[Freeipa-users] How to make a FreeIPA node replica become Master?

2016-09-14 Thread Sergio Francisco
Hi,
We have a deployment of FreeIPA using 3 nodes (a master with 2 more replicas).

Recently, the master node had a problem with the process 'ns-slapd'
consuming 100% of CPU. During this problem, the DNS service wasn't working, the IPA
admin UI timed out, and the SSH keys used to access the hosts were not being
loaded correctly.

We observed in the "dirsrv" logs that the cachesize wasn't enough for the
space needed, and ns-slapd then started a process to recover it. We let the
server run this operation for almost one day and nothing happened.

Today, we tried to:

1 - remove the failed server from the deployment, using the command below,
but unfortunately it wasn't possible from either of the 2 other nodes.

ipa-replica-manage del --force mux-idm-p03.muxi.dc --cacert=/etc/ipa/ca.crt
unexpected error: cannot connect to 'ldaps://localhost.localdomain:636

2 - tried to upgrade the failed server to a more recent version of IPA
using ipa-server-upgrade, but it stopped at the step to connect

  [5/10]: starting directory server

2016-09-14T13:43:28Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-09-14T13:43:28Z DEBUG The ipa-server-upgrade command failed,
exception: error: [Errno 111] Connection refused
2016-09-14T13:43:28Z ERROR [Errno 111] Connection refused

3 - tried to recover the 389-ds database with the command "db_recover -f
-v" but nothing happened.
4 - visited similar threads but none of them helped me

https://www.redhat.com/archives/freeipa-users/2013-May/msg00015.html
https://www.redhat.com/archives/freeipa-users/2015-July/msg00188.html

5 - as we need to urgently recover the service, we tried to rebuild the
failed server, removing and reinstalling all the packages needed by
ipa-server (yum install ipa-server bind bind-dyndb-ldap ipa-server-dns) and
tried to re-join the new server as a replica to receive all the data again,
but it doesn't seem to work.

The other nodes are working well, resolving DNS requests, allowing users to
access the servers using SSH, etc.

Any ideas on what I can do to rebuild the server?

Versions
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64
CentOS Linux release 7.2.1511 (Core)
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] About AllowGroups with sshd

2016-09-14 Thread Lukas Slebodnik
On (14/09/16 08:37), Jose Alvarez R. wrote:
>Hi Jakub
>
>Thanks for your response. It's an option, but I will not add my backup
>servers to the FreeIPA server.
>
>Then, I cannot use the HBAC option, because I want my backup server to be
>able to connect as root to some client servers of my FreeIPA server.
>
root is not handled by sssd/FreeIPA. It is a local user,
and thus access cannot be denied by HBAC.

LS



Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Here is what I found:

In the catalina.out:
###
May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw exception
java.io.IOException: CS server is not ready to serve.
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Thread.java:722)
###

In the selftests.log in /var/log/pki-ca:
###
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence:  CA is present
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SystemCertsVerification: system certs verification failure
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
###

But nothing else.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:27 PM, bahan w  wrote:

> I also tried the following commands:
> ###
> # ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> # service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ###
>
> I'm checking the /var/log/pki-ca logs to see if I find something.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:02 PM, bahan w  wrote:
>
>> Sorry Martin,
>>
>> This is not the first time I forgot to add back freeipa users.
>> I have problems with gmail, again sorry.
>>
>> Indeed I figured out that I had to restart the ipa server.
>> So I tried to restart ipa server.
>> But it was not working yet.
>>
>> So I thought it was maybe due to the configuration I performed in
>> nss.conf.
>> So I rolled back this conf and restarted ipa-server.
>> Then I retried your commands but it is still the same error.
>>
>> ###
>> Request ID '20140528064145':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server.  Certificate operation cannot be completed: Unable to communicate
>> with CMS (Not Found)).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: 

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I also tried the following commands:
###
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

I'm checking the /var/log/pki-ca logs to see if I find something.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:02 PM, bahan w  wrote:

> Sorry Martin,
>
> This is not the first time I forgot to add back freeipa users.
> I have problems with gmail, again sorry.
>
> Indeed I figured out that I had to restart the ipa server.
> So I tried to restart ipa server.
> But it was not working yet.
>
> So I thought it was maybe due to the configuration I performed in
> nss.conf.
> So I rolled back this conf and restarted ipa-server.
> Then I retried your commands but it is still the same error.
>
> ###
> Request ID '20140528064145':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Do you know what the CMS is?
> ###
> (RPC failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)).
> ###
>
> Best regards.
>
> Bahan
>
>
>
>
>
> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti  wrote:
>
>> did you restart IPA when you moved the time? Is there a more detailed error
>> description in the output of getcert list?
>>
>> On 14.09.2016 18:45, bahan w wrote:
>>
>> I set the date-time when the certificates were valid:
>> ###
>> # date -s '2016-05-27 10:00:00'
>> Fri May 27 10:00:00 CEST 2016
>>
>> # date
>> Fri May 27 10:00:02 CEST 2016
>> ###
>>
>> Then I try to renew them:
>> ###
>> # getcert resubmit -i 20140528063919
>> Resubmitting "20140528063919" to "IPA".
>>
>> # getcert resubmit -i 20140528064145
>> Resubmitting "20140528064145" to "IPA".
>>
>> # getcert resubmit -i 20140528063953
>> Resubmitting "20140528063953" to "IPA".
>> ###
>>
>> But when I do the getcert list after, the result is the same.
>>
>> I guess it is because of this?
>> CA_UNREACHABLE
>>
>> Any idea?
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w  wrote:
>>
>>> Ok, I managed to restart the IPA service by adding this line in the file
>>> /etc/httpd/conf.d/nss.conf:
>>> ###
>>> NSSEnforceValidCerts off
>>> ###
>>>
>>> But when I run getcert now I get the following result:
>>>
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=
>>> subject: CN=CA Audit,O=
>>> expires: 2018-04-09 11:39:16 UTC
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063904':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=
>>> subject: CN=OCSP Subsystem,O=
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063905':
>>> status: 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-14 Thread Giorgos Kafataridis



On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:

On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:

On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Sorry Martin,

This is not the first time I forgot to add back freeipa-users.
I have problems with gmail, again sorry.

Indeed, I figured out that I had to restart the IPA server.
So I tried to restart the IPA server.
But it still wasn't working.

So I thought it was maybe due to the configuration I performed in
nss.conf.
So I rolled back this conf and restarted ipa-server.
Then I retried your commands but it is still the same error.

###
Request ID '20140528064145':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to communicate
with CMS (Not Found)).
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
###

Do you know what the CMS is?
###
(RPC failed at server.  Certificate operation cannot be completed: Unable
to communicate with CMS (Not Found)).
###

Best regards.

Bahan





On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti  wrote:

> did you restart IPA when you moved the time? Is there a more detailed error
> description in the output of getcert list?
>
> On 14.09.2016 18:45, bahan w wrote:
>
> I set the date-time when the certificates were valid:
> ###
> # date -s '2016-05-27 10:00:00'
> Fri May 27 10:00:00 CEST 2016
>
> # date
> Fri May 27 10:00:02 CEST 2016
> ###
>
> Then I try to renew them:
> ###
> # getcert resubmit -i 20140528063919
> Resubmitting "20140528063919" to "IPA".
>
> # getcert resubmit -i 20140528064145
> Resubmitting "20140528064145" to "IPA".
>
> # getcert resubmit -i 20140528063953
> Resubmitting "20140528063953" to "IPA".
> ###
>
> But when I do the getcert list after, the result is the same.
>
> I guess it is because of this?
> CA_UNREACHABLE
>
> Any idea?
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:38 PM, bahan w  wrote:
>
>> Ok, I managed to restart the IPA service by adding this line in the file
>> /etc/httpd/conf.d/nss.conf:
>> ###
>> NSSEnforceValidCerts off
>> ###
>>
>> But when I run getcert now I get the following result:
>>
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=CA Audit,O=
>> expires: 2018-04-09 11:39:16 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063904':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=OCSP Subsystem,O=
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063905':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=CA Subsystem,O=
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: 

Re: [Freeipa-users] [E] Migration Question

2016-09-14 Thread Armstrong, Jeffrey
Ok. Thank you very much for the information.

Jeff



From: Giger, Justean [mailto:jgi...@verizon.com]
Sent: Wednesday, September 14, 2016 11:18 AM
To: Armstrong, Jeffrey ; freeipa-users@redhat.com
Subject: Re: [E] [Freeipa-users] Migration Question

*External E-Mail*
We did the same and have had zero issues. In fact, one overzealous colleague 
moved one out of our 5 IDM servers to Oracle while all the others were still on 
Red Hat and things still worked. I have not tried to get support for IDM with 
Oracle though so not sure how that goes.

From: 
> on 
behalf of "Armstrong, Jeffrey" 
>
Date: Wednesday, September 14, 2016 at 6:20 AM
To: "freeipa-users@redhat.com" 
>
Subject: [E] [Freeipa-users] Migration Question

Hi

My company is migrating from Red Hat Linux to Oracle Linux. I warned them that
IdM could be a problem. Does anyone know if IPA works after the migration?

Jeff Armstrong




Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti

Please keep freeipa-users in CC, I'm quite lost here

ca-error: Server failed request, will retry: -504 (libcurl failed to 
execute the HTTP POST transaction.  Peer certificate cannot be 
authenticated with known CA certificates).


I'm not sure what this means, but if it is caused by an invalid httpd
certificate, the solution might be to set the time to a week before 2016-05-28,
restart IPA and try to renew the certs again.



Martin^2


On 14.09.2016 18:38, bahan w wrote:
Ok, I managed to restart the IPA service by adding this line in the
file /etc/httpd/conf.d/nss.conf:

###
NSSEnforceValidCerts off
###

But when I run getcert now I get the following result:
###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Audit,O=
expires: 2018-04-09 11:39:16 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20140528063904':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=OCSP Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20140528063905':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20140528063906':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=IPA RA,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20140528063907':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140528063919':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl 
failed to execute the HTTP POST transaction. Peer certificate cannot 
be authenticated with known CA certificates).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:39:18 UTC
eku: 

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
did you restart IPA when you moved the time? Is there a more detailed
error description in the output of getcert list?



On 14.09.2016 18:45, bahan w wrote:

I set the date-time when the certificates were valid:
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them:
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this?
CA_UNREACHABLE

Any idea?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w wrote:


Ok, I managed to restart the IPA service by adding this line in
the file /etc/httpd/conf.d/nss.conf:
###
NSSEnforceValidCerts off
###

But when I run getcert now I get the following result:

###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Audit,O=
expires: 2018-04-09 11:39:16 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063904':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=OCSP Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063905':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063906':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=IPA RA,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20140528063907':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
  

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I set the date-time when the certificates were valid:
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them:
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this?
CA_UNREACHABLE

Any idea?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w  wrote:

> Ok, I managed to restart the IPA service by adding this line in the file
> /etc/httpd/conf.d/nss.conf:
> ###
> NSSEnforceValidCerts off
> ###
>
> But when I run getcert now I get the following result:
>
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=CA Audit,O=
> expires: 2018-04-09 11:39:16 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063904':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=OCSP Subsystem,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063905':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=CA Subsystem,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063906':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='ipaCert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=IPA RA,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20140528063907':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20140528063919':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti


Please keep freeipa-users in CC, there is no sensitive information in 
getcert list output (you sanitized it)



Following certificates are expired, please try to resubmit them. I'm 
also worried about this error message: ca-error: Error setting up ccache 
for local "host" service using default keytab: Cannot contact any KDC 
for realm ''.


is KDC running?



Request ID '20140528063919':
status: MONITORING
ca-error: Error setting up ccache for local "host" service 
using default keytab: Cannot contact any KDC for realm ''.

stuck: no
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:39:18 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv 


track: yes
auto-renew: yes
Request ID '20140528063953':
status: MONITORING
ca-error: Error setting up ccache for local "host" service 
using default keytab: Cannot contact any KDC for realm ''.

stuck: no
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:39:52 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv 
PKI-IPA

track: yes
auto-renew: yes
Request ID '20140528064145':
status: MONITORING
ca-error: Error setting up ccache for local "host" service 
using default keytab: Cannot contact any KDC for realm ''.

stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti


Then you have to start services manually, I don't know if the same steps 
will work with IPA 3.0.0, I don't remember, but you can try :)



On 14.09.2016 18:18, bahan w wrote:

Oh I forgot to add that my version of ipa is quite old :
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###

When I try the command you gave me I got the following error :
###
# ipactl start --force
Usage: ipactl start|stop|restart|status


ipactl: error: no such option: --force
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti wrote:




On 14.09.2016 17:59, bahan w wrote:

Hello !

I send you this mail because I cannot restart my test IPA server.

When I try to start it with service ipa start, I got the
following error message :
###
# service ipa start
Starting Directory Service
Starting dirsrv:
...[14/Sep/2016:17:57:23 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
[  OK  ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
[  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:  [ OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:[  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached: [  OK  ]
Starting HTTP Service
Starting httpd: [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:  [ OK  ]
Stopping Kerberos 5 Admin Server:[  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping httpd: [FAILED]
Stopping pki-ca: [  OK  ]
Shutting down dirsrv:
... [  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###

Do you know how to renew the SSL certificate used for the IPA
Server ?

Best regards.

Bahan






Hello,

please run

# ipactl start --force
# getcert list (to detect which certificate is outdated, I suspect
DS cert (or to get more info why it has not been renewed))

If getcert does work (I'm not sure if it is able to work without
httpd), you probably need to move time back to the past where the cert is
valid, start IPA and try again.

Please find the ID of the outdated certificate and try to resubmit it (CA and DS
must be running)

# getcert resubmit -i 20160914122036 (use your ID :) )

This should renew cert, check status with getcert list

Move time back to future (if needed)

Try to restart IPA

Martin^2





Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Oh I forgot to add that my version of ipa is quite old :
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###

When I try the command you gave me I got the following error :
###
# ipactl start --force
Usage: ipactl start|stop|restart|status


ipactl: error: no such option: --force
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti wrote:

>
>
> On 14.09.2016 17:59, bahan w wrote:
>
> Hello !
>
> I send you this mail because I cannot restart my test IPA server.
>
> When I try to start it with service ipa start, I got the following error
> message :
> ###
> # service ipa start
> Starting Directory Service
> Starting dirsrv:
> ...[14/Sep/2016:17:57:23 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>[  OK  ]
> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>[  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:  [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:[  OK  ]
> Starting HTTP Service
> Starting httpd:[FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:   [  OK  ]
> Stopping Kerberos 5 Admin Server:  [  OK  ]
> Stopping ipa_memcached:[  OK  ]
> Stopping httpd:[FAILED]
> Stopping pki-ca:   [  OK  ]
> Shutting down dirsrv:
> ...[  OK  ]
> PKI-IPA... [  OK  ]
> Aborting ipactl
>
> # service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
> ###
>
> Do you know how to renew the SSL certificate used for the IPA Server ?
>
> Best regards.
>
> Bahan
>
>
>
>
>
> Hello,
>
> please run
>
> # ipactl start --force
> # getcert list (to detect which certificate is outdated, I suspect DS cert
> (or to get more info why it has not been renewed))
>
> If getcert does work (I'm not sure if it is able to work without httpd),
> you probably need to move time back to the past where the cert is valid, start IPA
> and try again.
>
> Please find the ID of the outdated certificate and try to resubmit it (CA and DS must be
> running)
>
> # getcert resubmit -i 20160914122036 (use your ID :) )
>
> This should renew cert, check status with getcert list
>
> Move time back to future (if needed)
>
> Try to restart IPA
>
> Martin^2
>

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti



On 14.09.2016 17:59, bahan w wrote:

Hello !

I send you this mail because I cannot restart my test IPA server.

When I try to start it with service ipa start, I got the following 
error message :

###
# service ipa start
Starting Directory Service
Starting dirsrv:
...[14/Sep/2016:17:57:23 +0200] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert 
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape 
Portable Runtime error -8181 - Peer's Certificate has expired.)

[  OK  ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert 
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape 
Portable Runtime error -8181 - Peer's Certificate has expired.)

[  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC: [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached: [  OK  ]
Starting HTTP Service
Starting httpd: [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC: [  OK  ]
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping httpd: [FAILED]
Stopping pki-ca: [  OK  ]
Shutting down dirsrv:
...[ OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###

Do you know how to renew the SSL certificate used for the IPA Server ?

Best regards.

Bahan






Hello,

please run

# ipactl start --force
# getcert list (to detect which certificate is outdated, I suspect DS 
cert (or to get more info why it has not been renewed))


If getcert does work (I'm not sure if it is able to work without httpd), 
you probably need to move time back to the past where the cert is valid, start 
IPA and try again.


Please find the ID of the outdated certificate and try to resubmit it (CA and DS must 
be running)


# getcert resubmit -i 20160914122036 (use your ID :) )

This should renew cert, check status with getcert list

Move time back to future (if needed)

Try to restart IPA

Martin^2
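The procedure Martin describes (start IPA, run `getcert list`, find the outdated request, `getcert resubmit -i <ID>`) turns on reading the `getcert list` output correctly, and the listing quoted earlier in this thread shows what to look for: an `expires:` date in the past, `stuck: yes`, a status other than `MONITORING`, or a `ca-error:` line. The script below is an added example written for this thread, not certmonger's or FreeIPA's code: it parses `getcert list` output into one record per Request ID and reports the requests that need attention, together with the `getcert resubmit -i` command for each. The embedded sample is constructed from the sanitized listings above (realm `EXAMPLE.TEST`, placeholder paths), and the reference date is fixed to 2016-09-14 so the result is reproducible.

```python
"""Triage `getcert list` output: expired, stuck or CA-failing tracking requests.

Added example for this thread, not certmonger's own code. SAMPLE_GETCERT_OUTPUT
is constructed from the sanitized listings in the thread; REFERENCE_DATE stands
in for "now". Run against a live server with:
    getcert list | python3 getcert_triage.py
"""
import re
import sys
from datetime import datetime, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<rid>[^']+)':\s*$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")
REFERENCE_DATE = datetime(2016, 9, 14, tzinfo=timezone.utc)  # constructed "now"

SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063919':
\tstatus: MONITORING
\tca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2016-05-28 06:39:18 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
\ttrack: yes
\tauto-renew: yes
Request ID '20140528063906':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2018-04-09 11:38:16 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20140528063953':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2016-05-28 06:39:52 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Return {request_id: {field: value}}; fields are split on the first ':' only,
    so values that themselves contain colons (ca-error, expires) stay intact."""
    records, current = {}, None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = records.setdefault(m.group("rid"), {})
            continue
        if current is None or not raw.strip():
            continue  # header line or blank line
        key, sep, value = raw.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return records


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(records, now):
    """Map request id -> (nickname, [problems]) for requests that need attention."""
    findings = {}
    for rid, rec in records.items():
        problems = []
        expires = parse_expiry(rec.get("expires"))
        if expires is not None and expires <= now:
            problems.append("expired on %s" % expires.strftime("%Y-%m-%d"))
        if rec.get("status") != "MONITORING":
            problems.append("status %s" % rec.get("status", "?"))
        if rec.get("stuck") == "yes":
            problems.append("stuck")
        if rec.get("ca-error"):
            problems.append("ca-error: %s" % rec["ca-error"])
        if problems:
            m = NICKNAME_RE.search(rec.get("key pair storage", ""))
            findings[rid] = (m.group(1) if m else "?", problems)
    return findings


def sample_findings():
    """Triage the constructed sample at the constructed reference date."""
    return triage(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), REFERENCE_DATE)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    now = datetime.now(timezone.utc) if not sys.stdin.isatty() else REFERENCE_DATE
    for rid, (nick, problems) in sorted(triage(parse_getcert_list(text), now).items()):
        print("%s (%s): %s" % (rid, nick, "; ".join(problems)))
        print("    getcert resubmit -i %s" % rid)
```

A `ca-error` about the KDC, as in the listing above, points at a dependency that must be up before a resubmit can succeed: the renewal helper authenticates with the host keytab, so with the KDC down the request will keep failing regardless of the certificate's own state.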

[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Hello !

I send you this mail because I cannot restart my test IPA server.

When I try to start it with service ipa start, I got the following error
message :
###
# service ipa start
Starting Directory Service
Starting dirsrv:
...[14/Sep/2016:17:57:23 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
   [  OK  ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
...[  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###

Do you know how to renew the SSL certificate used for the IPA Server ?

Best regards.

Bahan

Re: [Freeipa-users] [E] Migration Question

2016-09-14 Thread Giger, Justean
We did the same and have had zero issues. In fact, one overzealous colleague 
moved one out of our 5 IDM servers to Oracle while all the others were still on 
Red Hat and things still worked. I have not tried to get support for IDM with 
Oracle though so not sure how that goes.

From: on behalf of "Armstrong, Jeffrey"
Date: Wednesday, September 14, 2016 at 6:20 AM
To: "freeipa-users@redhat.com" 
>
Subject: [E] [Freeipa-users] Migration Question

Hi

My company is migrating from RedHat Linux to Oracle Linux.  I warned them that 
IdM could be a problem. Does anyone know If IPA works after the migration?

Jeff Armstrong




Re: [Freeipa-users] About AllowGroups with sshd

2016-09-14 Thread Jose Alvarez R.
Hi Jakub

Thanks for your response. It's an option, but I will not add my backup
servers to the FreeIPA server.

Then I cannot use the HBAC option, because I want my backup server to be
able to connect as root to some client servers of my FreeIPA server.

If I'm doing something wrong, please let me know

Thanks, Regards

Jose Alvarez R.







-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: martes 13 de septiembre de 2016 02:22 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] About AllowGroups with sshd

On Mon, Sep 12, 2016 at 10:00:57AM -0600, Jose Alvarez R. wrote:
> Hello
> 
> I have a question.
> 
> I have a FreeIPA 3.0 server (CentOS 6) with some client servers (CentOS 6).
> I want to enable root on two of these servers, because they are 
> backup servers.
> 
> I added these lines in /etc/ssh/sshd_config of a client server.
> 
> AllowUsers root@192.168.20.2
> AllowUsers root@192.168.20.90
> PermitRootLogin yes
> 
> This is working, but when I try to log in with my IPA user, I can't log in.
> 
> I added the line "AllowGroups" with my group of users_IPA
> 
> AllowGroups 
> 
> But it is not working. Can you help me?
> 
> Thanks, Regards
> 
> Jose Alvarez.

I know I'm not answering your question directly, but isn't it better to use
HBAC with IPA and centralize the access control rather than edit config
files on the clients?


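The behaviour Jose reports follows from how sshd combines these directives: it evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and every directive that is present must accept the login. With `AllowUsers root@...` and `AllowGroups <ipa group>` both set, an IPA user fails AllowUsers and root fails AllowGroups, so neither can log in. The model below is an added example written for this thread, not OpenSSH code, and it is deliberately simplified: patterns use only `*` and `?`, the host half of a `user@host` pattern is compared against the client IP only, `Match Address` is matched literally (no CIDR), allow/deny directives inside Match blocks are ignored, and any `PermitRootLogin` value other than `no` is treated as permitting root. The group name `ipausers` is a placeholder for the one elided in the thread, and the Match-block variant is this example's own suggestion (a way to keep the root restriction on the client without AllowUsers), not something the thread proposes.

```python
"""Model sshd's combination of AllowUsers, AllowGroups and PermitRootLogin.

Added example for this thread, not OpenSSH code; see the lead-in for the
simplifications. `ipausers` is a placeholder group name.
"""
import fnmatch

LIST_KEYS = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def _any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def parse_sshd_config(text):
    """Return (global_directives, match_blocks). List directives accumulate
    across repeated lines; for other keywords the first value wins, as in sshd."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "Match":
            toks = rest.split()
            criteria = {toks[i]: toks[i + 1].split(",") for i in range(0, len(toks) - 1, 2)}
            cur = {"criteria": criteria, "directives": {}}
            blocks.append(cur)
            continue
        target = glob if cur is None else cur["directives"]
        if key in LIST_KEYS:
            target.setdefault(key, []).extend(rest.split())
        else:
            target.setdefault(key, rest)
    return glob, blocks


def effective(glob, blocks, key, user, addr):
    """Value of `key` for this connection: the first Match block whose criteria
    all hold and that sets the key wins, otherwise the global value."""
    for b in blocks:
        c = b["criteria"]
        if "User" in c and not _any(c["User"], user):
            continue
        if "Address" in c and not _any(c["Address"], addr):
            continue
        if key in b["directives"]:
            return b["directives"][key]
    return glob.get(key)


def login_allowed(config_text, user, groups, addr):
    """Return (allowed, reason); the reason names the directive that rejected the login."""
    glob, blocks = parse_sshd_config(config_text)

    def user_hit(pattern):  # "user@host": both halves must match
        upat, _, hpat = pattern.partition("@")
        return fnmatch.fnmatchcase(user, upat) and (not hpat or fnmatch.fnmatchcase(addr, hpat))

    if any(user_hit(p) for p in glob.get("DenyUsers", [])):
        return False, "DenyUsers"
    if "AllowUsers" in glob and not any(user_hit(p) for p in glob["AllowUsers"]):
        return False, "AllowUsers"
    if any(_any(glob.get("DenyGroups", []), g) for g in groups):
        return False, "DenyGroups"
    if "AllowGroups" in glob and not any(_any(glob["AllowGroups"], g) for g in groups):
        return False, "AllowGroups"
    if user == "root" and effective(glob, blocks, "PermitRootLogin", user, addr) == "no":
        return False, "PermitRootLogin"
    return True, "ok"


# The client's sshd_config lines quoted in the thread (group name is a placeholder).
THREAD_CONFIG = """
AllowUsers root@192.168.20.2
AllowUsers root@192.168.20.90
PermitRootLogin yes
AllowGroups ipausers
"""

# This example's suggestion, not from the thread: admit root and the IPA group
# via AllowGroups, and confine root to the two backup hosts with a Match block.
MATCH_CONFIG = """
AllowGroups root ipausers
PermitRootLogin no
Match User root Address 192.168.20.2,192.168.20.90
    PermitRootLogin yes
"""

if __name__ == "__main__":
    cases = [("root", ["root"], "192.168.20.2"), ("root", ["root"], "10.0.0.5"),
             ("alice", ["ipausers"], "10.0.0.5")]
    for name, cfg in (("thread config", THREAD_CONFIG), ("Match variant", MATCH_CONFIG)):
        for user, groups, addr in cases:
            print("%-14s %-6s from %-13s -> %s" % (name, user, addr, login_allowed(cfg, user, groups, addr)))
```

Run stand-alone, the thread's configuration denies every case, which matches the report; the Match variant admits root only from the two backup addresses and IPA group members from anywhere. Jakub's point stands either way: centralizing this in HBAC rules keeps the policy in one place instead of per-client sshd_config edits.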


[Freeipa-users] Migration Question

2016-09-14 Thread Armstrong, Jeffrey
Hi

My company is migrating from RedHat Linux to Oracle Linux.  I warned them that 
IdM could be a problem. Does anyone know If IPA works after the migration?

Jeff Armstrong




Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-14 Thread Ben Lipton

This may be resolved already, but just in case it's helpful:

On 09/13/2016 11:26 AM, Rob Crittenden wrote:

Natxo Asenjo wrote:

hi,


On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:

hi,

I can reproduce this every time. Restarting httpd fixes it for a
while,
but then it stops working:

$ ipa cert-show 1
ipa: ERROR: cannot connect to
'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial
':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in
an old,
unsupported format.


It is very strange that it goes from a working to a non-working 
state.


I have only two suggestions:

1. Create /etc/ipa/server.conf with a [global] section and
debug=True in it, restart httpd. Your log will be quite a bit more
verbose but given it reproduces so quickly hopefully won't be too
big a deal. That might show something.


+1 to this. With debug=True there should be tracebacks for your 
CertificateFormatErrors.


2. Try brute force with strace. Finding the right httpd process to
strace can be frustrating but usually there are only 8 and they
rotate so eventually you should get the right one.


Could I send you the log files privately?


Sure.

rob

One other note - this could be a permissions issue. NSS seems to produce 
this confusing error message when it can't access the database, even if 
the format of the database is actually fine.


$ sudo chown root:root /tmp/certs
$ certutil -N -d /tmp/certs
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The 
certificate/key database is in an old, unsupported format.


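Ben's `certutil -N` demonstration shows that NSS reports SEC_ERROR_LEGACY_DATABASE when it simply cannot open the database files, so the first thing to verify is whether the identity httpd runs as can actually read the NSS directory. The script below is an added example written for this thread, not NSS or FreeIPA code: it applies the ordinary owner/group/other permission check to the NSS database files (legacy cert8.db/key3.db/secmod.db and SQLite cert9.db/key4.db/pkcs11.txt) for a given uid and group list, plus the search bit on the directory itself. It ignores mandatory access control such as SELinux, which can deny access even when these bits look right. The `demo()` scenario constructs a throwaway directory of placeholder files owned by the current user with mode 0600 and checks it for an unrelated uid (65534 stands in for an unprivileged service account).

```python
"""Rule out a permissions problem before blaming the NSS database format.

Added example for this thread, not NSS or FreeIPA code. Only discretionary
permission bits are checked; SELinux and other MAC are out of scope.
"""
import os
import stat
import tempfile

# File names NSS uses for the legacy (dbm) and the SQLite database formats.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db", "cert9.db", "key4.db", "pkcs11.txt")


def _has_bit(st, uid, gids, usr_bit, grp_bit, oth_bit):
    """Classic DAC check: owner bits if uid owns the file, else group bits if
    the file's gid is among the caller's groups, else the 'other' bits.
    uid 0 bypasses DAC read/search checks."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & usr_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & grp_bit)
    return bool(st.st_mode & oth_bit)


def nss_db_access(dirpath, uid, gids=()):
    """Return {name: readable} for each NSS file present in dirpath, plus
    "<dir>" for search access on the directory (needed to open anything in it)."""
    result = {}
    dst = os.stat(dirpath)
    result["<dir>"] = _has_bit(dst, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    for name in NSS_DB_FILES:
        path = os.path.join(dirpath, name)
        if os.path.exists(path):
            st = os.stat(path)
            result[name] = result["<dir>"] and _has_bit(
                st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
    return result


def demo():
    """Constructed scenario: placeholder DB files with mode 0600 owned by the
    current user, checked for uid 65534 before and after loosening to 0644."""
    other_uid = 65534  # stands in for an unprivileged service account
    names = ("cert8.db", "key3.db", "secmod.db")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed placeholder, not a real NSS database")
            os.chmod(os.path.join(d, name), 0o600)
        os.chmod(d, 0o755)
        before = nss_db_access(d, other_uid)
        for name in names:
            os.chmod(os.path.join(d, name), 0o644)
        after = nss_db_access(d, other_uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mode 0600:", before)
    print("mode 0644:", after)
```

On a real server the call would be something like `nss_db_access("/etc/httpd/alias", uid_of_apache, gids_of_apache)`; a `False` for any file, or for `<dir>`, explains a SEC_ERROR_LEGACY_DATABASE without any database conversion being involved.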


Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-09-14 Thread Ludwig Krispenz

Hi,
On 09/13/2016 07:37 PM, Rakesh Rajasekharan wrote:

Hi All,

Have finally made some progress with this.. after changing the 
checkpoint interval to 180, my hangs have gone down now..


However, I faced a similar hang yesterday... users were not able to 
log in, though this time ns-slapd did not have any issues and 
ldapsearch worked fine, possibly due to the changes in checkpoint. So I 
think I hit some other issue this time


this is a bit confusing, if your server crashes with the attached 
stacktrace ldapsearch cannot work.


About the core, it looks like you are hitting this  issue: 
https://fedorahosted.org/389/ticket/48388


I had a core generated and this is the stacktrace of it.. can you 
please go through this and help me identify what could be causing the 
issue this time.. I have put in a lot of effort to debug and really 
would love to have this working in my prod env.. as it does in my 
other envs...


GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 


This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/sbin/ns-slapd...
warning: the debug information found in 
"/usr/lib/debug//usr/sbin/ns-slapd.debug" does not match 
"/usr/sbin/ns-slapd" (CRC mismatch).



warning: the debug information found in 
"/usr/lib/debug/usr/sbin/ns-slapd.debug" does not match 
"/usr/sbin/ns-slapd" (CRC mismatch).


Reading symbols from /usr/sbin/ns-slapd...(no debugging symbols 
found)...done.

(no debugging symbols found)...done.
[New LWP 15255]
[New LWP 15286]
[New LWP 15245]
[New LWP 15246]
[New LWP 15247]
[New LWP 15248]
[New LWP 15243]

warning: the debug information found in 
"/usr/lib/debug//usr/lib64/dirsrv/libslapd.so.0.0.0.debug" does not 
match "/usr/lib64/dirsrv/libslapd.so.0" (CRC mismatch).



warning: the debug information found in 
"/usr/lib/debug/usr/lib64/dirsrv/libslapd.so.0.0.0.debug" does not 
match "/usr/lib64/dirsrv/libslapd.so.0" (CRC mismatch).


[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

warning: the debug information found in 
"/usr/lib/debug//usr/lib64/dirsrv/plugins/libsyntax-plugin.so.debug" 
does not match "/usr/lib64/dirsrv/plugins/libsyntax-plugin.so" (CRC 
mismatch).



warning: the debug information found in 
"/usr/lib/debug/usr/lib64/dirsrv/plugins/libsyntax-plugin.so.debug" 
does not match "/usr/lib64/dirsrv/plugins/libsyntax-plugin.so" (CRC 
mismatch).



warning: the debug information found in 
"/usr/lib/debug//usr/lib64/dirsrv/plugins/libbitwise-plugin.so.debug" 
does not match "/usr/lib64/dirsrv/plugins/libbitwise-plugin.so" (CRC 
mismatch).



warning: the debug information found in 
"/usr/lib/debug/usr/lib64/dirsrv/plugins/libbitwise-plugin.so.debug" 
does not match "/usr/lib64/dirsrv/plugins/libbitwise-plugin.so" (CRC 
mismatch).


...skipping...
-rw---. 1 dirsrv dirsrv  0 Sep  8 02:55 audit
-rw---. 1 dirsrv dirsrv 2551824384 Sep 12 17:32 core.10450
-rw---. 1 dirsrv dirsrv 1464463360 Sep 12 19:35 core.14709
-rw---. 1 dirsrv dirsrv 4483862528 Sep 13 01:05 core.15243
-rw---. 1 dirsrv dirsrv   66288165 Sep 13 02:10 errors
-rw---. 1 dirsrv dirsrv  104964391 Sep 13 08:30 access.20160913-074214
-rw---. 1 dirsrv dirsrv  105021859 Sep 13 09:26 access.20160913-083046
-rw---. 1 dirsrv dirsrv  104861746 Sep 13 10:31 access.20160913-092646
-rw---. 1 dirsrv dirsrv  105069140 Sep 13 11:36 access.20160913-103137
-rw---. 1 dirsrv dirsrv  104913480 Sep 13 12:41 access.20160913-113638
-rw---. 1 dirsrv dirsrv  105186788 Sep 13 13:46 access.20160913-124118
-rw---. 1 dirsrv dirsrv  105162159 Sep 13 14:51 access.20160913-134619
-rw---. 1 dirsrv dirsrv  105256624 Sep 13 15:56 access.20160913-145120
-rw---. 1 dirsrv dirsrv  105231158 Sep 13 17:01 access.20160913-155620
-rw---. 1 dirsrv dirsrv   1044 Sep 13 17:01 access.rotationinfo
-rw-r--r--. 1 root   root19287 Sep 13 17:28 
stacktrace.1473787719.txt

-rw---. 1 dirsrv dirsrv   45608914 Sep 13 17:29 access
[root@prod-ipa-master-int slapd-SPRINKLR-COM]# gdb -ex 'set confirm 
off' -ex 'set pagination off' -ex 'thread apply all bt full' -ex 
'quit' /usr/sbin/ns-slapd 
/var/log/dirsrv/slapd-SPRINKLR-COM/core.15243 stacktrace.`date 
+%s`.txt 2>&1^C
[root@prod-ipa-master-int slapd-SPRINKLR-COM]# gdb -ex 'set confirm 
off' -ex 'set pagination off' -ex 'thread apply all bt full' -ex 
'quit' /usr/sbin/ns-slapd 
/var/log/dirsrv/slapd-SPRINKLR-COM/core.15243 > stacktrace.`date 
+%s`.txt 2>&1

[root@prod-ipa-master-int slapd-SPRINKLR-COM]# ls -ltr
total 6404952
-rw---. 1 dirsrv dirsrv   

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-14 Thread Natxo Asenjo
hi,

On Tue, Sep 13, 2016 at 9:36 PM, Endi Sukma Dewata 
wrote:

> On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
>
>> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:
>>
>>> I've tried that but still the same result.
>>>
>>> [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
>>> localhost -b "uid=admin,ou=people,o=ipaca"
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base