[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Petr Spacek pspacek at redhat.com
Wed May 29 14:24:53 UTC 2013


On 29.5.2013 15:50, John Moyer wrote:
> 	I changed both the host file (actually did that before emailing) and now I have changed the DNS manually in LDAP.  I restart ipa and it still fails on DNS startup.   It says the following (after I manually start everything else)
>
> May 29 13:16:15 ip- named[9076]: set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
> May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/EC2.INTERNAL@EXAMPLE.COM not found in Kerberos database)
> May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
> May 29 13:16:15 ip- named[9076]: loading configuration: failure
> May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)

The important piece is:
 > Server krbtgt/EC2.INTERNAL@EXAMPLE.COM not found in Kerberos database

Some very basic instructions are at
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart

IMHO Kerberos libraries are confused by the crazy network setup inside EC2.

Does your /etc/krb5.conf point to internal or external name?

Does your /etc/hosts point to internal or external name?

I would try to include *internal* IPs in /etc/hosts, because internal IPs are 
what libraries see on local interfaces.

Please do the experiments described above and let us know. Also, you can join 
#freeipa channel on FreeNode, I will be around for the next hour (at least).

Petr^2 Spacek

> On May 29, 2013, at 4:11 AM, Petr Spacek <pspacek at redhat.com> wrote:
>
>> On 29.5.2013 07:42, John Moyer wrote:
>>> Yeah, I replaced both certs; however, in my troubleshooting I've found more, I'll say, symptoms or potential problems, which may stem from this or be independent from it.
>>>
>>> 1. Showing this error message on restarting the service:
>>>      EXAMPLE-COM...[29/May/2013:05:30:58 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>
>>> 2. This is on an AWS machine, and when I rebooted the internal IP of the machine changed.  I'm not sure if there are values in the Directory Server that would have that internal IP in there which would cause a problem.  The external IP and DNS have stayed the same and I've tried to have all install values match the external IP or external name for this exact reason.
>>>
>>> 3. The named service will no longer start, here are the errors getting put in the /var/log/messages
>>> May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 zones
>>> May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders seen; disabling forwarding
>>> May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
>>> May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot contact any KDC for realm 'EXAMPLE.COM')
>>> May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
>>> May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)
>>>
>>> Any help in a right direction or theory to a right direction would be much appreciated!
>> Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and IPA DNS. Please correct content of /etc/hosts, start IPA and then correct IP addresses in IPA DNS.

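The two questions Petr asks above (which name /etc/krb5.conf and /etc/hosts point the host at) can be checked mechanically before restarting named. The script below is an added example, not code from this thread, from FreeIPA or from bind-dyndb-ldap. It models how MIT krb5 derives a realm for a host name from [domain_realm] (an exact host entry, then the longest ".domain" suffix entry, otherwise the parent domain upper-cased, which is the rule that yields EC2.INTERNAL for an ip-*.ec2.internal name) and applies it to the canonical name /etc/hosts hands back for the local interface. The IPA host name ipa.example.com, the address 10.1.3.5 and all three sample files are constructed for the example; the fix that maps the provider domain in [domain_realm] is an alternative I added, not one the thread proposes.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: predict which Kerberos
# realm the local host name maps to, so a bad /etc/hosts line or a missing
# [domain_realm] entry is caught before named fails its GSSAPI bind to LDAP.
# Assumption: mapping follows MIT krb5's documented order, an exact host entry
# in [domain_realm], then the longest ".domain" entry, otherwise the parent
# domain upper-cased (the rule that produces EC2.INTERNAL in the thread).

# canonical_name <hosts file> <ip>: first name on the line for <ip>, i.e.
# what a reverse lookup through /etc/hosts returns for the local interface.
canonical_name() {
    awk -v ip="$2" '$1 == ip { print $2; exit }' "$1"
}

# realm_for_host <krb5.conf> <fqdn>: the realm the library would pick.
realm_for_host() {
    conf=$1; host=$2
    # "key value" pairs from the [domain_realm] section only
    map=$(awk '
        { line = $0; gsub(/[[:space:]]/, "", line) }
        line ~ /^#/ || line == "" { next }
        line ~ /^\[/ { insect = (line == "[domain_realm]"); next }
        insect && line ~ /=/ { sub(/=/, " ", line); print line }' "$conf")
    # 1. exact host entry
    r=$(printf '%s\n' "$map" | awk -v k="$host" '$1 == k { print $2; exit }')
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    # 2. longest ".domain" entry, walking up the name one label at a time
    d=$host
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        r=$(printf '%s\n' "$map" | awk -v k=".$d" '$1 == k { print $2; exit }')
        [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    done
    # 3. fallback heuristic: parent domain, upper-cased
    printf '%s\n' "${host#*.}" | tr '[:lower:]' '[:upper:]'
}

# check_local_mapping <krb5.conf> <hosts file> <local ip> <expected realm>
# Returns 0 only when the name /etc/hosts gives the local IP maps to <expected realm>.
check_local_mapping() {
    name=$(canonical_name "$2" "$3")
    [ -n "$name" ] || { echo "no entry for $3 in $2"; return 2; }
    realm=$(realm_for_host "$1" "$name")
    if [ "$realm" = "$4" ]; then
        echo "OK: $3 -> $name -> $realm"
    else
        echo "MISMATCH: $3 -> $name -> $realm; the $4 KDC will be asked for krbtgt/$realm@$4"
        return 1
    fi
}

# --- constructed sample files (ipa.example.com and 10.1.3.5 are made up) ---
WORK=$(mktemp -d)
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com:88
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF
# As the cloud image ships it: the internal IP resolves to the provider's name.
cat > "$WORK/hosts.bad" <<'EOF'
127.0.0.1   localhost
10.1.3.5    ip-10-1-3-5.ec2.internal ip-10-1-3-5
EOF
# After the fix suggested in the thread: the internal IP maps to the IPA FQDN.
cat > "$WORK/hosts.good" <<'EOF'
127.0.0.1   localhost
10.1.3.5    ipa.example.com ipa
EOF
# Alternative (added here): leave /etc/hosts alone and map the provider domain.
{ cat "$WORK/krb5.conf"; echo ' .ec2.internal = EXAMPLE.COM'; } > "$WORK/krb5.mapped.conf"

for hosts in hosts.bad hosts.good; do
    check_local_mapping "$WORK/krb5.conf" "$WORK/$hosts" 10.1.3.5 EXAMPLE.COM || true
done
check_local_mapping "$WORK/krb5.mapped.conf" "$WORK/hosts.bad" 10.1.3.5 EXAMPLE.COM || true
```

On a live box, call check_local_mapping with /etc/krb5.conf, /etc/hosts, the address of the interface the KDC and LDAP server actually listen on, and the IPA realm; a MISMATCH line names the realm that the GSSAPI bind will chase, which is what the krbtgt/EC2.INTERNAL@EXAMPLE.COM error in the log reflects. The script only covers the local-file path: it ignores dns_lookup_realm (TXT records), the referral the KDC might answer with, and whatever reverse DNS returns when /etc/hosts has no entry, so a clean result here still leaves those to check.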