<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>On 11/29/2016 10:50 AM, Tomas Krizek wrote:</tt><tt><br>
    </tt>
    <blockquote
      cite="mid:fed94be4-d92c-4df3-e475-ab777e6774fd@redhat.com"
      type="cite">
      <tt> </tt><tt>On 11/28/2016 05:38 PM, Robert Kudyba wrote:</tt><tt><br>
      </tt>
      <blockquote
        cite="mid:60257124-FA5E-4972-889E-0441005D111A@fordham.edu"
        type="cite">
        <div class=""><tt>There seems to be a problem either with
            Kerberos and/or using a self-signed certificate vs. Let’s
            Encrypt. I tried to run the setup script from </tt><tt><a
              moz-do-not-send="true"
              href="https://github.com/freeipa/freeipa-letsencrypt"
              class="">https://github.com/freeipa/freeipa-letsencrypt</a></tt><tt> and
            below are some errors and logs.  </tt></div>
        <div class=""><tt><br class="">
          </tt> </div>
        <div class=""><tt>Within the </tt><tt><span style="font-size:
              11px;" class="">/etc/httpd/conf.d/ipa.conf</span></tt><tt><font
              style="font-size: 11px;" class=""> </font></tt><tt>file I
            commented out these directives as I had some Apache
            redirects that were breaking:</tt></div>
        <div class=""><tt><br class="">
          </tt> </div>
        <div class="">
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">#WSGIDaemonProcess ipa
                processes=2 threads=1 maximum-requests=500 \</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class=""> display-name=%{GROUP}
                socket-timeout=2147483647</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">#WSGIImportScript
                /usr/share/ipa/wsgi.py process-group=ipa
                application-group=ipa</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">#WSGIScriptAlias /ipa
                /usr/share/ipa/wsgi.py</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">#WSGIScriptReloading Off</span></tt></div>
        </div>
        <div class=""><tt><span style="font-variant-ligatures:
              no-common-ligatures" class=""><br class="">
            </span></tt></div>
        <div class="">
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">./setup-le.sh </span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">Last metadata expiration
                check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">Package
                certbot-0.9.3-1.fc25.noarch is already installed,
                skipping.</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">Dependencies resolved.</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">Nothing to do.</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">Complete!</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">Installing CA certificate,
                please wait</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">Not a valid CA
                certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
                certificate issuer has been marked as not trusted by the
                user. (visit <a moz-do-not-send="true"
                  href="http://www.freeipa.org/page/Troubleshooting"
                  class="">http://www.freeipa.org/page/Troubleshooting</a>
                for troubleshooting guide)</span></tt></div>
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">The ipa-cacert-manage
                command failed.</span></tt></div>
        </div>
        <div class=""><tt><br class="">
          </tt> </div>
        <div class="">
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">ipactl status</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">Directory Service:
                RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">krb5kdc Service: RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">kadmin Service: RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">ipa_memcached Service:
                RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">ipa-custodia Service:
                RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">ntpd Service: RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">pki-tomcatd Service:
                RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">ipa-otpd Service: RUNNING</span></tt></div>
          <div style="font-size: 11px; margin: 0px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures;" class="">ipa: INFO: The ipactl
                command was successful</span></tt></div>
        </div>
        <div class=""><tt><span style="font-variant-ligatures:
              no-common-ligatures;" class=""><br class="">
            </span></tt></div>
        <div class=""><tt><span style="font-size: 11px;" class="">kinit
              admin</span></tt></div>
        <div class="">
          <div style="margin: 0px; font-size: 11px; line-height:
            normal;" class=""><tt><span style="font-variant-ligatures:
                no-common-ligatures" class="">kinit: Generic
                preauthentication failure while getting initial
                credentials</span></tt></div>
        </div>
        <div style="margin: 0px; font-size: 11px; line-height: normal;"
          class=""><tt><span style="font-variant-ligatures:
              no-common-ligatures" class=""><br class="">
            </span></tt></div>
        <div style="margin: 0px; line-height: normal;" class=""><tt><span
              style="font-variant-ligatures: no-common-ligatures;"
              class="">
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">journalctl -u
                  named-pkcs11</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">-- No entries --</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""><br class="">
                </span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">journalctl -u named</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">-- No entries --</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""><br class="">
                </span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""> file
                  /var/named/data/named.run</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">/var/named/data/named.run:
                  cannot open `/var/named/data/named.run' (No such file
                  or directory)</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""><br class="">
                </span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">ldapsearch -Y GSSAPI
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">SASL/GSSAPI
                  authentication started</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">ldap_sasl_interactive_bind_s:
                  Local error (-2)</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre">       </span>additional
                  info: SASL(-1): generic failure: GSSAPI Error:
                  Unspecified GSS failure.  Minor code may provide more
                  information (No Kerberos credentials available
                  (default cache: KEYRING:persistent:0))</span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""><br class="">
                </span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">
                  <div style="margin: 0px; line-height: normal;"
                    class=""><span style="font-variant-ligatures:
                      no-common-ligatures" class="">ipa help krbtpolicy</span></div>
                  <div style="margin: 0px; line-height: normal;"
                    class=""><span style="font-variant-ligatures:
                      no-common-ligatures" class="">ipa: ERROR: did not
                      receive Kerberos credentials</span></div>
                </span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""><br class="">
                </span></div>
              <div style="margin: 0px; line-height: normal;" class=""><font
                  class="" size="2"><span style="font-variant-ligatures:
                    no-common-ligatures;" class="">In </span>/var/log/krb5kdc.log:</font></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class=""><br class="">
                </span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><span style="font-variant-ligatures:
                  no-common-ligatures" class="">
                  <div style="margin: 0px; line-height: normal;"
                    class=""><span style="font-variant-ligatures:
                      no-common-ligatures" class="">Nov 28 05:19:49
                      krb5kdc[19575](info): closing down fd 11</span></div>
                  <div style="margin: 0px; line-height: normal;"
                    class=""><span style="font-variant-ligatures:
                      no-common-ligatures" class="">Nov 28 11:04:40
                      krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16
                      23 25 26}) ip: NEEDED_PREAUTH: admin@for
                      krbtgt/ourdomain@ ourdomain, Additional
                      pre-authentication required</span></div>
                  <div style="margin: 0px; line-height: normal;"
                    class=""><span style="font-variant-ligatures:
                      no-common-ligatures" class="">Nov 28 11:04:40
                      krb5kdc[19575](info): closing down fd 11</span></div>
                  <div style="margin: 0px; line-height: normal;"
                    class=""><span style="font-variant-ligatures:
                      no-common-ligatures" class="">Nov 28 11:15:35
                      krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16
                      23 25 26}) ip: NEEDED_PREAUTH: admin@for
                      krbtgt/ourdomain@ ourdomain, Additional
                      pre-authentication required</span></div>
                  <div style="margin: 0px; line-height: normal;"
                    class=""><span style="font-variant-ligatures:
                      no-common-ligatures" class="">Nov 28 11:15:35
                      krb5kdc[19573](info): closing down fd 11</span></div>
                </span></div>
              <div style="font-size: 11px; margin: 0px; line-height:
                normal;" class=""><br class="">
              </div>
            </span></tt></div>
        <tt><br>
        </tt>
        <tt><br>
        </tt> </blockquote>
      <tt>Hi,</tt><tt><br>
      </tt> <tt><br>
      </tt><tt> you're hitting an issue with Let's Encrypt setup. </tt><tt><br>
      </tt> <tt><br>
      </tt> <tt><a moz-do-not-send="true" class="moz-txt-link-freetext"
          href="https://github.com/freeipa/freeipa-letsencrypt/issues/1">https://github.com/freeipa/freeipa-letsencrypt/issues/1</a></tt><tt><br>
      </tt> <tt><br>
      </tt><tt> unfortunately, I'm not aware of any workaround or
        solution as of now.</tt><tt><br>
      </tt>
      <pre class="moz-signature" cols="72">-- 
Tomas Krizek</pre>
      <tt><br>
      </tt>
      <tt><br>
      </tt>
    </blockquote>
    <tt>The issue should be fixed now. Please try to set up Let's Encrypt
      again. In case it does not work, you might need to reinstall IPA
      before setting up Let's Encrypt.<br>
    </tt>
    <pre class="moz-signature" cols="72">-- 
Tomas Krizek</pre>
  </body>
</html>