Hello dear FreeIPA people,

After weeks of unsuccessful attempts, I seem to have run out of sane ideas
about how to proceed.

I have been using FreeIPA in a Docker container
(https://github.com/adelton/docker-freeipa) for over half a year now, and
everything was fine up until this August when, after a subsequent update, my
FreeIPA couldn't boot. I was messing around and broke some file permissions,
and it seems that during that process my PKI got reinstalled, so the CA
certificate and other certificates were regenerated... But they only got
updated in the PKI (according to `certutil -L -d /etc/pki/pki-tomcat/alias
...` it has certificates from August, while `/etc/dirsrv/slapd-*/` and
`/etc/httpd/alias/` have certificates from March).

Unfortunately, I don't have backups from the time before the issue...

Currently, everything but `pki-tomcat` is running successfully, though I
think I won't be able to add a new host to the setup. I use `ipactl start
--force` to ignore the PKI failure, but I would love to recover FreeIPA.

The most relevant log I have found is `/var/log/pki/pki-tomcat/ca/debug`,
which reveals the following error:

```
[localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
Could not connect to LDAP server host freeipa.xxx.yyy.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. (-1)

        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5337)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
```

This is quite expected, given that the PKI doesn't trust the old
certificates that are still used by LDAP.

I have attempted several approaches:

1. Migrating my users and groups to a fresh FreeIPA installation succeeded,
but it cannot migrate passwords nicely (meaning without asking users to
visit a special page, which won't be available to them because FreeIPA is
used for VPN auth and is only available inside the VPN). It seems like I
need to migrate the Kerberos keys as well. How can I do that?

2. Renewing the certificates once again (using `ipa-cacert-manage renew
--self-signed`) fails with the following errors:

```
Server at https://freeipa.xxx.yyy.com/ipa/xml failed request, will retry:
4301 (RPC failed at server.  Certificate operation cannot be completed:
Unable to communicate with CMS (500)).
CA certificate is not tracked by certmonger
```

And indeed,

```
# getcert list
Number of certificates and requests being tracked: 0.
```

3. Installing a new CA certificate following the steps for an "external CA"
(using `ipa-cacert-manage install ./ca.crt`) didn't work either:

```
Failed to install the certificate: subject public key info mismatch
```

Reading the Troubleshooting page, I learned that this error means that "The
new CA certificate issued by the external CA uses a different public /
private key pair than the old CA certificate." Also, I don't think this
will help, as the PKI still cannot communicate with LDAP and HTTPD due to
the already unsynced state.

Can anybody help me with this?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

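The post above is diagnosing by eye: `certutil -L` dates in the Dogtag database versus the dirsrv and httpd databases, and an NSS -8054 error (SEC_ERROR_REUSED_ISSUER_AND_SERIAL, "same issuer/serial as an existing cert, but that is not the same cert"). The script below, an added example for this thread and not FreeIPA or Dogtag code, makes that check mechanical: it exports the CA certificate from each NSS database with `certutil -L -d DIR -n NICK -a`, parses just enough DER to pull out issuer and serial, and reports pairs that share issuer and serial while differing byte for byte, which is exactly the condition the stack trace complains about. The database paths, the nickname `caSigningCert cert-pki-ca` in the Dogtag database and `<REALM> IPA CA` in the dirsrv and httpd databases are assumptions about a default FreeIPA install; the sample certificates built at the bottom are constructed, unsigned structures used only so the comparison logic runs offline.

```python
"""Compare the IPA CA certificate across the NSS databases FreeIPA services
use, and flag the exact condition behind NSS error -8054
(SEC_ERROR_REUSED_ISSUER_AND_SERIAL): two certificates that share an issuer
and serial number but are not byte-identical. Added example for this thread,
not FreeIPA or Dogtag code. Nicknames and paths are assumptions about a
default FreeIPA install."""
import base64
import glob
import hashlib
import subprocess


def _tlv(buf, pos):
    """Decode one DER TLV (single-byte tag) at pos: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(der):
    """Return (issuer_name_der, serial_int) from a DER X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = nxt
    tag, serial, pos = _tlv(tbs, pos)       # serialNumber INTEGER
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    tag2, issuer, _ = _tlv(tbs, pos)        # issuer Name
    if tag != 0x02 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    return issuer, int.from_bytes(serial, "big", signed=True)


def compare(certs):
    """certs: {label: der_bytes}. Returns one finding per differing pair."""
    findings, labels = [], list(certs)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            da, db = certs[a], certs[b]
            if da == db:                    # identical copies: nothing to report
                continue
            (ia, sa), (ib, sb) = issuer_and_serial(da), issuer_and_serial(db)
            fa, fb = hashlib.sha256(da).hexdigest()[:16], hashlib.sha256(db).hexdigest()[:16]
            if ia == ib and sa == sb:
                findings.append(f"{a} vs {b}: same issuer and serial {sa} but different "
                                f"certificate ({fa} vs {fb}): NSS -8054 condition")
            else:
                findings.append(f"{a} vs {b}: different CA certificates ({fa} vs {fb})")
    return findings


def export_from_nssdb(dbdir, nickname):
    """Export one certificate as DER via certutil (the tool the poster used)."""
    pem = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                         check=True, capture_output=True, text=True).stdout
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def check_live_system(realm):
    """ASSUMED default nicknames: 'caSigningCert cert-pki-ca' in the Dogtag
    database and '<REALM> IPA CA' in the dirsrv and httpd databases."""
    certs = {"pki-tomcat": export_from_nssdb("/etc/pki/pki-tomcat/alias",
                                             "caSigningCert cert-pki-ca"),
             "httpd": export_from_nssdb("/etc/httpd/alias", f"{realm} IPA CA")}
    for d in glob.glob("/etc/dirsrv/slapd-*"):
        certs[d] = export_from_nssdb(d, f"{realm} IPA CA")
    return compare(certs)


# --- CONSTRUCTED sample certificates for offline use: unsigned, not verifiable ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        lb = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + lb + content


def constructed_cert(serial, issuer_cn, key):
    """Structurally a v3 Certificate carrying the given serial, issuer CN and key blob."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")      # id-at-commonName
                                           + _der(0x0C, issuer_cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _der(0x05, b""))
    serial_b = serial.to_bytes(serial.bit_length() // 8 + 1, "big")          # keeps a leading 0x00 when needed
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial_b) + alg + name
               + _der(0x30, b"") + name + _der(0x30, key))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + key))


if __name__ == "__main__":
    march = constructed_cert(1, "Certificate Authority", b"\x01" * 16)    # what dirsrv/httpd still hold
    august = constructed_cert(1, "Certificate Authority", b"\x02" * 16)   # re-issued CA, same issuer/serial
    for line in compare({"pki-tomcat": august, "httpd": march, "dirsrv": march}):
        print(line)
```

On a real server, run `check_live_system("EXAMPLE.COM")` as root with the realm substituted; an empty list means every database holds the same CA certificate, and a "-8054 condition" finding means a regenerated CA that reused the old issuer and serial is sitting in one database while the others still carry the original, which is the state the stack trace describes.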