Thanks so much for the info David!
We're using the latest version available via EPEL, which is 10.1.2.

List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary
would be fine. Or, if it isn't available, where can I start
contributing to the port of pki 10.2.6 to CentOS 7?

Thanks!
Guillermo

On Wed, Jul 29, 2015 at 9:13 AM, David Kupka <dku...@redhat.com> wrote:
> On 29/07/15 01:47, Guillermo Fuentes wrote:
>>
>> Hi all,
>>
>> We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).
>>
>> Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
>> when accessing the GUI, we installed a 3rd part certificate for https:
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>>
>> We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
>> replicas but we're having problems cloning the CA from the 3.0 master.
>>
>> This is our current environment:
>> master1 and master2:
>> CentOS 6.6 (up to date)
>> ipa-admintools-3.0.0-42.el6.centos.x86_64
>> ipa-server-3.0.0-42.el6.centos.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-1.11.6-30.el6_6.4.x86_64
>> device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
>> ipa-client-3.0.0-42.el6.centos.x86_64
>> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>> ipa-python-3.0.0-42.el6.centos.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> sssd-ipa-1.11.6-30.el6_6.4.x86_64
>> pki-selinux-9.0.3-39.el6_6.noarch
>> pki-common-9.0.3-39.el6_6.noarch
>> pki-native-tools-9.0.3-39.el6_6.x86_64
>> pki-setup-9.0.3-39.el6_6.noarch
>> pki-util-9.0.3-39.el6_6.noarch
>> pki-symkey-9.0.3-39.el6_6.x86_64
>> pki-ca-9.0.3-39.el6_6.noarch
>> pki-java-tools-9.0.3-39.el6_6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> pki-silent-9.0.3-39.el6_6.noarch
>>
>>
>> replica1 and replica2:
>> CentOS 7.1 (up to date)
>> ipa-client-4.1.0-18.el7.centos.3.x86_64
>> libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>> python-iniparse-0.4-9.el7.noarch
>> ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>> ipa-python-4.1.0-18.el7.centos.3.x86_64
>> libipa_hbac-1.12.2-58.el7_1.6.x86_64
>> pki-server-10.1.2-7.el7.noarch
>> krb5-pkinit-1.12.2-14.el7.x86_64
>> pki-base-10.1.2-7.el7.noarch
>> pki-ca-10.1.2-7.el7.noarch
>> pki-symkey-10.1.2-7.el7.x86_64
>> pki-tools-10.1.2-7.el7.x86_64
>>
>>
>> # ipa-replica-manage list
>> master1.example.com: master
>> master2.example.com: master
>> replica1.example.com: master
>> replica2.example.com.com: master
>>
>> # ipa-csreplica-manage list
>> Directory Manager password:
>>
>> replica1.example.com: CA not configured
>> master1.example.com: master
>> master2.example.com: master
>> replica2.example.com: CA not configured
>>
>>
>> When trying to install the CA on replica1 to do the migration:
>> ipa-ca-install --skip-conncheck --skip-schema-check
>> /var/lib/ipa/replica-info-replica1.example.com.gpg
>>
>> we're getting the following error in the
>> /var/log/ipareplica-ca-install.log file:
>> ...
>> 2015-07-28T21:25:14Z DEBUG Saving StateFile to
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2015-07-28T21:25:14Z DEBUG Starting external process
>> 2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>> '/tmp/tmp2ON_ql'
>> 2015-07-28T21:25:51Z DEBUG Process finished, return code=1
>> 2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
>> from /tmp/tmp2ON_ql.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>
>> Installation failed.
>>
>>
>> 2015-07-28T21:25:51Z DEBUG
>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>> certificate verification is strongly advised. See:
>> https://urllib3.readthedocs.org/en/latest/security.html
>>
>>    InsecureRequestWarning)
>> pkispawn    : WARNING  ....... unable to validate security domain
>> user/password through REST interface. Interface not available
>> pkispawn    : ERROR    ....... Exception from Java Configuration
>> Servlet: Failed to obtain configuration entries from the master for
>> cloning java.io.IOException: Error: Not authorized
>>
>> 2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
>> non-zero exit status 1
>> 2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 382, in start_creation
>>      run_step(full_msg, method)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 372, in run_step
>>      method()
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 673, in __spawn_instance
>>      raise RuntimeError('Configuration of CA failed')
>> RuntimeError: Configuration of CA failed
>> ...
>>
>>
>>> From /var/log/pki/pki-ca-spawn.20150728172515.log:
>>
>> ...
>> 2015-07-28 17:25:16 pkispawn    : INFO     ....... executing 'certutil
>> -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
>> 2015-07-28 17:25:16 pkispawn    : INFO     ....... executing
>> 'systemctl daemon-reload'
>> 2015-07-28 17:25:16 pkispawn    : INFO     ....... executing
>> 'systemctl start pki-tomcatd@pki-tomcat.service'
>> 2015-07-28 17:25:16 pkispawn    : DEBUG    ........... No connection -
>> server may still be down
>> 2015-07-28 17:25:16 pkispawn    : DEBUG    ........... No connection -
>> exception thrown: ('Connection aborted.', error(111, 'Connection
>> refused'))
>> 2015-07-28 17:25:17 pkispawn    : DEBUG    ........... No connection -
>> server may still be down
>> 2015-07-28 17:25:17 pkispawn    : DEBUG    ........... No connection -
>> exception thrown: ('Connection aborted.', error(111, 'Connection
>> refused'))
>> 2015-07-28 17:25:18 pkispawn    : DEBUG    ........... No connection -
>> server may still be down
>> 2015-07-28 17:25:18 pkispawn    : DEBUG    ........... No connection -
>> exception thrown: ('Connection aborted.', error(111, 'Connection
>> refused'))
>> 2015-07-28 17:25:19 pkispawn    : DEBUG    ........... No connection -
>> server may still be down
>> 2015-07-28 17:25:19 pkispawn    : DEBUG    ........... No connection -
>> exception thrown: ('Connection aborted.', error(111, 'Connection
>> refused'))
>> 2015-07-28 17:25:46 pkispawn    : DEBUG    ........... <?xml
>> version="1.0" encoding="UTF-8"
>>
>> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.2-7.el7</Version></XMLResponse>
>> 2015-07-28 17:25:47 pkispawn    : INFO     ....... constructing PKI
>> configuration data.
>> 2015-07-28 17:25:47 pkispawn    : INFO     ....... configuring PKI
>> configuration data.
>> 2015-07-28 17:25:51 pkispawn    : ERROR    ....... Exception from Java
>> Configuration Servlet: Failed to obtain configuration entries from the
>> master for cloning java.io.IOException: Error: Not authorized
>> 2015-07-28 17:25:51 pkispawn    : DEBUG    ....... Error Type: HTTPError
>> 2015-07-28 17:25:51 pkispawn    : DEBUG    ....... Error Message: 500
>> Server Error: Internal Server Error
>> 2015-07-28 17:25:51 pkispawn    : DEBUG    .......   File
>> "/usr/sbin/pkispawn", line 463, in main
>>      rv = instance.spawn(deployer)
>>    File
>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
>> line 126, in spawn
>>      json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>    File
>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
>> line 3211, in configure_pki_data
>>      response = client.configure(data)
>>    File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in
>> configure
>>      r = self.connection.post('/rest/installer/configure', data, headers)
>>    File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
>>      r.raise_for_status()
>>    File "/usr/lib/python2.7/site-packages/requests/models.py", line
>> 834, in raise_for_status
>>      raise HTTPError(http_error_msg, response=self)
>> ...
>>
>>> From /var/log/pki/pki-tomcat/ca/debug:
>>
>> ...
>> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService():
>> configure() called
>> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest
>> [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX,
>> securityDomainType=existingdomain,
>> securityDomainUri=https://master1.example.com:443,
>> securityDomainName=null, securityDomainUser=admin,
>> securityDomainPassword=XXXX, isClone=true,
>> cloneUri=https://master1.example.com:443, subsystemName=CA
>> replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX,
>> hierarchy=root, dsHost=replica1.example.com, dsPort=389,
>> baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX,
>> database=ipaca, secureConn=false, removeData=true,
>> replicateSchema=False, masterReplicationPort=7389,
>> cloneReplicationPort=389, replicationSecurity=TLS,
>> systemCerts=[com.netscape.certsrv.system.SystemCertData@ac5b61d],
>> issuingCA=https://master1.example.com:443, backupKeys=true,
>> backupPassword=XXXX,
>> backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12,
>> adminUID=null, adminPassword=XXXX, adminEmail=null,
>> adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null,
>> adminName=null, adminProfileID=null, adminCert=null,
>> importAdminCert=false, generateServerCert=true, standAlone=false,
>> stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
>> authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
>> enableServerSideKeyGen=null, importSharedSecret=null]
>> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel ===
>> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel
>> ===
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML:
>> domainInfo=<?xml version="1.0" encoding="UTF-8"
>>
>> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>master1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>master2.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</Subsystem!
 C!
>
> ou!
>>
>>   nt></TPSList></DomainInfo>
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname:
>> <master1.example.com>
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443>
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel ===
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http
>> content=type=request&xmlOutput=true&sessionID=4266586385374846691
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start
>> host=master1.example.com adminPort=443 eePort=443
>>
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
>> content is null.
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
>> Failed to contact master using admin portjava.io.IOException: The
>> server you want to contact is not available
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
>> Attempting to contact master using EE port
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee
>> interface =<?xml version="1.0" encoding="UTF-8"
>> standalone="no"?><XMLResponse><Status>1</Status><Error>Error: Not
>> authorized</Error></XMLResponse>
>> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange():
>> status=1
>> ...
>>
>>
>>
>> Related logs from master1 (/var/log/pki-ca/debug):
>> ...
>> [28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode,
>> authorization for servlet: caUpdateNumberRange is LDAP based, not XML
>> {1}, use default authz mgr: {2}.
>> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done
>> initializing...
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri =
>> /ca/ee/ca/updateNumberRange
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
>> name='type' value='request'
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
>> name='xmlOutput' value='true'
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
>> name='sessionID' value='-5799572006108726179'
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange
>> start to service.
>> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing...
>> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process:
>> authentication starts
>> [28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
>> [28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate
>> found
>> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
>> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication:
>> content=sessionID=-5799572006108726179&hostname=10.10.2.45
>> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication
>> authenticate Exception=org.mozilla.jss.ssl.SSLSocketException:
>> SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been
>> marked as not trusted by the user.
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
>> auditContext {locale=en_US, ipAddress=10.10.2.45,
>> authManagerId=TokenAuth}
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
>> subjectID: null
>> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
>> create()
>> message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth]
>> authentication success
>>
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
>> auditContext {locale=en_US, ipAddress=10.10.2.45,
>> authManagerId=TokenAuth}
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
>> subjectID: null
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID
>> auditContext {locale=en_US, ipAddress=10.10.2.45,
>> authManagerId=TokenAuth}
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID:
>> null
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize...
>> TokenAuth auditSubjectID unavailable, changing to auditGroupID
>> [28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry
>> expressions= group="Enterprise CA Administrators" || group="Enterprise
>> KRA Administrators" || group="Enterprise RA Administrators" ||
>> group="Enterprise OCSP Administrators" || group="Enterprise TKS
>> Administrators"
>> [28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions:
>> group="Enterprise CA Administrators" || group="Enterprise KRA
>> Administrators" || group="Enterprise RA Administrators" ||
>> group="Enterprise OCSP Administrators" || group="Enterprise TKS
>> Administrators"
>> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid
>> null
>> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
>> group="Enterprise CA Administrators" to be false
>> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid
>> null
>> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
>> group="Enterprise KRA Administrators" to be false
>> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid
>> null
>> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
>> group="Enterprise RA Administrators" to be false
>> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid
>> null
>> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
>> group="Enterprise OCSP Administrators" to be false
>> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid
>> null
>> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
>> group="Enterprise TKS Administrators" to be false
>> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
>> create()
>> message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify]
>> authorization failure
>> ...
>>
>> Do you guys know which certificate is the one that's failing and where
>> else to look at to fix this problem?
>>
>> Thanks so much for any help you can provide!
>>
>> Guillermo
>>
>
> Hello!
>
> The problem is in pki-* packages. The old version that is used with
> freeipa-3.0 does not have REST API and the one that is used in freeipa-4.1
> does not expect that.
> The issue is fixed in pki 10.2.6 but I'm not sure if it is available in
> CentOS, yet.
>
>
> --
> David Kupka
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project



-- 
Guillermo Fuentes Rodriguez
Computer Systems Analyst
(561) 880-2998 x1337
guillermo.fuen...@modmed.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to