KDC Self Signed Certificate Creation
by Mark Selby
My company has 6 FreeIPA servers across 3 different locations. Five of the six servers are OK, but one we could not log in to. The error messages pointed to the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`.
My question is how do I "properly" renew or recreate this certificate. I have been able to renew it with the command listed below, but the renewed cert does not have the same characteristics as the other certs. The existing ones all seem to be self-signed with the specified profile, while my new one does not have these features. It seems to be working OK, but it would be great to understand how to generate this cert correctly. Any help is greatly appreciated.
The servers that work all display the following when using getcert list -f /var/kerberos/krb5kdc/kdc.crt
Request ID '20191003181545':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
expires: 2022-08-09 22:06:33 UTC
principal name: krbtgt/ACME.ORG@ACME.ORG
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Using the local-getcert start-tracking command below gets me an updated cert, but it is not self-signed and does not have the specified profile.
local-getcert start-tracking \
-k /var/kerberos/krb5kdc/kdc.key \
-f /var/kerberos/krb5kdc/kdc.crt \
-T KDCs_PKINIT_Certs \
-C /usr/libexec/ipa/certmonger/renew_kdc_cert
Request ID '20220117193849':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: local
issuer: CN=Certificate Authority,O=ACME.ORG
subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
expires: 2024-01-18 17:32:20 UTC
principal name: krbtgt/ACME.ORG@ACME.ORG
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
13 hours, 23 minutes
FreeIPA on CentOS CA_UNREACHABLE Error - kerberos
by girish f
We have one new customer; they have a setup of one single node of IPA on CentOS.
Their certificate is expired, and everything went down.
When we are trying to bring services up,
pki_tomcatd is not starting. Another thing is,
when we run the command > ipactl-getcerts list
one of the certificates is showing CA_Unreachable and getting the error:
/var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key
Created new certificate and CA -> it loads certificate, new dates it shows but still says CA unreachable.
13 hours, 36 minutes
ipa-ca-install failed
by Satish Patel
Folks,
Trying to deploy CA on a replica node and failed here without any
information. Can I restart the process again? Even log directories are
empty /var/log/pki/pki-tomcat
My OS is RockyLinux 8.9 and the Master CA is running on CentOS 7.x
[root@ldap-vx-010103-3 ~]# ipa-ca-install
Directory Manager (existing master) password:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: creating certificate server db
[2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 161 seconds elapsed
Update succeeded
[3/28]: creating ACIs for admin
[4/28]: creating installation admin user
[5/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
1 day, 9 hours
Remove bad replica nodes from list
by Satish Patel
Folks,
I am trying to build some replicas and somehow they failed but because they
are half baked they are stuck in master nodes and not letting me remove
them. I have tried all the options and don't know how to get rid of them.
I want to remove ldap-vx-010103-1.site5.example.com and
ldap-vx-010103-2.site5.example.com. I have removed them from topology and
from host and hostgroup ipaservers list but no luck. I have totally shut
down replicas nodes but still no luck. Are there any good ways to clean
them up?
[root@ldap-vx-010101-4 ~]# ipa-replica-manage list -v `hostname`
ldap-vx-010101-1.site5.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental
update succeeded
last update ended: 2024-05-16 01:58:02+00:00
ldap-vx-010101-2.site5.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental
update succeeded
last update ended: 2024-05-16 01:58:02+00:00
ldap-vx-010101-3.site5.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental
update succeeded
last update ended: 2024-05-16 01:58:02+00:00
ldap-vx-010101-5.site5.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental
update succeeded
last update ended: 2024-05-16 01:58:02+00:00
ldap-vx-010103-1.site5.example.com: replica
last init status: Error (0)
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-1) Problem connecting to replica - LDAP
error: Can't contact LDAP server (connection error)
last update ended: 2024-05-11 10:30:33+00:00
ldap-vx-010103-2.site5.example.com: replica
last init status: Error (0) Total update succeeded
last init ended: 2024-05-10 20:35:02+00:00
last update status: Error (-1) Problem connecting to replica - LDAP
error: Can't contact LDAP server (connection error)
last update ended: 1970-01-01 00:00:00+00:00
ldap-vx-010103-3.site5.example.com: replica
last init status: Error (0) Total update succeeded
last init ended: 2024-05-10 21:14:53+00:00
last update status: Error (0) Replica acquired successfully: Incremental
update succeeded
last update ended: 2024-05-16 01:58:02+00:00
2 days, 9 hours
FreeIPA - Need help with Expired Certificate
by azeem
Hello!
I have inherited a FreeIPA server, and upon checking the certificate list with getcert list, it shows that the certificate is already expired. Does anyone know how to renew it? Because of this issue, I am not able to enroll any clients. Any help would be appreciated.
Request ID '20160825909273':
status: CA_UNREACHABLE
ca-error: Server at https://test.domain.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
subject: CN=test.domain.com,O=TEST.DOMAIN.COM
expires: 2023-12-18 15:52:08 UTC
principal name: ldap/test.domain.com@TEST.DOMAIN.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM
track: yes
auto-renew: yes
2 days, 10 hours
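The two getcert records quoted above (Mark Selby's SelfSign KDC cert and azeem's CA_UNREACHABLE dirsrv cert) share one format, so a small parser can flag what both posters had to read by eye: expired or soon-to-expire certs, tracking requests that are not in MONITORING, and whether a cert is self-signed (issuer equals subject). This is an added example, not code from the thread or from FreeIPA/certmonger; the sample text is constructed to mirror the records above.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the getcert records quoted in the thread.
SAMPLE = """\
Request ID '20191003181545':
        status: MONITORING
        CA: SelfSign
        issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
        subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
        expires: 2022-08-09 22:06:33 UTC
        certificate template/profile: KDCs_PKINIT_Certs
Request ID '20160825909273':
        status: CA_UNREACHABLE
        ca-error: Server at https://test.domain.com/ipa/xml failed request
        CA: IPA
        issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
        subject: CN=test.domain.com,O=TEST.DOMAIN.COM
        expires: 2023-12-18 15:52:08 UTC
"""

def parse_getcert(text):
    """Turn `getcert list` text into one dict per tracking request."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID"):
            current = {"request_id": line.split("'")[1]}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def parse_utc(text):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp as aware UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def assess(records, now, warn_days=30):
    """Map request ID -> findings about expiry, tracking state and issuer."""
    findings = {}
    for r in records:
        notes = []
        exp = parse_utc(r["expires"])
        if exp <= now:
            notes.append("expired")
        elif exp - now <= timedelta(days=warn_days):
            notes.append("expires soon")
        if r.get("status") != "MONITORING":  # e.g. CA_UNREACHABLE as in the thread
            notes.append("status " + r.get("status", "?"))
        if r.get("issuer") == r.get("subject"):
            notes.append("self-signed")  # the SelfSign KDC cert, unlike a CA-issued one
        findings[r["request_id"]] = notes
    return findings
```

Feed it the real output of `getcert list` on each server and compare the findings across servers; a cert that is CA-issued where its siblings are self-signed, or that sits in CA_UNREACHABLE, stands out immediately.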
502 Server Error: Proxy Error when creating CA replica on RockyLinux 8.9
by Satish Patel
Folks,
I have Master freeIPA running on CentOS 7 and now trying to migrate it to
RockyLinux 8.9 (because centos7 is EOL).
When I am running # ipa-replica-install --setup-ca I encounter the following
error
Custodia uses 'ldap-vx-010101-4.site5.example.com' as master peer.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
502 Server Error: Proxy Error for url:
https://ldap-vx-010101-4.site5.example.com/ipa/keys/ca/caSigningCert%20ce...
I did google and found a similar issue but no solutions. Any idea what
could be wrong here? I have checked and all certs are updated and not
expired.
The above error isn't easy to understand. I am able to use
curl etc. That means the cert is updated and valid.
2 days, 12 hours
FreeIPA v4.11 - wsgi:ipa high cpu load
by Djerk Geurts
Hi all,
Last week, we saw CPU jump from 7% to 62% on our primary FreeIPA server (4.11.1-2.fc39) on Fedora 39. Inspecting the server shows that the wsgi:ipa process runs at >95% CPU.
Has anyone else observed this, and would anyone have a solution, or be able to point me in the right direction for what might be causing this?
FreeIPA works fine and we can’t tell any adverse effects on the server apart from burning more CPU.
Thanks,
Djerk Geurts
2 days, 15 hours
Reinitializing isolated replica with updated certificate
by William Faulk
I have an IdM replica that stopped sending its replications to the other replicas in the environment. I want to reinitialize it to hopefully resolve that replication problem. However, when confirming what data would be lost in the reinitialization, I noticed that the replica has reissued itself certificates for its own LDAP and HTTP services. These certificates are the ones found in the "userCertificate" attributes of the "krbprincipalname=ldap/isolated-replica@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com" and "krbprincipalname=HTTP/isolated-replica@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com" DNs. The other replicas show the older certificates in those multivalue entries, but not the new ones. In addition, the previous certificates have now expired.
I'm concerned about what will happen if I perform a reinitialization of this replica. Will it restart its LDAP and HTTP services with an old, expired certificate? What effect will that have on other replicas trying to connect to it? Will it still have keys for those old certificates? Will it be able to reissue its certificates again? The existence of the "ipa-cert-fix" utility implies not.
Or will it keep its new certificates? Will those certificates cause a problem when they no longer exist in the replica's own domain database?
The replica in question will still accept replications from the rest of the environment. Is it possible to get another replica to push new certificates to it, so that that new certificate will exist in the domain database after a reinitialization happens?
This is all in an IdM environment run under RHEL 7.9, so FreeIPA 4.6.8. (I'm desperately trying to dig myself out of replication problems before I upgrade. This is the next-to-last issue.)
--
William Faulk
3 days