Hi all,
we try to set up IPA replication between a Master (Version 4.4.0 on CentOS 7.3) and a new IPA (Version 4.5.1 on CentOS 7.5) on different hosts. We followed the official documentation by first installing the ipa dependencies, then ipa server, added the new host by running "ipa-client-install --server=<new-host> --domain=<existing-domain>". Lastly, we simply ran "ipa-replica-install" and the process gets stuck on "installing X509 Certificate for PKINIT" and resumes after some minutes:
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Even so, logging into the new IPA all users, groups, services are available. Running "ipa-pkinit-manage enable" doesn't help the following problem.
---
Problem: The new IPA instance is reporting issues when running "ipa cert_find": Certificate operation cannot be completed: Unable to communicate with CMS (Comment not terminated, line 2, column 1)
The same error can be observed by navigating to the IPA Web UI -> Authentication - > Certificates: Certificate operation cannot be completed: Unable to communicate with CMS (Comment not terminated, line 2, column 1)
The /var/log/httpd/error_log reports the same issue (on the new IPA only): [:error] [pid 15679] ipa: ERROR: ra.find(): Unable to communicate with CMS (Comment not terminated, line 2, column 1)
Running "getcert list" shows no expired certificates...
---
We ran into the same issues when we tried to upgrade the host OS from CentOS 7.3 to 7.5 (which executes the IPA Upgrade script). With that issue we were not able to remove services from the IPA at all (only adding services, adding/removing users and groups). We then chose to roll back the VM. But now we need to upgrade the OS version.
---
How can we go from here? We could not find any similar issue ("Comment not terminated, line 2, column 1") at all.
Kind regards
Adrian
On 2/18/19 8:36 PM, Adrian Villwock via FreeIPA-users wrote:
Hi all,
we try to set up IPA replication between a Master (Version 4.4.0 on CentOS 7.3) and a new IPA (Version 4.5.1 on CentOS 7.5) on different hosts. We followed the official documentation by first installing the ipa dependencies, then ipa server, added the new host by running "ipa-client-install --server=<new-host> --domain=<existing-domain>". Lastly, we simply ran "ipa-replica-install" and the process gets stuck on "installing X509 Certificate for PKINIT" and resumes after some minutes:
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Even so, logging into the new IPA all users, groups, services are available. Running "ipa-pkinit-manage enable" doesn't help the following problem.
Hi, you are probably hitting issue 7200, where ipa-pkinit-manage enable reports success although it did not complete.
The workaround is to delete the files /var/kerberos/krb5kdc/kdc.{key,crt} and re-run ipa-pkinit-manage enable. At this point, the cert in /var/kerberos/krb5kdc/kdc.crt should be issued by IPA CA. You can check with
$ openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt | grep Issuer
and you should see
Issuer: O=<DOMAIN.COM>, CN=Certificate Authority
HTH,
flo
[1] https://pagure.io/freeipa/issue/7200
Problem: The new IPA instance is reporting issues when running "ipa cert_find": Certificate operation cannot be completed: Unable to communicate with CMS (Comment not terminated, line 2, column 1)
The same error can be observed by navigating to the IPA Web UI -> Authentication - > Certificates: Certificate operation cannot be completed: Unable to communicate with CMS (Comment not terminated, line 2, column 1)
The /var/log/httpd/error_log reports the same issue (on the new IPA only): [:error] [pid 15679] ipa: ERROR: ra.find(): Unable to communicate with CMS (Comment not terminated, line 2, column 1)
Running "getcert list" shows no expired certificates...
We ran into the same issues when we tried to upgrade the host OS from CentOS 7.3 to 7.5 (which executes the IPA Upgrade script). With that issue we were not able to remove services from the IPA at all (only adding services, adding/removing users and groups). We then chose to roll back the VM. But now we need to upgrade the OS version.
How can we go from here? We could not find any similar issue ("Comment not terminated, line 2, column 1") at all.
Kind regards
Adrian
Hi,
thank you for your hint. I tried to delete the files and re-run the "ipa-pkinit-manage enable". Unfortunately, it still seemed to get stuck.
---
I found some valuable information then in the "/var/log/messages": certmonger: 2019-02-19 02:29:18 [14377] Error 7 connecting to https://<new_ipa_host>:8443/ca/ee/ca/profileSubmitSSLClient: Couldn't connect to server. ...<repeats>....
Well, there is no CA on this host (and 8443 is not listening). However, I tried to install the replica with the "--setup-ca" argument once and this may be an issue. This led me to issue 7795: https://pagure.io/freeipa/issue/7795
---
I tried to apply the patch you submitted at https://pagure.io/freeipa/c/778521053336a4ba09923b4b1f9cac0dff72f634 to the /usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py. Since the package "ipaserver.masters" is not part of my release version, I simply set localhost_has_ca to False.
---
After re-running the approach above (rm key/crt and ipa-pkinit-manage enable), we now get in log/messages: ... certmonger: Request for certificate to be stored in file "/var/kerberos/krb5kdc/kdc.crt" rejected by CA. ...
I tried kdestroy / kinit admin to make sure, the new IPA has valid tickets - didn't change the situation.
---
So, I checked the logs on the IPA master:
/var/log/httpd/error_log: [:error] [pid 23785] ipa: INFO: [xmlserver] host/<new-IPA>@<domain>: cert_request(u'', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/<domain>@<domain>', add=True, version=u'2.51'): ACIError
I looked for some log files processed by the CA on port 8443, but nothing seemed suspicious there (e.g. /var/log/pki/pki-tomcat/ca/debug).
---
Right now:
$ openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt | grep Issuer
Issuer: O=DE.BIGDATA.DIR, CN=<new-IPA-Host>
That is not the CA.
---
I will try the Replication on a fresh host tomorrow.
Kind regards
Adrian
Pressed Send too soon:
Some additional information from the new IPA Host:
---
ipa-getcert list:
Request ID '20190219024400':
status: CA_REJECTED
ca-error: Server at https://<new-IPA-host>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 404: Non-2xx response from CA REST API: 404. ).
stuck: yes
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
---
/var/log/httpd/error_log:
[Tue Feb 19 03:48:32.410674 2019] [auth_gssapi:error] [pid 15991] [client 10.137.7.5:33828] NO AUTH DATA Client did not send any authentication headers, referer: https://<new-IPA-Host>/ipa/xml
[Tue Feb 19 03:48:32.578948 2019] [:error] [pid 15677] ipa: INFO: [xmlserver] host/<new-IPA-Host>@<domain>: cert_request(u'....', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/<domain>@<domain>', add=True, version=u'2.51'): HTTPRequestError
The cert_request payload matches the payload received at the IPA Master Host.
On Tue, 19 Feb 2019, Adrian Villwock via FreeIPA-users wrote:
Hi,
thank you for your hint. I tried to delete the files and re-run the "ipa-pkinit-manage enable". Unfortunately, it still seemed to get stuck.
I found some valuable information then in the "/var/log/messages": certmonger: 2019-02-19 02:29:18 [14377] Error 7 connecting to https://<new_ipa_host>:8443/ca/ee/ca/profileSubmitSSLClient: Couldn't connect to server. ...<repeats>....
Well, there is no CA on this host (and 8443 is not listening). However, I tried to install the replica with the "--setup-ca" argument once and this may be an issue. This led me to issue 7795: https://pagure.io/freeipa/issue/7795
I tried to apply the patch you submitted at https://pagure.io/freeipa/c/778521053336a4ba09923b4b1f9cac0dff72f634 to the /usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py. Since the package "ipaserver.masters" is not part of my release version, I simply set localhost_has_ca to False.
After re-running the approach above (rm key/crt and ipa-pkinit-manage enable), we now get in log/messages: ... certmonger: Request for certificate to be stored in file "/var/kerberos/krb5kdc/kdc.crt" rejected by CA. ...
I tried kdestroy / kinit admin to make sure, the new IPA has valid tickets - didn't change the situation.
So, I checked the logs on the IPA master:
/var/log/httpd/error_log: [:error] [pid 23785] ipa: INFO: [xmlserver] host/<new-IPA>@<domain>: cert_request(u'', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/<domain>@<domain>', add=True, version=u'2.51'): ACIError
I looked for some log files processed by the CA on port 8443, but nothing seemed suspicious there (e.g. /var/log/pki/pki-tomcat/ca/debug).
This is a correct answer here -- FreeIPA 4.4 does not support PKINIT so it will not be able to issue a proper PKINIT certificate.
I think your option is to upgrade 4.4 to 4.5 first or install 4.5 with --setup-ca and decommission 4.4 master.
See https://www.freeipa.org/page/V4/Kerberos_PKINIT, in particular, Upgrade section.
Right now:
$ openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt | grep Issuer
Issuer: O=DE.BIGDATA.DIR, CN=<new-IPA-Host>
That is not the CA.
I will try the Replication on a fresh host tomorrow.
Kind regards
Adrian
Thank you!
We will re-install the IPA 4.6 with a CA (--setup-ca) and re-run the steps for replication.
Eventually, our plan was to decommission the old master anyway.
Kind Regards
Adrian