On Wed, Aug 2, 2017 at 1:31 PM, Fraser Tweedale via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote:
>> john.bowman--- via FreeIPA-users wrote:
>> > Since taking over our FreeIPA environment I've been unable to create a new 
>> > CA replica.  A bunch of failed attempts and upgrades over the last year 
>> > and I keep running into issues.   After my latest attempt I noticed 
>> > something that I had not seen before (likely a result of a recent 
>> > upgrade) and I was wondering if this would cause a CA install to fail.
>> >
>> > Our env:
>> > 3 x ipa-server-3.0.0-51.el6.x86_64
>> > 3 x ipa-server-4.4.0-14.el7_3.7.x86_64
>> >
>> > 2 of the 3.x IPA servers are currently acting as CAs and I've been trying 
>> > to create a new 4.x CA replica in order to start removing the 3.x IPA 
>> > servers.   I've been able to do a simple test with vanilla CentOS 6.9 and 
>> > 7.3 and it seems to work fine as far as I can tell but when I try it in 
>> > our environment it fails.  I noticed this error in one of the logs and 
>> > something jumped out at me that I had never seen before:
>> >
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security 
>> > domain
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): 
>> > Getting domain.xml from CA...
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting 
>> > domain info
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET 
>> > https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain 
>> > info: <?xml version="1.0" encoding="UTF-8" 
>> > standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA
>> >> <Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><Sec
>> > ureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><CA><Host>ipa-replica1.domain.tld
>> > </Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</S
>> > ecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</Se
>> > curePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><Dom
>> > ainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>3</SubsystemCount></CAList><OCSPList><SubsystemCount>0</Subsyst
>> > emCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSL
>> > ist><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
>> > admin interface
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
>> > updateDomainXML start hostname=ipa-master.domain.tld port=443
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
>> > https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin 
>> > interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
>> > agent interface
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
>> > updateDomainXML start hostname=ipa-master.domain.tld port=443
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() 
>> > nickname=subsystemCert cert-pki-ca
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
>> > https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - subject: 
>> > CN=ipa-master.domain.tld,O=DOMAIN.US
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - issuer: CN=Certificate 
>> > Authority,O=DOMAIN.US
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: 
>> > updateDomainXML: status=1
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security 
>> > domain: 2
>> > java.io.IOException: Unable to update security domain: 2

This error message means that pkispawn cannot authenticate to Dogtag
on the master with a certificate. Usually the cert doesn't match the one
in the Dogtag user DB in LDAP, or the cert serial number mapping is wrong.

More info is in:
* https://www.freeipa.org/page/Troubleshooting#Migrating_from_RHEL_6.2FCentOS_6

resp.
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

But the Dogtag team made a utility which should do the steps described
in the above post automatically.

So run on the RHEL 6 master:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v

Then remove the previous installation attempt by:
* ipa-replica-manage del $replica
* ipa-csreplica-manage del $replica

Try again:
* generate new replica file by ipa-replica-prepare
* run replica installation again with the new replica file

>> >
>> >
>> > The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x 
>> > servers, but of the other two listed in that domain.xml file, one does not 
>> > exist (it may have at some point been renamed) and the other server is not 
>> > a CA replica but it is a replica.
>> >
>> > Is it possible this bad info would cause a failure when trying to create a 
>> > new CA replica?  If so is it something I can try cleaning up?
>> >
>> > Any info would be appreciated.  Thanks!
>>
>> I think one of the dogtag devs will need to look at it. It may take a
>> few days, things get a bit slow around here in the summer.
>>
>> rob
>>
> This went off my radar, but now it's back on my radar.  Looks like
> it could be another case of [1]?
>
> [1] 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/TJGJZANRCIYTGXCUEAZ3XLISNEO7QOIN/#A54XHWAG4Z6BVX62YRUQXYO5QKW4OXAZ
>
> Cheers,
> Fraser
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org



-- 
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat
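The check behind Petr's diagnosis above (subsystem cert in the NSS DB vs. the Dogtag user entry in LDAP, plus the serial in the user's description attribute), as an added example. This is not code from the thread, from FreeIPA or from the Dogtag restore-subsystem-user.py script. It assumes the inputs are obtained roughly as in the linked troubleshooting notes: the DER cert via `certutil -L -d /var/lib/pki-ca/alias -n 'subsystemCert cert-pki-ca' -r` (Dogtag 9 path on RHEL 6; /etc/pki/pki-tomcat/alias on 7), and the LDAP side via an ldapsearch of the subsystem user (assumed to be `uid=pkidbuser,ou=people,o=ipaca`, with base64-decoded `userCertificate` values and a `description` of the form `2;<serial>;<issuer DN>;<subject DN>`). Those paths, the DN and the description layout are assumptions, not verified here; the certificate fixtures are hand-built DER skeletons, not real certificates.

```python
"""Compare the CA subsystem cert in the NSS DB with the Dogtag user in LDAP.

Added example, not FreeIPA/Dogtag code.  ASSUMED (verify before relying on it):
NSS DB path and nickname, the LDAP DN uid=pkidbuser,ou=people,o=ipaca, and the
description layout '2;<serial>;<issuer DN>;<subject DN>'.
"""


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Short and long-form lengths are handled, which is all X.509 needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der: bytes) -> int:
    """serialNumber from a DER X.509 cert: Certificate ::= SEQUENCE {
    tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, cert_body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _tlv(tbs, 0)
    if tag == 0xA0:                        # explicit [0] version present; serial follows
        tag, value, nxt = _tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def check_subsystem_user(nss_cert_der: bytes, ldap_user_certs, ldap_description: str):
    """Return a list of mismatches (empty list == the two sides agree)."""
    findings = []
    if nss_cert_der not in ldap_user_certs:
        findings.append("userCertificate in LDAP does not contain the NSS DB subsystem cert")
    serial = cert_serial(nss_cert_der)
    parts = ldap_description.split(";")   # ASSUMED layout: 2;<serial>;<issuer>;<subject>
    if len(parts) != 4 or parts[0] != "2":
        findings.append("description is not '2;<serial>;<issuer DN>;<subject DN>'")
    else:
        try:
            mapped = int(parts[1])
        except ValueError:
            findings.append(f"description serial {parts[1]!r} is not a number")
        else:
            if mapped != serial:
                findings.append(f"description maps serial {mapped} but the cert has serial {serial}")
    return findings


# --- constructed fixtures (NOT real certificates) -----------------------------
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(v: int) -> bytes:
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_fixture_cert(serial: int) -> bytes:
    """DER skeleton with only the fields cert_serial() reads, padded so the
    long-form length path is exercised as with real certs.  Constructed data."""
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + _der(0x04, b"\x00" * 200))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


SUBSYSTEM_CERT_DER = build_fixture_cert(7)    # what the NSS DB holds (constructed)
STALE_LDAP_CERT_DER = build_fixture_cert(6)   # what a stale LDAP entry holds (constructed)
REALM = "EXAMPLE.TEST"                        # assumed realm
DESCRIPTION_OK = f"2;7;CN=Certificate Authority,O={REALM};CN=CA Subsystem,O={REALM}"
DESCRIPTION_STALE = f"2;6;CN=Certificate Authority,O={REALM};CN=CA Subsystem,O={REALM}"

if __name__ == "__main__":
    print("healthy:", check_subsystem_user(SUBSYSTEM_CERT_DER, [SUBSYSTEM_CERT_DER], DESCRIPTION_OK))
    print("stale:  ", check_subsystem_user(SUBSYSTEM_CERT_DER, [STALE_LDAP_CERT_DER], DESCRIPTION_STALE))
```

Either finding on the "stale" side is the situation the error above describes: Dogtag finds a user, but the certificate the new replica presents is not the one the user entry maps to, so the agent-interface POST to updateDomainXML fails. That is what restore-subsystem-user.py is meant to repair; the check only tells you which side is out of date.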