<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 11/29/2016 10:50 AM, Tomas Krizek wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:fed94be4-d92c-4df3-e475-ab777e6774fd@redhat.com"
type="cite">
<tt> </tt><tt>On 11/28/2016 05:38 PM, Robert Kudyba wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:60257124-FA5E-4972-889E-0441005D111A@fordham.edu"
type="cite">
<div class=""><tt>There seems to be a problem either with
Kerberos and/or using a self-signed certificate vs. Let’s
Encrypt. I tried to run the setup script from </tt><tt><a
moz-do-not-send="true"
href="https://github.com/freeipa/freeipa-letsencrypt"
class="">https://github.com/freeipa/freeipa-letsencrypt</a></tt><tt> and
below are some errors and logs. </tt></div>
<div class=""><tt><br class="">
</tt> </div>
<div class=""><tt>Within the </tt><tt><span style="font-size:
11px;" class="">/etc/httpd/conf.d/ipa.conf</span></tt><tt><font
style="font-size: 11px;" class=""> </font></tt><tt>file I
commented out these directives as I had some Apache
redirects that were breaking:</tt></div>
<div class=""><tt><br class="">
</tt> </div>
<div class="">
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">#WSGIDaemonProcess ipa
processes=2 threads=1 maximum-requests=500 \</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class=""> display-name=%{GROUP}
socket-timeout=2147483647</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">#WSGIImportScript
/usr/share/ipa/wsgi.py process-group=ipa
application-group=ipa</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">#WSGIScriptAlias /ipa
/usr/share/ipa/wsgi.py</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">#WSGIScriptReloading Off</span></tt></div>
</div>
<div class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></tt></div>
<div class="">
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">./setup-le.sh </span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">Last metadata expiration
check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">Package
certbot-0.9.3-1.fc25.noarch is already installed,
skipping.</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">Dependencies resolved.</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">Nothing to do.</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">Complete!</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">Installing CA certificate,
please wait</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">Not a valid CA
certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the
user. (visit <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Troubleshooting"
class="">http://www.freeipa.org/page/Troubleshooting</a>
for troubleshooting guide)</span></tt></div>
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">The ipa-cacert-manage
command failed.</span></tt></div>
</div>
<div class=""><tt><br class="">
</tt> </div>
<div class="">
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">ipactl status</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">Directory Service:
RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">krb5kdc Service: RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">kadmin Service: RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">ipa_memcached Service:
RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">ipa-custodia Service:
RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">ntpd Service: RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">pki-tomcatd Service:
RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">ipa-otpd Service: RUNNING</span></tt></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class="">ipa: INFO: The ipactl
command was successful</span></tt></div>
</div>
<div class=""><tt><span style="font-variant-ligatures:
no-common-ligatures;" class=""><br class="">
</span></tt></div>
<div class=""><tt><span style="font-size: 11px;" class="">kinit
admin</span></tt></div>
<div class="">
<div style="margin: 0px; font-size: 11px; line-height:
normal;" class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class="">kinit: Generic
preauthentication failure while getting initial
credentials</span></tt></div>
</div>
<div style="margin: 0px; font-size: 11px; line-height: normal;"
class=""><tt><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></tt></div>
<div style="margin: 0px; line-height: normal;" class=""><tt><span
style="font-variant-ligatures: no-common-ligatures;"
class="">
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">journalctl -u
named-pkcs11</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">-- No entries --</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">journalctl -u named</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">-- No entries --</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""> file
/var/named/data/named.run</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">/var/named/data/named.run:
cannot open `/var/named/data/named.run' (No such file
or directory)</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">ldapsearch -Y GSSAPI
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">SASL/GSSAPI
authentication started</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">ldap_sasl_interactive_bind_s:
Local error (-2)</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>additional
info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (No Kerberos credentials available
(default cache: KEYRING:persistent:0))</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">
<div style="margin: 0px; line-height: normal;"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">ipa help krbtpolicy</span></div>
<div style="margin: 0px; line-height: normal;"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">ipa: ERROR: did not
receive Kerberos credentials</span></div>
</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="margin: 0px; line-height: normal;" class=""><font
class="" size="2"><span style="font-variant-ligatures:
no-common-ligatures;" class="">In </span>/var/log/krb5kdc.log:</font></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">
<div style="margin: 0px; line-height: normal;"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">Nov 28 05:19:49
krb5kdc[19575](info): closing down fd 11</span></div>
<div style="margin: 0px; line-height: normal;"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">Nov 28 11:04:40
krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16
23 25 26}) ip: NEEDED_PREAUTH: admin@for
krbtgt/ourdomain@ ourdomain, Additional
pre-authentication required</span></div>
<div style="margin: 0px; line-height: normal;"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">Nov 28 11:04:40
krb5kdc[19575](info): closing down fd 11</span></div>
<div style="margin: 0px; line-height: normal;"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">Nov 28 11:15:35
krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16
23 25 26}) ip: NEEDED_PREAUTH: admin@for
krbtgt/ourdomain@ ourdomain, Additional
pre-authentication required</span></div>
<div style="margin: 0px; line-height: normal;"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">Nov 28 11:15:35
krb5kdc[19573](info): closing down fd 11</span></div>
</span></div>
<div style="font-size: 11px; margin: 0px; line-height:
normal;" class=""><br class="">
</div>
</span></tt></div>
<tt><br>
</tt>
<tt><br>
</tt> </blockquote>
<tt>Hi,</tt><tt><br>
</tt> <tt><br>
</tt><tt> you're hitting an issue with Let's Encrypt setup. </tt><tt><br>
</tt> <tt><br>
</tt> <tt><a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/freeipa/freeipa-letsencrypt/issues/1">https://github.com/freeipa/freeipa-letsencrypt/issues/1</a></tt><tt><br>
</tt> <tt><br>
</tt><tt> unfortunately, I'm not aware of any workaround or
solution as of now.</tt><tt><br>
</tt>
<pre class="moz-signature" cols="72">--
Tomas Krizek</pre>
</blockquote>
<tt>The issue should be fixed now. Please try to set up Let's Encrypt
again. In case it does not work, you might need to reinstall IPA
before setting up Let's Encrypt.<br>
</tt>
<pre class="moz-signature" cols="72">--
Tomas Krizek</pre>
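<tt>The /var/log/krb5kdc.log excerpt Robert posted shows AS_REQ lines that end in NEEDED_PREAUTH with no later ISSUE (or PREAUTH_FAILED) line for the same principal, which is what the KDC side looks like when kinit gives up with "Generic preauthentication failure" before sending its second, pre-authenticated request. The following is an added example, not code from this thread, from FreeIPA or from the freeipa-letsencrypt project: a small Python parser that summarises AS_REQ outcomes per client principal and flags principals whose pre-authentication never completes. The realm EXAMPLE.COM, the IP addresses and the sample log lines are constructed for the example in the format the MIT KDC writes.</tt><br>

```python
"""Summarise AS_REQ outcomes in a krb5kdc.log excerpt.

Added example, not part of the mailing-list thread. The sample lines
below are constructed; realm EXAMPLE.COM and the 192.0.2.x addresses
are placeholders.
"""
import re
from collections import defaultdict

# One AS_REQ line: timestamp, process, level, enctype list, client IP,
# status keyword (NEEDED_PREAUTH, ISSUE, PREAUTH_FAILED, ...) and the rest.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"AS_REQ \((?P<etypes>[^)]*)\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client@REALM for service/host@REALM" appears in every AS_REQ status line,
# after "authtime ..., etypes {...}," in the ISSUE case.
PRINCIPALS_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)")

TRACKED = ("NEEDED_PREAUTH", "PREAUTH_FAILED", "ISSUE")


def parse_as_req(line):
    """Return a dict for an AS_REQ line, or None for any other log line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    p = PRINCIPALS_RE.search(m.group("rest"))
    if not p:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "status": m.group("status"),
        "client": p.group("client"),
        "server": p.group("server"),
    }


def summarize(lines):
    """Count AS_REQ statuses per client principal."""
    counts = defaultdict(lambda: {k: 0 for k in TRACKED + ("other",)})
    for line in lines:
        ev = parse_as_req(line)
        if ev is None:
            continue
        key = ev["status"] if ev["status"] in TRACKED else "other"
        counts[ev["client"]][key] += 1
    return dict(counts)


def stalled_clients(summary):
    """Principals the KDC asked to pre-authenticate that never got a ticket.

    NEEDED_PREAUTH on the first AS_REQ is normal; a healthy exchange is
    followed by ISSUE. No ISSUE and no PREAUTH_FAILED means the client
    never sent the second request, i.e. it failed on its own side.
    """
    return sorted(
        c for c, n in summary.items()
        if n["NEEDED_PREAUTH"] and not n["ISSUE"] and not n["PREAUTH_FAILED"]
    )


# Constructed sample: two stalled attempts for admin, one healthy host login.
SAMPLE_LOG = [
    "Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
    "Additional pre-authentication required",
    "Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11",
    "Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
    "Additional pre-authentication required",
    "Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11",
    "Nov 28 11:20:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.0.2.11: NEEDED_PREAUTH: host/ipa.example.com@EXAMPLE.COM for "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required",
    "Nov 28 11:20:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.0.2.11: ISSUE: authtime 1480350002, etypes {rep=18 tkt=18 ses=18}, "
    "host/ipa.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for client, n in sorted(summary.items()):
        print(f"{client}: {n}")
    print("stalled pre-authentication:", stalled_clients(SAMPLE_LOG and summary))
```

<tt>Run against a real log with <code>summarize(open("/var/log/krb5kdc.log"))</code>. A principal listed by <code>stalled_clients</code> tells you the KDC was reachable and answered, so the fault lies in the client's pre-authentication step (credential cache, keytab, or the client-side library) rather than in the KDC database; a principal with PREAUTH_FAILED counts instead points at a wrong password or key.</tt>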
</body>
</html>