On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote: > On 05/05/2012 09:08 PM, Chris Evich wrote: > > On 05/05/2012 08:01 PM, Chris Evich wrote: > >> On 05/04/2012 04:17 PM, Chris Evich wrote: > >> That makes me think maybe there's just a missing service principal or > >> something I can add? I'll see if I can remove that request and try > >> running ipa-replica-prepare again to see if it still gives that error > >> (systems have been restarted since then). Though any other > >> suggestions/ideas of what I can try or look at are much appreciated. > >> Thanks. > >> > > > > Replying to myself again, bad-form, but maybe it'll help someone else if > > they have a similar problem.... > > ...cut... > > I'm guessing there's something going on with this 'caIPAserviceCert' > > thing. Granted I didn't try requesting any certs prior to the update, > > however I can click the 'view' button in the web UI on some service > > certs from the install, so it was generating them at some point. > > Google was kind to me and I found > https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly > confirmed was a problem: > > [root@<master> ~]# find /var/lib -name caIPAserviceCert.cfg > /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg > [root@<master> ~]# cd /var/lib/pki-ca/profiles/ca/ > [root@<master> ca]# ll > total 424 > -rw-rw----. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg > -rw-rw----. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg > -rw-rw----. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg > ...cut... > -rw-rw----. 1 pkiuser pkiuser 5548 Apr 22 16:42 > caInternalAuthServerCert.cfg > -rw-rw----. 1 pkiuser pkiuser 5580 Apr 22 16:42 > caInternalAuthSubsystemCert.cfg > -rw-rw----. 1 pkiuser pkiuser 5784 Apr 22 16:42 > caInternalAuthTransportCert.cfg > -rw-rw----. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg > ...cut... > [root@<master> ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg > [root@<master> ca]# fixfiles restore * > [root@<master> ~]# systemctl restart [email protected] > certmonger.service ipa.service > > (Probably only needed to restart ipa.service) Now generating the cert > works like a champ! with a whole boat-load more stuff showing up in the > debug log: > > [root@<replica> ~]# ipa cert-request --principal=imap/<replica > fqdn>@<domain> dovecot.pem.csr > Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE > ...blahblahblah... > fXlqt7LmHUSbfg== > Subject: CN=<replica fqdn>,O=<domain> > Issuer: CN=Certificate Authority,O=<domain> > Not Before: Sun May 06 01:20:26 2012 UTC > Not After: Wed May 07 01:20:26 2014 UTC > Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82 > Fingerprint (SHA1): > e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b > > Feeling confident, I tried ipa-replica-prepare and it worked! > [root@<master> ca]# ipa-replica-prepare king.yewess.us > Directory Manager (existing master) password: > > Preparing replica for <replica fqdn> from <master fqdn> > Creating SSL certificate for the Directory Server > Creating SSL certificate for the dogtag Directory Server > Creating SSL certificate for the Web Server > Exporting RA certificate > Copying additional files > Finalizing configuration > Packaging replica information into /var/lib/ipa/replica-info-<replica > fqdn>.gpg > > I'm guessing what happened was I got bit by BZ 675742 or similar before > or after the upgrade but never noticed b/c I haven't used the cert > system until now. Maybe whatever the fix for this bug was should be > revisited, or the upgrade process should make sure this file gets reset > with the correct ownership. Otherwise, hopefully this exercise will be > helpful to someone else, and thanks Rob for responding so quickly the > other day.
Chris, thanks a lot for getting back with your solution, it is very valuable for all users that may end up in the same weird situation. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
