freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.

First run - "Enter pass phrase for /var/lib/ipa/private/httpd.key" ? #18

Closed HeneryH closed 3 years ago

HeneryH commented 4 years ago

Trying to run a fresh install on Fedora 32b all from scratch on 12-Apr-2020.

Running as sudo su, after doing a kinit admin, the setup script chugs for quite a while then throws this error. Is this asking me to create or verify a passphrase? I never created it so I don't know what it is. Is it asking me for a new one? It failed. Do I need to create one as a prereq?

Also not sure if the failure on the /root/ipa-le/ipa-httpd.cnf is just because this is the first run.

Any suggestions? User error? Thanks

```
. . . .
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/ipa/nssdb', '-A', '-n', 'letsencryptx3', '-t', 'C,,', '-a', '-f', '/etc/ipa/nssdb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/update-ca-trust']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/update-ca-trust']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140224107767696
ipapython.admintool: INFO: The ipa-certupdate command was successful
Can't open /root/ipa-le/ipa-httpd.cnf for reading, No such file or directory
140437864580928:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/root/ipa-le/ipa-httpd.cnf','r')
140437864580928:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
140437864580928:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:603:
140437864580928:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:
140437864580928:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:
140437864580928:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
```

HeneryH commented 4 years ago

So sorry, can't seem to get the output to wrap the newlines.

This is the error line by itself:

```
Enter pass phrase for /var/lib/ipa/private/httpd.key:
unable to load Private Key
```

HeneryH commented 4 years ago

Doing some investigation out loud here...

So maybe there already is a key for the httpd service and it is trying to read that key in.

When I look in the web UI, I see a service for HTTP/ipa1.lab.flynnhome.org@LAB..ORG but how could that impact me using the LetsEncrypt scripts?? Hmmmm.

rcritten commented 4 years ago

You need to apply the changes in this PR https://github.com/freeipa/freeipa-letsencrypt/pull/16

HeneryH commented 4 years ago

@mkosek @rcritten Hi Martin and Rob. Thanks for the help to the noob. I went and cloned Martin's repo and ran that. It made more progress but then I hit this error...

```
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140147645009152
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
```

Do you think this might be user error? I did: `sudo su; kinit admin; ./setup.sh`

HeneryH commented 4 years ago

Here is my full log of output https://github.com/HeneryH/dropbox/blob/master/full_log

rcritten commented 4 years ago

It's not clear where that error is coming from. Given the setup seems to have worked I'd try running this directly for more output:

bash -x ./renew-le.sh" "--first-time"

HeneryH commented 4 years ago

@rcritten your copy/paste has some weird stuff with quotes, but if I am to assume you mean

```
bash -x ./renew-le.sh --first-time
```

this is what I get:

```
+ set -o nounset -o errexit
+ WORKDIR=/root/ipa-le
+ EMAIL=
+ '[' --first-time '!=' --first-time ']'
+ rm -f '/root/ipa-le/*.pem'
+ rm -f /root/ipa-le/httpd-csr.der
++ hostname -f
++ hostname -f
+ certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt -s CN=ipa1.lab.<mydomain>.org --extSAN dns:ipa1.lab.<mydomain>.org -o /root/ipa-le/httpd-csr.der
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.
```

rcritten commented 4 years ago

Perhaps refresh from current master. The code you have is no longer upstream. renew-le.sh doesn't call certutil at all in HEAD.

HeneryH commented 4 years ago

I couldn't figure out how to get mkosek's PR into my file system due to my lack of skill with git :) so I just cloned his whole forked repo.

I'll try again later. Thanks Rob!

rcritten commented 4 years ago

This will do it:

```
git clone https://github.com/mkosek/freeipa-letsencrypt
cd freeipa-letsencrypt/
git checkout fix-workdir
```

HeneryH commented 4 years ago

I may have been on the wrong path here...

There is a key in /var/lib/ipa/private/httpd.key that has a time stamp of when I installed the system and FreeIPA. When I test the passphrase it is telling me that the passphrase I entered is incorrect. I only ever use one or two go-to passphrases for this sort of testing so I can't imagine I used a different one. I have to go back to the installation and try to figure out what that passphrase might have been.

HeneryH commented 4 years ago

Solved but took some research...

Found a way for FreeIPA to print out the key passphrase that it generated when installing. Not sure how safe this is :) but the following command printed out the passphrase for the httpd key:

```
bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
```

```
+ USAGE='./ipa-pwdreader host:port RSA|DSA|ECC|number'
+ '[' 2 -ne 2 ']'
+ fname=ipa1.lab..org-443-RSA
+ pwdpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
++ /usr/bin/realpath -e /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ checkpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ '[' /var/lib/ipa/passwds/ipa1.lab..org-443-RSA == /var/lib/ipa/passwds/ipa1.lab..org-443-RSA ']'
+ cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
xxxxxxxxxx <-- my passphrase --> xxxxxxxxxxxx
```

mkosek commented 4 years ago

@rcritten , since I did not see objections, I merged the respective PR to this repo, so that it is not that complicated.

917huB commented 4 years ago

@HeneryH thank you, this solved my issue as well. Should this password be auto-entered in the generation script, and if not, will this issue affect renewals of the lets automate cert in 90 days?

thinkmassive commented 4 years ago

I solved this by adding `-passin file:$OPENSSL_PASSWD_FILE` to the openssl command when that file (`/var/lib/ipa/passwds/$HOSTNAME-443-RSA`) is present. See the commit in my fork: https://github.com/thinkmassive/freeipa-letsencrypt/commit/b682c6ecb024c502e7a135f60de822e340e3b33a
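
The two fixes discussed in this thread (reading the installer-generated passphrase from `/var/lib/ipa/passwds/<fqdn>-443-RSA`, which is what `ipa-httpd-pwdreader` does for mod_ssl, and handing it to openssl with `-passin file:` instead of answering the "Enter pass phrase" prompt by hand) combined into one script. This is an added example, not code from freeipa-letsencrypt, thinkmassive's fork, or FreeIPA. It assumes the passphrase file name `<fqdn>-443-RSA` under `/var/lib/ipa/passwds` as shown in the `ipa-httpd-pwdreader` trace above, and defaults the host to `hostname -f`; both paths can be overridden through environment variables so the functions can be exercised against a scratch key.

```shell
#!/bin/bash
# Added example (not part of freeipa-letsencrypt or FreeIPA): unlock the
# httpd private key with the passphrase ipa-server-install generated for it,
# without prompting, the way thinkmassive's fork does with "-passin file:".
#
# Assumptions (overridable for testing):
#   IPA_PASSWD_DIR  directory FreeIPA keeps mod_ssl passphrases in
#   HTTPD_KEY       the PEM key renew-le.sh feeds to openssl
set -o nounset -o errexit

IPA_PASSWD_DIR="${IPA_PASSWD_DIR:-/var/lib/ipa/passwds}"
HTTPD_KEY="${HTTPD_KEY:-/var/lib/ipa/private/httpd.key}"

# Path that ipa-httpd-pwdreader resolves for "<host>:443 RSA".
# $1 = FQDN; defaults to `hostname -f` like renew-le.sh does.
ipa_passwd_file() {
    local host="${1:-$(hostname -f)}"
    printf '%s/%s-443-RSA\n' "$IPA_PASSWD_DIR" "$host"
}

# Print the openssl option (one word per line) that unlocks the key, or
# nothing when FreeIPA left no passphrase file. The passphrase itself is
# never echoed; openssl reads it from the file, which stays root-only.
openssl_passin_args() {
    local f
    f="$(ipa_passwd_file "${1:-}")"
    if [ -r "$f" ]; then
        printf '%s\n' "-passin" "file:$f"
    fi
}

# Export the key unencrypted for the CSR / ACME step. This is the step that
# stopped on "Enter pass phrase for /var/lib/ipa/private/httpd.key:" in the
# reports above when the passphrase was not supplied.
# $1 = FQDN, $2 = output path (keep it inside the root-only WORKDIR and
# remove it after the CSR has been produced).
export_plain_key() {
    local host="$1" out="$2"
    local -a args=()
    local f
    f="$(ipa_passwd_file "$host")"
    if [ -r "$f" ]; then
        args=(-passin "file:$f")
    fi
    umask 077
    openssl rsa -in "$HTTPD_KEY" -out "$out" "${args[@]}" 2>/dev/null
    chmod 0600 "$out"
}

# Usage from a renewal script:
#   export_plain_key "$(hostname -f)" "$WORKDIR/httpd-plain.key"
```

If `openssl_passin_args` prints nothing, there is no FreeIPA-managed passphrase file for that host and port, and openssl will fall back to prompting; that is the symptom the original report shows, and in that case `ls /var/lib/ipa/passwds/` is the first thing to check (the file name must match `hostname -f` exactly).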

senare commented 3 years ago

Hi, this seems to do the trick, at least for me! So I would like to see that change merged?

I am not sure how to go about that but it seems I can create a PR? Hope that is fine with @thinkmassive?

(Centos8 btw ..)

arifulislamat commented 3 years ago

```
bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
```

I have tried to run this bash command but get the following errors. I am on Fedora 33.

```
+ 'mod_ssl password reader
This program is a handler written for Apache mod_ssl'\''s SSLPassPhraseDialog.

If you'\''d like to write your custom binary providing passwords to mod_ssl,
see the documentation of the aforementioned directive of the mod_ssl module.
'
/usr/libexec/ipa/ipa-httpd-pwdreader: line 7: $'mod_ssl password reader\nThis program is a handler written for Apache mod_ssl\'s SSLPassPhraseDialog.\n\nIf you\'d like to write your custom binary providing passwords to mod_ssl,\nsee the documentation of the aforementioned directive of the mod_ssl module.\n': command not found
+ import argparse
/usr/libexec/ipa/ipa-httpd-pwdreader: line 8: import: command not found
+ import os
/usr/libexec/ipa/ipa-httpd-pwdreader: line 9: import: command not found
+ from ipaplatform.paths import paths
/usr/libexec/ipa/ipa-httpd-pwdreader: line 11: from: command not found
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: syntax error near unexpected token `('
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: `HTTPD_PASSWD_DIR = os.path.realpath('
[root@ipa ~]# cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
cat: /var/lib/ipa/passwds/ipa1.lab..org-443-RSA: No such file or directory
```

abbra commented 3 years ago

The script ipa-httpd-pwdreader is written in python, so you don't need to use bash -x to run it.

arifulislamat commented 3 years ago

> The script ipa-httpd-pwdreader is written in python, so you don't need to use bash -x to run it.

Thanks for your quick response. I was trying to get the key passphrase, like @HeneryH was showing as a solution.

rcritten commented 3 years ago

So execute `python /usr/libexec/ipa/ipa-httpd-pwdreader` instead (or python3 or whatever your distro uses).

Or look directly in `/var/lib/ipa/passwds/`