<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <tt>On 12/05/2016 05:58 PM, Joseph Flynn wrote:</tt><tt> </tt> <blockquote cite="mid:CAGa_nR19xzf3cU-5KJAJzUSHnCR5L-iE4D=dOCXiP4ndDLmwfw@mail.gmail.com" type="cite"> <div dir="ltr"><tt>Thank you Tomas, those two do seem to be the same. I will try a fresh VM (is there a particular distribution that you've had the best luck with?) and try again.</tt><tt> </tt></div> </blockquote> <tt>I've tested the procedure on Fedora 24.</tt> <blockquote cite="mid:CAGa_nR19xzf3cU-5KJAJzUSHnCR5L-iE4D=dOCXiP4ndDLmwfw@mail.gmail.com" type="cite"> <div dir="ltr"><tt> </tt><tt>sudo openssl x509 -text -in /root/ipa-le/ca/DSTRootCAX3.pem | grep 'Subject:' sudo openssl x509 -text -in /root/ipa-le/ca/LetsEncryptAuthorityX3.pem | grep 'Issuer:' Subject: O=Digital Signature Trust Co., CN=DST Root CA X3 Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3 </tt> <div class="gmail_extra"><tt> [jjflynn22@ipa-1 ~]$ sudo certutil -d /etc/httpd/alias/ -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u DSTRootCAX3 C,, ipaCert u,u,u Server-Cert u,u,u <a moz-do-not-send="true" href="http://KKGPITT.ORG">KKGPITT.ORG</a> IPA CA CT,C,C</tt><tt> </tt><tt> </tt><tt> </tt> <div class="gmail_quote"><tt>On Mon, Dec 5, 2016 at 11:51 AM, Tomas Krizek </tt><tt><<a moz-do-not-send="true" href="mailto:tkrizek@redhat.com" target="_blank">tkrizek@redhat.com</a>></tt><tt> wrote:</tt><tt> </tt> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div bgcolor="#FFFFFF"> <tt>Please keep </tt><tt><a moz-do-not-send="true" class="gmail-m_-6303702116913931506moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a></tt><tt> in CC.</tt><tt> </tt> <tt> </tt> <div class="gmail-m_-6303702116913931506moz-cite-prefix"><tt>On 12/05/2016 05:23 PM, Joseph Flynn wrote:</tt><tt> </tt> </div> <blockquote type="cite"> <div dir="ltr"><tt>By the way Tomas, can you recommend a good read to better understand how all of these certs play together in an architecture like this? I'm quite confident in Linux usage an admin but must admit this is not quite clear to me.</tt><tt> </tt> </div> </blockquote> <tt>The chain of trust on the Let's Encrypt side is explained in </tt><tt><a moz-do-not-send="true" class="gmail-m_-6303702116913931506moz-txt-link-freetext" href="https://letsencrypt.org/certificates/" target="_blank">https://letsencrypt.org/certificates/</a></tt><tt> On the FreeIPA side, there are some articles on our wiki page related to Public Key Infrastructure, for example </tt><tt><a moz-do-not-send="true" class="gmail-m_-6303702116913931506moz-txt-link-freetext" href="http://www.freeipa.org/page/PKI" target="_blank">http://www.freeipa.org/page/PKI</a></tt><tt> </tt> <blockquote type="cite"> <div class="gmail_extra"><tt> </tt> <div class="gmail_quote"><tt>On Mon, Dec 5, 2016 at 11:19 AM, Joseph Flynn </tt><tt><<a moz-do-not-send="true" href="mailto:jjflynn22@gmail.com" target="_blank">jjflynn22@gmail.com</a>></tt><tt> wrote:</tt><tt> </tt> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div dir="ltr"> <div> <div> <div> <div><tt>Thank you for responding Tom.</tt><tt> </tt> <tt> </tt> </div> <tt>I created the CentOS 7 VM earlier in the week and did its updates and set the hostnames, etc and took a snapshot. I also tried on Ubuntu first but that had too many install hiccups.</tt><tt> </tt> <tt> </tt> </div> <tt>From that snapshot I have tried several times with the same results as recently as yesterday.</tt><tt> </tt> <tt> </tt> </div> <tt>Here is the output of your suggestion:</tt><tt> </tt> <tt> </tt> <tt>[jjflynn22@ipa-1 ~]$ sudo certutil -d /etc/httpd/alias/ -L</tt><tt> </tt> <tt>[sudo] password for jjflynn22: </tt><tt> </tt> <tt> </tt> <tt>Certificate Nickname </tt><tt> Trust Attributes</tt><tt> </tt><tt> </tt><tt> </tt><tt> SSL,S/MIME,JAR/XPI</tt><tt> </tt> <tt> </tt> <tt>Signing-Cert </tt><tt> u,u,u</tt><tt> </tt> <tt>DSTRootCAX3 </tt><tt> C,, </tt><tt> </tt> <tt>ipaCert </tt><tt> u,u,u</tt><tt> </tt> <tt>Server-Cert </tt><tt> u,u,u</tt><tt> </tt> <tt><a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a></tt><tt> IPA CA </tt><tt> CT,C,C</tt><tt> </tt> </div> </div> </blockquote> </div> </div> </blockquote> <tt>This seems correct, however this information can be misleading if DSTRootCAX3 was installed in FreeIPA before.</tt><tt> </tt> <tt> </tt><tt> The last thing I can think of is to verify that the Subject Field of DTSRootCAX3 is in fact the same as the Issuer Field in the </tt><tt>LetsEncryptAuthorityX3 certificate. I've checked the ones that are used in the git repo and they are correct, so I can't see how this could be the issue, but just to verify:</tt><tt> </tt> <tt> </tt><tt> openssl x509 -text -in /root/ipa-le/ca/DSTRootCAX3.</tt><tt>pem | grep 'Subject:'</tt><tt> </tt><tt> openssl x509 -text -in /root/ipa-le/ca/</tt><tt>LetsEncryptAuthorityX3.pem | grep 'Issuer:'</tt><tt> </tt> <tt> </tt><tt> If that doesn't reveal any difference, I'd suggest to attempt to reproduce the issue with a clean environment (new VM) and if you still encounter the same problem, please open an issue and provide as much information as possible, including software versions. </tt><tt><a moz-do-not-send="true" class="gmail-m_-6303702116913931506moz-txt-link-freetext" href="https://github.com/freeipa/freeipa-letsencrypt/issues" target="_blank">https://github.com/freeipa/freeipa-letsencrypt/issues</a></tt><tt> </tt> <blockquote type="cite"> <div class="gmail_extra"> <div class="gmail_quote"> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div dir="ltr"> <div><tt> </tt> <tt> </tt> </div> <tt>Joe</tt><tt> </tt> <tt> </tt> <tt> </tt> </div> <div class="gmail_extra"><tt> </tt> <div class="gmail_quote"><tt>On Mon, Dec 5, 2016 at 10:35 AM, Tomas Krizek </tt><tt><<a moz-do-not-send="true" href="mailto:tkrizek@redhat.com" target="_blank">tkrizek@redhat.com</a>></tt><tt> wrote:</tt><tt> </tt> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div bgcolor="#FFFFFF"> <tt> </tt> <tt> </tt> <div class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-cite-prefix"><tt>On 12/05/2016 12:25 AM, Joseph Flynn wrote:</tt><tt> </tt> </div> <blockquote type="cite"> <div dir="ltr"> <div> <div> <div><tt>Sorry if this is not the appropriate forum for discussing this topic.</tt><tt> </tt> <tt> </tt> </div> <tt>I have installed a FreeIPA system on CentOS 7 and am trying to get the Let's Encrypt scripts to work as defined in </tt><tt><a moz-do-not-send="true" href="https://github.com/freeipa/freeipa-letsencrypt" target="_blank">https://github.com/freeipa/freeipa-letsencrypt</a></tt><tt> </tt><tt> </tt> <tt> </tt> </div> <tt>I hand to tinker with a combination of enabling/disabling EPEL and this new tool DNF that I am not too familiar with but eventually got the script to run.</tt><tt> </tt> <tt> </tt> </div> <tt>It is ending with the following error:</tt><tt> </tt> <tt> </tt> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><tt>ipa: INFO: Systemwide CA database updated. ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command was successful Directory Manager password: Installing CA certificate, please wait Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit <a moz-do-not-send="true" href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a> for troubleshooting guide)</tt><tt> </tt> <tt> </tt> </blockquote> <div><tt> </tt> </div> <div><tt>Does anyone recognize this situation?</tt><tt> </tt> <tt> </tt> </div> <div><tt>I have installed this on a VirtualBox client in Bridge Network mode. Prior to trying to use a real certificate, I could access the FreeIPA UI from Firefox on both the VM and other computers in the home. I've gotten a domain name and have that domain name pointed to my home router with a handful of ports (those listed at the end of the FreeIPA install) forwarded to my VM.</tt><tt> </tt> </div> <div><tt> </tt> </div> <div><tt>For completeness, I have included the history below along with the full output including a couple of highlighted areas that could be errors.</tt><tt> </tt> <tt> </tt> </div> <div><tt>Thanks for any assistance from anyone who might notice an error in my ways.</tt><tt> </tt> </div> <div><tt>Joe</tt><tt> </tt> <tt> </tt> <tt> </tt> </div> <div><tt>History:</tt><tt> </tt><tt> </tt><tt> </tt><tt> 1 ifconfig -a</tt><tt> </tt><tt> </tt><tt> </tt><tt> 2 sudo yum -y update</tt><tt> </tt><tt> </tt><tt> </tt><tt> 3 cat /etc/hostname</tt><tt> </tt><tt> </tt><tt> </tt><tt> 4 sudo echo 192.168.1.201 </tt><tt><a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a></tt><tt> ipa-1 >> /etc/hosts</tt><tt> </tt><tt> </tt><tt> </tt><tt> 5 sudo vi /etc/hosts</tt><tt> </tt><tt> </tt><tt> </tt><tt> 7 sudo reboot now</tt><tt> </tt><tt> </tt><tt> </tt><tt> 8 hostname</tt><tt> </tt><tt> </tt><tt> </tt><tt> 9 ifconfig -a</tt><tt> </tt><tt> </tt><tt> </tt><tt> 11 sudo visudo</tt><tt> </tt><tt> </tt><tt> </tt><tt> 12 sudo ls # just to set pw</tt><tt> </tt><tt> </tt><tt> </tt><tt> 13 sudo yum install epel-release -y</tt><tt> </tt><tt> </tt><tt> </tt><tt> 14 sudo yum install -y haveged</tt><tt> </tt><tt> </tt><tt> </tt><tt> 15 sudo systemctl start haveged.service</tt><tt> </tt><tt> </tt><tt> </tt><tt> 16 sudo ipa-server-install</tt><tt> </tt><tt> </tt><tt> </tt><tt> 17 kinit admin</tt><tt> </tt><tt> </tt><tt> </tt><tt> 18 firewall-cmd --permanent --add-service=ntp</tt><tt> </tt><tt> </tt><tt> </tt><tt> 19 firewall-cmd --permanent --add-service=http</tt><tt> </tt><tt> </tt><tt> </tt><tt> 20 firewall-cmd --permanent --add-service=https</tt><tt> </tt><tt> </tt><tt> </tt><tt> 21 firewall-cmd --permanent --add-service=ldap</tt><tt> </tt><tt> </tt><tt> </tt><tt> 22 firewall-cmd --permanent --add-service=ldaps</tt><tt> </tt><tt> </tt><tt> </tt><tt> 23 firewall-cmd --permanent --add-service=kerberos</tt><tt> </tt><tt> </tt><tt> </tt><tt> 24 firewall-cmd --permanent --add-service=kpasswd</tt><tt> </tt><tt> </tt><tt> </tt><tt> 26 sudo authconfig --enablemkhomedir --update</tt><tt> </tt><tt> </tt><tt> </tt><tt> 27 sudo chkconfig sssd on</tt><tt> </tt><tt> </tt><tt> </tt><tt> 28 git config --global </tt><tt><a moz-do-not-send="true" href="http://user.name" target="_blank">user.name</a></tt><tt> "Joe Flynn"</tt><tt> </tt><tt> </tt><tt> </tt><tt> 29 git config --global user.email "</tt><tt><a moz-do-not-send="true" href="mailto:jjflynn22@gmail.com" target="_blank">jjflynn22@gmail.com</a></tt><tt>"</tt><tt> </tt><tt> </tt><tt> </tt><tt> 30 mkdir ~/.ssh</tt><tt> </tt><tt> </tt><tt> </tt><tt> 31 cd ~/.ssh</tt><tt> </tt><tt> </tt><tt> </tt><tt> 32 vi id_rsa</tt><tt> </tt><tt> </tt><tt> </tt><tt> 33 vi id_rsa.pub</tt><tt> </tt><tt> </tt><tt> </tt><tt> 34 chmod 700 ~/.ssh</tt><tt> </tt><tt> </tt><tt> </tt><tt> 35 chmod 600 ~/.ssh/*</tt><tt> </tt><tt> </tt><tt> </tt><tt> 36 ssh-add ~/.ssh/id_rsa</tt><tt> </tt><tt> </tt><tt> </tt><tt> 37 sudo yum install -y letsencrypt</tt><tt> </tt><tt> </tt><tt> </tt><tt> 38 sudo cp -r /etc/httpd/alias /etc/httpd/alias_backup</tt><tt> </tt><tt> </tt><tt> </tt><tt> 39 cd ~</tt><tt> </tt><tt> </tt><tt> </tt><tt> 40 git clone </tt><tt><a moz-do-not-send="true" href="https://github.com/freeipa/freeipa-letsencrypt.git" target="_blank">https://github.com/freeipa/freeipa-letsencrypt.git</a></tt><tt> </tt><tt> </tt><tt> </tt><tt> 41 sudo cp -r freeipa-letsencrypt /root/ipa-le </tt><tt> </tt><tt> </tt><tt> </tt><tt> 42 sudo vi /root/ipa-le/renew-le.sh</tt><tt> </tt><tt> </tt><tt> </tt><tt> 43 sudo yum install -y dnf</tt><tt> </tt><tt> </tt><tt> </tt><tt> 44 sudo yum remove -y epel-release</tt><tt> </tt><tt> </tt><tt> </tt><tt> 45 sudo dnf repolist</tt><tt> </tt><tt> </tt><tt> </tt><tt> 46 sudo /root/ipa-le/setup-le.sh</tt><tt> </tt><tt> </tt><tt> </tt><tt> 47 history</tt><tt> </tt> </div> <div><tt> </tt> <tt> </tt> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><tt> [jjflynn22@ipa-1 ~]$ sudo visudo [sudo] password for jjflynn22: [jjflynn22@ipa-1 ~]$ sudo yum install epel-release -y Loaded plugins: fastestmirror, langpacks base | 3.6 kB 00:00:00 extras | 3.4 kB 00:00:00 updates | 3.4 kB 00:00:00 Loading mirror speeds from cached hostfile * base: <a moz-do-not-send="true" href="http://repo1.ash.innoscale.net" target="_blank">repo1.ash.innoscale.net</a> * extras: <a moz-do-not-send="true" href="http://mirrors.advancedhosters.com" target="_blank">mirrors.advancedhosters.com</a> * updates: <a moz-do-not-send="true" href="http://mirror.cs.vt.edu" target="_blank">mirror.cs.vt.edu</a> Resolving Dependencies --> Running transaction check ---> Package epel-release.noarch 0:7-6 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================= Package Arch Version Repository Size ============================================================================================================================= Installing: epel-release noarch 7-6 extras 14 k Transaction Summary ============================================================================================================================= Install 1 Package Total download size: 14 k Installed size: 24 k Downloading packages: epel-release-7-6.noarch.rpm | 14 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : epel-release-7-6.noarch 1/1 Verifying : epel-release-7-6.noarch 1/1 Installed: epel-release.noarch 0:7-6 Complete! [jjflynn22@ipa-1 ~]$ sudo yum install -y haveged Loaded plugins: fastestmirror, langpacks epel/x86_64/metalink | 13 kB 00:00:00 epel | 4.3 kB 00:00:00 (1/3): epel/x86_64/updateinfo | 676 kB 00:00:00 (2/3): epel/x86_64/group_gz | 170 kB 00:00:00 (3/3): epel/x86_64/primary_db | 4.4 MB 00:00:01 Loading mirror speeds from cached hostfile * base: <a moz-do-not-send="true" href="http://repo1.ash.innoscale.net" target="_blank">repo1.ash.innoscale.net</a> * epel: <a moz-do-not-send="true" href="http://ftp.osuosl.org" target="_blank">ftp.osuosl.org</a> * extras: <a moz-do-not-send="true" href="http://mirror.fusioncloud.co" target="_blank">mirror.fusioncloud.co</a> * updates: <a moz-do-not-send="true" href="http://ftp.osuosl.org" target="_blank">ftp.osuosl.org</a> Resolving Dependencies --> Running transaction check ---> Package haveged.x86_64 0:1.9.1-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================= Package Arch Version Repository Size ============================================================================================================================= Installing: haveged x86_64 1.9.1-1.el7 epel 61 k Transaction Summary ============================================================================================================================= Install 1 Package Total download size: 61 k Installed size: 181 k Downloading packages: warning: /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed haveged-1.9.1-1.el7.x86_64.rpm | 61 kB 00:00:00 Retrieving key from <a moz-do-not-send="true" class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-txt-link-freetext">file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7</a> Importing GPG key 0x352C64E5: Userid : "Fedora EPEL (7) <<a moz-do-not-send="true" href="mailto:epel@fedoraproject.org" target="_blank">epel@fedoraproject.org</a>>" Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5 Package : epel-release-7-6.noarch (@extras) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : haveged-1.9.1-1.el7.x86_64 1/1 Verifying : haveged-1.9.1-1.el7.x86_64 1/1 Installed: haveged.x86_64 0:1.9.1-1.el7 Complete! [jjflynn22@ipa-1 ~]$ sudo systemctl start haveged.service [jjflynn22@ipa-1 ~]$ [jjflynn22@ipa-1 ~]$ [jjflynn22@ipa-1 ~]$ [jjflynn22@ipa-1 ~]$ [jjflynn22@ipa-1 ~]$ sudo ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) To accept the default shown in brackets, press the Enter key. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Do you want to configure integrated DNS (BIND)? [no]: Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: <a moz-do-not-send="true" href="http://master.example.com" target="_blank">master.example.com</a>. Server host name [<a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a>]: The domain name has been determined based on the host name. Please confirm the domain name [<a moz-do-not-send="true" href="http://kkgpitt.org" target="_blank">kkgpitt.org</a>]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a>]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): The IPA Master Server will be configured with: Hostname: <a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a> IP address(es): 192.168.1.201 Domain name: <a moz-do-not-send="true" href="http://kkgpitt.org" target="_blank">kkgpitt.org</a> Realm name: <a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/42]: creating directory server user [2/42]: creating directory server instance [3/42]: adding default schema [4/42]: enabling memberof plugin [5/42]: enabling winsync plugin [6/42]: configuring replication version plugin [7/42]: enabling IPA enrollment plugin [8/42]: enabling ldapi [9/42]: configuring uniqueness plugin [10/42]: configuring uuid plugin [11/42]: configuring modrdn plugin [12/42]: configuring DNS plugin [13/42]: enabling entryUSN plugin [14/42]: configuring lockout plugin [15/42]: creating indices [16/42]: enabling referential integrity plugin [17/42]: configuring certmap.conf [18/42]: configure autobind for root [19/42]: configure new location for managed entries [20/42]: configure dirsrv ccache [21/42]: enable SASL mapping fallback [22/42]: restarting directory server [23/42]: adding default layout [24/42]: adding delegation layout [25/42]: creating container for managed entries [26/42]: configuring user private groups [27/42]: configuring netgroups from hostgroups [28/42]: creating default Sudo bind user [29/42]: creating default Auto Member layout [30/42]: adding range check plugin [31/42]: creating default HBAC rule allow_all [32/42]: adding entries for topology management [33/42]: initializing group membership [34/42]: adding master entry [35/42]: initializing domain level [36/42]: configuring Posix uid/gid generation [37/42]: adding replication acis [38/42]: enabling compatibility plugin [39/42]: activating sidgen plugin [40/42]: activating extdom plugin [41/42]: tuning directory server [42/42]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [1/28]: creating certificate server user [2/28]: configuring certificate server instance [3/28]: stopping certificate server instance to update CS.cfg [4/28]: backing up CS.cfg [5/28]: disabling nonces [6/28]: set up CRL publishing [7/28]: enable PKIX certificate path discovery and validation [8/28]: starting certificate server instance [9/28]: creating RA agent certificate database [10/28]: importing CA chain to RA certificate database [11/28]: fixing RA database permissions [12/28]: setting up signing cert profile [13/28]: setting audit signing renewal to 2 years [14/28]: restarting certificate server [15/28]: requesting RA certificate from CA [16/28]: issuing RA agent certificate [17/28]: adding RA agent as a trusted user [18/28]: authorizing RA to modify profiles [19/28]: configure certmonger for renewals [20/28]: configure certificate renewals [21/28]: configure RA certificate renewal [22/28]: configure Server-Cert certificate renewal [23/28]: Configure HTTP to proxy connections [24/28]: restarting certificate server [25/28]: migrating certificate profiles to LDAP [26/28]: importing IPA certificate profiles [27/28]: adding default CA ACL [28/28]: updating IPA configuration Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv). Estimated time: 10 seconds [1/3]: configuring ssl for ds instance [2/3]: restarting directory server [3/3]: adding CA certificate entry Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Configuring the web interface (httpd). Estimated time: 1 minute [1/19]: setting mod_nss port to 443 [2/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [3/19]: setting mod_nss password file [4/19]: enabling mod_nss renegotiate [5/19]: adding URL rewriting rules [6/19]: configuring httpd [7/19]: configure certmonger for renewals [8/19]: setting up ssl [9/19]: importing CA certificates from LDAP [10/19]: setting up browser autoconfig [11/19]: publish CA cert [12/19]: creating a keytab for httpd [13/19]: clean up any existing httpd ccache [14/19]: configuring SELinux for httpd [15/19]: create KDC proxy user [16/19]: create KDC proxy config [17/19]: enable KDC proxy [18/19]: restarting httpd [19/19]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Upgrading IPA: [1/9]: stopping directory server [2/9]: saving configuration [3/9]: disabling listeners [4/9]: enabling DS global lock [5/9]: starting directory server [6/9]: upgrading server [7/9]: stopping directory server [8/9]: restoring configuration [9/9]: starting directory server Done. Restarting the directory server Restarting the KDC Sample zone file for bind has been created in /tmp/sample.zone.Yjwpca.db Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password [jjflynn22@ipa-1 ~]$ kinit admin Password for <a moz-do-not-send="true" href="mailto:admin@KKGPITT.ORG" target="_blank">admin@KKGPITT.ORG</a>: [jjflynn22@ipa-1 ~]$ firewall-cmd --permanent --add-service=ntp success [jjflynn22@ipa-1 ~]$ firewall-cmd --permanent --add-service=http success [jjflynn22@ipa-1 ~]$ firewall-cmd --permanent --add-service=https success [jjflynn22@ipa-1 ~]$ firewall-cmd --permanent --add-service=ldap success [jjflynn22@ipa-1 ~]$ firewall-cmd --permanent --add-service=ldaps success [jjflynn22@ipa-1 ~]$ firewall-cmd --permanent --add-service=kerberos success [jjflynn22@ipa-1 ~]$ firewall-cmd --permanent --add-service=kpasswd success [jjflynn22@ipa-1 ~]$ sudo authconfig --enablemkhomedir --update [jjflynn22@ipa-1 ~]$ sudo chkconfig sssd on Note: Forwarding request to 'systemctl enable sssd.service'. [jjflynn22@ipa-1 ~]$ git config --global <a moz-do-not-send="true" href="http://user.name" target="_blank">user.name</a> "Joe Flynn" [jjflynn22@ipa-1 ~]$ git config --global user.email "<a moz-do-not-send="true" href="mailto:jjflynn22@gmail.com" target="_blank">jjflynn22@gmail.com</a>" [jjflynn22@ipa-1 ~]$ mkdir ~/.ssh [jjflynn22@ipa-1 ~]$ cd ~/.ssh [jjflynn22@ipa-1 .ssh]$ vi id_rsa [jjflynn22@ipa-1 .ssh]$ vi id_rsa.pub [jjflynn22@ipa-1 .ssh]$ chmod 700 ~/.ssh [jjflynn22@ipa-1 .ssh]$ chmod 600 ~/.ssh/* [jjflynn22@ipa-1 .ssh]$ ssh-add ~/.ssh/id_rsa Identity added: /home/jjflynn22/.ssh/id_rsa (/home/jjflynn22/.ssh/id_rsa) [jjflynn22@ipa-1 .ssh]$ sudo yum install -y letsencrypt Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: <a moz-do-not-send="true" href="http://repo1.ash.innoscale.net" target="_blank">repo1.ash.innoscale.net</a> * epel: <a moz-do-not-send="true" href="http://mirror.cogentco.com" target="_blank">mirror.cogentco.com</a> * extras: <a moz-do-not-send="true" href="http://chicago.gaminghost.co" target="_blank">chicago.gaminghost.co</a> * updates: <a moz-do-not-send="true" href="http://mirror.cs.vt.edu" target="_blank">mirror.cs.vt.edu</a> Resolving Dependencies --> Running transaction check ---> Package certbot.noarch 0:0.9.3-1.el7 will be installed --> Processing Dependency: python2-certbot = 0.9.3-1.el7 for package: certbot-0.9.3-1.el7.noarch --> Running transaction check ---> Package python2-certbot.noarch 0:0.9.3-1.el7 will be installed --> Processing Dependency: python2-acme = 0.9.3 for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Processing Dependency: python2-dialog >= 3.3.0 for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Processing Dependency: python2-configargparse >= 0.10.0 for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Processing Dependency: python-psutil >= 2.1.0 for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Processing Dependency: python-zope-interface for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Processing Dependency: python-zope-component for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Processing Dependency: python-parsedatetime for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Processing Dependency: python-mock for package: <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch --> Running transaction check ---> Package python-parsedatetime.noarch 0:1.5-3.el7 will be installed ---> Package python-psutil.x86_64 0:2.2.1-1.el7 will be installed ---> Package python-zope-component.noarch 1:4.1.0-1.el7 will be installed --> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-1.el7.noarch ---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed ---> Package python2-acme.noarch 0:0.9.3-1.el7 will be installed --> Processing Dependency: python-pyrfc3339 for package: python2-acme-0.9.3-1.el7.noarch --> Processing Dependency: python-ndg_httpsclient for package: python2-acme-0.9.3-1.el7.noarch ---> Package python2-configargparse.noarch 0:0.10.0-1.el7 will be installed ---> Package python2-dialog.noarch 0:3.3.0-6.el7 will be installed --> Processing Dependency: dialog for package: python2-dialog-3.3.0-6.el7.noarch ---> Package python2-mock.noarch 0:1.0.1-9.el7 will be installed --> Running transaction check ---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed ---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed ---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed ---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================= Package Arch Version Repository Size ============================================================================================================================= Installing: certbot noarch 0.9.3-1.el7 epel 16 k Installing for dependencies: dialog x86_64 1.2-4.20130523.el7 base 208 k python-ndg_httpsclient noarch 0.3.2-1.el7 epel 43 k python-parsedatetime noarch 1.5-3.el7 epel 61 k python-psutil x86_64 2.2.1-1.el7 epel 114 k python-zope-component noarch 1:4.1.0-1.el7 epel 110 k python-zope-event noarch 4.0.3-2.el7 epel 79 k python-zope-interface x86_64 4.0.5-4.el7 base 138 k python2-acme noarch 0.9.3-1.el7 epel 168 k python2-certbot noarch 0.9.3-1.el7 epel 361 k python2-configargparse noarch 0.10.0-1.el7 epel 28 k python2-dialog noarch 3.3.0-6.el7 epel 94 k python2-mock noarch 1.0.1-9.el7 epel 92 k python2-pyrfc3339 noarch 1.0-2.el7 epel 13 k Transaction Summary ============================================================================================================================= Install 1 Package (+13 Dependent packages) Total download size: 1.5 M Installed size: 6.3 M Downloading packages: (1/14): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm | 43 kB 00:00:00 (2/14): dialog-1.2-4.20130523.el7.x86_64.rpm | 208 kB 00:00:00 (3/14): certbot-0.9.3-1.el7.noarch.rpm | 16 kB 00:00:00 (4/14): python-parsedatetime-1.5-3.el7.noarch.rpm | 61 kB 00:00:00 (5/14): python-psutil-2.2.1-1.el7.x86_64.rpm | 114 kB 00:00:00 (6/14): python-zope-component-4.1.0-1.el7.noarch.rpm | 110 kB 00:00:00 (7/14): python-zope-interface-4.0.5-4.el7.x86_64.rpm | 138 kB 00:00:00 (8/14): python-zope-event-4.0.3-2.el7.noarch.rpm | 79 kB 00:00:00 (9/14): <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch.rpm | 361 kB 00:00:00 (10/14): python2-configargparse-0.10.0-1.el7.noarch.rpm | 28 kB 00:00:00 (11/14): python2-acme-0.9.3-1.el7.noarch.rpm | 168 kB 00:00:00 (12/14): python2-dialog-3.3.0-6.el7.noarch.rpm | 94 kB 00:00:00 (13/14): <a moz-do-not-send="true" href="http://python2-pyrfc3339-1.0-2.el7.no" target="_blank">python2-pyrfc3339-1.0-2.el7.no</a>arch.rpm | 13 kB 00:00:00 (14/14): python2-mock-1.0.1-9.el7.noarch.rpm | 92 kB 00:00:00 ----------------------------------------------------------------------------------------------------------------------------- Total 1.3 MB/s | 1.5 MB 00:00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : python-zope-interface-4.0.5-4.el7.x86_64 1/14 Installing : python2-mock-1.0.1-9.el7.noarch 2/14 Installing : python-parsedatetime-1.5-3.el7.noarch 3/14 Installing : python-psutil-2.2.1-1.el7.x86_64 4/14 Installing : python-zope-event-4.0.3-2.el7.noarch 5/14 Installing : 1:python-zope-component-4.1.0-1.el7.noarch 6/14 Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch 7/14 Installing : <a moz-do-not-send="true" href="http://python2-pyrfc3339-1.0-2.el7.no" target="_blank">python2-pyrfc3339-1.0-2.el7.no</a>arch 8/14 Installing : python2-acme-0.9.3-1.el7.noarch 9/14 Installing : python2-configargparse-0.10.0-1.el7.noarch 10/14 Installing : dialog-1.2-4.20130523.el7.x86_64 11/14 Installing : python2-dialog-3.3.0-6.el7.noarch 12/14 Installing : <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch 13/14 Installing : certbot-0.9.3-1.el7.noarch 14/14 Verifying : dialog-1.2-4.20130523.el7.x86_64 1/14 Verifying : certbot-0.9.3-1.el7.noarch 2/14 Verifying : python2-configargparse-0.10.0-1.el7.noarch 3/14 Verifying : <a moz-do-not-send="true" href="http://python2-pyrfc3339-1.0-2.el7.no" target="_blank">python2-pyrfc3339-1.0-2.el7.no</a>arch 4/14 Verifying : python-zope-interface-4.0.5-4.el7.x86_64 5/14 Verifying : python-ndg_httpsclient-0.3.2-1.el7.noarch 6/14 Verifying : python-zope-event-4.0.3-2.el7.noarch 7/14 Verifying : python-psutil-2.2.1-1.el7.x86_64 8/14 Verifying : python2-acme-0.9.3-1.el7.noarch 9/14 Verifying : python2-dialog-3.3.0-6.el7.noarch 10/14 Verifying : 1:python-zope-component-4.1.0-1.el7.noarch 11/14 Verifying : python-parsedatetime-1.5-3.el7.noarch 12/14 Verifying : <a moz-do-not-send="true" href="http://python2-certbot-0.9.3-1.el7.no" target="_blank">python2-certbot-0.9.3-1.el7.no</a>arch 13/14 Verifying : python2-mock-1.0.1-9.el7.noarch 14/14 Installed: certbot.noarch 0:0.9.3-1.el7 Dependency Installed: dialog.x86_64 0:1.2-4.20130523.el7 python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python-parsedatetime.noarch 0:1.5-3.el7 python-psutil.x86_64 0:2.2.1-1.el7 python-zope-component.noarch 1:4.1.0-1.el7 python-zope-event.noarch 0:4.0.3-2.el7 python-zope-interface.x86_64 0:4.0.5-4.el7 python2-acme.noarch 0:0.9.3-1.el7 python2-certbot.noarch 0:0.9.3-1.el7 python2-configargparse.noarch 0:0.10.0-1.el7 python2-dialog.noarch 0:3.3.0-6.el7 python2-mock.noarch 0:1.0.1-9.el7 python2-pyrfc3339.noarch 0:1.0-2.el7 Complete! [jjflynn22@ipa-1 .ssh]$ [jjflynn22@ipa-1 .ssh]$ [jjflynn22@ipa-1 .ssh]$ sudo cp -r /etc/httpd/alias /etc/httpd/alias_backup [jjflynn22@ipa-1 .ssh]$ cd ~ [jjflynn22@ipa-1 ~]$ git clone <a moz-do-not-send="true" href="https://github.com/freeipa/freeipa-letsencrypt.git" target="_blank">https://github.com/freeipa/freeipa-letsencrypt.git</a> Cloning into 'freeipa-letsencrypt'... remote: Counting objects: 45, done. remote: Compressing objects: 100% (4/4), done. remote: Total 45 (delta 0), reused 0 (delta 0), pack-reused 41 Unpacking objects: 100% (45/45), done. [jjflynn22@ipa-1 ~]$ sudo cp -r freeipa-letsencrypt /root/ipa-le [jjflynn22@ipa-1 ~]$ sudo vi /root/ipa-le/renew-le.sh [jjflynn22@ipa-1 ~]$ sudo yum install -y dnf Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: <a moz-do-not-send="true" href="http://repo1.ash.innoscale.net" target="_blank">repo1.ash.innoscale.net</a> * epel: <a moz-do-not-send="true" href="http://mirror.cogentco.com" target="_blank">mirror.cogentco.com</a> * extras: <a moz-do-not-send="true" href="http://mirrors.advancedhosters.com" target="_blank">mirrors.advancedhosters.com</a> * updates: <a moz-do-not-send="true" href="http://mirror.cs.vt.edu" target="_blank">mirror.cs.vt.edu</a> Resolving Dependencies --> Running transaction check ---> Package dnf.noarch 0:0.6.4-2.el7 will be installed --> Processing Dependency: python-dnf = 0.6.4-2.el7 for package: dnf-0.6.4-2.el7.noarch --> Running transaction check ---> Package python-dnf.noarch 0:0.6.4-2.el7 will be installed --> Processing Dependency: dnf-conf = 0.6.4-2.el7 for package: python-dnf-0.6.4-2.el7.noarch --> Processing Dependency: python-librepo >= 1.7.5 for package: python-dnf-0.6.4-2.el7.noarch --> Processing Dependency: python-libcomps >= 0.1.6 for package: python-dnf-0.6.4-2.el7.noarch --> Processing Dependency: python-hawkey >= 0.5.3 for package: python-dnf-0.6.4-2.el7.noarch --> Running transaction check ---> Package dnf-conf.noarch 0:0.6.4-2.el7 will be installed ---> Package python-hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 will be installed --> Processing Dependency: hawkey(x86-64) = 0.5.8-2.git.0.202b194.el7 for package: python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 --> Processing Dependency: libsolv.so.0(SOLV_1.0)(64bit) for package: python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 --> Processing Dependency: libsolv.so.0()(64bit) for package: python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 --> Processing Dependency: libhawkey.so.2()(64bit) for package: python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 ---> Package python-libcomps.x86_64 0:0.1.6-13.el7 will be installed --> Processing Dependency: libcomps(x86-64) = 0.1.6-13.el7 for package: python-libcomps-0.1.6-13.el7.x86_64 --> Processing Dependency: libcomps.so.0.1.6()(64bit) for package: python-libcomps-0.1.6-13.el7.x86_64 ---> Package python-librepo.x86_64 0:1.7.16-1.el7 will be installed --> Processing Dependency: librepo(x86-64) = 1.7.16-1.el7 for package: python-librepo-1.7.16-1.el7.x86_64 --> Processing Dependency: librepo.so.0()(64bit) for package: python-librepo-1.7.16-1.el7.x86_64 --> Running transaction check ---> Package hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 will be installed ---> Package libcomps.x86_64 0:0.1.6-13.el7 will be installed ---> Package librepo.x86_64 0:1.7.16-1.el7 will be installed ---> Package libsolv.x86_64 0:0.6.11-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================= Package Arch Version Repository Size ============================================================================================================================= Installing: dnf noarch 0.6.4-2.el7 epel 209 k Installing for dependencies: dnf-conf noarch 0.6.4-2.el7 epel 61 k hawkey x86_64 0.5.8-2.git.0.202b194.el7 base 87 k libcomps x86_64 0.1.6-13.el7 epel 72 k librepo x86_64 1.7.16-1.el7 base 77 k libsolv x86_64 0.6.11-1.el7 base 316 k python-dnf noarch 0.6.4-2.el7 epel 407 k python-hawkey x86_64 0.5.8-2.git.0.202b194.el7 base 71 k python-libcomps x86_64 0.1.6-13.el7 epel 44 k python-librepo x86_64 1.7.16-1.el7 base 49 k Transaction Summary ============================================================================================================================= Install 1 Package (+9 Dependent packages) Total download size: 1.4 M Installed size: 4.1 M Downloading packages: (1/10): hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm | 87 kB 00:00:00 (2/10): dnf-conf-0.6.4-2.el7.noarch.rpm | 61 kB 00:00:00 (3/10): dnf-0.6.4-2.el7.noarch.rpm | 209 kB 00:00:00 (4/10): librepo-1.7.16-1.el7.x86_64.rpm | 77 kB 00:00:00 (5/10): libcomps-0.1.6-13.el7.x86_64.rpm | 72 kB 00:00:00 (6/10): python-librepo-1.7.16-1.el7.x86_64.rpm | 49 kB 00:00:00 (7/10): python-libcomps-0.1.6-13.el7.x86_64.rpm | 44 kB 00:00:00 (8/10): python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64.rpm | 71 kB 00:00:00 (9/10): python-dnf-0.6.4-2.el7.noarch.rpm | 407 kB 00:00:00 (10/10): libsolv-0.6.11-1.el7.x86_64.rpm | 316 kB 00:00:00 ----------------------------------------------------------------------------------------------------------------------------- Total 1.4 MB/s | 1.4 MB 00:00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : libsolv-0.6.11-1.el7.x86_64 1/10 Installing : hawkey-0.5.8-2.git.0.202b194.el7.x86_64 2/10 Installing : python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 3/10 Installing : dnf-conf-0.6.4-2.el7.noarch 4/10 Installing : libcomps-0.1.6-13.el7.x86_64 5/10 Installing : python-libcomps-0.1.6-13.el7.x86_64 6/10 Installing : librepo-1.7.16-1.el7.x86_64 7/10 Installing : python-librepo-1.7.16-1.el7.x86_64 8/10 Installing : python-dnf-0.6.4-2.el7.noarch 9/10 Installing : dnf-0.6.4-2.el7.noarch 10/10 Verifying : librepo-1.7.16-1.el7.x86_64 1/10 Verifying : python-libcomps-0.1.6-13.el7.x86_64 2/10 Verifying : python-hawkey-0.5.8-2.git.0.202b194.el7.x86_64 3/10 Verifying : python-librepo-1.7.16-1.el7.x86_64 4/10 Verifying : python-dnf-0.6.4-2.el7.noarch 5/10 Verifying : libcomps-0.1.6-13.el7.x86_64 6/10 Verifying : hawkey-0.5.8-2.git.0.202b194.el7.x86_64 7/10 Verifying : dnf-conf-0.6.4-2.el7.noarch 8/10 Verifying : dnf-0.6.4-2.el7.noarch 9/10 Verifying : libsolv-0.6.11-1.el7.x86_64 10/10 Installed: dnf.noarch 0:0.6.4-2.el7 Dependency Installed: dnf-conf.noarch 0:0.6.4-2.el7 hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 libcomps.x86_64 0:0.1.6-13.el7 librepo.x86_64 0:1.7.16-1.el7 libsolv.x86_64 0:0.6.11-1.el7 python-dnf.noarch 0:0.6.4-2.el7 python-hawkey.x86_64 0:0.5.8-2.git.0.202b194.el7 python-libcomps.x86_64 0:0.1.6-13.el7 python-librepo.x86_64 0:1.7.16-1.el7 Complete! [jjflynn22@ipa-1 ~]$ sudo yum remove -y epel-release Loaded plugins: fastestmirror, langpacks Resolving Dependencies --> Running transaction check ---> Package epel-release.noarch 0:7-6 will be erased --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================= Package Arch Version Repository Size ============================================================================================================================= Removing: epel-release noarch 7-6 @extras 24 k Transaction Summary ============================================================================================================================= Remove 1 Package Installed size: 24 k Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Erasing : epel-release-7-6.noarch 1/1 Verifying : epel-release-7-6.noarch 1/1 Removed: epel-release.noarch 0:7-6 Complete! [jjflynn22@ipa-1 ~]$ sudo dnf repolist CentOS-7 - Base 8.4 MB/s | 8.8 MB 00:01 CentOS-7 - Updates 4.5 MB/s | 12 MB 00:02 CentOS-7 - Extras 1.9 MB/s | 569 kB 00:00 Using metadata from Sun Dec 4 18:06:04 2016 repo id repo name status base CentOS-7 - Base 9,007 extras CentOS-7 - Extras 393 updates CentOS-7 - Updates 2,560 [jjflynn22@ipa-1 ~]$ sudo /root/ipa-le/setup-le.sh Using metadata from Sun Dec 4 18:06:04 2016 Package certbot-0.9.3-1.el7.noarch is already installed, skipping. Dependencies resolved. Nothing to do. Directory Manager password: Installing CA certificate, please wait CA certificate successfully installed The ipa-cacert-manage command was successful ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' ipa: DEBUG: importing all plugin modules in ipalib.plugins... ipa: DEBUG: importing plugin module ipalib.plugins.aci ipa: DEBUG: importing plugin module ipalib.plugins.automember ipa: DEBUG: importing plugin module ipalib.plugins.automount ipa: DEBUG: importing plugin module ipalib.plugins.baseldap ipa: DEBUG: importing plugin module ipalib.plugins.baseuser ipa: DEBUG: importing plugin module ipalib.plugins.batch ipa: DEBUG: importing plugin module ipalib.plugins.caacl ipa: DEBUG: importing plugin module ipalib.plugins.cert ipa: DEBUG: importing plugin module ipalib.plugins.certprofile ipa: DEBUG: importing plugin module ipalib.plugins.config ipa: DEBUG: importing plugin module ipalib.plugins.delegation ipa: DEBUG: importing plugin module ipalib.plugins.dns ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel ipa: DEBUG: importing plugin module ipalib.plugins.group ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup ipa: DEBUG: importing plugin module ipalib.plugins.hbactest ipa: DEBUG: importing plugin module ipalib.plugins.host ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup ipa: DEBUG: importing plugin module ipalib.plugins.idrange ipa: DEBUG: importing plugin module ipalib.plugins.idviews ipa: DEBUG: importing plugin module ipalib.plugins.internal ipa: DEBUG: importing plugin module ipalib.plugins.kerberos ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy ipa: DEBUG: importing plugin module ipalib.plugins.migration ipa: DEBUG: importing plugin module ipalib.plugins.misc ipa: DEBUG: importing plugin module ipalib.plugins.netgroup ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig ipa: DEBUG: importing plugin module ipalib.plugins.otptoken ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey ipa: DEBUG: importing plugin module ipalib.plugins.passwd ipa: DEBUG: importing plugin module ipalib.plugins.permission ipa: DEBUG: importing plugin module ipalib.plugins.ping ipa: DEBUG: importing plugin module ipalib.plugins.pkinit ipa: DEBUG: importing plugin module ipalib.plugins.privilege ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy ipa: DEBUG: Starting external process ipa: DEBUG: args='klist' '-V' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 ipa: DEBUG: stderr= ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains ipa: DEBUG: importing plugin module ipalib.plugins.role ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient ipa: DEBUG: importing plugin module ipalib.plugins.selfservice ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap ipa: DEBUG: importing plugin module ipalib.plugins.server ipa: DEBUG: importing plugin module ipalib.plugins.service ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation ipa: DEBUG: importing plugin module ipalib.plugins.session ipa: DEBUG: importing plugin module ipalib.plugins.stageuser ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup ipa: DEBUG: importing plugin module ipalib.plugins.sudorule ipa: DEBUG: importing plugin module ipalib.plugins.topology ipa: DEBUG: importing plugin module ipalib.plugins.trust ipa: DEBUG: importing plugin module ipalib.plugins.user ipa: DEBUG: importing plugin module ipalib.plugins.vault ipa: DEBUG: importing plugin module ipalib.plugins.virtual ipa: DEBUG: Initializing principal host/<a moz-do-not-send="true" href="mailto:ipa-1.kkgpitt.org@KKGPITT.ORG" target="_blank">ipa-1.kkgpitt.org@KKGPITT.ORG</a> using keytab /etc/krb5.keytab ipa: DEBUG: using ccache /tmp/tmp-zgrScg/ccache ipa: DEBUG: Attempt 1/1: success ipa: DEBUG: Starting external process ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/<a moz-do-not-send="true" href="mailto:ipa-1.kkgpitt.org@KKGPITT.ORG" target="_blank">ipa-1.kkgpitt.org@KKGPITT.ORG</a>' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=134111920 ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='keyctl' 'pipe' '134111920' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=<a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a>; Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13 GMT; Secure; HttpOnly ipa: DEBUG: stderr= ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: found session_cookie in persistent storage for principal 'host/<a moz-do-not-send="true" href="mailto:ipa-1.kkgpitt.org@KKGPITT.ORG" target="_blank">ipa-1.kkgpitt.org@KKGPITT.ORG</a>', cookie: 'ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=<a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a>; Path=/ipa; Expires=Sun, 04 Dec 2016 23:21:13 GMT; Secure; HttpOnly' ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: setting session_cookie into context 'ipa_session=59c01d94b52f0586e30046bd36ef93a5;' ipa.ipalib.plugins.rpcclient.rpcclient: INFO: trying <a moz-do-not-send="true" href="https://ipa-1.kkgpitt.org/ipa/session/json" target="_blank">https://ipa-1.kkgpitt.org/ipa/session/json</a> ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_71021840 ipa.ipalib.plugins.rpcclient.rpcclient: INFO: Forwarding 'ca_is_enabled' to json server '<a moz-do-not-send="true" href="https://ipa-1.kkgpitt.org/ipa/session/json" target="_blank">https://ipa-1.kkgpitt.org/ipa/session/json</a>' ipa: DEBUG: NSSConnection init <a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a> ipa: DEBUG: Connecting: <a moz-do-not-send="true" href="http://192.168.1.201:0" target="_blank">192.168.1.201:0</a> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server ipa: DEBUG: cert valid True for "CN=<a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a>,O=<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a>" ipa: DEBUG: handshake complete, peer = <a moz-do-not-send="true" href="http://192.168.1.201:443" target="_blank">192.168.1.201:443</a> ipa: DEBUG: Protocol: TLS1.2 ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_256_CBC_SHA ipa: DEBUG: received Set-Cookie 'ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=<a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a>; Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28 GMT; Secure; HttpOnly' ipa: DEBUG: storing cookie 'ipa_session=59c01d94b52f0586e30046bd36ef93a5; Domain=<a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org" target="_blank">ipa-1.kkgpitt.org</a>; Path=/ipa; Expires=Sun, 04 Dec 2016 23:26:28 GMT; Secure; HttpOnly' for principal host/<a moz-do-not-send="true" href="mailto:ipa-1.kkgpitt.org@KKGPITT.ORG" target="_blank">ipa-1.kkgpitt.org@KKGPITT.ORG</a> ipa: DEBUG: Starting external process ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/<a moz-do-not-send="true" href="mailto:ipa-1.kkgpitt.org@KKGPITT.ORG" target="_blank">ipa-1.kkgpitt.org@KKGPITT.ORG</a>' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=134111920 ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/<a moz-do-not-send="true" href="mailto:ipa-1.kkgpitt.org@KKGPITT.ORG" target="_blank">ipa-1.kkgpitt.org@KKGPITT.ORG</a>' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=134111920 ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='keyctl' 'pupdate' '134111920' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_71021840 ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing <a moz-do-not-send="true" class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-txt-link-freetext">ldap://</a><a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org:389" target="_blank">ipa-1.kkgpitt.org:389</a> from SchemaCache ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=<a moz-do-not-send="true" class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-txt-link-freetext">ldap://</a><a moz-do-not-send="true" href="http://ipa-1.kkgpitt.org:389" target="_blank">ipa-1.kkgpitt.org:389</a> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x42a2fc8> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-KKGPITT-ORG' '-A' '-n' '<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA' '-t' 'CT,C,C' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-KKGPITT-ORG' '-A' '-n' 'DSTRootCAX3' '-t' 'C,,' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/bin/systemctl' 'is-active' '<a moz-do-not-send="true" class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-txt-link-abbreviated" href="mailto:dirsrv@KKGPITT-ORG.service" target="_blank">dirsrv@KKGPITT-ORG.service</a>' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/bin/systemctl' '--system' 'daemon-reload' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/bin/systemctl' 'restart' '<a moz-do-not-send="true" class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-txt-link-abbreviated" href="mailto:dirsrv@KKGPITT-ORG.service" target="_blank">dirsrv@KKGPITT-ORG.service</a>' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/bin/systemctl' 'is-active' '<a moz-do-not-send="true" class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-txt-link-abbreviated" href="mailto:dirsrv@KKGPITT-ORG.service" target="_blank">dirsrv@KKGPITT-ORG.service</a>' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 300 ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n' '<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA' '-t' 'CT,C,C' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n' 'DSTRootCAX3' '-t' 'C,,' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/bin/systemctl' 'restart' 'httpd.service' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: resubmitting certmonger request '20161204225818' ipa: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1) ipa: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1) ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1) ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1) ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1) ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1) ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: modifying certmonger request '20161204225818' ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI <a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA CT,C,C ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' '<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA' '-a' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=-----BEGIN CERTIFICATE----- MIIDjTCCAnWgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtLS0dQ SVRULk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MTIw NDIyNTczNFoXDTM2MTIwNDIyNTczNFowNjEUMBIGA1UECgwLS0tHUElUVC5PUkcx HjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEB .</tt></blockquote> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div><tt>. </tt><tt> </tt> </div> </blockquote> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><tt>BYuURWnoNBd110T0HFOnMOmN5ycnsMvCwCdUFuFKCsjNjCm5/oUCsWSVlad2bzlj 7gvnv3d6YmXwTzpOlOHpMu/S7y+JU5ErM9fp97R/vUvBz/7CM0MOKBgXMvfKTu6X PTROdl8lKofxA6TMvM+du020+o79dami0hWV/3cRN386huTDcWVn9gbud6hxX8U5 StsgHtJLlrm4tjLk8+S5VTDu9Y6EX7OsEX51RHwtrfNjEYdCa68AM2/slxdgf+5S IQ== -----END CERTIFICATE----- ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-D' '-n' '<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' '<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA' '-a' ipa: DEBUG: Process finished, return code=255 ipa: DEBUG: stdout= ipa: DEBUG: stderr=certutil: Could not find cert: <a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n' 'IPA CA' '-a' ipa: DEBUG: Process finished, return code=255 ipa: DEBUG: stdout= ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n' 'External CA cert' '-a' ipa: DEBUG: Process finished, return code=255 ipa: DEBUG: stdout= ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' '<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA' '-t' 'CT,C,C' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'DSTRootCAX3' '-t' 'C,,' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' '<a moz-do-not-send="true" href="http://KKGPITT.ORG" target="_blank">KKGPITT.ORG</a> IPA CA' '-t' 'CT,C,C' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'DSTRootCAX3' '-t' 'C,,' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/update-ca-trust' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: INFO: Systemwide CA database updated. ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/update-ca-trust' ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: INFO: Systemwide CA database updated. ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command was successful Directory Manager password: Installing CA certificate, please wait Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit <a moz-do-not-send="true" href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a> for troubleshooting guide) [jjflynn22@ipa-1 ~]$ </tt><tt> </tt> <tt> </tt><tt> </tt><tt> </tt><tt> </tt><tt> </tt> </blockquote> </div> </div> <tt> </tt> <fieldset class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002mimeAttachmentHeader"></fieldset> <tt> </tt> </blockquote> <tt>Hi,</tt><tt> </tt> <tt> </tt> <tt> you seem to have an issue when the LetsEncryptAuthorityX3 is being installed. The certificate from the CA that issued this certificate (DSTRootCAX3) seems to be installed correctly. Could you verify that DSTRootCAX3 is marked as trusted CA by issuing:</tt><tt> </tt> <tt> </tt> <tt> certutil -d /etc/httpd/alias/ -L</tt><tt> </tt> <tt> </tt> <tt> The DSTRoootCAX3 should have C,, trust flags.</tt><tt> </tt> <tt> </tt> <tt> There was an issue fixed last week that might caused this issue if you've ever tried to install letsencrypt on this particular VM before: </tt><tt><a moz-do-not-send="true" class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-txt-link-freetext" href="https://github.com/freeipa/freeipa-letsencrypt/issues/1#issuecomment-263546822" target="_blank">https://github.com/freeipa/freeipa-letsencrypt/issues/1#issuecomment-263546822</a></tt><tt> If that's the case, you will need to re-install IPA before the letsencrypt solution will work.</tt><tt> </tt> <tt> </tt> <tt> I was not able to reproduce your issue with a clean machine.</tt><tt> <pre class="gmail-m_-6303702116913931506m_-7715533103486156359m_3115846549128372002moz-signature" cols="72">-- Tomas Krizek</pre> </tt></div> <tt> </tt></blockquote> <tt> </tt></div> <tt> </tt></div> <tt> </tt></blockquote> <tt> </tt></div> <tt> </tt></div> <tt> </tt></blockquote> <tt> <pre class="gmail-m_-6303702116913931506moz-signature" cols="72">-- Tomas Krizek</pre> </tt></div> </blockquote> </div> <tt> </tt></div> </div> </blockquote> <tt> </tt> <pre class="moz-signature" cols="72">-- Tomas Krizek</pre> </body> </html>