[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-02-05 Thread Jochen Demmer via FreeIPA-users
Yeah I actually modified the PEM outputs because I wasn't sure if it was 
sensible.

The second attribute userCertificate has the serial 21.
What about the ra-agent.key? When I put the certificate from the LDAP to 
the file named ra-agent.pem, does the .key file need to be updated, too?


Thank you so much. I'm looking forward to a working upgrade, soon ;-)

Jochen

On Tuesday, 4 February 2020 17:47:05 CET, Florence Blanc-Renaud wrote:

On 2/3/20 9:07 AM, Jochen Demmer via FreeIPA-users wrote:

Hi,

unfortunately currently there is no other node, which is why 
I'm trying to update to Fedora 31. I used to replicate between 
two machines but one got lost.
I installed a new machine which is supposed to work as my new 
replica but this is being virtualized in bhyve / FreeNAS and 
this doesn't allow Fedora 30 to be installed so I'm stuck with 
Fedora 31.
In the docs it's said that versions between replicas need to 
be consistent so I'm trying to update the only running FreeIPA 
node (srv107) to Fedora 31 first.



Ok, so in this case we need to work on this single node...


Jochen

On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via FreeIPA-users wrote:
...
We can see that there is an inconsistency between the 
/var/lib/ipa/ra-agent.pem file and the LDAP content. You need to 
choose which one to pick as the source of truth and update the 
other one.


If the cert in /var/lib/ipa/ra-agent.pem is still valid, you 
can use this one. To check the validity:

$ openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem

Look for the lines:
Validity
Not Before: 
Not After : 

If the cert is valid, use this one as source of truth and 
update the ldap entry with ldapmodify (the description attribute 
and the usercertificate attribute).


If the cert is not valid, you need to find which one in the 
ldap entry corresponds to the serial 21. I did not manage to 
read the content of the usercertificate attribute, did you cut 
the ldapsearch output?

I tried with
$ openssl x509 -noout -text
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

but the 2 certs in the usercertificate attribute failed with 
"unable to load certificate".


flo


...

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: 
https://fedoraproject.org/wiki/Mailing_list_guidelines ...







[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-02-03 Thread Jochen Demmer via FreeIPA-users

Hi,

unfortunately currently there is no other node, which is why I'm trying to 
update to Fedora 31. I used to replicate between two machines but one got lost.
I installed a new machine which is supposed to work as my new replica but this 
is being virtualized in bhyve / FreeNAS and this doesn't allow Fedora 30 to be 
installed so I'm stuck with Fedora 31.
In the docs it's said that versions between replicas need to be consistent so 
I'm trying to update the only running FreeIPA node (srv107) to Fedora 31 first.

Jochen

On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via FreeIPA-users wrote:
On 2/2/20 11:30 PM, Jochen Demmer via FreeIPA-users wrote:
> Hi,
>
> this is the outputs:
> [root@srv107 ipa]# openssl x509 -noout -in /var/lib/ipa/ra-agent.pem
> -serial -subject -issuer -nameopt RFC2253
> serial=15
> subject=CN=IPA RA,O=UNIX.domain.NET
> issuer=CN=Certificate Authority,O=UNIX.domain.NET
>
> [root@srv107 ipa]# openssl x509 -noout -in ra-agent.pem -serial -subject
> -issuer -nameopt RFC2253
> serial=15
> subject=CN=IPA RA,O=UNIX.domain.NET
> issuer=CN=Certificate Authority,O=UNIX.domain.NET
> [root@srv107 ipa]# ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory
> manager" -W -b uid=ipara,ou=people,o=ipaca dn description usercertificate
> Enter LDAP Password:
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA
> RA,O=UNIX.domain.NET
> usercertificate::
> MIIDccCCAlqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5VTklYLkdPU0lYLk5FVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDcyODE0MTIyMFoXDTE4MDcxODE0MTIyMFowKjEXMBUGA1UECgwOVU5JWC5HT1NJWC5ORVQxDzANBfNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMxnrp8441QA/vzIB/0a9kT5IAH9yACEx8lirOspAOmn8ziFYUvB4idMqd4wKpuIeFhl4LDMN++HJGsfAGbon7LQ0lvlxz16ntdMazfmqSCwgSycroDLJEBHZW0vC6NslOVI808nnc7D+xcrOaGFaisDbjWYFn9LQoBHOAACtgGHmLQWszsQyrZhg0zbhzHoBDfSu6UtyCIuDP4lQ3tZdnNygP1x8cEmCUrAzEl3wqY24aQHMF7RglAb+O7/9A8UURXMi6QwIkbyucPA3Wh+RdHy41xhqDI/bmcq7Nas814PIHjhZQJTT02tdEqYYDgmv/dNqfT/OkYUHNah2Jf8ZL0CAwEAAaOBkzCBkDAfBgNVHSMEGDAWgBROuje6JvS5f3aN0Qk0DRDGjOWHRjA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9zcnYxMDcuZ29zaXgubmV0OjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAg6wMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi8CxlPVaFHi7XlT1sSY74WPy9BlZW/Dt9by94wDCs14pZeMalmwkY8iHkvQtTagoS7y/Nq0p7PTHbcr7y9CisiAP+DykYZHdIyBtjrQ37GIADjyXhbYJ+Y90O/J24M2q2t1X8xbSIhxqQ8eN4ICTDHqzBIn2YkAHxT1QkitNIZWlMSWdEImcpmQB5CIU1q8swaK6u1k5ksC4mNwUxkSzi1nr+ixuuIkSDjuC3f1kGOaJGV92fJRk+TbRvP6hxKMY9ITwy0upwcUvO/Sv8kdJ21pJ/VJmxfZDilHW6ZrZtME6zaMUmVCVmchxIV2jTvJ3PCAqly6fI41oOsEoPSYu1Q==
> usercertificate::
>
>
> I can see that the serial is different but I cannot compare the
> usercertificate attributes since they are not given in the openssl
> command output.
>
Hi,
Serial is 15 on the node srv107 but 21 in LDAP. This means that the cert
was renewed but the local file didn't get updated.
Can you check first which node is your CA renewal master?
$ kinit admin
$ ipa config-show | grep "CA renewal master"
IPA CA renewal master: master.ipa.domain

On this node check that the file /var/lib/ipa/ra-agent.pem and the
content in ldap are consistent. You can do just $ cat
/var/lib/ipa/ra-agent.pem to compare the content of the cert with the
usercertificate attribute of the ldap entry.
If everything is OK on the renewal master, you can copy the file
/var/lib/ipa/ra-agent.pem to the failing node srv107.

HTH,
flo

> Shall I  just adjust the serial and try again?
>
> Jochen
>
>
> On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via
> FreeIPA-users  wrote:
>>
>> This error occurs when IPA framewor
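The consistency check Florence describes in both replies above (the serial in /var/lib/ipa/ra-agent.pem versus the serial in the ipara entry's description and usercertificate attributes) can be scripted; the following is an added example written for this thread, not FreeIPA's own code. The sample description is the one quoted above; the certificates are constructed minimal DER prefixes (version and serial only), which is all the check needs, and a value that is not a certificate is reported as None instead of aborting, which is what happened when openssl refused the pasted usercertificate values.

```python
# Added example (not FreeIPA's own code): compare the serial of the cert in
# /var/lib/ipa/ra-agent.pem with the serial the ipara LDAP entry records in its
# description and inside each base64 usercertificate value, via a minimal DER walk.
import base64
# Constructed samples: description as in the thread; minimal DER prefixes
# (version + serial only) with serials 21 and 15, the PEM file holding 15.
SAMPLE_DESCRIPTION = "2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET"
SAMPLE_USERCERTS = ["MAowCKADAgECAgEV", "MAowCKADAgECAgEP"]
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAowCKADAgECAgEP\n-----END CERTIFICATE-----\n"

def _tlv(buf, pos):  # (tag, value_start, value_end) of the DER element at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_serial(der):
    """Serial number of a DER X.509 certificate, or None if the bytes are not one."""
    try:
        pos = 0
        for _ in range(2):                   # Certificate SEQUENCE, then tbsCertificate SEQUENCE
            tag, pos, _end = _tlv(der, pos)
            if tag != 0x30:
                return None
        tag, start, end = _tlv(der, pos)     # optional [0] EXPLICIT version precedes the serial
        if tag == 0xA0:
            tag, start, end = _tlv(der, end)
        if tag != 0x02:                      # serialNumber ::= INTEGER
            return None
        return int.from_bytes(der[start:end], "big", signed=True)
    except IndexError:                       # truncated or garbled input
        return None

def pem_serial(pem_text):
    parts = pem_text.split("-----BEGIN CERTIFICATE-----")
    body = parts[1].split("-----END CERTIFICATE-----")[0] if len(parts) > 1 else ""
    return der_serial(base64.b64decode(body)) if body.strip() else None

def check_ra_agent(pem_text, description, usercertificates):
    """Report which sources agree; usercertificates are the raw base64 LDAP values."""
    parts = description.split(";")           # ipara description: "2;<serial>;<issuer>;<subject>"
    ldap_serial = int(parts[1]) if len(parts) >= 4 and parts[1].isdigit() else None
    file_serial = pem_serial(pem_text)
    cert_serials = [der_serial(base64.b64decode(b)) for b in usercertificates]
    return {"file_serial": file_serial, "ldap_serial": ldap_serial,
            "usercertificate_serials": cert_serials,     # None: value is not a certificate
            "file_matches_ldap": file_serial is not None and file_serial == ldap_serial,
            "ldap_serial_in_usercertificate": ldap_serial is not None and ldap_serial in cert_serials}
```

On a real server, feed it the file contents and the base64 values from `ldapsearch -o ldif-wrap=no` on uid=ipara,ou=people,o=ipaca; a file_matches_ldap of False with the LDAP serial present in a usercertificate value is the "renewed but local file not updated" situation described above.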

[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-02-02 Thread Jochen Demmer via FreeIPA-users
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20190904114927':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=UNIX.domain.net
>     subject: CN=IPA RA,O=UNIX.domain.net
>     expires: 2020-06-09 16:12:52 CEST
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20190904114928':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=UNIX.domain.net
>     subject: CN=srv107.domain.net,O=UNIX.domain.net
>     expires: 2020-07-01 16:13:09 CEST
>     principal name: ldap/srv107.domain@unix.domain.net
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
> UNIX-domain.net-NET
>     track: yes
>     auto-renew: yes
> Request ID '20190904114929':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/srv107.domain.net-443-RSA'
>     certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=UNIX.domain.net
>     subject: CN=srv107.domain.net,O=UNIX.domain.net
>     expires: 2020-07-01 16:18:01 CEST
>     principal name: HTTP/srv107.domain@unix.domain.net
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
>
> Thank you if you maybe find something I've overlooked.
>
> Jochen
>
> On Monday, January 20, 2020 13:15 CET, Florence Blanc-Renaud
>  wrote:
>> On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote:
>> > I suffer the exact same problem and already tried to upgrade twice but
>> > every time the update fails.
>> >
>> > The ldap server does not listen when I check with ss or netstat.
>> > I reverted back to Fedora 30 with snapshots every time.
>> >
>> Hi,
>>
>> can you paste the logs from /var/logs/ipaupgrade.log? We would need the
>> full logs as the error may differ between a first run and a second run.
>> When the packages are upgraded, the script ipa-server-upgrade is called
>> and starts by disabling the LDAP server ports to avoid any LDAP
>> operation during the upgrade. Then the script performs its duty, and
>> re-enables the port.
>> If there is an untrapped failure before the ports are re-enabled, or the
>> user repeatedly presses CTRL-C, we sometimes end up in a situation where
>> the ports are still disabled (please see ticket
>> https://pagure.io/freeipa/issue/7534) after the ipa-server-upgrade
>> script exits. If the user re-runs ipa-server-upgrade at this point, the
>> script output will be completely different but will not give us any hint
>> related to the original failure root cause. That's why we need the full
>> logs.
>>
>> If you are in a situation where the LDAP server isn't listening:
>> 0. stop IPA with ipactl stop
>> 1. edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>> 2. set nsslapd-port to 389
>> 3. set nsslapd-security to on
>> 4. set nsslapd-global-backend-lock to off (if you have this attribute at
>> all)
>> 5. restart IPA with ipactl start
>>
>> If the services are able to restart at this point, try to run
>> ipa-server-upgrade and provide full logs.
>>
>> HTH,
>> flo
>>
>
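The dse.ldif steps Florence lists above (nsslapd-port back to 389, nsslapd-security on, nsslapd-global-backend-lock off only if that attribute exists) as an added example, not FreeIPA's own tooling: it rewrites just the cn=config entry of an LDIF text and reports what it changed, so the edit can be reviewed before ipactl start. The sample dse.ldif below is constructed, and the file must only be edited while dirsrv is stopped.

```python
# Added example (not FreeIPA's own tooling): apply the dse.ldif steps from the
# message above to the cn=config entry so the LDAP server listens again after
# an interrupted ipa-server-upgrade. Edit the file only while dirsrv is stopped
# (ipactl stop); the sample below is constructed, not taken from a real server.
import re

REQUIRED = {"nsslapd-port": "389", "nsslapd-security": "on"}
OPTIONAL = {"nsslapd-global-backend-lock": "off"}   # only changed if already present (step 4)

# Constructed sample of a dse.ldif left behind by an interrupted upgrade.
SAMPLE_DSE = """dn: cn=config
cn: config
nsslapd-port: 0
nsslapd-security: off
nsslapd-global-backend-lock: on

dn: cn=encryption,cn=config
cn: encryption
nsSSL3: off
"""


def fix_dse_config(ldif_text):
    """Return (new_text, changes); changes maps attribute -> (old, new) per rewrite."""
    entries = ldif_text.split("\n\n")              # LDIF separates entries with blank lines
    changes = {}
    for i, entry in enumerate(entries):
        if not re.match(r"dn:\s*cn=config\s*$", entry, re.I | re.M):
            continue                               # only the entry whose dn is exactly cn=config
        lines = entry.split("\n")
        present = set()
        for j, line in enumerate(lines):
            name, sep, value = line.partition(":")
            key = name.strip().lower()
            present.add(key)
            wanted = REQUIRED.get(key) or OPTIONAL.get(key)
            if sep and wanted is not None and value.strip() != wanted:
                changes[key] = (value.strip(), wanted)
                lines[j] = f"{name.strip()}: {wanted}"
        for key, wanted in REQUIRED.items():
            if key not in present:                 # required attribute missing: add it
                while lines and not lines[-1].strip():
                    lines.pop()                    # keep the new line inside the entry
                lines.append(f"{key}: {wanted}")
                changes[key] = (None, wanted)
        entries[i] = "\n".join(lines)
    return "\n\n".join(entries), changes
```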