Hi,
On 8.8.2014 at 14:46, Nicklas Björk wrote:
Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS
7 using migration. I seem to have run into some certificate problems and
the replica installation halts half-way through. We have a simple
CA structure, where FreeIPA has been installed as a sub-CA directly
under the root CA.
A replica bundle was created on the master using:
ipa-replica-prepare replica.example.net --ip-address 192.168.100.2
the gpg-file was copied to replica:/var/lib/ipa and the following
command was executed:
ipa-replica-install --mkhomedir -d --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg
During the first attempt, I was instructed to also run
copy-schema-to-ca.py on the master server, which has been done. The
replica installation halts complaining that ca.crt contains more than one
certificate. Both the FreeIPA CA and the Root CA certificates are in
that file.
Debug output in /var/log/ipareplica-install.log tells the following:
2014-08-08T12:22:08Z DEBUG [17/34]: configuring ssl for ds instance
2014-08-08T12:22:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -N -f /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-EXAMPLE-NET/ -i /tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -L
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

Server-Cert                                            u,u,u
CN=Example Root CA,O=Example AB                        ,,
EXAMPLE.NET IPA CA                                     ,,
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 664, in main
    ds = install_replica_ds(config)
  File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
    ca_file=config.dir + "/ca.crt",
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 606, in enable_ssl
    ca_file=self.ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 841, in create_from_pkcs12
    self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 240, in import_pem_cert
    location)
2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed, exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more than one certificate
Is there anything obvious that is wrong or odd with this setup or process?
Best regards
Nicklas Björk
It seems you somehow ended up with more than one certificate in
/etc/ipa/ca.crt on the master. It should contain only the IPA CA
certificate. If you delete all other certificates from it and re-run
ipa-replica-prepare, you should be able to successfully install the
replica using ipa-replica-install.
Honza
--
Jan Cholasta
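As an added example (not code from this thread or from the FreeIPA project), the script below does what the reply asks for in a checkable way: it counts the certificates in a PEM file the same way the installer's import_pem_cert check does, lists each certificate's subject, and writes out only the one whose subject matches the IPA CA, refusing to continue if zero or several certificates match. It assumes openssl is installed. The two subjects it uses to build its sample bundle are constructed to mirror the nicknames in the certutil output above; on a real master the IPA CA subject should be read from /etc/ipa/ca.crt itself (or the master's NSS database) rather than assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Checks a PEM file for the condition that tripped ipa-replica-install
# (more than one certificate), lists what is in it, and writes out only the
# IPA CA certificate. Assumes openssl is installed. The subjects below are
# constructed for the sample and mirror the certutil nicknames in the thread.
set -eu

# Number of PEM certificate blocks in a file; anything other than 1 means
# /etc/ipa/ca.crt is not what ipa-replica-prepare expects.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject of every certificate in a PEM bundle, one per line.
list_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# Split a bundle into $2/cert-1.pem, $2/cert-2.pem, ... (one block each).
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# Copy to $3 the single certificate in $1 whose subject contains the literal
# string $2. Returns non-zero if no certificate or more than one matches, so
# an ambiguous pattern never silently produces a wrong ca.crt.
extract_ca_by_subject() {
    bundle=$1; pattern=$2; dest=$3
    tmp=$(mktemp -d); matches=0
    split_bundle "$bundle" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        if openssl x509 -noout -subject -in "$f" | grep -qF -- "$pattern"; then
            matches=$((matches + 1))
            cp "$f" "$dest"
        fi
    done
    rm -rf "$tmp"
    [ "$matches" -eq 1 ]
}

# Constructed sample: a self-signed root CA and an IPA CA it signed, then the
# two concatenated the way the poster's /etc/ipa/ca.crt ended up.
make_sample_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/O=Example AB/CN=Example Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/O=EXAMPLE.NET/CN=EXAMPLE.NET IPA CA' \
        -keyout "$dir/ipa.key" -out "$dir/ipa.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -set_serial 1 -days 1 -sha256 \
        -out "$dir/ipa.pem" 2>/dev/null
    cat "$dir/ipa.pem" "$dir/root.pem" > "$dir/ca.crt"
    printf '%s\n' "$dir/ca.crt"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUNDLE=$(make_sample_bundle "$WORK")

echo "certificates in $BUNDLE: $(count_certs "$BUNDLE")"
list_subjects "$BUNDLE" | sed 's/^/  /'
extract_ca_by_subject "$BUNDLE" 'EXAMPLE.NET IPA CA' "$WORK/ca.crt.fixed"
echo "certificates in $WORK/ca.crt.fixed: $(count_certs "$WORK/ca.crt.fixed")"
```

On a master, run count_certs and list_subjects against /etc/ipa/ca.crt before touching anything, keep a copy of the original file, and only then replace it with the single IPA CA certificate and re-run ipa-replica-prepare. The installer imports that file with "certutil -A -n CA -t CT,CT, -a", which is why a second certificate in it cannot simply be ignored.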
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project