Hi flo,

certificate and CA look good. The certificate is signed by the correct CA and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT).

The permissions look different (the question mark):

[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt
[root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

in comparison to ipa1:

[root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
[root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt

krb5-pkinit is installed: krb5-pkinit-1.19.2-9.fc35.x86_64

On Wed, 19 Feb 2025 at 15:46, Florence Blanc-Renaud <[email protected]> wrote:
> Hi,
>
> On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <[email protected]> wrote:
>
>> Hi list,
>> as I am currently sorting out our FreeIPA problems we stumbled across another problem.
>> After the last reboot of our secondary IPA host, we can no longer log in to the webui on the 2nd host.
>>
>> The webui on the first host works.
>>
>> I've checked some logs but was only able to find meaningful entries in the httpd log, which is this:
>>
>> mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>> Traceback (most recent call last):
>>   File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
>>     return api.Backend.wsgi_dispatch(environ, start_response)
>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
>>     return self.route(environ, start_response)
>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
>>     return app(environ, start_response)
>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
>>     result = attempt_kinit(user_principal, password,
>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
>>     self.kinit(user_principal, password,
>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
>>     kinit_armor(
>>   File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
>>     run(args, env=env, raiseonerr=True, capture_error=True)
>>   File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
>>     raise CalledProcessError(
>> ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
>>
> What is the content of this kdc.crt certificate?
> openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
> The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
>
> Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
> openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
>
> On a working system I see the following permissions for the above files:
> # ls -lZ /var/kerberos/krb5kdc/kdc.crt
> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
> # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>
> Do you have the package krb5-pkinit installed on your machine?
>
> flo
>
>> Does someone know in which direction I need to debug further?
>>
>> Cheers
>> Boris
>> --
>> The "UTF-8-Probleme" self-help group will, as an exception, meet in the large hall this time.
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>

--
The "UTF-8-Probleme" self-help group will, as an exception, meet in the large hall this time.
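The failing command in the traceback is an anonymous PKINIT `kinit -n` whose trust anchors are `kdc.crt` and `kdc-ca-bundle.pem`; it can only succeed if the KDC's PKINIT certificate is currently valid and chains to a CA in that bundle. The script below, an added example and not code from the thread or from FreeIPA, turns flo's three checks (issuer of `kdc.crt`, CAs present in the bundle, validity) into shell functions and adds a constructed throw-away PKI so they can be exercised offline; the paths default to the ones in the traceback, and the `Example IPA CA`, `kdc.example.test` and `Unrelated CA` names are made up for the self-test. It only needs the `openssl` CLI. Note that the output difference Boris spotted is not a file-mode difference: the trailing `.` in `-rw-r--r--.` is coreutils marking a file that carries a security context, and a `?` in the context column means `ls -Z` could not read a label at all, which on an otherwise identical host is worth checking with `getenforce` and `restorecon -v` separately from the certificate question.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): flo's PKINIT anchor checks as
# functions, plus a constructed PKI for an offline self-test. Requires openssl.
KDC_CRT=${KDC_CRT:-/var/kerberos/krb5kdc/kdc.crt}
KDC_CA_BUNDLE=${KDC_CA_BUNDLE:-/var/lib/ipa-client/pki/kdc-ca-bundle.pem}

# Subject, issuer and validity window of one certificate.
cert_info() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Exit 0 when issuer == subject, i.e. a self-signed PKINIT cert rather than
# one issued by the IPA CA. Both strings come from the same nameopt, so a
# plain comparison is safe across OpenSSL versions.
cert_is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Subjects of every CA in a PEM bundle (flo's crl2pkcs7 pipeline, subjects only).
bundle_ca_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | sed -n 's/^subject=//p'
}

# Exit 0 when the cert chains to a CA in the bundle and is within its validity
# period: the same condition kinit -X X509_anchors=FILE:... has to satisfy.
cert_chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when the certificate has not expired yet.
cert_is_current() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Constructed test PKI (hypothetical names): one CA that issues a KDC cert and
# one unrelated CA, written to a temp directory whose path is printed.
make_test_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example IPA CA" \
        -keyout "$d/ca.key" -out "$d/kdc-ca-bundle.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=kdc.example.test" \
        -keyout "$d/kdc.key" -out "$d/kdc.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/kdc.csr" -CA "$d/kdc-ca-bundle.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/kdc.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other-bundle.pem" >/dev/null 2>&1
    echo "$d"
}

# Full report for one cert/bundle pair; exit 1 if the anchor check fails.
check_pkinit_anchors() {
    crt=$1; bundle=$2
    echo "== $crt"; cert_info "$crt"
    if cert_is_self_signed "$crt"; then echo "self-signed"; else echo "CA-issued"; fi
    echo "== CAs in $bundle"; bundle_ca_subjects "$bundle"
    cert_is_current "$crt" || echo "WARNING: $crt has expired"
    if cert_chains_to_bundle "$crt" "$bundle"; then
        echo "OK: $crt chains to a CA in $bundle"
    else
        echo "FAIL: $crt does not chain to any CA in $bundle"; return 1
    fi
}

case "${1:-}" in
    check)    check_pkinit_anchors "${2:-$KDC_CRT}" "${3:-$KDC_CA_BUNDLE}" ;;
    selftest) d=$(make_test_pki)
              check_pkinit_anchors "$d/kdc.crt" "$d/kdc-ca-bundle.pem"
              check_pkinit_anchors "$d/kdc.crt" "$d/other-bundle.pem" || true
              rm -rf "$d" ;;
    *)        echo "usage: $0 check [kdc.crt kdc-ca-bundle.pem] | selftest" ;;
esac
```

Run `sh pkinit-check.sh check` as root on ipa2 to test the real files, or `sh pkinit-check.sh selftest` anywhere to see one passing and one failing pair. `openssl verify` is deliberately used instead of eyeballing the Issuer line: it also catches an expired anchor, a bundle that holds an older generation of the IPA CA after a renewal, and a KDC cert that was re-issued by a CA the bundle never received.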
