freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.

Error: certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization. (summary, doesn't work with 4.7.x) #12

Closed cmonty14 closed 4 years ago

cmonty14 commented 5 years ago

I executed the script setup.sh from the "freeipa-letsencrypt" package. The installation finished with this error message:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140228802354200
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error
occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An
I/O error occurred during security authorization.

What's causing this error? And how can I fix this?

The file "httpd-csr.der" in the working directory (in my case /etc/ssl/ipa-le/) is 0 bytes. Therefore I conclude that the installation was not successful.

[root@ipa freeipa-letsencrypt]# ls -lR /etc/ssl/ipa-le/
/etc/ssl/ipa-le/:
insgesamt 0
drwxr-xr-x. 2 root root 187 3. Nov 19:49 ca
-rw-r-----. 1 root root 0 3. Nov 20:19 httpd-csr.der

/etc/ssl/ipa-le/ca:
insgesamt 24
-rw-r--r--. 1 root root 1220 3. Nov 19:49 DSTRootCAX3.pem
-rw-r--r--. 1 root root 1967 3. Nov 19:49 isrgrootx1.pem
-rw-r--r--. 1 root root 1702 3. Nov 19:49 LetsEncryptAuthorityX1.pem
-rw-r--r--. 1 root root 1675 3. Nov 19:49 LetsEncryptAuthorityX2.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX3.pem
-rw-r--r--. 1 root root 1647 3. Nov 19:49 LetsEncryptAuthorityX4.pem

THX

rcritten commented 5 years ago

What version of IPA?

cmonty14 commented 5 years ago

It's the latest version provided by Fedora 29: 4.7.1

I don't fully understand the implementation of Let's Encrypt on Fedora. But I run a reverse proxy (HAProxy) on Debian with LE, and in that case there must be some specific configuration in order to have a working LE. Therefore I cannot exclude that the issue is related to a communication problem with the "LE registration server", because the FreeIPA server is not directly connected to the internet but is running in a NAT network.

rcritten commented 5 years ago

The issue is that IPA 4.7 no longer uses NSS to store the Apache server certificate so this script will not work with that version.
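
As an added preflight check, not part of the freeipa-letsencrypt script or of this thread, the following shell functions decide from the installed IPA version whether the Apache certificate is expected in the NSS database (where the script's certutil calls look for the "Server-Cert" nickname) or in a PEM file, so the script can stop before producing the empty httpd-csr.der seen above. The NSS database path /etc/httpd/alias, the PEM path /var/lib/ipa/certs/httpd.crt and the "VERSION: x.y.z, ..." output format of `ipa --version` are assumptions.

```shell
#!/bin/sh
# Added example, not part of freeipa-letsencrypt. Assumed locations:
NSS_DB="${NSS_DB:-/etc/httpd/alias}"                 # NSS DB used by IPA < 4.7 (assumption)
NSS_NICK="${NSS_NICK:-Server-Cert}"                  # nickname the script's certutil calls use
PEM_CERT="${PEM_CERT:-/var/lib/ipa/certs/httpd.crt}" # PEM cert used by IPA >= 4.7 (assumption)

# httpd_cert_backend VERSION: prints "nss" for IPA < 4.7 and "pem" otherwise.
# Only major.minor are compared, so "4.7.1", "4.8", "4.10.0" and "5" all work.
httpd_cert_backend() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    # a bare major such as "5" has no minor component
    if [ "$rest" = "$1" ]; then minor=0; fi
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 7 ]; }; then
        echo nss
    else
        echo pem
    fi
}

# parse_ipa_version LINE: extracts "4.7.1" from "VERSION: 4.7.1, API_VERSION: 2.230"
# (assumed output format of `ipa --version`); prints nothing if the line does not match.
parse_ipa_version() {
    printf '%s\n' "$1" | sed -n 's/^VERSION: \([0-9][0-9.]*\).*/\1/p'
}

installed_ipa_version() {
    parse_ipa_version "$(ipa --version 2>/dev/null)"
}

# preflight: returns 0 only when the NSS-based setup.sh can be expected to work.
preflight() {
    ver=$(installed_ipa_version)
    if [ -z "$ver" ]; then echo "cannot determine IPA version" >&2; return 2; fi
    case $(httpd_cert_backend "$ver") in
        nss)
            # the certutil steps need the nickname to exist in the database
            if ! certutil -L -d "$NSS_DB" -n "$NSS_NICK" >/dev/null 2>&1; then
                echo "IPA $ver: $NSS_NICK not found in $NSS_DB" >&2; return 1
            fi ;;
        pem)
            echo "IPA $ver keeps the httpd cert in $PEM_CERT, not NSS; setup.sh will fail" >&2
            return 1 ;;
    esac
}
```

Run `preflight` at the top of setup.sh and abort when it returns non-zero; `httpd_cert_backend 4.7.1` alone prints `pem`.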

cmonty14 commented 5 years ago

What is the proposed procedure to implement a certificate with LE for FreeIPA 4.7.x?

rcritten commented 5 years ago

There isn't one currently. This issue will stand as the bug report that the script doesn't work with 4.7.x.

petri3 commented 4 years ago

No news ... Is this git dead?

rcritten commented 4 years ago

Yes, it is unsupported.

petri3 commented 4 years ago

Oki :-( . But do you have another solution? Is it really impossible to have a Let's Encrypt certificate for FreeIPA 4.8? Thanks in advance if you have information about that :-)

mkosek commented 4 years ago

@petri3, I use FreeIPA with a Let's Encrypt certificate when running https://ipa.demo1.freeipa.org/ipa/ui/. I finally took the time to upload my locally modified scripts to create a pull request - see #14. Does that work for you? I have not merged that myself and would prefer a second pair of eyes.