There seems to be a problem either with Kerberos and/or using a self-signed
certificate vs. Let's Encrypt. I tried to run the setup script from
https://github.com/freeipa/freeipa-letsencrypt and below are some errors and
logs.
Within the /etc/httpd/conf.d/ipa.conf file I commented out these directives as
I had some Apache redirects that were breaking:
#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off
./setup-le.sh
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user. (visit
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
kinit admin
kinit: Generic preauthentication failure while getting initial credentials
journalctl -u named-pkcs11
-- No entries --
journalctl -u named
-- No entries --
file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No such
file or directory)
ldapsearch -Y GSSAPI
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (No Kerberos credentials
available (default cache: KEYRING:persistent:0))
ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials
In /var/log/krb5kdc.log:
Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip:
NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional
pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip:
NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional
pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
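An added example, not part of the original post or of the FreeIPA project: a small Python triage script for the krb5kdc.log pattern shown above, which tells apart a client that never answered the KDC's pre-authentication request (only NEEDED_PREAUTH, then "closing down fd", as in the post) from a completed exchange (ISSUE) or a real password failure (PREAUTH_FAILED). The log lines, the realm EXAMPLE.TEST, the principals and the addresses are constructed placeholders.

```python
import re

# Constructed sample krb5kdc.log lines (placeholder realm, principals and IPs);
# admin mirrors the post: NEEDED_PREAUTH with no follow-up AS_REQ at all.
SAMPLE_LOG = "\n".join([
    "Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11",
    "Nov 28 11:05:02 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Nov 28 11:05:02 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: ISSUE: authtime 1480334702, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Nov 28 11:06:10 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Nov 28 11:06:10 krb5kdc[19575](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed",
    "Nov 28 11:06:10 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed",
])

# One AS_REQ line: timestamp, source address, outcome keyword, client and
# service principal. The ISSUE variant carries authtime/etypes before the client.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) krb5kdc\[\d+\]\(info\): AS_REQ "
    r"\([^)]*\) (?P<ip>\S+): (?P<status>NEEDED_PREAUTH|PREAUTH_FAILED|ISSUE): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>[^\s,]+)"
)

STALLED = "STALLED_AFTER_PREAUTH_REQUEST"


def triage_as_req(log_text):
    """Return {client principal: outcome of its most recent AS exchange}.

    NEEDED_PREAUTH opens an attempt; a later ISSUE or PREAUTH_FAILED closes it.
    A client whose last attempt was never closed is STALLED: the KDC asked for
    pre-authentication and the client never came back, which points at the
    client side (kinit could not build the preauth data), not at a wrong password.
    """
    state = {}
    for line in log_text.splitlines():
        m = AS_REQ_RE.match(line)
        if not m:
            continue  # "closing down fd", preauth verify notes, etc.
        if m["status"] == "NEEDED_PREAUTH":
            state[m["client"]] = STALLED  # new attempt overrides older outcome
        else:
            state[m["client"]] = m["status"]
    return state


def stalled_clients(log_text):
    """Client principals whose latest AS_REQ never progressed past NEEDED_PREAUTH."""
    return sorted(c for c, s in triage_as_req(log_text).items() if s == STALLED)
```

Run it against a real /var/log/krb5kdc.log to see whether the failing kinit ever sends a second, pre-authenticated AS_REQ; if it does not, the KDC never saw a password attempt and the fault lies on the client side.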