Comments (20)
Solved but took some research...
Found a way for FreeIPA to print out the key passphrase that it generated when installing. Not sure how safe this is :) but the following command printed out the passphrase for the httpd key:
```
bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
+ USAGE='./ipa-pwdreader host:port RSA|DSA|ECC|number'
+ '[' 2 -ne 2 ']'
+ fname=ipa1.lab..org-443-RSA
+ pwdpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
++ /usr/bin/realpath -e /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ checkpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ '[' /var/lib/ipa/passwds/ipa1.lab..org-443-RSA == /var/lib/ipa/passwds/ipa1.lab..org-443-RSA ']'
+ cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
xxxxxxxxxx <-- my passphrase --> xxxxxxxxxxxx
```
from freeipa-letsencrypt.
I solved this by adding `-passin file:$OPENSSL_PASSWD_FILE` to the openssl command when that file (/var/lib/ipa/passwds/$HOSTNAME-443-RSA) is present. See the commit in my fork: thinkmassive@b682c6e
from freeipa-letsencrypt.
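One way to wire that into the openssl call, written here as an added example rather than the fork's actual commit: the passphrase file name follows the `<host>-443-RSA` pattern shown in the thread, while the `PASSWD_DIR` override, the function names and the PEM output path are assumptions. The option is only emitted when the file exists, so a host with an unencrypted key still works, and the file is flagged if it is world-readable, since it holds the passphrase in clear text.

```shell
#!/bin/sh
# Added example, not the project's own code: pick the openssl -passin
# argument for the FreeIPA httpd key from the passphrase file that the
# installer leaves under /var/lib/ipa/passwds/ (named <host>-443-RSA).
# PASSWD_DIR is an assumed override so the logic can be exercised
# outside a real FreeIPA host.

PASSWD_DIR="${PASSWD_DIR:-/var/lib/ipa/passwds}"

# Path of the passphrase file for a host, following the naming in the thread.
httpd_passwd_file() {
    printf '%s/%s-443-RSA' "$PASSWD_DIR" "$1"
}

# Print "-passin file:<path>" when the passphrase file exists and is
# readable; print nothing otherwise, so openssl is called without a
# passphrase source (fine for an unencrypted key).
openssl_passin_arg() {
    pwfile=$(httpd_passwd_file "$1")
    if [ -r "$pwfile" ]; then
        # The file holds a clear-text passphrase: flag it if "others" can read it.
        if find "$pwfile" -perm -o+r 2>/dev/null | grep -q .; then
            echo "warning: $pwfile is world-readable" >&2
        fi
        printf '%s' "-passin file:$pwfile"
    fi
}

# Convert the httpd private key to PEM without the interactive
# "Enter pass phrase for /var/lib/ipa/private/httpd.key:" prompt.
# The output path passed by the caller is an assumption.
export_httpd_key_pem() {
    keyfile="$1"; host="$2"; outfile="$3"
    # Word-splitting of the option into "-passin" "file:<path>" is intentional.
    # shellcheck disable=SC2046
    openssl rsa -in "$keyfile" $(openssl_passin_arg "$host") -out "$outfile"
}

# Usage on a FreeIPA server (not run here):
# export_httpd_key_pem /var/lib/ipa/private/httpd.key "$(hostname -f)" /root/ipa-le/httpd.pem
```

The script is POSIX sh, so it can be sourced from renew-le.sh or run on its own; `openssl_passin_arg` is the piece to reuse wherever the key is read.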
So sorry, can't seem to get the output to wrap the newlines.
This is the error line by itself
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
from freeipa-letsencrypt.
Doing some investigation out loud here...
So maybe there already is a key for the httpd service and it is trying to read that key in.
When I look in the web UI, I see a service for HTTP/[email protected] but how could that impact me using the LetsEncrypt scripts?? Hmmmm.
from freeipa-letsencrypt.
You need to apply the changes in this PR #16
from freeipa-letsencrypt.
@mkosek @rcritten Hi Martin and Rob. Thanks for the help to the noob. I went and cloned Martin's repo and ran that. It made more progress but then I hit this error...
```
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140147645009152
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
```
Do you think this might be user error? I did: sudo su; kinit admin; ./setup.sh
from freeipa-letsencrypt.
Here is my full log of output
https://github.com/HeneryH/dropbox/blob/master/full_log
from freeipa-letsencrypt.
It's not clear where that error is coming from. Given the setup seems to have worked I'd try running this directly for more output:
bash -x ./renew-le.sh" "--first-time"
from freeipa-letsencrypt.
@rcritten your copy/paste has some weird stuff with quotes but if I am to assume you mean
```
bash -x ./renew-le.sh --first-time
+ set -o nounset -o errexit
+ WORKDIR=/root/ipa-le
+ EMAIL=
+ '[' --first-time '!=' --first-time ']'
+ rm -f '/root/ipa-le/*.pem'
+ rm -f /root/ipa-le/httpd-csr.der
++ hostname -f
++ hostname -f
+ certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt -s CN=ipa1.lab.<mydomain>.org --extSAN dns:ipa1.lab.<mydomain>.org -o /root/ipa-le/httpd-csr.der
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
```
from freeipa-letsencrypt.
Perhaps refresh from current master. The code you have is no longer upstream. renew-le.sh doesn't call certutil at all in HEAD.
from freeipa-letsencrypt.
I couldn't figure out how to get mkosek's PR into my file system due to my lack of skill with git :) so I just cloned his whole forked repo.
I'll try again later. Thanks Rob!
from freeipa-letsencrypt.
This will do it:
```
git clone https://github.com/mkosek/freeipa-letsencrypt
cd freeipa-letsencrypt/
git checkout fix-workdir
```
from freeipa-letsencrypt.
I may have been on the wrong path here...
There is a key in /var/lib/ipa/private/httpd.key that has a time stamp of when I installed the system and FreeIPA. When I test the passphrase it is telling me that the passphrase I entered is incorrect. I only ever use one or two go-to passphrases for this sort of testing so I can't imagine I used a different one. I have to go back to the installation and try to figure out what that passphrase might have been.
from freeipa-letsencrypt.
@rcritten , since I did not see objections, I merged the respective PR to this repo, so that it is not that complicated.
from freeipa-letsencrypt.
@HeneryH thank you, this solved my issue as well.
Should this password be auto-entered in the generation script, and if not, will this issue affect renewals of the lets automate cert in 90 days?
from freeipa-letsencrypt.
Hi, this seems to do the trick, at least for me! So I would like to see that change merged?
I am not sure how to go about that, but it seems I can create a PR? Hope that's fine with @thinkmassive?
(Centos8 btw ..)
from freeipa-letsencrypt.
bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
I have tried to run this bash command but get the following errors.
I am on fedora 33.
```
+ 'mod_ssl password reader
This program is a handler written for Apache mod_ssl'\''s SSLPassPhraseDialog.
If you'\''d like to write your custom binary providing passwords to mod_ssl,
see the documentation of the aforementioned directive of the mod_ssl module.
'
/usr/libexec/ipa/ipa-httpd-pwdreader: line 7: $'mod_ssl password reader\nThis program is a handler written for Apache mod_ssl\'s SSLPassPhraseDialog.\n\nIf you\'d like to write your custom binary providing passwords to mod_ssl,\nsee the documentation of the aforementioned directive of the mod_ssl module.\n': command not found
+ import argparse
/usr/libexec/ipa/ipa-httpd-pwdreader: line 8: import: command not found
+ import os
/usr/libexec/ipa/ipa-httpd-pwdreader: line 9: import: command not found
+ from ipaplatform.paths import paths
/usr/libexec/ipa/ipa-httpd-pwdreader: line 11: from: command not found
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: syntax error near unexpected token `('
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: `HTTPD_PASSWD_DIR = os.path.realpath('
[root@ipa ~]# cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
cat: /var/lib/ipa/passwds/ipa1.lab..org-443-RSA: No such file or directory
```
from freeipa-letsencrypt.
The script ipa-httpd-pwdreader is written in python, so you don't need to use bash -x to run it.
from freeipa-letsencrypt.
The script ipa-httpd-pwdreader is written in python, so you don't need to use bash -x to run it.
Thanks for your quick response. I was trying to get the key passphrase, like @HeneryH was showing as a solution.
from freeipa-letsencrypt.
So execute python /usr/libexec/ipa/ipa-httpd-pwdreader instead (or python3 or whatever your distro uses).
Or look directly in /var/lib/ipa/passwds/
from freeipa-letsencrypt.