Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt

I hope it helps.

On 29 December 2016 at 12:52, Peter Pakos <[email protected]> wrote:
> Hi guys,
>
> I'm facing yet another problem with a CA-less install of a FreeIPA replica and
> a 3rd party SSL certificate.
>
> A few days ago I deployed a new CA-less server (ipa02) by running the
> following command:
>
> ipa-server-install \
>   -r PAKOS.UK \
>   -n pakos.uk \
>   -p 'password' \
>   -a 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA \
>   --idstart=1000
>
> This server appears to be working OK.
>
> Then yesterday I deployed a client (ipa01):
>
> ipa-client-install \
>   -p admin \
>   -w 'password' \
>   --mkhomedir
>
> Next, I promoted it to IPA server:
>
> ipa-replica-install \
>   -w 'password' \
>   --mkhomedir \
>   --setup-dns \
>   --no-forwarders \
>   --no-dnssec-validation \
>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --dirsrv-pin='' \
>   --dirsrv-cert-name=AlphaWildcardIPA \
>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>   --http-pin='' \
>   --http-cert-name=AlphaWildcardIPA
>
> After it finished, I noticed that dirsrv wasn't running on port 636 on
> ipa01.
>
> Further investigation revealed that the SSL wildcard certificate
> (AlphaWildcardIPA) wasn't installed in the dirsrv DB and the CA certificates were
> named oddly (CA 1 and CA 2):
>
> [root@ipa01 ~]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> AlphaWildcardIPA                                             u,u,u
> CA 1                                                         ,,
> CA 2                                                         C,,
>
> [root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> GlobalSign Root CA - GlobalSign nv-sa                        ,,
> AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,
>
> This is what I found in the error log:
>
> [29/Dec/2016:01:43:58.852745536 +0000] 389-Directory/1.3.5.10 B2016.341.2222 starting up
> [29/Dec/2016:01:43:58.867642515 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
> [29/Dec/2016:01:43:58.889866051 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [29/Dec/2016:01:43:58.905267535 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.907051833 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.908396407 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.909758735 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.911133739 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.912416230 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.913644794 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.914901802 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.916158004 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.917409810 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.918636743 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.919904210 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.921175543 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.922417264 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.923818252 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.925218237 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.928474915 +0000] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.943158867 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:58.944679679 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
> [29/Dec/2016:01:43:59.060335708 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [29/Dec/2016:01:43:59.066618653 +0000] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pakos,dc=uk--no CoS Templates found, which should be added before the CoS Definition.
> [29/Dec/2016:01:43:59.100168779 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [29/Dec/2016:01:43:59.108366423 +0000] slapd started. Listening on All Interfaces port 389 for LDAP requests
> [29/Dec/2016:01:43:59.109788596 +0000] Listening on /var/run/slapd-PAKOS-UK.socket for LDAPI requests
> [29/Dec/2016:01:44:04.117095313 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
> [29/Dec/2016:01:44:04.142962437 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
> [29/Dec/2016:01:44:04.164958006 +0000] schema-compat-plugin - Finished plugin initialization.
> [29/Dec/2016:01:44:20.113621699 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
> [29/Dec/2016:01:44:20.115517170 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
>
> At this point I trashed ipa01 and tried to re-deploy it again using the
> same commands. The install failed with the following error message:
>
> Done configuring directory server (dirsrv).
> Configuring ipa-custodia
>   [1/4]: Generating ipa-custodia config file
>   [2/4]: Generating ipa-custodia keys
>   [3/4]: starting ipa-custodia
>   [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>   [1/4]: configuring KDC
>   [2/4]: adding the password extension to the directory
>   [3/4]: starting the KDC
>   [4/4]: configuring KDC to start on boot
> Done configuring Kerberos KDC (krb5kdc).
> Configuring kadmin
>   [1/2]: starting kadmin
>   [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> Configuring ipa_memcached
>   [1/2]: starting ipa_memcached
>   [2/2]: configuring ipa_memcached to start on boot
> Done configuring ipa_memcached.
> Configuring the web interface (httpd). Estimated time: 1 minute
>   [1/19]: setting mod_nss port to 443
>   [2/19]: setting mod_nss cipher suite
>   [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>   [4/19]: setting mod_nss password file
>   [5/19]: enabling mod_nss renegotiate
>   [6/19]: adding URL rewriting rules
>   [7/19]: configuring httpd
>   [8/19]: setting up httpd keytab
>   [9/19]: setting up ssl
>   [error] NotFound: no such entry
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR no such entry
> ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> Here's the full install log: https://files.pakos.uk/ipareplica-install.log.txt
>
> I've raised this problem on the #freeipa channel (many thanks to mbasti and ab
> for their help in investigating this issue with me); however, we didn't get
> too far and some further input from dirsrv gurus is required here.
>
> [root@ipa01 ipa]# echo $SERVICE
> HTTP/[email protected]
>
> [root@ipa01 ipa]# echo $DN
> krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/[email protected], services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/[email protected]
> krbCanonicalName: HTTP/[email protected]
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/[email protected]
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "krbprincipalname=*"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
> # filter: krbprincipalname=*
> # requesting: ALL
> #
>
> # HTTP/[email protected], services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/[email protected]
> krbCanonicalName: HTTP/[email protected]
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/[email protected]
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "(objectclass=*)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/[email protected], services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/[email protected]
> krbCanonicalName: HTTP/[email protected]
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/[email protected]
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # HTTP/[email protected], services, accounts, pakos.uk
> dn: krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=pakos,dc=uk
> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
> krbLastPwdChange: 20161229103250Z
> krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>  NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>  a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>  pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>  LwmAX3lYm
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> ipaKrbPrincipalAlias: HTTP/[email protected]
> krbCanonicalName: HTTP/[email protected]
> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
> krbPrincipalName: HTTP/[email protected]
> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> I must say that this is a show stopper for us at WANdisco which is holding
> back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.
>
> If there is anything else I can do to help with the investigation, please
> just let me know.
>
> Many thanks in advance.
>
> --
> Kind regards,
> Peter Pakos

--
Kind regards,
Peter Pakos
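The `certutil -L` inspection in the report above (the wildcard cert present with `u,u,u` in the httpd NSS DB but absent from the dirsrv one) can be turned into a repeatable check. The script below is an added example, not part of the thread or of FreeIPA; the two listings it parses are constructed to match the report's output, and `nss_has_server_cert`, `check_db` and the listing variables are names chosen here.

```sh
#!/bin/sh
# Added example (not from the thread): automate the certutil -L inspection
# described above.  An IPA service can only serve TLS from an NSS database
# that holds its server cert AND private key, which certutil shows as trust
# flags "u,u,u"; CA-only entries show ",," or "C,,".

# Read a `certutil -L -d <dbdir>` listing on stdin; return 0 if $1 is present
# as a user cert with key, 1 otherwise.  Nicknames may contain spaces
# ("CA 1"), so only the last field is taken as the trust flags.
nss_has_server_cert() {
    awk -v nick="$1" '
        /^Certificate Nickname/ || index($0, "SSL,S/MIME,JAR") || /^[ \t]*$/ { next }
        {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)        # drop trailing flags field
            if ($0 == nick && flags == "u,u,u") { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Report one database; returns the check result so callers can act on it.
check_db() {
    label="$1"; nick="$2"; listing="$3"
    if printf '%s\n' "$listing" | nss_has_server_cert "$nick"; then
        echo "$label: $nick present with private key (u,u,u)"
        return 0
    fi
    echo "$label: $nick MISSING or has no private key; TLS will not start"
    return 1
}

# Constructed listings reproducing the two certutil -L outputs from the report
# (live use: certutil -L -d /etc/httpd/alias/ | nss_has_server_cert AlphaWildcardIPA).
HTTPD_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                              u,u,u
CA 1                                          ,,
CA 2                                          C,,'

DIRSRV_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa         ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa  C,,'

check_db httpd  AlphaWildcardIPA "$HTTPD_LISTING"
check_db dirsrv AlphaWildcardIPA "$DIRSRV_LISTING" || :   # expected to fail, as on ipa01
```

On a live server, run it against `/etc/httpd/alias/` and `/etc/dirsrv/slapd-<REALM>/` after `ipa-replica-install` finishes; a failing dirsrv check explains a 389-ds that is up on 389 but never listens on 636.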
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
