Validity, status and serials seems to be fine. One interesting pick: While the installation is not too old it might be installed initially with FreeIpa 2.x That's why i have to use ldap port 7389 instead of 398.

# getcert list |grep expires
        expires: 2016-11-21 13:40:41 UTC
        expires: 2016-11-21 13:40:44 UTC
        expires: 2016-11-21 13:40:41 UTC
        expires: 2016-10-30 09:08:12 UTC
        expires: 2016-10-30 09:07:12 UTC
        expires: 2016-10-30 09:07:12 UTC
        expires: 2016-10-30 09:07:12 UTC
        expires: 2016-10-30 09:07:12 UTC
# getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)'
        status: MONITORING
        expires: 2016-10-30 09:07:12 UTC
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
        Serial Number: 31 (0x1f)
# ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description
# extended LDIF
# LDAPv3
# base <uid=ipara,ou=People,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: description

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-- Jani West
On 20.2.2015 01:07, Dmitri Pal wrote:
On 02/19/2015 02:54 PM, Jim Richard wrote:

Hey guys, for what it's worth, I spent a couple weeks working with
Endi Sukma Dewata, edew...@redhat.com, "Re: [Freeipa-users]
Redhat/Centos iDM 3.0 to 3.1 upgrade fail".

Unfortunately my post subject was not accurate but in fact, I was
attempting the exact same thing and seeing the exact same error. The
main LDAP instance would come up ok but upon attempting to migrate
the PKI stuff with the new ldap schema etc, it just fails…

 If you have been gradually upgrading it might very well be that you
are hitting some of the earlier bugs related to cert tracking.
 The page can help you with troubleshooting
 You need to see whether the certs on the master have expired and
whether they are now properly tracked.
 Rob is this the right way of checking the cert validity (see previous
mail in the thread)?

In the end we couldn't figure it out, basically had to just give up.

Maybe one of you could reach out to Endi and he could share some

I'd love to be able to make this work as well but as of now it looks
like my only option if I want to upgrade to version 3.3/Centos 7 is
well, there is no option….

I'd be happy to share or help in any way.

Jim Richard | PlaceIQ [1] | Systems Administrator |
jrich...@placeiq.com | +1 (646) 338-8905

On Feb 19, 2015, at 11:37 AM, Jani West <jw...@iki.fi> wrote:


How I can check the cert and test?

I did curl -v -k https://xxx/ca/admin/ca/getDomainXML [2]

According to that the cert have plenty of time left.

On the otherhand
https://xxx/ca/admin/ca/updateDomainXML [3] is givin the the same
cert but also http 404.

On 02/19/2015 06:22 PM, Martin Kosek wrote:
On 02/19/2015 05:14 PM, Dmitri Pal wrote:
On 02/19/2015 10:07 AM, Jani West wrote:
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS
7.0 with
FreeIPA 3.3.3-28 by using replication.

I have prepared replication file and moved it to the new replica
Configured the firewalld and installed Ipa and other needed
packages via yum.

When running "ipa-replica-install --setup-ca -d" installation will
stuck on:

"Configuring certificate server (pki-tomcatd): Estimated time 3
minutes 30
[2/19]: configuring certificate server instance
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Loading deployment configuration from
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
Installation failed.

ipa : DEBUG stderr=pkispawn : WARNING ....... unable to
validate security domain user/password through REST interface.
Interface not
pkispawn : ERROR ....... Exception from Java Configuration Servlet:
Error while updating security domain: java.io.IOException:
java.io.IOException: SocketException cannot read on socket

ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit
status 1


Betwee the attempts I have cleaned yu ipa and pki configurations
deleteted the old replication agreement.

Apache logs on old CentOS 6 server have these errors.

---------------------------------------------------------------------- - - [19/Feb/2015:11:38:44 +0200] "POST
/ca/admin/ca/getDomainXML HTTP/1.0" 200 1158 - - [19/Feb/2015:11:38:44 +0200] "POST
/ca/admin/ca/updateDomainXML HTTP/1.0" 404 - - - [19/Feb/2015:11:38:44 +0200] "POST
/ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate:
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181
Certificate has
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed:
accepted by client!?


What certificate this means? ca.crt have more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found on
ipa-pki-proxy.conf and there are no obvious reason. Any hints?

Are CA ports accessible on your master? Can you check your FW

 This line makes me think that expired certs may be involved:

 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181
Certificate has

 CCing JanCh who have the best context in this area.

 -- Jani West -- jw...@iki.fi -- +358 40 5010914 --
 -- Liinalahdentie 4 -- 01800 KLAUKKALA -- FINLAND --

 "Haluaisin, että Suomi olisi paljon monikulttuurisempi.
 Tänne tulee muualta paljon ihmisiä, mutta heitä ei tuoda
 tarpeeksi esille. Jotenkin me pidämme heidät verhojen takana.
 On tärkeää, että Suomesta saataisiin avoin ja suvaitsevainen.
 Sulkeutunut ajattelutapa on Suomen ongelma. Ehkä me
 pelkäämme mielenosoituksia, joita esimerkiksi Ruotsin
 lähiöissä on ollut ja sitä, että jotain kauheaa tapahtuu.
 Ei ymmärretä, että maahanmuuttajat voivat tuoda
 Suomeen myös paljon hyvää. Toivoisin hallitukselta sitä,
 että koko kansaa kuullaan, myös eri kulttuureista
 tulevia. Hallituksen pitäisi rahoittaa ja tukea enemmän
 Suomen kansainvälistämistä. Myös eduskunta voisi kuunnella
 maahanmuuttajia enemmän."

 HS 8.6.2013: Essi, 16 v. Etu-Töölön lukio.

 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users [5]
 Go To http://freeipa.org [6] for more info on the project

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

[2] https://xxx/ca/admin/ca/getDomainXML
[3] https://xxx/ca/admin/ca/updateDomainXML
[5] https://www.redhat.com/mailman/listinfo/freeipa-users
[6] http://freeipa.org

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to