Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
On 02/17/2015 12:08 AM, Rob Crittenden wrote:
> Steven Jones wrote:
> > [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> > SASL/GSSAPI authentication started
> > SASL username:
> > SASL SSF: 56
> > SASL data security layer installed.
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # search result
> > search: 4
> > result: 32 No such object
> >
> > # numResponses: 1
>
> Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.
>
> rob

Right. Or even easier is to simply delete cn=CAcert,cn=ipa,cn=etc,SUFFIX and then run

    # ipa-ldap-updater --upgrade

again. The upload_cacrt.py plugin should simply re-upload the properly encoded certificate.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> Hi,
>
> I have no idea how.

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

It should have an attribute cACertificate;binary likely beginning with MII. If it begins with TU then it is likely double-encoded.

And remember, this may be a red herring.

rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
[root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
SASL/GSSAPI authentication started
SASL username:
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1

regards

Steven

From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 10:59 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

> Steven Jones wrote:
> > Hi,
> >
> > I have no idea how.
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> It should have an attribute cACertificate;binary likely beginning with MII. If it begins with TU then it is likely double-encoded.
>
> And remember, this may be a red herring.
>
> rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Hi,

I have no idea how.

regards

Steven

From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 10:40 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

> Steven Jones wrote:
> > While attempting to initialise the new server I am getting,
> > [...]
> > error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > [...]
> > ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
> >
> > Any idea what is wrong please?
>
> What a strange error. My initial thought was that it couldn't read or parse the CA cert from the 3.0 master, but this security library error is unexpected.
>
> I might be sending you on a wild goose chase but take a look at the CA cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> There was a bug quite a while back where the cert value was double-base64-encoded. I wouldn't expect this error from this problem but who knows.
>
> rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> SASL/GSSAPI authentication started
> SASL username:
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
>
> # numResponses: 1

Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.

rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
yep this is all double dutch to me.

regards

Steven

From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

> Steven Jones wrote:
> > [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> > [...]
> > # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
> > [...]
> > result: 32 No such object
>
> Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.
>
> rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8---

:(

So now what?

regards

Steven

From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

> Steven Jones wrote:
> > [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> > [...]
> > result: 32 No such object
>
> Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.
>
> rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8---

Now you need to replace the contents of this double-encoded value with an actual binary value.

First create the necessary file:

$ openssl x509 -inform pem -outform der -in /etc/ipa/ca.crt -out /tmp/ca.der

Now replace what is there with the contents of the file, replacing dc=example,dc=com with your basedn:

$ kinit admin
$ ldapmodify -Y GSSAPI
dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der
<hit return to signal you are done>
modifying entry "cn=CACert,cn=ipa,cn=etc,dc=example,dc=com"
<ctrl-D to quit>

This is assuming that you have a single CA certificate in /etc/ipa/ca.crt. This is *not* the best assumption to make. Be careful.

rob

> :(
>
> So now what?
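The two steps Rob gives in this thread, the MII-versus-TU check on the ldapsearch output and the ldapmodify that replaces the value with real DER, done as a small script. This is an added example written for this page, not FreeIPA code and not anything Rob posted. It decides by structure rather than by prefix: a correct value decodes to a DER SEQUENCE whose encoded length spans the whole blob, while the value the old bug wrote decodes to base64 text and only becomes DER after a second decode. SAMPLE_DER is a constructed SEQUENCE of the right shape, not a real certificate; the function names and the optional comparison against the DER from /etc/ipa/ca.crt (my way of guarding against Rob's "single CA certificate" caveat) are assumptions of this example, not a FreeIPA interface.

```python
"""Detect and repair a double-base64-encoded cACertificate;binary value."""
import base64
import binascii
import re

# Constructed sample (not a real certificate): a DER SEQUENCE with a two-byte
# long-form length, 0x30 0x82 ..., which is the shape of every real X.509
# certificate and the reason a correct value base64-encodes to "MII".
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# What ldapsearch prints for a correct entry. LDIF's "::" means the printed
# text is base64 of the stored bytes, so a stored DER blob shows as "MII...".
GOOD_LDIF_VALUE = base64.b64encode(SAMPLE_DER)

# What ldapsearch prints for an entry written by the old bug: the stored
# bytes are already base64 text, which ldapsearch base64-encodes once more,
# so the line shows "TUlJ..." (the base64 of "MII").
DOUBLE_LDIF_VALUE = base64.b64encode(GOOD_LDIF_VALUE)

_B64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\r\n]*$")


def der_sequence_length(blob):
    """Total length of the DER SEQUENCE starting at blob[0], or None if the
    first bytes are not a well-formed SEQUENCE header."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def is_der_certificate_shaped(blob):
    """A certificate is one outer SEQUENCE that spans exactly the blob."""
    return der_sequence_length(blob) == len(blob)


def decode_stored_cacert(ldif_value):
    """Take the text after 'cACertificate;binary::' in ldapsearch output and
    return (der_bytes, extra_layers): 0 means the entry is fine, 1 is the
    double-encoded value from the old bug. Raises ValueError if no amount of
    decoding yields a DER certificate."""
    try:
        blob = base64.b64decode(ldif_value)   # undo LDIF's own base64 layer
    except binascii.Error as exc:
        raise ValueError(f"not valid LDIF base64: {exc}") from exc
    for layers in range(3):
        if is_der_certificate_shaped(blob):
            return blob, layers
        if not _B64_TEXT.match(blob):       # binary but not DER: give up
            break
        try:
            blob = base64.b64decode(blob)   # peel one more base64 layer
        except binascii.Error:
            break
    raise ValueError("value never decodes to a DER certificate")


def repair_ldif(basedn, der):
    """LDIF for ldapmodify that stores the DER bytes. '::' tells ldapmodify
    the value is base64-encoded once, so the server stores binary; same
    effect as Rob's 'cacertificate;binary:< file:///tmp/ca.der'."""
    return "\n".join([
        f"dn: cn=CAcert,cn=ipa,cn=etc,{basedn}",
        "changetype: modify",
        "replace: cACertificate;binary",
        "cACertificate;binary:: " + base64.b64encode(der).decode("ascii"),
        "",
    ])


def check_and_repair(ldif_value, basedn, expected_der=None):
    """Return (status, ldif_or_None). expected_der is the DER you get from
    'openssl x509 -outform der' on /etc/ipa/ca.crt; when given, the
    recovered certificate must be that one, which catches a ca.crt holding
    several certificates or an entry holding a different one."""
    der, layers = decode_stored_cacert(ldif_value)
    if expected_der is not None and der != expected_der:
        return "mismatch", None
    if layers == 0:
        return "ok", None
    return "double-encoded", repair_ldif(basedn, der)


if __name__ == "__main__":
    for label, value in (("good", GOOD_LDIF_VALUE), ("double", DOUBLE_LDIF_VALUE)):
        status, ldif = check_and_repair(value, "dc=example,dc=com", SAMPLE_DER)
        print(f"{label}: starts with {value[:4].decode()} -> {status}")
        if ldif:
            print(ldif)
```

To use it against a real server, pass check_and_repair the text after `cACertificate;binary::` from the ldapsearch output (with any LDIF continuation lines joined), your basedn, and the bytes of the DER file produced by the openssl command above; feed the returned LDIF to `ldapmodify -Y GSSAPI` only when the status is "double-encoded".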
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> While attempting to initialise the new server I am getting,
>
> [root@xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
> =8
> packages/ipaserver/install/plugins/update_uniqueness.py'
> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
> ipa : DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>     return_value = main_function()
>   File "/sbin/ipa-replica-install", line 658, in main
>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>   File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>     sys.exit(1)
> ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
>
> Any idea what is wrong please?

What a strange error. My initial thought was that it couldn't read or parse the CA cert from the 3.0 master, but this security library error is unexpected.

I might be sending you on a wild goose chase but take a look at the CA cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX

There was a bug quite a while back where the cert value was double-base64-encoded. I wouldn't expect this error from this problem but who knows.

rob