[Freeipa-users] Fwd: Fwd: Fwd: Scorched earth
Morning update. I made the change Rob suggested to /etc/ipa/default.conf, which appeared to work, but didn't quite. It asked me to back out the whole server installation and start over:

[ipamaster2]# ipa-ca-install --skip-conncheck replica-info-ipamaster2.foo.net.gpg
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed.
[ipamaster2]#

Which uninstallation cleanup I did. Now, when trying to re-install the replica file:

[ipamaster2]# ipa-replica-install --setup-dns --no-forwarders --setup-ca /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
Directory manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipamaster.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (686): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The followign list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@foo.net password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipamaster2.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (686): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
The host ipamaster2.foo.net already exists on the master server.
You should remove it before proceeding:
    % ipa host-del ipamaster2.foo.net
ipa         : ERROR    Could not resolve hostname ipamaster.foo.net using DNS
Clients may not function properly.
Please check your DNS setup.
(Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: *yes*

[ipamaster2]# host ipamaster.foo.net
ipamaster.foo.net has address 1.2.3.4

No matter what answer I give to the Continue? prompt, it just exits. nslookup returns the same value, and I have three different nameservers configured for this host (including ipamaster and two of the older replicas).

And this message is the one that has prompted me to want to delete hosts before installing in the past, Simo.

Any thoughts on how best to proceed now?

*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret

On Thu, Aug 29, 2013 at 2:59 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Bret Wortman wrote:
Okay, I got the cacert.p12 (turns out it was taking my passphrase, but the messages looked like errors to my addled eyes). This system is on a different network, so getting the file transferred would take me about 24 hours. Is there something I can get that'll tell you what you need but is plaintext?

Ok, that's fine. Try this. Set ra_plugin to dogtag in /etc/ipa/default.conf. This will let it get past the error and it should install a CA. I'm trying to think worst case scenario what it might do and I'm not coming up with anything. I think the worst that happens is that adding a CA fails later.

rob

I tried this and hope this subset of information is helpful:

# openssl pkcs12 -in cacert.p12 -out cacert.pem.bdw -cacerts -nokeys
# cat cacert.pem.bdw
Bag Attributes: <No Attributes>
subject=/O=FOO.NET/CN=Certificate Authority
issuer=/O=FOO.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDgzCCA...
...Iwk4r
-----END CERTIFICATE-----
# openssl pkcs12 -in cacert.p12 -out cert.pem.bdw -clcerts -nokeys
# cat cert.pem.bdw
Bag Attributes:
    localKeyID: 82 81 2D 6E 5C 13 43 9A 5F BB C8 4D F5 6B DE 6C A7 2E 53 88
    friendlyName: caSigningCert cert-pki-ca
subject=/O=FOO.NET/CN=Certificate Authority
issuer=/O=FOO.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDgzCCA...
...Iwk4r
-----END CERTIFICATE-----
Bag Attributes:
    localKeyID: 88 BF DF 56 30 BB A9 47 12 D4 5F 7B AE 39 DC BF CF F5 92 22
    friendlyName: ocspSigningCert cert-pki-ca
subject=/O=FOO.NET/CN=OCSP
Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth
On 08/30/2013 10:23 AM, Bret Wortman wrote:
> Morning update. I made the change Rob suggested to /etc/ipa/default.conf, which appeared to work, but didn't quite. It asked me to back out the whole server installation and start over:
>
> [ipamaster2]# ipa-ca-install --skip-conncheck replica-info-ipamaster2.foo.net.gpg
> Directory Manager (existing master) password:
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/16]: creating certificate server user
>   [2/16]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exit status 1
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.

Can you look into /var/log/ipareplica-ca-install.log? It should have more information on what caused pkispawn to fail.

> Configuration of CA failed.
> [ipamaster2]#
>
> Which uninstallation cleanup I did. Now, when trying to re-install the replica file:
>
> [ipamaster2]# ipa-replica-install --setup-dns --no-forwarders --setup-ca /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
> Directory manager (existing master) password:
> Run connection check to master
> Check connection from replica to remote master 'ipamaster.foo.net':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (686): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> The followign list of ports use UDP protocol and would need to be checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@foo.net password:
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipamaster2.foo.net':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (686): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> The host ipamaster2.foo.net already exists on the master server.
> You should remove it before proceeding:
>     % ipa host-del ipamaster2.foo.net
> ipa         : ERROR    Could not resolve hostname ipamaster.foo.net using DNS
> Clients may not function properly.
> Please check your DNS setup.
> (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
> Continue? [no]: *yes*
>
> [ipamaster2]# host ipamaster.foo.net
> ipamaster.foo.net has address 1.2.3.4
>
> No matter what answer I give to the Continue? prompt, it just exits. nslookup returns the same value, and I have three different nameservers configured for this host (including ipamaster and two of the older replicas).

The error that caused the installation to fail is that ipamaster2.foo.net already exists on the master server. The DNS warning and its Continue? prompt are unrelated, but the order of the output is very confusing. I've filed ticket 3889 for this.

Anyway, to do this DNS resolution check you'd need to explicitly ask the IPA server:

$ dig @ipamaster.foo.net ipamaster2.foo.net

> And this message is the one that has prompted me to want to delete hosts before installing in the past, Simo.
>
> Any thoughts on how best to proceed now?

I believe you do need to delete the host at this point, but I'd rather have Rob or Simo confirm.
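As an added illustration of the point made in this reply (not code from the thread or from FreeIPA), the hypothetical helper below parses ipa-replica-install pre-check output of the kind quoted above and separates the error that actually aborts the install (the host already existing on the master) from the advisory DNS warning and the UDP checks left for manual follow-up. The sample output is constructed from the thread's quoted session.

```python
import re

# Constructed sample, condensed from the conncheck output quoted in the thread.
SAMPLE_OUTPUT = """\
Check connection from replica to remote master 'ipamaster.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (686): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): SKIPPED
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection check OK
The host ipamaster2.foo.net already exists on the master server.
ipa         : ERROR    Could not resolve hostname ipamaster.foo.net using DNS
Continue? [no]:
"""

PORT_RE = re.compile(r"^\s*(?P<svc>[^:]+): (?P<kind>.+?) \((?P<port>\d+)\): (?P<status>\w+)$")
EXISTS_RE = re.compile(r"^The host (?P<host>\S+) already exists on the master server")
DNS_RE = re.compile(r"Could not resolve hostname (?P<host>\S+) using DNS")

def parse_port_checks(output):
    """Map (service, kind, port) -> status for every conncheck port line."""
    checks = {}
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            checks[(m["svc"].strip(), m["kind"], int(m["port"]))] = m["status"]
    return checks

def diagnose(output):
    """Return blocking errors, advisory warnings and checks needing manual follow-up.
    The 'already exists' line is what stops the install; the DNS line only prompts
    Continue? and is resolved against IPA DNS, not /etc/hosts (hypothetical helper)."""
    result = {"blocking": [], "warnings": [], "manual": []}
    for line in output.splitlines():
        m = EXISTS_RE.match(line)
        if m:
            result["blocking"].append(f"host {m['host']} exists on master: 'ipa host-del {m['host']}' there")
        m = DNS_RE.search(line)
        if m:
            result["warnings"].append(f"{m['host']} not resolvable via IPA DNS; verify with dig @<ipa-server>")
    for (svc, kind, port), status in parse_port_checks(output).items():
        if status == "SKIPPED":
            result["manual"].append(f"{svc} {kind} {port}")
        elif status != "OK":
            result["blocking"].append(f"{svc} {kind} port {port}: {status}")
    return result
```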
Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth
Bret Wortman wrote:
> Still odder ... I went ahead and tried to delete the agreement:
>
> [ipamaster]# ipa-replica-manage del ipamaster3.foo.net --force
> 'ipamaster.foo.net' has no replication agreement for 'ipamaster3.foo.net'
> [ipamaster]#
>
> Dug back into the script and realized upon further reading (and widening my read to more of the code) that found was being set True elsewhere -- where it was complaining about how ipamaster knew about ipamaster3 already. Fair enough. So I hopped on over there and removed it. Which worked. And now the script proceeds much better. Guess the third cup of coffee helped.
>
> CA configuration still failed, though, at the same place as before (though executed as part of ipa-replica-install --setup-ca this time):
>
>   [2/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpnq_J4d' returned non-zero exit status 1
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed.
>
> /This/ time, I'm not going to run the --uninstall command until someone on the team tells me to do so

Ok. What we'll need to see is the full /var/log/ipareplica-install.log and the CA debug log from /var/log/pki/pki-tomcat/ca/debug. The CA team sometimes wants the debug log from the master you're cloning from too.

You can send these to me out of band if you'd like, the debug logs in particular tend to be humongous.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users