freeipa / freeipa-letsencrypt
A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.
I executed the script setup.sh from the package "freeipa-letsencrypt".
The installation finished with this error message:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140228802354200
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
What's causing this error?
And how can I fix this?
The file "httpd-csr.der" in the working directory (in my case /etc/ssl/ipa-le/) is 0 bytes. Therefore I conclude that the installation was not successful.
[root@ipa freeipa-letsencrypt]# ls -lR /etc/ssl/ipa-le/
/etc/ssl/ipa-le/:
insgesamt 0
drwxr-xr-x. 2 root root 187 3. Nov 19:49 ca
-rw-r-----. 1 root root 0 3. Nov 20:19 httpd-csr.der
/etc/ssl/ipa-le/ca:
insgesamt 24
-rw-r--r--. 1 root root 1220 3. Nov 19:49 DSTRootCAX3.pem
-rw-r--r--. 1 root root 1967 3. Nov 19:49 isrgrootx1.pem
-rw-r--r--. 1 root root 1702 3. Nov 19:49 LetsEncryptAuthorityX1.pem
-rw-r--r--. 1 root root 1675 3. Nov 19:49 LetsEncryptAuthorityX2.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX3.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX4.pem
THX
Thanks for the script. It was helpful. I was trying to run it and getting errors during the import of the CA certs.
I was able to resolve this by directly visiting Let's Encrypt and downloading an updated root certificate and intermediate certificate.
https://letsencrypt.org/certificates/
I replaced the existing files with the new certs and the import was successful.
Hi there,
I'm completely new to FreeIPA and my knowledge is limited. I managed to get everything running and used this tool to set up an LE certificate. The web interface now shows a valid certificate.
However when I run the command:
sudo ipa config-mod --defaultshell=/bin/bash
I get a CERTIFICATE_VERIFY_FAILED could not connect to https://domain/ipa/json error message.
I'm not sure how to overcome this issue.
I would use the default certificates if it wasn't for Firefox complaining about the serial of the certificate being the same as a previous one. I had an installation before but decided to start a fresh install.
I went through the steps to remove the certificate from Firefox but was unable to locate it under authorities. I did manage to find it under servers, but that didn't solve the issue. To get around this I thought an easy fix would be to use LE certificates instead.
Any ideas as to how I would overcome the issue CERTIFICATE_VERIFY_FAILED would be much appreciated.
Kind regards,
Ronald.
Would it be possible to add an option to this script to configure LDAP for LDAP servers too?
Hi,
setup-le.sh ran successfully, but the installation failed due to an error on the first renew-le.sh run because (perhaps) ipa-httpd.cnf did not exist...
140597481867152:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/root/ipa-le/ipa-httpd.cnf','rb')
140597481867152:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
140597481867152:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
(I confirm that /root/ipa-le is the WORKDIR)
Working on CentOS 7 and the latest FreeIPA.
I'm using the RHEL8 IdM repository for the installation, and the server was working fine before I applied the Let's Encrypt certs.
After the certs were installed, I can't log in anymore. Here's the httpd log:
[Thu Jan 28 11:59:06.414247 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jan 28 11:59:06.414427 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: WSGI login_password.__call__:
[Thu Jan 28 11:59:06.415594 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Obtaining armor in ccache /run/ipa/ccaches/armor_7726
[Thu Jan 28 11:59:06.415751 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Initializing anonymous ccache
[Thu Jan 28 11:59:06.416026 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting external process
[Thu Jan 28 11:59:06.416249 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_7726', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem']
[Thu Jan 28 11:59:07.737575 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.737854 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stdout=
[Thu Jan 28 11:59:07.737954 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stderr=
[Thu Jan 28 11:59:07.738276 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Initializing principal admin using password
[Thu Jan 28 11:59:07.738384 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Using armor ccache /run/ipa/ccaches/armor_7726 for FAST webauth
[Thu Jan 28 11:59:07.738470 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Using enterprise principal
[Thu Jan 28 11:59:07.738605 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting external process
[Thu Jan 28 11:59:07.738692 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kinit', 'admin', '-c', '/run/ipa/ccaches/kinit_7726', '-T', '/run/ipa/ccaches/armor_7726', '-E']
[Thu Jan 28 11:59:07.810076 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.810333 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stdout=Password for [email protected]:
[Thu Jan 28 11:59:07.810354 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665]
[Thu Jan 28 11:59:07.810477 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stderr=
[Thu Jan 28 11:59:07.810692 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Cleanup the armor ccache
[Thu Jan 28 11:59:07.810852 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting external process
[Thu Jan 28 11:59:07.810949 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kdestroy', '-A', '-c', '/run/ipa/ccaches/armor_7726']
[Thu Jan 28 11:59:07.820520 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.820761 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stdout=
[Thu Jan 28 11:59:07.820853 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: stderr=
[Thu Jan 28 11:59:07.845840 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting new HTTP connection (1): idm.example.com:80
[Thu Jan 28 11:59:07.853263 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: http://idm.example.com:80 "GET /ipa/session/cookie HTTP/1.1" 301 247
[Thu Jan 28 11:59:07.857038 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting new HTTPS connection (1): idm.example.com:443
[Thu Jan 28 11:59:07.872285 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='idm.example.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
Any ideas for the fix?
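The two CERTIFICATE_VERIFY_FAILED reports above (the ipa config-mod failure and this httpd log) share a pattern that is worth extracting from the log mechanically rather than by eye: Kerberos authentication completes (both kinit runs return 0), and the request only fails when the IPA framework opens an HTTPS connection to its own hostname to fetch /ipa/session/cookie. So it is the server acting as a TLS client that does not trust the newly installed chain, not the browser-facing certificate, which is why the web UI can show a valid certificate while logins fail. The following is an added example, not code from freeipa-letsencrypt, that triages wsgi error log lines in that way; the sample log is a constructed subset of the lines quoted in the report above. That the server-side client verifies against the CA bundle maintained by ipa-certupdate (/etc/ipa/ca.crt) is FreeIPA behaviour, not something this page states.

```python
import re

# Constructed sample: a subset of the httpd wsgi error log quoted in the report above.
SAMPLE_LOG = r"""
[Thu Jan 28 11:59:06.416249 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_7726', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem']
[Thu Jan 28 11:59:07.737575 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.738692 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: args=['/usr/bin/kinit', 'admin', '-c', '/run/ipa/ccaches/kinit_7726', '-T', '/run/ipa/ccaches/armor_7726', '-E']
[Thu Jan 28 11:59:07.810076 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Process finished, return code=0
[Thu Jan 28 11:59:07.810354 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665]
[Thu Jan 28 11:59:07.845840 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting new HTTP connection (1): idm.example.com:80
[Thu Jan 28 11:59:07.857038 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: DEBUG: Starting new HTTPS connection (1): idm.example.com:443
[Thu Jan 28 11:59:07.872285 2021] [wsgi:error] [pid 7726:tid 140699582347008] [remote 114.23.64.130:56665] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='idm.example.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
"""

# One wsgi:error line; the "ipa: LEVEL: message" part is optional because
# multi-line messages continue on lines that carry only the bracketed prefix.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+):tid \d+\] "
    r"\[remote (?P<remote>[^\]]+)\]\s*(?:ipa: (?P<level>[A-Z]+): (?P<msg>.*))?$"
)
ARGV0_RE = re.compile(r"^args=\['([^']*)'")
RC_RE = re.compile(r"^Process finished, return code=(\d+)$")
HTTPS_RE = re.compile(r"^Starting new HTTPS connection \(\d+\): (\S+)$")
VERIFY_FAIL_RE = re.compile(
    r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\): "
    r"Max retries exceeded with url: (?P<url>\S+) .*CERTIFICATE_VERIFY_FAILED"
)


def triage(log_text):
    """Report kinit exit codes and TLS verification failures per worker pid.

    A failure whose target is the server's own hostname means the framework's
    loopback HTTPS call, not the user's browser session, rejected the chain.
    """
    kinit_rcs = []
    failures = []
    pending = {}      # pid -> argv[0] of the external process whose exit is awaited
    last_https = {}   # pid -> last HTTPS target the framework opened
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("msg") is None:
            continue  # continuation lines carry no message
        pid, msg = m.group("pid"), m.group("msg")
        argv0 = ARGV0_RE.match(msg)
        if argv0:
            pending[pid] = argv0.group(1)
            continue
        rc = RC_RE.match(msg)
        if rc:
            if pending.pop(pid, "").endswith("/kinit"):
                kinit_rcs.append(int(rc.group(1)))
            continue
        https = HTTPS_RE.match(msg)
        if https:
            last_https[pid] = https.group(1)
            continue
        fail = VERIFY_FAIL_RE.search(msg)
        if fail:
            failures.append({
                "timestamp": m.group("ts"),
                "pid": int(pid),
                "remote": m.group("remote"),
                "target": last_https.get(pid),
                "host": fail.group("host"),
                "port": int(fail.group("port")),
                "url": fail.group("url"),
            })
    return {"kinit_return_codes": kinit_rcs, "verify_failures": failures}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("kinit return codes:", result["kinit_return_codes"])
    for f in result["verify_failures"]:
        print("TLS verify failure: server-side client -> %s%s (remote user %s)"
              % (f["target"], f["url"], f["remote"]))
```

Run it over /var/log/httpd/error_log on the affected server. A verify_failures entry whose target is the server's own name points at the CA bundle the server-side client uses, which the ipa-cacert-manage install plus ipa-certupdate sequence visible in the setup-le.sh trace elsewhere on this page is meant to populate; if those steps ran against a stale Let's Encrypt intermediate, that is the bundle to look at.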
Trying to run a fresh install on Fedora 32b, all from scratch, on 12-Apr-2020.
Running as sudo su, after doing a kinit admin, the setup script chugs for quite a while then throws this error. Is this asking me to create or verify a passphrase? I never created it, so I don't know what it is. Is it asking me for a new one? It failed. Do I need to create one as a prereq?
Also not sure if the failure on the /root/ipa-le/ipa-httpd.cnf is just because this is the first run.
Any suggestions? User error?
Thanks
...
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/ipa/nssdb', '-A', '-n', 'letsencryptx3', '-t', 'C,,', '-a', '-f', '/etc/ipa/nssdb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/update-ca-trust']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/update-ca-trust']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140224107767696
ipapython.admintool: INFO: The ipa-certupdate command was successful
Can't open /root/ipa-le/ipa-httpd.cnf for reading, No such file or directory
140437864580928:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/root/ipa-le/ipa-httpd.cnf','r')
140437864580928:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
140437864580928:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:603:
140437864580928:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:
140437864580928:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:
140437864580928:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
Hello,
I'm currently using the latest commit on the master branch along with CentOS 8.
I've been able to get to the part where the script invokes Certbot in order to actually get the certificate, but am left with the following error:
Enter pass phrase for /var/lib/ipa/private/httpd.key:
Redirecting to /bin/systemctl stop httpd.service
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "server.example.test": Domain name does not end with a valid public suffix (TLD)
I'm not really sure where this random domain is coming from. My FreeIPA server is definitely configured with the correct domain, as the default self-signed certificates and Apache VHost use the correct domain. I'm sure it's something I'm missing, but I can't pinpoint what. Any help would be appreciated.
Thanks
I am trying to install FreeIPA next to Ipsilon with a Let's Encrypt certificate on CentOS 7.
Except for the certificate, everything works fine.
FreeIPA was installed using Ansible: https://github.com/freeipa/ansible-freeipa
Ipsilon as described on the website: https://ipsilon-project.org/doc/quickstart-ipa.html
The setup-le.sh ends with this:
+ /root/freeipa-letsencrypt/renew-le.sh --first-time
Error opening Private Key /var/lib/ipa/private/httpd.key
140147027949456:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
140147027949456:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
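The renew-le.sh failures reported in this thread come down to a small set of input problems that can be checked before openssl or certbot is ever run: ipa-httpd.cnf missing from the WORKDIR (the CentOS 7 and Fedora 32 reports), /var/lib/ipa/private/httpd.key missing (this Ipsilon report) or encrypted so that openssl stops to prompt for a passphrase (the Fedora 32 and CentOS 8 reports), a 0-byte httpd-csr.der left behind by a failed request (the first report), and a hostname under a reserved TLD such as server.example.test that no public CA will issue for (the CentOS 8 report). The pre-flight check below is an added example, not part of freeipa-letsencrypt. Its reserved-TLD list comes from RFC 2606, RFC 6761, RFC 6762 and RFC 7686; the passphrase handling assumes the key's passphrase is kept in a file (on recent FreeIPA versions the httpd key is stored encrypted and its passphrase lives under /var/lib/ipa/passwds/, which is FreeIPA behaviour rather than something this page states); and every file written by run_demo is a constructed placeholder, not real key material.

```python
import os
import tempfile

# TLDs a public CA cannot issue for: RFC 2606/6761 (test, example, invalid,
# localhost), RFC 6762 (local) and RFC 7686 (onion).
RESERVED_TLDS = {"test", "example", "invalid", "localhost", "local", "onion"}


def is_reserved_hostname(hostname):
    """True if no public CA can issue for the name (reserved TLD or single label)."""
    labels = hostname.rstrip(".").lower().split(".")
    return len(labels) < 2 or labels[-1] in RESERVED_TLDS


def key_is_encrypted(key_path):
    """True if the PEM private key is passphrase-protected (PKCS#8 or legacy header)."""
    with open(key_path, "rb") as f:
        head = f.read(4096)
    return b"ENCRYPTED PRIVATE KEY" in head or b"Proc-Type: 4,ENCRYPTED" in head


def csr_looks_valid(csr_path):
    """A DER-encoded CSR is a non-empty ASN.1 SEQUENCE, so it starts with 0x30."""
    if not os.path.isfile(csr_path) or os.path.getsize(csr_path) == 0:
        return False
    with open(csr_path, "rb") as f:
        return f.read(1) == b"\x30"


def preflight(workdir, hostname, key_path, passfile=None):
    """Return the problems that would make the openssl/certbot steps fail.

    Call this before 'openssl req' and 'certbot certonly'; an empty list means
    every input those commands need is present.
    """
    problems = []
    cnf = os.path.join(workdir, "ipa-httpd.cnf")
    if not os.path.isfile(cnf):
        problems.append("missing OpenSSL request config: " + cnf)
    if not os.path.isfile(key_path):
        problems.append("missing private key: " + key_path)
    elif key_is_encrypted(key_path) and not (passfile and os.path.isfile(passfile)):
        problems.append("encrypted private key but no passphrase file, openssl "
                        "would prompt interactively: " + key_path)
    if is_reserved_hostname(hostname):
        problems.append("a public CA cannot issue for reserved name: " + hostname)
    return problems


def run_demo():
    """Reproduce the reported failures on constructed files in a temp directory."""
    root = tempfile.mkdtemp(prefix="ipa-le-demo-")
    bad = os.path.join(root, "bad")     # fresh WORKDIR, nothing generated yet
    good = os.path.join(root, "good")   # inputs as they should look
    os.makedirs(bad)
    os.makedirs(good)

    # Constructed placeholder key; only the PEM header matters for the check.
    enc_key = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
               b"TUlJ...placeholder...\n"
               b"-----END ENCRYPTED PRIVATE KEY-----\n")
    for d in (bad, good):
        with open(os.path.join(d, "httpd.key"), "wb") as f:
            f.write(enc_key)
    with open(os.path.join(bad, "httpd-csr.der"), "wb"):
        pass                                  # 0-byte CSR, as in the first report
    with open(os.path.join(good, "ipa-httpd.cnf"), "w") as f:
        f.write("[req]\ndistinguished_name = dn\n[dn]\n")
    with open(os.path.join(good, "httpd.pass"), "w") as f:
        f.write("placeholder-passphrase\n")
    with open(os.path.join(good, "httpd-csr.der"), "wb") as f:
        f.write(b"\x30\x82\x02\x5c\x30\x82\x01\x44")  # DER SEQUENCE header only

    return {
        "bad": preflight(bad, "server.example.test", os.path.join(bad, "httpd.key")),
        "good": preflight(good, "idm.example.com", os.path.join(good, "httpd.key"),
                          passfile=os.path.join(good, "httpd.pass")),
        "bad_csr": csr_looks_valid(os.path.join(bad, "httpd-csr.der")),
        "good_csr": csr_looks_valid(os.path.join(good, "httpd-csr.der")),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

On a real server, call preflight(WORKDIR, fqdn, "/var/lib/ipa/private/httpd.key", passfile=...) at the top of the renew script and abort on a non-empty list, and call csr_looks_valid on httpd-csr.der straight after the openssl req step: a 0-byte CSR is the silent failure the first report ran into, and catching it there avoids handing an empty request to certbot.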
[root@ipa freeipa-letsencrypt]# bash -x setup-le.sh
+ set -o nounset -o errexit
+++ realpath setup-le.sh
++ dirname /root/freeipa-letsencrypt/setup-le.sh
+ WORKDIR=/root/freeipa-letsencrypt
+ dnf install letsencrypt -y
Letzte Prüfung auf abgelaufene Metadaten: vor 13:51:02 am Mo 25 Mai 2020 17:50:19 UTC.
Package certbot-1.3.0-1.el7.noarch is already installed.
Abhängigkeiten sind aufgelöst.
Nichts zu tun.
Fertig.
+ ipa-cacert-manage install /root/freeipa-letsencrypt/ca/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
Installing CA certificate, please wait
Verified DSTRootCAX3
CA certificate successfully installed
The ipa-cacert-manage command was successful
+ ipa-certupdate -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6ea52b69...
ipalib.plugable: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6ea52b69.plugins
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
ipalib.rpc: DEBUG: found session_cookie in persistent storage for principal 'host/[email protected]', cookie: 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d'
ipalib.rpc: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;'
ipalib.rpc: INFO: trying https://ipa.makerspace-gt.de/ipa/session/json
ipalib.backend: DEBUG: Created connection context.rpcclient_140371180083856
ipalib.install.kinit: DEBUG: Initializing principal host/[email protected] using keytab /etc/krb5.keytab
ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-9tCQD5/ccache
ipalib.install.kinit: DEBUG: Attempt 1/1: success
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.107')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.107')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://ipa.makerspace-gt.de/ipa/session/json'
ipalib.rpc: DEBUG: New HTTP connection (ipa.makerspace-gt.de)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;' for principal host/[email protected]
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.makerspace-gt.de:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7faab60da1b8>
ipalib.frontend: DEBUG: raw: ca_find(None, version=u'2.231')
ipalib.frontend: DEBUG: ca_find(None, version=u'2.231')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_find/1' to json server 'https://ipa.makerspace-gt.de/ipa/session/json'
ipalib.rpc: DEBUG: HTTP connection keep-alive (ipa.makerspace-gt.de)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;' for principal host/[email protected]
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n MAKERSPACE-GT.DE IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n DSTRootCAX3 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n letsencryptx3 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n letsencryptx3 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n ISRGRootCAX1 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active [email protected]
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl --system daemon-reload
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart [email protected]
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active [email protected]
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: wait_for_open_ports: localhost [389] timeout 300
ipapython.ipautil: DEBUG: waiting for port: 389
ipapython.ipautil: DEBUG: SUCCESS: port: 389
ipaplatform.base.services: DEBUG: Restart of [email protected] complete
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n MAKERSPACE-GT.DE IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n DSTRootCAX3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n letsencryptx3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n letsencryptx3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n ISRGRootCAX1 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of httpd.service complete
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request '20200525172055'
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request '20200525172055'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n IPA CA -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n External CA cert -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n MAKERSPACE-GT.DE IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n DSTRootCAX3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n letsencryptx3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n letsencryptx3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n ISRGRootCAX1 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140371180083856
ipapython.admintool: INFO: The ipa-certupdate command was successful
+ ipa-cacert-manage install /root/freeipa-letsencrypt/ca/LetsEncryptAuthorityX3.pem -n letsencryptx3 -t C,,
Installing CA certificate, please wait
Verified letsencryptx3
CA certificate successfully installed
The ipa-cacert-manage command was successful
+ ipa-certupdate -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6ea52b69...
ipalib.plugable: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6ea52b69.plugins
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
ipalib.rpc: DEBUG: found session_cookie in persistent storage for principal 'host/[email protected]', cookie: 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d'
ipalib.rpc: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;'
ipalib.rpc: INFO: trying https://ipa.makerspace-gt.de/ipa/session/json
ipalib.backend: DEBUG: Created connection context.rpcclient_140360143559248
ipalib.install.kinit: DEBUG: Initializing principal host/[email protected] using keytab /etc/krb5.keytab
ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-WRn7d9/ccache
ipalib.install.kinit: DEBUG: Attempt 1/1: success
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.107')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.107')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://ipa.makerspace-gt.de/ipa/session/json'
ipalib.rpc: DEBUG: New HTTP connection (ipa.makerspace-gt.de)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;' for principal host/[email protected]
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.makerspace-gt.de:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fa824399200>
ipalib.frontend: DEBUG: raw: ca_find(None, version=u'2.231')
ipalib.frontend: DEBUG: ca_find(None, version=u'2.231')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_find/1' to json server 'https://ipa.makerspace-gt.de/ipa/session/json'
ipalib.rpc: DEBUG: HTTP connection keep-alive (ipa.makerspace-gt.de)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=vzJPmp6JZHhpL88ue2RPKd3hPfU0%2bTx%2btu7CuXQhZwpn8pUPyzRxr39Bty3jE4E7IffqzgodKW2VlnCDuFLnEKpWExG2hzv9XDQ0TJmnBd%2b9TiIJm7OeHvUWRh67gosf8fqPl3VSn%2fZmFDepDSmDwfBBEsvcF2%2bdCnxEAHQKmkcB0mBolWnSbpXSsQIqg2r5rwHD1iYfv0XwNZ3XpDXCSl4oA8zaTUVOLfToQng0MsDUVShGeyR%2bKkT5IJ38Cx5kTmWB7grOG0Y1vFxNd0hgushiIyLMgsutJtaUxjRcIi0%3d;' for principal host/[email protected]
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n MAKERSPACE-GT.DE IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n DSTRootCAX3 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n letsencryptx3 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n letsencryptx3 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-MAKERSPACE-GT-DE -A -n ISRGRootCAX1 -t C,, -a -f /etc/dirsrv/slapd-MAKERSPACE-GT-DE/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active [email protected]
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl --system daemon-reload
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart [email protected]
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active [email protected]
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: wait_for_open_ports: localhost [389] timeout 300
ipapython.ipautil: DEBUG: waiting for port: 389
ipapython.ipautil: DEBUG: SUCCESS: port: 389
ipaplatform.base.services: DEBUG: Restart of [email protected] complete
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n MAKERSPACE-GT.DE IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n DSTRootCAX3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n letsencryptx3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n letsencryptx3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n ISRGRootCAX1 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of httpd.service complete
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request '20200525172055'
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request '20200525172055'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n IPA CA -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n External CA cert -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n MAKERSPACE-GT.DE IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n DSTRootCAX3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n letsencryptx3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n letsencryptx3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n ISRGRootCAX1 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140360143559248
ipapython.admintool: INFO: The ipa-certupdate command was successful
+ /root/freeipa-letsencrypt/renew-le.sh --first-time
Error opening Private Key /var/lib/ipa/private/httpd.key
140147027949456:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
140147027949456:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
Hello everyone. After installing ipa-server-install and snapd, I ran setup-le.sh and got this error. Please tell me what to do with it.
Brief information about the system:
Red Hat Enterprise Linux 8
RAM 4GB
2 core CPU
./setup-le.sh
Failed to set locale, defaulting to C.UTF-8
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:04:15 ago on Thu Jul 8 06:56:57 2021.
Dependencies resolved.
===========================================================================================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================================================================================
Installing:
certbot noarch 1.14.0-1.el8 epel 51 k
Installing dependencies:
python3-acme noarch 1.14.0-1.el8 epel 88 k
python3-certbot noarch 1.14.0-1.el8 epel 391 k
python3-configargparse noarch 0.14.0-6.el8 epel 36 k
python3-josepy noarch 1.8.0-1.el8 epel 102 k
python3-parsedatetime noarch 2.5-1.el8 epel 79 k
python3-pyrfc3339 noarch 1.1-1.el8 epel 19 k
python3-requests-toolbelt noarch 0.9.1-4.el8 epel 91 k
python3-zope-component noarch 4.3.0-8.el8 epel 313 k
python3-zope-event noarch 4.2.0-12.el8 epel 210 k
python3-zope-interface x86_64 4.6.0-1.el8 epel 158 k
Installing weak dependencies:
python-josepy-doc noarch 1.8.0-1.el8 epel 22 k
Transaction Summary
===========================================================================================================================================================================================================
Install 12 Packages
Total download size: 1.5 M
Installed size: 5.8 M
Downloading Packages:
(1/12): python-josepy-doc-1.8.0-1.el8.noarch.rpm 611 kB/s | 22 kB 00:00
(2/12): python3-acme-1.14.0-1.el8.noarch.rpm 2.2 MB/s | 88 kB 00:00
(3/12): certbot-1.14.0-1.el8.noarch.rpm 1.2 MB/s | 51 kB 00:00
(4/12): python3-configargparse-0.14.0-6.el8.noarch.rpm 5.3 MB/s | 36 kB 00:00
(5/12): python3-josepy-1.8.0-1.el8.noarch.rpm 13 MB/s | 102 kB 00:00
(6/12): python3-certbot-1.14.0-1.el8.noarch.rpm 23 MB/s | 391 kB 00:00
(7/12): python3-parsedatetime-2.5-1.el8.noarch.rpm 9.4 MB/s | 79 kB 00:00
(8/12): python3-pyrfc3339-1.1-1.el8.noarch.rpm 2.9 MB/s | 19 kB 00:00
(9/12): python3-zope-event-4.2.0-12.el8.noarch.rpm 19 MB/s | 210 kB 00:00
(10/12): python3-requests-toolbelt-0.9.1-4.el8.noarch.rpm 5.2 MB/s | 91 kB 00:00
(11/12): python3-zope-interface-4.6.0-1.el8.x86_64.rpm 16 MB/s | 158 kB 00:00
(12/12): python3-zope-component-4.3.0-8.el8.noarch.rpm 7.1 MB/s | 313 kB 00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 11 MB/s | 1.5 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-zope-event-4.2.0-12.el8.noarch 1/12
Installing : python3-zope-interface-4.6.0-1.el8.x86_64 2/12
Installing : python3-pyrfc3339-1.1-1.el8.noarch 3/12
Installing : python3-zope-component-4.3.0-8.el8.noarch 4/12
Installing : python3-requests-toolbelt-0.9.1-4.el8.noarch 5/12
Installing : python3-parsedatetime-2.5-1.el8.noarch 6/12
Installing : python3-configargparse-0.14.0-6.el8.noarch 7/12
Installing : python-josepy-doc-1.8.0-1.el8.noarch 8/12
Installing : python3-josepy-1.8.0-1.el8.noarch 9/12
Installing : python3-acme-1.14.0-1.el8.noarch 10/12
Installing : python3-certbot-1.14.0-1.el8.noarch 11/12
Installing : certbot-1.14.0-1.el8.noarch 12/12
Running scriptlet: certbot-1.14.0-1.el8.noarch 12/12
Verifying : certbot-1.14.0-1.el8.noarch 1/12
Verifying : python-josepy-doc-1.8.0-1.el8.noarch 2/12
Verifying : python3-acme-1.14.0-1.el8.noarch 3/12
Verifying : python3-certbot-1.14.0-1.el8.noarch 4/12
Verifying : python3-configargparse-0.14.0-6.el8.noarch 5/12
Verifying : python3-josepy-1.8.0-1.el8.noarch 6/12
Verifying : python3-parsedatetime-2.5-1.el8.noarch 7/12
Verifying : python3-pyrfc3339-1.1-1.el8.noarch 8/12
Verifying : python3-requests-toolbelt-0.9.1-4.el8.noarch 9/12
Verifying : python3-zope-component-4.3.0-8.el8.noarch 10/12
Verifying : python3-zope-event-4.2.0-12.el8.noarch 11/12
Verifying : python3-zope-interface-4.6.0-1.el8.x86_64 12/12
Installed products updated.
Installed:
certbot-1.14.0-1.el8.noarch python-josepy-doc-1.8.0-1.el8.noarch python3-acme-1.14.0-1.el8.noarch python3-certbot-1.14.0-1.el8.noarch
python3-configargparse-0.14.0-6.el8.noarch python3-josepy-1.8.0-1.el8.noarch python3-parsedatetime-2.5-1.el8.noarch python3-pyrfc3339-1.1-1.el8.noarch
python3-requests-toolbelt-0.9.1-4.el8.noarch python3-zope-component-4.3.0-8.el8.noarch python3-zope-event-4.2.0-12.el8.noarch python3-zope-interface-4.6.0-1.el8.x86_64
Complete!
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1939 100 1939 0 0 11680 0 --:--:-- --:--:-- --:--:-- 11751
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 790 100 790 0 0 12343 0 --:--:-- --:--:-- --:--:-- 12343
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1826 100 1826 0 0 22825 0 --:--:-- --:--:-- --:--:-- 22825
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1021 100 1021 0 0 12451 0 --:--:-- --:--:-- --:--:-- 12451
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1826 100 1826 0 0 67629 0 --:--:-- --:--:-- --:--:-- 67629
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1021 100 1021 0 0 72928 0 --:--:-- --:--:-- --:--:-- 72928
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
139901708355392:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:616:
139901708355392:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:63:
139901708355392:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94:
139901708355392:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
Hello, is this also working with CentOS 7 and IPA?
I mean, this is only a certificate for the web server; is it possible to create a script for LDAP?
Thanks for an answer
I'm on CentOS 7, so I changed dnf to yum in the script and added 'kinit admin', and this is the error I get below. Yes, I'm using IPA on a private LAN without any public web server, so obviously I'm using a non-public domain suffix "MEANEY.LAB". I thought maybe your script could help me get around the fact that certbot won't create certs for internal IPs / domains?
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: modifying certmonger request '20161221203330'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n MEANEY.LAB IPA CA -t CT,C,C
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n MEANEY.LAB IPA CA -t CT,C,C
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n DSTRootCAX3 -t C,,
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n letsencryptx3 -t C,,
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/update-ca-trust
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: INFO: Systemwide CA database updated.
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/update-ca-trust
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: INFO: Systemwide CA database updated.
ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command was successful
Redirecting to /bin/systemctl stop httpd.service
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Name does not end in a public suffix
Please see the logfiles in /var/log/letsencrypt for more details.
root@cortex:~/ipa-le #
As of June 6 2024 Let's Encrypt added new CAs for issuing certs. As such, the setup script is not adding all the intermediate CAs from which certificates may be issued. https://letsencrypt.org/certificates/.
This is required, or else there will be an error of:
"SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"
and
"HTTPSConnectionPool(host='ldap01.idm.nerotechsolutions.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"
In addition, the web service doesn't send the full CA chain, so the cert is untrusted.
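The two symptoms in the comment above (an intermediate the client does not know, and a server that sends only the leaf) both end in "unable to get local issuer certificate". The following script is an added example, not part of this thread or of the freeipa-letsencrypt scripts: it builds a throwaway root/intermediate/leaf chain with the openssl command line tool, shows that the leaf alone fails verification against the root, and shows that it verifies once the served chain carries the intermediate. The subject names, the DNS name ipa.example.test and the temporary directory are assumptions; only the openssl binary is required.

```shell
#!/bin/sh
# Added example, not code from the freeipa-letsencrypt project.
# Builds a root -> intermediate -> leaf chain and shows why a server that
# omits the intermediate fails with "unable to get local issuer certificate".
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config; the sections name the extensions used below.
cat > ossl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ipa.example.test
EOF

# issue_cert <name> <subject> <extension-section> [<issuer-name>]
# Without an issuer the certificate is self-signed (the root).
issue_cert() {
    name="$1"; subj="$2"; ext="$3"; issuer="${4:-}"
    if [ -z "$issuer" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.pem" -subj "$subj" -days 30 \
            -config ossl.cnf -extensions "$ext" >/dev/null 2>&1
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "$subj" -config ossl.cnf >/dev/null 2>&1
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -out "$name.pem" -days 30 \
            -extfile ossl.cnf -extensions "$ext" >/dev/null 2>&1
    fi
}

issue_cert root "/CN=Example Root" v3_ca
issue_cert int  "/CN=Example Intermediate" v3_ca root
issue_cert leaf "/CN=ipa.example.test" v3_leaf int

# What the web server should send: leaf first, then the intermediate.
cat leaf.pem int.pem > fullchain.pem

# Trust store holds only the root, server sent only the leaf: the verifier
# cannot find the leaf's issuer. Returns non-zero; this is the failing case.
verify_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Same trust store, but the served chain supplies the intermediate.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted fullchain.pem leaf.pem >/dev/null 2>&1
}

# Number of certificates in a chain file; a front end that serves 1 here
# is the "doesn't send the full CA chain" symptom.
chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

if verify_leaf_only; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf alone fails: unable to get local issuer certificate"
fi
if verify_with_chain; then
    echo "leaf + intermediate verifies ($(chain_length fullchain.pem) certs served)"
fi
```

Run the same `openssl verify -CAfile <root> -untrusted <served chain> <leaf>` against what the FreeIPA host actually serves (for example the output of `openssl s_client -showcerts`) to tell the two causes apart: if it passes with `-untrusted` but the clients still fail, the server is not sending the intermediate; if it fails even with `-untrusted`, the missing CA has to be imported.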
I have an expired certificate which I want to replace with an LE version using this script; what is the best approach here?
Currently the script renews the issued certificate every two days, which seems quite odd. Shouldn't the script check how long the certificate is still valid and just renew it roughly 30 days before expiry?
Hi,
One can use a Let's Encrypt deploy hook script for this:
#!/bin/bash
# certbot deploy hook: certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE
# for each renewed certificate. Replace the <...> placeholders.
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "<ipa_host_fqdn>" <<< "$RENEWED_DOMAINS"; then
    cp "$RENEWED_LINEAGE/cert.pem" /<path_to_ipa_accessible_folder>/cert.pem
    cp "$RENEWED_LINEAGE/privkey.pem" /<path_to_ipa_accessible_folder>/privkey.pem
    # inside docker: run a script in the container that installs the certs for ipa
    # (no -it here: a hook run by certbot has no terminal attached)
    docker exec freeipa-serv /data/scripts/installCertsforHttp.sh
    # if not in docker, restart ipa instead with:
    # ipactl restart
    echo "ipa certs updated and ipa restarted"
fi
If docker then (installCertsforHttp.sh):
#!/bin/bash
ipa-server-certinstall -w -d /<path_to_docker_inside_folder>/privkey.pem /<path_to_docker_inside_folder>/cert.pem --pin='' --dirman-password=<pwd_to_prevent_query>
ipactl restart
And this way letsencrypt/certmonger do the work of renewal when needed.
ipapython.admintool: INFO: The ipa-certupdate command was successful
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
140015378847552:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:621:
140015378847552:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:
140015378847552:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:
140015378847552:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
First of all, thank you for taking the time to write and share this with the community. This script is extremely helpful. I do have a couple of questions:
I see reference to subject alternative names in the ipa-httpd.cnf file. Is it possible to add altnames, and if so, what is the correct syntax for doing so?
The standard 2-day check in the renewal script: if I want to change this to a longer value, say 7 days, would I just change [ "$diff" -lt "2" ] to [ "$diff" -lt "7" ]?
Thanks again.
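Both the "renews every two days" remark and the question about raising the 2-day value above are really asking for the same thing: a decision based on how long the certificate is still valid, not on how long ago it was last renewed. The script below is an added example and not the renew-le.sh logic; it uses `openssl x509 -checkend`, which exits 0 when the certificate is still valid past the given number of seconds, to decide whether a renewal is due, with 30 days as the default threshold. The day-count helper assumes GNU date (`date -d`); the self-signed test certificate and its paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not the renew-le.sh code. Renew when fewer than N days of
# validity remain instead of every N days. Needs the openssl CLI; the
# day-count helper additionally assumes GNU date.
set -eu

# Days from now until the PEM certificate in $1 expires (floored).
# Returns non-zero if the local date(1) cannot parse openssl's notAfter.
days_until_expiry() {
    not_after="$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
    end_epoch="$(date -u -d "$not_after" +%s 2>/dev/null)" || return 1
    now_epoch="$(date -u +%s)"
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# needs_renewal <cert.pem> [<days>]: returns 0 (renew) when the certificate
# expires within <days> (default 30), 1 when it is still fine.
# -checkend exits 0 if the cert will NOT expire within the window.
needs_renewal() {
    threshold="${2:-30}"
    if openssl x509 -in "$1" -noout -checkend $(( threshold * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed test certificate valid for 30 days.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/ossl.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/cert.pem" -subj "/CN=ipa.example.test" -days 30 \
    -config "$WORK/ossl.cnf" >/dev/null 2>&1

left="$(days_until_expiry "$WORK/cert.pem" || echo '?')"
echo "days of validity left: $left"
if needs_renewal "$WORK/cert.pem" 7;  then echo "7-day rule:  renew"; else echo "7-day rule:  keep"; fi
if needs_renewal "$WORK/cert.pem" 60; then echo "60-day rule: renew"; else echo "60-day rule: keep"; fi
```

Wiring `needs_renewal /var/lib/ipa/certs/httpd.crt 30` (path assumed) in front of the certbot call gives the 30-days-before-expiry behaviour asked for above; a cron entry can then run the script daily without re-issuing anything until the window is reached.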
Hello,
I am running the FreeIPA installation on Debian and I am getting the following error almost at the end of the installation, after running:
[11/30]: starting certificate server instance
[12/30]: configure certmonger for renewals
[13/30]: requesting RA certificate from CA
[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.******.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.*****.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I am not sure if there is any relation to my hosts file configuration, though it is talking about the certificate in the following message.
Checking the FreeIPA logs, I have the following in /var/log/ipaserver-install.log:
File "/usr/lib/python3/dist-packages/ipaserver/install/dogtaginstance.py", line 520, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2021-04-10T17:00:51Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2021-04-10T17:00:51Z ERROR CA configuration failed.
Thank you for your help,
Is there a way to do this using the DNS-01 way so we don't need port 80 opened to the FreeIPA server ?
Hi
First of all thank you for the great work, it made things so easy. I am trying to set this up on a fresh box
OS --> Centos 8
FreeIPA version 4.8.7
Followed your instructions on setting the hostname and email ID in the scripts and executed them. It ran for a few minutes with no errors; in the end it says the command was successful and prompts for the httpd key pass phrase. I tried with a good pass phrase but it keeps failing. Let me know what I am missing?
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140177581803112
ipapython.admintool: INFO: The ipa-certupdate command was successful
Enter pass phrase for /var/lib/ipa/private/httpd.key:
140526484875072:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
140526484875072:error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:545:while reading strings
140526484875072:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:621:
140526484875072:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:63:
140526484875072:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94:
140526484875072:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
Thank you
Harsha
Hello guys,
I had an issue with the renew certificate script renew-le.sh: the step that generates the CSR always asks me for a password:
OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passout file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
I managed to fix the issue by updating OPENSSL_EXTRA_ARGS from -passout to -passin:
OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
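The fix above is right because the two options are not interchangeable: -passout names the pass phrase for a key openssl writes, -passin the one for a key it reads, and an encrypted -key with no -passin makes openssl prompt on the terminal, which is the hang and the "bad decrypt" / "result too small" errors reported elsewhere in this thread. The following is an added example, not the renew-le.sh code: it creates an encrypted key with -passout, generates the CSR with -passin the way the corrected snippet does, and checks that the CSR really carries that key's public half. The pass phrase file, key and config paths are throwaway stand-ins for /var/lib/ipa/passwds/<host>-443-RSA, /var/lib/ipa/private/httpd.key and ipa-httpd.cnf.

```shell
#!/bin/sh
# Added example, not the renew-le.sh code. -passout is for a key being
# written, -passin for a key being read. Needs the openssl CLI.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASSFILE="$WORK/httpd.pass"   # stands in for /var/lib/ipa/passwds/<host>-443-RSA
KEY="$WORK/httpd.key"         # stands in for /var/lib/ipa/private/httpd.key
CSR="$WORK/httpd-csr.der"     # PEM despite the .der name, as in the script

printf 'correct horse battery staple\n' > "$PASSFILE"
chmod 600 "$PASSFILE"

# Writing an encrypted key: here -passout is the right option.
openssl genrsa -aes256 -passout "file:$PASSFILE" -out "$KEY" 2048 >/dev/null 2>&1

# Reading the encrypted key to build the CSR: -passin, never -passout.
# Returns 0 when the CSR was written without prompting.
make_csr() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/ipa-httpd.cnf"
    openssl req -new -sha256 -config "$WORK/ipa-httpd.cnf" -key "$KEY" \
        -passin "file:$PASSFILE" -subj "/CN=ipa.example.test" \
        -out "$CSR" 2>/dev/null
}

# A CSR is only worth submitting if its public key is the one from httpd.key.
csr_matches_key() {
    k="$(openssl rsa -in "$KEY" -passin "file:$PASSFILE" -pubout 2>/dev/null)"
    c="$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

if make_csr && csr_matches_key; then
    echo "CSR written without a prompt and matches httpd.key"
fi
```

The same `openssl req -in ... -pubkey` / `openssl rsa -pubout` comparison is a cheap check to run before submitting a CSR to Let's Encrypt, since an order issued for the wrong key is only noticed when the web server fails to start with the new certificate.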
Trying to use on Fedora 33.
[root@account freeipa-letsencrypt]# ./setup-le.sh
Last metadata expiration check: 1:37:21 ago on Wed 27 Jan 2021 09:21:34 AM UTC.
Package certbot-1.11.0-1.fc33.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.
(visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
Error opening Private Key /var/lib/ipa/private/httpd.key
139845738243984:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
139845738243984:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
Then it terminates without finishing.
Note that this is on Centos 7.
In my installation of FreeIPA with Let's Encrypt I am getting some path errors even though I set my WORK_DIR.
I have hacked around this by making sure I execute out of the specified directory, but there might be a bug somewhere related to paths.
It looks like there is a mix-up between my home directory and the working directory.
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/home/jjflynn22/0001_chain.pem. Your cert will expire on
2017-03-08. To obtain a new or tweaked version of this certificate
in the future, simply run certbot again. To non-interactively renew
all of your certificates, run "certbot renew"
If you lose your account credentials, you can recover through
e-mails sent to [email protected].
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
certutil: unable to open "/root/ipa-le/0000_cert.pem" for reading (-5950, 2).
Once I run this step, my web server is no longer accessible, even with a prompt to override a non-secure certificate. At the end of my httpd log I see this:
[Thu Dec 08 11:38:22.976583 2016] [core:notice] [pid 1076] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Dec 08 11:38:22.980950 2016] [suexec:notice] [pid 1076] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Dec 08 11:38:22.980971 2016] [:warn] [pid 1076] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Dec 08 11:38:23.352225 2016] [:error] [pid 1076] Certificate not found: 'Server-Cert'
[root@ipa-a ipa-le]# pwd
/root/ipa-le
[root@ipa-a ipa-le]# find . -ls
16959290 0 drwxr-xr-x 3 root root 92 Dec 8 12:59 .
16959291 4 -rw-r--r-- 1 root root 764 Dec 8 11:35 ./README.md
16959293 4 -rwxr-xr-x 1 root root 347 Dec 8 11:35 ./setup-le.sh
8499079 0 drwxr-xr-x 2 root root 187 Dec 8 11:35 ./ca
8499080 4 -rw-r--r-- 1 root root 1220 Dec 8 11:35 ./ca/DSTRootCAX3.pem
8499081 4 -rw-r--r-- 1 root root 1702 Dec 8 11:35 ./ca/LetsEncryptAuthorityX1.pem
8499082 4 -rw-r--r-- 1 root root 1675 Dec 8 11:35 ./ca/LetsEncryptAuthorityX2.pem
8499083 4 -rw-r--r-- 1 root root 1647 Dec 8 11:35 ./ca/LetsEncryptAuthorityX3.pem
8499084 4 -rw-r--r-- 1 root root 1647 Dec 8 11:35 ./ca/LetsEncryptAuthorityX4.pem
8499085 4 -rw-r--r-- 1 root root 1967 Dec 8 11:35 ./ca/isrgrootx1.pem
17250543 4 -rwxr-xr-x 1 root root 1110 Dec 8 11:35 ./renew-le.sh
16959284 4 -rw-r----- 1 root root 660 Dec 8 11:37 ./httpd-csr.der
[jjflynn22@ipa-a ~]$ pwd
/home/jjflynn22
[jjflynn22@ipa-a ~]$ ls -la
total 32
drwx------. 5 jjflynn22 jjflynn22 217 Dec 8 11:37 .
drwxr-xr-x. 3 root root 23 Dec 7 13:01 ..
-rw-r--r--. 1 root root 1801 Dec 8 11:37 0000_cert.pem
-rw-r--r--. 1 root root 1647 Dec 8 11:37 0000_chain.pem
-rw-r--r--. 1 root root 3448 Dec 8 11:37 0001_chain.pem
-rw-------. 1 jjflynn22 jjflynn22 1500 Dec 8 11:37 .bash_history
-rw-r--r--. 1 jjflynn22 jjflynn22 18 Sep 30 04:25 .bash_logout
-rw-r--r--. 1 jjflynn22 jjflynn22 193 Sep 30 04:25 .bash_profile
-rw-r--r--. 1 jjflynn22 jjflynn22 231 Sep 30 04:25 .bashrc
drwxrwxr-x. 4 jjflynn22 jjflynn22 83 Dec 8 11:35 freeipa-letsencrypt
-rw-rw-r--. 1 jjflynn22 jjflynn22 36 Dec 8 11:35 .gitconfig
drwxrw----. 3 jjflynn22 jjflynn22 19 Dec 8 11:35 .pki
drwx------. 2 jjflynn22 jjflynn22 29 Dec 7 13:12 .ssh
Looks like setup-le.sh fails on CentOS 8. While running setup-le.sh, I get the following:
Error:
Problem: package certbot-1.3.0-3.el8.noarch requires python3-certbot = 1.3.0-3.el8, but none of the providers can be installed
- conflicting requests
- nothing provides python3-mock needed by python3-certbot-1.3.0-3.el8.noarch
- nothing provides python3.6dist(mock) needed by python3-certbot-1.3.0-3.el8.noarch
When trying to run it, it runs into the problem of not being able to install certbot.
Seems similar to ansible/workshops#768
I have a similar issue to the one described in #25, and I followed all the steps provided to resolve it, but at the end I get this error after disabling the SSL check:
Connect error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)
The ipa-certupdate command failed.
ipa --version
VERSION: 4.9.13, API_VERSION: 2.251
in the Dockerfile with the image Centos-8-stream
OS: Centos7u3
packages:
freeipa-letsencrypt]# rpm -qa | grep ^ipa
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-common-4.4.0-14.el7.centos.7.noarch
Listening ports:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 6487/kadmind
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 6487/kadmind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4754/sshd
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 6482/krb5kdc
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1025/master
tcp6 0 0 :::749 :::* LISTEN 6487/kadmind
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::8080 :::* LISTEN 6677/java
tcp6 0 0 :::80 :::* LISTEN 6500/httpd
tcp6 0 0 :::464 :::* LISTEN 6487/kadmind
tcp6 0 0 :::22 :::* LISTEN 4754/sshd
tcp6 0 0 :::88 :::* LISTEN 6482/krb5kdc
tcp6 0 0 :::8443 :::* LISTEN 6677/java
tcp6 0 0 :::443 :::* LISTEN 6500/httpd
tcp6 0 0 :::636 :::* LISTEN 6433/ns-slapd
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 6677/java
tcp6 0 0 :::389 :::* LISTEN 6433/ns-slapd
tcp6 0 0 ::1:8009 :::* LISTEN 6677/java
I edited setup-le.sh and changed dnf to yum.
freeipa-letsencrypt]# ./setup-le.sh
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base | 3.6 kB 00:00:00
epel/x86_64/metalink | 14 kB 00:00:00
epel | 4.3 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/5): epel/x86_64/group_gz | 170 kB 00:00:00
(2/5): epel/x86_64/updateinfo | 789 kB 00:00:00
(3/5): extras/7/x86_64/primary_db | 188 kB 00:00:00
(4/5): epel/x86_64/primary_db | 4.8 MB 00:00:00
(5/5): updates/7/x86_64/primary_db | 7.7 MB 00:00:00
Determining fastest mirrors
* base: mirror.cisp.com
* epel: s3-mirror-us-east-1.fedoraproject.org
* extras: linux.cc.lehigh.edu
* updates: mirrors.advancedhosters.com
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:0.14.1-3.el7 will be installed
--> Processing Dependency: python2-certbot = 0.14.1-3.el7 for package: certbot-0.14.1-3.el7.noarch
--> Running transaction check
---> Package python2-certbot.noarch 0:0.14.1-3.el7 will be installed
--> Processing Dependency: python2-acme = 0.14.1 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python2-dialog >= 3.3.0 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python2-configargparse >= 0.10.0 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-psutil >= 2.1.0 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python2-future for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-zope-interface for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-zope-component for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-parsedatetime for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-mock for package: python2-certbot-0.14.1-3.el7.noarch
--> Running transaction check
---> Package python-parsedatetime.noarch 0:1.5-3.el7 will be installed
---> Package python-psutil.x86_64 0:2.2.1-1.el7 will be installed
---> Package python-zope-component.noarch 1:4.1.0-3.el7 will be installed
--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-3.el7.noarch
---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed
---> Package python2-acme.noarch 0:0.14.1-1.el7 will be installed
--> Processing Dependency: pytz for package: python2-acme-0.14.1-1.el7.noarch
--> Processing Dependency: python-pyrfc3339 for package: python2-acme-0.14.1-1.el7.noarch
--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-0.14.1-1.el7.noarch
---> Package python2-configargparse.noarch 0:0.11.0-1.el7 will be installed
---> Package python2-dialog.noarch 0:3.3.0-6.el7 will be installed
--> Processing Dependency: dialog for package: python2-dialog-3.3.0-6.el7.noarch
---> Package python2-future.noarch 0:0.16.0-2.el7 will be installed
---> Package python2-mock.noarch 0:1.0.1-9.el7 will be installed
--> Running transaction check
---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed
---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed
---> Package pytz.noarch 0:2012d-5.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================================================
Installing:
certbot noarch 0.14.1-3.el7 epel 19 k
Installing for dependencies:
dialog x86_64 1.2-4.20130523.el7 base 208 k
python-ndg_httpsclient noarch 0.3.2-1.el7 epel 43 k
python-parsedatetime noarch 1.5-3.el7 epel 61 k
python-psutil x86_64 2.2.1-1.el7 epel 114 k
python-zope-component noarch 1:4.1.0-3.el7 epel 227 k
python-zope-event noarch 4.0.3-2.el7 epel 79 k
python-zope-interface x86_64 4.0.5-4.el7 base 138 k
python2-acme noarch 0.14.1-1.el7 epel 170 k
python2-certbot noarch 0.14.1-3.el7 epel 417 k
python2-configargparse noarch 0.11.0-1.el7 epel 30 k
python2-dialog noarch 3.3.0-6.el7 epel 94 k
python2-future noarch 0.16.0-2.el7 epel 799 k
python2-mock noarch 1.0.1-9.el7 epel 92 k
python2-pyrfc3339 noarch 1.0-2.el7 epel 13 k
pytz noarch 2012d-5.el7 base 38 k
Transaction Summary
=========================================================================================================================================================================
Install 1 Package (+15 Dependent packages)
Total download size: 2.5 M
Installed size: 11 M
Downloading packages:
(1/16): certbot-0.14.1-3.el7.noarch.rpm | 19 kB 00:00:00
(2/16): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm | 43 kB 00:00:00
(3/16): python-parsedatetime-1.5-3.el7.noarch.rpm | 61 kB 00:00:00
(4/16): python-psutil-2.2.1-1.el7.x86_64.rpm | 114 kB 00:00:00
(5/16): python-zope-component-4.1.0-3.el7.noarch.rpm | 227 kB 00:00:00
(6/16): python-zope-event-4.0.3-2.el7.noarch.rpm | 79 kB 00:00:00
(7/16): python2-acme-0.14.1-1.el7.noarch.rpm | 170 kB 00:00:00
(8/16): python2-certbot-0.14.1-3.el7.noarch.rpm | 417 kB 00:00:00
(9/16): python2-configargparse-0.11.0-1.el7.noarch.rpm | 30 kB 00:00:00
(10/16): python2-dialog-3.3.0-6.el7.noarch.rpm | 94 kB 00:00:00
(11/16): python2-future-0.16.0-2.el7.noarch.rpm | 799 kB 00:00:00
(12/16): python2-mock-1.0.1-9.el7.noarch.rpm | 92 kB 00:00:00
(13/16): python2-pyrfc3339-1.0-2.el7.noarch.rpm | 13 kB 00:00:00
(14/16): dialog-1.2-4.20130523.el7.x86_64.rpm | 208 kB 00:00:02
(15/16): python-zope-interface-4.0.5-4.el7.x86_64.rpm | 138 kB 00:00:02
(16/16): pytz-2012d-5.el7.noarch.rpm | 38 kB 00:00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 740 kB/s | 2.5 MB 00:00:03
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python-zope-interface-4.0.5-4.el7.x86_64 1/16
Installing : dialog-1.2-4.20130523.el7.x86_64 2/16
Installing : python2-dialog-3.3.0-6.el7.noarch 3/16
Installing : pytz-2012d-5.el7.noarch 4/16
Installing : python-parsedatetime-1.5-3.el7.noarch 5/16
Installing : python2-future-0.16.0-2.el7.noarch 6/16
Installing : python-psutil-2.2.1-1.el7.x86_64 7/16
Installing : python-zope-event-4.0.3-2.el7.noarch 8/16
Installing : 1:python-zope-component-4.1.0-3.el7.noarch 9/16
Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch 10/16
Installing : python2-pyrfc3339-1.0-2.el7.noarch 11/16
Installing : python2-acme-0.14.1-1.el7.noarch 12/16
Installing : python2-configargparse-0.11.0-1.el7.noarch 13/16
Installing : python2-mock-1.0.1-9.el7.noarch 14/16
Installing : python2-certbot-0.14.1-3.el7.noarch 15/16
Installing : certbot-0.14.1-3.el7.noarch 16/16
restorecon: lstat(/etc/letsencrypt) failed: No such file or directory
Verifying : python2-certbot-0.14.1-3.el7.noarch 1/16
Verifying : python2-mock-1.0.1-9.el7.noarch 2/16
Verifying : python2-configargparse-0.11.0-1.el7.noarch 3/16
Verifying : python2-pyrfc3339-1.0-2.el7.noarch 4/16
Verifying : python-zope-interface-4.0.5-4.el7.x86_64 5/16
Verifying : python-ndg_httpsclient-0.3.2-1.el7.noarch 6/16
Verifying : python-zope-event-4.0.3-2.el7.noarch 7/16
Verifying : python-psutil-2.2.1-1.el7.x86_64 8/16
Verifying : certbot-0.14.1-3.el7.noarch 9/16
Verifying : 1:python-zope-component-4.1.0-3.el7.noarch 10/16
Verifying : python2-dialog-3.3.0-6.el7.noarch 11/16
Verifying : python2-future-0.16.0-2.el7.noarch 12/16
Verifying : python-parsedatetime-1.5-3.el7.noarch 13/16
Verifying : python2-acme-0.14.1-1.el7.noarch 14/16
Verifying : pytz-2012d-5.el7.noarch 15/16
Verifying : dialog-1.2-4.20130523.el7.x86_64 16/16
Installed:
certbot.noarch 0:0.14.1-3.el7
Dependency Installed:
dialog.x86_64 0:1.2-4.20130523.el7 python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python-parsedatetime.noarch 0:1.5-3.el7
python-psutil.x86_64 0:2.2.1-1.el7 python-zope-component.noarch 1:4.1.0-3.el7 python-zope-event.noarch 0:4.0.3-2.el7
python-zope-interface.x86_64 0:4.0.5-4.el7 python2-acme.noarch 0:0.14.1-1.el7 python2-certbot.noarch 0:0.14.1-3.el7
python2-configargparse.noarch 0:0.11.0-1.el7 python2-dialog.noarch 0:3.3.0-6.el7 python2-future.noarch 0:0.16.0-2.el7
python2-mock.noarch 0:1.0.1-9.el7 python2-pyrfc3339.noarch 0:1.0-2.el7 pytz.noarch 0:2012d-5.el7
Complete!
WARNING: yacc table file version is out of date
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
WARNING: yacc table file version is out of date
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying https://pae01.domain.org/ipa/json
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_30052752
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json server 'https://pae01.domain.org/ipa/json'
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_30052752
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 54, in run
api.finalize()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
for package in self.packages:
File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
ipaclient.remote_plugins.get_package(self),
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
plugins = schema.get_package(server_info, client)
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
schema = Schema(client)
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 986, in forward
return self._call_command(command, params)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 967, in _call_command
return command(*params)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1117, in _call
return self.__request(name, args)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1084, in __request
verbose=self.__verbose >= 3,
File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
return self.single_request(host, handler, request_body, verbose)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 617, in single_request
h = SSLTransport.make_connection(self, host)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 492, in make_connection
host, self._extra_headers, x509 = self.get_host_info(host)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 574, in get_host_info
self._handle_exception(e, service=service)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 547, in _handle_exception
raise errors.CCacheError()
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command failed, exception: CCacheError: did not receive Kerberos credentials
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: did not receive Kerberos credentials
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command failed.
[root@pae01 freeipa-letsencrypt]# ls -l
total 148
drwxr-xr-x. 2 root root 4096 Jul 11 21:31 ca
-rw-r--r--. 1 root root 7183 Jul 11 22:10 lextab.py
-rw-r--r--. 1 root root 764 Jul 11 21:31 README.md
-rwxr-xr-x. 1 root root 1135 Jul 11 21:52 renew-le.sh
-rwxr-xr-x. 1 root root 394 Jul 11 21:53 setup-le.sh
-rw-r--r--. 1 root root 126135 Jul 11 22:10 yacctab.py
[root@pae01 freeipa-letsencrypt]# python --version
Python 2.7.5
I have a FreeIPA docker container based on adelton/freeipa-server. When I run the setup-le.sh script, I am getting a SEC_ERROR_UNKNOWN_ISSUER error.
[root@freeipa ipa-le]# ipa-cacert-manage install /root/ipa-le/ca/LetsEncryptAuthorityX3.pem -n letsencryptx3 -t C,,
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
[root@freeipa ipa-le]# ipa-cacert-manage install /root/ipa-le/ca/LetsEncryptAuthorityX3.pem -n letsencryptx3 -t C,,
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
According to the Let's Encrypt Chain of Trust, LetsEncryptAuthorityX3 is not cross-signed by ISRG Root X1.
So I tried installing the (IdenTrust) DST Root CA X3. Now I am getting a SEC_ERROR_UNTRUSTED_ISSUER error.
[root@freeipa ipa-le]# ipa-cacert-manage install /root/ipa-le/ca/DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@freeipa ipa-le]# ipa-cacert-manage install /root/ipa-le/ca/LetsEncryptAuthorityX3.pem -n letsencryptx3 -t C,,
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.