FreeIPA - Login failed for an unknown reason - SSL certificate: unable to get local issuer certificate

I think my FreeIPA instance has a certificate problem, which shows up as a "Login failed for an unknown reason" error in the Web UI. It looks very close to the issue described here: Unable to log in to the FreeIPA Web UI - "Login failed due to an unknown reason."

$ cat /var/log/httpd/error_log
[Sun Nov 15 03:36:02.557178 2020] [lbmethod_heartbeat:notice] [pid 20540:tid 140295188322560] AH02282: No slotmem from mod_heartmonitor
[Sun Nov 15 03:36:02.574268 2020] [mpm_event:notice] [pid 20540:tid 140295188322560] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_wsgi/4.5.20 Python/3.6 mod_auth_gssapi/1.6.0 configured -- resuming normal operations
[Sun Nov 15 03:36:02.574356 2020] [core:notice] [pid 20540:tid 140295188322560] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sun Nov 15 03:36:17.130764 2020] [wsgi:error] [pid 16862:tid 140295188322560] ipa: INFO: *** PROCESS START ***
[Sun Nov 15 03:36:17.181095 2020] [wsgi:error] [pid 16863:tid 140295188322560] ipa: INFO: *** PROCESS START ***
[Sun Nov 15 03:36:17.370532 2020] [wsgi:error] [pid 16861:tid 140295188322560] ipa: INFO: *** PROCESS START ***
[Sun Nov 15 03:36:17.480511 2020] [wsgi:error] [pid 16864:tid 140295188322560] ipa: INFO: *** PROCESS START ***
[Sun Nov 15 15:12:18.414969 2020] [wsgi:error] [pid 16862:tid 140294055163648] [remote 10.6.0.156:49417] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Mon Nov 16 16:50:51.133150 2020] [wsgi:error] [pid 16862:tid 140294055163648] [remote 10.5.30.3:59450] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Mon Nov 16 16:51:15.363854 2020] [wsgi:error] [pid 16862:tid 140294055163648] [remote 10.5.30.3:59452] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='ipa.mydomain.org', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
[Wed Nov 18 16:58:58.647565 2020] [wsgi:error] [pid 16864:tid 140294055163648] [remote 10.0.10.3:41362] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Wed Nov 18 16:59:07.206598 2020] [wsgi:error] [pid 16864:tid 140294055163648] [remote 10.0.10.3:41366] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='ipa.mydomain.org', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
[Wed Nov 18 17:23:49.225001 2020] [wsgi:error] [pid 16863:tid 140294055163648] [remote 10.5.30.3:34678] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Wed Nov 18 17:24:12.026368 2020] [wsgi:error] [pid 16863:tid 140294055163648] [remote 10.5.30.3:34684] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='ipa.mydomain.org', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
[Wed Nov 18 17:34:59.981548 2020] [mpm_event:notice] [pid 20540:tid 140295188322560] AH00492: caught SIGWINCH, shutting down gracefully
[Wed Nov 18 17:35:04.633179 2020] [suexec:notice] [pid 8293:tid 140062174685440] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Nov 18 17:35:04.734723 2020] [lbmethod_heartbeat:notice] [pid 8293:tid 140062174685440] AH02282: No slotmem from mod_heartmonitor
[Wed Nov 18 17:35:04.783843 2020] [mpm_event:notice] [pid 8293:tid 140062174685440] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_wsgi/4.5.20 Python/3.6 mod_auth_gssapi/1.6.0 configured -- resuming normal operations
[Wed Nov 18 17:35:04.783971 2020] [core:notice] [pid 8293:tid 140062174685440] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Nov 18 17:35:27.735404 2020] [wsgi:error] [pid 8302:tid 140062174685440] ipa: INFO: *** PROCESS START ***
[Wed Nov 18 17:35:28.647317 2020] [wsgi:error] [pid 8299:tid 140062174685440] ipa: INFO: *** PROCESS START ***
[Wed Nov 18 17:35:28.942391 2020] [wsgi:error] [pid 8300:tid 140062174685440] ipa: INFO: *** PROCESS START ***
[Wed Nov 18 17:35:29.517472 2020] [wsgi:error] [pid 8303:tid 140062174685440] ipa: INFO: *** PROCESS START ***
[Wed Nov 18 17:36:00.568524 2020] [wsgi:error] [pid 8302:tid 140061041526528] [remote 10.5.30.3:34818] ipa: INFO: 401 Unauthorized: kinit: Password incorrect while getting initial credentials
[Wed Nov 18 17:36:00.568690 2020] [wsgi:error] [pid 8302:tid 140061041526528] [remote 10.5.30.3:34818] 
[Wed Nov 18 17:36:03.647421 2020] [wsgi:error] [pid 8299:tid 140061041526528] [remote 10.5.30.3:34822] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Wed Nov 18 17:36:16.136594 2020] [wsgi:error] [pid 8303:tid 140061041526528] [remote 10.5.30.3:34824] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='ipa.mydomain.org', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
[Wed Nov 18 20:00:01.556792 2020] [wsgi:error] [pid 8299:tid 140061041526528] [remote 10.5.30.3:35998] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Thu Nov 19 12:58:54.813554 2020] [wsgi:error] [pid 8303:tid 140061041526528] [remote 10.5.30.3:50526] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Thu Nov 19 12:59:13.712584 2020] [wsgi:error] [pid 8302:tid 140061041526528] [remote 10.5.30.3:50524] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='ipa.mydomain.org', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))

This also seems to be causing some certificates to fail verification (?):

$ ipa-getcert list
Request ID '20201010134403':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-mydomain-ORG',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-mydomain-ORG/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-mydomain-ORG',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=mydomain.ORG
    subject: CN=ipa.mydomain.org,O=mydomain.ORG
    expires: 2022-10-02 15:40:17 CEST
    dns: ipa.mydomain.org
    principal name: ldap/[email protected]
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: 
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv mydomain-ORG
    track: yes
    auto-renew: yes
Request ID '20201010134408':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.mydomain.org/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://ipa.mydomain.org/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: unable to get local issuer certificate).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: OU=Me,CN=My-Server-CA,[email protected]
    subject: OU=Me,CN=ipa.mydomain.org,[email protected]
    expires: 2028-10-26 00:09:55 CEST
    dns: ipa.mydomain.org
    key usage: digitalSignature,keyEncipherment
    eku: id-kp-serverAuth,iso.org.dod.internet.security.mechanisms.8.2.2
    pre-save command: 
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20201010135651':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.mydomain.org/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://ipa.mydomain.org/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: unable to get local issuer certificate).
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=mydomain.ORG
    subject: CN=ipa.mydomain.org,O=mydomain.ORG
    expires: 2022-10-11 15:57:42 CEST
    principal name: krbtgt/[email protected]
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command: 
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes

Does anyone know which certificate is causing this problem?
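One way to narrow this down from the certmonger output alone: parse `ipa-getcert list`, take the issuer of the healthy (MONITORING) requests as the IPA CA's DN, and report every request tracked against `CA: IPA` whose issuer is something else, plus every request stuck in CA_UNREACHABLE with its ca-error. In the output above that singles out `/var/lib/ipa/certs/httpd.crt`, issued by `My-Server-CA` rather than the IPA CA; since that is the certificate Apache presents on port 443, it is the first one to verify against the local trust store. This is an added example, not code from the question or from FreeIPA; the sample text is constructed with shortened placeholder DNs and the helper names are my own.

```python
import re
# Constructed sample modelled on the question's ipa-getcert output; DNs and paths are placeholders.
SAMPLE = """\
Request ID '20201010134403':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-mydomain-ORG',nickname='Server-Cert'
    CA: IPA
    issuer: CN=Certificate Authority,O=mydomain.ORG
Request ID '20201010134408':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.mydomain.org/ipa/xml failed request: SSL certificate problem: unable to get local issuer certificate
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: OU=Me,CN=My-Server-CA
Request ID '20201010135651':
    status: CA_UNREACHABLE
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=mydomain.ORG
"""

def parse_getcert(text):
    """Turn `ipa-getcert list` output into one dict of fields per request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def cert_location(field):
    # Pull location='...' out of a certmonger "certificate:" line.
    m = re.search(r"location='([^']*)'", field)
    return m.group(1) if m else field

def find_findings(requests):
    """Flag IPA-tracked certs whose issuer is not the IPA CA, and every CA_UNREACHABLE request."""
    ipa_issuers = {r["issuer"] for r in requests
                   if r.get("CA") == "IPA" and r.get("status") == "MONITORING"}
    findings = []
    for r in requests:
        loc = cert_location(r.get("certificate", ""))
        if r.get("CA") == "IPA" and r.get("issuer") not in ipa_issuers:
            findings.append((r["id"], loc, "issuer is not the IPA CA: " + r["issuer"]))
        if r.get("status") == "CA_UNREACHABLE":
            findings.append((r["id"], loc, "CA_UNREACHABLE: " + r.get("ca-error", "")))
    return findings
```

Run `find_findings(parse_getcert(SAMPLE))` to get the (request id, certificate path, reason) tuples; on a real server feed it the output of `ipa-getcert list` instead of the sample.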