Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Re-created replication file and run ipa-replica-install o fresh CentOS 7 server. It is still giving the same error: - 2015-02-24T21:40:54Z DEBUG Process finished, return code=1 2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2 . On 02/24/2015 06:06 PM, Rob Crittenden wrote: West, Jani wrote: Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server? Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install. Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully that will do the trick. rob -- -- Jani West -- jw...@iki.fi -- +358 40 5010914 -- -- Liinalahdentie 4 -- 01800 KLAUKKALA -- FINLAND -- Haluaisin, että Suomi olisi paljon monikulttuurisempi. Tänne tulee muualta paljon ihmisiä, mutta heitä ei tuoda tarpeeksi esille. Jotenkin me pidämme heidät verhojen takana. On tärkeää, että Suomesta saataisiin avoin ja suvaitsevainen. Sulkeutunut ajattelutapa on Suomen ongelma. Ehkä me pelkäämme mielenosoituksia, joita esimerkiksi Ruotsin lähiöissä on ollut ja sitä, että jotain kauheaa tapahtuu. Ei ymmärretä, että maahanmuuttajat voivat tuoda Suomeen myös paljon hyvää. Toivoisin hallitukselta sitä, että koko kansaa kuullaan, myös eri kulttuureista tulevia. Hallituksen pitäisi rahoittaa ja tukea enemmän Suomen kansainvälistämistä. Myös eduskunta voisi kuunnella maahanmuuttajia enemmän. HS 8.6.2013: Essi, 16 v. Etu-Töölön lukio. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
West, Jani wrote: Hi, Validity, status and serials seems to be fine. One interesting pick: While the installation is not too old it might be installed initially with FreeIpa 2.x That's why i have to use ldap port 7389 instead of 398. # getcert list |grep expires expires: 2016-11-21 13:40:41 UTC expires: 2016-11-21 13:40:44 UTC expires: 2016-11-21 13:40:41 UTC expires: 2016-10-30 09:08:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC # getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)' status: MONITORING expires: 2016-10-30 09:07:12 UTC # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial Serial Number: 31 (0x1f) # ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description # extended LDIF # # LDAPv3 # base uid=ipara,ou=People,o=ipaca with scope subtree # filter: (objectclass=*) # requesting: description # # ipara, people, ipaca dn: uid=ipara,ou=people,o=ipaca description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 I suspect you are bootstrapping the replica with expired certs. After the failed install the certs probably still exist on the replica in /var/lib/pki-ca/alias. Check the dates. I think you needsto refresh /root/cacerts.p12 on the master you are preparing the replica on. In newer IPA we regenerate this on-the-fly but it isn't in 3.0. Use PKCS12Export to do this. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server? Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install. -- -- Jani West On 24.2.2015 17:06, Rob Crittenden wrote: West, Jani wrote: Hi, Validity, status and serials seems to be fine. One interesting pick: While the installation is not too old it might be installed initially with FreeIpa 2.x That's why i have to use ldap port 7389 instead of 398. # getcert list |grep expires expires: 2016-11-21 13:40:41 UTC expires: 2016-11-21 13:40:44 UTC expires: 2016-11-21 13:40:41 UTC expires: 2016-10-30 09:08:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC # getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)' status: MONITORING expires: 2016-10-30 09:07:12 UTC # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial Serial Number: 31 (0x1f) # ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description # extended LDIF # # LDAPv3 # base uid=ipara,ou=People,o=ipaca with scope subtree # filter: (objectclass=*) # requesting: description # # ipara, people, ipaca dn: uid=ipara,ou=people,o=ipaca description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 I suspect you are bootstrapping the replica with expired certs. After the failed install the certs probably still exist on the replica in /var/lib/pki-ca/alias. Check the dates. I think you needsto refresh /root/cacerts.p12 on the master you are preparing the replica on. In newer IPA we regenerate this on-the-fly but it isn't in 3.0. Use PKCS12Export to do this. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
West, Jani wrote: Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server? Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install. Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully that will do the trick. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On old master apache logs looks like this: --- [Tue Feb 24 23:37:40 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca [Tue Feb 24 23:37:41 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca [Tue Feb 24 23:38:22 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca 192.168.177.8 - - [24/Feb/2015:10:35:47 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323 192.168.177.8 - - [24/Feb/2015:23:37:40 +0200] GET /ca/rest/securityDomain/domainInfo HTTP/1.1 404 325 192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/admin/ca/getDomainXML HTTP/1.1 200 1158 192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/rest/account/login HTTP/1.1 404 313 192.168.177.8 - - [24/Feb/2015:23:38:19 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] GET /ca/rest/account/login HTTP/1.1 404 313 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getCookie HTTP/1.1 200 4088 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163 192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163 192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 153 192.168.177.8 - - [24/Feb/2015:23:38:30 +0200] POST /ca/admin/ca/getConfigEntries HTTP/1.0 200 13714 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 200 115 - and /var/log/ipareplica-install.log on new replica looks like this: pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2 2015-02-24T21:40:54Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpR56_Ck' returned non-zero exit status 1 2015-02-24T21:40:54Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 638, in run_script return_value = main_function() File /usr/sbin/ipa-replica-install, line 667, in main CA = cainstance.install_replica_ca(config) File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1689, in install_replica_ca subject_base=config.subject_base) File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance self.start_creation(runtime=210) File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 364, in start_creation method() File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 615, in __spawn_instance raise RuntimeError('Configuration of CA failed') 2015-02-24T21:40:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed Just give me a shout if you want me to run replication again and if you need any extra logs. On 02/25/2015 12:00 AM, Rob Crittenden wrote: Jani West wrote: Re-created replication file and run ipa-replica-install o fresh CentOS 7 server. It is still giving the same error: - 2015-02-24T21:40:54Z DEBUG Process finished, return code=1 2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available That is expected. pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2 I think a fresh set of logs is in needed. rob . On 02/24/2015 06:06 PM, Rob Crittenden wrote: West, Jani wrote: Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server? Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install. Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Jani West wrote: Re-created replication file and run ipa-replica-install o fresh CentOS 7 server. It is still giving the same error: - 2015-02-24T21:40:54Z DEBUG Process finished, return code=1 2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available That is expected. pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2 I think a fresh set of logs is in needed. rob . On 02/24/2015 06:06 PM, Rob Crittenden wrote: West, Jani wrote: Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server? Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install. Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully that will do the trick. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Jani West wrote: On old master apache logs looks like this: --- [Tue Feb 24 23:37:40 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca [Tue Feb 24 23:37:41 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca [Tue Feb 24 23:38:22 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca 192.168.177.8 - - [24/Feb/2015:10:35:47 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323 192.168.177.8 - - [24/Feb/2015:23:37:40 +0200] GET /ca/rest/securityDomain/domainInfo HTTP/1.1 404 325 192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/admin/ca/getDomainXML HTTP/1.1 200 1158 192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/rest/account/login HTTP/1.1 404 313 192.168.177.8 - - [24/Feb/2015:23:38:19 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] GET /ca/rest/account/login HTTP/1.1 404 313 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getCookie HTTP/1.1 200 4088 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163 192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163 192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 153 192.168.177.8 - - [24/Feb/2015:23:38:30 +0200] POST /ca/admin/ca/getConfigEntries HTTP/1.0 200 13714 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 - 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 200 115 - and /var/log/ipareplica-install.log on new replica looks like this: pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2 2015-02-24T21:40:54Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpR56_Ck' returned non-zero exit status 1 2015-02-24T21:40:54Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 638, in run_script return_value = main_function() File /usr/sbin/ipa-replica-install, line 667, in main CA = cainstance.install_replica_ca(config) File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1689, in install_replica_ca subject_base=config.subject_base) File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance self.start_creation(runtime=210) File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 364, in start_creation method() File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 615, in __spawn_instance raise RuntimeError('Configuration of CA failed') 2015-02-24T21:40:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed Just give me a shout if you want me to run replication again and if you need any extra logs. The full ipaserver-install.log and /var/log/pki/pki-tomcat/ca/debug would be handy. Feel free to send them to me directly as they are probably rather large. rob On 02/25/2015 12:00 AM, Rob Crittenden wrote: Jani West wrote: Re-created replication file and run ipa-replica-install o fresh CentOS 7 server. It is still giving the same error: - 2015-02-24T21:40:54Z DEBUG Process finished, return code=1 2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available That is expected. pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2 I think a fresh set of logs is in needed. rob . On 02/24/2015 06:06 PM, Rob Crittenden wrote: West, Jani wrote: Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Hi, Validity, status and serials seems to be fine. One interesting pick: While the installation is not too old it might be installed initially with FreeIpa 2.x That's why i have to use ldap port 7389 instead of 398. # getcert list |grep expires expires: 2016-11-21 13:40:41 UTC expires: 2016-11-21 13:40:44 UTC expires: 2016-11-21 13:40:41 UTC expires: 2016-10-30 09:08:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC expires: 2016-10-30 09:07:12 UTC # getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)' status: MONITORING expires: 2016-10-30 09:07:12 UTC # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial Serial Number: 31 (0x1f) # ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description # extended LDIF # # LDAPv3 # base uid=ipara,ou=People,o=ipaca with scope subtree # filter: (objectclass=*) # requesting: description # # ipara, people, ipaca dn: uid=ipara,ou=people,o=ipaca description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 -- -- Jani West On 20.2.2015 01:07, Dmitri Pal wrote: On 02/19/2015 02:54 PM, Jim Richard wrote: Hey guys, for what it's worth, I spent a couple weeks working with Endi Sukma Dewata, edew...@redhat.com, Re: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail. Unfortunately my post subject was not accurate but in fact, I was attempting the exact same thing and seeing the exact same error. The main LDAP instance would come up ok but upon attempting to migrate the PKI stuff with the new ldap schema etc, it just fails… If you have been gradually upgrading it might very well be that you are hitting some of the earlier bugs related to cert tracking. The page can help you with troubleshooting http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates [4] You need to see whether the certs on the master have expired and whether they are now properly tracked. Rob is this the right way of checking the cert validity (see previous mail in the thread)? In the end we couldn't figure it out, basically had to just give up. Maybe one of you could reach out to Endi and he could share some insights. I'd love to be able to make this work as well but as of now it looks like my only option if I want to upgrade to version 3.3/Centos 7 is well, there is no option…. I'd be happy to share or help in any way. Jim Richard | PlaceIQ [1] | Systems Administrator | jrich...@placeiq.com | +1 (646) 338-8905 On Feb 19, 2015, at 11:37 AM, Jani West jw...@iki.fi wrote: Hi, How I can check the cert and test? I did curl -v -k https://xxx/ca/admin/ca/getDomainXML [2] According to that the cert have plenty of time left. On the otherhand https://xxx/ca/admin/ca/updateDomainXML [3] is givin the the same cert but also http 404. On 02/19/2015 06:22 PM, Martin Kosek wrote: On 02/19/2015 05:14 PM, Dmitri Pal wrote: On 02/19/2015 10:07 AM, Jani West wrote: Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum. When running ipa-replica-install --setup-ca -d installation will always stuck on: -- Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [2/19]: configuring certificate server instance ipa : DEBUG Starting external process ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5 ipa : DEBUG Process finished, return code=1 ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. ipa : DEBUG stderr=pkispawn : WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn : ERROR ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1 -- Betwee the attempts I have cleaned yu ipa and pki configurations and deleteted the old replication agreement. Apache logs on old CentOS 6 server have these errors. -- 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Hey guys, for what it’s worth, I spent a couple weeks working with Endi Sukma Dewata, edew...@redhat.com, Re: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail”. Unfortunately my post subject was not accurate but in fact, I was attempting the exact same thing and seeing the exact same error. The main LDAP instance would come up ok but upon attempting to migrate the PKI stuff with the new ldap schema etc, it just fails… In the end we couldn’t figure it out, basically had to just give up. Maybe one of you could reach out to Endi and he could share some insights. I’d love to be able to make this work as well but as of now it looks like my only option if I want to upgrade to version 3.3/Centos 7 is well, there is no option…. I’d be happy to share or help in any way. Jim Richard | PlaceIQ http://www.google.com/url?q=http%3A%2F%2Fwww.placeiq.com%2Fsa=Dsntz=1usg=AFrqEzcYjZpDPyqW7feNK9EgLq-c9JlHiw | Systems Administrator | jrich...@placeiq.com mailto:n...@placeiq.com | +1 (646) 338-8905 On Feb 19, 2015, at 11:37 AM, Jani West jw...@iki.fi wrote: Hi, How I can check the cert and test? I did curl -v -k https://xxx/ca/admin/ca/getDomainXML According to that the cert have plenty of time left. On the otherhand https://xxx/ca/admin/ca/updateDomainXML is givin the the same cert but also http 404. On 02/19/2015 06:22 PM, Martin Kosek wrote: On 02/19/2015 05:14 PM, Dmitri Pal wrote: On 02/19/2015 10:07 AM, Jani West wrote: Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum. When running ipa-replica-install --setup-ca -d installation will always stuck on: -- Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [2/19]: configuring certificate server instance ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5 ipa : DEBUGProcess finished, return code=1 ipa : DEBUGstdout=Loading deployment configuration from /tmp/tmpHJBhR5. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. ipa : DEBUGstderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1 -- Betwee the attempts I have cleaned yu ipa and pki configurations and deleteted the old replication agreement. Apache logs on old CentOS 6 server have these errors. -- 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 - 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323 [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!? -- What certificate this means? ca.crt have more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found on ipa-pki-proxy.conf and there are no obvious reason. Any hints? Are CA ports accessible on your master? Can you check your FW please? This line makes me think that expired certs may be involved: [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired CCing JanCh who have the best context in this area. -- -- Jani West -- jw...@iki.fi -- +358 40 5010914 -- -- Liinalahdentie 4 -- 01800 KLAUKKALA -- FINLAND -- Haluaisin, että Suomi olisi paljon monikulttuurisempi. Tänne tulee muualta paljon ihmisiä, mutta heitä ei tuoda tarpeeksi esille. Jotenkin me pidämme heidät verhojen takana. On tärkeää, että Suomesta saataisiin avoin ja suvaitsevainen. Sulkeutunut ajattelutapa on Suomen ongelma. Ehkä me pelkäämme mielenosoituksia, joita esimerkiksi Ruotsin lähiöissä on ollut ja sitä, että jotain kauheaa tapahtuu. Ei ymmärretä, että maahanmuuttajat voivat tuoda
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On 02/19/2015 10:07 AM, Jani West wrote: Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum. When running ipa-replica-install --setup-ca -d installation will always stuck on: -- Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [2/19]: configuring certificate server instance ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5 ipa : DEBUGProcess finished, return code=1 ipa : DEBUGstdout=Loading deployment configuration from /tmp/tmpHJBhR5. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. ipa : DEBUGstderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1 -- Betwee the attempts I have cleaned yu ipa and pki configurations and deleteted the old replication agreement. Apache logs on old CentOS 6 server have these errors. -- 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 - 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323 [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!? -- What certificate this means? ca.crt have more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found on ipa-pki-proxy.conf and there are no obvious reason. Any hints? Are CA ports accessible on your master? Can you check your FW please? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Hi, How I can check the cert and test? I did curl -v -k https://xxx/ca/admin/ca/getDomainXML According to that the cert have plenty of time left. On the otherhand https://xxx/ca/admin/ca/updateDomainXML is givin the the same cert but also http 404. On 02/19/2015 06:22 PM, Martin Kosek wrote: On 02/19/2015 05:14 PM, Dmitri Pal wrote: On 02/19/2015 10:07 AM, Jani West wrote: Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum. When running ipa-replica-install --setup-ca -d installation will always stuck on: -- Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [2/19]: configuring certificate server instance ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5 ipa : DEBUGProcess finished, return code=1 ipa : DEBUGstdout=Loading deployment configuration from /tmp/tmpHJBhR5. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. ipa : DEBUGstderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1 -- Betwee the attempts I have cleaned yu ipa and pki configurations and deleteted the old replication agreement. Apache logs on old CentOS 6 server have these errors. -- 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 - 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323 [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!? -- What certificate this means? ca.crt have more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found on ipa-pki-proxy.conf and there are no obvious reason. Any hints? Are CA ports accessible on your master? Can you check your FW please? This line makes me think that expired certs may be involved: [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired CCing JanCh who have the best context in this area. -- -- Jani West -- jw...@iki.fi -- +358 40 5010914 -- -- Liinalahdentie 4 -- 01800 KLAUKKALA -- FINLAND -- Haluaisin, että Suomi olisi paljon monikulttuurisempi. Tänne tulee muualta paljon ihmisiä, mutta heitä ei tuoda tarpeeksi esille. Jotenkin me pidämme heidät verhojen takana. On tärkeää, että Suomesta saataisiin avoin ja suvaitsevainen. Sulkeutunut ajattelutapa on Suomen ongelma. Ehkä me pelkäämme mielenosoituksia, joita esimerkiksi Ruotsin lähiöissä on ollut ja sitä, että jotain kauheaa tapahtuu. Ei ymmärretä, että maahanmuuttajat voivat tuoda Suomeen myös paljon hyvää. Toivoisin hallitukselta sitä, että koko kansaa kuullaan, myös eri kulttuureista tulevia. Hallituksen pitäisi rahoittaa ja tukea enemmän Suomen kansainvälistämistä. Myös eduskunta voisi kuunnella maahanmuuttajia enemmän. HS 8.6.2013: Essi, 16 v. Etu-Töölön lukio. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On 02/19/2015 05:14 PM, Dmitri Pal wrote: On 02/19/2015 10:07 AM, Jani West wrote: Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum. When running ipa-replica-install --setup-ca -d installation will always stuck on: -- Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [2/19]: configuring certificate server instance ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5 ipa : DEBUGProcess finished, return code=1 ipa : DEBUGstdout=Loading deployment configuration from /tmp/tmpHJBhR5. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. ipa : DEBUGstderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1 -- Betwee the attempts I have cleaned yu ipa and pki configurations and deleteted the old replication agreement. Apache logs on old CentOS 6 server have these errors. -- 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 - 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323 [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!? -- What certificate this means? ca.crt have more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found on ipa-pki-proxy.conf and there are no obvious reason. Any hints? Are CA ports accessible on your master? Can you check your FW please? This line makes me think that expired certs may be involved: [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired CCing JanCh who have the best context in this area. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On 02/19/2015 02:54 PM, Jim Richard wrote: Hey guys, for what it's worth, I spent a couple weeks working with Endi Sukma Dewata, edew...@redhat.com mailto:edew...@redhat.com, Re: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail. Unfortunately my post subject was not accurate but in fact, I was attempting the exact same thing and seeing the exact same error. The main LDAP instance would come up ok but upon attempting to migrate the PKI stuff with the new ldap schema etc, it just fails... If you have been gradually upgrading it might very well be that you are hitting some of the earlier bugs related to cert tracking. The page can help you with troubleshooting http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates You need to see whether the certs on the master have expired and whether they are now properly tracked. Rob is this the right way of checking the cert validity (see previous mail in the thread)? In the end we couldn't figure it out, basically had to just give up. Maybe one of you could reach out to Endi and he could share some insights. I'd love to be able to make this work as well but as of now it looks like my only option if I want to upgrade to version 3.3/Centos 7 is well, there is no option I'd be happy to share or help in any way. Jim Richard | PlaceIQ http://www.google.com/url?q=http%3A%2F%2Fwww.placeiq.com%2Fsa=Dsntz=1usg=AFrqEzcYjZpDPyqW7feNK9EgLq-c9JlHiw | Systems Administrator | jrich...@placeiq.com mailto:n...@placeiq.com | +1 (646) 338-8905 On Feb 19, 2015, at 11:37 AM, Jani West jw...@iki.fi mailto:jw...@iki.fi wrote: Hi, How I can check the cert and test? I did curl -v -k https://xxx/ca/admin/ca/getDomainXML According to that the cert have plenty of time left. On the otherhand https://xxx/ca/admin/ca/updateDomainXML is givin the the same cert but also http 404. On 02/19/2015 06:22 PM, Martin Kosek wrote: On 02/19/2015 05:14 PM, Dmitri Pal wrote: On 02/19/2015 10:07 AM, Jani West wrote: Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication. I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum. When running ipa-replica-install --setup-ca -d installation will always stuck on: -- Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [2/19]: configuring certificate server instance ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5 ipa : DEBUGProcess finished, return code=1 ipa : DEBUGstdout=Loading deployment configuration from /tmp/tmpHJBhR5. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. ipa : DEBUGstderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1 -- Betwee the attempts I have cleaned yu ipa and pki configurations and deleteted the old replication agreement. Apache logs on old CentOS 6 server have these errors. -- 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 - 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323 [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!? -- What certificate this means? ca.crt have more than five years left. Clocks are synced, /ca/admin/ca/updateDomainXML can be found on ipa-pki-proxy.conf and there are no obvious reason. Any hints? Are CA ports accessible on your