[SOLVED] FreeIPA SSL failure

mdragt · #1 17th January 2012, 09:51 PM

Hi,
I think I've set up my FreeIPA server (almost) correctly on my Fedora 16 box:

[root@virgo ~]# ipa-server-install --no-host-dns

After accepting all suggested names and entering some passwords, I got a lot of status messages, and then I finally got:

done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.f1Rcip.db
================================================== ============================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

I guess thats all excellent. I made sure these ports are all open.
As instructed in the manual (https://docs.fedoraproject.org/en-US...ll-interactive), I restarted SSHD:

[root@virgo ~]# service sshd restart

Looking good.
To check things out, I did:

[root@virgo ~]# kinit admin@SSC.KALLIANCE.NL
Password for admin@SSC.KALLIANCE.NL:

Still looking great, no errors.
And then, as suggested in the manual (https://docs.fedoraproject.org/en-US...ll-interactive)

[root@virgo ~]# ipa user-find admin
ipa: ERROR: cannot connect to u'https://virgo.ssc.kalliance.nl/ipa/xml': [Errno -12263] (SSL_ERROR_RX_RECORD_TOO_LONG) SSL received a record that exceeded the maximum permissible length.

Excuse me? Where did I go wrong?

sgallagh · #2 18th January 2012, 02:50 PM

Could you be hitting this? http://www.lodesys.com/blog/2009/resolving.php

mdragt · #3 20th January 2012, 10:32 PM

@sgallagh: thanks for your reply. I am not sure. I've managed to setup FreeIPA without option --no-host-dns, but I keep getting the exact same error message. From your link, the error SSL_ERROR_RX_RECORD_TOO_LONG appears to be DNS related, but I dont see what is wrong. Output from several lookup functions:

[root@virgo ~]# hostname
virgo.ssc.kalliance.nl

[root@virgo ~]# nslookup virgo.ssc.kalliance.nl
Server: 192.168.204.140
Address: 192.168.204.140#53

Name: virgo.ssc.kalliance.nl
Address: 192.168.204.140

[root@virgo ~]# dig virgo.ssc.kalliance.nl

; <<>> DiG 9.8.1-P1-RedHat-9.8.1-4.P1.fc16 <<>> virgo.ssc.kalliance.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;virgo.ssc.kalliance.nl. IN A

;; ANSWER SECTION:
virgo.ssc.kalliance.nl. 3600 IN A 192.168.204.140

;; AUTHORITY SECTION:
ssc.kalliance.nl. 3600 IN NS virgo.ssc.kalliance.nl.

;; Query time: 0 msec
;; SERVER: 192.168.204.140#53(192.168.204.140)
;; WHEN: Fri Jan 20 23:27:12 2012
;; MSG SIZE rcvd: 70

sgallagh · #4 23rd January 2012, 01:15 PM

Well, the issue there could be if your /etc/hosts file has an entry for virgo.ssc.kalliance.nl that doesn't exactly match DNS. (For example, the short hostname could be listed before the FQDN)

mdragt · #5 12th February 2012, 04:30 PM

Thanks! It appears that for my case you were right. I had to reinstall FreeIPA quite a lot of times, and I learned a few new things I like to share:

1) make sure /etc/hosts is correct, use FQDN of your server as first hostname:

[root@virgo ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost localhost4
::1 localhost6.localdomain6 localhost6
192.168.204.140 virgo.ssc.kalliance.nl virgo

2) after reinstall of ipa-server-install, clear sshd cache

[root@lynx ~]# ll /var/lib/sss/db/
totaal 612
-rw-------. 1 root root 114688 9 feb 21:41 cache_default.ldb
-rw-------. 1 root root 327680 12 feb 19:22 cache_kalliance.nl.ldb
-rw-------. 1 root root 1208 12 feb 22:35 ccache_KALLIANCE.NL
-rw-------. 1 root root 126976 12 feb 17:51 config.ldb
-rw-------. 1 root root 53248 9 feb 21:32 sssd.ldb
[root@lynx db]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@lynx db]# rm /var/lib/sss/db/cache_kalliance.nl.ldb
[root@lynx db]# service sssd start

3) before setting up authentication in GNOME, make sure nss-pam-ldapd is installed:

[root@virgo ~]# yum install nss-pam-ldapd

4) Set up authenitication using system-config-authentication on every client to configure client's link to your FreeIPA-server, but:

a) do not check boxes next to fingerprint or smartcard reader if you don't have one;
b) align password hashing algorithm (not required, as far as I can see, but it is more elegant I guess);
c) use https://name.of.your.server to download server CA certificate .

Closing this case, opening a new one to get NFS working...