Running in debug mode definitely shows a recently expired cert, and running it again this time only shows the correct hostname now, unlike before. Is this cert something that I can regenerate/renew? I'll find out about getting a new host to test with as well.
[root@ipa1 ~]# ipa-replica-prepare --debug ipa2.domain.tld
ipa : DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa : DEBUG args=klist -V
ipa : DEBUG stdout=Kerberos 5 version 1.10.3
ipa : DEBUG stderr=
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_61017104
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_61017104
ipa : DEBUG Search DNS for ipa2.domain.tld
ipa : DEBUG Check if ipa2.domain.tld. is not a CNAME
ipa : DEBUG Check reverse address of 192.168.1.11
ipa : DEBUG Found reverse name: ipa2.domain.tld
Preparing replica for ipa2.domain.tld from ipa1.domain.tld
ipa.ipaserver.plugins.ldap2.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2c00758>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
ipa : DEBUG args=/usr/bin/PKCS12Export -d /var/lib/pki-ca/alias/ -p /tmp/tmpPl8m5I -w /tmp/tmpTv1GoU -o /root/cacert.p12
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
Creating SSL certificate for the Directory Server
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -N -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -A -n DOMAIN.TLD IPA CA -t CT,,C -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -R -s CN=ipa2.domain.tld,O=DOMAIN.TLD -o /var/lib/ipa/ipa-JGfpWu/tmpcertreq -k rsa -g 2048 -z /tmp/tmpMhbi7sipa/realm_info/noise.txt -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
Generating key. This may take a few moments...
ipa : DEBUG https_request 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient'
ipa : DEBUG https_request post 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICdjCCAV4CAQAwMTEQMA4GA1UEChMHWkFZTy5VUzEdMBsGA1UEAxMUZGVuMDJ2%0D%0AbWlkbTAyLnpheW8udXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj%0D%0AGVwN6mATZGwEd19aRzDnG8HhED3Q2shjAxmf0hreFdls079m1mdbRlUtFOWnVx%2Bx%0D%0AFS0BQZZn0dfNXeArYz0dBXw9Plo%2FzFcMaXjmwGGGGtdTqukdQT79vfvwH7k2mB1c%0D%0AbitykHqYvapI%2BzaMXjRTYwOBJzkxKFhwGlQEt8lb3oqgJrCkyH11ldsDDo%2FMcnEI%0D%0AYua50OPKKnDZ9zdOx32wL7t1VM5FRhqV941R4MT7Y9fr7u3EdUbWNpa9hCQ8LTXs%0D%0Az2pU8%2Fu64Nnj%2FzP9vXXzx5YUSQK7NoUeqOl0%2Ft%2F4h%2B8%2FXmmmKLfdu2aD%2Bp%2BzGBYG%0D%0ApkFLT2oZLk7XOFc5xGmrAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAb%2FkkLjcr%0D%0Ay9XLuzePw59UxpOeCQSdCrET2e6Uy3rEglo5%2F8HcQbdaeCrOfwKyjbmUjJnCXptM%0D%0As6xW%2FOtNU1Xqt7fUJpxTgKDX%2Fsz5gWejuIQyAT20qnxsg8aHz0L7LxrlumW1eCMg%0D%0Af1kIXwLWzfQntBtaEFyNaJx6wEZTXQboKbZqSB281BH96dJF1szaD7nPKCo4ZFfA%0D%0AwKaJbIM89cjQvYjA9utatlqEK0g2CZnc8YtKauTmZz%2FV7W%2B3jpVV1XfgoChVmr%2FV%0D%0A%2BN0czdeA93Ie9jBB7ZOAko2BCLuPAc2z4w0K1VF4DXBA4slf2AD%2F29xCnv1nYbzZ%0D%0AfuhOgnfI8PIdQw%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa : DEBUG NSSConnection init ipa1.domain.tld
ipa : DEBUG Connecting: 192.168.1.10:0
ipa : DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 804978690 (0x2ffb0002)
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=Certificate Authority,O=DOMAIN.TLD
    Validity:
        Not Before: Tue Oct 06 21:27:25 2015 UTC
        Not After: Mon Sep 25 21:27:25 2017 UTC
    Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
    Subject Public Key Info:
        Public Key Algorithm:
            Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                d0:7d:e0:36:af:0c:c5:03:ea:ea:1e:57:35:50:93:ec:
                77:97:79:79:fe:7a:4c:14:e9:08:6a:2e:71:3e:fe:14:
                55:cd:e5:97:cf:40:31:e1:f1:c4:fb:d9:a8:81:ce:d1:
                76:59:80:7c:65:c2:45:c2:06:69:a0:91:96:51:c6:4e:
                e1:01:42:a0:6f:99:c3:80:83:69:49:8f:f9:7c:88:f2:
                20:4a:df:85:d1:a3:01:e4:78:72:51:13:4c:d8:6b:e8:
                06:1f:cb:2b:40:94:c7:9a:14:55:85:58:2b:6a:f9:4a:
                d8:3b:b6:78:a6:d4:bf:04:cf:69:12:9e:e7:58:a4:6b:
                11:55:f7:8a:8f:dd:00:7e:7b:e5:5e:f9:29:0a:9d:dd:
                d0:ed:fa:ce:e1:c8:27:15:d2:01:b4:3a:fb:8c:33:1b:
                66:ff:ce:2d:83:01:44:56:d0:0c:8b:7a:77:3d:d1:c1:
                14:f0:0f:15:38:8e:68:f6:aa:5b:99:b3:1e:ef:53:03:
                53:af:b4:c7:a8:c0:84:06:f8:0e:27:12:5a:e2:b8:29:
                ba:0d:b5:0c:af:4c:b6:06:22:76:9d:6a:71:5d:96:41:
                4c:c8:c1:3f:0a:40:0a:57:eb:5e:7c:6d:a1:d7:1c:22:
                60:07:7a:08:c3:9e:d4:cb:1d:20:c3:b9:65:07:c8:39
            Exponent: 65537 (0x10001)
    Signed Extensions: (4 total)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            df:e2:06:f2:94:98:29:17:5a:0f:65:e5:df:eb:0b:c3:
            7d:d0:4b:0f
        Serial Number: None
        General Names: [0 total]
        Name: Authority Information Access
        Critical: False
        Authority Information Access: [1 total]
            Info [1]:
                Method: PKIX Online Certificate Status Protocol
                Location: URI: http://ipa1.domain.tld:80/ca/ocsp
        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment
        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication
Certificate Signature:
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a0:98:8f:04:39:d9:57:fd:96:3f:e4:d3:29:7a:df:37:
        6d:30:c0:d2:3c:af:0f:a0:9f:c0:dc:38:61:84:a7:b5:
        e0:db:6a:4a:9d:44:3b:45:04:2b:87:d1:fb:d5:5b:d4:
        7f:24:3c:db:80:1e:9d:65:1d:09:5a:6a:3e:15:e0:8a:
        e9:60:e8:ef:c3:c9:92:fe:a6:df:54:dc:e7:d9:52:c9:
        93:10:a9:b4:12:b3:fb:34:fb:f8:c1:43:a1:2e:71:c6:
        70:aa:c3:4e:2f:c3:d9:56:ba:9b:b8:14:c5:2b:e7:f2:
        64:bb:0b:59:99:9c:85:0e:4f:04:54:1e:cf:53:a2:ae:
        4e:72:29:37:cb:53:c1:e4:61:26:0d:68:df:34:86:29:
        4a:7e:00:4a:a0:70:06:e8:cb:f4:78:f6:cb:5e:a2:2e:
        73:73:51:18:0e:a5:b3:3a:6c:e6:c8:11:aa:18:21:a5:
        d3:85:a0:01:6b:39:90:aa:38:6c:6b:33:b0:f2:89:4a:
        e0:2d:51:c7:e7:9b:a7:63:cf:4a:af:17:ed:da:2f:0d:
        63:81:61:24:b0:d9:db:44:eb:aa:c0:d1:d3:4e:51:60:
        92:70:39:a8:39:45:bc:ca:97:bf:cd:9f:02:38:ec:6e:
        15:2f:5c:b2:c6:77:de:d6:8d:3e:76:5c:14:34:f5:69
Fingerprint (MD5): fd:4d:92:51:bb:e0:5e:34:8c:83:e4:43:a0:d3:1f:21
Fingerprint (SHA1): 47:4e:12:b6:5a:12:b8:85:b3:c8:53:09:9e:5f:97:a0:65:ea:cd:1f
ipa : ERROR cert validation failed for "CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
ipa : DEBUG cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
    raise e
cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
    raise e

On Thu, Nov 16, 2017 at 5:16 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
> > john.bowman--- via FreeIPA-users wrote:
> > > Still looking for any ideas on this one so giving it a bump.
> >
> > Next time please don't wipe out all the context.
> >
> > Fraser, it seems to be having a problem connecting to the security
> > domain.
> >
> > The full thread is at
> > https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
> >
> > rob
>
> For the security domain connection problems, a fix was released in
> Dogtag 10.5.1 (pki commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3).
>
> As for the expired certificates problem, I'm not sure about that.
> More logs would be helpful. But perhaps start over again with a
> fresh host for the replica, and run the latest pki builds (Fedora 27
> was just released and it has Dogtag 10.5.1).
>
> Cheers,
> Fraser
>

--
John Bowman
System Engineer
4500 S 129th East Avenue, Suite 132
Tulsa, OK 74134
(c) 918.633.4191
(o) 918.295.7043
john.bow...@zayo.com
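The failure above is a plain certificate-lifetime problem: the CA's HTTPS server certificate for ipa1.domain.tld (serial 804978690, Not After Mon Sep 25 21:27:25 2017 UTC) had lapsed before the run on 16 November 2017, so NSS rejected the peer with SEC_ERROR_EXPIRED_CERTIFICATE before ipa-replica-prepare could submit the CSR. The check an operator wants is to pull every certificate dump out of a saved `--debug` transcript and flag which ones are expired or close to it, plus whether the presented subject CN matches the host the installer said it was connecting to (the "shows the correct hostname now" observation in the post). The script below is an added example, written in Python 3 and not part of the thread or of FreeIPA; it parses the NSS-style dump format shown above. The sample transcript is constructed: the first certificate's subject, serial and validity dates are the ones from the thread, while the other two entries and the "ldap-constructed" name are made up to exercise the remaining branches. `THREAD_DATE` is an assumed reference time chosen to fall on the day of the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the certificate dump that
# `ipa-replica-prepare --debug` prints from auth_certificate_callback.
# Entry 1 reuses the thread's real subject/serial/dates; entries 2 and 3
# are made up so that the "valid" and "expiring-soon" paths are exercised.
SAMPLE_DEBUG_OUTPUT = """\
ipa : DEBUG NSSConnection init ipa1.domain.tld
ipa : DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 804978690 (0x2ffb0002)
    Issuer: CN=Certificate Authority,O=DOMAIN.TLD
    Validity:
        Not Before: Tue Oct 06 21:27:25 2015 UTC
        Not After: Mon Sep 25 21:27:25 2017 UTC
    Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
    Signed Extensions: (4 total)
        Name: Certificate Authority Key Identifier
        Serial Number: None
ipa : ERROR cert validation failed for "CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
Data:
    Serial Number: 11 (0xb)
    Issuer: CN=Certificate Authority,O=DOMAIN.TLD
    Validity:
        Not Before: Thu Nov 16 00:00:00 2017 UTC
        Not After: Fri Feb 01 00:00:00 2019 UTC
    Subject: CN=ipa2.domain.tld,O=DOMAIN.TLD
Data:
    Serial Number: 12 (0xc)
    Issuer: CN=Certificate Authority,O=DOMAIN.TLD
    Validity:
        Not Before: Thu Nov 16 00:00:00 2017 UTC
        Not After: Fri Dec 01 00:00:00 2017 UTC
    Subject: CN=ldap-constructed.domain.tld,O=DOMAIN.TLD
"""

# Assumed reference "now": the day of the thread (16 Nov 2017), not the real clock.
THREAD_DATE = datetime(2017, 11, 16, 22, 16, tzinfo=timezone.utc)

# A certificate record opens at a numeric "Serial Number:" line (the extension's
# "Serial Number: None" does not match) and closes at its "Subject:" line, which
# is the order NSS prints the fields in.  The "\s*:" tolerates certutil -L's
# "Not After :" spacing as well as the python-nss "Not After:" form seen above.
CERT_START = re.compile(r"^\s*Serial Number:\s*(\d+)\b")
FIELD = re.compile(r"^\s*(Not Before|Not After|Subject|Issuer)\s*:\s*(.+?)\s*$")
NSS_INIT = re.compile(r"NSSConnection init (\S+)")


def parse_nss_time(value):
    """Turn 'Mon Sep 25 21:27:25 2017 UTC' into a timezone-aware datetime."""
    if not value.endswith(" UTC"):
        raise ValueError("unexpected timestamp format: %r" % value)
    naive = datetime.strptime(value[:-4], "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_cert_dumps(text):
    """Return one dict per certificate dump found in the debug transcript."""
    certs, cur = [], None
    for line in text.splitlines():
        start = CERT_START.match(line)
        if start:
            cur = {"serial": int(start.group(1))}
            continue
        if cur is None:
            continue
        field = FIELD.match(line)
        if not field:
            continue
        key, value = field.groups()
        if key in ("Not Before", "Not After"):
            cur[key] = parse_nss_time(value)
        else:
            cur[key.lower()] = value
        if key == "Subject":           # last field of a record: close it
            certs.append(cur)
            cur = None
    return certs


def subject_cn(subject):
    """Extract the CN attribute from a 'CN=...,O=...' subject string."""
    m = re.search(r"(?:^|,)CN=([^,]+)", subject)
    return m.group(1) if m else None


def expected_peer(text):
    """Host the installer said it was connecting to ('NSSConnection init <host>')."""
    m = NSS_INIT.search(text)
    return m.group(1) if m else None


def assess(certs, now, expected_host=None, warn_days=30):
    """Classify each certificate's validity relative to `now` and check its CN."""
    report = []
    for c in certs:
        nb, na = c.get("Not Before"), c.get("Not After")
        if nb is None or na is None:
            status, days_left = "incomplete", None
        else:
            days_left = (na - now).days
            if now < nb:
                status = "not-yet-valid"
            elif now > na:
                status = "expired"
            elif na - now <= timedelta(days=warn_days):
                status = "expiring-soon"
            else:
                status = "valid"
        cn = subject_cn(c.get("subject", ""))
        report.append({
            "subject": c.get("subject"),
            "serial": c["serial"],
            "status": status,
            "days_left": days_left,
            "cn_matches": None if expected_host is None else (cn == expected_host),
        })
    return report


if __name__ == "__main__":
    peer = expected_peer(SAMPLE_DEBUG_OUTPUT)
    for row in assess(parse_cert_dumps(SAMPLE_DEBUG_OUTPUT), THREAD_DATE, peer):
        print("%-45s serial=%-10d %-14s days_left=%s cn_matches=%s" % (
            row["subject"], row["serial"], row["status"],
            row["days_left"], row["cn_matches"]))
```

To use it on a real transcript, replace `SAMPLE_DEBUG_OUTPUT` with the saved output of `ipa-replica-prepare --debug` and `THREAD_DATE` with `datetime.now(timezone.utc)`; an "expired" row with `cn_matches=True` is exactly the condition that produced the SEC_ERROR_EXPIRED_CERTIFICATE error above, and "expiring-soon" rows are the ones to renew before the next replica or renewal window.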
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org