Closed HeneryH closed 3 years ago
So sorry, can't seem to get the output to wrap the newlines.
This is the error line by itself:

```
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
```
Doing some investigation out loud here...
So maybe there already is a key for the httpd service and it is trying to read that key in.
When I look in the web UI, I see a service for HTTP/ipa1.lab.flynnhome.org@LAB.
You need to apply the changes in this PR https://github.com/freeipa/freeipa-letsencrypt/pull/16
@mkosek @rcritten Hi Martin and Rob. Thanks for the help to the noob. I went and cloned Martin's repo and ran that. It made more progress but then I hit this error...
```
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140147645009152
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
```
Do you think this might be user error? I did: `sudo su; kinit admin; ./setup.sh`
Here is my full log of output https://github.com/HeneryH/dropbox/blob/master/full_log
It's not clear where that error is coming from. Given the setup seems to have worked I'd try running this directly for more output:
@rcritten your copy/paste has some weird stuff with quotes but if I am to assume you mean
```
bash -x ./renew-le.sh --first-time
+ set -o nounset -o errexit
+ WORKDIR=/root/ipa-le
+ EMAIL=
+ '[' --first-time '!=' --first-time ']'
+ rm -f '/root/ipa-le/*.pem'
+ rm -f /root/ipa-le/httpd-csr.der
++ hostname -f
++ hostname -f
+ certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt -s CN=ipa1.lab.<mydomain>.org --extSAN dns:ipa1.lab.<mydomain>.org -o /root/ipa-le/httpd-csr.der
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
```
Perhaps refresh from current master. The code you have is no longer upstream; renew-le.sh doesn't call certutil at all in HEAD.
I couldn't figure out how to get mkosek's PR into my file system due to my lack of skill with git :) so I just cloned his whole forked repo.
I'll try again later. Thanks Rob!
This will do it:
```
git clone https://github.com/mkosek/freeipa-letsencrypt
cd freeipa-letsencrypt/
git checkout fix-workdir
```
I may have been on the wrong path here...
There is a key in /var/lib/ipa/private/httpd.key that has a time stamp of when I installed the system and FreeIPA. When I test the passphrase it is telling me that the passphrase I entered is incorrect. I only ever use one or two go-to passphrases for this sort of testing so I can't imagine I used a different one. I have to go back to the installation and try to figure out what that passphrase might have been.
Solved but took some research...
Found a way for FreeIPA to print out the key passphrase that it generated when installing. Not sure how safe this is :) but the following command printed out the passphrase for the httpd key:
```
bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
+ USAGE='./ipa-pwdreader host:port RSA|DSA|ECC|number'
+ '[' 2 -ne 2 ']'
+ fname=ipa1.lab..org-443-RSA
+ pwdpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
++ /usr/bin/realpath -e /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ checkpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ '[' /var/lib/ipa/passwds/ipa1.lab..org-443-RSA == /var/lib/ipa/passwds/ipa1.lab..org-443-RSA ']'
+ cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
xxxxxxxxxx <-- my passphrase --> xxxxxxxxxxxx
```
@rcritten , since I did not see objections, I merged the respective PR to this repo, so that it is not that complicated.
@HeneryH thank you, this solved my issue as well. Should this password be auto-entered in the generation script, and if not, will this issue affect renewals of the Let's Encrypt cert in 90 days?
I solved this by adding `-passin file:$OPENSSL_PASSWD_FILE` to the openssl command when that file (`/var/lib/ipa/passwds/$HOSTNAME-443-RSA`) is present. See the commit in my fork: https://github.com/thinkmassive/freeipa-letsencrypt/commit/b682c6ecb024c502e7a135f60de822e340e3b33a
Hi, this seems to do the trick, at least for me! So I would like to see that change merged?
I am not sure how to go about that, but it seems I can create a PR? Hope that is fine with @thinkmassive?
(Centos8 btw ..)
```
bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
```
I have tried to run this bash command but get the following errors. I am on Fedora 33.
```
+ 'mod_ssl password reader
This program is a handler written for Apache mod_ssl'\''s SSLPassPhraseDialog.
If you'\''d like to write your custom binary providing passwords to mod_ssl,
see the documentation of the aforementioned directive of the mod_ssl module.
'
/usr/libexec/ipa/ipa-httpd-pwdreader: line 7: $'mod_ssl password reader\nThis program is a handler written for Apache mod_ssl\'s SSLPassPhraseDialog.\n\nIf you\'d like to write your custom binary providing passwords to mod_ssl,\nsee the documentation of the aforementioned directive of the mod_ssl module.\n': command not found
+ import argparse
/usr/libexec/ipa/ipa-httpd-pwdreader: line 8: import: command not found
+ import os
/usr/libexec/ipa/ipa-httpd-pwdreader: line 9: import: command not found
+ from ipaplatform.paths import paths
/usr/libexec/ipa/ipa-httpd-pwdreader: line 11: from: command not found
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: syntax error near unexpected token `('
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: `HTTPD_PASSWD_DIR = os.path.realpath('
[root@ipa ~]# cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
cat: /var/lib/ipa/passwds/ipa1.lab..org-443-RSA: No such file or directory
```
The script `ipa-httpd-pwdreader` is written in python, so you don't need to use `bash -x` to run it.
Thanks for your quick response. I was trying to get the key passphrase, like @HeneryH was showing as a solution.
So execute `python /usr/libexec/ipa/ipa-httpd-pwdreader` instead (or `python3` or whatever your distro uses).
Or look directly in `/var/lib/ipa/passwds/`
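The two pieces of advice above (thinkmassive's `-passin file:` approach and Rob's pointer to `/var/lib/ipa/passwds/`) combined into one added shell example; this is not code from the freeipa-letsencrypt project or from any commenter. It assumes the passphrase file path `/var/lib/ipa/passwds/<fqdn>-443-RSA` and the key path `/var/lib/ipa/private/httpd.key` quoted in the thread; `IPA_PASSWD_DIR` and `IPA_HTTPD_KEY` are hypothetical overrides added so the helpers can be exercised against a scratch directory. Unlike the `bash -x ... | cat` approach, it never writes the passphrase to the terminal, and it checks that the file is owner-only before scripting it into a renewal.

```shell
#!/bin/sh
# Added example, not freeipa-letsencrypt project code.
# Feed IPA's own Apache key passphrase file to openssl via -passin instead
# of printing it. Paths below are the ones quoted in the thread; the two
# variables are hypothetical overrides for testing on a scratch directory.
IPA_PASSWD_DIR="${IPA_PASSWD_DIR:-/var/lib/ipa/passwds}"
IPA_HTTPD_KEY="${IPA_HTTPD_KEY:-/var/lib/ipa/private/httpd.key}"

# Path of the passphrase file for a host, same naming as ipa-httpd-pwdreader uses.
ipa_pwfile() {
    printf '%s/%s-443-RSA\n' "$IPA_PASSWD_DIR" "$1"
}

# Echo the openssl -passin source ("file:<path>") when the IPA passphrase
# file is readable; print nothing and return 1 otherwise, so the caller can
# fall back to openssl's interactive prompt (the prompt seen in the thread).
ipa_passin_source() {
    pwfile=$(ipa_pwfile "$1")
    if [ -r "$pwfile" ]; then
        printf 'file:%s\n' "$pwfile"
        return 0
    fi
    return 1
}

# Return 0 only when the passphrase file exists and is not readable,
# writable or executable by group or others. It holds the key passphrase
# in clear, so anything beyond owner-only access should be fixed before
# the file is wired into an unattended renewal.
ipa_pwfile_is_private() {
    pwfile=$(ipa_pwfile "$1")
    [ -e "$pwfile" ] || return 1
    # ls -ld prints a mode string like -rw-------; columns 5-10 are the
    # group and other permission bits.
    mode=$(ls -ld "$pwfile" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Generate a CSR from the existing httpd key. The passphrase comes from the
# IPA file when present (no prompt); otherwise openssl prompts as usual.
make_csr() {
    fqdn="$1"; csr_out="$2"
    pwfile=$(ipa_pwfile "$fqdn")
    if [ -e "$pwfile" ] && ! ipa_pwfile_is_private "$fqdn"; then
        echo "warning: $pwfile is readable by group or others" >&2
    fi
    if passin=$(ipa_passin_source "$fqdn"); then
        set -- -passin "$passin"
    else
        set --
    fi
    openssl req -new -key "$IPA_HTTPD_KEY" -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" "$@" -out "$csr_out"
}

# Usage (example paths): make_csr "$(hostname -f)" /root/ipa-le/httpd-csr.pem
```

`ipa_passin_source` returns the source string rather than running anything, so the decision of where the passphrase comes from can be checked separately from the openssl invocation; `make_csr` passes it through `set --` so an absent file yields no extra arguments rather than an empty one.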
Trying to run a fresh install on Fedora 32b all from scratch on 12-Apr-2020.
Running as sudo su, after doing a kinit admin, the setup script chugs for quite a while then throws this error. Is this asking me to create or verify a passphrase? I never created it so I don't know what it is. Is it asking me for a new one? It failed. Do I need to create one as a prereq?
Also not sure if the failure on the /root/ipa-le/ipa-httpd.cnf is just because this is the first run.
Any suggestions? User error? Thanks
```
. . . .
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/ipa/nssdb', '-A', '-n', 'letsencryptx3', '-t', 'C,,', '-a', '-f', '/etc/ipa/nssdb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/update-ca-trust']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/update-ca-trust']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140224107767696
ipapython.admintool: INFO: The ipa-certupdate command was successful
Can't open /root/ipa-le/ipa-httpd.cnf for reading, No such file or directory
140437864580928:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/root/ipa-le/ipa-httpd.cnf','r')
140437864580928:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
140437864580928:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:603:
140437864580928:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:
140437864580928:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:
140437864580928:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
```