Hey Rob, thank you so much for your help! I just checked certutil... it works with the added -d database location. Upon trying to create a new certificate for HTTP, ipa-getcert list gives me:

> Request ID '20191115101517':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://ipa.*.*/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://ipa.*.*/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: Failed to connect to ipa.*.* port 443: Connection refused).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
>   CA: IPA
>   issuer:
>   subject:
>   expires: unknown
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes

Output of ipactl status:

> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING

And to answer:

> Are you just trying random commands?

Those are outputs I collected during all my attempts to fix it. Also I tried various (afaik) non-destructive commands to see what works and what doesn't, to hopefully close in on what's wrong.

> Based on above I'm guessing you didn't kinit first.

Always made sure to have active Kerberos credentials! Definitely used kinit first.

> Knowing what services are running is more important at this point.

Here's the output of systemctl status for the relevant processes:

gssproxy

> gssproxy.service - GSSAPI Proxy Daemon
>    Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
>    Active: active (running) since Fri 2019-11-15 11:41:16 CET; 7s ago
>   Process: 2656 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
>   Process: 20319 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
>  Main PID: 20320 (gssproxy)
>     Tasks: 6 (limit: 52428)
>    Memory: 1.6M
>    CGroup: /system.slice/gssproxy.service
>            └─20320 /usr/sbin/gssproxy -D

ipa

> ipa.service - Identity, Policy, Audit
>    Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
>    Active: active (exited) since Thu 2019-11-14 15:10:30 CET; 20h ago
>   Process: 11849 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
>  Main PID: 11849 (code=exited, status=0/SUCCESS)
>
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting Directory Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting krb5kdc Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting kadmin Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting httpd Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting ipa-custodia Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting pki-tomcatd Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting smb Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting winbind Service
> Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting ipa-otpd Service
> Nov 14 15:10:30 ipa.*.* systemd[1]: Started Identity, Policy, Audit.

httpd

> httpd.service - The Apache HTTP Server
>    Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
>   Drop-In: /etc/systemd/system/httpd.service.d
>            └─ipa.conf
>            /usr/lib/systemd/system/httpd.service.d
>            └─php-fpm.conf
>    Active: active (running) since Fri 2019-11-15 11:38:13 CET; 7min ago
>      Docs: man:httpd.service(8)
>   Process: 19582 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
>  Main PID: 19587 (httpd)
>    Status: "Total requests: 2; Idle/Busy workers 100/0;Requests/sec: 0.00437; Bytes served/sec: 16 B/se>
>     Tasks: 330 (limit: 52428)
>    Memory: 386.6M
>    CGroup: /system.slice/httpd.service
>            ├─19587 /usr/sbin/httpd -DFOREGROUND
>            ├─19592 /usr/sbin/httpd -DFOREGROUND
>            ├─19593 (wsgi:kdcproxy) -DFOREGROUND
>            ├─19594 (wsgi:kdcproxy) -DFOREGROUND
>            ├─19595 (wsgi:ipa) -DFOREGROUND
>            ├─19596 (wsgi:ipa) -DFOREGROUND
>            ├─19597 (wsgi:ipa) -DFOREGROUND
>            ├─19598 (wsgi:ipa) -DFOREGROUND
>            ├─19599 /usr/sbin/httpd -DFOREGROUND
>            ├─19601 /usr/sbin/httpd -DFOREGROUND
>            ├─19602 /usr/sbin/httpd -DFOREGROUND
>            └─19935 /usr/sbin/httpd -DFOREGROUND
>
> Nov 15 11:38:12 ipa.*.* systemd[1]: Starting The Apache HTTP Server...
> Nov 15 11:38:13 ipa.*.* ipa-httpd-kdcproxy[19582]: ipa: INFO: KDC proxy enabled
> Nov 15 11:38:13 ipa.*.* ipa-httpd-kdcproxy[19582]: ipa-httpd-kdcproxy: INFO KDC proxy e>
> Nov 15 11:38:13 ipa.*.* httpd[19587]: AH00558: httpd: Could not reliably determine the serv>
> Nov 15 11:38:13 ipa.*.* httpd[19587]: Server configured, listening on: 192.168.178.101 port>
> Nov 15 11:38:13 ipa.*.* systemd[1]: Started The Apache HTTP Server.
>
> Nov 15 11:41:15 ipa.*.* systemd[1]: Starting GSSAPI Proxy Daemon...
> Nov 15 11:41:16 ipa.*.* systemd[1]: Started GSSAPI Proxy Daemon.

The whole systemctl status:

> UNIT                               LOAD   ACTIVE SUB     DESCRIPTION
> proc-sys-fs-binfmt_misc.automount  loaded active running Arbitrary Executable File Formats File System Au>
> init.scope                         loaded active running System and Service Manager
> session-1015.scope                 loaded active running Session 1015 of user eelocal
> session-37.scope                   loaded active running Session 37 of user eelocal
> atd.service                        loaded active running Job spooling tools
> auditd.service                     loaded active running Security Auditing Service
> certmonger.service                 loaded active running Certificate monitoring and PKI enrollment
> chronyd.service                    loaded active running NTP client/server
> crond.service                      loaded active running Command Scheduler
> dbus.service                       loaded active running D-Bus System Message Bus
> dirsrv@EAGLEEYE-FILM-DE.service    loaded active running 389 Directory Server EAGLEEYE-FILM-DE.
> firewalld.service                  loaded active running firewalld - dynamic firewall daemon
> getty@tty1.service                 loaded active running Getty on tty1
> gssproxy.service                   loaded active running GSSAPI Proxy Daemon
> httpd.service                      loaded active running The Apache HTTP Server
> ipa-custodia.service               loaded active running IPA Custodia Service
> irqbalance.service                 loaded active running irqbalance daemon
> kadmin.service                     loaded active running Kerberos 5 Password-changing and Administration
> krb5kdc.service                    loaded active running Kerberos 5 KDC
> libstoragemgmt.service             loaded active running libstoragemgmt plug-in server daemon
> mcelog.service                     loaded active running Machine Check Exception Logging Daemon
> multipathd.service                 loaded active running Device-Mapper Multipath Device Controller
> mysqld.service                     loaded active running MySQL 8.0 database server
> NetworkManager.service             loaded active running Network Manager
> nfs-idmapd.service                 loaded active running NFSv4 ID-name mapping service
> nfs-mountd.service                 loaded active running NFS Mount Daemon
> nginx.service                      loaded active running The nginx HTTP and reverse proxy server
> nmb.service                        loaded active running Samba NMB Daemon
> oddjobd.service                    loaded active running privileged operations for unprivileged applicati>
> php-fpm.service                    loaded active running The PHP FastCGI Process Manager
> pki-tomcatd@pki-tomcat.service     loaded active running PKI Tomcat Server pki-tomcat
> polkit.service                     loaded active running Authorization Manager
> postfix.service                    loaded active running Postfix Mail Transport Agent
> postgresql.service                 loaded active running PostgreSQL database server
> redis.service                      loaded active running Redis persistent key-value database
> rngd.service                       loaded active running Hardware RNG Entropy Gatherer Daemon
> rpc-gssd.service                   loaded active running RPC security service for NFS client and server
> rpc-statd.service                  loaded active running NFS status monitor for NFSv2/3 locking.
> rpcbind.service                    loaded active running RPC Bind
> rsyslog.service                    loaded active running System Logging Service
> smartd.service                     loaded active running Self Monitoring and Reporting Technology (SMART)>
> smb.service                        loaded active running Samba SMB Daemon
> sshd.service                       loaded active running OpenSSH server daemon
> sssd.service                       loaded active running System Security Services Daemon
> systemd-journald.service           loaded active running Journal Service
> systemd-logind.service             loaded active running Login Service
> systemd-udevd.service              loaded active running udev Kernel Device Manager
> tuned.service                      loaded active running Dynamic System Tuning Daemon
> user@1000.service                  loaded active running User Manager for UID 1000
> winbind.service                    loaded active running Samba Winbind Daemon
> zou-events.service                 loaded active running Gunicorn instance to serve the Zou Events API
> zou-jobs.service                   loaded active running RQ Job queue to run asynchronous job from Zou
> zou.service                        loaded active running Gunicorn instance to serve the Zou API
> dbus.socket                        loaded active running D-Bus System Message Bus Socket
> multipathd.socket                  loaded active running multipathd control socket
> rpcbind.socket                     loaded active running RPCbind Server Activation Socket
> systemd-journald-dev-log.socket    loaded active running Journal Socket (/dev/log)
> systemd-journald.socket            loaded active running Journal Socket
> systemd-udevd-control.socket       loaded active running udev Control Socket
> systemd-udevd-kernel.socket        loaded active running udev Kernel Socket

There are no degraded services. Everything seems to be running fine. Nginx is listening on a different network interface than Apache; had no problems with that setup before. Tried with nginx disabled as well, no difference. Tried disabling the firewall; problem persists. SELinux is set to 'permissive'.

> Doesn't sound cert related and you said the KDC is working.

It seems to ONLY affect authorization via HTTP (preauth?). Apache itself is running without any other errors. I can access the FreeIPA WebUI from any browser. ONLY when I try to log in does it produce an error. Before the server restart, all browsers with login cookies for the WebUI were still logged in and could operate the WebUI; only the 'Authentication' tab already gave me an HTTP error while trying to list certificates.

I hope that's enough info for a good overview.

All the best and thanks,
Tristan

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
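The certmonger error above is a plain TCP "Connection refused" from libcurl on port 443 of the IPA host name, not a TLS or Kerberos failure, so the first thing to establish locally is whether the address that name resolves to on the server itself is one that httpd is actually bound to. The script below is an added example for that check; it is not code from the thread, from Tristan or Rob, or from FreeIPA. The host name ipa.example.test, the listener table and the assumption that httpd is bound only to 192.168.178.101 (suggested by, but not confirmed by, the truncated "listening on: 192.168.178.101 port>" journal line) are constructed for the demonstration; the --live branch runs the real lookups with hostname, getent and ss.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: does the IPA host name resolve (on the
# server itself, /etc/hosts first) to an address that something listens on
# at TCP/443? "Connection refused" means no socket is bound at that address.

# Constructed stand-in for the "Local Address:Port" column of `ss -H -ltn`.
# Assumption: httpd is bound to a single interface address, not a wildcard.
SAMPLE_LISTENERS='192.168.178.101:443
0.0.0.0:22
127.0.0.1:3306
[::]:80'

# listening_on_port LISTENERS PORT HOST_IP
# Returns 0 if HOST_IP, or a wildcard (0.0.0.0, *, [::]), is bound on PORT.
listening_on_port() {
    local listeners=$1 port=$2 host_ip=$3
    local line addr p
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        addr=${line%:*}   # text before the last ':' is the address ([::] stays intact)
        p=${line##*:}     # text after the last ':' is the port
        [ "$p" = "$port" ] || continue
        case "$addr" in
            "$host_ip"|0.0.0.0|'*'|'[::]') return 0 ;;
        esac
    done <<< "$listeners"
    return 1
}

# explain_refusal HOST RESOLVED_IP LISTENERS PORT
# Prints a one-line verdict; the return code mirrors listening_on_port.
explain_refusal() {
    local host=$1 ip=$2 listeners=$3 port=$4
    if listening_on_port "$listeners" "$port" "$ip"; then
        printf '%s resolves to %s and a listener is bound there on port %s\n' \
            "$host" "$ip" "$port"
        return 0
    fi
    printf '%s resolves to %s but nothing listens on %s:%s -> connection refused\n' \
        "$host" "$ip" "$ip" "$port"
    return 1
}

# Live variant for a real server (run as `./check.sh --live`):
#   hostname -f      -> the name certmonger dials (https://<host>/ipa/xml)
#   getent ahostsv4  -> what that name resolves to on this box, hosts file first
#   ss -H -ltn       -> what is actually bound, fourth column is Local Address:Port
live_check() {
    local host ip listeners
    host=$(hostname -f)
    ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
    listeners=$(ss -H -ltn | awk '{print $4}')
    explain_refusal "$host" "$ip" "$listeners" 443
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Demonstration on the constructed data: a hosts-file entry that points
    # the IPA name at 127.0.0.1 is refused, the interface address is not.
    explain_refusal ipa.example.test 127.0.0.1 "$SAMPLE_LISTENERS" 443 || true
    explain_refusal ipa.example.test 192.168.178.101 "$SAMPLE_LISTENERS" 443 || true
fi
```

If the live run reports a refusal, compare `getent ahostsv4 "$(hostname -f)"` against the `Listen` directives in /etc/httpd/conf/httpd.conf and the drop-ins; a name that resolves to 127.0.0.1 or to an address of the interface nginx uses, while httpd is bound elsewhere, produces exactly the libcurl message certmonger logged. If the address and listener do match, the refusal is coming from somewhere else and the network path (firewalld zones, a host route) is the next thing to look at.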