Hi Rob. To add to this mess, I seem to have somehow confused the LDAP certificate configuration in the process of setting up a replicant (ipa.cs.ru.is) with my new StartSSL (personal) certificate. The previous certificate was a corporate Level2 certificate. Trying to use the old certificate (which expires tomorrow) doesn't seem to put it back in working order.
This is what I did to make the pkcs file:

  cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
  cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt
  (the ca-bundle is the root_bundle.crt they now send you in a zip file)
  openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is
  ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is

Then copied it to ipa.cs.ru.is and ran

  ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg

Everything looks fine until:

  [24/38]: setting up initial replication
  Starting replication, please wait until this has completed.
  [ipa2.cs.ru.is] reports: Update failed! Status: [-11 - LDAP error: Connect error]
    [error] RuntimeError: Failed to start replication
  Your system may be partly configured.
  Run /usr/sbin/ipa-server-install --uninstall to clean up.
  ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication

Looking at the setup log in /var/log/ipareplica-install.log:

  2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache url=ldap://ipa2.cs.ru.is:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8cfc908>
  2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
  2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from SchemaCache
  2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa.cs.ru.is:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8a01830>
  2016-03-22T08:49:24Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
      method()
    File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica
      r_bindpw=self.dm_password)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication
      raise RuntimeError("Failed to start replication")
  RuntimeError: Failed to start replication

  2016-03-22T08:49:24Z DEBUG   [error] RuntimeError: Failed to start replication
  2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432
  2016-03-22T08:49:24Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
      cfgr.run()
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
      self.execute()
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
      for nothing in self._executor():
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
      self._handle_exception(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
      util.raise_exc_info(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
      step()
    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
      raise_exc_info(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
      value = gen.send(prev_value)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
      executor.next()
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
      self._handle_exception(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
      self.__parent._handle_exception(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
      util.raise_exc_info(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
      super(ComponentBase, self)._handle_exception(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
      util.raise_exc_info(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
      step()
    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
      raise_exc_info(exc_info)
    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
      value = gen.send(prev_value)
    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
      for nothing in self._installer(self.parent):
    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
      install(self)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
      func(installer)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 566, in install
      ds = install_replica_ds(config)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 77, in install_replica_ds
      ca_file=config.dir + "/ca.crt",
    File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 364, in create_replica
      self.start_creation(runtime=60)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
      method()
    File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica
      r_bindpw=self.dm_password)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication
      raise RuntimeError("Failed to start replication")

  2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
  2016-03-22T08:49:24Z ERROR Failed to start replication

On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote:
> Joseph Timothy Foley wrote:
> > I just discovered that the certificate on ipa2.cs.ru.is is good to August,
> > so I have a little bit of breathing room. That said, the ipa.cs.ru.is
> > certificate will expire on March 23, so I need to update it.
>
> The process to get a new cert is pretty much the same as you obtained
> the original assuming you kept the original CSR. You'd re-submit that to
> StartSSL and they will provide a new certificate in PEM format.
>
> Add that to the relevant database via:
>
> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to
> cert.pem
>
> I can't give much more specific information without knowing if you are,
> for example, using the same cert/key for both 389-ds and Apache.
>
> rob
>
> > --
> > Dr. Joseph T. Foley <[email protected]> Assistant Professor, Reykjavik
> > University +354-599-6569
> >
> > On 3/21/16 6:27 PM, "Joseph Timothy Foley" <[email protected]> wrote:
> >
> >> Hi there.
> >> I set up an IPA4.2.0 on RHEL7 service for our CS department on
> >> ipa.cs.ru.is (temporarily down) and ipa2.cs.ru.is
> >> I used StartSSL to sign our certificate for HTTP and LDAP usage because I
> >> didn't want our users to deal with the internal CA nor could we get the CA
> >> certificate signed. Problem is, I can't find any information on how to
> >> get the new certificates installed on the running IPA server. They expire
> >> in 2 days, so I'm running out of time. Any help would be greatly
> >> appreciated.
> >>
> >> I can only find information on how to set up these certificates on a brand
> >> new IPA or replicant. There isn't any obvious information on how to put
> >> updated certificates into a running instance.
> >>
> >> Thanks in advance.
> >>
> >> Joe
> >> --
> >> Dr. Joseph T. Foley <[email protected]> Assistant Professor, Reykjavik
> >> University +354-599-6569
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
>

--
Dr. Joseph T. Foley <[email protected]> Assistant Professor, Dept. of Science & Engineering, Reykjavik University
Menntavegur 1, Nauthólsvík | 101 Reykjavík | Iceland | Phone: +354-599-6569 | Fax +354-599-6201 | www.ru.is
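A pre-flight check for a PKCS#12 bundle built the way the message above describes, added here as an example and not taken from this thread or from FreeIPA itself: it pulls the leaf certificate, the private key and any bundled CA certificates back out of the .p12 and confirms that the key belongs to the certificate, that the certificate is not about to expire, that it is valid for the replica's hostname, and that the chain verifies against the CA bundle. It assumes `openssl` is on PATH; file names, PIN and hostname are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PKCS#12 bundle before
# handing it to ipa-replica-prepare. Assumes openssl on PATH; file names,
# PIN and hostname are whatever the caller passes in.

# Number of certificates in a PEM bundle (leaf + CA chain, as built with cat).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# check_p12 FILE.p12 PIN HOSTNAME CA-BUNDLE.pem
# Returns 0 when every check passes; otherwise prints the first failing check
# and returns 1.
check_p12() {
    p12=$1; pin=$2; host=$3; ca=$4
    tmp=$(mktemp -d) || return 1
    rc=1
    # Split the bundle into leaf certificate and private key (same PIN for both).
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pin" -nokeys -clcerts \
            -out "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "cannot open $p12 with the given PIN (or it holds no leaf cert)"
    elif ! openssl pkcs12 -in "$p12" -passin "pass:$pin" -nocerts -nodes \
            -out "$tmp/key.pem" >/dev/null 2>&1; then
        echo "no private key in $p12"
    elif [ "$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)" != \
           "$(openssl pkey -in "$tmp/key.pem" -pubout)" ]; then
        echo "private key does not match the certificate"
    elif ! openssl x509 -in "$tmp/leaf.pem" -noout -checkend 604800 >/dev/null; then
        echo "certificate expires within 7 days (or has already expired)"
    elif ! openssl x509 -in "$tmp/leaf.pem" -noout -checkhost "$host" 2>&1 \
            | grep -q 'does match'; then
        echo "certificate is not valid for hostname $host"
    else
        # Intermediates ride inside the .p12; verify leaf -> intermediates -> CA.
        openssl pkcs12 -in "$p12" -passin "pass:$pin" -nokeys -cacerts \
            -out "$tmp/chain.pem" >/dev/null 2>&1 || :
        untrusted=""
        [ -s "$tmp/chain.pem" ] && untrusted="-untrusted $tmp/chain.pem"
        if openssl verify -CAfile "$ca" $untrusted "$tmp/leaf.pem" >/dev/null 2>&1; then
            rc=0
        else
            echo "chain in $p12 does not verify against $ca"
        fi
    fi
    rm -rf "$tmp"
    return $rc
}
```

Run it as `check_p12 ipa.cs.ru.is.p12 "$PIN" ipa.cs.ru.is certs/ca-bundle.crt` before `ipa-replica-prepare`; a non-zero exit names the check that failed.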
