[Freeipa-users] Let's Encrypt along with FreeIPA
Tomas Krizek
tkrizek at redhat.com
Mon Dec 5 17:06:32 UTC 2016
On 12/05/2016 05:58 PM, Joseph Flynn wrote:
> Thank you Tomas, those two do seem to be the same. I will try a fresh
> VM (is there a particular distribution that you've had the best luck
> with?) and try again.
I've tested the procedure on Fedora 24.
>
> sudo openssl x509 -text -in /root/ipa-le/ca/DSTRootCAX3.pem | grep 'Subject:'
> sudo openssl x509 -text -in /root/ipa-le/ca/LetsEncryptAuthorityX3.pem | grep 'Issuer:'
> Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
> Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
>
>
> [jjflynn22 at ipa-1 ~]$ sudo certutil -d /etc/httpd/alias/ -L
>
> Certificate Nickname                        Trust Attributes
>                                             SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                u,u,u
> DSTRootCAX3                                 C,,
> ipaCert                                     u,u,u
> Server-Cert                                 u,u,u
> KKGPITT.ORG IPA CA                          CT,C,C
>
>
> On Mon, Dec 5, 2016 at 11:51 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
>
> Please keep freeipa-users at redhat.com in CC.
>
> On 12/05/2016 05:23 PM, Joseph Flynn wrote:
>> By the way Tomas, can you recommend a good read to better
>> understand how all of these certs play together in an
>> architecture like this? I'm quite confident in Linux usage as an
>> admin but must admit this is not quite clear to me.
> The chain of trust on the Let's Encrypt side is explained in
> https://letsencrypt.org/certificates/
> On the FreeIPA side, there are some articles on our wiki page
> related to Public Key Infrastructure, for example
> http://www.freeipa.org/page/PKI
>>
>> On Mon, Dec 5, 2016 at 11:19 AM, Joseph Flynn
>> <jjflynn22 at gmail.com> wrote:
>>
>> Thank you for responding Tom.
>>
>> I created the CentOS 7 VM earlier in the week and did its
>> updates and set the hostnames, etc., and took a snapshot. I
>> also tried on Ubuntu first but that had too many install hiccups.
>>
>> From that snapshot I have tried several times with the same
>> results as recently as yesterday.
>>
>> Here is the output of your suggestion:
>>
>> [jjflynn22 at ipa-1 ~]$ sudo certutil -d /etc/httpd/alias/ -L
>> [sudo] password for jjflynn22:
>>
>> Certificate Nickname                        Trust Attributes
>>                                             SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                u,u,u
>> DSTRootCAX3                                 C,,
>> ipaCert                                     u,u,u
>> Server-Cert                                 u,u,u
>> KKGPITT.ORG IPA CA                          CT,C,C
>>
> This seems correct; however, this information can be misleading if
> DSTRootCAX3 was installed in FreeIPA before.
>
> The last thing I can think of is to verify that the Subject Field
> of DSTRootCAX3 is in fact the same as the Issuer Field in the
> LetsEncryptAuthorityX3 certificate. I've checked the ones that are
> used in the git repo and they are correct, so I can't see how this
> could be the issue, but just to verify:
>
> openssl x509 -text -in /root/ipa-le/ca/DSTRootCAX3.pem | grep 'Subject:'
> openssl x509 -text -in /root/ipa-le/ca/LetsEncryptAuthorityX3.pem | grep 'Issuer:'
>
> If that doesn't reveal any difference, I'd suggest attempting to
> reproduce the issue with a clean environment (new VM) and if you
> still encounter the same problem, please open an issue and provide
> as much information as possible, including software versions.
> https://github.com/freeipa/freeipa-letsencrypt/issues
>>
>>
>>
>> Joe
>>
>>
>>
>> On Mon, Dec 5, 2016 at 10:35 AM, Tomas Krizek
>> <tkrizek at redhat.com> wrote:
>>
>>
>>
>> On 12/05/2016 12:25 AM, Joseph Flynn wrote:
>>> Sorry if this is not the appropriate forum for
>>> discussing this topic.
>>>
>>> I have installed a FreeIPA system on CentOS 7 and am
>>> trying to get the Let's Encrypt scripts to work as
>>> defined in
>>> https://github.com/freeipa/freeipa-letsencrypt
>>>
>>> I had to tinker with a combination of
>>> enabling/disabling EPEL and this new tool DNF that I am
>>> not too familiar with but eventually got the script to run.
>>>
>>> It is ending with the following error:
>>>
>>> ipa: INFO: Systemwide CA database updated.
>>> ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The
>>> ipa-certupdate command was successful
>>> Directory Manager password:
>>>
>>> Installing CA certificate, please wait
>>> Not a valid CA certificate:
>>> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer
>>> is not recognized. (visit
>>> http://www.freeipa.org/page/Troubleshooting for
>>> troubleshooting guide)
>>>
>>>
>>> Does anyone recognize this situation?
>>>
>>> I have installed this on a VirtualBox client in Bridge
>>> Network mode. Prior to trying to use a real
>>> certificate, I could access the FreeIPA UI from Firefox
>>> on both the VM and other computers in the home. I've
>>> gotten a domain name and have that domain name pointed
>>> to my home router with a handful of ports (those listed
>>> at the end of the FreeIPA install) forwarded to my VM.
>>>
>>> For completeness, I have included the history below
>>> along with the full output including a couple of
>>> highlighted areas that could be errors.
>>>
>>> Thanks for any assistance from anyone who might notice
>>> an error in my ways.
>>> Joe
>>>
>>>
>>> History:
>>> 1 ifconfig -a
>>> 2 sudo yum -y update
>>> 3 cat /etc/hostname
>>> 4 sudo echo 192.168.1.201 ipa-1.kkgpitt.org ipa-1 >> /etc/hosts
>>> 5 sudo vi /etc/hosts
>>> 7 sudo reboot now
>>> 8 hostname
>>> 9 ifconfig -a
>>> 11 sudo visudo
>>> 12 sudo ls # just to set pw
>>> 13 sudo yum install epel-release -y
>>> 14 sudo yum install -y haveged
>>> 15 sudo systemctl start haveged.service
>>> 16 sudo ipa-server-install
>>> 17 kinit admin
>>> 18 firewall-cmd --permanent --add-service=ntp
>>> 19 firewall-cmd --permanent --add-service=http
>>> 20 firewall-cmd --permanent --add-service=https
>>> 21 firewall-cmd --permanent --add-service=ldap
>>> 22 firewall-cmd --permanent --add-service=ldaps
>>> 23 firewall-cmd --permanent --add-service=kerberos
>>> 24 firewall-cmd --permanent --add-service=kpasswd
>>> 26 sudo authconfig --enablemkhomedir --update
>>> 27 sudo chkconfig sssd on
>>> 28 git config --global user.name "Joe Flynn"
>>> 29 git config --global user.email "jjflynn22 at gmail.com"
>>> 30 mkdir ~/.ssh
>>> 31 cd ~/.ssh
>>> 32 vi id_rsa
>>> 33 vi id_rsa.pub
>>> 34 chmod 700 ~/.ssh
>>> 35 chmod 600 ~/.ssh/*
>>> 36 ssh-add ~/.ssh/id_rsa
>>> 37 sudo yum install -y letsencrypt
>>> 38 sudo cp -r /etc/httpd/alias /etc/httpd/alias_backup
>>> 39 cd ~
>>> 40 git clone https://github.com/freeipa/freeipa-letsencrypt.git
>>> 41 sudo cp -r freeipa-letsencrypt /root/ipa-le
>>> 42 sudo vi /root/ipa-le/renew-le.sh
>>> 43 sudo yum install -y dnf
>>> 44 sudo yum remove -y epel-release
>>> 45 sudo dnf repolist
>>> 46 sudo /root/ipa-le/setup-le.sh
>>> 47 history
>>>
>>>
>>>
>>> [jjflynn22 at ipa-1 ~]$ sudo visudo
>>> [sudo] password for jjflynn22:
>>> [jjflynn22 at ipa-1 ~]$ sudo yum install epel-release -y
>>> Loaded plugins: fastestmirror, langpacks
>>> base | 3.6 kB 00:00:00
>>> extras | 3.4 kB 00:00:00
>>> updates | 3.4 kB 00:00:00
>>> Loading mirror speeds from cached hostfile
>>> * base: repo1.ash.innoscale.net
>>> * extras: mirrors.advancedhosters.com
>>> * updates: mirror.cs.vt.edu
>>> Resolving Dependencies
>>> --> Running transaction check
>>> ---> Package epel-release.noarch 0:7-6 will be installed
>>> --> Finished Dependency Resolution
>>>
>>> Dependencies Resolved
>>>
>>> =============================================================================================================================
>>> Package Arch Version Repository Size
>>> =============================================================================================================================
>>> Installing:
>>> epel-release noarch 7-6 extras 14 k
>>>
>>> Transaction Summary
>>> =============================================================================================================================
>>> Install 1 Package
>>>
>>> Total download size: 14 k
>>> Installed size: 24 k
>>> Downloading packages:
>>> epel-release-7-6.noarch.rpm | 14 kB 00:00:00
>>> Running transaction check
>>> Running transaction test
>>> Transaction test succeeded
>>> Running transaction
>>> Installing : epel-release-7-6.noarch 1/1
>>> Verifying : epel-release-7-6.noarch 1/1
>>>
>>> Installed:
>>> epel-release.noarch 0:7-6
>>>
>>> Complete!
>>> [jjflynn22 at ipa-1 ~]$ sudo yum install -y haveged
>>> Loaded plugins: fastestmirror, langpacks
>>> epel/x86_64/metalink | 13 kB 00:00:00
>>> epel | 4.3 kB 00:00:00
>>> (1/3): epel/x86_64/updateinfo | 676 kB 00:00:00
>>> (2/3): epel/x86_64/group_gz | 170 kB 00:00:00
>>> (3/3): epel/x86_64/primary_db | 4.4 MB 00:00:01
>>> Loading mirror speeds from cached hostfile
>>> * base: repo1.ash.innoscale.net
>>> * epel: ftp.osuosl.org
>>> * extras: mirror.fusioncloud.co
>>> * updates: ftp.osuosl.org
>>> Resolving Dependencies
>>> --> Running transaction check
>>> ---> Package haveged.x86_64 0:1.9.1-1.el7 will be
>>> installed
>>> --> Finished Dependency Resolution
>>>
>>> Dependencies Resolved
>>>
>>> =============================================================================================================================
>>> Package        Arch      Version         Repository   Size
>>> =============================================================================================================================
>>> Installing:
>>> haveged        x86_64    1.9.1-1.el7     epel         61 k
>>>
>>> Transaction Summary
>>> =============================================================================================================================
>>> Install 1 Package
>>>
>>> Total download size: 61 k
>>> Installed size: 181 k
>>> Downloading packages:
>>> warning:
>>> /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm:
>>> Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
>>> Public key for haveged-1.9.1-1.el7.x86_64.rpm is not
>>> installed
>>> haveged-1.9.1-1.el7.x86_64.rpm | 61 kB 00:00:00
>>> Retrieving key from
>>> file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
>>> Importing GPG key 0x352C64E5:
>>> Userid : "Fedora EPEL (7) <epel at fedoraproject.org>"
>>> Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
>>> Package : epel-release-7-6.noarch (@extras)
>>> From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
>>> Running transaction check
>>> Running transaction test
>>> Transaction test succeeded
>>> Running transaction
>>> Installing : haveged-1.9.1-1.el7.x86_64 1/1
>>> Verifying : haveged-1.9.1-1.el7.x86_64 1/1
>>>
>>> Installed:
>>> haveged.x86_64 0:1.9.1-1.el7
>>>
>>> Complete!
>>> [jjflynn22 at ipa-1 ~]$ sudo systemctl start
>>> haveged.service
>>> [jjflynn22 at ipa-1 ~]$
>>> [jjflynn22 at ipa-1 ~]$
>>> [jjflynn22 at ipa-1 ~]$
>>> [jjflynn22 at ipa-1 ~]$
>>> [jjflynn22 at ipa-1 ~]$ sudo ipa-server-install
>>>
>>> The log file for this installation can be found in
>>> /var/log/ipaserver-install.log
>>> ==============================================================================
>>> This program will set up the IPA Server.
>>>
>>> This includes:
>>> * Configure a stand-alone CA (dogtag) for
>>> certificate management
>>> * Configure the Network Time Daemon (ntpd)
>>> * Create and configure an instance of Directory Server
>>> * Create and configure a Kerberos Key Distribution
>>> Center (KDC)
>>> * Configure Apache (httpd)
>>>
>>> To accept the default shown in brackets, press the
>>> Enter key.
>>>
>>> WARNING: conflicting time&date synchronization
>>> service 'chronyd' will be disabled
>>> in favor of ntpd
>>>
>>> Do you want to configure integrated DNS (BIND)? [no]:
>>>
>>> Enter the fully qualified domain name of the computer
>>> on which you're setting up server software. Using
>>> the form
>>> <hostname>.<domainname>
>>> Example: master.example.com.
>>>
>>>
>>> Server host name [ipa-1.kkgpitt.org]:
>>>
>>> The domain name has been determined based on the
>>> host name.
>>>
>>> Please confirm the domain name [kkgpitt.org]:
>>>
>>> The kerberos protocol requires a Realm name to be
>>> defined.
>>> This is typically the domain name converted to
>>> uppercase.
>>>
>>> Please provide a realm name [KKGPITT.ORG]:
>>> Certain directory server operations require an
>>> administrative user.
>>> This user is referred to as the Directory Manager
>>> and has full access
>>> to the Directory for system management tasks and
>>> will be added to the
>>> instance of directory server created for IPA.
>>> The password must be at least 8 characters long.
>>>
>>> Directory Manager password:
>>> Password (confirm):
>>>
>>> The IPA server requires an administrative user,
>>> named 'admin'.
>>> This user is a regular system account used for IPA
>>> server administration.
>>>
>>> IPA admin password:
>>> Password (confirm):
>>>
>>>
>>> The IPA Master Server will be configured with:
>>> Hostname: ipa-1.kkgpitt.org
>>> IP address(es): 192.168.1.201
>>> Domain name: kkgpitt.org
>>> Realm name: KKGPITT.ORG
>>>
>>> Continue to configure the system with these values?
>>> [no]: yes
>>>
>>> The following operations may take some minutes to
>>> complete.
>>> Please wait until the prompt is returned.
>>>
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated
>>> time: 1 minute
>>> [1/42]: creating directory server user
>>> [2/42]: creating directory server instance
>>> [3/42]: adding default schema
>>> [4/42]: enabling memberof plugin
>>> [5/42]: enabling winsync plugin
>>> [6/42]: configuring replication version plugin
>>> [7/42]: enabling IPA enrollment plugin
>>> [8/42]: enabling ldapi
>>> [9/42]: configuring uniqueness plugin
>>> [10/42]: configuring uuid plugin
>>> [11/42]: configuring modrdn plugin
>>> [12/42]: configuring DNS plugin
>>> [13/42]: enabling entryUSN plugin
>>> [14/42]: configuring lockout plugin
>>> [15/42]: creating indices
>>> [16/42]: enabling referential integrity plugin
>>> [17/42]: configuring certmap.conf
>>> [18/42]: configure autobind for root
>>> [19/42]: configure new location for managed entries
>>> [20/42]: configure dirsrv ccache
>>> [21/42]: enable SASL mapping fallback
>>> [22/42]: restarting directory server
>>> [23/42]: adding default layout
>>> [24/42]: adding delegation layout
>>> [25/42]: creating container for managed entries
>>> [26/42]: configuring user private groups
>>> [27/42]: configuring netgroups from hostgroups
>>> [28/42]: creating default Sudo bind user
>>> [29/42]: creating default Auto Member layout
>>> [30/42]: adding range check plugin
>>> [31/42]: creating default HBAC rule allow_all
>>> [32/42]: adding entries for topology management
>>> [33/42]: initializing group membership
>>> [34/42]: adding master entry
>>> [35/42]: initializing domain level
>>> [36/42]: configuring Posix uid/gid generation
>>> [37/42]: adding replication acis
>>> [38/42]: enabling compatibility plugin
>>> [39/42]: activating sidgen plugin
>>> [40/42]: activating extdom plugin
>>> [41/42]: tuning directory server
>>> [42/42]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd).
>>> Estimated time: 3 minutes 30 seconds
>>> [1/28]: creating certificate server user
>>> [2/28]: configuring certificate server instance
>>> [3/28]: stopping certificate server instance to
>>> update CS.cfg
>>> [4/28]: backing up CS.cfg
>>> [5/28]: disabling nonces
>>> [6/28]: set up CRL publishing
>>> [7/28]: enable PKIX certificate path discovery and
>>> validation
>>> [8/28]: starting certificate server instance
>>> [9/28]: creating RA agent certificate database
>>> [10/28]: importing CA chain to RA certificate database
>>> [11/28]: fixing RA database permissions
>>> [12/28]: setting up signing cert profile
>>> [13/28]: setting audit signing renewal to 2 years
>>> [14/28]: restarting certificate server
>>> [15/28]: requesting RA certificate from CA
>>> [16/28]: issuing RA agent certificate
>>> [17/28]: adding RA agent as a trusted user
>>> [18/28]: authorizing RA to modify profiles
>>> [19/28]: configure certmonger for renewals
>>> [20/28]: configure certificate renewals
>>> [21/28]: configure RA certificate renewal
>>> [22/28]: configure Server-Cert certificate renewal
>>> [23/28]: Configure HTTP to proxy connections
>>> [24/28]: restarting certificate server
>>> [25/28]: migrating certificate profiles to LDAP
>>> [26/28]: importing IPA certificate profiles
>>> [27/28]: adding default CA ACL
>>> [28/28]: updating IPA configuration
>>> Done configuring certificate server (pki-tomcatd).
>>> Configuring directory server (dirsrv). Estimated
>>> time: 10 seconds
>>> [1/3]: configuring ssl for ds instance
>>> [2/3]: restarting directory server
>>> [3/3]: adding CA certificate entry
>>> Done configuring directory server (dirsrv).
>>> Configuring Kerberos KDC (krb5kdc). Estimated time:
>>> 30 seconds
>>> [1/10]: adding sasl mappings to the directory
>>> [2/10]: adding kerberos container to the directory
>>> [3/10]: configuring KDC
>>> [4/10]: initialize kerberos container
>>> [5/10]: adding default ACIs
>>> [6/10]: creating a keytab for the directory
>>> [7/10]: creating a keytab for the machine
>>> [8/10]: adding the password extension to the directory
>>> [9/10]: starting the KDC
>>> [10/10]: configuring KDC to start on boot
>>> Done configuring Kerberos KDC (krb5kdc).
>>> Configuring kadmin
>>> [1/2]: starting kadmin
>>> [2/2]: configuring kadmin to start on boot
>>> Done configuring kadmin.
>>> Configuring ipa_memcached
>>> [1/2]: starting ipa_memcached
>>> [2/2]: configuring ipa_memcached to start on boot
>>> Done configuring ipa_memcached.
>>> Configuring ipa-otpd
>>> [1/2]: starting ipa-otpd
>>> [2/2]: configuring ipa-otpd to start on boot
>>> Done configuring ipa-otpd.
>>> Configuring the web interface (httpd). Estimated
>>> time: 1 minute
>>> [1/19]: setting mod_nss port to 443
>>> [2/19]: setting mod_nss protocol list to TLSv1.0 -
>>> TLSv1.2
>>> [3/19]: setting mod_nss password file
>>> [4/19]: enabling mod_nss renegotiate
>>> [5/19]: adding URL rewriting rules
>>> [6/19]: configuring httpd
>>> [7/19]: configure certmonger for renewals
>>> [8/19]: setting up ssl
>>> [9/19]: importing CA certificates from LDAP
>>> [10/19]: setting up browser autoconfig
>>> [11/19]: publish CA cert
>>> [12/19]: creating a keytab for httpd
>>> [13/19]: clean up any existing httpd ccache
>>> [14/19]: configuring SELinux for httpd
>>> [15/19]: create KDC proxy user
>>> [16/19]: create KDC proxy config
>>> [17/19]: enable KDC proxy
>>> [18/19]: restarting httpd
>>> [19/19]: configuring httpd to start on boot
>>> Done configuring the web interface (httpd).
>>> Applying LDAP updates
>>> Upgrading IPA:
>>> [1/9]: stopping directory server
>>> [2/9]: saving configuration
>>> [3/9]: disabling listeners
>>> [4/9]: enabling DS global lock
>>> [5/9]: starting directory server
>>> [6/9]: upgrading server
>>> [7/9]: stopping directory server
>>> [8/9]: restoring configuration
>>> [9/9]: starting directory server
>>> Done.
>>> Restarting the directory server
>>> Restarting the KDC
>>> Sample zone file for bind has been created in
>>> /tmp/sample.zone.Yjwpca.db
>>> Restarting the web server
>>> ==============================================================================
>>> Setup complete
>>>
>>> Next steps:
>>> 1. You must make sure these network ports are open:
>>> TCP Ports:
>>> * 80, 443: HTTP/HTTPS
>>> * 389, 636: LDAP/LDAPS
>>> * 88, 464: kerberos
>>> UDP Ports:
>>> * 88, 464: kerberos
>>> * 123: ntp
>>>
>>> 2. You can now obtain a kerberos ticket using
>>> the command: 'kinit admin'
>>> This ticket will allow you to use the IPA
>>> tools (e.g., ipa user-add)
>>> and the web user interface.
>>>
>>> Be sure to back up the CA certificates stored in
>>> /root/cacert.p12
>>> These files are required to create replicas. The
>>> password for these
>>> files is the Directory Manager password
>>> [jjflynn22 at ipa-1 ~]$ kinit admin
>>> Password for admin at KKGPITT.ORG:
>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent
>>> --add-service=ntp
>>> success
>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent
>>> --add-service=http
>>> success
>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent
>>> --add-service=https
>>> success
>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent
>>> --add-service=ldap
>>> success
>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent
>>> --add-service=ldaps
>>> success
>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent
>>> --add-service=kerberos
>>> success
>>> [jjflynn22 at ipa-1 ~]$ firewall-cmd --permanent
>>> --add-service=kpasswd
>>> success
>>> [jjflynn22 at ipa-1 ~]$ sudo authconfig
>>> --enablemkhomedir --update
>>> [jjflynn22 at ipa-1 ~]$ sudo chkconfig sssd on
>>> Note: Forwarding request to 'systemctl enable
>>> sssd.service'.
>>> [jjflynn22 at ipa-1 ~]$ git config --global user.name "Joe Flynn"
>>> [jjflynn22 at ipa-1 ~]$ git config --global user.email "jjflynn22 at gmail.com"
>>> [jjflynn22 at ipa-1 ~]$ mkdir ~/.ssh
>>> [jjflynn22 at ipa-1 ~]$ cd ~/.ssh
>>> [jjflynn22 at ipa-1 .ssh]$ vi id_rsa
>>> [jjflynn22 at ipa-1 .ssh]$ vi id_rsa.pub
>>> [jjflynn22 at ipa-1 .ssh]$ chmod 700 ~/.ssh
>>> [jjflynn22 at ipa-1 .ssh]$ chmod 600 ~/.ssh/*
>>> [jjflynn22 at ipa-1 .ssh]$ ssh-add ~/.ssh/id_rsa
>>> Identity added: /home/jjflynn22/.ssh/id_rsa
>>> (/home/jjflynn22/.ssh/id_rsa)
>>> [jjflynn22 at ipa-1 .ssh]$ sudo yum install -y letsencrypt
>>> Loaded plugins: fastestmirror, langpacks
>>> Loading mirror speeds from cached hostfile
>>> * base: repo1.ash.innoscale.net
>>> * epel: mirror.cogentco.com
>>> * extras: chicago.gaminghost.co
>>> * updates: mirror.cs.vt.edu
>>> Resolving Dependencies
>>> --> Running transaction check
>>> ---> Package certbot.noarch 0:0.9.3-1.el7 will be
>>> installed
>>> --> Processing Dependency: python2-certbot =
>>> 0.9.3-1.el7 for package: certbot-0.9.3-1.el7.noarch
>>> --> Running transaction check
>>> ---> Package python2-certbot.noarch 0:0.9.3-1.el7
>>> will be installed
>>> --> Processing Dependency: python2-acme = 0.9.3 for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python2-dialog >= 3.3.0 for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python2-configargparse >= 0.10.0 for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python-psutil >= 2.1.0 for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python-zope-interface for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python-zope-component for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python-parsedatetime for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python-mock for package: python2-certbot-0.9.3-1.el7.noarch
>>> --> Running transaction check
>>> ---> Package python-parsedatetime.noarch 0:1.5-3.el7
>>> will be installed
>>> ---> Package python-psutil.x86_64 0:2.2.1-1.el7 will
>>> be installed
>>> ---> Package python-zope-component.noarch
>>> 1:4.1.0-1.el7 will be installed
>>> --> Processing Dependency: python-zope-event for
>>> package: 1:python-zope-component-4.1.0-1.el7.noarch
>>> ---> Package python-zope-interface.x86_64
>>> 0:4.0.5-4.el7 will be installed
>>> ---> Package python2-acme.noarch 0:0.9.3-1.el7 will
>>> be installed
>>> --> Processing Dependency: python-pyrfc3339 for
>>> package: python2-acme-0.9.3-1.el7.noarch
>>> --> Processing Dependency: python-ndg_httpsclient
>>> for package: python2-acme-0.9.3-1.el7.noarch
>>> ---> Package python2-configargparse.noarch
>>> 0:0.10.0-1.el7 will be installed
>>> ---> Package python2-dialog.noarch 0:3.3.0-6.el7
>>> will be installed
>>> --> Processing Dependency: dialog for package:
>>> python2-dialog-3.3.0-6.el7.noarch
>>> ---> Package python2-mock.noarch 0:1.0.1-9.el7 will
>>> be installed
>>> --> Running transaction check
>>> ---> Package dialog.x86_64 0:1.2-4.20130523.el7 will
>>> be installed
>>> ---> Package python-ndg_httpsclient.noarch
>>> 0:0.3.2-1.el7 will be installed
>>> ---> Package python-zope-event.noarch 0:4.0.3-2.el7
>>> will be installed
>>> ---> Package python2-pyrfc3339.noarch 0:1.0-2.el7
>>> will be installed
>>> --> Finished Dependency Resolution
>>>
>>> Dependencies Resolved
>>>
>>> =============================================================================================================================
>>> Package                  Arch      Version               Repository   Size
>>> =============================================================================================================================
>>> Installing:
>>> certbot                  noarch    0.9.3-1.el7           epel         16 k
>>> Installing for dependencies:
>>> dialog                   x86_64    1.2-4.20130523.el7    base        208 k
>>> python-ndg_httpsclient   noarch    0.3.2-1.el7           epel         43 k
>>> python-parsedatetime     noarch    1.5-3.el7             epel         61 k
>>> python-psutil            x86_64    2.2.1-1.el7           epel        114 k
>>> python-zope-component    noarch    1:4.1.0-1.el7         epel        110 k
>>> python-zope-event        noarch    4.0.3-2.el7           epel         79 k
>>> python-zope-interface    x86_64    4.0.5-4.el7           base        138 k
>>> python2-acme             noarch    0.9.3-1.el7           epel        168 k
>>> python2-certbot          noarch    0.9.3-1.el7           epel        361 k
>>> python2-configargparse   noarch    0.10.0-1.el7          epel         28 k
>>> python2-dialog           noarch    3.3.0-6.el7           epel         94 k
>>> python2-mock             noarch    1.0.1-9.el7           epel         92 k
>>> python2-pyrfc3339        noarch    1.0-2.el7             epel         13 k
>>>
>>> Transaction Summary
>>> =============================================================================================================================
>>> Install 1 Package (+13 Dependent packages)
>>>
>>> Total download size: 1.5 M
>>> Installed size: 6.3 M
>>> Downloading packages:
>>> (1/14): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm | 43 kB 00:00:00
>>> (2/14): dialog-1.2-4.20130523.el7.x86_64.rpm | 208 kB 00:00:00
>>> (3/14): certbot-0.9.3-1.el7.noarch.rpm | 16 kB 00:00:00
>>> (4/14): python-parsedatetime-1.5-3.el7.noarch.rpm | 61 kB 00:00:00
>>> (5/14): python-psutil-2.2.1-1.el7.x86_64.rpm | 114 kB 00:00:00
>>> (6/14): python-zope-component-4.1.0-1.el7.noarch.rpm | 110 kB 00:00:00
>>> (7/14): python-zope-interface-4.0.5-4.el7.x86_64.rpm | 138 kB 00:00:00
>>> (8/14): python-zope-event-4.0.3-2.el7.noarch.rpm | 79 kB 00:00:00
>>> (9/14): python2-certbot-0.9.3-1.el7.noarch.rpm | 361 kB 00:00:00
>>> (10/14): python2-configargparse-0.10.0-1.el7.noarch.rpm | 28 kB 00:00:00
>>> (11/14): python2-acme-0.9.3-1.el7.noarch.rpm | 168 kB 00:00:00
>>> (12/14): python2-dialog-3.3.0-6.el7.noarch.rpm | 94 kB 00:00:00
>>> (13/14): python2-pyrfc3339-1.0-2.el7.noarch.rpm | 13 kB 00:00:00
>>> (14/14): python2-mock-1.0.1-9.el7.noarch.rpm | 92 kB 00:00:00
>>> -----------------------------------------------------------------------------------------------------------------------------
>>> Total 1.3 MB/s | 1.5 MB 00:00:01
>>> Running transaction check
>>> Running transaction test
>>> Transaction test succeeded
>>> Running transaction
>>> Installing : python-zope-interface-4.0.5-4.el7.x86_64 1/14
>>> Installing : python2-mock-1.0.1-9.el7.noarch 2/14
>>> Installing : python-parsedatetime-1.5-3.el7.noarch 3/14
>>> Installing : python-psutil-2.2.1-1.el7.x86_64 4/14
>>> Installing : python-zope-event-4.0.3-2.el7.noarch 5/14
>>> Installing : 1:python-zope-component-4.1.0-1.el7.noarch 6/14
>>> Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch 7/14
>>> Installing : python2-pyrfc3339-1.0-2.el7.noarch 8/14
>>> Installing : python2-acme-0.9.3-1.el7.noarch 9/14
>>> Installing : python2-configargparse-0.10.0-1.el7.noarch 10/14
>>> Installing : dialog-1.2-4.20130523.el7.x86_64 11/14
>>> Installing : python2-dialog-3.3.0-6.el7.noarch 12/14
>>> Installing : python2-certbot-0.9.3-1.el7.noarch 13/14
>>> Installing : certbot-0.9.3-1.el7.noarch 14/14
>>> Verifying : dialog-1.2-4.20130523.el7.x86_64 1/14
>>> Verifying : certbot-0.9.3-1.el7.noarch 2/14
>>> Verifying : python2-configargparse-0.10.0-1.el7.noarch 3/14
>>> Verifying : python2-pyrfc3339-1.0-2.el7.noarch 4/14
>>> Verifying : python-zope-interface-4.0.5-4.el7.x86_64 5/14
>>> Verifying : python-ndg_httpsclient-0.3.2-1.el7.noarch 6/14
>>> Verifying : python-zope-event-4.0.3-2.el7.noarch 7/14
>>> Verifying : python-psutil-2.2.1-1.el7.x86_64 8/14
>>> Verifying : python2-acme-0.9.3-1.el7.noarch 9/14
>>> Verifying : python2-dialog-3.3.0-6.el7.noarch 10/14
>>> Verifying : 1:python-zope-component-4.1.0-1.el7.noarch 11/14
>>> Verifying : python-parsedatetime-1.5-3.el7.noarch 12/14
>>> Verifying : python2-certbot-0.9.3-1.el7.noarch 13/14
>>> Verifying : python2-mock-1.0.1-9.el7.noarch 14/14
>>>
>>> Installed:
>>> certbot.noarch 0:0.9.3-1.el7
>>>
>>> Dependency Installed:
>>> dialog.x86_64 0:1.2-4.20130523.el7
>>> python-ndg_httpsclient.noarch 0:0.3.2-1.el7
>>> python-parsedatetime.noarch 0:1.5-3.el7
>>> python-psutil.x86_64 0:2.2.1-1.el7
>>> python-zope-component.noarch 1:4.1.0-1.el7
>>> python-zope-event.noarch 0:4.0.3-2.el7
>>> python-zope-interface.x86_64 0:4.0.5-4.el7
>>> python2-acme.noarch 0:0.9.3-1.el7
>>> python2-certbot.noarch 0:0.9.3-1.el7
>>> python2-configargparse.noarch 0:0.10.0-1.el7
>>> python2-dialog.noarch 0:3.3.0-6.el7
>>> python2-mock.noarch 0:1.0.1-9.el7
>>> python2-pyrfc3339.noarch 0:1.0-2.el7
>>>
>>> Complete!
>>> [jjflynn22 at ipa-1 .ssh]$
>>> [jjflynn22 at ipa-1 .ssh]$
>>> [jjflynn22 at ipa-1 .ssh]$ sudo cp -r /etc/httpd/alias
>>> /etc/httpd/alias_backup
>>> [jjflynn22 at ipa-1 .ssh]$ cd ~
>>> [jjflynn22 at ipa-1 ~]$ git clone https://github.com/freeipa/freeipa-letsencrypt.git
>>> Cloning into 'freeipa-letsencrypt'...
>>> remote: Counting objects: 45, done.
>>> remote: Compressing objects: 100% (4/4), done.
>>> remote: Total 45 (delta 0), reused 0 (delta 0),
>>> pack-reused 41
>>> Unpacking objects: 100% (45/45), done.
>>> [jjflynn22 at ipa-1 ~]$ sudo cp -r freeipa-letsencrypt
>>> /root/ipa-le
>>> [jjflynn22 at ipa-1 ~]$ sudo vi /root/ipa-le/renew-le.sh
>>> [jjflynn22 at ipa-1 ~]$ sudo yum install -y dnf
>>> Loaded plugins: fastestmirror, langpacks
>>> Loading mirror speeds from cached hostfile
>>> * base: repo1.ash.innoscale.net
>>> * epel: mirror.cogentco.com
>>> * extras: mirrors.advancedhosters.com
>>> * updates: mirror.cs.vt.edu
>>> Resolving Dependencies
>>> --> Running transaction check
>>> ---> Package dnf.noarch 0:0.6.4-2.el7 will be installed
>>> --> Processing Dependency: python-dnf = 0.6.4-2.el7
>>> for package: dnf-0.6.4-2.el7.noarch
>>> --> Running transaction check
>>> ---> Package python-dnf.noarch 0:0.6.4-2.el7 will be
>>> installed
>>> --> Processing Dependency: dnf-conf = 0.6.4-2.el7
>>> for package: python-dnf-0.6.4-2.el7.noarch
>>> --> Processing Dependency: python-librepo >= 1.7.5
>>> for package: python-dnf-0.6.4-2.el7.noarch
>>> --> Processing Dependency: python-libcomps >= 0.1.6
>>> for package: python-dnf-0.6.4-2.el7.noarch
>>> --> Processing Dependency: python-hawkey >= 0.5.3
>>> for package: python-dnf-0.6.4-2.el7.noarch
>>> --> Running transaction check
>>> ---> Package dnf-conf.noarch 0:0.6.4-2.el7 will be
>>> installed
>>> ---> Package python-hawkey.x86_64
>>> 0:0.5.8-2.git.0.202b194.el7 will be installed
>>> --> Processing Dependency: hawkey(x86-64) =
>>> 0.5.8-2.git.0.202b194.el7 for package:
>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>> --> Processing Dependency:
>>> libsolv.so.0(SOLV_1.0)(64bit) for package:
>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>> --> Processing Dependency: libsolv.so.0()(64bit) for
>>> package: python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>> --> Processing Dependency: libhawkey.so.2()(64bit)
>>> for package:
>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64
>>> ---> Package python-libcomps.x86_64 0:0.1.6-13.el7
>>> will be installed
>>> --> Processing Dependency: libcomps(x86-64) =
>>> 0.1.6-13.el7 for package:
>>> python-libcomps-0.1.6-13.el7.x86_64
>>> --> Processing Dependency:
>>> libcomps.so.0.1.6()(64bit) for package:
>>> python-libcomps-0.1.6-13.el7.x86_64
>>> ---> Package python-librepo.x86_64 0:1.7.16-1.el7
>>> will be installed
>>> --> Processing Dependency: librepo(x86-64) =
>>> 1.7.16-1.el7 for package:
>>> python-librepo-1.7.16-1.el7.x86_64
>>> --> Processing Dependency: librepo.so.0()(64bit) for
>>> package: python-librepo-1.7.16-1.el7.x86_64
>>> --> Running transaction check
>>> ---> Package hawkey.x86_64
>>> 0:0.5.8-2.git.0.202b194.el7 will be installed
>>> ---> Package libcomps.x86_64 0:0.1.6-13.el7 will be
>>> installed
>>> ---> Package librepo.x86_64 0:1.7.16-1.el7 will be
>>> installed
>>> ---> Package libsolv.x86_64 0:0.6.11-1.el7 will be
>>> installed
>>> --> Finished Dependency Resolution
>>>
>>> Dependencies Resolved
>>>
>>> =============================================================================================================================
>>> Package Arch Version Repository Size
>>> =============================================================================================================================
>>> Installing:
>>> dnf noarch 0.6.4-2.el7 epel 209 k
>>> Installing for dependencies:
>>> dnf-conf noarch 0.6.4-2.el7
>>> epel 61 k
>>> hawkey x86_64 0.5.8-2.git.0.202b194.el7
>>> base 87 k
>>> libcomps x86_64 0.1.6-13.el7
>>> epel 72 k
>>> librepo x86_64 1.7.16-1.el7
>>> base 77 k
>>> libsolv x86_64 0.6.11-1.el7 base
>>> 316 k
>>> python-dnf noarch 0.6.4-2.el7
>>> epel 407 k
>>> python-hawkey x86_64 0.5.8-2.git.0.202b194.el7
>>> base 71 k
>>> python-libcomps x86_64 0.1.6-13.el7
>>> epel 44 k
>>> python-librepo x86_64 1.7.16-1.el7
>>> base 49 k
>>>
>>> Transaction Summary
>>> =============================================================================================================================
>>> Install 1 Package (+9 Dependent packages)
>>>
>>> Total download size: 1.4 M
>>> Installed size: 4.1 M
>>> Downloading packages:
>>> (1/10): hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm
>>> | 87 kB 00:00:00
>>> (2/10): dnf-conf-0.6.4-2.el7.noarch.rpm | 61 kB
>>> 00:00:00
>>> (3/10): dnf-0.6.4-2.el7.noarch.rpm | 209 kB 00:00:00
>>> (4/10): librepo-1.7.16-1.el7.x86_64.rpm | 77 kB
>>> 00:00:00
>>> (5/10): libcomps-0.1.6-13.el7.x86_64.rpm | 72 kB
>>> 00:00:00
>>> (6/10): python-librepo-1.7.16-1.el7.x86_64.rpm | 49
>>> kB 00:00:00
>>> (7/10): python-libcomps-0.1.6-13.el7.x86_64.rpm |
>>> 44 kB 00:00:00
>>> (8/10):
>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm
>>> | 71 kB 00:00:00
>>> (9/10): python-dnf-0.6.4-2.el7.noarch.rpm | 407 kB
>>> 00:00:00
>>> (10/10): libsolv-0.6.11-1.el7.x86_64.rpm | 316 kB
>>> 00:00:00
>>> -----------------------------------------------------------------------------------------------------------------------------
>>> Total 1.4 MB/s | 1.4 MB 00:00:01
>>> Running transaction check
>>> Running transaction test
>>> Transaction test succeeded
>>> Running transaction
>>> Installing : libsolv-0.6.11-1.el7.x86_64 1/10
>>> Installing :
>>> hawkey-0.5.8-2.git.0.202b194.el7.x86_64 2/10
>>> Installing :
>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 3/10
>>> Installing : dnf-conf-0.6.4-2.el7.noarch 4/10
>>> Installing : libcomps-0.1.6-13.el7.x86_64 5/10
>>> Installing : python-libcomps-0.1.6-13.el7.x86_64 6/10
>>> Installing : librepo-1.7.16-1.el7.x86_64 7/10
>>> Installing : python-librepo-1.7.16-1.el7.x86_64 8/10
>>> Installing : python-dnf-0.6.4-2.el7.noarch 9/10
>>> Installing : dnf-0.6.4-2.el7.noarch 10/10
>>> Verifying : librepo-1.7.16-1.el7.x86_64 1/10
>>> Verifying : python-libcomps-0.1.6-13.el7.x86_64 2/10
>>> Verifying :
>>> python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 3/10
>>> Verifying : python-librepo-1.7.16-1.el7.x86_64 4/10
>>> Verifying : python-dnf-0.6.4-2.el7.noarch 5/10
>>> Verifying : libcomps-0.1.6-13.el7.x86_64 6/10
>>> Verifying :
>>> hawkey-0.5.8-2.git.0.202b194.el7.x86_64 7/10
>>> Verifying : dnf-conf-0.6.4-2.el7.noarch 8/10
>>> Verifying : dnf-0.6.4-2.el7.noarch 9/10
>>> Verifying : libsolv-0.6.11-1.el7.x86_64 10/10
>>>
>>> Installed:
>>> dnf.noarch 0:0.6.4-2.el7
>>>
>>> Dependency Installed:
>>> dnf-conf.noarch 0:0.6.4-2.el7 hawkey.x86_64
>>> 0:0.5.8-2.git.0.202b194.el7
>>> libcomps.x86_64 0:0.1.6-13.el7 librepo.x86_64
>>> 0:1.7.16-1.el7
>>> libsolv.x86_64 0:0.6.11-1.el7 python-dnf.noarch
>>> 0:0.6.4-2.el7
>>> python-hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7
>>> python-libcomps.x86_64 0:0.1.6-13.el7
>>> python-librepo.x86_64 0:1.7.16-1.el7
>>>
>>> Complete!
>>> [jjflynn22 at ipa-1 ~]$ sudo yum remove -y epel-release
>>> Loaded plugins: fastestmirror, langpacks
>>> Resolving Dependencies
>>> --> Running transaction check
>>> ---> Package epel-release.noarch 0:7-6 will be erased
>>> --> Finished Dependency Resolution
>>>
>>> Dependencies Resolved
>>>
>>> =============================================================================================================================
>>> Package Arch Version Repository Size
>>> =============================================================================================================================
>>> Removing:
>>> epel-release noarch 7-6 @extras 24 k
>>>
>>> Transaction Summary
>>> =============================================================================================================================
>>> Remove 1 Package
>>>
>>> Installed size: 24 k
>>> Downloading packages:
>>> Running transaction check
>>> Running transaction test
>>> Transaction test succeeded
>>> Running transaction
>>> Erasing : epel-release-7-6.noarch 1/1
>>> Verifying : epel-release-7-6.noarch 1/1
>>>
>>> Removed:
>>> epel-release.noarch 0:7-6
>>>
>>> Complete!
>>> [jjflynn22 at ipa-1 ~]$ sudo dnf repolist
>>> CentOS-7 - Base 8.4 MB/s | 8.8 MB 00:01
>>> CentOS-7 - Updates 4.5 MB/s | 12 MB 00:02
>>> CentOS-7 - Extras 1.9 MB/s | 569 kB 00:00
>>> Using metadata from Sun Dec 4 18:06:04 2016
>>> repo id repo name status
>>> base CentOS-7 - Base 9,007
>>> extras CentOS-7 - Extras 393
>>> updates CentOS-7 - Updates 2,560
>>> [jjflynn22 at ipa-1 ~]$ sudo /root/ipa-le/setup-le.sh
>>> Using metadata from Sun Dec 4 18:06:04 2016
>>> Package certbot-0.9.3-1.el7.noarch is already
>>> installed, skipping.
>>> Dependencies resolved.
>>> Nothing to do.
>>> Directory Manager password:
>>>
>>> Installing CA certificate, please wait
>>> CA certificate successfully installed
>>> The ipa-cacert-manage command was successful
>>> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not
>>> logging to a file
>>> ipa: DEBUG: Loading Index file from
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> ipa: DEBUG: importing all plugin modules in
>>> ipalib.plugins...
>>> ipa: DEBUG: importing plugin module ipalib.plugins.aci
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.automember
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.automount
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.baseldap
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.baseuser
>>> ipa: DEBUG: importing plugin module ipalib.plugins.batch
>>> ipa: DEBUG: importing plugin module ipalib.plugins.caacl
>>> ipa: DEBUG: importing plugin module ipalib.plugins.cert
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.certprofile
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.config
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.delegation
>>> ipa: DEBUG: importing plugin module ipalib.plugins.dns
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.domainlevel
>>> ipa: DEBUG: importing plugin module ipalib.plugins.group
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.hbacrule
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.hbacsvc
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.hbacsvcgroup
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.hbactest
>>> ipa: DEBUG: importing plugin module ipalib.plugins.host
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.hostgroup
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.idrange
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.idviews
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.internal
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.kerberos
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.krbtpolicy
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.migration
>>> ipa: DEBUG: importing plugin module ipalib.plugins.misc
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.netgroup
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.otpconfig
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.otptoken
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.otptoken_yubikey
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.passwd
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.permission
>>> ipa: DEBUG: importing plugin module ipalib.plugins.ping
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.pkinit
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.privilege
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.pwpolicy
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='klist' '-V'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.radiusproxy
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.realmdomains
>>> ipa: DEBUG: importing plugin module ipalib.plugins.role
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.rpcclient
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.selfservice
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.selinuxusermap
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.server
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.service
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.servicedelegation
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.session
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.stageuser
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.sudocmd
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.sudocmdgroup
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.sudorule
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.topology
>>> ipa: DEBUG: importing plugin module ipalib.plugins.trust
>>> ipa: DEBUG: importing plugin module ipalib.plugins.user
>>> ipa: DEBUG: importing plugin module ipalib.plugins.vault
>>> ipa: DEBUG: importing plugin module
>>> ipalib.plugins.virtual
>>> ipa: DEBUG: Initializing principal
>>> host/ipa-1.kkgpitt.org at KKGPITT.ORG using keytab
>>> /etc/krb5.keytab
>>> ipa: DEBUG: using ccache /tmp/tmp-zgrScg/ccache
>>> ipa: DEBUG: Attempt 1/1: success
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
>>> 'ipa_session_cookie:host/ipa-1.kkgpitt.org at KKGPITT.ORG'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=134111920
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='keyctl' 'pipe' '134111920'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG:
>>> stdout=ipa_session=59c01d94b52f0586e30046bd36ef93a5;
>>> Domain=ipa-1.kkgpitt.org;
>>> Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13 GMT;
>>> Secure; HttpOnly
>>> ipa: DEBUG: stderr=
>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: found
>>> session_cookie in persistent storage for principal
>>> 'host/ipa-1.kkgpitt.org at KKGPITT.ORG', cookie:
>>> 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;
>>> Domain=ipa-1.kkgpitt.org;
>>> Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13 GMT;
>>> Secure; HttpOnly'
>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG:
>>> setting session_cookie into context
>>> 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;'
>>> ipa.ipalib.plugins.rpcclient.rpcclient: INFO: trying
>>> https://ipa-1.kkgpitt.org/ipa/session/json
>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG:
>>> Created connection context.rpcclient_71021840
>>> ipa.ipalib.plugins.rpcclient.rpcclient: INFO:
>>> Forwarding 'ca_is_enabled' to json server
>>> 'https://ipa-1.kkgpitt.org/ipa/session/json'
>>> ipa: DEBUG: NSSConnection init ipa-1.kkgpitt.org
>>> ipa: DEBUG: Connecting: 192.168.1.201:0
>>> ipa: DEBUG: approved_usage = SSL Server
>>> intended_usage = SSL Server
>>> ipa: DEBUG: cert valid True for
>>> "CN=ipa-1.kkgpitt.org,O=KKGPITT.ORG"
>>> ipa: DEBUG: handshake complete, peer =
>>> 192.168.1.201:443
>>> ipa: DEBUG: Protocol: TLS1.2
>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
>>> ipa: DEBUG: received Set-Cookie
>>> 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;
>>> Domain=ipa-1.kkgpitt.org;
>>> Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28 GMT;
>>> Secure; HttpOnly'
>>> ipa: DEBUG: storing cookie
>>> 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;
>>> Domain=ipa-1.kkgpitt.org;
>>> Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28 GMT;
>>> Secure; HttpOnly' for principal
>>> host/ipa-1.kkgpitt.org at KKGPITT.ORG
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
>>> 'ipa_session_cookie:host/ipa-1.kkgpitt.org at KKGPITT.ORG'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=134111920
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
>>> 'ipa_session_cookie:host/ipa-1.kkgpitt.org at KKGPITT.ORG'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=134111920
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='keyctl' 'pupdate' '134111920'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG:
>>> Destroyed connection context.rpcclient_71021840
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
>>> ldap://ipa-1.kkgpitt.org:389 from SchemaCache
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving
>>> schema for SchemaCache
>>> url=ldap://ipa-1.kkgpitt.org:389
>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at
>>> 0x42a2fc8>
>>> ipa: DEBUG: Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/dirsrv/slapd-KKGPITT-ORG' '-A' '-n'
>>> 'KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/dirsrv/slapd-KKGPITT-ORG' '-A' '-n'
>>> 'DSTRootCAX3' '-t' 'C,,'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/bin/systemctl' 'is-active'
>>> 'dirsrv at KKGPITT-ORG.service'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/bin/systemctl' '--system'
>>> 'daemon-reload'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/bin/systemctl' 'restart'
>>> 'dirsrv at KKGPITT-ORG.service'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/bin/systemctl' 'is-active'
>>> 'dirsrv at KKGPITT-ORG.service'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: wait_for_open_ports: localhost [389]
>>> timeout 300
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/httpd/alias' '-A' '-n' 'KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/httpd/alias' '-A' '-n' 'DSTRootCAX3' '-t' 'C,,'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/bin/systemctl' 'is-active'
>>> 'httpd.service'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/bin/systemctl' 'restart'
>>> 'httpd.service'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/bin/systemctl' 'is-active'
>>> 'httpd.service'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:
>>> resubmitting certmonger request '20161204225818'
>>> ipa: DEBUG: certmonger request is in state
>>> dbus.String(u'GENERATING_CSR', variant_level=1)
>>> ipa: DEBUG: certmonger request is in state
>>> dbus.String(u'PRE_SAVE_CERT', variant_level=1)
>>> ipa: DEBUG: certmonger request is in state
>>> dbus.String(u'POST_SAVED_CERT', variant_level=1)
>>> ipa: DEBUG: certmonger request is in state
>>> dbus.String(u'POST_SAVED_CERT', variant_level=1)
>>> ipa: DEBUG: certmonger request is in state
>>> dbus.String(u'POST_SAVED_CERT', variant_level=1)
>>> ipa: DEBUG: certmonger request is in state
>>> dbus.String(u'MONITORING', variant_level=1)
>>> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:
>>> modifying certmonger request '20161204225818'
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/ipa/nssdb' '-L'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> Certificate Nickname Trust Attributes
>>> SSL,S/MIME,JAR/XPI
>>>
>>> KKGPITT.ORG IPA CA CT,C,C
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/pki/nssdb' '-L' '-n' 'KKGPITT.ORG IPA CA' '-a'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=-----BEGIN CERTIFICATE-----
>>> -----END CERTIFICATE-----
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/pki/nssdb' '-D' '-n' 'KKGPITT.ORG IPA CA'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/pki/nssdb' '-L' '-n' 'KKGPITT.ORG IPA CA' '-a'
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert:
>>> KKGPITT.ORG IPA CA
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/ipa/nssdb' '-L' '-n' 'IPA CA' '-a'
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/ipa/nssdb' '-L' '-n' 'External CA cert' '-a'
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert:
>>> External CA cert
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/ipa/nssdb' '-A' '-n' 'KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/ipa/nssdb' '-A' '-n' 'DSTRootCAX3' '-t' 'C,,'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/pki/nssdb' '-A' '-n' 'KKGPITT.ORG IPA CA' '-t' 'CT,C,C'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/certutil' '-d'
>>> '/etc/pki/nssdb' '-A' '-n' 'DSTRootCAX3' '-t' 'C,,'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/update-ca-trust'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: INFO: Systemwide CA database updated.
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/update-ca-trust'
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: INFO: Systemwide CA database updated.
>>> ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The
>>> ipa-certupdate command was successful
>>> Directory Manager password:
>>>
>>> Installing CA certificate, please wait
>>> Not a valid CA certificate:
>>> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer
>>> is not recognized. (visit
>>> http://www.freeipa.org/page/Troubleshooting for
>>> troubleshooting guide)
>>> [jjflynn22 at ipa-1 ~]$
>> Hi,
>>
>> you seem to have an issue when the LetsEncryptAuthorityX3
>> is being installed. The certificate from the CA that
>> issued this certificate (DSTRootCAX3) seems to be
>> installed correctly. Could you verify that DSTRootCAX3 is
>> marked as a trusted CA by issuing:
>>
>> certutil -d /etc/httpd/alias/ -L
>>
>> The DSTRootCAX3 should have C,, trust flags.
>>
>> There was an issue fixed last week that might have caused this
>> issue if you've ever tried to install letsencrypt on this
>> particular VM before:
>> https://github.com/freeipa/freeipa-letsencrypt/issues/1#issuecomment-263546822
>> If that's the case, you will need to re-install IPA before
>> the letsencrypt solution will work.
>>
>> I was not able to reproduce your issue with a clean machine.
>>
>> --
>> Tomas Krizek
--
Tomas Krizek
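A check for the two conditions raised in the thread, that DSTRootCAX3 carries the `C` (trusted CA) flag for SSL in the NSS database and that LetsEncryptAuthorityX3's Issuer really equals the root's Subject, as an added example that is not code from the thread or from freeipa-letsencrypt. The `certutil -L` listing and the `Subject:`/`Issuer:` lines it parses are constructed samples in the format of `certutil -d /etc/httpd/alias -L` and `openssl x509 -text`, so it runs offline.

```python
"""Explain SEC_ERROR_UNKNOWN_ISSUER when installing a Let's Encrypt
intermediate into a FreeIPA NSS database: either the root it chains to is
not trusted as an SSL CA, or the intermediate does not chain to that root.
Inputs are captured text, so the constructed samples below run offline."""
import re

# Constructed sample in the format of `certutil -d /etc/httpd/alias -L`
# (nicknames as in the thread; column widths are arbitrary).
CERTUTIL_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Signing-Cert                                    u,u,u
DSTRootCAX3                                     C,,
ipaCert                                         u,u,u
Server-Cert                                     u,u,u
KKGPITT.ORG IPA CA                              CT,C,C
"""

# Constructed lines in the format of `openssl x509 -text` output.
ROOT_SUBJECT_LINE = "        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3"
INTERMEDIATE_ISSUER_LINE = "        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3"

# Three trust slots (SSL, S/MIME, JAR/XPI), each a string of NSS trust
# letters; an empty slot is legal, e.g. "C,," for a root trusted only for SSL.
FLAGS_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_trust_listing(text):
    """Map nickname -> (ssl, smime, jar) trust strings from `certutil -L` output."""
    listing = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip() or line.startswith("Certificate Nickname") \
                or line.strip() == "SSL,S/MIME,JAR/XPI":
            continue  # blank line or one of the two header lines
        parts = line.rsplit(None, 1)  # nicknames may contain spaces
        if len(parts) != 2 or not FLAGS_RE.match(parts[1]):
            continue
        nick, flags = parts
        listing[nick.strip()] = tuple(flags.split(","))
    return listing


def is_trusted_ssl_ca(listing, nickname):
    """True when the SSL slot has 'C' (trusted CA). A lowercase 'c' only marks
    a valid CA and is not enough for NSS to accept certificates it issued."""
    flags = listing.get(nickname)
    return flags is not None and "C" in flags[0]


def parse_dn_line(line):
    """Normalize the DN from a 'Subject:'/'Issuer:' line of `openssl x509 -text`.
    Splits on commas, so DNs containing escaped commas need a real DN parser."""
    _, _, dn = line.partition(":")
    return ", ".join(p.strip().replace(" = ", "=") for p in dn.split(","))


def chains_to(intermediate_issuer_line, root_subject_line):
    """True when the intermediate names the root as its issuer."""
    return parse_dn_line(intermediate_issuer_line) == parse_dn_line(root_subject_line)


def diagnose(listing_text, root_nick, intermediate_issuer_line, root_subject_line):
    """Return the problems that would explain SEC_ERROR_UNKNOWN_ISSUER when the
    intermediate is installed; an empty list means both checks pass."""
    problems = []
    listing = parse_trust_listing(listing_text)
    if root_nick not in listing:
        problems.append("%s is not in the NSS database" % root_nick)
    elif not is_trusted_ssl_ca(listing, root_nick):
        problems.append("%s lacks the C flag for SSL (trust is %s)"
                        % (root_nick, ",".join(listing[root_nick])))
    if not chains_to(intermediate_issuer_line, root_subject_line):
        problems.append("intermediate Issuer does not match the root's Subject")
    return problems


if __name__ == "__main__":
    found = diagnose(CERTUTIL_LISTING, "DSTRootCAX3",
                     INTERMEDIATE_ISSUER_LINE, ROOT_SUBJECT_LINE)
    for problem in found or ["chain and trust flags look good"]:
        print(problem)
```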