Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt
I hope it helps.
On 29 December 2016 at 12:52, Peter Pakos <pe...@pakos.uk> wrote:
Hi guys,
I'm facing yet another problem with CA-less install of FreeIPA
replica and 3rd party SSL certificate.
A few days ago I deployed a new CA-less server (ipa02) by running
the following command:
ipa-server-install \
  -r PAKOS.UK \
  -n pakos.uk \
  -p 'password' \
  -a 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA \
  --idstart=1000
This server appears to be working OK.
Then yesterday I deployed a client (ipa01):
ipa-client-install \
  -p admin \
  -w 'password' \
  --mkhomedir
Next, I promoted it to IPA server:
ipa-replica-install \
  -w 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --dirsrv-cert-name=AlphaWildcardIPA \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA
After it finished, I've noticed that dirsrv wasn't running on
port 636 on ipa01.
Further investigation revealed that the SSL wildcard certificate
(AlphaWildcardIPA) wasn't installed in dirsrv DB and CA
certificates were named oddly (CA 1 and CA 2):
[root@ipa01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                             u,u,u
CA 1                                                         ,,
CA 2                                                         C,,

[root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa                        ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,
This is what I found in the error log:
[29/Dec/2016:01:43:58.852745536 +0000] 389-Directory/1.3.5.10 B2016.341.2222 starting up
[29/Dec/2016:01:43:58.867642515 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[29/Dec/2016:01:43:58.889866051 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Dec/2016:01:43:58.905267535 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.907051833 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.908396407 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.909758735 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.911133739 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.912416230 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.913644794 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.914901802 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.916158004 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.917409810 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.918636743 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.919904210 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.921175543 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.922417264 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.923818252 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.925218237 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.928474915 +0000] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.943158867 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.944679679 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:59.060335708 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[29/Dec/2016:01:43:59.066618653 +0000] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pakos,dc=uk--no CoS Templates found, which should be added before the CoS Definition.
[29/Dec/2016:01:43:59.100168779 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[29/Dec/2016:01:43:59.108366423 +0000] slapd started. Listening on All Interfaces port 389 for LDAP requests
[29/Dec/2016:01:43:59.109788596 +0000] Listening on /var/run/slapd-PAKOS-UK.socket for LDAPI requests
[29/Dec/2016:01:44:04.117095313 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.142962437 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.164958006 +0000] schema-compat-plugin - Finished plugin initialization.
[29/Dec/2016:01:44:20.113621699 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
[29/Dec/2016:01:44:20.115517170 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
At this point I trashed ipa01 and tried to re-deploy it again
using the same commands. The install failed with the following
error message:
Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss cipher suite
  [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/19]: setting mod_nss password file
  [5/19]: enabling mod_nss renegotiate
  [6/19]: adding URL rewriting rules
  [7/19]: configuring httpd
  [8/19]: setting up httpd keytab
  [9/19]: setting up ssl
  [error] NotFound: no such entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    no such entry
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Here's the full install log:
https://files.pakos.uk/ipareplica-install.log.txt
I've raised this problem on #freeipa channel (many thanks to
mbasti and ab for their help in investigating this issue with me)
however we didn't get too far and some further input from dirsrv
gurus is required here.
[root@ipa01 ipa]# echo $SERVICE
HTTP/ipa01.pakos...@pakos.uk
[root@ipa01 ipa]# echo $DN
krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "krbprincipalname=*"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: krbprincipalname=*
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/ipa01.pakos...@pakos.uk, services, accounts, pakos.uk
dn: krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/ipa01.pakos...@pakos.uk
krbCanonicalName: HTTP/ipa01.pakos...@pakos.uk
managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
krbPrincipalName: HTTP/ipa01.pakos...@pakos.uk
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I must say that this is a show stopper for us at WANdisco, which is
holding back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.
If there is anything else I can do to help with the
investigation, please just let me know.
Many thanks in advance.
--
Kind regards,
Peter Pakos
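The check that surfaced the problem above was done by eye: comparing the two `certutil -L` listings to see whether the third-party server certificate (AlphaWildcardIPA, with the `u,u,u` flags that mark a certificate whose private key is in the database) had landed in both the httpd and the dirsrv NSS databases. The following script is an added example, not code from this thread or from the FreeIPA project: it parses the text `certutil -L -d <dbdir>` prints and reports, per database, whether the expected server certificate is present with its key and whether any CA in that database is trusted for SSL (`C` flag). The two sample listings are constructed from the output quoted in the message; the nickname `AlphaWildcardIPA` and the database paths are taken from it as well.

```python
import re
from dataclasses import dataclass

# One body line of `certutil -L`: a nickname (which may contain spaces) followed by
# the three comma-separated trust-flag fields for SSL, S/MIME and JAR/XPI.
# The two header lines never match because they carry no comma-separated flags.
_LINE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


@dataclass
class CertEntry:
    nickname: str
    ssl: str    # SSL-column flags: "u" = own cert with private key, "C" = trusted CA, "" = none
    smime: str
    jar: str


def parse_certutil_listing(text: str) -> list[CertEntry]:
    """Parse the text printed by `certutil -L -d <dbdir>` into CertEntry records."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m is None:
            continue  # header lines, blank lines, shell prompts
        ssl, smime, jar = m.group("trust").split(",")
        entries.append(CertEntry(m.group("nick"), ssl, smime, jar))
    return entries


def check_nss_db(text: str, server_nick: str) -> list[str]:
    """Findings for one NSS database; an empty list means the service cert looks usable."""
    entries = parse_certutil_listing(text)
    findings = []
    server = [e for e in entries if e.nickname == server_nick]
    if not server:
        findings.append(f"server certificate '{server_nick}' is not in this database")
    elif "u" not in server[0].ssl:
        findings.append(
            f"'{server_nick}' is present but its SSL trust is '{server[0].ssl}', "
            "not 'u', so no private key is stored for it"
        )
    if not any("C" in e.ssl for e in entries if e.nickname != server_nick):
        findings.append("no CA certificate in this database is trusted for SSL (flag 'C')")
    return findings


# Constructed sample listings, transcribed from the two certutil outputs in the thread.
HTTPD_DB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                             u,u,u
CA 1                                                         ,,
CA 2                                                         C,,
"""

DIRSRV_DB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa                        ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,
"""

if __name__ == "__main__":
    # On a real host, replace the constants with the output of
    # `certutil -L -d /etc/httpd/alias/` and `certutil -L -d /etc/dirsrv/slapd-<INSTANCE>/`.
    for dbdir, listing in (("/etc/httpd/alias", HTTPD_DB),
                           ("/etc/dirsrv/slapd-PAKOS-UK", DIRSRV_DB)):
        findings = check_nss_db(listing, "AlphaWildcardIPA")
        print(f"{dbdir}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the two listings, the httpd database comes back clean and the dirsrv database is flagged for the missing AlphaWildcardIPA entry, which matches why nothing was listening on 636: the NSS database dirsrv is pointed at has the issuing chain but no server certificate and key to present.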