Fedora Linux Support Community & Resources Center
  #1  
Old 17th January 2012, 09:51 PM
mdragt Offline
Registered User
 
Join Date: Aug 2008
Posts: 24
linuxfirefox
FreeIPA SSL failure

Hi,
I think I've set up my FreeIPA server (almost) correctly on my Fedora 16 box:

[root@virgo ~]# ipa-server-install --no-host-dns

After accepting all suggested names and entering some passwords, I got a lot of status messages, and then I finally got:

done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.f1Rcip.db
================================================== ============================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password


I guess thats all excellent. I made sure these ports are all open.
As instructed in the manual (https://docs.fedoraproject.org/en-US...ll-interactive), I restarted SSHD:

[root@virgo ~]# service sshd restart


Looking good.
To check things out, I did:

[root@virgo ~]# kinit admin@SSC.KALLIANCE.NL
Password for admin@SSC.KALLIANCE.NL:


Still looking great, no errors.
And then, as suggested in the manual (https://docs.fedoraproject.org/en-US...ll-interactive)

[root@virgo ~]# ipa user-find admin
ipa: ERROR: cannot connect to u'https://virgo.ssc.kalliance.nl/ipa/xml': [Errno -12263] (SSL_ERROR_RX_RECORD_TOO_LONG) SSL received a record that exceeded the maximum permissible length.




Excuse me? Where did I go wrong?

Last edited by mdragt; 17th January 2012 at 10:01 PM.
Reply With Quote
  #2  
Old 18th January 2012, 02:50 PM
sgallagh Offline
Registered User
 
Join Date: Aug 2010
Posts: 25
linuxfirefox
Re: FreeIPA SSL failure

Could you be hitting this? http://www.lodesys.com/blog/2009/resolving.php
Reply With Quote
  #3  
Old 20th January 2012, 10:32 PM
mdragt Offline
Registered User
 
Join Date: Aug 2008
Posts: 24
linuxfirefox
Re: FreeIPA SSL failure

@sgallagh: thanks for your reply. I am not sure. I've managed to setup FreeIPA without option --no-host-dns, but I keep getting the exact same error message. From your link, the error SSL_ERROR_RX_RECORD_TOO_LONG appears to be DNS related, but I dont see what is wrong. Output from several lookup functions:

[root@virgo ~]# hostname
virgo.ssc.kalliance.nl

[root@virgo ~]# nslookup virgo.ssc.kalliance.nl
Server: 192.168.204.140
Address: 192.168.204.140#53

Name: virgo.ssc.kalliance.nl
Address: 192.168.204.140

[root@virgo ~]# dig virgo.ssc.kalliance.nl

; <<>> DiG 9.8.1-P1-RedHat-9.8.1-4.P1.fc16 <<>> virgo.ssc.kalliance.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;virgo.ssc.kalliance.nl. IN A

;; ANSWER SECTION:
virgo.ssc.kalliance.nl. 3600 IN A 192.168.204.140

;; AUTHORITY SECTION:
ssc.kalliance.nl. 3600 IN NS virgo.ssc.kalliance.nl.

;; Query time: 0 msec
;; SERVER: 192.168.204.140#53(192.168.204.140)
;; WHEN: Fri Jan 20 23:27:12 2012
;; MSG SIZE rcvd: 70

Reply With Quote
  #4  
Old 23rd January 2012, 01:15 PM
sgallagh Offline
Registered User
 
Join Date: Aug 2010
Posts: 25
linuxfirefox
Re: FreeIPA SSL failure

Well, the issue there could be if your /etc/hosts file has an entry for virgo.ssc.kalliance.nl that doesn't exactly match DNS. (For example, the short hostname could be listed before the FQDN)
Reply With Quote
  #5  
Old 12th February 2012, 04:30 PM
mdragt Offline
Registered User
 
Join Date: Aug 2008
Posts: 24
linuxfirefox
Re: FreeIPA SSL failure

Thanks! It appears that for my case you were right. I had to reinstall FreeIPA quite a lot of times, and I learned a few new things I like to share:

1) make sure /etc/hosts is correct, use FQDN of your server as first hostname:
[root@virgo ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost localhost4
::1 localhost6.localdomain6 localhost6
192.168.204.140 virgo.ssc.kalliance.nl virgo

2) after reinstall of ipa-server-install, clear sshd cache
[root@lynx ~]# ll /var/lib/sss/db/
totaal 612
-rw-------. 1 root root 114688 9 feb 21:41 cache_default.ldb
-rw-------. 1 root root 327680 12 feb 19:22 cache_kalliance.nl.ldb
-rw-------. 1 root root 1208 12 feb 22:35 ccache_KALLIANCE.NL
-rw-------. 1 root root 126976 12 feb 17:51 config.ldb
-rw-------. 1 root root 53248 9 feb 21:32 sssd.ldb
[root@lynx db]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@lynx db]# rm /var/lib/sss/db/cache_kalliance.nl.ldb
[root@lynx db]# service sssd start

3) before setting up authentication in GNOME, make sure nss-pam-ldapd is installed:
[root@virgo ~]# yum install nss-pam-ldapd

4) Set up authenitication using system-config-authentication on every client to configure client's link to your FreeIPA-server, but:
a) do not check boxes next to fingerprint or smartcard reader if you don't have one;
b) align password hashing algorithm (not required, as far as I can see, but it is more elegant I guess);
c) use https://name.of.your.server to download server CA certificate .
Closing this case, opening a new one to get NFS working...

Last edited by mdragt; 12th February 2012 at 10:02 PM.
Reply With Quote
Reply

Tags
failure, freeipa, ssl

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
FreeIPA 2.x not working djbonner Servers & Networking 3 5th October 2011 06:19 PM
[SOLVED] Could not update ICEauthority file /home/brad/.ICEauthority FreeIPA brad_c6 Servers & Networking 1 14th August 2011 07:00 AM
FreeIPA v2 and Xfce 4.8 test days diamond_ramsey F15 Development 1 17th February 2011 08:49 AM
Kerberos + LDAP + (AD) = FREEIPA roachy Links 2 21st April 2009 02:58 PM


Current GMT-time: 04:07 (Friday, 25-04-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat