[Freeipa-users] Let's Encrypt along with FreeIPA
Joseph Flynn
jjflynn22 at gmail.com
Sun Dec 4 23:25:13 UTC 2016
Sorry if this is not the appropriate forum for discussing this topic.
I have installed a FreeIPA system on CentOS 7 and am trying to get the
Let's Encrypt scripts to work as defined in
https://github.com/freeipa/freeipa-letsencrypt
I had to tinker with a combination of enabling/disabling EPEL and this new
tool DNF that I am not too familiar with but eventually got the script to
run.
It is ending with the following error:
ipa: INFO: Systemwide CA database updated.
> ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command
> was successful
> Directory Manager password:
>
> Installing CA certificate, please wait
> Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate
> issuer is not recognized. (visit
> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>
>
Does anyone recognize this situation?
I have installed this on a VirtualBox client in Bridge Network mode.
Prior to trying to use a real certificate, I could access the FreeIPA UI
from Firefox on both the VM and other computers in the home. I've gotten a
domain name and have that domain name pointed to my home router with a
handful of ports (those listed at the end of the FreeIPA install) forwarded
to my VM.
For completeness, I have included the history below along with the full
output including a couple of highlighted areas that could be errors.
Thanks for any assistance from anyone who might notice an error in my ways.
Joe
History:
1 ifconfig -a
2 sudo yum -y update
3 cat /etc/hostname
4 sudo echo 192.168.1.201 ipa-1.kkgpitt.org ipa-1 >> /etc/hosts
5 sudo vi /etc/hosts
7 sudo reboot now
8 hostname
9 ifconfig -a
11 sudo visudo
12 sudo ls # just to set pw
13 sudo yum install epel-release -y
14 sudo yum install -y haveged
15 sudo systemctl start haveged.service
16 sudo ipa-server-install
17 kinit admin
18 firewall-cmd --permanent --add-service=ntp
19 firewall-cmd --permanent --add-service=http
20 firewall-cmd --permanent --add-service=https
21 firewall-cmd --permanent --add-service=ldap
22 firewall-cmd --permanent --add-service=ldaps
23 firewall-cmd --permanent --add-service=kerberos
24 firewall-cmd --permanent --add-service=kpasswd
26 sudo authconfig --enablemkhomedir --update
27 sudo chkconfig sssd on
28 git config --global user.name "Joe Flynn"
29 git config --global user.email "jjflynn22 at gmail.com"
30 mkdir ~/.ssh
31 cd ~/.ssh
32 vi id_rsa
33 vi id_rsa.pub
34 chmod 700 ~/.ssh
35 chmod 600 ~/.ssh/*
36 ssh-add ~/.ssh/id_rsa
37 sudo yum install -y letsencrypt
38 sudo cp -r /etc/httpd/alias /etc/httpd/alias_backup
39 cd ~
40 git clone https://github.com/freeipa/freeipa-letsencrypt.git
41 sudo cp -r freeipa-letsencrypt /root/ipa-le
42 sudo vi /root/ipa-le/renew-le.sh
43 sudo yum install -y dnf
44 sudo yum remove -y epel-release
45 sudo dnf repolist
46 sudo /root/ipa-le/setup-le.sh
47 history
> [jjflynn22 at ipa-1 ~]$ sudo visudo
> [sudo] password for jjflynn22:
> [jjflynn22 at ipa-1 ~]$ sudo yum install epel-release -y
> Loaded plugins: fastestmirror, langpacks
> base
> | 3.6 kB 00:00:00
> extras
> | 3.4 kB 00:00:00
> updates
> | 3.4 kB 00:00:00
> Loading mirror speeds from cached hostfile
> * base: repo1.ash.innoscale.net
> * extras: mirrors.advancedhosters.com
> * updates: mirror.cs.vt.edu
> Resolving Dependencies
> --> Running transaction check
> ---> Package epel-release.noarch 0:7-6 will be installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
>
> =============================================================================================================================
> Package Arch
> Version Repository Size
>
> =============================================================================================================================
> Installing:
> epel-release noarch
> 7-6 extras 14 k
>
> Transaction Summary
>
> =============================================================================================================================
> Install 1 Package
>
> Total download size: 14 k
> Installed size: 24 k
> Downloading packages:
> epel-release-7-6.noarch.rpm
> | 14 kB 00:00:00
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
> Installing :
> epel-release-7-6.noarch
> 1/1
> Verifying :
> epel-release-7-6.noarch
> 1/1
>
> Installed:
> epel-release.noarch
> 0:7-6
>
>
> Complete!
> [jjflynn22 at ipa-1 ~]$ sudo yum install -y haveged
> Loaded plugins: fastestmirror, langpacks
> epel/x86_64/metalink
> | 13 kB 00:00:00
> epel
> | 4.3 kB 00:00:00
> (1/3):
> epel/x86_64/updateinfo
> | 676 kB 00:00:00
> (2/3):
> epel/x86_64/group_gz
> | 170 kB 00:00:00
> (3/3):
> epel/x86_64/primary_db
> | 4.4 MB 00:00:01
> Loading mirror speeds from cached hostfile
> * base: repo1.ash.innoscale.net
> * epel: ftp.osuosl.org
> * extras: mirror.fusioncloud.co
> * updates: ftp.osuosl.org
> Resolving Dependencies
> --> Running transaction check
> ---> Package haveged.x86_64 0:1.9.1-1.el7 will be installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
>
> =============================================================================================================================
> Package Arch
> Version Repository Size
>
> =============================================================================================================================
> Installing:
> haveged x86_64
> 1.9.1-1.el7 epel 61 k
>
> Transaction Summary
>
> =============================================================================================================================
> Install 1 Package
>
> Total download size: 61 k
> Installed size: 181 k
> Downloading packages:
> warning:
> /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm:
> Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
> Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed
> haveged-1.9.1-1.el7.x86_64.rpm
> | 61 kB 00:00:00
> Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
> Importing GPG key 0x352C64E5:
> Userid : "Fedora EPEL (7) <epel at fedoraproject.org>"
> Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
> Package : epel-release-7-6.noarch (@extras)
> From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
> Installing :
> haveged-1.9.1-1.el7.x86_64
> 1/1
> Verifying :
> haveged-1.9.1-1.el7.x86_64
> 1/1
>
> Installed:
> haveged.x86_64
> 0:1.9.1-1.el7
>
>
> Complete!
> [jjflynn22 at ipa-1 ~]$ sudo systemctl start haveged.service
> [jjflynn22 at ipa-1 ~]$
> [jjflynn22 at ipa-1 ~]$
> [jjflynn22 at ipa-1 ~]$
> [jjflynn22 at ipa-1 ~]$
> [jjflynn22 at ipa-1 ~]$ sudo ipa-server-install
>
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
>
> ==============================================================================
> This program will set up the IPA Server.
>
> This includes:
> * Configure a stand-alone CA (dogtag) for certificate management
> * Configure the Network Time Daemon (ntpd)
> * Create and configure an instance of Directory Server
> * Create and configure a Kerberos Key Distribution Center (KDC)
> * Configure Apache (httpd)
>
> To accept the default shown in brackets, press the Enter key.
>
> WARNING: conflicting time&date synchronization service 'chronyd' will be
> disabled
> in favor of ntpd
>
> Do you want to configure integrated DNS (BIND)? [no]:
>
> Enter the fully qualified domain name of the computer
> on which you're setting up server software. Using the form
> <hostname>.<domainname>
> Example: master.example.com.
>
>
> Server host name [ipa-1.kkgpitt.org]:
>
> The domain name has been determined based on the host name.
>
> Please confirm the domain name [kkgpitt.org]:
>
> The kerberos protocol requires a Realm name to be defined.
> This is typically the domain name converted to uppercase.
>
> Please provide a realm name [KKGPITT.ORG]:
> Certain directory server operations require an administrative user.
> This user is referred to as the Directory Manager and has full access
> to the Directory for system management tasks and will be added to the
> instance of directory server created for IPA.
> The password must be at least 8 characters long.
>
> Directory Manager password:
> Password (confirm):
>
> The IPA server requires an administrative user, named 'admin'.
> This user is a regular system account used for IPA server administration.
>
> IPA admin password:
> Password (confirm):
>
>
> The IPA Master Server will be configured with:
> Hostname: ipa-1.kkgpitt.org
> IP address(es): 192.168.1.201
> Domain name: kkgpitt.org
> Realm name: KKGPITT.ORG
>
> Continue to configure the system with these values? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
> [1/42]: creating directory server user
> [2/42]: creating directory server instance
> [3/42]: adding default schema
> [4/42]: enabling memberof plugin
> [5/42]: enabling winsync plugin
> [6/42]: configuring replication version plugin
> [7/42]: enabling IPA enrollment plugin
> [8/42]: enabling ldapi
> [9/42]: configuring uniqueness plugin
> [10/42]: configuring uuid plugin
> [11/42]: configuring modrdn plugin
> [12/42]: configuring DNS plugin
> [13/42]: enabling entryUSN plugin
> [14/42]: configuring lockout plugin
> [15/42]: creating indices
> [16/42]: enabling referential integrity plugin
> [17/42]: configuring certmap.conf
> [18/42]: configure autobind for root
> [19/42]: configure new location for managed entries
> [20/42]: configure dirsrv ccache
> [21/42]: enable SASL mapping fallback
> [22/42]: restarting directory server
> [23/42]: adding default layout
> [24/42]: adding delegation layout
> [25/42]: creating container for managed entries
> [26/42]: configuring user private groups
> [27/42]: configuring netgroups from hostgroups
> [28/42]: creating default Sudo bind user
> [29/42]: creating default Auto Member layout
> [30/42]: adding range check plugin
> [31/42]: creating default HBAC rule allow_all
> [32/42]: adding entries for topology management
> [33/42]: initializing group membership
> [34/42]: adding master entry
> [35/42]: initializing domain level
> [36/42]: configuring Posix uid/gid generation
> [37/42]: adding replication acis
> [38/42]: enabling compatibility plugin
> [39/42]: activating sidgen plugin
> [40/42]: activating extdom plugin
> [41/42]: tuning directory server
> [42/42]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
> [1/28]: creating certificate server user
> [2/28]: configuring certificate server instance
> [3/28]: stopping certificate server instance to update CS.cfg
> [4/28]: backing up CS.cfg
> [5/28]: disabling nonces
> [6/28]: set up CRL publishing
> [7/28]: enable PKIX certificate path discovery and validation
> [8/28]: starting certificate server instance
> [9/28]: creating RA agent certificate database
> [10/28]: importing CA chain to RA certificate database
> [11/28]: fixing RA database permissions
> [12/28]: setting up signing cert profile
> [13/28]: setting audit signing renewal to 2 years
> [14/28]: restarting certificate server
> [15/28]: requesting RA certificate from CA
> [16/28]: issuing RA agent certificate
> [17/28]: adding RA agent as a trusted user
> [18/28]: authorizing RA to modify profiles
> [19/28]: configure certmonger for renewals
> [20/28]: configure certificate renewals
> [21/28]: configure RA certificate renewal
> [22/28]: configure Server-Cert certificate renewal
> [23/28]: Configure HTTP to proxy connections
> [24/28]: restarting certificate server
> [25/28]: migrating certificate profiles to LDAP
> [26/28]: importing IPA certificate profiles
> [27/28]: adding default CA ACL
> [28/28]: updating IPA configuration
> Done configuring certificate server (pki-tomcatd).
> Configuring directory server (dirsrv). Estimated time: 10 seconds
> [1/3]: configuring ssl for ds instance
> [2/3]: restarting directory server
> [3/3]: adding CA certificate entry
> Done configuring directory server (dirsrv).
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
> [1/10]: adding sasl mappings to the directory
> [2/10]: adding kerberos container to the directory
> [3/10]: configuring KDC
> [4/10]: initialize kerberos container
> [5/10]: adding default ACIs
> [6/10]: creating a keytab for the directory
> [7/10]: creating a keytab for the machine
> [8/10]: adding the password extension to the directory
> [9/10]: starting the KDC
> [10/10]: configuring KDC to start on boot
> Done configuring Kerberos KDC (krb5kdc).
> Configuring kadmin
> [1/2]: starting kadmin
> [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> Configuring ipa_memcached
> [1/2]: starting ipa_memcached
> [2/2]: configuring ipa_memcached to start on boot
> Done configuring ipa_memcached.
> Configuring ipa-otpd
> [1/2]: starting ipa-otpd
> [2/2]: configuring ipa-otpd to start on boot
> Done configuring ipa-otpd.
> Configuring the web interface (httpd). Estimated time: 1 minute
> [1/19]: setting mod_nss port to 443
> [2/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
> [3/19]: setting mod_nss password file
> [4/19]: enabling mod_nss renegotiate
> [5/19]: adding URL rewriting rules
> [6/19]: configuring httpd
> [7/19]: configure certmonger for renewals
> [8/19]: setting up ssl
> [9/19]: importing CA certificates from LDAP
> [10/19]: setting up browser autoconfig
> [11/19]: publish CA cert
> [12/19]: creating a keytab for httpd
> [13/19]: clean up any existing httpd ccache
> [14/19]: configuring SELinux for httpd
> [15/19]: create KDC proxy user
> [16/19]: create KDC proxy config
> [17/19]: enable KDC proxy
> [18/19]: restarting httpd
> [19/19]: configuring httpd to start on boot
> Done configuring the web interface (httpd).
> Applying LDAP updates
> Upgrading IPA:
> [1/9]: stopping directory server
> [2/9]: saving configuration
> [3/9]: disabling listeners
> [4/9]: enabling DS global lock
> [5/9]: starting directory server
> [6/9]: upgrading server
> [7/9]: stopping directory server
> [8/9]: restoring configuration
> [9/9]: starting directory server
> Done.
> Restarting the directory server
> Restarting the KDC
> Sample zone file for bind has been created in /tmp/sample.zone.Yjwpca.db
> Restarting the web server
>
> ==============================================================================
> Setup complete
>
> Next steps:
> 1. You must make sure these network ports are open:
> TCP Ports:
> * 80, 443: HTTP/HTTPS
> * 389, 636: LDAP/LDAPS
> * 88, 464: kerberos
> UDP Ports:
> * 88, 464: kerberos
> * 123: ntp
>
> 2. You can now obtain a kerberos ticket using the command: 'kinit
> admin'
> This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> and the web user interface.
>
> Be sure to back up the CA certificates stored in /root/cacert.p12
> These files are required to create replicas. The password for these
> files is the Directory Manager password
> [jjflynn22 at ipa-1 ~]$ kinit admin
> Password for admin at KKGPITT.ORG:
> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=ntp
> success
> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=http
> success
> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=https
> success
> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=ldap
> success
> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=ldaps
> success
> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=kerberos
> success
> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent --add-service=kpasswd
> success
> [jjflynn22 at ipa-1 ~]$ sudo authconfig --enablemkhomedir --update
> [jjflynn22 at ipa-1 ~]$ sudo chkconfig sssd on
> Note: Forwarding request to 'systemctl enable sssd.service'.
> [jjflynn22 at ipa-1 ~]$ git config --global user.name "Joe Flynn"
> [jjflynn22 at ipa-1 ~]$ git config --global user.email "jjflynn22 at gmail.com"
> [jjflynn22 at ipa-1 ~]$ mkdir ~/.ssh
> [jjflynn22 at ipa-1 ~]$ cd ~/.ssh
> [jjflynn22 at ipa-1 .ssh]$ vi id_rsa
> [jjflynn22 at ipa-1 .ssh]$ vi id_rsa.pub
> [jjflynn22 at ipa-1 .ssh]$ chmod 700 ~/.ssh
> [jjflynn22 at ipa-1 .ssh]$ chmod 600 ~/.ssh/*
> [jjflynn22 at ipa-1 .ssh]$ ssh-add ~/.ssh/id_rsa
> Identity added: /home/jjflynn22/.ssh/id_rsa (/home/jjflynn22/.ssh/id_rsa)
> [jjflynn22 at ipa-1 .ssh]$ sudo yum install -y letsencrypt
> Loaded plugins: fastestmirror, langpacks
> Loading mirror speeds from cached hostfile
> * base: repo1.ash.innoscale.net
> * epel: mirror.cogentco.com
> * extras: chicago.gaminghost.co
> * updates: mirror.cs.vt.edu
> Resolving Dependencies
> --> Running transaction check
> ---> Package certbot.noarch 0:0.9.3-1.el7 will be installed
> --> Processing Dependency: python2-certbot = 0.9.3-1.el7 for package:
> certbot-0.9.3-1.el7.noarch
> --> Running transaction check
> ---> Package python2-certbot.noarch 0:0.9.3-1.el7 will be installed
> --> Processing Dependency: python2-acme = 0.9.3 for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Processing Dependency: python2-dialog >= 3.3.0 for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Processing Dependency: python2-configargparse >= 0.10.0 for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Processing Dependency: python-psutil >= 2.1.0 for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Processing Dependency: python-zope-interface for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Processing Dependency: python-zope-component for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Processing Dependency: python-parsedatetime for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Processing Dependency: python-mock for package:
> python2-certbot-0.9.3-1.el7.noarch
> --> Running transaction check
> ---> Package python-parsedatetime.noarch 0:1.5-3.el7 will be installed
> ---> Package python-psutil.x86_64 0:2.2.1-1.el7 will be installed
> ---> Package python-zope-component.noarch 1:4.1.0-1.el7 will be installed
> --> Processing Dependency: python-zope-event for package:
> 1:python-zope-component-4.1.0-1.el7.noarch
> ---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed
> ---> Package python2-acme.noarch 0:0.9.3-1.el7 will be installed
> --> Processing Dependency: python-pyrfc3339 for package:
> python2-acme-0.9.3-1.el7.noarch
> --> Processing Dependency: python-ndg_httpsclient for package:
> python2-acme-0.9.3-1.el7.noarch
> ---> Package python2-configargparse.noarch 0:0.10.0-1.el7 will be installed
> ---> Package python2-dialog.noarch 0:3.3.0-6.el7 will be installed
> --> Processing Dependency: dialog for package:
> python2-dialog-3.3.0-6.el7.noarch
> ---> Package python2-mock.noarch 0:1.0.1-9.el7 will be installed
> --> Running transaction check
> ---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed
> ---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
> ---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
> ---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
>
> =============================================================================================================================
> Package Arch
> Version Repository Size
>
> =============================================================================================================================
> Installing:
> certbot noarch
> 0.9.3-1.el7 epel 16 k
> Installing for dependencies:
> dialog x86_64
> 1.2-4.20130523.el7 base 208 k
> python-ndg_httpsclient noarch
> 0.3.2-1.el7 epel 43 k
> python-parsedatetime noarch
> 1.5-3.el7 epel 61 k
> python-psutil x86_64
> 2.2.1-1.el7 epel 114 k
> python-zope-component noarch
> 1:4.1.0-1.el7 epel 110 k
> python-zope-event noarch
> 4.0.3-2.el7 epel 79 k
> python-zope-interface x86_64
> 4.0.5-4.el7 base 138 k
> python2-acme noarch
> 0.9.3-1.el7 epel 168 k
> python2-certbot noarch
> 0.9.3-1.el7 epel 361 k
> python2-configargparse noarch
> 0.10.0-1.el7 epel 28 k
> python2-dialog noarch
> 3.3.0-6.el7 epel 94 k
> python2-mock noarch
> 1.0.1-9.el7 epel 92 k
> python2-pyrfc3339 noarch
> 1.0-2.el7 epel 13 k
>
> Transaction Summary
>
> =============================================================================================================================
> Install 1 Package (+13 Dependent packages)
>
> Total download size: 1.5 M
> Installed size: 6.3 M
> Downloading packages:
> (1/14):
> python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm
> | 43 kB 00:00:00
> (2/14):
> dialog-1.2-4.20130523.el7.x86_64.rpm
> | 208 kB 00:00:00
> (3/14):
> certbot-0.9.3-1.el7.noarch.rpm
> | 16 kB 00:00:00
> (4/14):
> python-parsedatetime-1.5-3.el7.noarch.rpm
> | 61 kB 00:00:00
> (5/14):
> python-psutil-2.2.1-1.el7.x86_64.rpm
> | 114 kB 00:00:00
> (6/14):
> python-zope-component-4.1.0-1.el7.noarch.rpm
> | 110 kB 00:00:00
> (7/14):
> python-zope-interface-4.0.5-4.el7.x86_64.rpm
> | 138 kB 00:00:00
> (8/14):
> python-zope-event-4.0.3-2.el7.noarch.rpm
> | 79 kB 00:00:00
> (9/14):
> python2-certbot-0.9.3-1.el7.noarch.rpm
> | 361 kB 00:00:00
> (10/14):
> python2-configargparse-0.10.0-1.el7.noarch.rpm
> | 28 kB 00:00:00
> (11/14):
> python2-acme-0.9.3-1.el7.noarch.rpm
> | 168 kB 00:00:00
> (12/14):
> python2-dialog-3.3.0-6.el7.noarch.rpm
> | 94 kB 00:00:00
> (13/14):
> python2-pyrfc3339-1.0-2.el7.noarch.rpm
> | 13 kB 00:00:00
> (14/14):
> python2-mock-1.0.1-9.el7.noarch.rpm
> | 92 kB 00:00:00
>
> -----------------------------------------------------------------------------------------------------------------------------
> Total
> 1.3 MB/s | 1.5 MB 00:00:01
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
> Installing :
> python-zope-interface-4.0.5-4.el7.x86_64
> 1/14
> Installing :
> python2-mock-1.0.1-9.el7.noarch
> 2/14
> Installing :
> python-parsedatetime-1.5-3.el7.noarch
> 3/14
> Installing :
> python-psutil-2.2.1-1.el7.x86_64
> 4/14
> Installing :
> python-zope-event-4.0.3-2.el7.noarch
> 5/14
> Installing :
> 1:python-zope-component-4.1.0-1.el7.noarch
> 6/14
> Installing :
> python-ndg_httpsclient-0.3.2-1.el7.noarch
> 7/14
> Installing :
> python2-pyrfc3339-1.0-2.el7.noarch
> 8/14
> Installing :
> python2-acme-0.9.3-1.el7.noarch
> 9/14
> Installing :
> python2-configargparse-0.10.0-1.el7.noarch
> 10/14
> Installing :
> dialog-1.2-4.20130523.el7.x86_64
> 11/14
> Installing :
> python2-dialog-3.3.0-6.el7.noarch
> 12/14
> Installing :
> python2-certbot-0.9.3-1.el7.noarch
> 13/14
> Installing :
> certbot-0.9.3-1.el7.noarch
> 14/14
> Verifying :
> dialog-1.2-4.20130523.el7.x86_64
> 1/14
> Verifying :
> certbot-0.9.3-1.el7.noarch
> 2/14
> Verifying :
> python2-configargparse-0.10.0-1.el7.noarch
> 3/14
> Verifying :
> python2-pyrfc3339-1.0-2.el7.noarch
> 4/14
> Verifying :
> python-zope-interface-4.0.5-4.el7.x86_64
> 5/14
> Verifying :
> python-ndg_httpsclient-0.3.2-1.el7.noarch
> 6/14
> Verifying :
> python-zope-event-4.0.3-2.el7.noarch
> 7/14
> Verifying :
> python-psutil-2.2.1-1.el7.x86_64
> 8/14
> Verifying :
> python2-acme-0.9.3-1.el7.noarch
> 9/14
> Verifying :
> python2-dialog-3.3.0-6.el7.noarch
> 10/14
> Verifying :
> 1:python-zope-component-4.1.0-1.el7.noarch
> 11/14
> Verifying :
> python-parsedatetime-1.5-3.el7.noarch
> 12/14
> Verifying :
> python2-certbot-0.9.3-1.el7.noarch
> 13/14
> Verifying :
> python2-mock-1.0.1-9.el7.noarch
> 14/14
>
> Installed:
> certbot.noarch
> 0:0.9.3-1.el7
>
>
> Dependency Installed:
> dialog.x86_64 0:1.2-4.20130523.el7
> python-ndg_httpsclient.noarch 0:0.3.2-1.el7
> python-parsedatetime.noarch 0:1.5-3.el7
> python-psutil.x86_64 0:2.2.1-1.el7
> python-zope-component.noarch 1:4.1.0-1.el7
> python-zope-event.noarch 0:4.0.3-2.el7
> python-zope-interface.x86_64 0:4.0.5-4.el7
> python2-acme.noarch 0:0.9.3-1.el7
> python2-certbot.noarch 0:0.9.3-1.el7
> python2-configargparse.noarch 0:0.10.0-1.el7
> python2-dialog.noarch 0:3.3.0-6.el7
> python2-mock.noarch 0:1.0.1-9.el7
> python2-pyrfc3339.noarch 0:1.0-2.el7
>
> Complete!
> [jjflynn22 at ipa-1 .ssh]$
> [jjflynn22 at ipa-1 .ssh]$
> [jjflynn22 at ipa-1 .ssh]$ sudo cp -r /etc/httpd/alias
> /etc/httpd/alias_backup
> [jjflynn22 at ipa-1 .ssh]$ cd ~
> [jjflynn22 at ipa-1 ~]$ git clone
> https://github.com/freeipa/freeipa-letsencrypt.git
> Cloning into 'freeipa-letsencrypt'...
> remote: Counting objects: 45, done.
> remote: Compressing objects: 100% (4/4), done.
> remote: Total 45 (delta 0), reused 0 (delta 0), pack-reused 41
> Unpacking objects: 100% (45/45), done.
> [jjflynn22 at ipa-1 ~]$ sudo cp -r freeipa-letsencrypt /root/ipa-le
> [jjflynn22 at ipa-1 ~]$ sudo vi /root/ipa-le/renew-le.sh
> [jjflynn22 at ipa-1 ~]$ sudo yum install -y dnf
> Loaded plugins: fastestmirror, langpacks
> Loading mirror speeds from cached hostfile
> * base: repo1.ash.innoscale.net
> * epel: mirror.cogentco.com
> * extras: mirrors.advancedhosters.com
> * updates: mirror.cs.vt.edu
> Resolving Dependencies
> --> Running transaction check
> ---> Package dnf.noarch 0:0.6.4-2.el7 will be installed
> --> Processing Dependency: python-dnf = 0.6.4-2.el7 for package:
> dnf-0.6.4-2.el7.noarch
> --> Running transaction check
> ---> Package python-dnf.noarch 0:0.6.4-2.el7 will be installed
> --> Processing Dependency: dnf-conf = 0.6.4-2.el7 for package:
> python-dnf-0.6.4-2.el7.noarch
> --> Processing Dependency: python-librepo >= 1.7.5 for package:
> python-dnf-0.6.4-2.el7.noarch
> --> Processing Dependency: python-libcomps >= 0.1.6 for package:
> python-dnf-0.6.4-2.el7.noarch
> --> Processing Dependency: python-hawkey >= 0.5.3 for package:
> python-dnf-0.6.4-2.el7.noarch
> --> Running transaction check
> ---> Package dnf-conf.noarch 0:0.6.4-2.el7 will be installed
> ---> Package python-hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 will be
> installed
> --> Processing Dependency: hawkey(x86-64) = 0.5.8-2.git.0.202b194.el7 for
> package: python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> --> Processing Dependency: libsolv.so.0(SOLV_1.0)(64bit) for package:
> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> --> Processing Dependency: libsolv.so.0()(64bit) for package:
> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> --> Processing Dependency: libhawkey.so.2()(64bit) for package:
> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> ---> Package python-libcomps.x86_64 0:0.1.6-13.el7 will be installed
> --> Processing Dependency: libcomps(x86-64) = 0.1.6-13.el7 for package:
> python-libcomps-0.1.6-13.el7.x86_64
> --> Processing Dependency: libcomps.so.0.1.6()(64bit) for package:
> python-libcomps-0.1.6-13.el7.x86_64
> ---> Package python-librepo.x86_64 0:1.7.16-1.el7 will be installed
> --> Processing Dependency: librepo(x86-64) = 1.7.16-1.el7 for package:
> python-librepo-1.7.16-1.el7.x86_64
> --> Processing Dependency: librepo.so.0()(64bit) for package:
> python-librepo-1.7.16-1.el7.x86_64
> --> Running transaction check
> ---> Package hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 will be installed
> ---> Package libcomps.x86_64 0:0.1.6-13.el7 will be installed
> ---> Package librepo.x86_64 0:1.7.16-1.el7 will be installed
> ---> Package libsolv.x86_64 0:0.6.11-1.el7 will be installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
>
> =============================================================================================================================
> Package Arch
> Version Repository Size
>
> =============================================================================================================================
> Installing:
> dnf noarch
> 0.6.4-2.el7 epel 209 k
> Installing for dependencies:
> dnf-conf noarch
> 0.6.4-2.el7 epel 61 k
> hawkey x86_64
> 0.5.8-2.git.0.202b194.el7 base 87 k
> libcomps x86_64
> 0.1.6-13.el7 epel 72 k
> librepo x86_64
> 1.7.16-1.el7 base 77 k
> libsolv x86_64
> 0.6.11-1.el7 base 316 k
> python-dnf noarch
> 0.6.4-2.el7 epel 407 k
> python-hawkey x86_64
> 0.5.8-2.git.0.202b194.el7 base 71 k
> python-libcomps x86_64
> 0.1.6-13.el7 epel 44 k
> python-librepo x86_64
> 1.7.16-1.el7 base 49 k
>
> Transaction Summary
>
> =============================================================================================================================
> Install 1 Package (+9 Dependent packages)
>
> Total download size: 1.4 M
> Installed size: 4.1 M
> Downloading packages:
> (1/10):
> hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm
> | 87 kB 00:00:00
> (2/10):
> dnf-conf-0.6.4-2.el7.noarch.rpm
> | 61 kB 00:00:00
> (3/10):
> dnf-0.6.4-2.el7.noarch.rpm
> | 209 kB 00:00:00
> (4/10):
> librepo-1.7.16-1.el7.x86_64.rpm
> | 77 kB 00:00:00
> (5/10):
> libcomps-0.1.6-13.el7.x86_64.rpm
> | 72 kB 00:00:00
> (6/10):
> python-librepo-1.7.16-1.el7.x86_64.rpm
> | 49 kB 00:00:00
> (7/10):
> python-libcomps-0.1.6-13.el7.x86_64.rpm
> | 44 kB 00:00:00
> (8/10):
> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm
> | 71 kB 00:00:00
> (9/10):
> python-dnf-0.6.4-2.el7.noarch.rpm
> | 407 kB 00:00:00
> (10/10):
> libsolv-0.6.11-1.el7.x86_64.rpm
> | 316 kB 00:00:00
>
> -----------------------------------------------------------------------------------------------------------------------------
> Total
> 1.4 MB/s | 1.4 MB 00:00:01
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
> Installing :
> libsolv-0.6.11-1.el7.x86_64
> 1/10
> Installing :
> hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> 2/10
> Installing :
> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> 3/10
> Installing :
> dnf-conf-0.6.4-2.el7.noarch
> 4/10
> Installing :
> libcomps-0.1.6-13.el7.x86_64
> 5/10
> Installing :
> python-libcomps-0.1.6-13.el7.x86_64
> 6/10
> Installing :
> librepo-1.7.16-1.el7.x86_64
> 7/10
> Installing :
> python-librepo-1.7.16-1.el7.x86_64
> 8/10
> Installing :
> python-dnf-0.6.4-2.el7.noarch
> 9/10
> Installing :
> dnf-0.6.4-2.el7.noarch
> 10/10
> Verifying :
> librepo-1.7.16-1.el7.x86_64
> 1/10
> Verifying :
> python-libcomps-0.1.6-13.el7.x86_64
> 2/10
> Verifying :
> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> 3/10
> Verifying :
> python-librepo-1.7.16-1.el7.x86_64
> 4/10
> Verifying :
> python-dnf-0.6.4-2.el7.noarch
> 5/10
> Verifying :
> libcomps-0.1.6-13.el7.x86_64
> 6/10
> Verifying :
> hawkey-0.5.8-2.git.0.202b194.el7.x86_64
> 7/10
> Verifying :
> dnf-conf-0.6.4-2.el7.noarch
> 8/10
> Verifying :
> dnf-0.6.4-2.el7.noarch
> 9/10
> Verifying :
> libsolv-0.6.11-1.el7.x86_64
> 10/10
>
> Installed:
> dnf.noarch
> 0:0.6.4-2.el7
>
>
> Dependency Installed:
> dnf-conf.noarch 0:0.6.4-2.el7
> hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7
> libcomps.x86_64 0:0.1.6-13.el7
> librepo.x86_64 0:1.7.16-1.el7
> libsolv.x86_64 0:0.6.11-1.el7
> python-dnf.noarch 0:0.6.4-2.el7
> python-hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7
> python-libcomps.x86_64 0:0.1.6-13.el7
> python-librepo.x86_64 0:1.7.16-1.el7
>
> Complete!
> [jjflynn22 at ipa-1 ~]$ sudo yum remove -y epel-release
> Loaded plugins: fastestmirror, langpacks
> Resolving Dependencies
> --> Running transaction check
> ---> Package epel-release.noarch 0:7-6 will be erased
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
>
> =============================================================================================================================
> Package Arch
> Version Repository Size
>
> =============================================================================================================================
> Removing:
> epel-release noarch
> 7-6 @extras 24 k
>
> Transaction Summary
>
> =============================================================================================================================
> Remove 1 Package
>
> Installed size: 24 k
> Downloading packages:
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
> Erasing : epel-release-7-6.noarch 1/1
> Verifying : epel-release-7-6.noarch 1/1
>
> Removed:
> epel-release.noarch 0:7-6
>
>
> Complete!
> [jjflynn22@ipa-1 ~]$ sudo dnf repolist
> CentOS-7 - Base 8.4 MB/s | 8.8 MB 00:01
> CentOS-7 - Updates 4.5 MB/s | 12 MB 00:02
> CentOS-7 - Extras 1.9 MB/s | 569 kB 00:00
> Using metadata from Sun Dec 4 18:06:04 2016
> repo id    repo name           status
> base       CentOS-7 - Base     9,007
> extras     CentOS-7 - Extras   393
> updates    CentOS-7 - Updates  2,560
> [jjflynn22@ipa-1 ~]$ sudo /root/ipa-le/setup-le.sh
> Using metadata from Sun Dec 4 18:06:04 2016
> Package certbot-0.9.3-1.el7.noarch is already installed, skipping.
> Dependencies resolved.
> Nothing to do.
> Directory Manager password:
>
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: importing all plugin modules in ipalib.plugins...
> ipa: DEBUG: importing plugin module ipalib.plugins.aci
> ipa: DEBUG: importing plugin module ipalib.plugins.automember
> ipa: DEBUG: importing plugin module ipalib.plugins.automount
> ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
> ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
> ipa: DEBUG: importing plugin module ipalib.plugins.batch
> ipa: DEBUG: importing plugin module ipalib.plugins.caacl
> ipa: DEBUG: importing plugin module ipalib.plugins.cert
> ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
> ipa: DEBUG: importing plugin module ipalib.plugins.config
> ipa: DEBUG: importing plugin module ipalib.plugins.delegation
> ipa: DEBUG: importing plugin module ipalib.plugins.dns
> ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
> ipa: DEBUG: importing plugin module ipalib.plugins.group
> ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
> ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
> ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
> ipa: DEBUG: importing plugin module ipalib.plugins.host
> ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.idrange
> ipa: DEBUG: importing plugin module ipalib.plugins.idviews
> ipa: DEBUG: importing plugin module ipalib.plugins.internal
> ipa: DEBUG: importing plugin module ipalib.plugins.kerberos
> ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
> ipa: DEBUG: importing plugin module ipalib.plugins.migration
> ipa: DEBUG: importing plugin module ipalib.plugins.misc
> ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
> ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
> ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
> ipa: DEBUG: importing plugin module ipalib.plugins.passwd
> ipa: DEBUG: importing plugin module ipalib.plugins.permission
> ipa: DEBUG: importing plugin module ipalib.plugins.ping
> ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
> ipa: DEBUG: importing plugin module ipalib.plugins.privilege
> ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='klist' '-V'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
> ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
> ipa: DEBUG: importing plugin module ipalib.plugins.role
> ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
> ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
> ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
> ipa: DEBUG: importing plugin module ipalib.plugins.server
> ipa: DEBUG: importing plugin module ipalib.plugins.service
> ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
> ipa: DEBUG: importing plugin module ipalib.plugins.session
> ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
> ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
> ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
> ipa: DEBUG: importing plugin module ipalib.plugins.topology
> ipa: DEBUG: importing plugin module ipalib.plugins.trust
> ipa: DEBUG: importing plugin module ipalib.plugins.user
> ipa: DEBUG: importing plugin module ipalib.plugins.vault
> ipa: DEBUG: importing plugin module ipalib.plugins.virtual
> ipa: DEBUG: Initializing principal host/ipa-1.kkgpitt.org@KKGPITT.ORG
> using keytab /etc/krb5.keytab
> ipa: DEBUG: using ccache /tmp/tmp-zgrScg/ccache
> ipa: DEBUG: Attempt 1/1: success
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/
> ipa-1.kkgpitt.org@KKGPITT.ORG'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=134111920
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'pipe' '134111920'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=
> ipa-1.kkgpitt.org; Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13 GMT;
> Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: found session_cookie in
> persistent storage for principal 'host/ipa-1.kkgpitt.org@KKGPITT.ORG',
> cookie: 'ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=
> ipa-1.kkgpitt.org; Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13 GMT;
> Secure; HttpOnly'
> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: setting session_cookie into
> context 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;'
> ipa.ipalib.plugins.rpcclient.rpcclient: INFO: trying
> https://ipa-1.kkgpitt.org/ipa/session/json
> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Created connection
> context.rpcclient_71021840
> ipa.ipalib.plugins.rpcclient.rpcclient: INFO: Forwarding 'ca_is_enabled'
> to json server 'https://ipa-1.kkgpitt.org/ipa/session/json'
> ipa: DEBUG: NSSConnection init ipa-1.kkgpitt.org
> ipa: DEBUG: Connecting: 192.168.1.201:0
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=ipa-1.kkgpitt.org,O=KKGPITT.ORG"
> ipa: DEBUG: handshake complete, peer = 192.168.1.201:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> ipa: DEBUG: received Set-Cookie
> 'ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=ipa-1.kkgpitt.org;
> Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28 GMT; Secure; HttpOnly'
> ipa: DEBUG: storing cookie 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;
> Domain=ipa-1.kkgpitt.org; Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28
> GMT; Secure; HttpOnly' for principal host/ipa-1.kkgpitt.org@KKGPITT.ORG
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/
> ipa-1.kkgpitt.org@KKGPITT.ORG'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=134111920
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/
> ipa-1.kkgpitt.org@KKGPITT.ORG'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=134111920
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'pupdate' '134111920'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection
> context.rpcclient_71021840
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldap://
> ipa-1.kkgpitt.org:389 from SchemaCache
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
> SchemaCache url=ldap://ipa-1.kkgpitt.org:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x42a2fc8>
> ipa: DEBUG: Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-KKGPITT-ORG'
> '-A' '-n' 'KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-KKGPITT-ORG'
> '-A' '-n' 'DSTRootCAX3' '-t' 'C,,'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv@KKGPITT-ORG.service'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/bin/systemctl' '--system' 'daemon-reload'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/bin/systemctl' 'restart' 'dirsrv@KKGPITT-ORG.service'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv@KKGPITT-ORG.service'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 300
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n' '
> KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n'
> 'DSTRootCAX3' '-t' 'C,,'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/bin/systemctl' 'restart' 'httpd.service'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: resubmitting certmonger
> request '20161204225818'
> ipa: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR',
> variant_level=1)
> ipa: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT',
> variant_level=1)
> ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT',
> variant_level=1)
> ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT',
> variant_level=1)
> ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT',
> variant_level=1)
> ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING',
> variant_level=1)
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: modifying certmonger
> request '20161204225818'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> Certificate Nickname Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> KKGPITT.ORG IPA CA CT,C,C
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' '
> KKGPITT.ORG IPA CA' '-a'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=-----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-D' '-n' '
> KKGPITT.ORG IPA CA'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' '
> KKGPITT.ORG IPA CA' '-a'
> ipa: DEBUG: Process finished, return code=255
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=certutil: Could not find cert: KKGPITT.ORG IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n' 'IPA
> CA' '-a'
> ipa: DEBUG: Process finished, return code=255
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n'
> 'External CA cert' '-a'
> ipa: DEBUG: Process finished, return code=255
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' '
> KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n'
> 'DSTRootCAX3' '-t' 'C,,'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' '
> KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n'
> 'DSTRootCAX3' '-t' 'C,,'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/update-ca-trust'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: INFO: Systemwide CA database updated.
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/update-ca-trust'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: INFO: Systemwide CA database updated.
> ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command
> was successful
> Directory Manager password:
>
> Installing CA certificate, please wait
> Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate
> issuer is not recognized. (visit
> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> [jjflynn22@ipa-1 ~]$
>
>
>