Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-06-30 Thread Clough, Ryan
I too ran into this issue of certificate serial mismatch. Just wanted to
shoot a note thanking the two of you for helping. Your questions and
answers were very well articulated and very detailed. I used the info in
this thread to get my replica installed. Thank you! =)

___
Ryan Clough
Information Systems
Decision Sciences <http://www.decisionsciencescorp.com/>

On Fri, Apr 15, 2016 at 8:53 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> > My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have
> a cert database at:
> >
> > /etc/pki/pki-tomcat/alias
> >
> > At:
> >
> > /var/lib/pki-ca/alias
>
> right
>
> >
> > subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> >
> > At:
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > the certificate has a serial number of 4.
> >
> >
> > What is the best way to fix this?
> >
> > If it matters, the master installation is old enough to have had its
> certs auto-renewed.
>
> Yes, certs were renewed but the PKI user entry was not, which causes the
> issue. This has been seen on very old IPA installations.
>
> 1) Log in to the IPA master (RHEL 6) as root.
>
> 2) Redirect "subsystemCert cert-pki-ca" to a file.
>
> # certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem
>
> 3) Drop the header/footer and combine this into a single line.
>
> # echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'
>
> 4) The string generated in step 3 needs to be added under the attribute
> "usercertificate;binary:" below.
>
>
> ===
> # ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
> dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string from step 3.
> -
> replace: description
> description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> EOF
>
> ===
>
> Note: the description field attribute has format:
> <version>:<serial>:<issuerdn>:<subjectdn>
>
>
> 5) Once the above command succeeds, restart the IPA service.
>
> # service ipa restart
>
> 6) Check if the mapping is now correct.
>
> # pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"
>
> >
> > Dennis
> >
> >
> > -Original Message-
> > From: Petr Vobornik [mailto:pvobo...@redhat.com]
> > Sent: Friday, April 15, 2016 10:06 AM
> > To: Ott, Dennis; Freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >
> > On 04/15/2016 03:51 PM, Ott, Dennis wrote:
> >> Looks like we're out of ideas.
> >>
> >> I'll proceed with Plan B.
> >>
> >
> > A possibility is also to check if
> >
> > Serial number of
> >
> > certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> >
> > matches serial number of the cert below (4) and if
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > actually has the same cert in the userCertificate attribute
> >
> > Or maybe to do the same with other PKI users in ou=people,o=ipaca
> >
> >> -Original Message-
> >> From: Ott, Dennis
> >> Sent: Monday, April 11, 2016 12:27 PM
> >> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
> >> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> As a test, I attempted to do a replica install on a Fedora 23 machine.
> It fails with the same error.
> >>
> >> Dennis
> >>
> >>
> >>
> >> -Original Message-
> >> From: freeipa-users-boun...@redhat.com
> >> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ott, Dennis
> >> Sent: Thursday, April 07, 2016 5:39 PM
> >> To: Petr Vobornik; Freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> It doesn't look like that is my problem. The output of pki-server
> ca-group-member-find "Subsystem Group" gives:
> >>
> >>
> >>   User ID: CA-ptip

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-06-24 Thread Clough, Ryan
I too ran into this issue of certificate serial mismatch. Just wanted to
shoot a note thanking the two of you for helping. Your questions and
answers were very well articulated and very detailed. I used the info in
this thread to get my replica installed. Thank you! =)

On Fri, Apr 15, 2016 at 11:55 AM, Ott, Dennis <dennis@mckesson.com>
wrote:

> This allowed the replica install to complete. Thank you.
>
> However, when I try to kinit admin on the replica I get:
>
> kinit: Invalid UID in persistent keyring name while getting default ccache
>
> After some research I found that by commenting out this line in
> /etc/krb5.conf
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> and restarting IPA, I was able to use kinit.
>
> What is the correct way to fix this, or what are the implications of just
> leaving it commented out?
>
>
> Dennis
>
>
>
> -Original Message-
> From: Petr Vobornik [mailto:pvobo...@redhat.com]
> Sent: Friday, April 15, 2016 11:54 AM
> To: Ott, Dennis; Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> > My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have
> a cert database at:
> >
> > /etc/pki/pki-tomcat/alias
> >
> > At:
> >
> > /var/lib/pki-ca/alias
>
> right
>
> >
> > subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> >
> > At:
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > the certificate has a serial number of 4.
> >
> >
> > What is the best way to fix this?
> >
> > If it matters, the master installation is old enough to have had its
> certs auto-renewed.
>
> Yes, certs were renewed but the PKI user entry was not, which causes the
> issue. This has been seen on very old IPA installations.
>
> 1) Log in to the IPA master (RHEL 6) as root.
>
> 2) Redirect "subsystemCert cert-pki-ca" to a file.
>
> # certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem
>
> 3) Drop the header/footer and combine this into a single line.
>
> # echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'
>
> 4) The string generated in step 3 needs to be added under the attribute
> "usercertificate;binary:" below.
>
>
> ===
> # ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
> dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string from step 3.
> -
> replace: description
> description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> EOF
> ===
>
> Note: the description field attribute has format:
> <version>:<serial>:<issuerdn>:<subjectdn>
>
>
> 5) Once the above command succeeds, restart the IPA service.
>
> # service ipa restart
>
> 6) Check if the mapping is now correct.
>
> # pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"
>
> >
> > Dennis
> >
> >
> > -Original Message-
> > From: Petr Vobornik [mailto:pvobo...@redhat.com]
> > Sent: Friday, April 15, 2016 10:06 AM
> > To: Ott, Dennis; Freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >
> > On 04/15/2016 03:51 PM, Ott, Dennis wrote:
> >> Looks like we're out of ideas.
> >>
> >> I'll proceed with Plan B.
> >>
> >
> > A possibility is also to check if
> >
> > Serial number of
> >
> > certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> >
> > matches serial number of the cert below (4) and if
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > actually has the same cert in the userCertificate attribute
> >
> > Or maybe to do the same with other PKI users in ou=people,o=ipaca
> >
> >> -Original Message-----
> >> From: Ott, Dennis
> >> Sent: Monday, April 11, 2016 12:27 PM
> >> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
> >> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master
> >> fails
> >>
> >> As a test, I attempted to do a replica install on a Fedora 23 machine.
> It f

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-04-15 Thread Ott, Dennis
This allowed the replica install to complete. Thank you.

However, when I try to kinit admin on the replica I get:

kinit: Invalid UID in persistent keyring name while getting default ccache

After some research I found that by commenting out this line in /etc/krb5.conf

default_ccache_name = KEYRING:persistent:%{uid}

and restarting IPA, I was able to use kinit.

What is the correct way to fix this, or what are the implications of just 
leaving it commented out?


Dennis



-Original Message-
From: Petr Vobornik [mailto:pvobo...@redhat.com] 
Sent: Friday, April 15, 2016 11:54 AM
To: Ott, Dennis; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a 
> cert database at:
> 
> /etc/pki/pki-tomcat/alias
> 
> At:
> 
> /var/lib/pki-ca/alias

right

> 
> subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> 
> At:
> 
> uid=CA-$HOST-8443,ou=people,o=ipaca
> 
> the certificate has a serial number of 4.
> 
> 
> What is the best way to fix this?
> 
> If it matters, the master installation is old enough to have had its certs 
> auto-renewed.

Yes, certs were renewed but the PKI user entry was not, which causes the issue.
This has been seen on very old IPA installations.

1) Log in to the IPA master (RHEL 6) as root.

2) Redirect "subsystemCert cert-pki-ca" to a file.

# certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem

3) Drop the header/footer and combine this into a single line.

# echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'

4) The string generated in step 3 needs to be added under the attribute
"usercertificate;binary:" below.

===
# ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string from step 3.
-
replace: description
description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
EOF
===

Note: the description field attribute has format:
<version>:<serial>:<issuerdn>:<subjectdn>


5) Once the above command succeeds, restart the IPA service.

# service ipa restart

6) Check if the mapping is now correct.

# pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"

> 
> Dennis
> 
> 
> -Original Message-
> From: Petr Vobornik [mailto:pvobo...@redhat.com]
> Sent: Friday, April 15, 2016 10:06 AM
> To: Ott, Dennis; Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> 
> On 04/15/2016 03:51 PM, Ott, Dennis wrote:
>> Looks like we're out of ideas.
>>
>> I'll proceed with Plan B.
>>
> 
> A possibility is also to check if
> 
> Serial number of
> 
> certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> 
> matches serial number of the cert below (4) and if
> 
> uid=CA-$HOST-8443,ou=people,o=ipaca
> 
> actually has the same cert in the userCertificate attribute
> 
> Or maybe to do the same with other PKI users in ou=people,o=ipaca
> 
>> -Original Message-
>> From: Ott, Dennis
>> Sent: Monday, April 11, 2016 12:27 PM
>> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
>> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master 
>> fails
>>
>> As a test, I attempted to do a replica install on a Fedora 23 machine. It 
>> fails with the same error.
>>
>> Dennis
>>
>>
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ott, Dennis
>> Sent: Thursday, April 07, 2016 5:39 PM
>> To: Petr Vobornik; Freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master 
>> fails
>>
>> It doesn't look like that is my problem. The output of pki-server 
>> ca-group-member-find "Subsystem Group" gives:
>>
>>
>>   User ID: CA-ptipa1.example.com-9443
>>   Common Name: CA-ptipa1.example.com-9443
>>   Surname: CA-ptipa1.example.com-9443
>>   Type: agentType
>>   Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA 
>> Subsystem,O=EXAMPLE.COM
>>   E-mail:
>>
>> All the certs seem valid:
>>
>> # 

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-04-15 Thread Petr Vobornik
On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a 
> cert database at:
> 
> /etc/pki/pki-tomcat/alias
> 
> At:
> 
> /var/lib/pki-ca/alias

right

> 
> subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> 
> At:
> 
> uid=CA-$HOST-8443,ou=people,o=ipaca
> 
> the certificate has a serial number of 4.
> 
> 
> What is the best way to fix this?
> 
> If it matters, the master installation is old enough to have had its certs 
> auto-renewed.

Yes, certs were renewed but the PKI user entry was not, which causes the
issue. This has been seen on very old IPA installations.

1) Log in to the IPA master (RHEL 6) as root.

2) Redirect "subsystemCert cert-pki-ca" to a file.

# certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem

3) Drop the header/footer and combine this into a single line.

# echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'

4) The string generated in step 3 needs to be added under the attribute
"usercertificate;binary:" below.

===
# ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string from step 3.
-
replace: description
description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
EOF
===

Note: the description field attribute has format:
<version>:<serial>:<issuerdn>:<subjectdn>


5) Once the above command succeeds, restart the IPA service.

# service ipa restart

6) Check if the mapping is now correct.

# pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"

> 
> Dennis
> 
> 
> -Original Message-
> From: Petr Vobornik [mailto:pvobo...@redhat.com] 
> Sent: Friday, April 15, 2016 10:06 AM
> To: Ott, Dennis; Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> 
> On 04/15/2016 03:51 PM, Ott, Dennis wrote:
>> Looks like we're out of ideas.
>>
>> I'll proceed with Plan B.
>>
> 
> A possibility is also to check if
> 
> Serial number of
> 
> certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> 
> matches serial number of the cert below (4) and if
> 
> uid=CA-$HOST-8443,ou=people,o=ipaca
> 
> actually has the same cert in the userCertificate attribute
> 
> Or maybe to do the same with other PKI users in ou=people,o=ipaca
> 
>> -Original Message-
>> From: Ott, Dennis
>> Sent: Monday, April 11, 2016 12:27 PM
>> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
>> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> As a test, I attempted to do a replica install on a Fedora 23 machine. It 
>> fails with the same error.
>>
>> Dennis
>>
>>
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ott, Dennis
>> Sent: Thursday, April 07, 2016 5:39 PM
>> To: Petr Vobornik; Freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> It doesn't look like that is my problem. The output of pki-server 
>> ca-group-member-find "Subsystem Group" gives:
>>
>>
>>   User ID: CA-ptipa1.example.com-9443
>>   Common Name: CA-ptipa1.example.com-9443
>>   Surname: CA-ptipa1.example.com-9443
>>   Type: agentType
>>   Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA 
>> Subsystem,O=EXAMPLE.COM
>>   E-mail:
>>
>> All the certs seem valid:
>>
>> # getcert list | grep expires
>> expires: 2017-07-18 00:55:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-08-09 00:54:19 UTC
>> expires: 2017-08-09 00:54:19 UTC
>> expires: 2017-08-09 00:54:21 UTC #
>>
>> I was wondering if I might be hitting this:
>>
>> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpI
>> SHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJh
>> bctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalI
>>
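As an added example that is not part of the thread (and not FreeIPA or Dogtag code), the following POSIX shell script reproduces the logic of Petr's procedure above and of his earlier suggestion to compare the NSS serial with the serial recorded on the PKI user entry: it reads the decimal serial out of pasted `certutil -L` output, compares it with the serial field of the user's description, strips the PEM armor into one base64 line (step 3) and emits the ldapmodify LDIF (step 4). All function names, and the sample certutil output, description value and PEM body, are this example's own constructed input, so it runs without an IPA master; on a real master the input would be the output of the certutil command from step 2 and the description shown by `pki-server ca-user-show`. It writes the certificate value with LDIF's double-colon base64 marker (RFC 2849), whereas the thread's command used a single colon.

```shell
#!/bin/sh
# Added example, not from the thread: the serial check and the LDIF
# generation behind Petr's steps 3, 4 and 6, exercised on constructed
# input so it runs without an IPA master. Function and variable names
# are this example's own.

# Constructed sample of the "Serial Number:" block that
# `certutil -L -d <dir> -n "subsystemCert cert-pki-ca"` prints for a
# small serial (not real certutil output).
SAMPLE_CERTUTIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 18 (0x12)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"'

# Constructed stale description of the uid=CA-<host>-9443 user entry,
# in the thread's format version;serial;issuer DN;subject DN.
SAMPLE_DESCRIPTION='2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM'

# Constructed PEM with a truncated body; not a parseable certificate.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIDyTCCAr
Y4EKCneFA==
-----END CERTIFICATE-----'

# Decimal serial from certutil -L output on stdin. certutil prints
# "Serial Number: <dec> (<hex>)" only for serials that fit in a machine
# word; larger serials appear as colon-separated hex and are not
# handled here.
certutil_serial() {
    sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Serial field (second ;-separated field) of a Dogtag user description.
description_serial() {
    printf '%s\n' "$1" | cut -d ';' -f 2
}

# Step 6 check: succeeds when the description serial equals the NSS serial.
serials_match() {
    [ "$(description_serial "$1")" = "$2" ]
}

# Step 3: strip the PEM armor (tolerating CRLF) and join the base64
# body into a single line.
pem_to_single_line() {
    tr -d '\r' |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/{/^-----/d;p;}' |
        tr -d ' \t\n'
}

# Step 4: the modify LDIF. "::" is LDIF's base64 marker (RFC 2849), so
# the directory stores the decoded DER rather than the base64 text.
# $1 uid, $2 single-line base64 cert, $3 serial, $4 issuer DN, $5 subject DN
build_ldif() {
    printf 'dn: uid=%s,ou=people,o=ipaca\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: usercertificate;binary\n'
    printf 'usercertificate;binary:: %s\n' "$2"
    printf '%s\n' '-'
    printf 'replace: description\n'
    printf 'description: 2;%s;%s;%s\n' "$3" "$4" "$5"
}

# Walk the constructed sample through the whole procedure and print
# either an OK verdict or the LDIF that would repair the entry.
demo() {
    nss_serial=$(printf '%s\n' "$SAMPLE_CERTUTIL" | certutil_serial)
    if serials_match "$SAMPLE_DESCRIPTION" "$nss_serial"; then
        echo "mapping OK: description serial matches NSS serial $nss_serial"
        return 0
    fi
    echo "mismatch: description has serial $(description_serial "$SAMPLE_DESCRIPTION"), NSS has $nss_serial"
    b64=$(printf '%s\n' "$SAMPLE_PEM" | pem_to_single_line)
    echo "LDIF to feed to ldapmodify on the master:"
    build_ldif CA-ptipa1.example.com-9443 "$b64" "$nss_serial" \
        'CN=Certificate Authority,O=EXAMPLE.COM' 'CN=CA Subsystem,O=EXAMPLE.COM'
}

demo
```

Run it with `sh` to see the mismatch report and the generated LDIF; on a real master, replace the three SAMPLE_ values with the certutil output, the current description and the PEM file from step 2, and pipe `build_ldif` into the thread's `ldapmodify` command instead of pasting the base64 string by hand.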

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-03-31 Thread Ott, Dennis
Petr,

Original 6.x master installed at:

ipa-server-2.1.3-9

pki-ca-9.0.3-20


At the time the migration was attempted, the 6.x master had been updated to:

ipa-server-3.0.0-47

pki-ca-9.0.3-45


The 7.x replica install has been attempted using a variety of versions. The log 
excerpts at the beginning of this email were from an installation attempt using:

ipa-server-4.2.0-15.0.1

pki-ca-10.2.5-6


It's a standard CA installation. This line is from 
/var/log/ipaserverinstall.log showing selfsign as False:

2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with 
options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 
'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 
'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 
'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 
'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': 
False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 
'zone_notif': False, 'forwarders': None, 'idstart': 9, 'external_ca': 
False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 
'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 
'external_cert_file': None, 'uninstall': False}
2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively 
later


-Original Message-
From: Petr Vobornik [mailto:pvobo...@redhat.com] 
Sent: Tuesday, March 29, 2016 6:43 AM
To: Ott, Dennis; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. 
> After working through and solving a few issues, my current efforts 
> fail when setting up the replica CA.
>
> If I set up a new, pristine master on OS 6.7, I am able to create an 
> OS 7.x replica without any problem. However, if I try to create a 
> replica from my two year old test lab instance (production will be 
> another matter for the future) it fails. The test lab master was 
> created a couple of years ago on OS 6.3 / IPA 2.x and has been 
> upgraded to the latest versions in the 6.x chain. It is old enough to 
> have had all the certificates renewed, but I believe I have worked through 
> all the issues related to that.
>
> Below is what I believe are the useful portions of the pertinent logs. 
> I’ve not been able to find anything online that speaks to the errors I 
> am seeing
>
> Thanks for your help.

Hello Dennis,

what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x 
replica?

What kind of CA installation does the old 6.x master have? Is it a standard 
installation with CA or does it also use an external CA?

I assume it is not self-sign (very old unsupported type, which could be 
converted in 7.x as CA-less).

>
> /var/log/ipareplica-install.log
>
> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes 30 seconds
>
> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
>
> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>
> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>
> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
>
> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
>
> 2016-03-23T21:55:11Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
>
> 2016-03-23T21:55:11Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
>
> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file 
> (/tmp/tmpGQ59ZC):
>
> [CA]
>
> pki_security_domain_name = IPA
>
> pki_enable_proxy = True
>
> pki_restart_configured_instance = False
>
> pki_backup_keys = True
>
> pki_backup_password = 
>
> pki_profiles_in_ldap = True
>
> pki_client_database_dir = /tmp/tmp-g0CKZ3
>
> pki_client_database_password = 
>
> pki_client_database_purge = False
>
> pki_client_pkcs12_password = 
>
> pki_admin_name = admin
>
> pki_admin_uid = admin
>
> pki_admin_email = root@localhost
>
> pki_admin_password = 
>
> pki_admin_nickname = ipa-ca-agent
>
> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>
> pki_client_admin_cert_p12 = /root/ca-agent.p12
>
> pki_ds_ldap_port = 389
>
> pki_ds_password = 
>
> pki_ds_base_dn = o=ipaca
>
> pki_ds_database = ipaca
>
> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>
> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>
> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>
> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>
> pki_ca_si

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-03-29 Thread Petr Vobornik

On 03/24/2016 04:29 PM, Ott, Dennis wrote:

I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working
through and solving a few issues, my current efforts fail when setting up the
replica CA.

If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x
replica without any problem. However, if I try to create a replica from my two
year old test lab instance (production will be another matter for the future) it
fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 2.x
and has been upgraded to the latest versions in the 6.x chain. It is old enough
to have had all the certificates renewed, but I believe I have worked through
all the issues related to that.

Below is what I believe are the useful portions of the pertinent logs. I’ve not
been able to find anything online that speaks to the errors I am seeing

Thanks for your help.


Hello Dennis,

what are the exact versions of pki-ca and ipa-server on the 6.x master 
and 7.x replica?


What kind of CA installation does the old 6.x master have? Is it a 
standard installation with CA or does it also use an external CA?


I assume it is not self-sign (very old unsupported type, which could be 
converted in 7.x as CA-less).




/var/log/ipareplica-install.log

2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds

2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user

2016-03-23T21:55:11Z DEBUG group pkiuser exists

2016-03-23T21:55:11Z DEBUG user pkiuser exists

2016-03-23T21:55:11Z DEBUG   duration: 0 seconds

2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance

2016-03-23T21:55:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'

2016-03-23T21:55:11Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'

2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file 
(/tmp/tmpGQ59ZC):

[CA]

pki_security_domain_name = IPA

pki_enable_proxy = True

pki_restart_configured_instance = False

pki_backup_keys = True

pki_backup_password = 

pki_profiles_in_ldap = True

pki_client_database_dir = /tmp/tmp-g0CKZ3

pki_client_database_password = 

pki_client_database_purge = False

pki_client_pkcs12_password = 

pki_admin_name = admin

pki_admin_uid = admin

pki_admin_email = root@localhost

pki_admin_password = 

pki_admin_nickname = ipa-ca-agent

pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM

pki_client_admin_cert_p12 = /root/ca-agent.p12

pki_ds_ldap_port = 389

pki_ds_password = 

pki_ds_base_dn = o=ipaca

pki_ds_database = ipaca

pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM

pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM

pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM

pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM

pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM

pki_subsystem_nickname = subsystemCert cert-pki-ca

pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca

pki_ssl_server_nickname = Server-Cert cert-pki-ca

pki_audit_signing_nickname = auditSigningCert cert-pki-ca

pki_ca_signing_nickname = caSigningCert cert-pki-ca

pki_ca_signing_key_algorithm = SHA256withRSA

pki_security_domain_hostname = ptipa1.example.com

pki_security_domain_https_port = 443

pki_security_domain_user = admin

pki_security_domain_password = 

pki_clone = True

pki_clone_pkcs12_path = /tmp/ca.p12

pki_clone_pkcs12_password = 

pki_clone_replication_security = TLS

pki_clone_replication_master_port = 7389

pki_clone_replication_clone_port = 389

pki_clone_replicate_schema = False

pki_clone_uri = https://ptipa1.example.com:443

2016-03-23T21:55:11Z DEBUG Starting external process

2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpGQ59ZC'

2016-03-23T21:56:51Z DEBUG Process finished, return code=1

2016-03-23T21:56:51Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160323175511.log

Loading deployment configuration from /tmp/tmpGQ59ZC.

Installing CA into /var/lib/pki/pki-tomcat.

Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

2016-03-23T21:56:51Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html

InsecureRequestWarning)

pkispawn: WARNING  ... unable to validate security domain user/password
through REST interface. Interface not available

pkispawn: ERROR... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error

pkispawn: ERROR... ParseError: not well-formed (invalid token): line
1, column 0:

[Freeipa-users] 7.x replica install from 6.x master fails

2016-03-24 Thread Ott, Dennis
I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working 
through and solving a few issues, my current efforts fail when setting up the 
replica CA.

If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x 
replica without any problem. However, if I try to create a replica from my two 
year old test lab instance (production will be another matter for the future) 
it fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 
2.x and has been upgraded to the latest versions in the 6.x chain. It is old 
enough to have had all the certificates renewed, but I believe I have worked 
through all the issues related to that.

Below is what I believe are the useful portions of the pertinent logs. I've not 
been able to find anything online that speaks to the errors I am seeing

Thanks for your help.



/var/log/ipareplica-install.log


2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes 30 seconds
2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
2016-03-23T21:55:11Z DEBUG group pkiuser exists
2016-03-23T21:55:11Z DEBUG user pkiuser exists
2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
2016-03-23T21:55:11Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-23T21:55:11Z DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file 
(/tmp/tmpGQ59ZC):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = 
pki_profiles_in_ldap = True
pki_client_database_dir = /tmp/tmp-g0CKZ3
pki_client_database_password = 
pki_client_database_purge = False
pki_client_pkcs12_password = 
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = 
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = 
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_security_domain_hostname = ptipa1.example.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = 
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = 
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 7389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ptipa1.example.com:443


2016-03-23T21:55:11Z DEBUG Starting external process
2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpGQ59ZC'
2016-03-23T21:56:51Z DEBUG Process finished, return code=1
2016-03-23T21:56:51Z DEBUG stdout=Log file: 
/var/log/pki/pki-ca-spawn.20160323175511.log
Loading deployment configuration from /tmp/tmpGQ59ZC.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.
2016-03-23T21:56:51Z DEBUG 
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
certificate verification is strongly advised. See: 
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain user/password 
through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: 500 
Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid token): 
line 1, column 0: 
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}

2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command 
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit 
status 1
2016-03-23T21:56:51Z CRITICAL See the installation logs and the following 
files/directories for more information:
2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log