On 29/07/15 01:47, Guillermo Fuentes wrote:
Hi all,

We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).

Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
when accessing the GUI, we installed a 3rd-party certificate for https:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
replicas but we're having problems cloning the CA from the 3.0 master.

This is our current environment:
master1 and master2:
CentOS 6.6 (up to date)
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.11.6-30.el6_6.4.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-selinux-9.0.3-39.el6_6.noarch
pki-common-9.0.3-39.el6_6.noarch
pki-native-tools-9.0.3-39.el6_6.x86_64
pki-setup-9.0.3-39.el6_6.noarch
pki-util-9.0.3-39.el6_6.noarch
pki-symkey-9.0.3-39.el6_6.x86_64
pki-ca-9.0.3-39.el6_6.noarch
pki-java-tools-9.0.3-39.el6_6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-silent-9.0.3-39.el6_6.noarch


replica1 and replica2:
CentOS 7.1 (up to date)
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
pki-server-10.1.2-7.el7.noarch
krb5-pkinit-1.12.2-14.el7.x86_64
pki-base-10.1.2-7.el7.noarch
pki-ca-10.1.2-7.el7.noarch
pki-symkey-10.1.2-7.el7.x86_64
pki-tools-10.1.2-7.el7.x86_64


# ipa-replica-manage list
master1.example.com: master
master2.example.com: master
replica1.example.com: master
replica2.example.com: master

# ipa-csreplica-manage list
Directory Manager password:

replica1.example.com: CA not configured
master1.example.com: master
master2.example.com: master
replica2.example.com: CA not configured


When trying to install the CA on replica1 to do the migration:
ipa-ca-install --skip-conncheck --skip-schema-check
/var/lib/ipa/replica-info-replica1.example.com.gpg

we're getting the following error in the
/var/log/ipareplica-ca-install.log file:
...
2015-07-28T21:25:14Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-07-28T21:25:14Z DEBUG Starting external process
2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmp2ON_ql'
2015-07-28T21:25:51Z DEBUG Process finished, return code=1
2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
from /tmp/tmp2ON_ql.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2015-07-28T21:25:51Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
   InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration
Servlet: Failed to obtain configuration entries from the master for
cloning java.io.IOException: Error: Not authorized

2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
non-zero exit status 1
2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
     method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 673, in __spawn_instance
     raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
...


From /var/log/pki/pki-ca-spawn.20150728172515.log:
...
2015-07-28 17:25:16 pkispawn    : INFO     ....... executing 'certutil
-N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
2015-07-28 17:25:16 pkispawn    : INFO     ....... executing
'systemctl daemon-reload'
2015-07-28 17:25:16 pkispawn    : INFO     ....... executing
'systemctl start pki-tomcatd@pki-tomcat.service'
2015-07-28 17:25:16 pkispawn    : DEBUG    ........... No connection -
server may still be down
2015-07-28 17:25:16 pkispawn    : DEBUG    ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:17 pkispawn    : DEBUG    ........... No connection -
server may still be down
2015-07-28 17:25:17 pkispawn    : DEBUG    ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:18 pkispawn    : DEBUG    ........... No connection -
server may still be down
2015-07-28 17:25:18 pkispawn    : DEBUG    ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:19 pkispawn    : DEBUG    ........... No connection -
server may still be down
2015-07-28 17:25:19 pkispawn    : DEBUG    ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:46 pkispawn    : DEBUG    ........... <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.2-7.el7</Version></XMLResponse>
2015-07-28 17:25:47 pkispawn    : INFO     ....... constructing PKI
configuration data.
2015-07-28 17:25:47 pkispawn    : INFO     ....... configuring PKI
configuration data.
2015-07-28 17:25:51 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: Failed to obtain configuration entries from the
master for cloning java.io.IOException: Error: Not authorized
2015-07-28 17:25:51 pkispawn    : DEBUG    ....... Error Type: HTTPError
2015-07-28 17:25:51 pkispawn    : DEBUG    ....... Error Message: 500
Server Error: Internal Server Error
2015-07-28 17:25:51 pkispawn    : DEBUG    .......   File
"/usr/sbin/pkispawn", line 463, in main
     rv = instance.spawn(deployer)
   File 
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 126, in spawn
     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 3211, in configure_pki_data
     response = client.configure(data)
   File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
     r = self.connection.post('/rest/installer/configure', data, headers)
   File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
     r.raise_for_status()
   File "/usr/lib/python2.7/site-packages/requests/models.py", line
834, in raise_for_status
     raise HTTPError(http_error_msg, response=self)
...

From /var/log/pki/pki-tomcat/ca/debug:
...
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService():
configure() called
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest
[pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX,
securityDomainType=existingdomain,
securityDomainUri=https://master1.example.com:443,
securityDomainName=null, securityDomainUser=admin,
securityDomainPassword=XXXX, isClone=true,
cloneUri=https://master1.example.com:443, subsystemName=CA
replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX,
hierarchy=root, dsHost=replica1.example.com, dsPort=389,
baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX,
database=ipaca, secureConn=false, removeData=true,
replicateSchema=False, masterReplicationPort=7389,
cloneReplicationPort=389, replicationSecurity=TLS,
systemCerts=[com.netscape.certsrv.system.SystemCertData@ac5b61d],
issuingCA=https://master1.example.com:443, backupKeys=true,
backupPassword=XXXX,
backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12,
adminUID=null, adminPassword=XXXX, adminEmail=null,
adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null,
adminName=null, adminProfileID=null, adminCert=null,
importAdminCert=false, generateServerCert=true, standAlone=false,
stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
enableServerSideKeyGen=null, importSharedSecret=null]
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel ===
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML:
domainInfo=<?xml version="1.0" encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>master1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>master2.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount></TPSList></DomainInfo>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname: <master1.example.com>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http
content=type=request&xmlOutput=true&sessionID=4266586385374846691
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start
host=master1.example.com adminPort=443 eePort=443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
content is null.
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
Failed to contact master using admin portjava.io.IOException: The
server you want to contact is not available
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
Attempting to contact master using EE port
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee
interface =<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>1</Status><Error>Error: Not
authorized</Error></XMLResponse>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange(): status=1
...



Related logs from master1 (/var/log/pki-ca/debug):
...
[28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode,
authorization for servlet: caUpdateNumberRange is LDAP based, not XML
{1}, use default authz mgr: {2}.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done initializing...
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri =
/ca/ee/ca/updateNumberRange
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
name='type' value='request'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
name='xmlOutput' value='true'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
name='sessionID' value='-5799572006108726179'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange
start to service.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing...
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process:
authentication starts
[28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication:
content=sessionID=-5799572006108726179&hostname=10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication
authenticate Exception=org.mozilla.jss.ssl.SSLSocketException:
SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been
marked as not trusted by the user.
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
auditContext {locale=en_US, ipAddress=10.10.2.45,
authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
create() 
message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth]
authentication success

[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
auditContext {locale=en_US, ipAddress=10.10.2.45,
authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID
auditContext {locale=en_US, ipAddress=10.10.2.45,
authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize...
TokenAuth auditSubjectID unavailable, changing to auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry
expressions= group="Enterprise CA Administrators" || group="Enterprise
KRA Administrators" || group="Enterprise RA Administrators" ||
group="Enterprise OCSP Administrators" || group="Enterprise TKS
Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions:
group="Enterprise CA Administrators" || group="Enterprise KRA
Administrators" || group="Enterprise RA Administrators" ||
group="Enterprise OCSP Administrators" || group="Enterprise TKS
Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise CA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise KRA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise RA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise OCSP Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise TKS Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
create() 
message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify]
authorization failure
...

Do you guys know which certificate is the one that's failing and where
else to look at to fix this problem?

Thanks so much for any help you can provide!

Guillermo
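The master1 debug excerpt above already answers "which certificate is failing" in one line, but that line sits among a lot of audit noise. The script below is an added example, not FreeIPA or Dogtag code: it parses the "[date][thread]: message" format of /var/log/pki-ca/debug (folding the mail-wrapped continuation lines), and reduces each worker thread to the facts that decide the outcome: the servlet URI, the client IP, the auth manager, whether a client certificate was presented, the NSS error code raised inside TokenAuthentication, the resulting userid, and the ACL resource that then denied the request. SAMPLE_LOG is a constructed excerpt modelled on the quoted master1 lines; the NSS_ERRORS table lists only codes whose names are certain, anything else is reported raw.

```python
"""Reduce a Dogtag CA debug log to its authentication/authorization verdict.

Added example, not FreeIPA or Dogtag code. Parses the "[date][thread]: msg"
format of /var/log/pki-ca/debug and reports, per worker thread, which auth
manager ran, where the request came from, whether a client certificate was
presented, which NSS error (if any) broke the TokenAuthentication callback
and which ACL resource then denied the request.
"""
import re

# SEC_ERROR_* codes are SEC_ERROR_BASE (-8192) plus a small offset. Only the
# handful that commonly surface in Dogtag handshake failures are listed.
NSS_ERRORS = {
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",    # issuer known, trust flags deny it
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",      # issuer not in the NSS db at all
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8171: "SEC_ERROR_UNTRUSTED_CERT",
}

# Constructed excerpt modelled on the master1 lines quoted in the post; the
# mail-style line wrapping is kept on purpose so the folding logic is exercised.
SAMPLE_LOG = """\
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri =
/ca/ee/ca/updateNumberRange
[28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication
authenticate Exception=org.mozilla.jss.ssl.SSLSocketException:
SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been
marked as not trusted by the user.
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
create()
message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify]
authorization failure
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")

# One regex per fact; the first capture group is the value.
FACTS = [
    ("uri", re.compile(r"CMSServlet:service\(\) uri = (\S+)")),
    ("client_ip", re.compile(r"^IP: (\S+)")),
    ("auth_mgr", re.compile(r"^AuthMgrName: (\S+)")),
    ("userid", re.compile(r"CMSServlet: userid=(\S+)")),
    ("nss_code", re.compile(r"authenticate Exception=.*\((-\d+)\)")),
    ("acl_resource", re.compile(r"\[AuditEvent=AUTHZ_FAIL\].*\[aclResource=([^\]]+)\]")),
]
FIELDS = [key for key, _ in FACTS] + ["client_cert", "nss_name"]


def parse_debug_log(text):
    """Return [(thread, message)]. Lines that do not start with '[' are
    wrapped continuations and are folded into the previous message."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append([m.group("thread"), m.group("msg")])
        elif entries and raw.strip():
            entries[-1][1] += " " + raw.strip()
    return [tuple(e) for e in entries]


def diagnose(text):
    """Map each worker thread to the facts extracted from its messages."""
    threads = {}
    for thread, msg in parse_debug_log(text):
        d = threads.setdefault(thread, {k: None for k in FIELDS})
        if "no client certificate found" in msg:
            d["client_cert"] = False
        for key, rx in FACTS:
            m = rx.search(msg)
            if m:
                d[key] = m.group(1)
    for d in threads.values():
        if d["userid"] == "null":          # Dogtag logs a literal "null"
            d["userid"] = None
        if d["nss_code"] is not None:
            d["nss_code"] = int(d["nss_code"])
            d["nss_name"] = NSS_ERRORS.get(d["nss_code"], "unlisted NSS error")
    return threads


def explain(d):
    """One-line verdict for a thread summary produced by diagnose()."""
    if d["auth_mgr"] == "TokenAuth" and d["nss_code"] is not None:
        cert = "no client certificate, " if d["client_cert"] is False else ""
        return ("{uri}: request from {ip} ({cert}TokenAuth) failed its session-token "
                "callback TLS handshake with NSS {code} {name}; the CA then evaluated "
                "{acl} as an anonymous user and denied it".format(
                    uri=d["uri"], ip=d["client_ip"], cert=cert, code=d["nss_code"],
                    name=d["nss_name"], acl=d["acl_resource"]))
    if d["acl_resource"]:
        return "{}: authorization denied on {} for userid={}".format(
            d["uri"], d["acl_resource"], d["userid"])
    return "{}: no authentication or authorization failure logged".format(d["uri"])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for thread, facts in diagnose(text).items():
        print(thread, "->", explain(facts))
```

Run it on the real file with the path as the only argument. The point it makes explicit is that -8172 is raised by the JSS client inside master1's own CA, so the "issuer marked as not trusted" belongs to the certificate served by whatever endpoint TokenAuthentication connects to when it validates the clone's session ID: the security domain host and admin port, which the quoted DomainInfo gives as master1 on 443, the Apache-fronted port where the third-party HTTPS certificate from the linked wiki page was installed. The CA's NSS database is a separate trust store from Apache's, so listing it with `certutil -L -d <alias dir>` and checking the trust flags on that issuer is a cheap check. Whether that is the cause here the thread does not establish; the reply below points at the pki version gap instead.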


Hello!

The problem is in the pki-* packages. The old version that is used with freeipa-3.0 does not have a REST API and the one that is used in freeipa-4.1 does not expect that. The issue is fixed in pki 10.2.6 but I'm not sure if it is available in CentOS yet.


--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
