Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-30 Thread Guillermo Fuentes
On Wed, Jul 29, 2015 at 11:25 AM, Lukas Slebodnik lsleb...@redhat.com wrote:
> On (29/07/15 10:52), Guillermo Fuentes wrote:
>> Thanks so much for the info David!
>> We're using the latest version available via EPEL, which is 10.1.2.
>
> pki-core is not available in epel7
> https://admin.fedoraproject.org/pkgdb/package/pki-core/
>
> So you have the latest version from base CentOS 7.1.
> CentOS rebuilds RHEL packages, so you will need
> to wait for CentOS 7.2 for an update.

Thanks for clarifying this.

>> List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary
>> would be fine. Or, if it isn't available, where can I start
>> contributing to the port of pki 10.2.6 to CentOS 7?
>
> You might try to backport pki-core from Fedora.
> Good luck.
>
> LS

Best,
Guillermo

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-29 Thread Lukas Slebodnik
On (29/07/15 10:52), Guillermo Fuentes wrote:
> Thanks so much for the info David!
> We're using the latest version available via EPEL, which is 10.1.2.

pki-core is not available in epel7
https://admin.fedoraproject.org/pkgdb/package/pki-core/

So you have the latest version from base CentOS 7.1.
CentOS rebuilds RHEL packages, so you will need
to wait for CentOS 7.2 for an update.

> List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary
> would be fine. Or, if it isn't available, where can I start
> contributing to the port of pki 10.2.6 to CentOS 7?

You might try to backport pki-core from Fedora.
Good luck.

LS



[Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-29 Thread Guillermo Fuentes
Hi all,

We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).

Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
when accessing the GUI, we installed a 3rd party certificate for https:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
replicas but we're having problems cloning the CA from the 3.0 master.

This is our current environment:
master1 and master2:
CentOS 6.6 (up to date)
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.11.6-30.el6_6.4.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-selinux-9.0.3-39.el6_6.noarch
pki-common-9.0.3-39.el6_6.noarch
pki-native-tools-9.0.3-39.el6_6.x86_64
pki-setup-9.0.3-39.el6_6.noarch
pki-util-9.0.3-39.el6_6.noarch
pki-symkey-9.0.3-39.el6_6.x86_64
pki-ca-9.0.3-39.el6_6.noarch
pki-java-tools-9.0.3-39.el6_6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-silent-9.0.3-39.el6_6.noarch


replica1 and replica2:
CentOS 7.1 (up to date)
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
pki-server-10.1.2-7.el7.noarch
krb5-pkinit-1.12.2-14.el7.x86_64
pki-base-10.1.2-7.el7.noarch
pki-ca-10.1.2-7.el7.noarch
pki-symkey-10.1.2-7.el7.x86_64
pki-tools-10.1.2-7.el7.x86_64


# ipa-replica-manage list
master1.example.com: master
master2.example.com: master
replica1.example.com: master
replica2.example.com.com: master

# ipa-csreplica-manage list
Directory Manager password:

replica1.example.com: CA not configured
master1.example.com: master
master2.example.com: master
replica2.example.com: CA not configured


When trying to install the CA on replica1 to do the migration:
ipa-ca-install --skip-conncheck --skip-schema-check
/var/lib/ipa/replica-info-replica1.example.com.gpg

we're getting the following error in the
/var/log/ipareplica-ca-install.log file:
...
2015-07-28T21:25:14Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-07-28T21:25:14Z DEBUG Starting external process
2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmp2ON_ql'
2015-07-28T21:25:51Z DEBUG Process finished, return code=1
2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
from /tmp/tmp2ON_ql.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2015-07-28T21:25:51Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration
Servlet: Failed to obtain configuration entries from the master for
cloning java.io.IOException: Error: Not authorized

2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
non-zero exit status 1
2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 382, in start_creation
run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 372, in run_step
method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py,
line 673, in __spawn_instance
raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
...


From /var/log/pki/pki-ca-spawn.20150728172515.log:
...
2015-07-28 17:25:16 pkispawn: INFO ... executing 'certutil
-N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
2015-07-28 17:25:16 pkispawn: INFO ... executing
'systemctl daemon-reload'
2015-07-28 17:25:16 pkispawn: INFO ... executing
'systemctl start pki-tomcatd@pki-tomcat.service'
2015-07-28 17:25:16 pkispawn: DEBUG... No connection -
server may still be down
2015-07-28 17:25:16 pkispawn: DEBUG... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:17 pkispawn: DEBUG... No connection -
server may still be down
2015-07-28 17:25:17 pkispawn: DEBUG

Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-29 Thread David Kupka

On 29/07/15 01:47, Guillermo Fuentes wrote:

Hi all,

We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).

Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
when accessing the GUI, we installed a 3rd party certificate for https:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
replicas but we're having problems cloning the CA from the 3.0 master.

This is our current environment:
master1 and master2:
CentOS 6.6 (up to date)
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.11.6-30.el6_6.4.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-selinux-9.0.3-39.el6_6.noarch
pki-common-9.0.3-39.el6_6.noarch
pki-native-tools-9.0.3-39.el6_6.x86_64
pki-setup-9.0.3-39.el6_6.noarch
pki-util-9.0.3-39.el6_6.noarch
pki-symkey-9.0.3-39.el6_6.x86_64
pki-ca-9.0.3-39.el6_6.noarch
pki-java-tools-9.0.3-39.el6_6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-silent-9.0.3-39.el6_6.noarch


replica1 and replica2:
CentOS 7.1 (up to date)
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
pki-server-10.1.2-7.el7.noarch
krb5-pkinit-1.12.2-14.el7.x86_64
pki-base-10.1.2-7.el7.noarch
pki-ca-10.1.2-7.el7.noarch
pki-symkey-10.1.2-7.el7.x86_64
pki-tools-10.1.2-7.el7.x86_64


# ipa-replica-manage list
master1.example.com: master
master2.example.com: master
replica1.example.com: master
replica2.example.com.com: master

# ipa-csreplica-manage list
Directory Manager password:

replica1.example.com: CA not configured
master1.example.com: master
master2.example.com: master
replica2.example.com: CA not configured


When trying to install the CA on replica1 to do the migration:
ipa-ca-install --skip-conncheck --skip-schema-check
/var/lib/ipa/replica-info-replica1.example.com.gpg

we're getting the following error in the
/var/log/ipareplica-ca-install.log file:
...
2015-07-28T21:25:14Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-07-28T21:25:14Z DEBUG Starting external process
2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmp2ON_ql'
2015-07-28T21:25:51Z DEBUG Process finished, return code=1
2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
from /tmp/tmp2ON_ql.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2015-07-28T21:25:51Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
   InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration
Servlet: Failed to obtain configuration entries from the master for
cloning java.io.IOException: Error: Not authorized

2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
non-zero exit status 1
2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 382, in start_creation
 run_step(full_msg, method)
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 372, in run_step
 method()
   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py,
line 673, in __spawn_instance
 raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
...



From /var/log/pki/pki-ca-spawn.20150728172515.log:

...
2015-07-28 17:25:16 pkispawn: INFO ... executing 'certutil
-N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
2015-07-28 17:25:16 pkispawn: INFO ... executing
'systemctl daemon-reload'
2015-07-28 17:25:16 pkispawn: INFO ... executing
'systemctl start pki-tomcatd@pki-tomcat.service'
2015-07-28 17:25:16 pkispawn: DEBUG... No connection -
server may still be down
2015-07-28 17:25:16 pkispawn: DEBUG... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:17 pkispawn: DEBUG... No connection -
server may 

Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-29 Thread Guillermo Fuentes
Thanks so much for the info David!
We're using the latest version available via EPEL, which is 10.1.2.

List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary
would be fine. Or, if it isn't available, where can I start
contributing to the port of pki 10.2.6 to CentOS 7?

Thanks!
Guillermo

On Wed, Jul 29, 2015 at 9:13 AM, David Kupka dku...@redhat.com wrote:
 On 29/07/15 01:47, Guillermo Fuentes wrote:

 Hi all,

 We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).

 Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
 when accessing the GUI, we installed a 3rd party certificate for https:
 https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP


 We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
 replicas but we're having problems cloning the CA from the 3.0 master.

 This is our current environment:
 master1 and master2:
 CentOS 6.6 (up to date)
 ipa-admintools-3.0.0-42.el6.centos.x86_64
 ipa-server-3.0.0-42.el6.centos.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 libipa_hbac-1.11.6-30.el6_6.4.x86_64
 device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
 ipa-client-3.0.0-42.el6.centos.x86_64
 ipa-server-selinux-3.0.0-42.el6.centos.x86_64
 ipa-python-3.0.0-42.el6.centos.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 sssd-ipa-1.11.6-30.el6_6.4.x86_64
 pki-selinux-9.0.3-39.el6_6.noarch
 pki-common-9.0.3-39.el6_6.noarch
 pki-native-tools-9.0.3-39.el6_6.x86_64
 pki-setup-9.0.3-39.el6_6.noarch
 pki-util-9.0.3-39.el6_6.noarch
 pki-symkey-9.0.3-39.el6_6.x86_64
 pki-ca-9.0.3-39.el6_6.noarch
 pki-java-tools-9.0.3-39.el6_6.noarch
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 pki-silent-9.0.3-39.el6_6.noarch


 replica1 and replica2:
 CentOS 7.1 (up to date)
 ipa-client-4.1.0-18.el7.centos.3.x86_64
 libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
 sssd-ipa-1.12.2-58.el7_1.6.x86_64
 python-iniparse-0.4-9.el7.noarch
 ipa-admintools-4.1.0-18.el7.centos.3.x86_64
 ipa-server-4.1.0-18.el7.centos.3.x86_64
 ipa-python-4.1.0-18.el7.centos.3.x86_64
 libipa_hbac-1.12.2-58.el7_1.6.x86_64
 pki-server-10.1.2-7.el7.noarch
 krb5-pkinit-1.12.2-14.el7.x86_64
 pki-base-10.1.2-7.el7.noarch
 pki-ca-10.1.2-7.el7.noarch
 pki-symkey-10.1.2-7.el7.x86_64
 pki-tools-10.1.2-7.el7.x86_64


 # ipa-replica-manage list
 master1.example.com: master
 master2.example.com: master
 replica1.example.com: master
 replica2.example.com.com: master

 # ipa-csreplica-manage list
 Directory Manager password:

 replica1.example.com: CA not configured
 master1.example.com: master
 master2.example.com: master
 replica2.example.com: CA not configured


 When trying to install the CA on replica1 to do the migration:
 ipa-ca-install --skip-conncheck --skip-schema-check
 /var/lib/ipa/replica-info-replica1.example.com.gpg

 we're getting the following error in the
 /var/log/ipareplica-ca-install.log file:
 ...
 2015-07-28T21:25:14Z DEBUG Saving StateFile to
 '/var/lib/ipa/sysrestore/sysrestore.state'
 2015-07-28T21:25:14Z DEBUG Starting external process
 2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
 '/tmp/tmp2ON_ql'
 2015-07-28T21:25:51Z DEBUG Process finished, return code=1
 2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
 from /tmp/tmp2ON_ql.
 Installing CA into /var/lib/pki/pki-tomcat.
 Storing deployment configuration into
 /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

 Installation failed.


 2015-07-28T21:25:51Z DEBUG
 stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
 InsecureRequestWarning: Unverified HTTPS request is being made. Adding
 certificate verification is strongly advised. See:
 https://urllib3.readthedocs.org/en/latest/security.html

InsecureRequestWarning)
 pkispawn: WARNING  ... unable to validate security domain
 user/password through REST interface. Interface not available
 pkispawn: ERROR... Exception from Java Configuration
 Servlet: Failed to obtain configuration entries from the master for
 cloning java.io.IOException: Error: Not authorized

 2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
 ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
 non-zero exit status 1
 2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
  run_step(full_msg, method)
File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 372, in run_step
  method()
File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py,
 line 673, in __spawn_instance
  raise RuntimeError('Configuration of CA failed')
 RuntimeError: Configuration of CA failed
 ...


 From /var/log/pki/pki-ca-spawn.20150728172515.log:

 ...
 2015-07-28 17:25:16 pkispawn: INFO ... executing 'certutil
 -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
 2015-07-28 17:25:16 pkispawn: INFO