On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote:
> On 05/05/2012 09:08 PM, Chris Evich wrote:
> > On 05/05/2012 08:01 PM, Chris Evich wrote:
> >> On 05/04/2012 04:17 PM, Chris Evich wrote:
> >> That makes me think maybe there's just a missing service principal or
> >> something I can add? I'll see if I can remove that request and try
> >> running ipa-replica-prepare again to see if it still gives that error
> >> (systems have been restarted since then). Though any other
> >> suggestions/ideas of what I can try or look at are much appreciated.
> >> Thanks.
> > Replying to myself again, bad-form, but maybe it'll help someone else if
> > they have a similar problem....
> > ...cut...
> > I'm guessing there's something going on with this 'caIPAserviceCert'
> > thing. Granted I didn't try requesting any certs prior to the update,
> > however I can click the 'view' button in the web UI on some service
> > certs from the install, so it was generating them at some point.
> Google was kind to me and I found
> https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly
> confirmed was a problem:
> [root@<master> ~]# find /var/lib -name caIPAserviceCert.cfg
> [root@<master> ~]# cd /var/lib/pki-ca/profiles/ca/
> [root@<master> ca]# ll
> total 424
> -rw-rw----. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg
> -rw-rw----. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg
> -rw-rw----. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg
> -rw-rw----. 1 pkiuser pkiuser 5548 Apr 22 16:42
> -rw-rw----. 1 pkiuser pkiuser 5580 Apr 22 16:42
> -rw-rw----. 1 pkiuser pkiuser 5784 Apr 22 16:42
> -rw-rw----. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg
> [root@<master> ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
> [root@<master> ca]# fixfiles restore *
> [root@<master> ~]# systemctl restart email@example.com
> certmonger.service ipa.service
> (Probably only needed to restart ipa.service) Now generating the cert
> works like a champ! with a whole boat-load more stuff showing up in the
> debug log:
> [root@<replica> ~]# ipa cert-request --principal=imap/<replica
> fqdn>@<domain> dovecot.pem.csr
> Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE
> Subject: CN=<replica fqdn>,O=<domain>
> Issuer: CN=Certificate Authority,O=<domain>
> Not Before: Sun May 06 01:20:26 2012 UTC
> Not After: Wed May 07 01:20:26 2014 UTC
> Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
> Fingerprint (SHA1):
> Feeling confident, I tried ipa-replica-prepare and it worked!
> [root@<master> ca]# ipa-replica-prepare king.yewess.us
> Directory Manager (existing master) password:
> Preparing replica for <replica fqdn> from <master fqdn>
> Creating SSL certificate for the Directory Server
> Creating SSL certificate for the dogtag Directory Server
> Creating SSL certificate for the Web Server
> Exporting RA certificate
> Copying additional files
> Finalizing configuration
> Packaging replica information into /var/lib/ipa/replica-info-<replica
> I'm guessing what happened was I got bit by BZ 675742 or similar before
> or after the upgrade but never noticed b/c I haven't used the cert
> system until now. Maybe whatever the fix for this bug was should be
> revisited, or the upgrade process should make sure this file gets reset
> with the correct ownership. Otherwise, hopefully this exercise will be
> helpful to someone else, and thanks Rob for responding so quickly the
> other day.
thanks a lot for getting back with your solution, it is very valuable
for all users that may end up in the same weird situation.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list