This is my note on installing FreeIPA on a CentOS 8 machine. It differs a little from the FreeIPA installation on CentOS 7 and, most importantly, covers a problem I came across during the installation and how to fix it.
Configure Static IP
[root@utility ~]# nmcli con mod enp1s0 ipv4.addresses 172.25.250.8/24 \
> ipv4.method manual \
> ipv4.gateway 172.25.250.254 \
> ipv4.dns 172.25.252.1 \
> connection.autoconnect yes
[root@utility ~]# nmcli con up enp1s0
Ensure the hostname of this server exists in /etc/hosts.
[root@utility ~]# grep $(hostname) /etc/hosts
172.25.250.8 utility.lab.example.com utility
Install FreeIPA Server
In CentOS 8, FreeIPA is available in the AppStream repository, bundled as the idm module with several profiles.
[root@utility ~]# dnf module list idm
Last metadata expiration check: 0:29:12 ago on Tue 01 Dec 2020 01:49:44 PM AEDT.
CentOS-8 - AppStream
Name Stream Profiles Summary
idm DL1 adtrust, client, common [d], dns, server The Red Hat Enterprise Linux Identity Management system module
idm client [d] common [d] RHEL IdM long term support client module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
We’ll install only the FreeIPA server and dns profiles.
[root@utility ~]# dnf module install idm:DL1/{server,dns} -y
Next, run ipa-server-install to install the FreeIPA server.
[root@utility ~]# ipa-server-install --realm LAB.EXAMPLE.COM \
> --ds-password CentOS123^ \
> --admin-password CentOS123^ \
> --setup-dns \
> --no-forwarders \
> --reverse-zone 250.25.172.in-addr.arpa. \
> --unattended
Then, we’ll see the following error message.
...
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmppsmz59io'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: Server unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n request_timeout=status_request_timeout,\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup\n raise Exception(\'Server unreachable due to SSL error: %s\' % reason) from exc\n\n')
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The problem is due to an incompatible OpenJDK version.
[root@utility ~]# java -version
openjdk version "1.8.0_272"
OpenJDK Runtime Environment (build 1.8.0_272-b10)
OpenJDK 64-Bit Server VM (build 25.272-b10, mixed mode)
According to this discussion, OpenJDK needs to be downgraded to at least 1.8.0.265.
First, remove the currently installed OpenJDK.
[root@utility ~]# rpm -e --nodeps java-1.8.0-openjdk java-1.8.0-openjdk-devel java-1.8.0-openjdk-headless
Then download the older JDK packages and install them.
[root@utility ~]# mkdir java
[root@utility ~]# cd java
[root@utility java]# curl -O http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/java-1.8.0-openjdk-1.8.0.265.b01-0.el8_2.x86_64.rpm
[root@utility java]# curl -O http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/java-1.8.0-openjdk-devel-1.8.0.265.b01-0.el8_2.x86_64.rpm
[root@utility java]# curl -s -O http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/java-1.8.0-openjdk-headless-1.8.0.265.b01-0.el8_2.x86_64.rpm
[root@utility java]# rpm -ivh java*
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:java-1.8.0-openjdk-headless-1:1.8################################# [ 33%]
2:java-1.8.0-openjdk-1:1.8.0.265.b0################################# [ 67%]
3:java-1.8.0-openjdk-devel-1:1.8.0.################################# [100%]
That should do it. However, we need to uninstall the previous broken installation first.
[root@utility ~]# ipa-server-install --uninstall
...
The ipa-client-install command was successful
The ipa-server-install command was successful
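Before re-running ipa-server-install, it is worth checking the two conditions this note depends on: the server's FQDN is mapped to the static IP in /etc/hosts, and OpenJDK is no newer than the 1.8.0.265 build installed above. The script below is an added example, not part of the original note or of FreeIPA itself; the 265 cut-off, the STATIC_IP default taken from the note, and the use of hostname -f are assumptions. The parsing functions take their input as text so they can be exercised offline; only preflight touches the live system.

```shell
#!/bin/sh
# Added example: pre-flight checks before (re)running ipa-server-install.
# Not part of the original note or of FreeIPA. It encodes two conditions the
# note relies on: /etc/hosts maps the static IP to the FQDN, and OpenJDK is no
# newer than the 1.8.0.265 build the note installs.
# STATIC_IP, `hostname -f` and the 265 cut-off are assumptions.

MAX_JDK_UPDATE=265   # last known-good 1.8.0 update per the note (assumed cut-off)

# java_update_ok LINE
#   LINE is the first line of `java -version 2>&1`, e.g. openjdk version "1.8.0_272".
#   Returns 0 when the update number is <= MAX_JDK_UPDATE, 1 otherwise or if unparsable.
java_update_ok() {
    upd=$(printf '%s\n' "$1" | sed -n 's/.*"1\.8\.0_\([0-9][0-9]*\)".*/\1/p')
    [ -n "$upd" ] || return 1
    [ "$upd" -le "$MAX_JDK_UPDATE" ]
}

# hosts_entry_ok IP FQDN HOSTS_TEXT
#   Returns 0 when a non-comment line of HOSTS_TEXT maps IP to FQDN, 1 otherwise.
hosts_entry_ok() {
    printf '%s\n' "$3" | awk -v ip="$1" -v fqdn="$2" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# preflight: run both checks against the live system (assumed commands/paths).
preflight() {
    ip=${STATIC_IP:-172.25.250.8}          # address used in the note; override via env
    fqdn=$(hostname -f)
    if ! java_update_ok "$(java -version 2>&1 | head -n 1)"; then
        echo "OpenJDK is newer than 1.8.0.$MAX_JDK_UPDATE (or missing); downgrade first" >&2
        return 1
    fi
    if ! hosts_entry_ok "$ip" "$fqdn" "$(cat /etc/hosts)"; then
        echo "/etc/hosts has no line mapping $ip to $fqdn" >&2
        return 1
    fi
    echo "pre-flight checks passed; safe to run ipa-server-install"
}

# Only touch the live system when explicitly asked: RUN_PREFLIGHT=1 sh preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

Run it with RUN_PREFLIGHT=1 on the server before the reinstall; a non-zero exit tells you which of the two conditions is still wrong, which is cheaper than waiting for pkispawn to fail three minutes into the CA setup.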
[root@utility ~]# ipa-server-install -r LAB.EXAMPLE.COM \
> -p CentOS123^ -a CentOS123^ \
> --setup-dns \
> --no-forwarders \
> --reverse-zone 250.25.172.in-addr.arpa. \
> --unattended
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Configuring Firewall
[root@utility ~]# firewall-cmd --add-service freeipa-ldap --add-service freeipa-ldaps --add-service dns
success
[root@utility ~]# firewall-cmd --add-service freeipa-ldap --add-service freeipa-ldaps --add-service dns --permanent
success
Basic Testing
[root@utility ~]# kinit admin
Password for admin@LAB.EXAMPLE.COM:
[root@utility ~]# klist
Ticket cache: KCM:0
Default principal: admin@LAB.EXAMPLE.COM
Valid starting Expires Service principal
12/01/2020 16:01:56 12/02/2020 16:01:43 krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM