Hi,

On 8.8.2014 at 14:46, Nicklas Björk wrote:
Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS
7 using migration. I seem to have run into some certificate problems and
the replica installation halts half-way through. We have a simple
CA-structure, where FreeIPA has been installed as a sub-ca directly
under ca root ca.

A replica bundle was created on the master using:
ipa-replica-prepare replica.example.net --ip-address 192.168.100.2
the gpg-file was copied to replica:/var/lib/ipa and the following
command was executed:
ipa-replica-install --mkhomedir -d --setup-ca --setup-dns
--no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg

During the first attempt, I was instructed to also run
copy-schema-to-ca.py on the master server, which has been done. The
replica installation halts complaining that ca.crt contains more than one
certificate. Both the FreeIPA CA and the Root CA certificates are in
that file.


Debug output in /var/log/ipareplica-install.log tells the following:

2014-08-08T12:22:08Z DEBUG   [17/34]: configuring ssl for ds instance
2014-08-08T12:22:08Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -N -f
/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -i
/tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k
/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL

2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -L
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
Certificate Nickname                                         Trust
Attributes

SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CN=Example Root CA,O=Example AB                            ,,
EXAMPLE.NET IPA CA                                          ,,

2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
     return_value = main_function()

   File "/usr/sbin/ipa-replica-install", line 664, in main
     ds = install_replica_ds(config)

   File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
     ca_file=config.dir + "/ca.crt",

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
360, in create_replica
     self.start_creation(runtime=60)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
     method()

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
606, in enable_ssl
     ca_file=self.ca_file)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 841, in create_from_pkcs12
     self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 240, in import_pem_cert
     location)

2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed,
exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more
than one certificate



Is there anything obvious that is wrong or odd with this setup or process?

It seems you somehow ended up with more than one certificate in /etc/ipa/ca.crt on the master. It should contain only the IPA CA certificate. If you delete all other certificates from it and re-run ipa-replica-prepare, you should be able to successfully install the replica using ipa-replica-install.



Best regards
Nicklas Björk




Honza

--
Jan Cholasta
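As an added check for this thread (example code written here, not FreeIPA's own), the script below applies the same rule as the installer's import_pem_cert in the traceback above (a PEM file with more than one certificate is rejected) and lists the subject CN of each block, so you can see which certificate does not belong in /etc/ipa/ca.crt before re-running ipa-replica-prepare. The two sample certificates are constructed, unsigned shells that only carry a CN, not real certificates; the function and constant names are this example's own.

```python
import base64, re
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def der_tlv(buf, pos=0):  # decode one DER element at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # decode every sibling element inside a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def subject_cn(der):
    """Subject CN of a DER certificate (Name = SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    _, tbs, _ = der_tlv(der_tlv(der)[1])       # Certificate -> tbsCertificate
    fields = der_children(tbs)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop the explicit [0] version
    for _, rdn in der_children(fields[4][1]):   # serial, sigAlg, issuer, validity, subject
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            if oid == CN_OID:
                return val.decode("utf-8", "replace")

def ca_file_subjects(pem_text):  # subject CN of every certificate block, in file order
    return [subject_cn(base64.b64decode("".join(b.split()))) for b in PEM_BLOCK.findall(pem_text)]

def check_ca_file(pem_text):  # the installer's import_pem_cert rule: one cert, else ValueError
    names = ca_file_subjects(pem_text)
    if len(names) != 1:
        raise ValueError("ca.crt contains %d certificates: %s" % (len(names), names))
    return names[0]

def _tlv(tag, content):  # minimal DER encoder (short-form lengths), only for the sample below
    return bytes([tag, len(content)]) + content

def fake_cert_pem(cn):  # constructed sample: unsigned certificate shell with this CN, not a real cert
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" + name + b"\x30\x00" + name
    der = _tlv(0x30, _tlv(0x30, tbs))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed stand-in for the thread's broken /etc/ipa/ca.crt: IPA CA followed by the root CA.
SAMPLE_CA_CRT = fake_cert_pem("EXAMPLE.NET IPA CA") + fake_cert_pem("Example Root CA")
```

On the master, `check_ca_file(open("/etc/ipa/ca.crt").read())` raises with both CNs for the file described in the thread and returns the single CN once only the IPA CA certificate is left.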
