[Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

Peter Pakos peter at pakos.uk
Thu Dec 29 18:13:10 UTC 2016


Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt

I hope it helps.

On 29 December 2016 at 12:52, Peter Pakos <peter at pakos.uk> wrote:

> Hi guys,
>
> I'm facing yet another problem with CA-less install of FreeIPA replica and
> 3rd party SSL certificate.
>
> A few days ago I deployed a new CA-less server (ipa02) by running the
> following command:
>
> ipa-server-install \
>   -r PAKOS.UK \
>   -n pakos.uk \
>   -p 'password' \
>   -a 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA \
>   --idstart=1000
>
>
> This server appears to be working OK.
>
> Then yesterday I deployed a client (ipa01):
>
> ipa-client-install \
>   -p admin \
>   -w 'password' \
>   --mkhomedir
>
>
> Next, I promoted it to IPA server:
>
> ipa-replica-install \
>   -w 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --dirsrv-cert-name=AlphaWildcardIPA \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA
>
>
> After it finished, I noticed that dirsrv wasn't running on port 636 on
> ipa01.
>
> Further investigation revealed that the SSL wildcard certificate
> (AlphaWildcardIPA) wasn't installed in the dirsrv DB and that the CA
> certificates were named oddly (CA 1 and CA 2):
>
> [root at ipa01 ~]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> AlphaWildcardIPA                                             u,u,u
> CA 1                                                         ,,
> CA 2                                                         C,,
>
>
> [root at ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> GlobalSign Root CA - GlobalSign nv-sa                        ,,
> AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,
>
>
> This is what I found in the error log:
>
> [29/Dec/2016:01:43:58.852745536 +0000] 389-Directory/1.3.5.10 B2016.341.2222 starting up
> [29/Dec/2016:01:43:58.867642515 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
> [29/Dec/2016:01:43:58.889866051 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [29/Dec/2016:01:43:58.905267535 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.907051833 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.908396407 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.909758735 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.911133739 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.912416230 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.913644794 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.914901802 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.916158004 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.917409810 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.918636743 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.919904210 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.921175543 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.922417264 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.923818252 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.925218237 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.928474915 +0000] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.943158867 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.944679679 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:59.060335708 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [29/Dec/2016:01:43:59.066618653 +0000] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pakos,dc=uk--no CoS Templates found, which should be added before the CoS Definition.
> [29/Dec/2016:01:43:59.100168779 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [29/Dec/2016:01:43:59.108366423 +0000] slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [29/Dec/2016:01:43:59.109788596 +0000] Listening on /var/run/slapd-PAKOS-UK.socket for LDAPI requests
> [29/Dec/2016:01:44:04.117095313 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
> [29/Dec/2016:01:44:04.142962437 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
> [29/Dec/2016:01:44:04.164958006 +0000] schema-compat-plugin - Finished plugin initialization.
> [29/Dec/2016:01:44:20.113621699 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
> [29/Dec/2016:01:44:20.115517170 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
>
>
> At this point I trashed ipa01 and tried to re-deploy it using the
> same commands. The install failed with the following error message:
>
> Done configuring directory server (dirsrv).
> Configuring ipa-custodia
>   [1/4]: Generating ipa-custodia config file
>   [2/4]: Generating ipa-custodia keys
>   [3/4]: starting ipa-custodia
>   [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>   [1/4]: configuring KDC
>   [2/4]: adding the password extension to the directory
>   [3/4]: starting the KDC
>   [4/4]: configuring KDC to start on boot
> Done configuring Kerberos KDC (krb5kdc).
> Configuring kadmin
>   [1/2]: starting kadmin
>   [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> Configuring ipa_memcached
>   [1/2]: starting ipa_memcached
>   [2/2]: configuring ipa_memcached to start on boot
> Done configuring ipa_memcached.
> Configuring the web interface (httpd). Estimated time: 1 minute
>   [1/19]: setting mod_nss port to 443
>   [2/19]: setting mod_nss cipher suite
>   [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>   [4/19]: setting mod_nss password file
>   [5/19]: enabling mod_nss renegotiate
>   [6/19]: adding URL rewriting rules
>   [7/19]: configuring httpd
>   [8/19]: setting up httpd keytab
>   [9/19]: setting up ssl
>   [error] NotFound: no such entry
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    no such entry
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> Here's the full install log: https://files.pakos.uk/ipareplica-install.log.txt
>
> I've raised this problem on the #freeipa channel (many thanks to mbasti and ab
> for their help in investigating this issue with me); however, we didn't get
> too far, and some further input from dirsrv gurus is required here.
>
> [root at ipa01 ipa]# echo $SERVICE
> HTTP/ipa01.pakos.uk at PAKOS.UK
>
> [root at ipa01 ipa]# echo $DN
> krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk
>
> [root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
> krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "krbprincipalname=*"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
> # filter: krbprincipalname=*
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
> krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "(objectclass=*)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
> krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root at ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos.uk at PAKOS.UK, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos.uk at PAKOS.UK,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk at PAKOS.UK
> krbCanonicalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos.uk at PAKOS.UK
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> I must say that this is a show stopper for us at WANdisco, which is holding
> back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.
>
> If there is anything else I can do to help with the investigation, please
> just let me know.
>
> Many thanks in advance.
>
> --
> Kind regards,
>  Peter Pakos
>



-- 
Kind regards,
 Peter Pakos
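The certutil listings quoted above are the key evidence in this thread: on ipa01 the httpd database holds AlphaWildcardIPA with its key (trust "u,u,u") while the dirsrv database holds only the two CA entries, which is exactly why nothing listens on 636. The POSIX shell script below is an added example, not code from the post or from the FreeIPA project, that turns that by-eye comparison into a repeatable check. It assumes the nickname AlphaWildcardIPA from the post; the two listings embedded in it are constructed text modelled on the quoted `certutil -L` output, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): check a `certutil -L` listing
# for what a CA-less IPA server needs in each NSS database: the server
# certificate with its private key (trust "u,u,u") and at least one CA entry
# carrying the "C" (trusted for SSL) flag so the chain verifies.

# Print the trust-attribute column of the certificate named $1 in listing $2
# (prints nothing when the nickname is absent).
nss_trust_of() {
    printf '%s\n' "$2" | awk -v nick="$1" '
        # skip the two header lines and blank lines; trust flags are the last field
        $0 !~ /^Certificate Nickname/ && $0 !~ /SSL,S\/MIME/ && NF >= 2 {
            trust = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            if (name == nick) { print trust; exit }
        }'
}

# Succeed when nickname $1 is present with a private key (u,u,u) in listing $2,
# i.e. mod_nss or dirsrv could actually serve TLS with it.
nss_has_server_cert() {
    [ "$(nss_trust_of "$1" "$2")" = "u,u,u" ]
}

# Succeed when at least one entry in listing $1 has the C flag in the SSL
# position; without it the server certificate's issuer is not trusted.
nss_has_trusted_ca() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $NF ~ /^C/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Print findings for one database; return 0 only when both checks pass.
nss_report() {  # $1 label, $2 expected server nickname, $3 listing
    rc=0
    if nss_has_server_cert "$2" "$3"; then
        echo "$1: server cert '$2' present with key"
    else
        echo "$1: server cert '$2' MISSING or without key (TLS listener cannot start)"
        rc=1
    fi
    if nss_has_trusted_ca "$3"; then
        echo "$1: trusted CA entry present"
    else
        echo "$1: no CA entry with the C trust flag"
        rc=1
    fi
    return $rc
}

# Constructed listings mirroring the two databases quoted in the post.
HTTPD_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                             u,u,u
CA 1                                                         ,,
CA 2                                                         C,,'

DIRSRV_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa                        ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,'

# Run both checks and count the databases that need attention.
nss_demo() {
    broken=0
    nss_report httpd  AlphaWildcardIPA "$HTTPD_LISTING"  || broken=$((broken + 1))
    nss_report dirsrv AlphaWildcardIPA "$DIRSRV_LISTING" || broken=$((broken + 1))
    echo "$broken database(s) need attention"
    return 0
}
nss_demo
```

Against a live server the same functions take real output, for example `nss_report dirsrv AlphaWildcardIPA "$(certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/)"`; the dirsrv case in the constructed data reports the missing server certificate, matching what the post observed before the 636 listener failed to come up.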