Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

Jan Cholasta Thu, 18 Jun 2015 04:20:02 -0700

Dne 17.6.2015 v 12:26 Fraser Tweedale napsal(a):

On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:

On 06/12/2015 03:18 PM, Fraser Tweedale wrote:

On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:

On 06/04/2015 04:03 PM, Petr Vobornik wrote:

- ipa-replica-prepare works
- old IPA server was upgraded to today's master (with Cert profiles
patches)
- ipa-replica-prepare fails with:


Log:

ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: request status 200
ipa: DEBUG: request reason_phrase u'OK'
ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
'content-length': '148', 'content-type': 'application/xml', 'server':
'Apache-Coyote/1.1'}
ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>1</Status><Error>Profile
caIPAserviceCert Not Found</Error></XMLResponse>'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
     return_value = self.run()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 338, in run
     self.copy_ds_certificate()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 383, in copy_ds_certificate
     self.export_certdb("dscert", passwd_fname)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 595, in export_certdb
     db.create_server_cert(nickname, hostname, ca_db)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 337, in create_server_cert
     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 419, in issue_server_cert
     raise RuntimeError("Certificate issuance failed")


Bump, I have also came across this issue (see log:
http://pastebin.test.redhat.com/289434).

--
Martin^3 Babinsky


It was reported to me that the issue was reproducible after upgrade

>from 4.1.4 to master, but I was not able to reproduce.  Can anyone

who has encountered it please:

- state fedora version(s) affected and precise build of Dogtag
- provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug

Thanks,
Fraser


I  see similar issue when creating a replica file from second
replica/master, all git master. I.e. the prepare on first server obviously
works.

The error is different though:

ipa: DEBUG: request status 200
ipa: DEBUG: request reason_phrase u'OK'
ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT',
'content-length': '133', 'content-type': 'application/xml', 'server':
'Apache-Coyote/1.1'}
ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid
Credential.</Error></XMLResponse>'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
     return_value = self.run()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 338, in run
     self.copy_ds_certificate()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 383, in copy_ds_certificate
     self.export_certdb("dscert", passwd_fname)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 595, in export_certdb
     db.create_server_cert(nickname, hostname, ca_db)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
337, in create_server_cert
     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
419, in issue_server_cert
     raise RuntimeError("Certificate issuance failed")

--
Petr Vobornik


I spent some time debugging tihs issue today.  It appears to be
introduced by commit:

     commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
     Author: David Kupka <dku...@redhat.com>
     Date:   Mon Jun 8 05:23:56 2015 +0000

         Move CA installation code into single module.

         https://fedorahosted.org/freeipa/ticket/4468

         Reviewed-By: Jan Cholasta <jchol...@redhat.com>

During the execution of ipa-replica-prepare, the RA cert (nickname
"ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then
removed somehow while executing http.create_instance().  I have not
yet precisely identified the cause enough to fix it.  Hopefully
David or Honza can some light.


Fixed.

--
Jan Cholasta

>From dca319d651c578a3c7c763a32160aaa70e16efd2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 18 Jun 2015 10:35:09 +0000
Subject: [PATCH] install: Fix ipa-replica-install not installing RA cert

https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/ca.py                    |  8 +-------
 ipaserver/install/server/replicainstall.py | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 1ef8b2c..b847569 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -122,13 +122,7 @@ def install_step_0(standalone, replica_config, options):
             postinstall = True
         else:
             postinstall = False
-        ca = cainstance.install_replica_ca(replica_config, postinstall)
-
-        if not standalone:
-            ca.configure_certmonger_renewal()
-            ca.import_ra_cert(replica_config.dir + "/ra.p12")
-            ca.fix_ra_perms()
-
+        cainstance.install_replica_ca(replica_config, postinstall)
         return
 
     if options.external_cert_files:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 34580ce..303d0bc 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -24,8 +24,9 @@ from ipaplatform.paths import paths
 from ipalib import api, certstore, constants, create_api, errors, x509
 import ipaclient.ntpconf
 from ipaserver.install import (
-    bindinstance, ca, dns, dsinstance, httpinstance, installutils, kra,
-    krbinstance, memcacheinstance, ntpinstance, otpdinstance, service)
+    bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
+    installutils, kra, krbinstance, memcacheinstance, ntpinstance,
+    otpdinstance, service)
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.replication import (
     ReplicationManager, replica_conn_check)
@@ -579,6 +580,16 @@ def install(installer):
     otpd.create_instance('OTPD', config.host_name, config.dirman_password,
                          ipautil.realm_to_suffix(config.realm_name))
 
+    if ipautil.file_exists(cafile):
+        CA = cainstance.CAInstance(
+            config.realm_name, certs.NSS_DIR,
+            dogtag_constants=dogtag_constants)
+        CA.dm_password = config.dirman_password
+
+        CA.configure_certmonger_renewal()
+        CA.import_ra_cert(config.dir + "/ra.p12")
+        CA.fix_ra_perms()
+
     # The DS instance is created before the keytab, add the SSL cert we
     # generated
     ds.add_cert_to_service()
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

Reply via email to