Hi guys, I'm facing yet another problem with a CA-less install of a FreeIPA replica and a 3rd party SSL certificate.
A few days ago I deployed a new CA-less server (ipa02) by running the following command:

ipa-server-install \
> -r PAKOS.UK \
> -n pakos.uk \
> -p 'password' \
> -a 'password' \
> --mkhomedir \
> --setup-dns \
> --no-forwarders \
> --no-dnssec-validation \
> --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
> --dirsrv-pin='' \
> --http-cert-file=/root/ssl/star.pakos.uk.pfx \
> --http-pin='' \
> --http-cert-name=AlphaWildcardIPA \
> --idstart=1000

This server appears to be working OK. Then yesterday I deployed a client (ipa01):

ipa-client-install \
> -p admin \
> -w 'password' \
> --mkhomedir

Next, I promoted it to an IPA server:

ipa-replica-install \
> -w 'password' \
> --mkhomedir \
> --setup-dns \
> --no-forwarders \
> --no-dnssec-validation \
> --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
> --dirsrv-pin='' \
> --dirsrv-cert-name=AlphaWildcardIPA \
> --http-cert-file=/root/ssl/star.pakos.uk.pfx \
> --http-pin='' \
> --http-cert-name=AlphaWildcardIPA

After it finished, I noticed that dirsrv wasn't running on port 636 on ipa01. Further investigation revealed that the SSL wildcard certificate (AlphaWildcardIPA) wasn't installed in the dirsrv DB and the CA certificates were named oddly (CA 1 and CA 2):

[root@ipa01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                             u,u,u
CA 1                                                         ,,
CA 2                                                         C,,

[root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa                        ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,

This is what I found in the error log:

[29/Dec/2016:01:43:58.852745536 +0000] 389-Directory/1.3.5.10 B2016.341.2222 starting up
[29/Dec/2016:01:43:58.867642515 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[29/Dec/2016:01:43:58.889866051 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Dec/2016:01:43:58.905267535 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.907051833 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.908396407 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.909758735 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.911133739 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.912416230 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.913644794 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.914901802 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.916158004 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.917409810 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.918636743 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.919904210 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.921175543 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.922417264 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.923818252 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.925218237 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.928474915 +0000] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.943158867 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.944679679 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:59.060335708 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[29/Dec/2016:01:43:59.066618653 +0000] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pakos,dc=uk--no CoS Templates found, which should be added before the CoS Definition.
[29/Dec/2016:01:43:59.100168779 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[29/Dec/2016:01:43:59.108366423 +0000] slapd started.  Listening on All Interfaces port 389 for LDAP requests
[29/Dec/2016:01:43:59.109788596 +0000] Listening on /var/run/slapd-PAKOS-UK.socket for LDAPI requests
[29/Dec/2016:01:44:04.117095313 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.142962437 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.164958006 +0000] schema-compat-plugin - Finished plugin initialization.
[29/Dec/2016:01:44:20.113621699 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
[29/Dec/2016:01:44:20.115517170 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica

At this point I trashed ipa01 and tried to re-deploy it again using the same commands. The install failed with the following error message:

Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss cipher suite
  [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/19]: setting mod_nss password file
  [5/19]: enabling mod_nss renegotiate
  [6/19]: adding URL rewriting rules
  [7/19]: configuring httpd
  [8/19]: setting up httpd keytab
  [9/19]: setting up ssl
  [error] NotFound: no such entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    no such entry
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Here's the full install log: https://files.pakos.uk/ipareplica-install.log.txt

I've raised this problem on the #freeipa channel (many thanks to mbasti and ab for their help in investigating this issue with me), however we didn't get too far and some further input from dirsrv gurus is required here.
[root@ipa01 ipa]# echo $SERVICE
HTTP/ipa01.pakos...@pakos.uk
[root@ipa01 ipa]# echo $DN
krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "krbprincipalname=*"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: krbprincipalname=*
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I must say that this is a show stopper for us at WANdisco which is holding back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.
If there is anything else I can do to help with the investigation, please just let me know.

Many thanks in advance.

--
Kind regards,
Peter Pakos
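A check I'd run right after ipa-replica-install on a CA-less replica, added here and not code from the original post or from FreeIPA: a small POSIX sh script that reads "certutil -L" output and reports whether the expected server-cert nickname is present with its private key (trust flags u,u,u), which is exactly what the dirsrv listing above lacks. The nickname and the two sample listings are taken from the post; check_server_cert and cert_status are names I made up.

```shell
#!/bin/sh
# Added example, not from the original post: check a "certutil -L" listing for
# the server cert a CA-less install should have put in an NSS DB. certutil shows
# u,u,u only for a cert whose private key is in the DB; CA certs show C,, or ,,.
# On a host:  certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/ | check_server_cert AlphaWildcardIPA

# check_server_cert NICK  (listing on stdin). Returns 0 if NICK has a private
# key, 1 if it is present without one, 2 if it is missing from the listing.
check_server_cert() {
    nick=$1
    flags=$(awk -v n="$nick" '
        # entries end in a trust triple such as u,u,u or C,, ; the header line
        # SSL,S/MIME,JAR/XPI contains slashes and is skipped by this test
        NF < 2 || $NF !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { next }
        { f = $NF; $NF = ""; sub(/ +$/, "")      # nickname may contain spaces
          if ($0 == n) { print f; exit } }')
    case "$flags" in
        "")    echo "$nick: not in database"; return 2 ;;
        u,u,u) echo "$nick: present with private key ($flags)"; return 0 ;;
        *)     echo "$nick: present but without private key ($flags)"; return 1 ;;
    esac
}

# cert_status NICK LISTING: same check on a string, printing the code (set -e safe).
cert_status() {
    if printf '%s\n' "$2" | check_server_cert "$1" >/dev/null; then echo 0; else echo "$?"; fi
}

# Constructed sample listings reproducing the two databases shown in the post.
HTTPD_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                              u,u,u
CA 1                                          ,,
CA 2                                          C,,'

DIRSRV_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa         ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa  C,,'

printf '%s\n' "$HTTPD_LISTING"  | check_server_cert AlphaWildcardIPA        # has key
printf '%s\n' "$DIRSRV_LISTING" | check_server_cert AlphaWildcardIPA || :   # missing
```

Running the real listings of both /etc/httpd/alias and /etc/dirsrv/slapd-PAKOS-UK through it turns the "636 not listening" symptom into a concrete missing-nickname verdict before any replication debugging starts.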
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project