Re: [Freeipa-users] CA cert issues
On 01/17/2013 12:54 PM, Rob Crittenden wrote: Orion Poplawski wrote: It seems like a most of the problems would be alleviated if instead of wiping out the old NSS dbs, it simply added the new certs. I don't know if there are any other security implications of this or not. Yes, that is probably true. I think the reasoning was we didn't know what was in the database already so starting over seemed safer. Filed https://fedorahosted.org/freeipa/ticket/3363 -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] CA cert issues
Orion Poplawski wrote: On 01/17/2013 09:27 AM, Rob Crittenden wrote: Orion Poplawski wrote: But then on ipa-replica-install, problems as predicted: ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg ... [16/30]: configuring ssl for ds instance creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12 Ok, I think what I would recommend is preparing a replica w/o replacing the certs (e.g. let the CA issue certs for all the services). Install the replica. Then replace with the wildcard certs once the install is up and functioning. rob That gets to: [21/30]: setting up initial replication Starting replication, please wait until this has completed. [ipa.cora.nwra.com] reports: Update failed! Status: [-11 - System error] creation of replica failed: Failed to start replication Because on ipa.cora : [17/Jan/2013:09:31:42 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.) because the new cert install wiped out the old slapd-NWRA-COM certs. Installed the NWRA.COM IPA CA there. It seems like a most of the problems would be alleviated if instead of wiping out the old NSS dbs, it simply added the new certs. I don't know if there are any other security implications of this or not. Yes, that is probably true. I think the reasoning was we didn't know what was in the database already so starting over seemed safer. I'm also tempted to start over and do the --dirsrv-cert options on the initial ipa-server-install to see if that helps. Anyway, tried again and now: Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication creation of replica failed: list index out of range 2013-01-17T16:41:33Z DEBUG [7/9]: enable GSSAPI for replication 2013-01-17T16:41:33Z INFO Setting agreement cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2013-01-17T16:41:34Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config 2013-01-17T16:41:35Z INFO Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0 2013-01-17T16:41:35Z INFO Setting agreement cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2013-01-17T16:41:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config 2013-01-17T16:41:37Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20130117164126Z: end: 20130117164127Z 2013-01-17T16:41:37Z DEBUG list index out of range File "/usr/sbin/ipa-replica-install", line 496, in main() File "/usr/sbin/ipa-replica-install", line 441, in main krb = install_krb(config, setup_pkinit=options.setup_pkinit) File "/usr/sbin/ipa-replica-install", line 163, in install_krb setup_pkinit, pkcs12_info) File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 207, in create_replica self.start_creation("Configuring Kerberos KDC", 30) File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation method() File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 442, in __convert_to_gssapi_replication r_bindpw=self.dm_password) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 833, in convert_to_gssapi_replication self.gssapi_update_agreements(self.conn, r_conn) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 557, in gssapi_update_agreements self.setup_krb_princs_as_replica_binddns(a, b) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 550, in setup_krb_princs_as_replica_binddns mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)] This error means that we lack one of the ldap principals on one of the replicas. We've improved the reporting about this error in newer versions and we try a bit harder to make sure things are ok before trying the conversion. It may be because of the replication trust issues, or it could just be bad timing. I also see this in /var/log/dirsrv/slapd-NWRA-COM/errors on the master: [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Schema repl
Re: [Freeipa-users] CA cert issues
On 01/17/2013 09:49 AM, Orion Poplawski wrote: Anyway, tried again and now: Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication creation of replica failed: list index out of range Okay, this is more cert stuff, on the replica: [17/Jan/2013:09:41:55 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success) Because the ds instance there doesn't recognize the cert on the master. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] CA cert issues
On 01/17/2013 09:49 AM, Orion Poplawski wrote: On 01/17/2013 09:27 AM, Rob Crittenden wrote: Orion Poplawski wrote: But then on ipa-replica-install, problems as predicted: ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg ... [16/30]: configuring ssl for ds instance creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12 Ok, I think what I would recommend is preparing a replica w/o replacing the certs (e.g. let the CA issue certs for all the services). Install the replica. Then replace with the wildcard certs once the install is up and functioning. rob That gets to: [21/30]: setting up initial replication Starting replication, please wait until this has completed. [ipa.cora.nwra.com] reports: Update failed! Status: [-11 - System error] creation of replica failed: Failed to start replication Because on ipa.cora : [17/Jan/2013:09:31:42 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.) because the new cert install wiped out the old slapd-NWRA-COM certs. Installed the NWRA.COM IPA CA there. It seems like a most of the problems would be alleviated if instead of wiping out the old NSS dbs, it simply added the new certs. I don't know if there are any other security implications of this or not. I'm also tempted to start over and do the --dirsrv-cert options on the initial ipa-server-install to see if that helps. Anyway, tried again and now: Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication creation of replica failed: list index out of range 2013-01-17T16:41:33Z DEBUG [7/9]: enable GSSAPI for replication 2013-01-17T16:41:33Z INFO Setting agreement cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2013-01-17T16:41:34Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config 2013-01-17T16:41:35Z INFO Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0 2013-01-17T16:41:35Z INFO Setting agreement cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2013-01-17T16:41:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config 2013-01-17T16:41:37Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20130117164126Z: end: 20130117164127Z 2013-01-17T16:41:37Z DEBUG list index out of range File "/usr/sbin/ipa-replica-install", line 496, in main() File "/usr/sbin/ipa-replica-install", line 441, in main krb = install_krb(config, setup_pkinit=options.setup_pkinit) File "/usr/sbin/ipa-replica-install", line 163, in install_krb setup_pkinit, pkcs12_info) File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 207, in create_replica self.start_creation("Configuring Kerberos KDC", 30) File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation method() File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 442, in __convert_to_gssapi_replication r_bindpw=self.dm_password) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 833, in convert_to_gssapi_replication self.gssapi_update_agreements(self.conn, r_conn) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 557, in gssapi_update_agreements self.setup_krb_princs_as_replica_binddns(a, b) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 550, in setup_krb_princs_as_replica_binddns mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)] I also see this in /var/log/dirsrv/slapd-NWRA-COM/errors on the master: [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Schema replication update failed: Type or value exists [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Warning: unable to replicate schema: rc=1 Which is probably due to some schema modifications I've made, but these don't really seem related to the error above. And schema replication failures do not prevent the rest of replication from working __
Re: [Freeipa-users] CA cert issues
On 01/17/2013 09:27 AM, Rob Crittenden wrote: Orion Poplawski wrote: But then on ipa-replica-install, problems as predicted: ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg ... [16/30]: configuring ssl for ds instance creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12 Ok, I think what I would recommend is preparing a replica w/o replacing the certs (e.g. let the CA issue certs for all the services). Install the replica. Then replace with the wildcard certs once the install is up and functioning. rob That gets to: [21/30]: setting up initial replication Starting replication, please wait until this has completed. [ipa.cora.nwra.com] reports: Update failed! Status: [-11 - System error] creation of replica failed: Failed to start replication Because on ipa.cora : [17/Jan/2013:09:31:42 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.) because the new cert install wiped out the old slapd-NWRA-COM certs. Installed the NWRA.COM IPA CA there. It seems like a most of the problems would be alleviated if instead of wiping out the old NSS dbs, it simply added the new certs. I don't know if there are any other security implications of this or not. I'm also tempted to start over and do the --dirsrv-cert options on the initial ipa-server-install to see if that helps. Anyway, tried again and now: Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication creation of replica failed: list index out of range 2013-01-17T16:41:33Z DEBUG [7/9]: enable GSSAPI for replication 2013-01-17T16:41:33Z INFO Setting agreement cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2013-01-17T16:41:34Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config 2013-01-17T16:41:35Z INFO Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0 2013-01-17T16:41:35Z INFO Setting agreement cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2013-01-17T16:41:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config 2013-01-17T16:41:37Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20130117164126Z: end: 20130117164127Z 2013-01-17T16:41:37Z DEBUG list index out of range File "/usr/sbin/ipa-replica-install", line 496, in main() File "/usr/sbin/ipa-replica-install", line 441, in main krb = install_krb(config, setup_pkinit=options.setup_pkinit) File "/usr/sbin/ipa-replica-install", line 163, in install_krb setup_pkinit, pkcs12_info) File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 207, in create_replica self.start_creation("Configuring Kerberos KDC", 30) File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation method() File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 442, in __convert_to_gssapi_replication r_bindpw=self.dm_password) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 833, in convert_to_gssapi_replication self.gssapi_update_agreements(self.conn, r_conn) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 557, in gssapi_update_agreements self.setup_krb_princs_as_replica_binddns(a, b) File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 550, in setup_krb_princs_as_replica_binddns mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)] I also see this in /var/log/dirsrv/slapd-NWRA-COM/errors on the master: [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Schema replication update failed: Type or value exists [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Warning: unable to replicate schema: rc=1 Which is probably due to some schema modifications I've made, but these don't really seem related to the error above. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane
Re: [Freeipa-users] CA cert issues
Orion Poplawski wrote: On 01/16/2013 06:50 PM, Rob Crittenden wrote: We really need to put a big fat warning on this too: there be dragons. It is really meant for v1 servers where we didn't have a full CA. The CA is really integrated into IPA v2+ such that replacing certs is going to cause some amount of grief (as you've seen). I didn't think we blew away the existing NSS database using the tool, though it certainly sounds like we are. What you're missing in the ipaCert in /etc/httpd/alias. This is used to authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup was made, or use certutil to get a list of the nicknames in there? I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance. There are no cli options for providing that. Even if you did manage to get a prepared file you'd likely run into a whole new batch of install problems. Sorry about that. We really need to decide whether this tool is worth supporting at all and fix it (or make it safer) or simply do away with it. Right now it's just a really sharp tool waiting to cut someone. rob Well, it looks like it move all of the existing files in /etc/httpd/alias to .orig extensions. I moved those over to an alias.orig directory and imported the ipaCert key. That allowed ipa-replica-prepare to run. Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server Copying SSL certificate for the Web Server from STAR_cora_nwra_com.p12 Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg But then on ipa-replica-install, problems as predicted: ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg ... [16/30]: configuring ssl for ds instance creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12 Ok, I think what I would recommend is preparing a replica w/o replacing the certs (e.g. let the CA issue certs for all the services). Install the replica. Then replace with the wildcard certs once the install is up and functioning. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] CA cert issues
On 01/16/2013 06:50 PM, Rob Crittenden wrote: We really need to put a big fat warning on this too: there be dragons. It is really meant for v1 servers where we didn't have a full CA. The CA is really integrated into IPA v2+ such that replacing certs is going to cause some amount of grief (as you've seen). I didn't think we blew away the existing NSS database using the tool, though it certainly sounds like we are. What you're missing in the ipaCert in /etc/httpd/alias. This is used to authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup was made, or use certutil to get a list of the nicknames in there? I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance. There are no cli options for providing that. Even if you did manage to get a prepared file you'd likely run into a whole new batch of install problems. Sorry about that. We really need to decide whether this tool is worth supporting at all and fix it (or make it safer) or simply do away with it. Right now it's just a really sharp tool waiting to cut someone. rob Well, it looks like it move all of the existing files in /etc/httpd/alias to .orig extensions. I moved those over to an alias.orig directory and imported the ipaCert key. That allowed ipa-replica-prepare to run. Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server Copying SSL certificate for the Web Server from STAR_cora_nwra_com.p12 Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg But then on ipa-replica-install, problems as predicted: ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg ... [16/30]: configuring ssl for ds instance creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12 -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] CA cert issues
On 01/16/2013 06:50 PM, Rob Crittenden wrote: Orion Poplawski wrote: On 01/16/2013 04:28 PM, Orion Poplawski wrote: I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install. Then I changed the cert used via ipa-server-certinstall to use a wildcard SSL cert issued by Comodo. This has led to a lot of grief and needing to install the Comodo CA chain into lots of SSL dbs. Now I'm looking at replicating the server with: ipa-replica-prepare ipapub.cora.nwra.com --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=x --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xx But I get: Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. File "/usr/sbin/ipa-replica-prepare", line 459, in main() File "/usr/sbin/ipa-replica-prepare", line 353, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base) File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb raise e Any suggestions? I don't really understand how the dogtag ca fits in with this scenario. Should I just get rid of it? Can I? I (re?) added the dogtag ca cert to the /etc/httpd/alias db: certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a > IPACA.asc certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu Now I get: Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server Certificate issuance failed /var/log/pki-ca/debug shows: [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter xmlOutput='true' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert' [16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input Parameters [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId caIPAserviceCert [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator raCertAuth found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet:setCredentialsIntoContext() authIds` null [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs into profile Context [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set sslClientCertProvider [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start [16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is raCertAuth [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving client certificate [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL Client Certs Found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authentication error Invalid Credential. What cert needs to be created? Aren't I already specifying the certs for the new server? Thanks. We really need to put a big fat warning on this too: there be dragons. It is really meant for v1 servers where we didn't have a full CA. The CA is really integrated into IPA v2+ such that replacing certs is going to cause some amount of grief (as you've seen). I didn't think we blew away the existing NSS database using the tool, though it certainly sounds like we are. What you're missing in the ipaCert in /etc/httpd/alias. This is used to authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup was made, or use certutil to get a list of the nicknames in there? I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance. There are no cli options for providing that. Even if you did manage to get a prepared file you'd likely run into a whole new batch of install problems. Sorry about that. We really need to decide whether this tool is worth supporting at all and fix it (or make it safer) or simply do away with it. Right now it's just a really s
Re: [Freeipa-users] CA cert issues
Orion Poplawski wrote: On 01/16/2013 04:28 PM, Orion Poplawski wrote: I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install. Then I changed the cert used via ipa-server-certinstall to use a wildcard SSL cert issued by Comodo. This has led to a lot of grief and needing to install the Comodo CA chain into lots of SSL dbs. Now I'm looking at replicating the server with: ipa-replica-prepare ipapub.cora.nwra.com --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=x --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xx But I get: Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. File "/usr/sbin/ipa-replica-prepare", line 459, in main() File "/usr/sbin/ipa-replica-prepare", line 353, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base) File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb raise e Any suggestions? I don't really understand how the dogtag ca fits in with this scenario. Should I just get rid of it? Can I? I (re?) added the dogtag ca cert to the /etc/httpd/alias db: certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a > IPACA.asc certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu Now I get: Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server Certificate issuance failed /var/log/pki-ca/debug shows: [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter xmlOutput='true' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert' [16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input Parameters [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId caIPAserviceCert [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator raCertAuth found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet:setCredentialsIntoContext() authIds` null [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs into profile Context [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set sslClientCertProvider [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start [16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is raCertAuth [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving client certificate [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL Client Certs Found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authentication error Invalid Credential. What cert needs to be created? Aren't I already specifying the certs for the new server? Thanks. We really need to put a big fat warning on this too: there be dragons. It is really meant for v1 servers where we didn't have a full CA. The CA is really integrated into IPA v2+ such that replacing certs is going to cause some amount of grief (as you've seen). I didn't think we blew away the existing NSS database using the tool, though it certainly sounds like we are. What you're missing in the ipaCert in /etc/httpd/alias. This is used to authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup was made, or use certutil to get a list of the nicknames in there? I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance. There are no cli options for providing that. Even if you did manage to get a prepared file you'd likely run into a whole new batch of install problems. Sorry about that. We really need to decide whether this tool is worth supporting at all and fix it (or make it safer) or simply do away with it. Right now it's just a really sharp tool waiting to cut someone.
Re: [Freeipa-users] CA cert issues
On 01/16/2013 04:28 PM, Orion Poplawski wrote: I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install. Then I changed the cert used via ipa-server-certinstall to use a wildcard SSL cert issued by Comodo. This has led to a lot of grief and needing to install the Comodo CA chain into lots of SSL dbs. Now I'm looking at replicating the server with: ipa-replica-prepare ipapub.cora.nwra.com --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=x --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xx But I get: Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. File "/usr/sbin/ipa-replica-prepare", line 459, in main() File "/usr/sbin/ipa-replica-prepare", line 353, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base) File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb raise e Any suggestions? I don't really understand how the dogtag ca fits in with this scenario. Should I just get rid of it? Can I? I (re?) added the dogtag ca cert to the /etc/httpd/alias db: certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a > IPACA.asc certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu Now I get: Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server Certificate issuance failed /var/log/pki-ca/debug shows: [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter xmlOutput='true' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert' [16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input Parameters [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId caIPAserviceCert [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator raCertAuth found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet:setCredentialsIntoContext() authIds` null [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs into profile Context [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set sslClientCertProvider [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start [16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is raCertAuth [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving client certificate [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL Client Certs Found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authentication error Invalid Credential. What cert needs to be created? Aren't I already specifying the certs for the new server? Thanks. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] CA cert issues
I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install. Then I changed the cert used via ipa-server-certinstall to use a wildcard SSL cert issued by Comodo. This has led to a lot of grief and needing to install the Comodo CA chain into lots of SSL dbs. Now I'm looking at replicating the server with: ipa-replica-prepare ipapub.cora.nwra.com --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=x --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xx But I get: Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12 Creating SSL certificate for the dogtag Directory Server ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. File "/usr/sbin/ipa-replica-prepare", line 459, in main() File "/usr/sbin/ipa-replica-prepare", line 353, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base) File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb raise e Any suggestions? I don't really understand how the dogtag ca fits in with this scenario. Should I just get rid of it? Can I? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users