Re: [Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

Hello,

Seems like I indeed have expired certs. The problem is, how can I renew these? I tried to do:

---
[root@ipa1 ca]# systemctl restart dirsrv.target
[root@ipa1 ca]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20150814121620', please check the request manually
---

I still have old certs:

Request ID '20150814121606':
        status: CA_WORKING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
        subject: CN=CA Audit,O=PLANWEE.LOCAL
        expires: 2015-09-29 20:22:26 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150814121614':
        status: CA_WORKING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
        subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
        expires: 2015-09-29 20:22:25 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150814121618':
        status: CA_WORKING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
        subject: CN=CA Subsystem,O=PLANWEE.LOCAL
        expires: 2015-09-29 20:22:25 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150814121621':
        status: CA_WORKING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
        subject: CN=IPA RA,O=PLANWEE.LOCAL
        expires: 2015-09-29 20:23:10 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes

On 12/11/2015 10:23 AM, Martin Kosek wrote:
> On 12/11/2015 08:31 AM, Jani West wrote:
>> Hello,
>>
>> Pki-tomcatd seems to have difficulties when connecting to CA. LDAP server is starting ok when starting it directly with "systemctl start dirsrv.target". When starting "systemctl start ipa" everything else will start up except the pki-tomcatd. Obviously the same thing happens when starting with ipactl directly:
>>
>> [root@ipa1 ca]# ipactl start
>> Existing service file detected!
>> Assuming stale, cleaning and proceeding
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting pki-tomcatd Service
>> Failed to start pki-tomcatd Service
>> Shutting down
>> Aborting ipactl
>>
>> /var/log/pki/pki-tomcat/localhost.2015-12-11.log
>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
>> java.io.IOException: CS server is not ready to serve.
>>
>> /var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
>> [11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for LDAPS requests
>> [11/Dec/2015:01:02:19 +0200] - Listening on /var/run/slapd-PLANWEE-LOCAL.socket for LDAPI requests
>> [11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
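Added example, not from the thread or from the FreeIPA project: a small Python triage of `getcert list` output that parses each tracking request, flags certificates that are expired or about to expire, and marks a renewal as stalled when the certificate is already past expiry while certmonger still reports CA_WORKING (the state every request above is in). The sample output is constructed from the entries above with the pin= fields left out; the second entry's status and expiry, the third entry and the check date are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout printed by `getcert list`, modelled on the
# tracking requests quoted in the thread (pin= fields left out; the second
# entry's status/expiry and the whole third entry are made up).
SAMPLE = """\
Request ID '20150814121606':
        status: CA_WORKING
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
        subject: CN=CA Audit,O=PLANWEE.LOCAL
        expires: 2015-09-29 20:22:26 UTC
        track: yes
        auto-renew: yes
Request ID '20150814121621':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        subject: CN=IPA RA,O=PLANWEE.LOCAL
        expires: 2016-01-05 20:23:10 UTC
        track: yes
Request ID '20151211000000':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipa1.backend.planwee.local,O=PLANWEE.LOCAL
        expires: 2017-06-01 00:00:00 UTC
        track: yes
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    for r in requests:
        m = re.search(r"nickname='([^']+)'", r.get("certificate", ""))
        r["nickname"] = m.group(1) if m else None
        r["expires_at"] = (datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
                           if "expires" in r else None)
    return requests

def triage(requests, now_utc, warn_days=30):
    """Classify each request as EXPIRED, EXPIRING or OK as of now_utc
    ('YYYY-MM-DD HH:MM:SS'). An already expired certificate whose request
    still reads CA_WORKING is flagged as a stalled renewal: certmonger has
    submitted it and is still waiting for the CA, which cannot answer when
    the CA's own certificates are the expired ones."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S")
    result = []
    for r in requests:
        exp = r["expires_at"]
        if exp is None:
            state = "UNKNOWN"
        elif exp <= now:
            state = "EXPIRED"
        elif exp - now <= timedelta(days=warn_days):
            state = "EXPIRING"
        else:
            state = "OK"
        stalled = state == "EXPIRED" and r.get("status") == "CA_WORKING"
        result.append((r["id"], r["nickname"], state, stalled))
    return result

if __name__ == "__main__":
    for rid, nick, state, stalled in triage(parse_getcert_list(SAMPLE), "2015-12-11 08:31:00"):
        print(f"{rid} {str(nick):<30} {state:<9}{' renewal stalled' if stalled else ''}")
```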
[Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

Hello,

Pki-tomcatd seems to have difficulties when connecting to CA. LDAP server is starting ok when starting it directly with "systemctl start dirsrv.target". When starting "systemctl start ipa" everything else will start up except the pki-tomcatd. Obviously the same thing happens when starting with ipactl directly:

[root@ipa1 ca]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl

/var/log/pki/pki-tomcat/localhost.2015-12-11.log
SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.

/var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
[11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[11/Dec/2015:01:02:19 +0200] - Listening on /var/run/slapd-PLANWEE-LOCAL.socket for LDAPI requests
[11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

/var/log/pki/pki-tomcat/ca/debug
Internal Database Error encountered: Could not connect to LDAP server host ipa1.backend.planwee.local port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Environment: CentOS 7, IPA 4.1

The problem looks the same as this: https://access.redhat.com/solutions/2022123
Unfortunately I cannot view the resolution.

Is this related to expired CA certificates?

-- 
Jani West
jw...@iki.fi

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Re-created the replication file and ran ipa-replica-install on a fresh CentOS 7 server. It is still giving the same error:

-
2015-02-24T21:40:54Z DEBUG Process finished, return code=1
2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
-

On 02/24/2015 06:06 PM, Rob Crittenden wrote:
> West, Jani wrote:
>> Thank you for the tip,
>>
>> Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server?
>>
>> Will reset the new replica vm to a clean CentOS 7 installation without any leftovers from ipa-replica-install.
>
> Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully that will do the trick.
>
> rob

-- 
Jani West
jw...@iki.fi
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On the old master the apache logs look like this:

---
[Tue Feb 24 23:37:40 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca
[Tue Feb 24 23:37:41 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca
[Tue Feb 24 23:38:22 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca

192.168.177.8 - - [24/Feb/2015:10:35:47 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
192.168.177.8 - - [24/Feb/2015:23:37:40 +0200] GET /ca/rest/securityDomain/domainInfo HTTP/1.1 404 325
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/admin/ca/getDomainXML HTTP/1.1 200 1158
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/rest/account/login HTTP/1.1 404 313
192.168.177.8 - - [24/Feb/2015:23:38:19 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] GET /ca/rest/account/login HTTP/1.1 404 313
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getCookie HTTP/1.1 200 4088
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163
192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163
192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 153
192.168.177.8 - - [24/Feb/2015:23:38:30 +0200] POST /ca/admin/ca/getConfigEntries HTTP/1.0 200 13714
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 200 115
---

and /var/log/ipareplica-install.log on the new replica looks like this:

pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
2015-02-24T21:40:54Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpR56_Ck' returned non-zero exit status 1
2015-02-24T21:40:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 667, in main
    CA = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1689, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
2015-02-24T21:40:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed

Just give me a shout if you want me to run replication again and if you need any extra logs.

On 02/25/2015 12:00 AM, Rob Crittenden wrote:
> Jani West wrote:
>> Re-created the replication file and ran ipa-replica-install on a fresh CentOS 7 server. It is still giving the same error:
>>
>> -
>> 2015-02-24T21:40:54Z DEBUG Process finished, return code=1
>> 2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>>
>> 2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
>
> That is expected.
>
>> pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>
> I think a fresh set of logs is needed.
>
> rob
>
>> On 02/24/2015 06:06 PM, Rob Crittenden wrote:
>>> West, Jani wrote:
>>>> Thank you for the tip,
>>>>
>>>> Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server?
>>>>
>>>> Will reset the new replica vm to a clean CentOS 7 installation without any leftovers from ipa-replica-install.
>>>
>>> Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Hi,

How can I check the cert and test? I did

curl -v -k https://xxx/ca/admin/ca/getDomainXML

According to that the cert has plenty of time left. On the other hand https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but also http 404.

On 02/19/2015 06:22 PM, Martin Kosek wrote:
> On 02/19/2015 05:14 PM, Dmitri Pal wrote:
>> On 02/19/2015 10:07 AM, Jani West wrote:
>>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared the replication file and moved it to the new replica server. Configured firewalld and installed IPA and the other needed packages via yum. When running ipa-replica-install --setup-ca -d the installation will always get stuck on:
>>>
>>> --
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>   [2/19]: configuring certificate server instance
>>> ipa : DEBUG Starting external process
>>> ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>>> ipa : DEBUG Process finished, return code=1
>>> ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>> Installation failed.
>>>
>>> ipa : DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
>>> pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
>>> ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
>>> --
>>>
>>> Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement. Apache logs on the old CentOS 6 server have these errors.
>>>
>>> --
>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
>>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
>>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
>>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
>>> --
>>>
>>> What certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?
>>
>> Are CA ports accessible on your master? Can you check your FW please?
>
> This line makes me think that expired certs may be involved:
>
> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
>
> CCing JanCh who has the best context in this area.

-- 
Jani West
jw...@iki.fi
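Added example, not from the thread or from FreeIPA: the access-log and mod_nss error-log lines quoted above come from two files but share a timestamp, and this Python snippet joins them by second so the expired-certificate error (NSS code -8181) can be tied to the proxied CA requests that failed in that same second. The log sample is constructed from the lines quoted above (with the request field quoted as Apache writes it, plus one made-up later request), and both logs are assumed to be written in the server's local time.

```python
import re

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample from the lines quoted in the thread: Apache access-log
# entries (request field quoted as Apache writes it) mixed with mod_nss
# error-log entries. Both logs use the server's local time, so one second in
# one file is the same second in the other. The last line is made up.
SAMPLE_LOG = """\
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
192.168.177.8 - - [19/Feb/2015:11:40:02 +0200] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
"""

# Access log: the quotes around the request are optional so that lines pasted
# into mail (as in the thread) still parse.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<d>\d{2})/(?P<mon>\w{3})/(?P<y>\d{4}):'
    r'(?P<t>\d{2}:\d{2}:\d{2}) [^\]]*\] "?(?P<method>[A-Z]+) (?P<path>\S+) '
    r'\S+?"? (?P<status>\d{3}) (?P<size>\S+)')
# Error log: Apache pads single-digit days with a space ("Feb  9").
ERROR_RE = re.compile(
    r'^\[\w{3} (?P<mon>\w{3}) +(?P<d>\d{1,2}) (?P<t>\d{2}:\d{2}:\d{2}) (?P<y>\d{4})\]'
    r' \[error\] (?P<msg>.*)$')

def _key(m):
    """Normalise either log's timestamp to 'YYYY-MM-DD HH:MM:SS'."""
    return f"{m['y']}-{MONTHS[m['mon']]:02d}-{int(m['d']):02d} {m['t']}"

def correlate(text):
    """Bucket requests and SSL errors by the second they were logged."""
    buckets = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            b = buckets.setdefault(_key(m), {"requests": [], "errors": []})
            b["requests"].append((m["method"], m["path"], int(m["status"])))
            continue
        m = ERROR_RE.match(line)
        if m:
            b = buckets.setdefault(_key(m), {"requests": [], "errors": []})
            b["errors"].append(m["msg"])
    return buckets

def expired_cert_incidents(text):
    """Return (timestamp, failed requests, error messages) for each second in
    which mod_nss reported an expired certificate (NSS error -8181)."""
    out = []
    buckets = correlate(text)
    for ts in sorted(buckets):
        errs = buckets[ts]["errors"]
        if not any("-8181" in e or "expired" in e.lower() for e in errs):
            continue
        failed = [r for r in buckets[ts]["requests"] if r[2] >= 400]
        out.append((ts, failed, errs))
    return out

if __name__ == "__main__":
    for ts, failed, errs in expired_cert_incidents(SAMPLE_LOG):
        print(ts)
        for method, path, status in failed:
            print(f"  {status} {method} {path}")
        for e in errs:
            print(f"  mod_nss: {e}")
```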
[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared the replication file and moved it to the new replica server. Configured firewalld and installed IPA and the other needed packages via yum. When running ipa-replica-install --setup-ca -d the installation will always get stuck on:

--
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [2/19]: configuring certificate server instance
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

ipa : DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
--

Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement. Apache logs on the old CentOS 6 server have these errors.

--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
--

What certificate does this mean? ca.crt has more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?

-- 
Jani West