How to Install FreeIPA Server + Let's Encrypt on CentOS 7

FreeIPA is a free and open source identity management system and the upstream open-source project for Red Hat Identity Manager (Wikipedia). It is an Identity, Policy, and Audit (IPA) suite, combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, BIND DNS, Dogtag, the Apache web server, and Python.

FreeIPA comes with a command-line administration tool and a web UI running on top of Python and the Apache web server.
Let’s Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time. (Wikipedia)

This installation of FreeIPA and Let’s Encrypt was tested on CentOS 7 using a real domain (shown here as vmbs.uk): the FreeIPA server was ipa.ldap.vmbs.uk, with a DNS A record pointing to the AWS EC2 instance.

Setup Hosts

First of all, we’re going to change the server hostname, and then edit the ‘/etc/hosts’ file and set up the FQDN.

hostnamectl set-hostname ipa.ldap.vmbs.uk

Edit the ‘/etc/hosts’ file of the system.

echo 10.0.208.10 ipa.ldap.vmbs.uk ipa ipa.ldap ldap >> /etc/hosts

Make sure that the configuration was added to the hosts file.

cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.208.10 ipa.ldap.vmbs.uk ipa ipa.ldap ldap
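The ‘echo ... >> /etc/hosts’ line above appends a new line every time it is run, so running it twice leaves duplicate entries. The following bash functions are an added example (not from the original post): they add the entry idempotently, replace it if the address changes, look an entry up, and check that the name is a lowercase FQDN (which ipa-server-install requires) before the installer is started. The hosts file path is a parameter so the functions can be run against a scratch copy; the sample content is constructed from the listing above.

```bash
#!/usr/bin/env bash
# Added example: idempotent /etc/hosts handling for the FreeIPA host.
# Assumes bash 4+ and awk/mktemp; the hosts file path is a parameter so the
# functions can be exercised on a scratch copy instead of the real file.
set -o nounset -o errexit

# is_fqdn NAME: 0 if NAME is a lowercase FQDN with at least two labels and
# is not a localhost alias (ipa-server-install rejects both cases).
is_fqdn() {
    local name=$1
    local re='^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
    [[ $name =~ $re ]] || return 1
    [[ $name != localhost.* ]]
}

# ensure_hosts_entry FILE IP FQDN [ALIAS...]
# Writes "IP FQDN ALIASES" to FILE. Any existing non-comment line that
# already names FQDN (as name or alias) is dropped first, so re-running never
# duplicates the entry and a changed IP replaces the old mapping.
ensure_hosts_entry() {
    local file=$1 ip=$2 fqdn=$3
    shift 3
    local line="$ip $fqdn $*"
    line=${line% }                     # no aliases -> no trailing blank
    local tmp
    tmp=$(mktemp)
    awk -v h="$fqdn" '
        /^[[:space:]]*#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == h) next }
        { print }
    ' "$file" > "$tmp"
    printf '%s\n' "$line" >> "$tmp"
    cat "$tmp" > "$file"               # overwrite in place, keeping mode/owner
    rm -f "$tmp"
}

# hosts_lookup FILE NAME: prints the address mapped to NAME (exact match on
# the name or an alias); exit 1 if there is none.
hosts_lookup() {
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Demo on a constructed scratch copy of the hosts file shown above.
demo_hosts() {
    local f
    f=$(mktemp)
    printf '%s\n' \
        '127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4' \
        '::1         localhost localhost.localdomain localhost6 localhost6.localdomain6' > "$f"
    is_fqdn ipa.ldap.vmbs.uk || { echo "not a usable FQDN" >&2; return 1; }
    ensure_hosts_entry "$f" 10.0.208.10 ipa.ldap.vmbs.uk ipa ipa.ldap ldap
    ensure_hosts_entry "$f" 10.0.208.10 ipa.ldap.vmbs.uk ipa ipa.ldap ldap  # second run: no duplicate
    cat "$f"
    hosts_lookup "$f" ipa.ldap.vmbs.uk
    rm -f "$f"
}
demo_hosts
```

On the server the calls would be ‘ensure_hosts_entry /etc/hosts 10.0.208.10 ipa.ldap.vmbs.uk ipa ipa.ldap ldap’ followed by ‘hosts_lookup /etc/hosts "$(hostname -f)"’ as a last check before ipa-server-install.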

Install FreeIPA Packages

After setting up the hostname and FQDN of the server, we’re going to install FreeIPA packages from the official CentOS repository.

yum install -y ipa-server bind-dyndb-ldap ipa-server-dns

Next, disable SELinux to make the installation easier. If you know how to work with SELinux, it is better to keep it enabled.

vi /etc/selinux/config

Change option SELINUX=enforcing to SELINUX=disabled

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Save and reboot the server so the change takes effect.

reboot now

In this step, we set up the FreeIPA server and its integrated DNS. FreeIPA provides an interactive command-line installer for this, so the configuration is easy to administer.

ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================
This program will set up the IPA Server.

This includes:

  • Configure a stand-alone CA (dogtag) for certificate management
  • Configure the Network Time Daemon (ntpd)
  • Create and configure an instance of Directory Server
  • Create and configure a Kerberos Key Distribution Center (KDC)
  • Configure Apache (httpd)
  • Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service ‘chronyd’ will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you’re setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa.ldap.vmbs.uk]: ipa.ldap.vmbs.uk

Warning: skipping DNS resolution of host ipa.ldap.vmbs.uk
The domain name has been determined based on the host name.

Please confirm the domain name [ldap.vmbs.uk]: ldap.vmbs.uk

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [LDAP.VMBS.UK]: LDAP.VMBS.UK
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: your password
Password (confirm): confirm your password

The IPA server requires an administrative user, named ‘admin’.
This user is a regular system account used for IPA server administration.

IPA admin password: your password
Password (confirm): confirm your password

Checking DNS domain ldap.vmbs.uk., please wait …
Do you want to configure DNS forwarders? [yes]: yes
Following DNS servers are configured in /etc/resolv.conf: 10.0.208.3
Do you want to configure these servers as DNS forwarders? [yes]: yes
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait …
DNS server 10.0.208.2: answer to query ‘. SOA’ is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive “dnssec-enable yes;” to “options {}”)
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]: yes

The IPA Master Server will be configured with:
Hostname: ipa.ldap.vmbs.uk
IP address(es): 10.0.208.10
Domain name: ldap.vmbs.uk
Realm name: LDAP.VMBS.UK

BIND DNS server will be configured to serve IPA domain with:
Forwarders: 10.0.208.3, 8.8.8.8
Forward policy: only
Reverse zone(s): No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/44]: creating directory server instance
[2/44]: enabling ldapi
[3/44]: configure autobind for root
[4/44]: stopping directory server
[5/44]: updating configuration in dse.ldif
[6/44]: starting directory server
[7/44]: adding default schema
[8/44]: enabling memberof plugin
[9/44]: enabling winsync plugin
[10/44]: configuring replication version plugin
[11/44]: enabling IPA enrollment plugin
[12/44]: configuring uniqueness plugin
[13/44]: configuring uuid plugin
[14/44]: configuring modrdn plugin
[15/44]: configuring DNS plugin
[16/44]: enabling entryUSN plugin
[17/44]: configuring lockout plugin
[18/44]: configuring topology plugin
[19/44]: creating indices
[20/44]: enabling referential integrity plugin
[21/44]: configuring certmap.conf
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: adding sasl mappings to the directory
[27/44]: adding default layout
[28/44]: adding delegation layout
[29/44]: creating container for managed entries
[30/44]: configuring user private groups
[31/44]: configuring netgroups from hostgroups
[32/44]: creating default Sudo bind user
[33/44]: creating default Auto Member layout
[34/44]: adding range check plugin
[35/44]: creating default HBAC rule allow_all
[36/44]: adding entries for topology management
[37/44]: initializing group membership
[38/44]: adding master entry
[39/44]: initializing domain level
[40/44]: configuring Posix uid/gid generation
[41/44]: adding replication acis
[42/44]: activating sidgen plugin
[43/44]: activating extdom plugin
[44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
[2/29]: reindex attributes
[3/29]: exporting Dogtag certificate store pin
[4/29]: stopping certificate server instance to update CS.cfg
[5/29]: backing up CS.cfg
[6/29]: disabling nonces
[7/29]: set up CRL publishing
[8/29]: enable PKIX certificate path discovery and validation
[9/29]: starting certificate server instance
[10/29]: configure certmonger for renewals
[11/29]: requesting RA certificate from CA
[12/29]: setting audit signing renewal to 2 years
[13/29]: restarting certificate server
[14/29]: publishing the CA certificate
[15/29]: adding RA agent as a trusted user
[16/29]: authorizing RA to modify profiles
[17/29]: authorizing RA to manage lightweight CAs
[18/29]: Ensure lightweight CAs container exists
[19/29]: configure certificate renewals
[20/29]: configure Server-Cert certificate renewal
[21/29]: Configure HTTP to proxy connections
[22/29]: restarting certificate server
[23/29]: updating IPA configuration
[24/29]: enabling CA instance
[25/29]: migrating certificate profiles to LDAP
[26/29]: importing IPA certificate profiles
[27/29]: adding default CA ACL
[28/29]: adding ‘ipa’ CA entry
[29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: setting mod_nss port to 443
[3/22]: setting mod_nss cipher suite
[4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[5/22]: setting mod_nss password file
[6/22]: enabling mod_nss renegotiate
[7/22]: disabling mod_nss OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: importing CA certificates from LDAP
[15/22]: publish CA cert
[16/22]: clean up any existing httpd ccaches
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
[1/11]: generating rndc key file
[2/11]: adding DNS container
[3/11]: setting up our zone
[4/11]: setting up our own record
[5/11]: setting up records for other masters
[6/11]: adding NS record to the zones
[7/11]: setting up kerberos principal
[8/11]: setting up named.conf
[9/11]: setting up server configuration
[10/11]: configuring named to start on boot
[11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate ‘/etc/ipa/ca.crt’.
Client hostname: ipa.ldap.vmbs.uk
Realm: LDAP.VMBS.UK
DNS Domain: ldap.vmbs.uk
IPA Server: ipa.ldap.vmbs.uk
BaseDN: dc=ldap,dc=vmbs,dc=uk

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa.ldap.vmbs.uk/ipa/json
[try 1]: Forwarding ‘schema’ to json server ‘https://ipa.ldap.vmbs.uk/ipa/json
trying https://ipa.ldap.vmbs.uk/ipa/session/json
[try 1]: Forwarding ‘ping’ to json server ‘https://ipa.ldap.vmbs.uk/ipa/session/json
[try 1]: Forwarding ‘ca_is_enabled’ to json server ‘https://ipa.ldap.vmbs.uk/ipa/session/json
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding ‘host_mod’ to json server ‘https://ipa.ldap.vmbs.uk/ipa/session/json
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ldap.vmbs.uk as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:

  1. You must make sure these network ports are open:
     TCP Ports:
       • 80, 443: HTTP/HTTPS
       • 389, 636: LDAP/LDAPS
       • 88, 464: kerberos
       • 53: bind
     UDP Ports:
       • 88, 464: kerberos
       • 53: bind
       • 123: ntp
  2. You can now obtain a kerberos ticket using the command: ‘kinit admin’
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

Verify Admin

At this stage, we’ve already set up the FreeIPA on CentOS 7 server. Now we’re going to verify our configuration.

kinit admin

Password for admin@LDAP.VMBS.UK: your password

After that, verify the admin user is available on the FreeIPA database using the following command.

ipa user-find admin
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@LDAP.VMBS.UK
UID: 1952800000
GID: 1952800000
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

Next step, we’re going to verify the FreeIPA admin web-UI.

Open the web browser, type the FreeIPA domain name on the address bar. Mine is:

https://ipa.ldap.vmbs.uk/

You will get the FreeIPA web-UI login page, but served with a certificate issued by FreeIPA’s own CA, which the browser does not trust yet.


Let’s Encrypt - Free SSL/TLS Certificates (https://letsencrypt.org/) + Certbot (https://certbot.eff.org/)

These commands are recommended before starting the Let’s Encrypt install:

authconfig --enablemkhomedir --update
chkconfig sssd on
yum install epel-release -y
yum install -y letsencrypt

These two scripts try to automatically obtain and install Let’s Encrypt certificates for the FreeIPA web interface.

To use it, do this:

  • BACKUP /etc/httpd/alias to some safe place (it contains private keys!)

cp -r /etc/httpd/alias /etc/httpd/alias_backup
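The copy above keeps the private keys in a second directory with whatever permissions cp gives it, and nothing checks that the copy is complete. The following function is an added example (not one of the page’s or freeipa-letsencrypt’s scripts): it writes the backup as a tarball readable only by its owner and refuses to report success unless the NSS key database is inside. It assumes tar(1) and the NSS file layout mod_nss uses on CentOS 7 (cert8.db/key3.db; the newer SQL layout is cert9.db/key4.db); the source directory is a parameter so the function can be exercised on a scratch copy, and on the server it is /etc/httpd/alias.

```bash
#!/usr/bin/env bash
# Added example (not one of the page's scripts): back up the httpd NSS
# database before Server-Cert is replaced, as a 0600 tarball that is checked
# before success is reported. Assumes tar(1) and the cert8.db/key3.db
# (or cert9.db/key4.db) NSS layout; SRC_DIR is /etc/httpd/alias on the server.
set -o nounset -o errexit

# archive_has_keydb ARCHIVE: 0 if the NSS key database is inside the tar
archive_has_keydb() {
    tar -tf "$1" | grep -qE '/key[34]\.db$'
}

# backup_nssdb SRC_DIR DEST_DIR [STAMP] -> prints the archive path
backup_nssdb() {
    local src=$1 dest=$2 stamp=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    local name archive
    name=$(basename "$src")
    archive="$dest/$name-$stamp.tar"
    if [ ! -d "$src" ]; then
        echo "backup_nssdb: no such directory: $src" >&2
        return 1
    fi
    mkdir -p "$dest"
    # umask 077: the archive holds private keys, so it is created 0600
    ( umask 077 && tar -cf "$archive" -C "$(dirname "$src")" "$name" )
    if ! archive_has_keydb "$archive"; then
        echo "backup_nssdb: $archive does not contain the key database, discarding" >&2
        rm -f "$archive"
        return 1
    fi
    echo "$archive"
}

# Demo on a constructed scratch copy (fake, empty database files).
demo_backup() {
    local work
    work=$(mktemp -d)
    mkdir "$work/alias"
    : > "$work/alias/cert8.db"; : > "$work/alias/key3.db"; : > "$work/alias/secmod.db"
    backup_nssdb "$work/alias" "$work/backups"
    rm -rf "$work"
}
demo_backup
```

On the server: ‘backup_nssdb /etc/httpd/alias /root/alias-backups’ prints the archive path, and the returned status is what a wrapper script should test before it lets renew-le.sh touch the database.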

  • clone/unpack all scripts including “ca” subdirectory somewhere

cd ~
git clone https://github.com/freeipa/freeipa-letsencrypt.git
cp -r freeipa-letsencrypt/* /root/

  • set WORKDIR and EMAIL variables in scripts setup-le.sh and renew-le.sh

vi /root/renew-le.sh

I have changed WORKDIR="/root/ipa-le" to WORKDIR="/root/" and I have added the email address EMAIL="freeipa@vmbs.uk"

#!/usr/bin/bash
set -o nounset -o errexit

WORKDIR="/root/"
EMAIL="freeipa@vmbs.uk"
#cd "$WORKDIR"

### cron
# check that the cert will last at least 2 days from now to prevent too frequent renewal
# comment out this line for the first run
if [ "${1:-renew}" != "--first-time" ]
then
        certutil -d /etc/httpd/alias/ -V -u V -n Server-Cert -b "$(date '+%y%m%d%H%M%S%z' --date='2 days')" && exit 0
fi

# cert renewal is needed if we reached this line

# cleanup
rm -f "$WORKDIR"/*.pem
rm -f "$WORKDIR"/httpd-csr.*

# generate CSR
certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt -s "CN=$(hostname -f)" --extSAN "dns:$(hostname -f)" -o "$WORKDIR/httpd-csr.der"

# httpd process prevents letsencrypt from working, stop it
service httpd stop

# get a new cert
letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos

# remove old cert
certutil -D -d /etc/httpd/alias/ -n Server-Cert
# add the new cert
certutil -A -d /etc/httpd/alias/ -n Server-Cert -t u,u,u -a -i "$WORKDIR/0000_cert.pem"

# start httpd with the new cert
service httpd start
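Two things in this script are worth checking outside of it. The first line decides whether to renew by asking certutil whether Server-Cert is still valid two days from now; the same decision is useful from monitoring, where certutil and the NSS database are not at hand. The second is that nothing verifies the certificate Let’s Encrypt returned actually names the host before it is imported as Server-Cert. (Also note that with WORKDIR set to /root/ as above, the cleanup step deletes every *.pem file directly under /root.) The following functions are an added example, not part of freeipa-letsencrypt or of this page: they take the expiry from the ‘notAfter=...’ line that ‘openssl x509 -noout -enddate’ prints, count days with the days-from-civil formula so only bash is needed, and check a subjectAltName line for the hostname. The dates in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of freeipa-letsencrypt or this page's scripts):
# a bash-only "days left" check for the Server-Cert that renew-le.sh renews,
# plus a SAN check for the freshly issued certificate. The expiry is read
# from the "notAfter=Mon DD HH:MM:SS YYYY GMT" line that
#   openssl x509 -in cert.pem -noout -enddate
# prints; day arithmetic uses the days-from-civil formula, so the functions
# can be tested on constructed dates with no certificate present.
set -o nounset -o errexit

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Gregorian)
days_from_civil() {
    local y=$1 m=$2 d=$3 era yoe doy doe
    if (( m <= 2 )); then y=$(( y - 1 )); fi               # year starts in March
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))                                 # year of era [0,399]
    if (( m > 2 )); then doy=$(( (153 * (m - 3) + 2) / 5 + d - 1 ))
    else                 doy=$(( (153 * (m + 9) + 2) / 5 + d - 1 )); fi
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))         # day of era
    echo $(( era * 146097 + doe - 719468 ))
}

# not_after_to_days "[notAfter=]Mon DD HH:MM:SS YYYY GMT" -> days since epoch
not_after_to_days() {
    local mon day time year zone m
    read -r mon day time year zone <<< "${1#notAfter=}"
    case $mon in
        Jan) m=1 ;;  Feb) m=2 ;;  Mar) m=3 ;;  Apr) m=4 ;;   May) m=5 ;;   Jun) m=6 ;;
        Jul) m=7 ;;  Aug) m=8 ;;  Sep) m=9 ;;  Oct) m=10 ;;  Nov) m=11 ;;  Dec) m=12 ;;
        *) echo "unrecognised notAfter line: $1" >&2; return 1 ;;
    esac
    days_from_civil "$year" "$m" "$day"
}

today_days() { echo $(( $(date -u +%s) / 86400 )); }

# renewal_needed NOT_AFTER_LINE MIN_DAYS [NOW_DAYS]
# Exit 0 when fewer than MIN_DAYS remain, mirroring renew-le.sh's
# "certutil -V -b <2 days from now>" test. NOW_DAYS defaults to today and is
# a parameter only so the decision can be tested.
renewal_needed() {
    local expiry now
    expiry=$(not_after_to_days "$1")
    now=${3:-$(today_days)}
    (( expiry - now < $2 ))
}

# san_covers_host SAN_TEXT HOST: SAN_TEXT is the "DNS:a, DNS:b" line from
# `openssl x509 -noout -text` (the line after "Subject Alternative Name");
# exit 0 if HOST is listed, so a certificate for the wrong name is never
# imported as Server-Cert.
san_covers_host() {
    local -a entries
    local entry
    [ -n "$1" ] || return 1
    IFS=',' read -ra entries <<< "$1"
    for entry in "${entries[@]}"; do
        entry=${entry#"${entry%%[![:space:]]*}"}      # left trim
        entry=${entry%"${entry##*[![:space:]]}"}      # right trim
        [[ $entry == "DNS:$2" ]] && return 0
    done
    return 1
}

# Demo on constructed values: a certificate expiring on 25 Feb 2020, checked
# one day earlier with the script's 2-day threshold. On the server, use:
#   renewal_needed "$(openssl x509 -in cert.pem -noout -enddate)" 2
#   san_covers_host "$(openssl x509 -in cert.pem -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)" "$(hostname -f)"
if renewal_needed "notAfter=Feb 25 12:00:00 2020 GMT" 2 "$(days_from_civil 2020 2 24)"; then
    echo "renewal needed"
else
    echo "certificate valid long enough, skipping"
fi
if san_covers_host "    DNS:ipa.ldap.vmbs.uk" ipa.ldap.vmbs.uk; then echo "SAN covers host"; fi
```

The ‘grep -A1 ... | tail -n 1’ form is used because the ‘-ext’ option of openssl x509 does not exist in the OpenSSL 1.0.2 shipped with CentOS 7.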

vi /root/setup-le.sh

I have changed WORKDIR="/root/ipa-le" to WORKDIR="/root/"

#!/usr/bin/bash
set -o nounset -o errexit

WORKDIR="/root/"

dnf install letsencrypt -y

ipa-cacert-manage install "$WORKDIR/ca/DSTRootCAX3.pem" -n DSTRootCAX3 -t C,,
ipa-certupdate -v

ipa-cacert-manage install "$WORKDIR/ca/LetsEncryptAuthorityX3.pem" -n letsencryptx3 -t C,,
ipa-certupdate -v

"$(dirname "$0")/renew-le.sh" "--first-time"

Save :wq!

  • run setup-le.sh script once to prepare the machine.

cd /root/

./setup-le.sh

Last metadata expiration check: 0:23:43 ago on Wed Nov 27 15:23:05 2019.
Package certbot-0.39.0-1.el7.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Verified DSTRootCAX3
CA certificate successfully installed
The ipa-cacert-manage command was successful
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$79e69edd...
ipalib.plugable: DEBUG: importing plugin module ipaclient.remote_plugins.schema$79e69edd.plugins
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
ipalib.rpc: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@LDAP.vmbs.uk'
ipalib.rpc: INFO: trying https://ipa.ldap.vmbs.uk/ipa/json
ipalib.backend: DEBUG: Created connection context.rpcclient_140417616875088
ipalib.install.kinit: DEBUG: Initializing principal host/ipa.ldap.vmbs.uk@LDAP.vmbs.uk using keytab /etc/krb5.keytab
ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-XIFmOx/ccache
ipalib.install.kinit: DEBUG: Attempt 1/1: success
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.107')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.107')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://ipa.ldap.vmbs.uk/ipa/json'
ipalib.rpc: DEBUG: New HTTP connection (ipa.ldap.vmbs.uk)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=35gm3dUkUFzr6zl%2b2vii8Yo61O0ey%2bkznrbKOuShhLbwZqV%2brmyLIhzNSBPLpu36%2fqBxIFp3yO8zhDBQK%2fTz0RuxfHlhWHerBR0418UztVdhgJcvK2FV4kny53a5Fydgzy5SlSYRC6mME55%2f3tD4JNc9R9sIYWoO1lCoqJr7PcFxtkzEsUI13X9xVM30zM7989PE%2fAjm15fnWV90tJDPN83XQJ5ZD%2b1evXimMUNbV3xhrlD7uT7zgmQkGyXM0n27;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=ii8Yo61O0ey%2b35gm3dUkUFzr6zl%2b2vkznrbKOuShhLbwZqV%2brmyLIhzNSBPLpu36%2fqBxIFp3yO8zh35gm3dUkUFzr6zl%2b2vDBQK%2fTz0RuxfHlhWHerBR0418UztVdhgJcvK2FV4kny53a5Fydgzy5SlSYRC6mME55%2f3tD4JNc9R9sIYWoO1lCoqJr7PcFxtkzEsUI13X9xVM30zM7989PE%2fAjm15fnWV90tJDPN83XQJ5ZD%2b1evXimMUNbV3xhrlD7uT7zgmQkGyXM0n27;' for principal admin@LDAP.vmbs.uk
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.ldap.vmbs.uk:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fb585ecab90>
ipalib.frontend: DEBUG: raw: ca_find(None, version=u'2.231')
ipalib.frontend: DEBUG: ca_find(None, version=u'2.231')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_find/1' to json server 'https://ipa.ldap.vmbs.uk/ipa/json'
ipalib.rpc: DEBUG: HTTP connection keep-alive (ipa.ldap.vmbs.uk)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=qwELH2035gm3dUkUFzr6zl%2b2vO8%2bOcgSPLRlBaHjnNTyUJXOc4uQqi9Fozz5fumAwnqn8BIF8MgA%2b2K8rjbweOhWWgUoT2jOGAIKsQ3%2b%2fh0M8cB6a6VdEzelyPugDVwQKDa7yMTYJjy5mKdAHf3HSlF2w5IxeF12aBiSms5dlgevbtqUMeNLe07FNgNY68Xs4Qm3va8PskGbF4yNWyxGO9%2f6gjMICvAMF5sBbRH9MhX4MgoDrcX64zhdqInYEPvGGoAhEXz3qAk;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=qwELH20NbEox%2fXO8%2bOcgSPLRlBaHjnNTyUJXOc4uQqi9Fozz5fumAwnqn8BIF8MgA%2b2K8rjbweOhWWgUoT2jOGAIKsQ35gm3dUkUFzr6zl%2b2vM8cB6a6VdEzelyPugDVwQKDa7yMTYJjy5mKdAHf3HSlF2w5IxeF12aBiSms5dlgevbtqUMeNLe07FNgNY68Xs4Qm3va8PskGbF4yNWyxG35gm3dUkUFzr6zl%2b2vO9%2f6gjMICvAMF5sBbRH9MhX4MgoDrcX64zhdqInYEPvGGoAhEXz3qAk;' for principal admin@LDAP.vmbs.uk
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n DSTRootCAX3 -t C,, -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active dirsrv@LDAP-VMBS-UK.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl --system daemon-reload
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart dirsrv@LDAP-VMBS-UK.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active dirsrv@LDAP-VMBS-UK.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: wait_for_open_ports: localhost [389] timeout 300
ipapython.ipautil: DEBUG: waiting for port: 389
ipapython.ipautil: DEBUG: SUCCESS: port: 389
ipaplatform.base.services: DEBUG: Restart of dirsrv@LDAP-VMBS-UK.service complete
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n DSTRootCAX3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of httpd.service complete
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request '20191127153204'
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request '20191127153204'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n IPA CA -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n External CA cert -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n DSTRootCAX3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140417616875088
ipapython.admintool: INFO: The ipa-certupdate command was successful
Installing CA certificate, please wait
Verified letsencryptx3
CA certificate successfully installed
The ipa-cacert-manage command was successful
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$79e69edd...
ipalib.plugable: DEBUG: importing plugin module ipaclient.remote_plugins.schema$79e69edd.plugins
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
ipalib.rpc: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@LDAP.vmbs.uk'
ipalib.rpc: INFO: trying https://ipa.ldap.vmbs.uk/ipa/json
ipalib.backend: DEBUG: Created connection context.rpcclient_139693756030544
ipalib.install.kinit: DEBUG: Initializing principal host/ipa.ldap.vmbs.uk@LDAP.vmbs.uk using keytab /etc/krb5.keytab
ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-dQbHsF/ccache
ipalib.install.kinit: DEBUG: Attempt 1/1: success
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.107')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.107')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://ipa.ldap.vmbs.uk/ipa/json'
ipalib.rpc: DEBUG: New HTTP connection (ipa.ldap.vmbs.uk)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=za9D7F35gm3dUkUFzr6zl%2b2veyhTpV70%2fzNDeQbsZQkkMZyY1oWWqIG%2btwVuo8tu5ItGXrWgOnwSDhQQfr5NhhJCuIUsgWjNXP80dSHI%2bdcan94vhLUJKnwiu3z2KI4BRVaRKePB5qk9qwT0fVTVQW%2fFMh6MEnpwKJGDet1izNP6iY0t9Bx%2bEQ8CO53LOTtybdCKm6%2b8jBs8ct0xfqBwFfVpxqcOcv6r5C1oyn%2fuA9w7U5%2b8Nm4ey6WcjpmjJcjE88VYQRgDER%2bvu2YRfG;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=za9D7FeyhTpV70%2fzNDeQbsZQkkMZyY1oWWqIG%2btwVuo8tu5ItGXrWgOnwSDhQQfr5NhhJCuIUsgWjNXP80dSHI%2bdcan94vhLUJKnwiu3z2KI4BRVaRKePB5qk9qwT0fVTVQW%2fFMh6MEnpwKJGDet1izNP6iY0t9Bx%2bEQ8CO53LOTtybdCKm6%2b8jBs8ct0xfqBwFfVpxqcOcv6r5C1oyn%2fuA9w7U5%2b8Nm4ey6WcjpmjJcjE88VYQRgDER%2bvu2YRfG;' for principal admin@LDAP.vmbs.uk
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.ldap.vmbs.uk:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0cfc752d40>
ipalib.frontend: DEBUG: raw: ca_find(None, version=u'2.231')
ipalib.frontend: DEBUG: ca_find(None, version=u'2.231')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_find/1' to json server 'https://ipa.ldap.vmbs.uk/ipa/json'
ipalib.rpc: DEBUG: HTTP connection keep-alive (ipa.ldap.vmbs.uk)
ipalib.rpc: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=4hYk35gm3dUkUFzr6zl%2b2vKg5BGMh5mDI%2fHJ%2bl%2bojCmzfVbX14a3HugBE8cOyi6muHjERaxkIvaat4pm%2bD3ubvcQldGz3QQjBHm2vf%2btsyrW%2bYifAEy5q57tT%2f0rz%2faYkgomyG%2bBh%2by77mmEm8j5lZThRmae8H2TEMffXwThGozEUDgxVjBQ0G4dEFLJLttOgxqaBgr2D8p98T0g0P9H1Z1%2ff7V2RaeCE0GGhxNQazTpocFxAVBgQJOTjSXxIeYvTMesaXwq27NswlWs3S;path=/ipa;httponly;secure;']'
ipalib.rpc: DEBUG: storing cookie 'ipa_session=MagBearerToken=4hYkKg5BGMh5mDI%2fHJ%2bl%2bojCmzfVbX14a3HugBE8cOyi6muHjERaxkIvaat4pm%2bD3ubvcQldGz3QQjBHm2vf%2btsyrW%2bYifAEy5q57tT%2f0rz%2faYkgomyG%2bBh%2by77mmEm8j5lZThRmae8H2TEMffXwThGozEUDgxVjBQ0G4dEFLJLttOgxqaBgr2D8p98T0g0P9H1Z1%2ff7V2RaeCE0GGhxNQazTpocFxAVBgQJOTjSXxIeYvTMesaXwq27NswlWs3S;' for principal admin@LDAP.vmbs.uk
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n DSTRootCAX3 -t C,, -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n letsencryptx3 -t C,, -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active dirsrv@LDAP-VMBS-UK.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl --system daemon-reload
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart dirsrv@LDAP-VMBS-UK.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active dirsrv@LDAP-VMBS-UK.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: wait_for_open_ports: localhost [389] timeout 300
ipapython.ipautil: DEBUG: waiting for port: 389
ipapython.ipautil: DEBUG: SUCCESS: port: 389
ipaplatform.base.services: DEBUG: Restart of dirsrv@LDAP-VMBS-UK.service complete
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n DSTRootCAX3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n letsencryptx3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of httpd.service complete
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request '20191127153204'
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request '20191127153204'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n IPA CA -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n External CA cert -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n DSTRootCAX3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n letsencryptx3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_139693756030544
ipapython.admintool: INFO: The ipa-certupdate command was successful
Redirecting to /bin/systemctl stop httpd.service
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Performing the following challenges:
http-01 challenge for ipa.ldap.vmbs.uk
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /root/0000_cert.pem
Cert chain written to <fdopen>
Cert chain written to <fdopen>

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /root/0001_chain.pem
   Your cert will expire on 2020-02-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Notice: Trust flag u is set automatically if the private key is present.
Redirecting to /bin/systemctl start httpd.service

The output above is the script's own verbose log. Two things to note in it: the ipa-certupdate debug lines print the ipa_session cookie (MagBearerToken) issued to the admin principal, so a saved copy of this log is sensitive and should not be pasted anywhere; and certbot runs in standalone mode, which stops httpd (and with it the FreeIPA web UI) while the http-01 challenge is answered, so TCP port 80 on the FreeIPA server must be reachable from the Internet for the challenge to succeed. The CA nicknames in the log (DSTRootCAX3, letsencryptx3) are the Let's Encrypt chain of late 2019; DST Root CA X3 expired in September 2021 and Let's Encrypt now chains to ISRG Root X1, so a current run of the script installs different certificates.

The script will:

  • install the Let's Encrypt client package (if that step fails on CentOS 7, install dnf manually first: yum install -y dnf && dnf repolist)

  • install the Let's Encrypt CA certificates into the FreeIPA certificate stores (the 389-ds, httpd and /etc/ipa/nssdb NSS databases, as the certutil lines in the log show)

  • request a new certificate for the FreeIPA web interface

  • run the renew-le.sh script once a day: it renews the certificate as necessary

./renew-le.sh

If you have any problem, feel free to ask the FreeIPA team for help: http://www.freeipa.org/page/Contribute#Communication
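As an added example (not code from the page, from the renew-le.sh script or from FreeIPA), the following Python snippet audits what the "install CA certificates into the FreeIPA certificate stores" step actually did, by parsing the certutil import lines from an ipa-certupdate debug log like the one above. The sample log is constructed from those lines; the counter-example that gives the Let's Encrypt intermediate "CT" trust is constructed to show what the check catches. The IPA CA nickname "LDAP.vmbs.uk IPA CA" is taken from the log.

```python
"""Audit the CA imports ipa-certupdate performed, from its debug log.

Added example, not code from the page or from FreeIPA. It parses the
"args=/usr/bin/certutil ... -A -n <nick> -t <flags>" lines that
ipa-certupdate logs for each CA it imports into an NSS database and
reports any external CA that received more than SSL-server CA trust.
"""
import re
from collections import defaultdict

# One certutil import per line; nicknames may contain spaces
# ("LDAP.vmbs.uk IPA CA"), so capture lazily up to " -t ".
CERTUTIL_ADD = re.compile(
    r"args=/usr/bin/certutil -d (?P<db>\S+) -A -n (?P<nick>.+?) -t (?P<flags>\S+)"
)

# Constructed sample: the certutil lines of the ipa-certupdate log shown on the page.
SAMPLE_LOG = """\
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n DSTRootCAX3 -t C,, -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LDAP-VMBS-UK -A -n letsencryptx3 -t C,, -a -f /etc/dirsrv/slapd-LDAP-VMBS-UK/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n DSTRootCAX3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n letsencryptx3 -t C,, -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n IPA CA -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n LDAP.vmbs.uk IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n DSTRootCAX3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n letsencryptx3 -t C,, -a -f /etc/ipa/nssdb/pwdfile.txt
"""

# Constructed counter-example: the Let's Encrypt intermediate imported into the
# httpd database with "CT" in the SSL field, i.e. also trusted to issue client certs.
OVERTRUSTED_LOG = SAMPLE_LOG.replace(
    "-n letsencryptx3 -t C,, -a -f /etc/httpd/alias",
    "-n letsencryptx3 -t CT,, -a -f /etc/httpd/alias")


def parse_installed_cas(log_text):
    """Return {nss_db: {nickname: trust_flags}} for every CA import in the log."""
    installed = defaultdict(dict)
    for line in log_text.splitlines():
        m = CERTUTIL_ADD.search(line)
        if m:
            installed[m.group("db")][m.group("nick")] = m.group("flags")
    return dict(installed)


def external_cas_with_excess_trust(installed, ipa_ca_nick):
    """List (db, nick, flags) for non-IPA CAs trusted beyond SSL-server issuance.

    NSS trust flags are three comma-separated fields: SSL, email, object
    signing. "C" marks a trusted CA for that use, "T" a CA trusted to issue
    client certificates. The IPA CA legitimately gets CT,C,C. An external CA
    such as Let's Encrypt only has to vouch for the web UI's server
    certificate, so anything beyond "C,," widens who can mint certificates
    that the IPA services will accept.
    """
    findings = []
    for db, certs in installed.items():
        for nick, flags in certs.items():
            if nick == ipa_ca_nick:
                continue
            ssl, email, objsign = (flags.split(",") + ["", "", ""])[:3]
            if "T" in ssl or email or objsign:
                findings.append((db, nick, flags))
    return findings


if __name__ == "__main__":
    for name, log in (("page log", SAMPLE_LOG), ("over-trusted", OVERTRUSTED_LOG)):
        cas = parse_installed_cas(log)
        print(name, "->", external_cas_with_excess_trust(cas, "LDAP.vmbs.uk IPA CA") or "OK")
```

Feed it the captured output of the script (it runs ipa-certupdate in debug mode, as the DEBUG lines show); an empty result means every external CA was imported with "C,," only, which is the least trust that still lets the services accept the Let's Encrypt web UI certificate.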

Removing the CA manually, if pki-tomcat (the Dogtag CA) is left in a broken state by a failed installation:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat

This destroys the IPA CA instance together with its signing key, so every certificate it issued can no longer be renewed through IPA. Only do this when you are going to reinstall the server anyway, never on a working deployment.

WiFi Authentication with RADIUS and FreeIPA

Install the AD trust components (Samba and the trust-related LDAP objects) with ipa-adtrust-install. This is what makes FreeIPA generate the ipaNTHash attribute that a RADIUS server needs for MSCHAPv2:

ipa-adtrust-install

Output of ipa-adtrust-install:

The log file for this installation can be found in /var/log/ipaserver-install.log

This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:

  • Configure Samba
  • Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.

Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [VMBS]:

WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
[1/25]: validate server hostname
[2/25]: stopping smbd
[3/25]: creating samba domain object
[4/25]: creating samba config registry
[5/25]: writing samba config file
[6/25]: adding cifs Kerberos principal
[7/25]: adding cifs and host Kerberos principals to the adtrust agents group
[8/25]: check for cifs services defined on other replicas
[9/25]: adding cifs principal to S4U2Proxy targets
[10/25]: adding admin(group) SIDs
[11/25]: adding RID bases
[12/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[13/25]: activating CLDAP plugin
[14/25]: activating sidgen task
[15/25]: map BUILTIN\Guests to nobody group
[16/25]: configuring smbd to start on boot
[17/25]: adding special DNS service records
[18/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
[19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[20/25]: adding fallback group
[21/25]: adding Default Trust View
[22/25]: setting SELinux booleans
[23/25]: starting CIFS services
[24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait...
[25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:

  • 135: epmap
  • 138: netbios-dgm
  • 139: netbios-ssn
  • 445: microsoft-ds
  • 1024..1300: epmap listener range
  • 3268: msft-gc

UDP Ports:

  • 138: netbios-dgm
  • 139: netbios-ssn
  • 389: (C)LDAP
  • 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

After ipa-adtrust-install completes, ipactl status shows the new smb and winbind services:

# ipactl status

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Take care: if ipa-adtrust-install was run after the users already existed, those users must change their password once. The ipaNTHash attribute is only generated when a password is set, so a user who never changed the password after the AD trust setup has no NT hash and cannot authenticate through RADIUS.

Now restart FreeIPA and add a RADIUS service principal on the IPA server:

ipactl restart

ipa service-add 'radius/radius.vmbs.uk'
ipa service-add-host --hosts=radius.vmbs.uk radius/radius.vmbs.uk
ipa role-add-member --hosts=radius.vmbs.uk certadmin
ipa-getkeytab -p 'radius/radius.vmbs.uk' -s ipa.ldap.vmbs.uk -k /root/radiusd.keytab

The keytab is a long-lived credential for the service principal: copy it to the RADIUS host, make it owned by the RADIUS daemon's user with mode 0600, and delete the copy on the IPA server.

Create a permission to read ipaNTHash, wrap it in a privilege, and assign the privilege to a role:

ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --right=read
ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
ipa role-add 'Radius server' --desc="Radius server role"
ipa role-add-privilege --privileges="Radius services" 'Radius server'

Add the service principal to the 'Radius server' role and to the adtrust agents group (the group the cifs and host principals were added to in step 7 of ipa-adtrust-install). Bind as Directory Manager and paste the LDIF records into ldapmodify. Roles, privileges and the adtrust agents group are groupOfNames entries, so the membership attribute is member; memberUid is the posixGroup attribute and 389-ds rejects it with an objectClass violation. Every DN must carry the realm's base DN, dc=ldap,dc=vmbs,dc=uk:

ldapmodify -x -D 'cn=Directory Manager' -W

Enter password:
dn: cn=Radius server,cn=roles,cn=accounts,dc=ldap,dc=vmbs,dc=uk
changetype: modify
add: member
member: krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ldap,dc=vmbs,dc=uk
changetype: modify
add: member
member: krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk

Give the service principal a simple bind password, so the RADIUS server can bind over LDAP without Kerberos. 389-ds stores userPassword hashed, but the cleartext has to live in the RADIUS server's configuration, so use a long random value and keep that file readable only by the RADIUS daemon:

dn: krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: <what password you like>

After these modifications the 'Radius server' role entry should look like this: memberOf shows the privilege and, through it, the ipaNTHash permission, and member is the RADIUS service principal.

dn: cn=Radius server,cn=roles,cn=accounts,dc=ldap,dc=vmbs,dc=uk
memberOf: cn=Radius services,cn=privileges,cn=pbac,dc=ldap,dc=vmbs,dc=uk
memberOf: cn=ipaNTHash service read,cn=permissions,cn=pbac,dc=ldap,dc=vmbs,dc=uk
description: Radius server role
cn: Radius server
objectClass: groupofnames
objectClass: nestedgroup
objectClass: top
member: krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk
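As an added example (not code from the page or from FreeIPA), the following Python checks hand-written LDIF change records for the mistakes that are easy to make in this section before they are handed to ldapmodify bound as Directory Manager, where a record that passes the schema check is applied with full directory rights. It parses only the LDIF subset used here (dn, changetype, add/replace/delete, "-" between modifications, a blank line between records; no base64 "::" values) and flags a DN outside the realm's base DN, a modification aimed at a container instead of an entry under it, memberUid on a groupOfNames entry, and a garbled record. The base DN dc=ldap,dc=vmbs,dc=uk, the sample records and the password value are assumptions constructed for the example.

```python
"""Sanity-check LDIF change records before ldapmodify runs them as Directory Manager.

Added example, not code from the page or from FreeIPA. Handles the small
LDIF subset used for FreeIPA role and group membership edits.
"""

BASE_DN = "dc=ldap,dc=vmbs,dc=uk"  # assumption: realm LDAP.VMBS.UK

# FreeIPA containers whose child entries are groupOfNames (membership attribute: member).
GROUP_CONTAINERS = ("cn=roles,cn=accounts", "cn=privileges,cn=pbac",
                    "cn=permissions,cn=pbac", "cn=sysaccounts,cn=etc")

SERVICE_DN = ("krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,"
              "cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk")

# Constructed sample with three mistakes: DN outside the base, the container
# itself as target, and the posixGroup attribute on a groupOfNames tree.
PAGE_LDIF = """\
dn: cn=sysaccounts,cn=etc,dc=vmbs,dc=uk
changetype: modify
add: memberUid
memberUid: %s
""" % SERVICE_DN

# Constructed sample of the corrected sequence for this section.
FIXED_LDIF = """\
dn: cn=Radius server,cn=roles,cn=accounts,dc=ldap,dc=vmbs,dc=uk
changetype: modify
add: member
member: %s

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ldap,dc=vmbs,dc=uk
changetype: modify
add: member
member: %s

dn: %s
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: example-only-change-me
""" % (SERVICE_DN, SERVICE_DN, SERVICE_DN)


def parse_ldif_changes(text):
    """Parse LDIF into [(dn, changetype, [(op, attr, [values]), ...]), ...]."""
    records = []
    rec = None   # current record as [dn, changetype, mods]
    cur = None   # current modification as (op, attr, values)
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # blank line ends the record
            if rec is not None:
                records.append(tuple(rec))
            rec = cur = None
            continue
        if line == "-" or line.startswith("#"):
            cur = None                    # "-" separates modifications
            continue
        attr, sep, value = line.partition(":")
        if not sep or " " in attr:        # e.g. "objectClass objectClass: ..."
            raise ValueError("malformed LDIF line: %r" % line)
        value = value.strip()
        if attr == "dn":
            if rec is not None:
                records.append(tuple(rec))
            rec, cur = [value, None, []], None
        elif rec is None:
            raise ValueError("line before any dn: %r" % line)
        elif attr == "changetype":
            rec[1] = value
        elif attr in ("add", "replace", "delete"):
            cur = (attr, value, [])
            rec[2].append(cur)
        elif cur is not None:
            cur[2].append(value)
        else:
            raise ValueError("attribute %r outside a modification" % attr)
    if rec is not None:
        records.append(tuple(rec))
    return records


def check_changes(records, base_dn=BASE_DN):
    """Return human-readable findings; an empty list means the LDIF looks sane."""
    findings, base = [], base_dn.lower()
    for dn, changetype, mods in records:
        low = dn.lower()
        if not low.endswith(base):
            findings.append("%s: DN is outside base %s" % (dn, base_dn))
        if changetype not in ("add", "modify", "delete", "modrdn"):
            findings.append("%s: unknown changetype %r" % (dn, changetype))
        if any(low.startswith(c + ",") for c in GROUP_CONTAINERS):
            findings.append("%s: this is the container, not an entry under it" % dn)
        in_group_tree = any(c in low for c in GROUP_CONTAINERS)
        for op, attr, values in mods:
            if attr.lower() == "memberuid" and in_group_tree:
                findings.append("%s: use 'member' (groupOfNames), not 'memberUid' (posixGroup)" % dn)
            if op in ("add", "replace") and not values:
                findings.append("%s: '%s: %s' has no values" % (dn, op, attr))
            if attr.lower() in ("member", "memberuid"):
                for v in values:
                    if not v.lower().endswith(base):
                        findings.append("%s: member %s is outside base %s" % (dn, v, base_dn))
    return findings
```

Run check_changes(parse_ldif_changes(open("changes.ldif").read())) and only pipe the file into ldapmodify when the list comes back empty; a ValueError from the parser means a record was mangled (for instance "changetype: modify add:" with the attribute name folded into the next line) and must be retyped.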