Hi all,

We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).

Starting with FreeIPA 3.0, and to avoid the SSL certificate warning when accessing the GUI, we installed a 3rd party certificate for https:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

We're ready to migrate to FreeIPA 4.1 and we already have two 4.1 replicas, but we're having problems cloning the CA from the 3.0 master.

This is our current environment:

master1 and master2: CentOS 6.6 (up to date)
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.11.6-30.el6_6.4.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-selinux-9.0.3-39.el6_6.noarch
pki-common-9.0.3-39.el6_6.noarch
pki-native-tools-9.0.3-39.el6_6.x86_64
pki-setup-9.0.3-39.el6_6.noarch
pki-util-9.0.3-39.el6_6.noarch
pki-symkey-9.0.3-39.el6_6.x86_64
pki-ca-9.0.3-39.el6_6.noarch
pki-java-tools-9.0.3-39.el6_6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-silent-9.0.3-39.el6_6.noarch

replica1 and replica2: CentOS 7.1 (up to date)
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
pki-server-10.1.2-7.el7.noarch
krb5-pkinit-1.12.2-14.el7.x86_64
pki-base-10.1.2-7.el7.noarch
pki-ca-10.1.2-7.el7.noarch
pki-symkey-10.1.2-7.el7.x86_64
pki-tools-10.1.2-7.el7.x86_64

# ipa-replica-manage list
master1.example.com: master
master2.example.com: master
replica1.example.com: master
replica2.example.com.com: master

# ipa-csreplica-manage list
Directory Manager password:
replica1.example.com: CA not configured
master1.example.com: master
master2.example.com: master
replica2.example.com: CA not configured

When trying to install the CA on replica1 to do the migration:

ipa-ca-install --skip-conncheck --skip-schema-check /var/lib/ipa/replica-info-replica1.example.com.gpg

we're getting the following error in the /var/log/ipareplica-ca-install.log file:

...
2015-07-28T21:25:14Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-07-28T21:25:14Z DEBUG Starting external process
2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'
2015-07-28T21:25:51Z DEBUG Process finished, return code=1
2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmp2ON_ql.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2015-07-28T21:25:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning java.io.IOException: Error: Not authorized

2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned non-zero exit status 1
2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
...

From /var/log/pki/pki-ca-spawn.20150728172515.log:

...
2015-07-28 17:25:16 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
2015-07-28 17:25:16 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2015-07-28 17:25:16 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection - server may still be down
2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection - server may still be down
2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection - server may still be down
2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection - server may still be down
2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2015-07-28 17:25:46 pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.2-7.el7</Version></XMLResponse>
2015-07-28 17:25:47 pkispawn : INFO ....... constructing PKI configuration data.
2015-07-28 17:25:47 pkispawn : INFO ....... configuring PKI configuration data.
2015-07-28 17:25:51 pkispawn : ERROR ....... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning java.io.IOException: Error: Not authorized
2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Type: HTTPError
2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Message: 500 Server Error: Internal Server Error
2015-07-28 17:25:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 463, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 126, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3211, in configure_pki_data
    response = client.configure(data)
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
    r = self.connection.post('/rest/installer/configure', data, headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
...

From /var/log/pki/pki-tomcat/ca/debug:

...
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService(): configure() called
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://master1.example.com:443, securityDomainName=null, securityDomainUser=admin, securityDomainPassword=XXXX, isClone=true, cloneUri=https://master1.example.com:443, subsystemName=CA replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=replica1.example.com, dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=false, removeData=true, replicateSchema=False, masterReplicationPort=7389, cloneReplicationPort=389, replicationSecurity=TLS, systemCerts=[com.netscape.certsrv.system.SystemCertData@ac5b61d], issuingCA=https://master1.example.com:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null]
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel ===
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>master1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>master2.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname: <master1.example.com>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http content=type=request&xmlOutput=true&sessionID=4266586385374846691
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start host=master1.example.com adminPort=443 eePort=443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: content is null.
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjava.io.IOException: The server you want to contact is not available
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: Attempting to contact master using EE port
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee interface =<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Error: Not authorized</Error></XMLResponse>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange(): status=1
...

Related logs from master1 (/var/log/pki-ca/debug):

...
[28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode, authorization for servlet: caUpdateNumberRange is LDAP based, not XML {1}, use default authz mgr: {2}.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done initializing...
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri = /ca/ee/ca/updateNumberRange
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param name='type' value='request'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param name='xmlOutput' value='true'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param name='sessionID' value='-5799572006108726179'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange start to service.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing...
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process: authentication starts
[28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: content=sessionID=-5799572006108726179&hostname=10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user.
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.10.2.45, authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth] authentication success
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.10.2.45, authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.10.2.45, authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize...
TokenAuth auditSubjectID unavailable, changing to auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry expressions= group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions: group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise CA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise KRA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise RA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise OCSP Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise TKS Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify] authorization failure
...

Do you guys know which certificate is the one that's failing and where else to look at to fix this problem?

Thanks so much for any help you can provide!

Guillermo

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
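A triage helper for the failure described in the post above, added here as an example; it is not code from the original message, from FreeIPA or from Dogtag. The useful fact in the logs is where the -8172 is raised: it is master1's own TokenAuthentication that throws the JSS exception while validating the replica's session token against the security domain's HTTPS endpoint, so master1 is the TLS client that rejected its peer's issuer, and the trust flags that matter are those in master1's CA NSS database, not the replica's. The post's ConfigurationRequest points the security domain at https://master1.example.com:443, so the certificate to inspect is whatever is served there (`openssl s_client -connect master1.example.com:443 </dev/null | openssl x509 -noout -issuer`), and its issuer is the entry to look for in that database. The script below does two things: it extracts and names NSS error codes from a Dogtag debug log, and it parses `certutil -L` output to check whether a given issuer nickname carries the `C` flag (trusted to issue SSL server certificates). Assumptions not stated in the post: the pki-ca NSS database on a FreeIPA 3.0 master is /var/lib/pki-ca/alias and on a 4.x server /etc/pki/pki-tomcat/alias; the certutil listing embedded below is constructed, the log line is the one quoted in the post.

```python
"""Triage helper for a failed Dogtag CA clone (added example, not from the post
or from FreeIPA/Dogtag).

1. handshake_errors()     : pull every JSS handshake failure out of a Dogtag
                            debug log and name the NSS error code.
2. parse_certutil_list()  : parse `certutil -L -d <nssdb>` output into trust flags.
3. issuer_trusted_for_ssl(): is the issuer present with the "C" flag?

Assumed NSS DB paths (not stated in the post): /var/lib/pki-ca/alias on a
FreeIPA 3.0 master, /etc/pki/pki-tomcat/alias on a 4.x server.
"""
import re

# NSS error codes (SEC_ERROR_BASE is -8192) that JSS surfaces on handshake failures.
NSS_ERRORS = {
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",     # issuer present in the DB but not trusted for SSL
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",       # issuer not in the DB at all
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8171: "SEC_ERROR_UNTRUSTED_CERT",
}

HANDSHAKE_RE = re.compile(r"SSL_ForceHandshake failed: \((-\d+)\)")

# One `certutil -L` row: nickname, whitespace, then three comma-separated flag sets
# (SSL, S/MIME, JAR/XPI).  Header lines have no comma-separated flags and never match.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[CTcPpuw]*),(?P<email>[CTcPpuw]*),(?P<jar>[CTcPpuw]*)\s*$"
)


def handshake_errors(debug_log):
    """Return [(nss_code, symbolic_name)] for every JSS handshake failure in a Dogtag debug log."""
    found = []
    for line in debug_log.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            code = int(m.group(1))
            found.append((code, NSS_ERRORS.get(code, "UNKNOWN_NSS_ERROR")))
    return found


def parse_certutil_list(listing):
    """Parse `certutil -L` output into {nickname: (ssl_flags, email_flags, objsign_flags)}."""
    certs = {}
    for line in listing.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = (m.group("ssl"), m.group("email"), m.group("jar"))
    return certs


def issuer_trusted_for_ssl(certs, issuer_nickname):
    """True only if the issuer is in the DB and its SSL column carries 'C'."""
    flags = certs.get(issuer_nickname)
    return flags is not None and "C" in flags[0]


def triage(debug_log, listing, issuer_nickname):
    """Combine both checks into an operator-facing verdict plus the certutil command to apply."""
    errs = handshake_errors(debug_log)
    if not errs:
        return "OK: no JSS handshake failure in this debug log"
    name = errs[-1][1]
    certs = parse_certutil_list(listing)
    if issuer_nickname not in certs:
        return ("%s: %r is not in this NSS DB; import it with "
                "certutil -A -d <nssdb> -n %r -t 'CT,C,C' -i <issuer.pem>"
                % (name, issuer_nickname, issuer_nickname))
    if not issuer_trusted_for_ssl(certs, issuer_nickname):
        return ("%s: %r is in this NSS DB without the C flag; fix with "
                "certutil -M -d <nssdb> -n %r -t 'CT,C,C'"
                % (name, issuer_nickname, issuer_nickname))
    return ("%s: %r already carries the C flag; check the peer's chain and hostname instead"
            % (name, issuer_nickname))


# Log lines from the post (master1, /var/log/pki-ca/debug).
SAMPLE_DEBUG_LOG = """\
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user.
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
"""

# Constructed `certutil -L -d /var/lib/pki-ca/alias` output for this example.
SAMPLE_CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Third-Party Intermediate CA                                  ,,
"""

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG_LOG, SAMPLE_CERTUTIL_LISTING, "Third-Party Intermediate CA"))
    print(triage(SAMPLE_DEBUG_LOG, SAMPLE_CERTUTIL_LISTING, "caSigningCert cert-pki-ca"))
```

Run it against the real listing with `certutil -L -d /var/lib/pki-ca/alias` piped into `parse_certutil_list`, using the nickname under which the issuer of the port-443 certificate is stored. The distinction between -8172 and -8179 matters for the fix: -8172 means the issuer is already in the database and only its trust flags need changing (`certutil -M`), whereas -8179 means it has to be imported first (`certutil -A`). Restart the CA instance after changing trust flags, and note that both `ipa-replica-manage` and the security-domain callback in the post go through the same Apache front end, so the check should be made against whatever chain that front end actually serves.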