[Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

Peter Pakos peter at pakos.uk
Thu Dec 29 12:52:55 UTC 2016


Hi guys,

I'm facing yet another problem with a CA-less install of a FreeIPA replica and
a 3rd-party SSL certificate.

A few days ago I deployed a new CA-less server (ipa02) by running the
following command:

ipa-server-install \
>   -r PAKOS.UK \
>   -n pakos.uk \
>   -p 'password' \
>   -a 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA \
>   --idstart=1000


This server appears to be working OK.

Then yesterday I deployed a client (ipa01):

ipa-client-install \
>   -p admin \
>   -w 'password' \
>   --mkhomedir


Next, I promoted it to IPA server:

ipa-replica-install \
>   -w 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --dirsrv-cert-name=AlphaWildcardIPA \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA


After it finished, I noticed that dirsrv wasn't running on port 636 on
ipa01.

Further investigation revealed that the SSL wildcard certificate
(AlphaWildcardIPA) wasn't installed in the dirsrv DB and that the CA
certificates were named oddly (CA 1 and CA 2):

[root at ipa01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                             u,u,u
CA 1                                                         ,,
CA 2                                                         C,,


[root at ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa                        ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,


This is what I found in the error log:

[29/Dec/2016:01:43:58.852745536 +0000] 389-Directory/1.3.5.10
B2016.341.2222 starting up
[29/Dec/2016:01:43:58.867642515 +0000] default_mr_indexer_create:
warning - plugin [caseIgnoreIA5Match] does not handle
caseExactIA5Match
[29/Dec/2016:01:43:58.889866051 +0000] schema-compat-plugin -
scheduled schema-compat-plugin tree scan in about 5 seconds after the
server startup!
[29/Dec/2016:01:43:58.905267535 +0000] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.907051833 +0000] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.908396407 +0000] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.909758735 +0000] NSACLPlugin - The ACL target
ou=sudoers,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.911133739 +0000] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.912416230 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.913644794 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.914901802 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.916158004 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.917409810 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.918636743 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.919904210 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.921175543 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.922417264 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.923818252 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.925218237 +0000] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.928474915 +0000] NSACLPlugin - The ACL target
cn=ad,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.943158867 +0000] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.944679679 +0000] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:59.060335708 +0000] NSACLPlugin - The ACL target
cn=automember rebuild membership,cn=tasks,cn=config does not exist
[29/Dec/2016:01:43:59.066618653 +0000] Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=pakos,dc=uk--no CoS Templates found,
which should be added before the CoS Definition.
[29/Dec/2016:01:43:59.100168779 +0000] schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!
[29/Dec/2016:01:43:59.108366423 +0000] slapd started.  Listening on
All Interfaces port 389 for LDAP requests
[29/Dec/2016:01:43:59.109788596 +0000] Listening on
/var/run/slapd-PAKOS-UK.socket for LDAPI requests
[29/Dec/2016:01:44:04.117095313 +0000] schema-compat-plugin - warning:
no entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.142962437 +0000] schema-compat-plugin - warning:
no entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.164958006 +0000] schema-compat-plugin - Finished
plugin initialization.
[29/Dec/2016:01:44:20.113621699 +0000] ipa-topology-plugin -
ipa_topo_util_get_replica_conf: server configuration missing
[29/Dec/2016:01:44:20.115517170 +0000] ipa-topology-plugin -
ipa_topo_util_get_replica_conf: cannot create replica


At this point I trashed ipa01 and tried to re-deploy it using the same
commands. The install failed with the following error message:

Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss cipher suite
  [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/19]: setting mod_nss password file
  [5/19]: enabling mod_nss renegotiate
  [6/19]: adding URL rewriting rules
  [7/19]: configuring httpd
  [8/19]: setting up httpd keytab
  [9/19]: setting up ssl
  [error] NotFound: no such entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    no such entry
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information

Here's the full install log:
https://files.pakos.uk/ipareplica-install.log.txt

I've raised this problem on the #freeipa channel (many thanks to mbasti and ab
for their help in investigating this issue with me); however, we didn't get
very far, and some further input from dirsrv gurus is required here.

[root at ipa01 ipa]# echo $SERVICE
HTTP/ipa01.pakos.uk at PAKOS.UK

[root at ipa01 ipa]# echo $DN
krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk

[root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk>
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s
sub "krbprincipalname=*"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk>
with scope subtree
# filter: krbprincipalname=*
# requesting: ALL
#

# HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s
sub "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk>
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk>
with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


I must say that this is a show stopper for us at WANdisco, which is holding
back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.

If there is anything else I can do to help with the investigation, please
just let me know.

Many thanks in advance.

-- 
Kind regards,
 Peter Pakos
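A post-install check of the kind this thread calls for, added here as an example that is not part of Peter's post or of FreeIPA itself: it parses a `certutil -L` listing and confirms that the server certificate nickname is present with its private key (`u,u,u`) and that at least one CA carries the SSL trust flag (`C,,`), which is exactly what the dirsrv DB above lacks. The two embedded listings are constructed from the outputs quoted in the post; the function name `check_nssdb_listing` is assumed.

```shell
#!/bin/sh
# Added example: verify an NSS DB listing from `certutil -L -d <dir>`.
# On a real host: check_nssdb_listing "$(certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/)" AlphaWildcardIPA

# Returns 0 when the listing holds $2 with a private key (u,u,u) and a CA
# trusted to issue SSL server certs (C in the SSL column); otherwise prints
# what is missing and returns 1.
check_nssdb_listing() {
    listing=$1
    nick=$2
    status=0
    # Server cert line: nickname, padding, then u,u,u (key present in the DB)
    if ! printf '%s\n' "$listing" | grep -Eq "^${nick} +u,u,u$"; then
        echo "missing server cert '$nick' with private key (u,u,u)"
        status=1
    fi
    # Issuing CA line: trust attributes starting with C in the SSL column
    if ! printf '%s\n' "$listing" | grep -Eq ' C[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$'; then
        echo "no CA certificate trusted for SSL (C,,) in listing"
        status=1
    fi
    return $status
}

# Constructed listings, modelled on the httpd and dirsrv DBs shown in the post.
HTTPD_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                             u,u,u
CA 1                                                         ,,
CA 2                                                         C,,'

DIRSRV_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa                        ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,'

# Demo: the httpd DB passes, the dirsrv DB is flagged because the cert is absent.
check_nssdb_listing "$HTTPD_LISTING" AlphaWildcardIPA && echo "httpd NSS DB: OK"
check_nssdb_listing "$DIRSRV_LISTING" AlphaWildcardIPA || echo "dirsrv NSS DB: BROKEN"
```

Run it against both `/etc/httpd/alias/` and `/etc/dirsrv/slapd-<REALM>/` after a CA-less replica install; a non-zero exit from the dirsrv DB explains a missing LDAPS listener on 636 before digging into the dirsrv error log.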