Kees Bakker via FreeIPA-users wrote:
> On 13-07-2021 19:47, Kees Bakker via FreeIPA-users wrote:
>> On 13-07-2021 17:24, Kees Bakker via FreeIPA-users wrote:
>>> On 13-07-2021 17:08, Rob Crittenden wrote:
>>>> Kees Bakker wrote:
>>>>> On 12-07-2021 21:51, Rob Crittenden wrote:
>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>> Hi Flo,
>>>>>>>
>>>>>>> Do you have a hint how I can get to the point where I can execute
>>>>>>> the pki securitydomain-host-del command? All examples [2] on the
>>>>>>> Internet are from the time when there was a /root/ca-agent.p12 and
>>>>>>> ipaCert. I think that has been migrated to
>>>>>>> /var/lib/ipa/ra-agent.{key,pem} [1].
>>>>>>>
>>>>>>> Maybe you are going to say that I shouldn't need that pki
>>>>>>> command. But I have two deleted masters in the pki database. Using
>>>>>>> pki securitydomain-host-del seems the only way to get rid of them.
>>>>>>> If you have a better suggestion then please let me know.
>>>>>>>
>>>>>>> [1] https://www.freeipa.org/page/Releases/4.8.1
>>>>>>> [2] https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup
>>>>>> The CA agent is something different and not used by IPA at all. If
>>>>>> your installation is > 2 years old it is expired anyway.
>>>>>>
>>>>>> The dogtag documentation is woefully out-of-date in this regard
>>>>>> unfortunately (and yes, I realize I also live in a glass house
>>>>>> regarding wikis).
>>>>>>
>>>>>> You don't need to import anything, the entries you need are already
>>>>>> there. Try:
>>>>>>
>>>>>> # pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -C
>>>>>> /etc/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del 'CA
>>>>>> ipa.example.test 443'
>>>>> Thanks Rob,
>>>>>
>>>>> That did it.
>>>>>
>>>>> I'm now almost there to get a clean outcome of ipa-healthcheck.
>>>>> It reports no errors anymore, but ... there is one healthcheck that
>>>>> wants a password. I have no idea what or why.
>>>>>
>>>>> [root@linge ~]# /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
>>>>> keyctl_search: Required key not available
>>>>> Enter password for Internal Key Storage Token:
>>>>> []
>>>> This comes out of the pki healthcheck plugins.
>>>>
>>>> The check does some client cert connections, so I assume it needs the
>>>> NSS database password. I'm guessing it looks in the kernel keyring
>>>> (keyctl_search) and then prompts the user.
>>>>
>>>> You can open an issue against them at
>>>> https://github.com/dogtagpki/pki/issues
>>> See https://github.com/dogtagpki/pki/issues/3650
>>
>> I wrote some more details in the issue. First part of the problem is
>> that I have this in /etc/pki/pki-tomcat/ca/CS.cfg
>>
>> ca.subsystem.tokenname=Internal Key Storage Token
>>
>> The second part of the problem is that this name should be
>> normalized to "internal".
>>
>> In pki.nssdb there is a normalize function but that is not called
>> in this case. Furthermore, the function is not implemented as I
>> would have done it.
>>
>> If the above two problems were to be solved then the plugin would
>> get the password from /etc/pki/pki-tomcat/password.conf
>
> I am a bit surprised that nobody has this problem but me. The solution
> is probably as simple as this:
>
> diff --git
> a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
> b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
> index bea2872ea..2472f35b5 100644
> --- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
> +++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
> @@ -168,7 +168,7 @@ class ClonesPlugin(Plugin): > # Set some vars we will be using later > self.db_dir = self.security_domain.config.get('jss.configDir') > self.subsystem_token = > self.security_domain.config.get('ca.subsystem.tokenname') > - self.passwd = self.instance.get_password(self.subsystem_token) > + self.passwd = > self.instance.get_token_password(self.subsystem_token) > > return sec_domain, sechost, secport
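Review bot: it is not visible from this hunk whether `self.instance.get_token_password(self.subsystem_token)` normalizes the CS.cfg value `Internal Key Storage Token` to `internal`, which the issue text above names as the second half of the problem; please confirm that it does, and have the plugin fail with a clear message when password.conf has no entry for the token rather than prompting on the terminal, as the `Enter password for Internal Key Storage Token:` output above shows it does now. Also, the mail client has wrapped `self.subsystem_token =` and `+ self.passwd =` onto continuation lines, so the patch as quoted will not apply cleanly with `git am`; attach it or open a pull request instead.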
You're not the only one who has reported this, just the first to have
reported it upstream AFAIK. Nice work on the patch.

rob

>
>> -- Kees
>>
>>>> rob
>>>>
>>>>> -- Kees
>>>>>> rob
>>>>>>
>>>>>>> -- Kees
>>>>>>>
>>>>>>> On 12-07-2021 15:01, Kees Bakker via FreeIPA-users wrote:
>>>>>>>> It is now time for me to try and follow the suggested pki commands.
>>>>>>>> However, I don't have a /root/ca-agent.p12
>>>>>>>>
>>>>>>>> There is quite a bit of documentation on the Internet, but it might
>>>>>>>> not all be up-to-date.
>>>>>>>>
>>>>>>>> Here [1] the file /root/ca-agent.p12 is mentioned under "PKI Admin
>>>>>>>> Certificate".
>>>>>>>>
>>>>>>>> "PKI admin certificate is stored in several locations:
>>>>>>>>
>>>>>>>> /root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).
>>>>>>>> /root/.dogtag/pki-tomcat/ca_admin.cert
>>>>>>>> /root/.dogtag/pki-tomcat/ca_admin.cert.der
>>>>>>>> /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to /root/ca-agent.p12)
>>>>>>>> "
>>>>>>>>
>>>>>>>> I don't have any of them. Then [1] continues with
>>>>>>>>
>>>>>>>> "PKI Agent Certificate
>>>>>>>>
>>>>>>>> PKI agent certificate is stored in /etc/httpd/alias and tracked
>>>>>>>> by IPA:
>>>>>>>>
>>>>>>>> ipaCert (CN=IPA RA)
>>>>>>>>
>>>>>>>> For IPA Password Vault the certificate is exported and cached into
>>>>>>>> /etc/httpd/alias/kra-agent.pem since python-requests does not
>>>>>>>> support NSS. The cache is invalidated if the KRA authentication fails.
>>>>>>>>
>>>>>>>> IPA Certificates
>>>>>>>>
>>>>>>>> IPA certificates are stored in /etc/httpd/alias:
>>>>>>>>
>>>>>>>> <REALM> IPA CA (CN=Certificate Authority)
>>>>>>>> <External CA DN>
>>>>>>>> ipa-ca-agent (CN=ipa-ca-agent)
>>>>>>>> ipaCert (CN=IPA RA)
>>>>>>>> Signing-Cert (CN=Object Signing Cert)
>>>>>>>> "
>>>>>>>>
>>>>>>>> But all I have in /etc/httpd/alias is a file ipasession.key
>>>>>>>>
>>>>>>>> I'm confused.
>>>>>>>>
>>>>>>>> [1] https://www.dogtagpki.org/wiki/IPA_Certificates
>>>>>>>> -- Kees
>>>>>>>>
>>>>>>>> On 14-06-2021 16:39, github--- via FreeIPA-users wrote:
>>>>>>>>> On 29-05-2021 10:21, Alexander Bokovoy wrote:
>>>>>>>>>> But I did use "ipa-csreplica-manage del" as well. However, I
>>>>>>>>>> remember that it complained it couldn't remove that host. I was
>>>>>>>>>> assuming it was already gone.
>>>>>>>>>> When I list with ipa-csreplica-manage then I don't see the old
>>>>>>>>>> hosts anymore.
>>>>>>>>> It's worth noting my install (4.9.3) on Fedora `ipa-csreplica-manage
>>>>>>>>> del` just prints a deprecated message and doesn't seem to do
>>>>>>>>> anything.
>>>>>>>>>
>>>>>>>>>> So, two things
>>>>>>>>>> 1) "ipa-csreplica-manage del" somehow failed (it's probably
>>>>>>>>>> too late to look at logs)
>>>>>>>>>> 2) how can I still remove the old hosts?
>>>>>>>>> I have/had the same problem. I used
>>>>>>>>> https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me auth
>>>>>>>>> into the CA to remove the dead host.
>>>>>>>>>
>>>>>>>>> pki client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password [redact]
>>>>>>>>> pki -n ipa-ca-agent securitydomain-host-find
>>>>>>>>> # you need the full Host ID section to remove
>>>>>>>>> pki -n ipa-ca-agent securitydomain-host-del "CA freeipa2[redact].net 443"
>>>>>>>>>
>>>>>>>>> Keep in mind I'm fairly new to IPA, so maybe you don't want to do
>>>>>>>>> this on a production system without someone else more experienced
>>>>>>>>> chiming in. But, so far, the health check stopped complaining,
>>>>>>>>> replication is fine, and all my users can still log in.
>>>>>>>>> _______________________________________________
>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>>>>>>
>>>>>>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
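The lookup the thread turns on, written here as an added example that is not code from the pki project or the healthcheck plugin: the `ca.subsystem.tokenname` value from CS.cfg is normalized to "internal" before the password is read from password.conf, and a missing entry raises instead of prompting. The file contents are constructed samples, and the `hardware-<token>` key naming for HSM tokens is an assumption.

```python
# Added example, not pki project code. Models the thread's fix: normalize the
# CS.cfg token name to "internal", then look it up in password.conf; report a
# missing entry instead of prompting. Sample files are constructed.
SAMPLE_CS_CFG = """\
jss.configDir=/etc/pki/pki-tomcat/alias
ca.subsystem.tokenname=Internal Key Storage Token
ca.sslserver.tokenname=internal
"""

SAMPLE_PASSWORD_CONF = """\
internal=ConstructedSamplePassword1
internaldb=ConstructedSamplePassword2
hardware-NHSM6000=ConstructedSamplePassword3
"""

# Spellings of the NSS software token that all mean the same thing.
INTERNAL_TOKEN_NAMES = {"", "internal", "internal key storage token"}


def parse_kv(text):
    """Parse key=value lines; CS.cfg and password.conf share this format."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def normalize_token(name):
    """Map the software token's display name to 'internal'; any other
    name is treated as an HSM token and kept as given."""
    if name is None or name.strip().lower() in INTERNAL_TOKEN_NAMES:
        return "internal"
    return name.strip()

def get_token_password(passwords, token):
    """Return the password for a token, raising instead of prompting.
    The 'hardware-<token>' key for HSM tokens is an assumed convention."""
    token = normalize_token(token)
    key = "internal" if token == "internal" else "hardware-" + token
    if key not in passwords:
        raise KeyError("no %r entry in password.conf for token %r" % (key, token))
    return passwords[key]

def subsystem_token_password(cs_cfg_text, password_conf_text):
    """What the clones plugin needs: the CA subsystem token's password."""
    cs_cfg = parse_kv(cs_cfg_text)
    return get_token_password(parse_kv(password_conf_text),
                              cs_cfg.get("ca.subsystem.tokenname"))
```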