Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-23 Thread Rob Crittenden

Petr Vobornik wrote:

> On 09/21/2016 05:06 PM, Natxo Asenjo wrote:
>
>> hi Petr,
>>
>> On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik wrote:
>>
>>> On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
>>>
>>>> When I try to resubmit certificates from certmonger they still hit the
>>>> kdc01 web server, so the requests hang on a status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>>> server. Certificate operation cannot be completed: Failure decoding
>>>> Certificate Signing Request).
>>>
>>> Where does it happen? On an arbitrary client which was installed in the
>>> past against the removed kdc01?
>>
>> yes.
>>
>>> If so could you look into /etc/ipa/default.conf and change the host option
>>> from kdc01 to the 7.2 IPA server?
>>
>> ok, done.
>>
>> In fact, changing both the domain and the xmlrpc_uri directives in the
>> global section was necessary. Now it worked :-)
>>
>> So, what should be the correct value for dns discovery for both directives
>> using dns discovery?
>
> I don't think there is support for DNS discovery in Certmonger. CCing Rob.


That is correct, it uses the value from the ipa config file.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
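The fix the thread converges on (point `server` and `xmlrpc_uri` in /etc/ipa/default.conf at the surviving master, then resubmit the certmonger requests stuck in CA_UNREACHABLE) as an added shell example; this is not code from the thread, from FreeIPA or from certmonger. It assumes the default.conf layout written by ipa-client-install, constructs its own sample config and `getcert list` output, invents the client name client01.unix.iriszorg.nl, and the functions ipa_retarget_conf and stuck_request_ids are mine.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or certmonger.
# Retarget an IPA client's /etc/ipa/default.conf from a removed master to
# its replacement, then pick out the certmonger requests stuck in
# CA_UNREACHABLE so they can be resubmitted. The config and `getcert list`
# text below are constructed samples (client01 is an invented hostname).

# Rewrite the `server` and `xmlrpc_uri` directives in ipa config $1 from
# the old master $2 to the new master $3, writing the result to $4.
# `host` (the client's own FQDN) and `domain` are deliberately untouched.
ipa_retarget_conf() {
    conf="$1"; old="$2"; new="$3"; out="$4"
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # make dots literal
    sed -e "s|^\(server[[:space:]]*=[[:space:]]*\)${old_re}[[:space:]]*\$|\1${new}|" \
        -e "s|^\(xmlrpc_uri[[:space:]]*=[[:space:]]*https://\)${old_re}/|\1${new}/|" \
        "$conf" > "$out"
}

# Read `getcert list` output on stdin and print the Request ID of every
# request whose status is CA_UNREACHABLE, one per line.
stuck_request_ids() {
    awk -v q="'" '
        index($0, "Request ID " q) == 1 {
            sub("^Request ID " q, ""); sub(q ":$", ""); id = $0
        }
        /^[ \t]*status: CA_UNREACHABLE[ \t]*$/ { print id }
    '
}

# Constructed sample: a client that was enrolled against kdc01.
SAMPLE_CONF='[global]
basedn = dc=unix,dc=iriszorg,dc=nl
realm = UNIX.IRISZORG.NL
domain = unix.iriszorg.nl
server = kdc01.unix.iriszorg.nl
host = client01.unix.iriszorg.nl
xmlrpc_uri = https://kdc01.unix.iriszorg.nl/ipa/xml
enable_ra = True'

# Constructed sample of `getcert list` (spacing simplified): one stuck
# request showing the error from the thread, one healthy request.
SAMPLE_GETCERT="Number of certificates and requests being tracked: 2.
Request ID '20160921084500':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
    stuck: yes
    CA: IPA
Request ID '20160921084501':
    status: MONITORING
    stuck: no
    CA: IPA"

tmp_in=$(mktemp); tmp_out=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp_in"
ipa_retarget_conf "$tmp_in" kdc01.unix.iriszorg.nl kdc03.unix.iriszorg.nl "$tmp_out"
echo "== retargeted default.conf =="
cat "$tmp_out"
echo "== certmonger requests to resubmit =="
printf '%s\n' "$SAMPLE_GETCERT" | stuck_request_ids | while read -r id; do
    # On a real client each of these lines would be run as root.
    echo "getcert resubmit -i '$id'"
done
rm -f "$tmp_in" "$tmp_out"
```

On a real client the input is /etc/ipa/default.conf and the request list comes from `getcert list`; back the file up before replacing it. The script leaves `host` alone because on a client that directive names the client itself, which is why only `server` and `xmlrpc_uri` needed to change in the thread.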


Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-23 Thread Natxo Asenjo
On Fri, Sep 23, 2016 at 9:29 AM, Petr Vobornik  wrote:

> On 09/21/2016 05:06 PM, Natxo Asenjo wrote:
>
> > So, what should be the correct value for dns discovery for both
> directives using
> > dns discovery?
>
> I don't think there is a support for DNS discovery in Certmonger. CCing
> Rob.
>

Well, as soon as I remove the old replica running centos 6.8, I will create
a dns A record with the old replica host name pointing to the new replica.
So I think that will solve this particular problem.

It would be much more convenient to have dns discovery in certmonger though.

Thanks!

--
Groeten,
natxo

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-23 Thread Petr Vobornik
On 09/21/2016 05:06 PM, Natxo Asenjo wrote:
> hi Petr,
>
> On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik wrote:
>
>> On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
>>
>>> When I try to resubmit certificates from certmonger they still hit the
>>> kdc01 web server, so the requests hang on a status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: Failure decoding
>>> Certificate Signing Request).
>>
>> Where does it happen? On an arbitrary client which was installed in the
>> past against the removed kdc01?
>
> yes.
>
>> If so could you look into /etc/ipa/default.conf and change the host option
>> from kdc01 to the 7.2 IPA server?
>
> ok, done.
>
> In fact, changing both the domain and the xmlrpc_uri directives in the
> global section was necessary. Now it worked :-)
>
> So, what should be the correct value for dns discovery for both directives
> using dns discovery?

I don't think there is support for DNS discovery in Certmonger. CCing Rob.

> 
> thanks!
> --
> Groeten,
> natxo
> 


-- 
Petr Vobornik



Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-22 Thread Natxo Asenjo
On Wed, Sep 21, 2016 at 5:06 PM, Natxo Asenjo 
wrote:

> ok, done.
>
> In fact, changing both the domain and the xmlrpc_uri directives in the global
> section was necessary. Now it worked :-)
>

I meant the server, not the domain options obviously.

--
Groeten,
natxo

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi Petr,

On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik  wrote:

> On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
>
>> When I try to resubmit certificates from certmonger they still hit the
>> kdc01 web server, so the requests hang on a status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server. Certificate operation cannot be completed: Failure decoding
>> Certificate Signing Request).
>
> Where does it happen? On an arbitrary client which was installed in the
> past against the removed kdc01?
>

yes.


>
> If so could you look into /etc/ipa/default.conf and change the host option
> from kdc01 to the 7.2 IPA server?
>
>
ok, done.

In fact, changing both the domain and the xmlrpc_uri directives in the global
section was necessary. Now it worked :-)

So, what should be the correct value for dns discovery for both directives
using dns discovery?

thanks!
--
Groeten,
natxo

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Petr Vobornik
On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
> hi,
> 
> I followed the instructions here: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> 
> and now after some issues I have a replica with both pki and dns data running 
> centos 7.
> 
> So now I have 3 replicas:
> 
> centos 6.8:
> kdc01.unix.iriszorg.nl 
> kdc02.unix.iriszorg.nl 
> 
> centos 7.2
> kdc03.unix.iriszorg.nl 
> 
> The replica was created with an agreement to kdc01.unix.iriszorg.nl which
> was the master for crl updates. I followed the steps to disable crlcache
> and crlupdates on the kdc01 and to enable them on the kdc03.
> 
> So in the kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and uncommented
> 
> # Only enable this on servers that are not generating a CRL
> RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
> 
> and on the kdc03 I commented this out:
> 
> # Only enable this on servers that are not generating a CRL
> #RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
> 
> 
> When I try to resubmit certificates from certmonger they still hit the kdc01
> web server, so the requests hang on a status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server.
> Certificate operation cannot be completed: Failure decoding Certificate
> Signing Request).

Where does it happen? On an arbitrary client which was installed in the past
against the removed kdc01?

If so could you look into /etc/ipa/default.conf and change the host option
from kdc01 to the 7.2 IPA server?

If this is correct then IMO it is quite a serious bug which needs to be
fixed (i.e. DNS discovery needs to be used).
> 
> 
> Which was the problem on a recent thread on the list (trying to get rid of 
> this 
> replica now to fix this problem as well).
> 
> So something is not redirecting properly and I would appreciate your 
> assistance.
> 
> TIA.
> --
> Groeten,
> natxo
> 

-- 
Petr Vobornik



[Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi,

I followed the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

and now after some issues I have a replica with both pki and dns data
running centos 7.

So now I have 3 replicas:

centos 6.8:
kdc01.unix.iriszorg.nl
kdc02.unix.iriszorg.nl

centos 7.2
kdc03.unix.iriszorg.nl

The replica was created with an agreement to kdc01.unix.iriszorg.nl which
was the master for crl updates. I followed the steps to disable crlcache
and crlupdates on the kdc01 and to enable them on the kdc03.

So in the kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and
uncommented

# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

and on the kdc03 I commented this out:

# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]


When I try to resubmit certificates from certmonger they still hit the
kdc01 web server, so the requests hang on a status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Failure decoding
Certificate Signing Request).


Which was the problem on a recent thread on the list (trying to get rid of
this replica now to fix this problem as well).

So something is not redirecting properly and I would appreciate your
assistance.

TIA.
--
Groeten,
natxo
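The ipa-pki-proxy.conf rule described in this post, turned into an offline consistency check as an added example; this is not code from the thread or from FreeIPA. It assumes the stock FreeIPA rule shape (an active `RewriteRule` for MasterCRL.bin on servers that do not generate the CRL, the same rule commented out on the generator); the two config snippets and the functions crl_redirect_target and crl_check_server are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Checks the
# MasterCRL.bin redirect in /etc/httpd/conf.d/ipa-pki-proxy.conf for a set
# of IPA servers: the rule must be commented out on the server that
# generates the CRL and active on every other server, pointing at the
# generator. The two config snippets below are constructed for the demo.

# Print the host that the active MasterCRL RewriteRule in config file $1
# redirects to, or "none" when the rule is absent or commented out.
crl_redirect_target() {
    t=$(sed -n 's|^[[:space:]]*RewriteRule[[:space:]][^[:space:]]*MasterCRL\.bin[[:space:]]*https://\([^/]*\)/.*|\1|p' "$1" | head -n 1)
    if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'none\n'; fi
}

# Verify server $1's config file $3 against the CRL generator $2.
# Returns 0 when consistent, 1 otherwise, and prints the reason.
crl_check_server() {
    server="$1"; crl_master="$2"; conf="$3"
    target=$(crl_redirect_target "$conf")
    if [ "$server" = "$crl_master" ]; then
        if [ "$target" = "none" ]; then
            echo "$server: OK, generates the CRL and serves MasterCRL.bin itself"
            return 0
        fi
        echo "$server: BAD, the CRL generator redirects to $target (a redirect to itself loops)"
        return 1
    fi
    if [ "$target" = "$crl_master" ]; then
        echo "$server: OK, redirects MasterCRL.bin to $crl_master"
        return 0
    fi
    echo "$server: BAD, redirect target is '$target', expected $crl_master"
    return 1
}

# Constructed sample for kdc01, which no longer generates the CRL:
# the rule is active and points at kdc03.
SAMPLE_KDC01='# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]'

# Constructed sample for kdc03, the CRL generator: the rule stays commented.
SAMPLE_KDC03='# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]'

d=$(mktemp -d)
printf '%s\n' "$SAMPLE_KDC01" > "$d/kdc01.conf"
printf '%s\n' "$SAMPLE_KDC03" > "$d/kdc03.conf"
rc=0
crl_check_server kdc01.unix.iriszorg.nl kdc03.unix.iriszorg.nl "$d/kdc01.conf" || rc=1
crl_check_server kdc03.unix.iriszorg.nl kdc03.unix.iriszorg.nl "$d/kdc03.conf" || rc=1
rm -rf "$d"
[ "$rc" -eq 0 ] && echo "CRL redirect layout is consistent"
```

Run it against the real files copied from each server to confirm the layout after moving CRL generation. The complementary live check is `curl -sI https://kdc01.unix.iriszorg.nl/ipa/crl/MasterCRL.bin`, which should answer 301 with a Location on kdc03; note that this redirect only affects CRL downloads, and the CA_UNREACHABLE in this thread came from the client-side default.conf, not from the proxy rule.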