On 05/08/2012 09:10 AM, Simo Sorce wrote:
On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote:
On 05/05/2012 09:08 PM, Chris Evich wrote:
On 05/05/2012 08:01 PM, Chris Evich wrote:
On 05/04/2012 04:17 PM, Chris Evich wrote:
That makes me think maybe there's just a missing service principal or
something I can add? I'll see if I can remove that request and try
running ipa-replica-prepare again to see if it still gives that error
(systems have been restarted since then). Though any other
suggestions/ideas of what I can try or look at are much appreciated.

Replying to myself again, bad-form, but maybe it'll help someone else if
they have a similar problem....
I'm guessing there's something going on with this 'caIPAserviceCert'
thing. Granted I didn't try requesting any certs prior to the update,
however I can click the 'view' button in the web UI on some service
certs from the install, so it was generating them at some point.

Google was kind to me and I found
https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly
confirmed was a problem:

[root@<master>  ~]# find /var/lib -name caIPAserviceCert.cfg
[root@<master>  ~]# cd /var/lib/pki-ca/profiles/ca/
[root@<master>  ca]# ll
total 424
-rw-rw----. 1 pkiuser pkiuser  5571 Apr 22 16:42 caAdminCert.cfg
-rw-rw----. 1 pkiuser pkiuser  5485 Apr 22 16:42 caAgentFileSigning.cfg
-rw-rw----. 1 pkiuser pkiuser  5279 Apr 22 16:42 caAgentServerCert.cfg
-rw-rw----. 1 pkiuser pkiuser  5548 Apr 22 16:42
-rw-rw----. 1 pkiuser pkiuser  5580 Apr 22 16:42
-rw-rw----. 1 pkiuser pkiuser  5784 Apr 22 16:42
-rw-rw----. 1 root    root     6220 May  4 10:18 caIPAserviceCert.cfg
[root@<master>  ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
[root@<master>  ca]# fixfiles restore *
[root@<master>  ~]# systemctl restart pki-cad@pki-ca.service
certmonger.service ipa.service

(Probably only needed to restart ipa.service) Now generating the cert
works like a champ! with a whole boat-load more stuff showing up in the
debug log:

[root@<replica>  ~]# ipa cert-request --principal=imap/<replica
fqdn>@<domain>  dovecot.pem.csr
    Subject: CN=<replica fqdn>,O=<domain>
    Issuer: CN=Certificate Authority,O=<domain>
    Not Before: Sun May 06 01:20:26 2012 UTC
    Not After: Wed May 07 01:20:26 2014 UTC
    Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
    Fingerprint (SHA1):

Feeling confident, I tried ipa-replica-prepare and it worked!
[root@<master>  ca]# ipa-replica-prepare <replica fqdn>
Directory Manager (existing master) password:

Preparing replica for<replica fqdn>  from<master fqdn>
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-<replica

I'm guessing what happened was I got bit by BZ 675742 or similar before
or after the upgrade but never noticed b/c I haven't used the cert
system until now.  Maybe whatever the fix for this bug was should be
revisited, or the upgrade process should make sure this file gets reset
with the correct ownership.  Otherwise, hopefully this exercise will be
helpful to someone else, and thanks Rob for responding so quickly the
other day.

thanks a lot for getting back with your solution, it is very valuable
for all users that may end up in the same weird situation.


Sure thing. If y'all think of it, it might be good to put some more error reporting into the ipa-replica-prepare tool. The debug log didn't seem to be much help (to my n00b eyes). Ultimately it was the error message from "ipa cert-request", "Profile caIPAserviceCert Not Found" which lead me to the solution. If it's hard to add it to the tool, then tossing stuff like that into the logs would help too.

Just a suggestion, since with such awesome tooling (graphical and CLI) on a project like this, it's bound to attract more n00bs like me. The DNS/Kerberos stuff is straight forward because there's lots of deployments and a long history of mailing list posts to find answers on. The cert. system seems to be a different story entirely, it's (arguably) as powerful as kerberos but doesn't get nearly as much "press" coverage :D

Freeipa-users mailing list

Reply via email to