Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
On Wed, Jul 29, 2015 at 11:25 AM, Lukas Slebodnik lsleb...@redhat.com wrote:
> On (29/07/15 10:52), Guillermo Fuentes wrote:
>> Thanks so much for the info David!
>> We're using the latest version available via EPEL, which is 10.1.2.
>
> pki-core is not available in epel7
> https://admin.fedoraproject.org/pkgdb/package/pki-core/
>
> So you have the latest version from base CentOS 7.1
> CentOS rebuild rhel packages. So you will need to wait for CentOS 7.2
> for update.

Thanks for clarifying this.

>> List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary would be fine.
>> Or, if it isn't available, where can I start contributing to the port of pki 10.2.6 to CentOS 7?
>
> You might try to backport pki-core from Fedora.
> Good luck.
>
> LS

Best,
Guillermo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
On (29/07/15 10:52), Guillermo Fuentes wrote:
> Thanks so much for the info David!
> We're using the latest version available via EPEL, which is 10.1.2.

pki-core is not available in epel7
https://admin.fedoraproject.org/pkgdb/package/pki-core/

So you have the latest version from base CentOS 7.1
CentOS rebuild rhel packages. So you will need to wait for CentOS 7.2
for update.

> List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary would be fine.
> Or, if it isn't available, where can I start contributing to the port of pki 10.2.6 to CentOS 7?

You might try to backport pki-core from Fedora.
Good luck.

LS
[Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
Hi all,

We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).

Starting with FreeIPA 3.0 and to avoid the SSL certificate warning when accessing the GUI, we installed a 3rd part certificate for https:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

We're ready to migrate to FreeIPA 4.1 and we already have two 4.1 replicas but we're having problems cloning the CA from the 3.0 master.

This is our current environment:

master1 and master2:
CentOS 6.6 (up to date)
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.11.6-30.el6_6.4.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-selinux-9.0.3-39.el6_6.noarch
pki-common-9.0.3-39.el6_6.noarch
pki-native-tools-9.0.3-39.el6_6.x86_64
pki-setup-9.0.3-39.el6_6.noarch
pki-util-9.0.3-39.el6_6.noarch
pki-symkey-9.0.3-39.el6_6.x86_64
pki-ca-9.0.3-39.el6_6.noarch
pki-java-tools-9.0.3-39.el6_6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-silent-9.0.3-39.el6_6.noarch

replica1 and replica2:
CentOS 7.1 (up to date)
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
pki-server-10.1.2-7.el7.noarch
krb5-pkinit-1.12.2-14.el7.x86_64
pki-base-10.1.2-7.el7.noarch
pki-ca-10.1.2-7.el7.noarch
pki-symkey-10.1.2-7.el7.x86_64
pki-tools-10.1.2-7.el7.x86_64

# ipa-replica-manage list
master1.example.com: master
master2.example.com: master
replica1.example.com: master
replica2.example.com.com: master

# ipa-csreplica-manage list
Directory Manager password:

replica1.example.com: CA not configured
master1.example.com: master
master2.example.com: master
replica2.example.com: CA not configured

When trying to install the CA on replica1 to do the migration:
ipa-ca-install --skip-conncheck --skip-schema-check /var/lib/ipa/replica-info-replica1.example.com.gpg

we're getting the following error in the /var/log/ipareplica-ca-install.log file:
...
2015-07-28T21:25:14Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-07-28T21:25:14Z DEBUG Starting external process
2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'
2015-07-28T21:25:51Z DEBUG Process finished, return code=1
2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmp2ON_ql.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

2015-07-28T21:25:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning java.io.IOException: Error: Not authorized

2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned non-zero exit status 1
2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
...

From /var/log/pki/pki-ca-spawn.20150728172515.log:
...
2015-07-28 17:25:16 pkispawn: INFO ... executing 'certutil -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
2015-07-28 17:25:16 pkispawn: INFO ... executing 'systemctl daemon-reload'
2015-07-28 17:25:16 pkispawn: INFO ... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2015-07-28 17:25:16 pkispawn: DEBUG... No connection - server may still be down
2015-07-28 17:25:16 pkispawn: DEBUG... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2015-07-28 17:25:17 pkispawn: DEBUG... No connection - server may still be down
2015-07-28 17:25:17 pkispawn: DEBUG
Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
Thanks so much for the info David!
We're using the latest version available via EPEL, which is 10.1.2.

List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary would be fine.
Or, if it isn't available, where can I start contributing to the port of pki 10.2.6 to CentOS 7?

Thanks!
Guillermo

On Wed, Jul 29, 2015 at 9:13 AM, David Kupka dku...@redhat.com wrote:
> On 29/07/15 01:47, Guillermo Fuentes wrote: