[Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails
Alexander Bokovoy
abokovoy at redhat.com
Wed Dec 14 09:15:55 UTC 2016
On ke, 14 joulu 2016, Florence Blanc-Renaud wrote:
>On 12/13/2016 05:29 PM, jay wrote:
>>Well Flo, the issue was IPV6 was disabled. As soon as I enabled it
>>again, added that /etc/hosts entry back, and rebooted the server, things
>>are working again!
>>
>>So is that now a requirement for 4.4.x? Server worked fine on 4.2
>Hi Jay,
>
>this behavior was introduced with the fix for ticket 4291 (CA not
>start during ipa server install in pure IPv6 env) in FreeIPA 4.4.1
>[1].
>
>I agree that the doc [2] does not explicitely mention that IPv6 is
>required, but it sort of suggests that it should be set up.
We actually require IPv6 stack on IPA masters for very long time.
There is no reason why IPv6 stack should be disabled. You may lack
addresses, even local ones, but given that IPv4 and IPv6 share the same
port space, a single API is recommended to be used in implementing
networking applications by the documentation in ipv6(7):
----
IPv4 connections can be handled with the v6 API by using the
v4-mapped-on-v6 address type; thus a program needs to support only
this API type to support both protocols. This is handled
transparently by the address handling functions in the C library.
IPv4 and IPv6 share the local port space. When you get an IPv4
connection or packet to a IPv6 socket, its source address will be
mapped to v6 and it will be mapped to v6.
----
Thus, most of IPA code actually is implemented using this approach. You
need to have IPv6 enabled in the kernel but not necessary used.
This is mentioned as a requirement in the Windows Integration guide but
it is valid for a normal IPA install as well:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-req-ipv6
>I found an e-mail thread mentioning why IPv6 should not be disabled
>[3], and also on freeipa.org a wiki for Deployment recommendations
>[4].
>
>I will open a documentation bug asking to add this requirement in Red
>Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and
>Policy Guide.
>
>Flo
>
>[1] https://fedorahosted.org/freeipa/ticket/4291
>[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs
>[3] https://www.redhat.com/mailman/private/freeipa-users/2015-September/msg00175.html
>[4] http://www.freeipa.org/page/Deployment_Recommendations#Active_Directory_Integration
>
>>without IPV6 enabled. Or has that always been a requirement and I just
>>got lucky somehow. I'm looking through the docs now.
>>
>>Regardless, thank you very much for the help Flo!
>>
>>Jay
>>
>>On Tue, Dec 13, 2016 at 10:20 AM, Florence Blanc-Renaud <flo at redhat.com
>><mailto:flo at redhat.com>> wrote:
>>
>> On 12/13/2016 04:41 PM, jay wrote:
>>
>> Maybe this will help more, I noticed this error in the Apache logs
>>
>> [Tue Dec 13 09:33:37.774921 2016 <tel:774921%202016>] [:error]
>> [pid 2309] ipa: INFO:
>> [jsonserver_kerb] admin at IPA.US-WEST-2.COMPUTE.IN
>> <mailto:admin at IPA.US-WEST-2.COMPUTE.IN>TERNAL:
>> cert_show/1(u'1', version=u'2.213'): CertificateOperationError
>> [Tue Dec 13 09:35:29.141847 2016] [proxy:error] [pid 2316]
>> (111)Connection refused: AH00957: AJP: attempt to connect to
>> 127.0.0.1:8009 <http://127.0.0.1:8009> <http://127.0.0.1:8009>
>> (localhost) failed
>> [Tue Dec 13 09:35:29.141881 2016] [proxy:error] [pid 2316] AH00959:
>> ap_proxy_connect_backend disabling worker for (localhost) for 60s
>> [Tue Dec 13 09:35:29.141900 2016] [proxy_ajp:error] [pid 2316]
>> [client
>> 172.31.0.254:39646 <http://172.31.0.254:39646>
>> <http://172.31.0.254:39646>] AH00896: failed to make
>> connection to backend: localhost
>> [Tue Dec 13 09:35:29.142412 2016] [:error] [pid 2310] ipa: ERROR:
>> ra.get_certificate(): Unable to communicate with CMS (503)
>>
>>
>> So whatever is running on port 8009 isn't responding or setup
>> properly.
>>
>> Jay
>>
>> On Tue, Dec 13, 2016 at 8:46 AM, jay <titleistfour at gmail.com
>> <mailto:titleistfour at gmail.com>
>> <mailto:titleistfour at gmail.com <mailto:titleistfour at gmail.com>>>
>> wrote:
>>
>> Thank you for the response Flo. So I do see Apache running and
>> listening on port 443. However, running that command I get
>> a 503
>>
>> * Trying 172.31.0.254...
>> * Connected to ip-172-31-0-254.us-west-2.compute.internal
>> (172.31.0.254) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> CApath: none
>> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> * Server certificate:
>> * subject:
>>
>> CN=ip-172-31-0-254.us-west-2.compute.internal,O=IPA.US-WEST-2.COMPUTE.INTERNAL
>> * start date: Dec 13 14:33:16 2016 GMT
>> * expire date: Dec 14 14:33:16 2018 GMT
>> * common name: ip-172-31-0-254.us-west-2.compute.internal
>> * issuer: CN=Certificate
>> Authority,O=IPA.US-WEST-2.COMPUTE.INTERNAL
>> > GET /ca/agent/ca/displayBySerial?serialNumber=1 HTTP/1.1
>> > User-Agent: curl/7.29.0
>> > Host: ip-172-31-0-254.us-west-2.compute.internal
>> > Accept: */*
>> >
>> * NSS: using client certificate: ipaCert
>> * subject: CN=IPA RA,O=IPA.US-WEST-2.COMPUTE.INT
>> <http://IPA.US-WEST-2.COMPUTE.INT>ERNAL
>> * start date: Dec 13 14:32:28 2016 GMT
>> * expire date: Dec 03 14:32:28 2018 GMT
>> * common name: IPA RA
>> * issuer: CN=Certificate
>> Authority,O=IPA.US-WEST-2.COMPUTE.INTERNAL
>> < HTTP/1.1 503 Service Unavailable
>> < Date: Tue, 13 Dec 2016 14:44:00 GMT
>> < Server: Apache
>> < Content-Length: 299
>> < Connection: close
>> < Content-Type: text/html; charset=iso-8859-1
>>
>> [root at ip-172-31-0-254 ~]# cat out.html
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>503 Service Unavailable</title>
>> </head><body>
>> <h1>Service Unavailable</h1>
>> <p>The server is temporarily unable to service your
>> request due to maintenance downtime or capacity
>> problems. Please try again later.</p>
>> </body></html>
>> [root at ip-172-31-0-254 ~]#
>>
>>
>> What would cause the service to be unavailable? Maybe the
>> installer
>> changed and I need to provide another option now that I
>> didn't have
>> to before the version upgrade?
>>
>> Hi Jay,
>>
>> I am not completely familiar with Tomcat, but I understand so far
>> that the httpd server is configured to redirect requests on
>> displayBySerial to Tomcat with this setting in the file
>> /etc/httpd/conf.d/ipa-pki-proxy.conf:
>>
>> <LocationMatch
>> "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
>> NSSOptions +StdEnvVars +ExportCertData +StrictRequire
>> +OptRenegotiate
>> NSSVerifyClient require
>> ProxyPassMatch ajp://localhost:8009
>> ProxyPassReverse ajp://localhost:8009
>> </LocationMatch>
>>
>> And this port must be configured in /etc/pki/pki-tomcat/server.xml:
>> <Connector port="8009"
>> protocol="AJP/1.3"
>> redirectPort="8443"
>> address="::1" />
>>
>> In my setup I also have /etc/hosts defining localhost:
>> 127.0.0.1 localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>>
>>
>> Can you check that you also have those settings? If yes, then I
>> assume that Tomcat is not able to create the AJP connector on port 8009.
>> When PKI is started, you should find a trace of the connector
>> initialization in /var/log/pki/pki-tomcat/catalina.$DATE.log:
>>
>> 12-Dec-2016 13:54:17.579 INFO [main]
>> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
>> ["ajp-nio-0:0:0:0:0:0:0:1-8009"]
>> 12-Dec-2016 13:54:25.076 INFO [main]
>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
>> ["ajp-nio-0:0:0:0:0:0:0:1-8009"]
>> 12-Dec-2016 13:56:33.683 INFO [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1]
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.processApplication
>> RESTEASY002225: Deploying javax.ws.rs.core.Application: class
>> org.dogtagpki.server.ca.rest.CAApplication
>>
>> Next steps to debug would be to increase Tomcat logs.
>> Flo.
>>
>>
>> Thanks,
>> Jay
>>
>> On Tue, Dec 13, 2016 at 1:56 AM, Florence Blanc-Renaud
>> <flo at redhat.com <mailto:flo at redhat.com>
>> <mailto:flo at redhat.com <mailto:flo at redhat.com>>> wrote:
>>
>> On 12/12/2016 10:32 PM, jay wrote:
>>
>> Hello,
>>
>> I have been testing freeipa on CentOS 7 for a while
>> now with a
>> relatively simple setup, just a single server and 12
>> or so
>> Linux clients
>> in AWS. I went to rebuild the environment today and
>> part of
>> my Ansible
>> playbook failed with this error
>>
>> ipa: ERROR: Certificate operation cannot be
>> completed: Unable to
>> communicate with CMS (503)
>>
>> This is the command that failed
>>
>> /usr/bin/ipa cert-show 1 --out=/root/cacert.crt
>>
>> I noticed the version I was using on Friday was
>> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64. But
>> now I'm
>> getting
>> ipa-server-4.4.0-14.el7.centos.x86_64 installed, so
>> the repo
>> was updated
>> over the weekend.
>>
>> Is there a known issue running cert-show with this
>> version?
>> I can't
>> find anything in the debug logs that point to something
>> wrong. Running
>> 'ipa cert-find' and 'getcert list -d /etc/httpd/alias -n
>> ipaCert' work
>> just fine.
>>
>> Can someone offer some advice or pointer to what
>> might be
>> going on? I'm
>> invoking the install with these options and it has
>> worked
>> flawlessly
>> before this new version
>>
>> 2016-12-12T21:05:21Z DEBUG ipa-server-install was
>> invoked
>> with arguments
>> [] and options: {'no_dns_
>> sshfp': None, 'ignore_topology_disconnect': None,
>> 'verbose':
>> False,
>> 'ip_addresses': [CheckedIPAddr
>> ess('172.31.0.235')], 'domainlevel': None,
>> 'mkhomedir': None,
>> 'http_cert_files': None, 'no_ntp': N
>> one, 'reverse_zones': None, 'no_forwarders': None,
>> 'external_ca_type':
>> None, 'ssh_trust_dns': True
>> , 'domain_name': 'ipa.us-west-2.compute.internal',
>> 'idmax':
>> None,
>> 'http_cert_name': None, 'dirsrv_
>> cert_files': None, 'no_dnssec_validation': None,
>> 'ca_signing_algorithm':
>> None, 'no_reverse': None,
>> 'subject': None, 'unattended': True,
>> 'auto_reverse': None,
>> 'auto_forwarders': None, 'no_host_dns'
>> : None, 'no_sshd': None, 'no_ui_redirect': None,
>> 'ignore_last_of_role':
>> None, 'realm_name': 'IPA.U
>> S-WEST-2.COMPUTE.INTERNAL', 'forwarders':
>> [CheckedIPAddress('172.31.0.2')], 'idstart': 5000, 'exte
>> rnal_ca': None, 'no_ssh': None,
>> 'external_cert_files': None,
>> 'no_hbac_allow': None, 'forward_polic
>> y': None, 'dirsrv_cert_name': None, 'ca_cert_files':
>> None,
>> 'zonemgr':
>> None, 'quiet': False, 'setup
>> _dns': True, 'host_name':
>> 'ip-172-31-0-235.us-west-2.com
>> <http://ip-172-31-0-235.us-west-2.com>
>> <http://ip-172-31-0-235.us-west-2.com
>> <http://ip-172-31-0-235.us-west-2.com>>pute.internal',
>> 'dirsrv_config_file': None
>> , 'log_file': None, 'allow_zone_overlap': None,
>> 'uninstall':
>> False}
>> 2016-12-12T21:05:21Z DEBUG IPA version
>> 4.4.0-14.el7.centos
>>
>> Thank you
>> Jay
>>
>>
>>
>> Hi,
>>
>> the ipa cert-show command is communicating with Dogtag,
>> using
>> port 443. Can you check if Dogtag is properly responding
>> on this
>> port?
>>
>> $ SSL_DIR=/etc/httpd/alias/ curl -v -E ipaCert:`cat
>> /etc/httpd/alias/pwdfile.txt`
>>
>> https://hostname.domainname:443/ca/agent/ca/displayBySerial?serialNumber=1
>> <https://hostname.domainname:443/ca/agent/ca/displayBySerial?serialNumber=1>
>>
>> <https://hostname.domainname:443/ca/agent/ca/displayBySerial?serialNumber=1
>> <https://hostname.domainname:443/ca/agent/ca/displayBySerial?serialNumber=1>>
>> -o out.html
>>
>> The issue can be that Dogtag is down, or a SSL issue (the
>> certificate ipaCert in /etc/httpd/alias is used to
>> authenticate
>> the client to Dogtag).
>>
>> HTH,
>> Flo.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list