Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
On 17.6.2015 at 12:26, Fraser Tweedale wrote:
> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
> > On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
> > > On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> > > > On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> > > > > - ipa-replica-prepare works
> > > > > - old IPA server was upgraded to today's master (with Cert profiles patches)
> > > > > - ipa-replica-prepare fails with:
> > > > >
> > > > > Log:
> > > > > ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> > > > > ipa: DEBUG: cert valid True for CN=repl.example.com,O=EXAMPLE.COM
> > > > > ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> > > > > ipa: DEBUG: Protocol: TLS1.2
> > > > > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> > > > > ipa: DEBUG: request status 200
> > > > > ipa: DEBUG: request reason_phrase u'OK'
> > > > > ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > > > > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
> > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> > > > >     return_value = self.run()
> > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> > > > >     self.copy_ds_certificate()
> > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> > > > >     self.export_certdb(dscert, passwd_fname)
> > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> > > > >     db.create_server_cert(nickname, hostname, ca_db)
> > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> > > > >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> > > > >     raise RuntimeError(Certificate issuance failed)
> > > >
> > > > Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
> > > >
> > > > --
> > > > Martin^3 Babinsky
> > >
> > > It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce.
> > >
> > > Can anyone who has encountered it please:
> > >
> > > - state fedora version(s) affected and precise build of Dogtag
> > > - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
> > >
> > > Thanks,
> > > Fraser
> >
> > I see a similar issue when creating a replica file from second replica/master, all git master. I.e. the prepare on first server obviously works.
> >
> > The error is different though:
> >
> > ipa: DEBUG: request status 200
> > ipa: DEBUG: request reason_phrase u'OK'
> > ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>'
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> >     return_value = self.run()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> >     self.copy_ds_certificate()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> >     self.export_certdb(dscert, passwd_fname)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> >     db.create_server_cert(nickname, hostname, ca_db)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> >     raise RuntimeError(Certificate issuance failed)
> >
> > --
> > Petr Vobornik
>
> I spent some time debugging this issue today. It appears to be introduced by commit:
>
> commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
> Author: David Kupka dku...@redhat.com
> Date: Mon Jun 8 05:23:56 2015 +
>
>     Move CA installation code into single module.
>
>     https://fedorahosted.org/freeipa/ticket/4468
>
>     Reviewed-By: Jan Cholasta jchol...@redhat.com
>
> During the execution of ipa-replica-prepare, the RA cert (nickname ipaCert) gets added to the /etc/httpd/alias/ NSSDB, but then removed somehow while executing http.create_instance().
>
> I have not yet precisely identified the cause enough to fix it. Hopefully David or Honza can shed some light.

Fixed.

--
Jan Cholasta

From dca319d651c578a3c7c763a32160aaa70e16efd2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 18 Jun 2015 10:35:09 +
Subject: [PATCH] install: Fix ipa-replica-install not installing RA cert

https://fedorahosted.org/freeipa/ticket/4468
---
Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
On 06/18/2015 02:43 PM, David Kupka wrote:
> On 18.6.2015 at 13:18, Jan Cholasta wrote:
> > On 17.6.2015 at 12:26, Fraser Tweedale wrote:
> > > On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
> > > > On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
> > > > > On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> > > > > > On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> > > > > > > - ipa-replica-prepare works
> > > > > > > - old IPA server was upgraded to today's master (with Cert profiles patches)
> > > > > > > - ipa-replica-prepare fails with:
> > > > > > >
> > > > > > > Log:
> > > > > > > ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> > > > > > > ipa: DEBUG: cert valid True for CN=repl.example.com,O=EXAMPLE.COM
> > > > > > > ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> > > > > > > ipa: DEBUG: Protocol: TLS1.2
> > > > > > > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> > > > > > > ipa: DEBUG: request status 200
> > > > > > > ipa: DEBUG: request reason_phrase u'OK'
> > > > > > > ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > > > > > > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
> > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> > > > > > >     return_value = self.run()
> > > > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> > > > > > >     self.copy_ds_certificate()
> > > > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> > > > > > >     self.export_certdb(dscert, passwd_fname)
> > > > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> > > > > > >     db.create_server_cert(nickname, hostname, ca_db)
> > > > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> > > > > > >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> > > > > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> > > > > > >     raise RuntimeError(Certificate issuance failed)
> > > > > >
> > > > > > Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
> > > > > >
> > > > > > --
> > > > > > Martin^3 Babinsky
> > > > >
> > > > > It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce.
> > > > >
> > > > > Can anyone who has encountered it please:
> > > > >
> > > > > - state fedora version(s) affected and precise build of Dogtag
> > > > > - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
> > > > >
> > > > > Thanks,
> > > > > Fraser
> > > >
> > > > I see a similar issue when creating a replica file from second replica/master, all git master. I.e. the prepare on first server obviously works.
> > > >
> > > > The error is different though:
> > > >
> > > > ipa: DEBUG: request status 200
> > > > ipa: DEBUG: request reason_phrase u'OK'
> > > > ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > > > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>'
> > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> > > >     return_value = self.run()
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> > > >     self.copy_ds_certificate()
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> > > >     self.export_certdb(dscert, passwd_fname)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> > > >     db.create_server_cert(nickname, hostname, ca_db)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> > > >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> > > >     raise RuntimeError(Certificate issuance failed)
> > > >
> > > > --
> > > > Petr Vobornik
> > >
> > > I spent some time debugging this issue today. It appears to be introduced by commit:
> > >
> > > commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
> > > Author: David Kupka dku...@redhat.com
> > > Date: Mon Jun 8 05:23:56 2015 +
> > >
> > >     Move CA installation code into single module.
> > >
> > >     https://fedorahosted.org/freeipa/ticket/4468
> > >
> > >     Reviewed-By: Jan Cholasta jchol...@redhat.com
> > >
> > > During the execution of ipa-replica-prepare, the RA cert (nickname ipaCert) gets added to the /etc/httpd/alias/ NSSDB, but then removed somehow while executing http.create_instance().
> > >
> > > I have not yet precisely identified the cause enough to fix it. Hopefully David or Honza can shed some light.
> >
> > Fixed.
>
> Works for me, ACK.

Pushed to master: c3a3d789b5da353a6abf2722932df4f5fc05dbe5

--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
> > On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> > > On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> > > > - ipa-replica-prepare works
> > > > - old IPA server was upgraded to today's master (with Cert profiles patches)
> > > > - ipa-replica-prepare fails with:
> > > >
> > > > Log:
> > > > ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> > > > ipa: DEBUG: cert valid True for CN=repl.example.com,O=EXAMPLE.COM
> > > > ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> > > > ipa: DEBUG: Protocol: TLS1.2
> > > > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> > > > ipa: DEBUG: request status 200
> > > > ipa: DEBUG: request reason_phrase u'OK'
> > > > ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > > > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
> > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> > > >     return_value = self.run()
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> > > >     self.copy_ds_certificate()
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> > > >     self.export_certdb(dscert, passwd_fname)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> > > >     db.create_server_cert(nickname, hostname, ca_db)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> > > >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> > > >     raise RuntimeError(Certificate issuance failed)
> > >
> > > Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
> > >
> > > --
> > > Martin^3 Babinsky
> >
> > It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce.
> >
> > Can anyone who has encountered it please:
> >
> > - state fedora version(s) affected and precise build of Dogtag
> > - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
> >
> > Thanks,
> > Fraser
>
> I see a similar issue when creating a replica file from second replica/master, all git master. I.e. the prepare on first server obviously works.
>
> The error is different though:
>
> ipa: DEBUG: request status 200
> ipa: DEBUG: request reason_phrase u'OK'
> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>'
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
>     return_value = self.run()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
>     self.copy_ds_certificate()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
>     self.export_certdb(dscert, passwd_fname)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
>     db.create_server_cert(nickname, hostname, ca_db)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
>     raise RuntimeError(Certificate issuance failed)
>
> --
> Petr Vobornik

I spent some time debugging this issue today. It appears to be introduced by commit:

commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
Author: David Kupka dku...@redhat.com
Date: Mon Jun 8 05:23:56 2015 +

    Move CA installation code into single module.

    https://fedorahosted.org/freeipa/ticket/4468

    Reviewed-By: Jan Cholasta jchol...@redhat.com

During the execution of ipa-replica-prepare, the RA cert (nickname ipaCert) gets added to the /etc/httpd/alias/ NSSDB, but then removed somehow while executing http.create_instance().

I have not yet precisely identified the cause enough to fix it. Hopefully David or Honza can shed some light.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
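Both failures quoted in this thread arrive as HTTP 200 with the error carried in the XML body, so triage has to parse the body rather than trust the status line. The following is an added example, not code from the thread or from FreeIPA: `triage` and `classify` are hypothetical names, the sample lines are constructed in the shape of the quoted debug output, and treating `Status` 0 with no `Error` element as success is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: debug lines in the shape quoted in the thread. The last
# response (Status 0, no Error) is an assumed success case, not from the thread.
SAMPLE_LOG = """\
ipa: DEBUG: request status 200
ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
ipa: DEBUG: request status 200
ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>'
ipa: DEBUG: request status 200
ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status></XMLResponse>'
"""

STATUS_RE = re.compile(r"^ipa: DEBUG: request status (\d+)$")
BODY_RE = re.compile(r"^ipa: DEBUG: request body '(.*)'$")

# Follow-ups taken from the thread itself, keyed by verdict.
HINTS = {
    "invalid-credential": "check that the RA cert (nickname ipaCert) is still "
                          "in the /etc/httpd/alias NSSDB",
    "profile-not-found": "collect ipaupgrade.log and "
                         "/var/log/pki/pki-tomcat/ca/debug",
}


def classify(http_status, body):
    """Return (verdict, error_text) for one CA response."""
    if http_status != 200:
        return "http-error", None
    # Log content is untrusted input: refuse DTDs instead of expanding them.
    if "<!DOCTYPE" in body:
        return "unparseable", None
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return "unparseable", None
    ca_status = root.findtext("Status")
    error = root.findtext("Error")
    if ca_status == "0" and error is None:
        return "ok", None
    if error is None:
        return "ca-error", None
    if re.fullmatch(r"Profile \S+ Not Found", error):
        return "profile-not-found", error
    if error.startswith("Invalid Credential"):
        return "invalid-credential", error
    return "ca-error", error


def triage(log_text):
    """Pair each 'request status' line with the 'request body' that follows."""
    results = []
    http_status = None
    for line in log_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            http_status = int(m.group(1))
            continue
        m = BODY_RE.match(line)
        if m and http_status is not None:
            verdict, error = classify(http_status, m.group(1))
            results.append({"http_status": http_status, "verdict": verdict,
                            "error": error, "hint": HINTS.get(verdict)})
            http_status = None
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```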
Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> > On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> > > - ipa-replica-prepare works
> > > - old IPA server was upgraded to today's master (with Cert profiles patches)
> > > - ipa-replica-prepare fails with:
> > >
> > > Log:
> > > ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> > > ipa: DEBUG: cert valid True for CN=repl.example.com,O=EXAMPLE.COM
> > > ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> > > ipa: DEBUG: Protocol: TLS1.2
> > > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> > > ipa: DEBUG: request status 200
> > > ipa: DEBUG: request reason_phrase u'OK'
> > > ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
> > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> > >     return_value = self.run()
> > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> > >     self.copy_ds_certificate()
> > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> > >     self.export_certdb(dscert, passwd_fname)
> > >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> > >     db.create_server_cert(nickname, hostname, ca_db)
> > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> > >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> > >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> > >     raise RuntimeError(Certificate issuance failed)
> >
> > Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
> >
> > --
> > Martin^3 Babinsky
>
> It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce.
>
> Can anyone who has encountered it please:
>
> - state fedora version(s) affected and precise build of Dogtag
> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>
> Thanks,
> Fraser

I see a similar issue when creating a replica file from second replica/master, all git master. I.e. the prepare on first server obviously works.

The error is different though:

ipa: DEBUG: request status 200
ipa: DEBUG: request reason_phrase u'OK'
ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
    return_value = self.run()
  File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
    self.copy_ds_certificate()
  File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
    self.export_certdb(dscert, passwd_fname)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
    raise RuntimeError(Certificate issuance failed)

--
Petr Vobornik
Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> > - ipa-replica-prepare works
> > - old IPA server was upgraded to today's master (with Cert profiles patches)
> > - ipa-replica-prepare fails with:
> >
> > Log:
> > ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> > ipa: DEBUG: cert valid True for CN=repl.example.com,O=EXAMPLE.COM
> > ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> > ipa: DEBUG: Protocol: TLS1.2
> > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> > ipa: DEBUG: request status 200
> > ipa: DEBUG: request reason_phrase u'OK'
> > ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> >     return_value = self.run()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> >     self.copy_ds_certificate()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> >     self.export_certdb(dscert, passwd_fname)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> >     db.create_server_cert(nickname, hostname, ca_db)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> >     raise RuntimeError(Certificate issuance failed)
>
> Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
>
> --
> Martin^3 Babinsky

It was reported to me that the issue was reproducible after upgrade from 4.1.4 to master, but I was not able to reproduce.

Can anyone who has encountered it please:

- state fedora version(s) affected and precise build of Dogtag
- provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug

Thanks,
Fraser
Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> > - ipa-replica-prepare works
> > - old IPA server was upgraded to today's master (with Cert profiles patches)
> > - ipa-replica-prepare fails with:
> >
> > Log:
> > ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> > ipa: DEBUG: cert valid True for CN=repl.example.com,O=EXAMPLE.COM
> > ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> > ipa: DEBUG: Protocol: TLS1.2
> > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> > ipa: DEBUG: request status 200
> > ipa: DEBUG: request reason_phrase u'OK'
> > ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> > ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
> >     return_value = self.run()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
> >     self.copy_ds_certificate()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
> >     self.export_certdb(dscert, passwd_fname)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
> >     db.create_server_cert(nickname, hostname, ca_db)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
> >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
> >     raise RuntimeError(Certificate issuance failed)
>
> Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).
>
> --
> Martin^3 Babinsky

Thanks for the reports. I will try to reproduce and fix tomorr... *looks at clock*... later on today, after the sun rises and I have had some sleep :)

Cheers,
Fraser
Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> - ipa-replica-prepare works
> - old IPA server was upgraded to today's master (with Cert profiles patches)
> - ipa-replica-prepare fails with:
>
> Log:
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for CN=repl.example.com,O=EXAMPLE.COM
> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> ipa: DEBUG: request status 200
> ipa: DEBUG: request reason_phrase u'OK'
> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
>     return_value = self.run()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 338, in run
>     self.copy_ds_certificate()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 383, in copy_ds_certificate
>     self.export_certdb(dscert, passwd_fname)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 595, in export_certdb
>     db.create_server_cert(nickname, hostname, ca_db)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 337, in create_server_cert
>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 419, in issue_server_cert
>     raise RuntimeError(Certificate issuance failed)

Bump, I have also come across this issue (see log: http://pastebin.test.redhat.com/289434).

--
Martin^3 Babinsky