Since taking over our FreeIPA environment I've been unable to create a new CA replica. A bunch of failed attempts and upgrades over the last year and I keep running into issues. After my latest attempt I noticed something that I had not seen before (likely a result of a recent upgrade) and I was wondering if this would cause a CA install to fail.
Our env:
3 x ipa-server-3.0.0-51.el6.x86_64
3 x ipa-server-4.4.0-14.el7_3.7.x86_64
2 of the 3.x IPA servers are currently acting as CAs and I've been trying to create a new 4.x CA replica in order to start removing the 3.x IPA servers. I've been able to do a simple test with vanilla CentOS 6.9 and 7.3 and it seems to work fine as far as I can tell, but when I try it in our environment it fails. I noticed this error in one of the logs and something jumped out at me that I had never seen before:
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security domain
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList>
<CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica1.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<SubsystemCount>3</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using admin interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using agent interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: - subject: CN=ipa-master.domain.tld,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: - issuer: CN=Certificate Authority,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML: status=1
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security domain: 2
java.io.IOException: Unable to update security domain: 2
The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x servers, but of the other two listed in that domain XML, one does not exist (it may at some point have been renamed) and the other is not a CA replica, though it is a replica.
Is it possible this bad info would cause a failure when trying to create a new CA replica? If so, is it something I can try cleaning up?
Any info would be appreciated. Thanks!
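A check for the situation described in the post above, added here as an example (it is not FreeIPA or Dogtag code): it parses a DomainInfo document like the one the installer fetched from getDomainXML and flags CA entries that are not among the CA masters you know to exist, entries that are missing, duplicated or malformed, and a SubsystemCount that disagrees with the list. The sample XML is constructed from the log, and the known-CA host names used in the usage block are assumed.

```python
"""Consistency check for a Dogtag security domain listing (DomainInfo XML).

Added example for this thread, not code from FreeIPA or Dogtag. A stale entry
(a renamed host, or a replica that is no longer a CA) is reported before a
replica install trips over it.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the getDomainXML response quoted in the post.
SAMPLE_DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<DomainInfo><Name>IPA</Name><CAList>"
    "<CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort>"
    "<SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort>"
    "<UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort>"
    "<DomainManager>TRUE</DomainManager><Clone>TRUE</Clone>"
    "<SubsystemName>pki-cad</SubsystemName></CA>"
    "<CA><Host>ipa-replica1.domain.tld</Host><SecurePort>443</SecurePort>"
    "<DomainManager>TRUE</DomainManager><Clone>TRUE</Clone>"
    "<SubsystemName>pki-cad</SubsystemName></CA>"
    "<CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort>"
    "<DomainManager>TRUE</DomainManager><Clone>TRUE</Clone>"
    "<SubsystemName>pki-cad</SubsystemName></CA>"
    "<SubsystemCount>3</SubsystemCount></CAList>"
    "<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>"
    "<KRAList><SubsystemCount>0</SubsystemCount></KRAList>"
    "</DomainInfo>"
)


def parse_security_domain(xml_text):
    """Return (ca_entries, declared_count) from a DomainInfo document."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    entries = []
    for ca in root.iter("CA"):  # only <CA> elements, not <CAList>
        raw_host = ca.findtext("Host", "")
        entries.append({
            "host": raw_host.strip(),
            "host_has_whitespace": raw_host != raw_host.strip(),
            "secure_port": int(ca.findtext("SecurePort", "0")),
            "domain_manager": ca.findtext("DomainManager", "").strip().upper() == "TRUE",
        })
    declared = root.findtext("CAList/SubsystemCount")
    return entries, (int(declared) if declared is not None else None)


def audit_security_domain(xml_text, known_ca_hosts):
    """Return a list of findings; an empty list means the listing is consistent
    with the set of CA masters the operator believes to exist."""
    entries, declared = parse_security_domain(xml_text)
    findings = []
    seen = set()
    for e in entries:
        if e["host"] not in known_ca_hosts:
            findings.append("stale entry: %s is listed as a CA but is not a known CA master" % e["host"])
        if e["host_has_whitespace"]:
            findings.append("malformed entry: Host value for %s has surrounding whitespace" % e["host"])
        if e["host"] in seen:
            findings.append("duplicate entry: %s appears more than once" % e["host"])
        seen.add(e["host"])
    for host in sorted(set(known_ca_hosts) - seen):
        findings.append("missing entry: known CA master %s is not in the security domain" % host)
    if declared is not None and declared != len(entries):
        findings.append("count mismatch: SubsystemCount is %d but there are %d CA entries" % (declared, len(entries)))
    # The installer registers the clone through a domain manager; none means nowhere to register.
    if entries and not any(e["domain_manager"] for e in entries):
        findings.append("no CA entry is flagged DomainManager=TRUE")
    return findings


if __name__ == "__main__":
    # Assumed: only ipa-master and a second (constructed) host really run a CA.
    for line in audit_security_domain(SAMPLE_DOMAIN_XML, {"ipa-master.domain.tld", "ipa-ca2.domain.tld"}):
        print(line)
```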
john.bowman--- via FreeIPA-users wrote:
I think one of the dogtag devs will need to look at it. It may take a few days, things get a bit slow around here in the summer.
rob
On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote:
This went off my radar, but now it's back on my radar. Looks like it could be another case of [1]?
[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Cheers, Fraser
On Wed, Aug 2, 2017 at 1:31 PM, Fraser Tweedale via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security domain: 2 java.io.IOException: Unable to update security domain: 2
This error message means that pkispawn cannot authenticate to Dogtag on the master by certificate. Usually the cert doesn't match the one in the Dogtag user DB in LDAP, or the cert serial number mapping is wrong.
More info is in:
* https://www.freeipa.org/page/Troubleshooting#Migrating_from_RHEL_6.2FCentOS_...
resp.
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
But the Dogtag team made a utility which should do the steps described in the above post automatically.
So run on the RHEL 6 master:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v
Then remove the previous installation attempt by:
* ipa-replica-manage del $replica
* ipa-csreplica-manage del $replica
Try again:
* generate a new replica file with ipa-replica-prepare
* run the replica installation again with the new replica file
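The cert-mapping mismatch Martin describes above, as an added example (it is not Dogtag's restore-subsystem-user.py): it compares a subsystem user's description values, which take the form 2;<serial>;<issuer DN>;<subject DN> as the script prints later in this thread, with the certificate actually in the NSS database. The lookup rule (Dogtag finds the user by matching that string against the presented certificate's serial, issuer and subject) and the sample certificate fields are assumptions.

```python
"""Check a Dogtag subsystem user's certificate mapping.

Added example, not Dogtag code. Assumptions: the user's LDAP description
attribute has the form '2;<serial>;<issuer DN>;<subject DN>', Dogtag locates
the user by matching it against the presented certificate, and the DNs contain
no escaped commas. Certificate field values below are constructed samples.
"""


def normalize_dn(dn):
    """Trim each RDN and lower-case the attribute type so that
    'CN=Foo, O=Bar' and 'cn=Foo,o=Bar' compare equal."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip()))
    return ",".join(rdns)


def parse_cert_description(desc):
    """Split a '2;serial;issuer;subject' description into its fields."""
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0].strip() != "2":
        raise ValueError("unexpected description format: %r" % desc)
    _, serial, issuer, subject = parts
    return {
        "serial": int(serial.strip()),  # Dogtag stores the serial in decimal
        "issuer": normalize_dn(issuer),
        "subject": normalize_dn(subject),
    }


def check_subsystem_mapping(descriptions, cert):
    """Compare the user's description values (LDAP is multi-valued) with the
    subsystem certificate in the NSS db; cert is a dict with serial (int),
    issuer and subject. Returns a list of problems; empty means OK."""
    if not descriptions:
        return ["user has no certificate description; certificate auth will fail"]
    expected = {
        "serial": cert["serial"],
        "issuer": normalize_dn(cert["issuer"]),
        "subject": normalize_dn(cert["subject"]),
    }
    problems = []
    for desc in descriptions:
        try:
            mapped = parse_cert_description(desc)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if mapped == expected:
            return []  # one exact match is enough for Dogtag to find the user
        for field in ("serial", "issuer", "subject"):
            if mapped[field] != expected[field]:
                problems.append("%s mismatch in %r: mapping has %r, certificate has %r"
                                % (field, desc, mapped[field], expected[field]))
    return problems


# The description value as printed in this thread; the cert fields are constructed.
SAMPLE_DESCRIPTION = "2;4;CN=Certificate Authority,O=DOMAIN.TLD;CN=CA Subsystem,O=DOMAIN.TLD"
SAMPLE_CERT = {"serial": 4,
               "issuer": "CN=Certificate Authority,O=DOMAIN.TLD",
               "subject": "CN=CA Subsystem,O=DOMAIN.TLD"}

if __name__ == "__main__":
    # A renewed subsystem cert gets a new serial, leaving the old mapping behind.
    renewed = dict(SAMPLE_CERT, serial=268369927)  # constructed serial
    for p in check_subsystem_mapping([SAMPLE_DESCRIPTION], renewed):
        print(p)
```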
Looks like I missed your answers.
Question: Do I need to run that command on all RHEL6 CA servers or just one of them? (We currently have 2 RHEL 6 CA servers.)
Thank you for the reply!
On Tue, Aug 15, 2017 at 7:57 PM, john.bowman--- via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Question: Do I need to run that command on all RHEL6 CA servers or just one of them? (We currently have 2 RHEL 6 CA servers.)
Which command?
Pasting the previous text, now with the host where to run it.
So run on the RHEL 6 master (this can be run on all RHEL 6 masters, but especially on the one where you then run ipa-replica-prepare):
# python /usr/share/pki/scripts/restore-subsystem-user.py -v
The following is OK to run on only one master. After running it, the ipa-(cs)replica-manage list commands should no longer list the replica. Then remove the previous installation attempt by:
* ipa-replica-manage del $replica
* ipa-csreplica-manage del $replica
Try again:
* generate a new replica file with ipa-replica-prepare (on the original master)
* run the replica installation again with the new replica file
I've finally had a chance to make this attempt and after running the clean up:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v
Subsystem certificate: 2;4;CN=Certificate Authority,O=DOMAIN.TLD;CN=CA Subsystem,O=DOMAIN.TLD
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
User CA-ipa4.domain.tld-9443 has subsystem certificate
User already in Subsystem Group
User has the correct certificate mapping
Subsystem user CA-ipa4.domain.tld-9443 is OK
It was strange that it listed ipa4, since that is not one of our current CAs, just a normal replica. I'm guessing that it was likely a CA at one point but was converted. Perhaps incorrectly?
# ipa-replica-prepare ipa5.domain.tld
Directory Manager (existing master) password:
Preparing replica for ipa5.domain.tld from ipa1.domain.tld
Creating SSL certificate for the Directory Server
ipa : ERROR cert validation failed for "CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
I know the cert wasn't expired prior to running these two commands. When I look at ipa-getcert list all the expiry dates for requests in MONITORING status show 2019 unless I'm looking in the wrong area.
john.bowman--- via FreeIPA-users wrote:
Still looking for any ideas on this one so giving it a bump.
Next time please don't wipe out all the context.
Fraser, it seems to be having a problem connecting to the security domain.
The full thread is at https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
rob
Apologies, I hit reply from the list's web page instead of replying from email and it did not include the history automatically.
On Thu, Nov 16, 2017 at 1:04 PM, Rob Crittenden rcritten@redhat.com wrote:
The full thread is at https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
For the security domain connection problems, a fix was released in Dogtag 10.5.1 (pki commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3).
As for the expired certificates problem, I'm not sure about that. More logs would be helpful. But perhaps start over again with a fresh host for the replica, and run the latest pki builds (Fedora 27 was just released and it has Dogtag 10.5.1).
Cheers, Fraser
Running in debug mode definitely shows a recently expired cert and running it again this time only shows the correct hostname now unlike before. Is this cert something that I can regenerate/renew? I'll find out about getting a new host to test with as well.
[root@ipa1 ~]# ipa-replica-prepare --debug ipa2.domain.tld
ipa : DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa : DEBUG args=klist -V
ipa : DEBUG stdout=Kerberos 5 version 1.10.3
ipa : DEBUG stderr=
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_61017104
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_61017104
ipa : DEBUG Search DNS for ipa2.domain.tld
ipa : DEBUG Check if ipa2.domain.tld. is not a CNAME
ipa : DEBUG Check reverse address of 192.168.1.11
ipa : DEBUG Found reverse name: ipa2.domain.tld
Preparing replica for ipa2.domain.tld from ipa1.domain.tld
ipa.ipaserver.plugins.ldap2.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2c00758>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
ipa : DEBUG args=/usr/bin/PKCS12Export -d /var/lib/pki-ca/alias/ -p /tmp/tmpPl8m5I -w /tmp/tmpTv1GoU -o /root/cacert.p12
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
Creating SSL certificate for the Directory Server
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -N -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -A -n DOMAIN.TLD IPA CA -t CT,,C -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -R -s CN=ipa2.domain.tld,O=DOMAIN.TLD -o /var/lib/ipa/ipa-JGfpWu/tmpcertreq -k rsa -g 2048 -z /tmp/tmpMhbi7sipa/realm_info/noise.txt -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
Generating key. This may take a few moments...
ipa : DEBUG https_request 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient'
ipa : DEBUG https_request post 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICdjCCAV4CAQAwMTEQMA4GA1UEChMH WkFZTy5VUzEdMBsGA1UEAxMUZGVuMDJ2%0D%0AbWlkbTAyLnpheW8udXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj%0D%0AGVwN6mATZGwEd19aRzDnG8HhED3Q2shjAxmf 0hreFdls079m1mdbRlUtFOWnVx%2Bx%0D%0AFS0BQZZn0dfNXeArYz0dBXw9Plo%2FzFcMaXjmwGGGGtdTqukdQT79vfvwH7k2mB1c%0D%0AbitykHqYvapI%2BzaMXjRTYwOBJzkxKFhwGl QEt8lb3oqgJrCkyH11ldsDDo%2FMcnEI%0D%0AYua50OPKKnDZ9zdOx32wL7t1VM5FRhqV941R4MT7Y9fr7u3EdUbWNpa9hCQ8LTXs%0D%0Az2pU8%2Fu64Nnj%2FzP9vXXzx5YUSQK7NoUe qOl0%2Ft%2F4h%2B8%2FXmmmKLfdu2aD%2Bp%2BzGBYG%0D%0ApkFLT2oZLk7XOFc5xGmrAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAb%2FkkLjcr%0D%0Ay9XLuzePw59UxpOeCQSdCr ET2e6Uy3rEglo5%2F8HcQbdaeCrOfwKyjbmUjJnCXptM%0D%0As6xW%2FOtNU1Xqt7fUJpxTgKDX%2Fsz5gWejuIQyAT20qnxsg8aHz0L7LxrlumW1eCMg%0D%0Af1kIXwLWzfQntBtaEFyN aJx6wEZTXQboKbZqSB281BH96dJF1szaD7nPKCo4ZFfA%0D%0AwKaJbIM89cjQvYjA9utatlqEK0g2CZnc8YtKauTmZz%2FV7W%2B3jpVV1XfgoChVmr%2FV%0D%0A%2BN0czdeA93Ie9jBB 7ZOAko2BCLuPAc2z4w0K1VF4DXBA4slf2AD%2F29xCnv1nYbzZ%0D%0AfuhOgnfI8PIdQw%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa : DEBUG NSSConnection init ipa1.domain.tld
ipa : DEBUG Connecting: 192.168.1.10:0
ipa : DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
  Version: 3 (0x2)
  Serial Number: 804978690 (0x2ffb0002)
  Signature Algorithm:
    Algorithm: PKCS #1 SHA-256 With RSA Encryption
  Issuer: CN=Certificate Authority,O=DOMAIN.TLD
  Validity:
    Not Before: Tue Oct 06 21:27:25 2015 UTC
    Not After: Mon Sep 25 21:27:25 2017 UTC
  Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
  Subject Public Key Info:
    Public Key Algorithm:
      Algorithm: PKCS #1 RSA Encryption
    RSA Public Key:
      Modulus:
        d0:7d:e0:36:af:0c:c5:03:ea:ea:1e:57:35:50:93:ec:
        77:97:79:79:fe:7a:4c:14:e9:08:6a:2e:71:3e:fe:14:
        55:cd:e5:97:cf:40:31:e1:f1:c4:fb:d9:a8:81:ce:d1:
        76:59:80:7c:65:c2:45:c2:06:69:a0:91:96:51:c6:4e:
e1:01:42:a0:6f:99:c3:80:83:69:49:8f:f9:7c:88:f2: 20:4a:df:85:d1:a3:01:e4:78:72:51:13:4c:d8:6b:e8: 06:1f:cb:2b:40:94:c7:9a:14:55:85:58:2b:6a:f9:4a: d8:3b:b6:78:a6:d4:bf:04:cf:69:12:9e:e7:58:a4:6b: 11:55:f7:8a:8f:dd:00:7e:7b:e5:5e:f9:29:0a:9d:dd: d0:ed:fa:ce:e1:c8:27:15:d2:01:b4:3a:fb:8c:33:1b: 66:ff:ce:2d:83:01:44:56:d0:0c:8b:7a:77:3d:d1:c1: 14:f0:0f:15:38:8e:68:f6:aa:5b:99:b3:1e:ef:53:03: 53:af:b4:c7:a8:c0:84:06:f8:0e:27:12:5a:e2:b8:29: ba:0d:b5:0c:af:4c:b6:06:22:76:9d:6a:71:5d:96:41: 4c:c8:c1:3f:0a:40:0a:57:eb:5e:7c:6d:a1:d7:1c:22: 60:07:7a:08:c3:9e:d4:cb:1d:20:c3:b9:65:07:c8:39 Exponent: 65537 (0x10001) Signed Extensions: (4 total) Name: Certificate Authority Key Identifier Critical: False Key ID: df:e2:06:f2:94:98:29:17:5a:0f:65:e5:df:eb:0b:c3: 7d:d0:4b:0f Serial Number: None General Names: [0 total]
Name: Authority Information Access Critical: False Authority Information Access: [1 total] Info [1]: Method: PKIX Online Certificate Status Protocol Location: URI: http://ipa1.domain.tld:80/ca/ocsp
Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment
Name: Extended Key Usage Critical: False Usages: TLS Web Server Authentication Certificate
Signature: Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: a0:98:8f:04:39:d9:57:fd:96:3f:e4:d3:29:7a:df:37: 6d:30:c0:d2:3c:af:0f:a0:9f:c0:dc:38:61:84:a7:b5: e0:db:6a:4a:9d:44:3b:45:04:2b:87:d1:fb:d5:5b:d4: 7f:24:3c:db:80:1e:9d:65:1d:09:5a:6a:3e:15:e0:8a: e9:60:e8:ef:c3:c9:92:fe:a6:df:54:dc:e7:d9:52:c9: 93:10:a9:b4:12:b3:fb:34:fb:f8:c1:43:a1:2e:71:c6: 70:aa:c3:4e:2f:c3:d9:56:ba:9b:b8:14:c5:2b:e7:f2: 64:bb:0b:59:99:9c:85:0e:4f:04:54:1e:cf:53:a2:ae: 4e:72:29:37:cb:53:c1:e4:61:26:0d:68:df:34:86:29: 4a:7e:00:4a:a0:70:06:e8:cb:f4:78:f6:cb:5e:a2:2e: 73:73:51:18:0e:a5:b3:3a:6c:e6:c8:11:aa:18:21:a5: d3:85:a0:01:6b:39:90:aa:38:6c:6b:33:b0:f2:89:4a: e0:2d:51:c7:e7:9b:a7:63:cf:4a:af:17:ed:da:2f:0d: 63:81:61:24:b0:d9:db:44:eb:aa:c0:d1:d3:4e:51:60: 92:70:39:a8:39:45:bc:ca:97:bf:cd:9f:02:38:ec:6e: 15:2f:5c:b2:c6:77:de:d6:8d:3e:76:5c:14:34:f5:69 Fingerprint (MD5): fd:4d:92:51:bb:e0:5e:34:8c:83:e4:43:a0:d3:1f:21 Fingerprint (SHA1): 47:4e:12:b6:5a:12:b8:85:b3:c8:53:09:9e:5f:97:a0: 65:ea:cd:1f ipa : ERROR cert validation failed for "CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.) preparation of replica failed: cannot connect to ' https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Pee r's Certificate has expired. ipa : DEBUG cannot connect to ' https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Cert ificate has expired. File "/usr/sbin/ipa-replica-prepare", line 529, in <module> main()
File "/usr/sbin/ipa-replica-prepare", line 400, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb raise e
cannot connect to ' https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired. File "/usr/sbin/ipa-replica-prepare", line 529, in <module> main()
File "/usr/sbin/ipa-replica-prepare", line 400, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb raise e
On Thu, Nov 16, 2017 at 5:16 PM, Fraser Tweedale ftweedal@redhat.com wrote:
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
john.bowman--- via FreeIPA-users wrote:
Still looking for any ideas on this one so giving it a bump.
Next time please don't wipe out all the context.
Fraser, it seems to be having a problem connecting to the security domain.
The full thread is at https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
rob
For the security domain connection problems, a fix was released in Dogtag 10.5.1 (pki commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3).
As for the expired certificates problem, I'm not sure about that. More logs would be helpful. But perhaps start over again with a fresh host for the replica, and run the latest pki builds (Fedora 27 was just released and it has Dogtag 10.5.1).
Cheers, Fraser
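The replica preparation above fails before it ever reaches the security domain: NSS rejects the CA master's own server certificate (Not After: Mon Sep 25 21:27:25 2017 UTC) when ipa-replica-prepare opens the connection to profileSubmitSSLClient. The following is an added example, not code from this thread or from FreeIPA, that reads the Subject, Issuer, Serial Number and Validity lines out of an NSS text dump (the layout shown in the log, which `certutil -L -d <dbdir> -n <nickname>` prints as well) and reports whether the certificate is expired, not yet valid, or inside a renewal window, so the check can be run as a pre-flight on the existing CA master before attempting another replica. The sample dump is constructed from the values in the log; the 30-day warning window and the evaluation date are assumptions.

```python
"""Pre-flight check: does the CA master's certificate (as printed by NSS)
still cover the time at which we are about to use it?"""
import re
from datetime import datetime, timezone

# Constructed sample: the header of the NSS certificate dump that appears
# in the ipa-replica-prepare debug log above (subject CN=ipa1.domain.tld).
SAMPLE_DUMP = """\
Data:
    Version: 3 (0x2)
    Serial Number: 804978690 (0x2ffb0002)
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=Certificate Authority,O=DOMAIN.TLD
    Validity:
        Not Before: Tue Oct 06 21:27:25 2015 UTC
        Not After: Mon Sep 25 21:27:25 2017 UTC
    Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
"""

# NSS prints validity timestamps as "Tue Oct 06 21:27:25 2015 UTC".
NSS_TIME_FMT = "%a %b %d %H:%M:%S %Y UTC"
WARN_DAYS = 30  # assumed renewal window; adjust to the local rotation policy


def parse_nss_dump(text):
    """Extract subject, issuer, serial and validity window from an NSS dump.

    Only the first occurrence of each field is used, so the
    'Serial Number: None' line inside an Authority Key Identifier
    extension is never mistaken for the certificate's own serial."""
    fields = {}
    for key in ("Serial Number", "Issuer", "Subject", "Not Before", "Not After"):
        m = re.search(r"^\s*" + re.escape(key) + r":\s*(.+?)\s*$", text, re.M)
        if m is None:
            raise ValueError("field not found in dump: %s" % key)
        fields[key] = m.group(1)
    for key in ("Not Before", "Not After"):
        fields[key] = datetime.strptime(fields[key], NSS_TIME_FMT).replace(
            tzinfo=timezone.utc)
    return fields


def check_validity(fields, now=None, warn_days=WARN_DAYS):
    """Classify the certificate relative to `now` (aware UTC datetime;
    defaults to the current time). Returns a dict with the verdict and the
    whole days remaining until Not After (negative once expired)."""
    if now is None:
        now = datetime.now(timezone.utc)
    seconds_left = (fields["Not After"] - now).total_seconds()
    days_left = int(seconds_left // 86400)
    if now < fields["Not Before"]:
        status = "not_yet_valid"
    elif seconds_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring_soon"
    else:
        status = "valid"
    return {"subject": fields["Subject"], "issuer": fields["Issuer"],
            "serial": fields["Serial Number"], "status": status,
            "days_left": days_left}


def check_dump(text, now_iso=None):
    """Convenience wrapper: dump text plus an ISO-8601 timestamp with
    offset (e.g. '2017-11-16T00:00:00+00:00'); omit it for 'now'."""
    now = datetime.fromisoformat(now_iso) if now_iso else None
    return check_validity(parse_nss_dump(text), now)


if __name__ == "__main__":
    # The thread dates from mid-November 2017, so evaluate the dump then.
    verdict = check_dump(SAMPLE_DUMP, "2017-11-16T00:00:00+00:00")
    print("%(subject)s (serial %(serial)s): %(status)s, "
          "%(days_left)d days to Not After" % verdict)
```

Feed it the output of `certutil -L` for the certificate the replica will talk to and run it with no date to evaluate against the clock. For the log above the verdict is "expired": the certificate lapsed 52 days before the November run, which is exactly what SEC_ERROR_EXPIRED_CERTIFICATE reports. The check only tells you that the certificate on the existing CA master has lapsed; nothing on the new replica host can fix that, so renewal on the master comes before the next ipa-replica-prepare attempt.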