Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-17 Thread Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
ok I did the updates, and edited the python files. Now when I try to run the 
replica install I get:

[r...@earth bcrl]# ipa-replica-install 
/var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
--no-forwarder
Directory Manager (existing master) password: 

root: ERROR Cannot find Reverse Address for 
earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)

I had this when installing the ipa-server and there was a --no-dns-lookup 
option but not with the replica. Before the testing updates, I did get a 
warning about the server not working for DNS lookup but still went ahead with 
install. I'm looking to set these two up and make them the DNS servers and 
currently have a simple dns setup that will get replaced by this setup. How do 
I get around the reverse address lookup on the replica install side? Thanks 
again for all the help.

Corey-

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Monday, August 16, 2010 2:49 PM
To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
 I'm using fedora 13 amd-64 version. I added the developers repo from 
 freeIPA.com for V2.0 and then did a yum install ipa-server so whichever 
 version it installed. I'm looking at dogtag and one of the packages says 
 1.3.1-2.fc13 and the other 2 packages for dogtag say 1.3.2-2.fc13 for the pki 
 dogtag package it says 1.3.7-1.fc13 all the packages read 1.3.something the 
 pki-silent-1.3.3-1.fc13 package if that helps. I also attached the two files 
 you asked to check. I attached the ipa-serv_deplist that I created from 
 running yum deplist ipa-server and it has all the packages and version 
 numbers. Sorry for the choppy e-mail I'm writing and looking up the stuff in 
 pieces.

Can you update the pki-* and dogtag-* packages from the updates-testing
repo? There are a number of important fixes there.

It is also going to break your replica install because a new required
option has been added to pkisilent. You'll need to modify
/usr/lib/python*/site-packages/ipaserver/install/cainstance.py

Search for pkisilent. We create a python list of the command to execute.
You want to patch it like this (the numbers might not exactly line up):

@@ -535,6 +524,7 @@ class CAInstance(service.Service):
  -db_name, ipaca,
  -key_size, 2048,
  -key_type, rsa,
+-key_algorithm, SHA256withRSA,
  -save_p12, true,
  -backup_pwd, self.admin_password,
  -subsystem_name, self.service_name,
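Review bot: as displayed, every element of the pkisilent argument list in this hunk, including the added `-key_algorithm, SHA256withRSA,` line, appears without string quotes, although the same list mixes Python expressions such as `self.admin_password` with literals such as `ipaca` and `2048`; if the quotes were stripped in transit, the new option has to be entered as two quoted string elements, written the same way as the neighbouring `-key_type`, `rsa` pair is in the file, otherwise Python evaluates `-key_algorithm` and `SHA256withRSA` as names rather than strings. The value is a sensible choice for the existing 2048-bit RSA key, and its absence from the original failure output (`-key_size 2048 -key_type rsa -save_p12 true` with no `-key_algorithm`) is consistent with the reported breakage once pkisilent started requiring the option.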

You *might* be able to get away with just updating dogtag on the
replica, I'm not sure.

rob

 
 From: Rob Crittenden [rcrit...@redhat.com]
 Sent: Monday, August 16, 2010 12:35 PM
 To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

 Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
 Hi,
 I'm a student admin for St. Cloud State University's Business Computing 
 Research Lab, and we run our own separate network inside the campus network 
 with dedicated internet feeds and hardware for professors research as well 
 as masters and bachelors student research and labs. We have many computers 
 setup for workstations, clusters, clouds, etc... and I'm trying to set up a 
 redundant FreeIPA v2.0 in virtual box to help manage the systems and control 
 access to machines. I have setup the master with no problems, but when 
 creating the replica I run the command ipa-replica-install -N --setup-dns 
 /var/lib/ipa/replica-file-from-master and I get this error output. It 
 created the directory fine but is having trouble with the certs. I have 
 disabled the firewalls on both and selinux hoping they would help but still 
 same problem.

 [r...@earth bcrl]# ipa-replica-install 
 /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
 --no-forwarders

 An existing Directory Server has been detected.
 Do you wish to remove it and create a new one? [no]: yes
 Directory Manager (existing master) password:

 Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
 Configuring directory server for the CA:
 [1/4]: creating directory server user
 [2/4]: creating directory server instance
 [3/4]: configuring directory to start on boot
 [4/4]: restarting directory server
 done configuring pkids.
 Configuring certificate server:
 [1/9]: creating certificate server user
 [2/9]: configuring certificate server instance
 root: CRITICAL failed to restart ca instance Command '/usr/bin/perl 
 /usr/bin/pkisilent ConfigureCA -cs_hostname earth.bcrl.stcloudstate.edu 
 -cs_port 9445 -client_certdb_dir /tmp/tmp-vemQSV

Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-17 Thread Rob Crittenden

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:

ok I did the updates, and edited the python files. Now when I try to run the 
replica install I get:

[r...@earth bcrl]# ipa-replica-install 
/var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
--no-forwarder
Directory Manager (existing master) password:

root: ERROR Cannot find Reverse Address for 
earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)

I had this when installing the ipa-server and there was a --no-dns-lookup 
option but not with the replica. Before the testing updates, I did get a 
warning about the server not working for DNS lookup but still went ahead with 
install. I'm looking to set these two up and make them the DNS servers and 
currently have a simple dns setup that will get replaced by this setup. How do 
I get around the reverse address lookup on the replica install side? Thanks 
again for all the help.


You'll need to modify /usr/sbin/ipa-replica-install. Look for the 
function get_host_name(). You'll want to comment out the 5 lines 
starting with try:. The comment character in python is the hash #. This 
will cause it to skip the call to verify_fqdn() and your install should 
proceed.


I've opened a ticket to add this functionality to ipa-replica-install: 
https://fedorahosted.org/freeipa/ticket/146


rob



Corey-

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Monday, August 16, 2010 2:49 PM
To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:

I'm using fedora 13 amd-64 version. I added the developers repo from freeIPA.com for V2.0 
and then did a yum install ipa-server so whichever version it installed. I'm looking at 
dogtag and one of the packages says 1.3.1-2.fc13 and the other 2 packages for dogtag say 
1.3.2-2.fc13 for the pki dogtag package it says 1.3.7-1.fc13 all the packages read 
1.3.something the pki-silent-1.3.3-1.fc13 package if that helps. I also attached the two 
files you asked to check. I attached the ipa-serv_deplist that I created from running 
yum deplist ipa-server and it has all the packages and version numbers. Sorry 
for the choppy e-mail I'm writing and looking up the stuff in pieces.


Can you update the pki-* and dogtag-* packages from the updates-testing
repo? There are a number of important fixes there.

It is also going to break your replica install because a new required
option has been added to pkisilent. You'll need to modify
/usr/lib/python*/site-packages/ipaserver/install/cainstance.py

Search for pkisilent. We create a python list of the command to execute.
You want to patch it like this (the numbers might not exactly line up):

@@ -535,6 +524,7 @@ class CAInstance(service.Service):
   -db_name, ipaca,
   -key_size, 2048,
   -key_type, rsa,
+-key_algorithm, SHA256withRSA,
   -save_p12, true,
   -backup_pwd, self.admin_password,
   -subsystem_name, self.service_name,

You *might* be able to get away with just updating dogtag on the
replica, I'm not sure.

rob



From: Rob Crittenden [rcrit...@redhat.com]
Sent: Monday, August 16, 2010 12:35 PM
To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:

Hi,
I'm a student admin for St. Cloud State University's Business Computing Research Lab, and 
we run our own separate network inside the campus network with dedicated internet feeds 
and hardware for professors research as well as masters and bachelors student research 
and labs. We have many computers setup for workstations, clusters, clouds, etc... and I'm 
trying to set up a redundant FreeIPA v2.0 in virtual box to help manage the systems and 
control access to machines. I have setup the master with no problems, but when creating 
the replica I run the command ipa-replica-install -N --setup-dns 
/var/lib/ipa/replica-file-from-master and I get this error output. It created the 
directory fine but is having trouble with the certs. I have disabled the firewalls on 
both and selinux hoping they would help but still same problem.

[r...@earth bcrl]# ipa-replica-install 
/var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
--no-forwarders

An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes
Directory Manager (existing master) password:

Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
Configuring directory server for the CA:
 [1/4]: creating directory server user
 [2/4]: creating directory server instance
 [3/4

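The reverse-address check that stops the replica installer in the message above is easy to reproduce on its own, and fixing the zone data is the safer route than commenting verify_fqdn() out of the installer. The script below is an added example, not code from this thread or from FreeIPA: it re-implements the forward and reverse checks in plain Python 3 (standard library only), takes the resolver as a parameter so it can run offline against a constructed zone, and computes the in-addr.arpa name that appears in the error. The host names are the thread's; earth's address 10.0.2.3 follows from 3.2.0.10.in-addr.arpa., while zeus's 10.0.2.2 and the whole SAMPLE_* zone are constructed. The function names verify_fqdn and reverse_name are the example's own, chosen to mirror the installer's function name, not its code.

```python
"""Reproduce the FQDN / reverse-address checks that ipa-replica-install performs.

Added example (not FreeIPA code). Python 3, standard library only.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A forward resolver maps a host name to its addresses; a reverse resolver maps an
# address to its PTR name (or None). Passing these in lets the check run against a
# stub zone offline, or against the real system resolver before an install.
ForwardLookup = Callable[[str], List[str]]
ReverseLookup = Callable[[str], Optional[str]]


def reverse_name(address: str) -> str:
    """Return the PTR owner name queried for an address, with the trailing dot.

    10.0.2.3 -> "3.2.0.10.in-addr.arpa." (the name shown in the installer's error);
    IPv6 addresses get the corresponding ip6.arpa name.
    """
    return ipaddress.ip_address(address).reverse_pointer + "."


def socket_forward(hostname: str) -> List[str]:
    """Forward lookup through the system resolver (A and AAAA records)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def socket_reverse(address: str) -> Optional[str]:
    """Reverse lookup through the system resolver; None if no PTR record exists."""
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return None


def verify_fqdn(hostname: str,
                forward: ForwardLookup = socket_forward,
                reverse: ReverseLookup = socket_reverse) -> List[str]:
    """Return the list of problems with a host name; an empty list means it passes.

    Mirrors what the installer checks: the name must be fully qualified, must
    resolve, and every address must have a PTR record pointing back at the name.
    """
    problems: List[str] = []
    if "." not in hostname.rstrip("."):
        return ["hostname %r is not fully qualified" % hostname]
    addresses = forward(hostname)
    if not addresses:
        return ["Hostname (%s) not found in DNS" % hostname]
    want = hostname.rstrip(".").lower()
    for addr in addresses:
        ptr = reverse(addr)
        if ptr is None:
            problems.append("Cannot find Reverse Address for %s (%s)"
                            % (hostname, reverse_name(addr)))
        elif ptr.rstrip(".").lower() != want:
            problems.append("Reverse Address for %s (%s) resolves to %s, "
                            "not back to the host name"
                            % (hostname, reverse_name(addr), ptr))
    return problems


# Constructed zone data for the offline demonstration. earth's 10.0.2.3 follows
# from the 3.2.0.10.in-addr.arpa. name in the error; zeus's address is made up.
# The reverse table deliberately lacks an entry for 10.0.2.3, reproducing the failure.
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "earth.bcrl.stcloudstate.edu": ["10.0.2.3"],
    "zeus.bcrl.stcloudstate.edu": ["10.0.2.2"],
}
SAMPLE_REVERSE: Dict[str, str] = {
    "10.0.2.2": "zeus.bcrl.stcloudstate.edu",
}


def check_sample_hosts() -> Dict[str, List[str]]:
    """Run verify_fqdn() over the constructed zone; returns {hostname: problems}."""
    return {host: verify_fqdn(host, lambda h: SAMPLE_FORWARD.get(h, []),
                              SAMPLE_REVERSE.get)
            for host in SAMPLE_FORWARD}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live mode: check the given names with the system resolver before installing.
        results = {host: verify_fqdn(host) for host in sys.argv[1:]}
    else:
        results = check_sample_hosts()
    for host, problems in results.items():
        print("%s: %s" % (host, "OK" if not problems else "; ".join(problems)))
```

Run it with host names as arguments to check a real zone (for example `python3 check_fqdn.py earth.bcrl.stcloudstate.edu`, file name assumed); with no arguments it runs against the constructed data and reports the same "Cannot find Reverse Address" message for earth. For the failure in the thread, adding a PTR record for 10.0.2.3 in a 2.0.10.in-addr.arpa reverse zone on the existing DNS server makes verify_fqdn() return an empty list, which is what the installer is looking for; commenting the check out of /usr/sbin/ipa-replica-install gets past the installer but leaves the inconsistency in place for anything else that relies on reverse DNS.
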
Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-17 Thread Corey Hemminger
Thanks so much you've been a big help. I'll give it a whack tomorrow morning. 
Thanks again. 

Corey

On Aug 17, 2010, at 3:06 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
 ok I did the updates, and edited the python files. Now when I try to run the 
 replica install I get:
 
 [r...@earth bcrl]# ipa-replica-install 
 /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
 --no-forwarder
 Directory Manager (existing master) password:
 
 root: ERROR Cannot find Reverse Address for 
 earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)
 
 I had this when installing the ipa-server and there was a --no-dns-lookup 
 option but not with the replica. Before the testing updates, I did get a 
 warning about the server not working for DNS lookup but still went ahead 
 with install. I'm looking to set these two up and make them the DNS servers 
 and currently have a simple dns setup that will get replaced by this setup. 
 How do I get around the reverse address lookup on the replica install side? 
 Thanks again for all the help.
 
 You'll need to modify /usr/sbin/ipa-replica-install. Look for the 
 function get_host_name(). You'll want to comment out the 5 lines 
 starting with try:. The comment character in python is the hash #. This 
 will cause it to skip the call to verify_fqdn() and your install should 
 proceed.
 
 I've opened a ticket to add this functionality to ipa-replica-install: 
 https://fedorahosted.org/freeipa/ticket/146
 
 rob
 
 
 Corey-
 
 From: Rob Crittenden [rcrit...@redhat.com]
 Sent: Monday, August 16, 2010 2:49 PM
 To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation 
 problems
 
 Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
 I'm using fedora 13 amd-64 version. I added the developers repo from 
 freeIPA.com for V2.0 and then did a yum install ipa-server so whichever 
 version it installed. I'm looking at dogtag and one of the packages says 
 1.3.1-2.fc13 and the other 2 packages for dogtag say 1.3.2-2.fc13 for the 
 pki dogtag package it says 1.3.7-1.fc13 all the packages read 1.3.something 
 the pki-silent-1.3.3-1.fc13 package if that helps. I also attached the two 
 files you asked to check. I attached the ipa-serv_deplist that I created 
 from running yum deplist ipa-server and it has all the packages and 
 version numbers. Sorry for the choppy e-mail I'm writing and looking up the 
 stuff in pieces.
 
 Can you update the pki-* and dogtag-* packages from the updates-testing
 repo? There are a number of important fixes there.
 
 It is also going to break your replica install because a new required
 option has been added to pkisilent. You'll need to modify
 /usr/lib/python*/site-packages/ipaserver/install/cainstance.py
 
 Search for pkisilent. We create a python list of the command to execute.
 You want to patch it like this (the numbers might not exactly line up):
 
 @@ -535,6 +524,7 @@ class CAInstance(service.Service):
   -db_name, ipaca,
   -key_size, 2048,
   -key_type, rsa,
 +-key_algorithm, SHA256withRSA,
   -save_p12, true,
   -backup_pwd, self.admin_password,
   -subsystem_name, self.service_name,
 
 You *might* be able to get away with just updating dogtag on the
 replica, I'm not sure.
 
 rob
 
 
 From: Rob Crittenden [rcrit...@redhat.com]
 Sent: Monday, August 16, 2010 12:35 PM
 To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation 
 problems
 
 Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
 Hi,
 I'm a student admin for St. Cloud State University's Business Computing 
 Research Lab, and we run our own separate network inside the campus 
 network with dedicated internet feeds and hardware for professors research 
 as well as masters and bachelors student research and labs. We have many 
 computers setup for workstations, clusters, clouds, etc... and I'm trying 
 to set up a redundant FreeIPA v2.0 in virtual box to help manage the 
 systems and control access to machines. I have setup the master with no 
 problems, but when creating the replica I run the command 
 ipa-replica-install -N --setup-dns /var/lib/ipa/replica-file-from-master 
 and I get this error output. It created the directory fine but is having 
 trouble with the certs. I have disabled the firewalls on both and selinux 
 hoping they would help but still same problem.
 
 [r...@earth bcrl]# ipa-replica-install 
 /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
 --no-forwarders
 
 An existing Directory Server has been detected.
 Do you wish to remove it and create a new

[Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-16 Thread Rob Crittenden
I fat-fingered this moderated message and it went into the bit bucket, 
here it is revived.


Subject: FreeIPA v2.0 alpha4 replica installation problems
From: Hemminger, Corey Lee. [heco0...@stcloudstate.edu] 
heco0...@stcloudstate.edu

Date: Mon, 16 Aug 2010 10:32:14 -0500
To: freeipa-users@redhat.com freeipa-users@redhat.com

Hi,
I'm a student admin for St. Cloud State University's Business Computing 
Research Lab, and we run our own separate network inside the campus 
network with dedicated internet feeds and hardware for professors 
research as well as masters and bachelors student research and labs. We 
have many computers setup for workstations, clusters, clouds, etc... and 
I'm trying to set up a redundant FreeIPA v2.0 in virtual box to help 
manage the systems and control access to machines. I have setup the 
master with no problems, but when creating the replica I run the command 
ipa-replica-install -N --setup-dns 
/var/lib/ipa/replica-file-from-master and I get this error output. It 
created the directory fine but is having trouble with the certs. I have 
disabled the firewalls on both and selinux hoping they would help but 
still same problem.


[r...@earth bcrl]# ipa-replica-install 
/var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
--no-forwarders


An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes
Directory Manager (existing master) password:

Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
Configuring directory server for the CA:
  [1/4]: creating directory server user
  [2/4]: creating directory server instance
  [3/4]: configuring directory to start on boot
  [4/4]: restarting directory server
done configuring pkids.
Configuring certificate server:
  [1/9]: creating certificate server user
  [2/9]: configuring certificate server instance
root: CRITICAL failed to restart ca instance Command 
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
earth.bcrl.stcloudstate.edu -cs_port 9445 -client_certdb_dir 
/tmp/tmp-vemQSV -client_certdb_pwd  -preop_pin 
yhiJojW06gxaPrkvOJOK -domain_name IPA -admin_user admin -admin_email 
r...@localhost -admin_password  -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=IPA -ldap_host earth.bcrl.stcloudstate.edu 
-ldap_port 7389 -bind_dn cn=Directory Manager -bind_password  
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 
true -backup_pwd  -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=IPA 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IPA 
-ca_server_cert_subject_name CN=earth.bcrl.stcloudstate.edu,O=IPA 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=IPA 
-ca_sign_cert_subject_name CN=Certificate Authority,O=IPA -external false -clone true -clone_p12_file ca.p12 
-clone_p12_password  -sd_hostname zeus.bcrl.stcloudstate.edu 
-sd_admin_port 9445 -sd_admin_name admin -sd_admin_password  
-clone_uri https://zeus.bcrl.stcloudstate.edu:9444' returned non-zero 
exit status 255

  [3/9]: creating RA agent certificate database
  [4/9]: importing CA chain to RA certificate database
creation of replica failed: Unable to retrieve CA chain: Retrieving CA 
cert chain failed: Error: Failed to get certificate chain.


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Thanks for any help,
Corey

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

2010-08-16 Thread Rob Crittenden

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:

Hi,
I'm a student admin for St. Cloud State University's Business Computing Research Lab, and 
we run our own separate network inside the campus network with dedicated internet feeds 
and hardware for professors research as well as masters and bachelors student research 
and labs. We have many computers setup for workstations, clusters, clouds, etc... and I'm 
trying to set up a redundant FreeIPA v2.0 in virtual box to help manage the systems and 
control access to machines. I have setup the master with no problems, but when creating 
the replica I run the command ipa-replica-install -N --setup-dns 
/var/lib/ipa/replica-file-from-master and I get this error output. It created the 
directory fine but is having trouble with the certs. I have disabled the firewalls on 
both and selinux hoping they would help but still same problem.

[r...@earth bcrl]# ipa-replica-install 
/var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
--no-forwarders

An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes
Directory Manager (existing master) password:

Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
Configuring directory server for the CA:
   [1/4]: creating directory server user
   [2/4]: creating directory server instance
   [3/4]: configuring directory to start on boot
   [4/4]: restarting directory server
done configuring pkids.
Configuring certificate server:
   [1/9]: creating certificate server user
   [2/9]: configuring certificate server instance
root: CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
earth.bcrl.stcloudstate.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-vemQSV -client_certdb_pwd  -preop_pin yhiJojW06gxaPrkvOJOK 
-domain_name IPA -admin_user admin -admin_email r...@localhost -admin_password  -agent_name ipa-ca-agent -agent_key_size 2048 
-agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=IPA -ldap_host earth.bcrl.stcloudstate.edu -ldap_port 7389 -bind_dn 
cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd 
 -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IPA 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IPA -ca_server_cert_subject_name CN=earth.bcrl.stcloudstate.edu,O=IPA 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=IPA -ca_sign_cert_subject_name CN=Certificate Authority,O=IPA -external false -clone true -clone_p12_file ca.p12 
-clone_p12_password  -sd_hostname zeus.bcrl.stcloudstate.edu -sd_admin_port 
9445 -sd_admin_name admin -sd_admin_password  -clone_uri 
https://zeus.bcrl.stcloudstate.edu:9444' returned non-zero exit status 255
   [3/9]: creating RA agent certificate database
   [4/9]: importing CA chain to RA certificate database
creation of replica failed: Unable to retrieve CA chain: Retrieving CA cert 
chain failed: Error: Failed to get certificate chain.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Thanks for any help,
Corey


Heh, I guess I didn't fat-finger this after all...

What distro is this?

What version of pki-* and dogtag-* do you have installed? Can you look 
at /var/log/ipareplica-install.log to see if there are any more details 
on the failure? /var/log/pki-ca/debug would also be a place to look 
though be forewarned, it is quite verbose and daunting (and has a number 
of red herrings, particularly warnings about cipher failures).


We had some problems creating dogtag clones while creating IPA replicas 
in the recent past and it would fail in the pkisilent step. This may be 
another case of that or it may be that our current requires don't pull 
in the right set of dogtag packages.


rob
