dockerdocker-composeportfreeipa

FreeIPA Docker Compose WEB UI

After spending hours searching why I cannot access to my webUI, I turn to you. I setup freeipa on docker using docker-compose. I opened some port to gain remote access using host-ip:port on my own computer. Freeipa is supposed to be run on my server (lets say 192.168.1.2) and the webui accessible with any other local computer on port 80 / 443 (192.168.1.4:80 or 192.168.1.4:443)

When I run my .yaml file, freeipa get setup with a "the ipa-server-install command was successful" message.

I thought it could come from my tight iptables rules and tried to put all policies to ACCEPT to debug. It didn't do it.

I'm a bit lost to how I could debbug this or find how to fix it.

OS : ubuntu 20.04.3 Docker version: 20.10.12, build e91ed57 freeipa image: freeipa/freeipa:centos-8-stream Docker-compose version: 1.29.2, build 5becea4c

My .yaml file:

version: "3.8"
services:  
  freeipa:
    image: freeipa/freeipa-server:centos-8-stream
    hostname: sanctuary
    domainname: serv.sanctuary.local
    container_name: freeipa-dev
    ports:
      - 80:80
      - 443:443
      - 389:389
      - 636:636
      - 88:88
      - 464:464
      - 88:88/udp
      - 464:464/udp
      - 123:123/udp
    dns:
      - 10.64.0.1
      - 1.1.1.1
      - 1.0.0.1
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: serv.sanctuary.local
      IPA_SERVER_IP: 192.168.1.100
      TZ: "Europe/Paris"
    command:
      - -U
      - --domain=sanctuary.local
      - --realm=sanctuary.local
      - --admin-password=pass
      - --http-pin=pass
      - --dirsrv-pin=pass
      - --ds-password=pass
      - --no-dnssec-validation
      - --no-host-dns
      - --setup-dns
      - --auto-forwarders
      - --allow-zone-overlap
      - --unattended
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - ./data:/data
      - ./logs:/var/logs
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    security_opt:
      - "seccomp:unconfined"
    labels:
      - dev

I tried to tinker with the deployment file (add or remove conf found on internet such as add/remove IPA_SERVER_IP, add/remove an external bridge network)

Thank you very much for any help =)

Solution

  • Alright, for those who might have the same problem, I will explain everything I did to debug this.

    I extensively relieded on the answers found here : https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

    First, I checked the status of each services with ipactl status. Depending of the problem, you might have different output but mine was like this :

    Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

    I therefore checked the logs for tomcat /var/log/pki/pki-tomcat/ca/debug-xxxx. I realised I had connection refused with something related to the certificates.

    Here, I first checked that my certificate was present in /etc/pki/pki-tomcat/alias using sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'.

    ## output : 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        ...
        ...

    Then I made sure that the private key can be read using the password found in /var/lib/pki/pki-tomcat/conf/password.conf (with the tag internal=…)

    grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt

    certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'

    I still had nothings strange so I assumed that at this point :

    1. pki-tomcat is able to access the certificate and the private key
    2. The issue is likely to be on the LDAP server side

    I tried to read the user entry in the LDAP to compare it to the certificate using ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso but had an error after entering the password. Because my certs were OK and LDAP service running, I assumed something was off with the certificates date.

    Indeed, during the install freeipa setup the certs using your current system date as base. But it also install chrony for server time synchronization. After reboot, my chrony conf were wrong and set my host date 2 years ahead.

    I couldnt figure out the problem with the chrony conf so I stopped the service and set the date manually using timedatectl set-time "yyyy-mm-dd hh:mm:ss".

    I restarted freeipa services amd my pki-tomcat service was working again.

    After that, I set the freeipa IP in my router as DNS. I restarted services and computer in the local network so DNS config were refreshed. After that, the webUI was accessible !