Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt

I hope it helps.

On 29 December 2016 at 12:52, Peter Pakos <pe...@pakos.uk> wrote:

> Hi guys,
>
> I'm facing yet another problem with CA-less install of FreeIPA replica and
> 3rd party SSL certificate.
>
> Few days ago I deployed a new CA-less server (ipa02) by running the
> following command:
>
> ipa-server-install \
>>   -r PAKOS.UK \
>>   -n pakos.uk \
>>   -p 'password' \
>>   -a 'password' \
>>   --mkhomedir \
>>   --setup-dns \
>>   --no-forwarders \
>>   --no-dnssec-validation \
>>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --dirsrv-pin='' \
>>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --http-pin='' \
>>   --http-cert-name=AlphaWildcardIPA \
>>   --idstart=1000
>
>
> This server appears to be working OK.
>
> Then yesterday I deployed a client (ipa01):
>
> ipa-client-install \
>>   -p admin \
>>   -w 'password' \
>>   --mkhomedir
>
>
> Next, I promoted it to IPA server:
>
> ipa-replica-install \
>>   -w 'password' \
>>   --mkhomedir \
>>   --setup-dns \
>>   --no-forwarders \
>>   --no-dnssec-validation \
>>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --dirsrv-pin='' \
>>   --dirsrv-cert-name=AlphaWildcardIPA \
>>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --http-pin='' \
>>   --http-cert-name=AlphaWildcardIPA
>
>
> After it finished, I've noticed that dirsrv wasn't running on port 636 on
> ipa01.
>
> Further investigation revealed that the SSL wildcard certificate
> (AlphaWildcardIPA) wasn't installed in dirsrv DB and CA certificates were
> named oddly (CA 1 and CA 2):
>
> [root@ipa01 ~]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              
> SSL,S/MIME,JAR/XPI
>
> AlphaWildcardIPA                                             u,u,u
> CA 1                                                         ,,
> CA 2                                                         C,,
>
>
> [root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/
>
> Certificate Nickname                                         Trust Attributes
>                                                              
> SSL,S/MIME,JAR/XPI
>
> GlobalSign Root CA - GlobalSign nv-sa                        ,,
> AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,
>
>
> This is what I found in the error log:
>
> [29/Dec/2016:01:43:58.852745536 +0000] 389-Directory/1.3.5.10 B2016.341.2222 
> starting up
> [29/Dec/2016:01:43:58.867642515 +0000] default_mr_indexer_create: warning - 
> plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
> [29/Dec/2016:01:43:58.889866051 +0000] schema-compat-plugin - scheduled 
> schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [29/Dec/2016:01:43:58.905267535 +0000] NSACLPlugin - The ACL target 
> cn=groups,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.907051833 +0000] NSACLPlugin - The ACL target 
> cn=computers,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.908396407 +0000] NSACLPlugin - The ACL target 
> cn=ng,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.909758735 +0000] NSACLPlugin - The ACL target 
> ou=sudoers,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.911133739 +0000] NSACLPlugin - The ACL target 
> cn=users,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.912416230 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.913644794 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.914901802 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.916158004 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.917409810 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.918636743 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.919904210 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.921175543 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.922417264 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.923818252 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.925218237 +0000] NSACLPlugin - The ACL target 
> cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.928474915 +0000] NSACLPlugin - The ACL target 
> cn=ad,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.943158867 +0000] NSACLPlugin - The ACL target 
> cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does 
> not exist
> [29/Dec/2016:01:43:58.944679679 +0000] NSACLPlugin - The ACL target 
> cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does 
> not exist
> [29/Dec/2016:01:43:59.060335708 +0000] NSACLPlugin - The ACL target 
> cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [29/Dec/2016:01:43:59.066618653 +0000] Skipping CoS Definition cn=Password 
> Policy,cn=accounts,dc=pakos,dc=uk--no CoS Templates found, which should be 
> added before the CoS Definition.
> [29/Dec/2016:01:43:59.100168779 +0000] schema-compat-plugin - 
> schema-compat-plugin tree scan will start in about 5 seconds!
> [29/Dec/2016:01:43:59.108366423 +0000] slapd started.  Listening on All 
> Interfaces port 389 for LDAP requests
> [29/Dec/2016:01:43:59.109788596 +0000] Listening on 
> /var/run/slapd-PAKOS-UK.socket for LDAPI requests
> [29/Dec/2016:01:44:04.117095313 +0000] schema-compat-plugin - warning: no 
> entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
> [29/Dec/2016:01:44:04.142962437 +0000] schema-compat-plugin - warning: no 
> entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
> [29/Dec/2016:01:44:04.164958006 +0000] schema-compat-plugin - Finished plugin 
> initialization.
> [29/Dec/2016:01:44:20.113621699 +0000] ipa-topology-plugin - 
> ipa_topo_util_get_replica_conf: server configuration missing
> [29/Dec/2016:01:44:20.115517170 +0000] ipa-topology-plugin - 
> ipa_topo_util_get_replica_conf: cannot create replica
>
>
> At this point I trashed ipa01 and tried to re-deploy it again using the
> same commands. The install failed with the following error message:
>
> Done configuring directory server (dirsrv).
> Configuring ipa-custodia
>   [1/4]: Generating ipa-custodia config file
>   [2/4]: Generating ipa-custodia keys
>   [3/4]: starting ipa-custodia
>   [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>   [1/4]: configuring KDC
>   [2/4]: adding the password extension to the directory
>   [3/4]: starting the KDC
>   [4/4]: configuring KDC to start on boot
> Done configuring Kerberos KDC (krb5kdc).
> Configuring kadmin
>   [1/2]: starting kadmin
>   [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> Configuring ipa_memcached
>   [1/2]: starting ipa_memcached
>   [2/2]: configuring ipa_memcached to start on boot
> Done configuring ipa_memcached.
> Configuring the web interface (httpd). Estimated time: 1 minute
>   [1/19]: setting mod_nss port to 443
>   [2/19]: setting mod_nss cipher suite
>   [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>   [4/19]: setting mod_nss password file
>   [5/19]: enabling mod_nss renegotiate
>   [6/19]: adding URL rewriting rules
>   [7/19]: configuring httpd
>   [8/19]: setting up httpd keytab
>   [9/19]: setting up ssl
>   [error] NotFound: no such entry
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    no such entry
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
> more information
>
> Here's the full install log: https://files.pakos.uk/
> ipareplica-install.log.txt
>
> I've raised this problem on #freeipa channel (many thanks to mbasti and ab
> for their help in investigating this issue with me) however we didn't get
> too far and some further input from dirsrv gurus is required here.
>
> [root@ipa01 ipa]# echo $SERVICE
> HTTP/ipa01.pakos...@pakos.uk
>
> [root@ipa01 ipa]# echo $DN
> krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 
> <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk>
>  with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
> krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub 
> "krbprincipalname=*"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 
> <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk>
>  with scope subtree
> # filter: krbprincipalname=*
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
> krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub 
> "(objectclass=*)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 
> <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk>
>  with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
> krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 
> <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk>
>  with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=p
>  akos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
> krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> I must say that this a show stopper for us at WANdisco which is holding
> back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.
>
> If there is anything else I can do to help with the investigation, please
> just let me know.
>
> Many thanks in advance.
>
> --
> Kind regards,
>  Peter Pakos
>



-- 
Kind regards,
 Peter Pakos
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to