014 at 11:55 AM, Ash Alam a...@paperlesspost.com wrote:
  Hi
 
  I am currently deploying CentOS and FreeIPA and i am looking for some
  recommendation on chef cookbooks. I have googled around but haven't found
  anything that is current. I found a git repo from Sean OMeara but last
  contribution was 3 years ago.
 
  If anyone can point me in the right direction i would very grateful.
 
  Thank You


 I've got a puppet module that I'm actively working on...
 https://github.com/purpleidea/puppet-ipa

 If you don't find a ready chef module, you can consider using puppet
 instead, or start porting it to chef. A lot of the code can be
 re-used, since my module contains a good amount of puppet.

 HTH,
 James

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Certificate system unavailable

2014-08-07 Thread Rob Crittenden
Lucas Yamanishi wrote:
 On 08/07/2014 01:25 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 Hello, I'm in a bit of a pickle with the PKI system.  I have three
 replicas, but only one contains the CA.  I realize how poor a decision
 it was to do that.  I plan to create more complete replicas, but right
 now I can't even create a replica file, much less a full replica.

 The problem started when the CA subsystem certificates expired.  I read
 several threads explaining how to roll back time and renew them, but I
 then discovered that the host and HTTP certificates for the server were
 missing.  I checked for backups, but we erroneously did not cover those
 files.  Because they are missing I was unable to renew any certificates.

 Is there a way to manually create host and service certificates?  When I
 search for this, the manual procedure listed in the documentation
 requires `ipa cert-request` which does not work.  I did try installing a
 self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
 the errors, but the commands still fail.  The pki-ca service is running
 OK, as far as I can tell.

 I also tried adding a CA instance to one of the other replicas with
 `ipa-ca-install`, but it failed during the configuration phase.
 The subsystem certificate renewal should be independent of the web (and
 host) certificates. I'd focus on getting the CA back up, then we can see
 about getting a new web server certificate.

 Can you share the output of: getcert list

 You'll probably want to obfuscate the output as it contains the PIN to
 the private key database of the CA.

 rob
 Here you go.  I've also included `certutil -L` outputs.
 
 The *auditSigningCert* I tried resubmitting with the time rolled back. 
 The post-save command was also updated, because it wasn't done a year or
 two back when it replaced our old CRL-signer.
 
 `getcert list`:
 
 ```
 Number of certificates and requests being tracked: 7.
 ```

[ snip ]

What version of IPA is this?

You need to modify a few more of these. Take a look at
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

When you roll back time are you restarting the pki-cad service?

rob
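Rob asks for the `getcert list` output with the PIN obfuscated, and the thread turns on which tracked requests are stuck or already expired. The script below, an added example that is not code from this thread, from certmonger or from FreeIPA, parses a `getcert list` listing into one record per request, flags every request whose status is not MONITORING, that certmonger reports as stuck, or whose certificate is expired or close to expiry, and blanks out `pin='...'` values so the listing can be pasted to a mailing list. The sample listing is constructed in the style certmonger printed on IPA 3.0 era systems (request IDs, names, dates and PINs are made up), `WARN_DAYS` is a threshold chosen for this example rather than a certmonger setting, and `REFERENCE_NOW` is fixed to the date of this thread so the result is reproducible.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output (IPA 3.0 era certmonger, which
# printed the PIN value in the key pair storage line). All values are made up.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130807000001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin='Secret123'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2015-08-07 12:00:00 UTC
Request ID '20130807000002':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server. Unable to communicate with CMS).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='Secret456'
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2014-07-01 12:00:00 UTC
Request ID '20130807000003':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin='Secret789'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2014-08-20 12:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")   # "\tname: value" lines
PIN_RE = re.compile(r"pin='[^']*'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
WARN_DAYS = 28  # assumed triage threshold for this example, not a certmonger setting
REFERENCE_NOW = datetime(2014, 8, 7, 12, 0, 0, tzinfo=timezone.utc)  # fixed for reproducibility


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def redact_pins(text):
    """Blank out pin='...' values so the listing can be shared safely."""
    return PIN_RE.sub("pin='<redacted>'", text)


def triage(requests, now=REFERENCE_NOW):
    """Return (request_id, subject, reasons) for every request needing attention."""
    findings = []
    for r in requests:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append("status %s" % r.get("status", "unknown"))
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in r:
            expires = datetime.strptime(r["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            days = (expires - now).days
            if days < 0:
                reasons.append("expired %d days ago" % -days)
            elif days < WARN_DAYS:
                reasons.append("expires in %d days" % days)
        if reasons:
            findings.append((r["request_id"], r.get("subject", ""), reasons))
    return findings


def report(text=SAMPLE_GETCERT_LIST, now=REFERENCE_NOW):
    """Parse a listing and triage it in one call."""
    return triage(parse_getcert_list(text), now)


if __name__ == "__main__":
    for request_id, subject, reasons in report():
        print("%s %s: %s" % (request_id, subject, "; ".join(reasons)))
    print(redact_pins(SAMPLE_GETCERT_LIST))
```

On a real server the listing would come from `getcert list` run as root rather than from the constructed string; the redacted text is what should be posted, and the triage output tells you which requests to resubmit once the CA is back.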



Re: [Freeipa-users] Certificate system unavailable

2014-08-07 Thread Lucas Yamanishi
On 08/07/2014 04:48 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 On 08/07/2014 01:25 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 Hello, I'm in a bit of a pickle with the PKI system.  I have three
 replicas, but only one contains the CA.  I realize how poor a decision
 it was to do that.  I plan to create more complete replicas, but right
 now I can't even create a replica file, much less a full replica.

 The problem started when the CA subsystem certificates expired.  I read
 several threads explaining how to roll back time and renew them, but I
 then discovered that the host and HTTP certificates for the server were
 missing.  I checked for backups, but we erroneously did not cover those
 files.  Because they are missing I was unable to renew any certificates.

 Is there a way to manually create host and service certificates?  When I
 search for this, the manual procedure listed in the documentation
 requires `ipa cert-request` which does not work.  I did try installing a
 self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
 the errors, but the commands still fail.  The pki-ca service is running
 OK, as far as I can tell.

 I also tried adding a CA instance to one of the other replicas with
 `ipa-ca-install`, but it failed during the configuration phase.
 The subsystem certificate renewal should be independent of the web (and
 host) certificates. I'd focus on getting the CA back up, then we can see
 about getting a new web server certificate.

 Can you share the output of: getcert list

 You'll probably want to obfuscate the output as it contains the PIN to
 the private key database of the CA.

 rob
 Here you go.  I've also included `certutil -L` outputs.

 The *auditSigningCert* I tried resubmitting with the time rolled back. 
 The post-save command was also updated, because it wasn't done a year or
 two back when it replaced our old CRL-signer.

 `getcert list`:

 ```
 Number of certificates and requests being tracked: 7.
 ```
 [ snip ]

 What version of IPA is this?
Sorry.  It's 3.0.0-37.el6 on Scientific Linux 6x.  389ds is
1.2.11.15-32.el6_5 and Dogtag is 9.0.3-32.el6.

 You need to modify a few more of these. Take a look at
 http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
Thanks.  That was in my notes to do for the resubmits.  The CS.cfg
changes were made a long while back, before the guide.  I think the
ipa-pki-proxy.conf change was inherited with an upgrade.  Those are
awesome, BTW, the rpm automated upgrades!  The renew_ra_cert script, too.

 When you roll back time are you restarting the pki-cad service?
I think I did, but I can't recall.  I will be sure to do it this weekend
when I try again.

 rob

Since you pointed out that the certificates and ipa commands should not
be dependent on each other I discovered that the host ticket needed
renewing.  The version was out of sync.  Running `kinit -kt
/etc/krb5.keytab host/badca.example@example.com` fixed the ipa
commands and I now get the expected SSL_ERROR_EXPIRED_CERT_ALERT code
when doing a cert-request.  Is there anything else I should look at?

-- 
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB
