Re: [Freeipa-users] New install, unsupported format?
On Tue, Feb 28, 2017 at 4:26 AM, Standa Laznickawrote: > On 02/27/2017 04:51 PM, Steve Huston wrote: >> It seems there might be two issues here; the one I originally reported >> was that the ipa-server packages installed on a client machine are >> unable to talk to the server, even though it obviously knows what the >> server is (the "unsupported format" error I originally shared). The >> second is with setting up a replica in general. > > The server rpm packages should have no impact on client settings if neither > server nor replica are installed on the given machine. IIRC client only uses > the NSS database in /etc/ipa/nssdb, you may want to check the permissions > there (should be o+xr for the folder, o+r for the *.db files there). I'll look into this more later, since it's less of an issue (I don't plan on having the server packages installed on a machine that isn't a server, and once it's a server it works fine). > I believe your machine might have been in some kind of undecided state when > you tried to promote a client to a replica. What happens during replica > installation on domain level 1 is that client installation is checked first. > If client is installed the installation continues with other steps, if it's > not, it tries to install the client. > In your case, you probably had your client installed at first and tried to > install replica. Something bad happened, can't be sure what, the > installation failed and tried to uninstall the client but that might have > failed, too. Eventually, you uninstalled the client yourself successfully, > all files were removed and its records were also removed from the server. > This made it possible to eventually successfully install a replica. > I wouldn't bet my life on it but I'd think the installation could have gone > successfully even if you installed a client and tried to promote it again :) Quite possible - I thought I accounted for everything, but I'll admit that when a client gets installed and provisioned it's not with ipa-client-install but via puppet. I did this because I needed a programmatic way to determine if a host was already provisioned (preferably locally) and execute the proper commands to do so, and in my experimenting I found following the instructions for provisioning manually worked well and use the presence of /etc/krb5.keytab as an indicator of "has this host been provisioned" (its absence is a negative). It's likely that ipa-client-install does something else that I never noticed, which ipa-replica-install relies on to know what's going on - especially since when I run on a client, it first uninstalls the client and then tries to reinstall it, and that's where it fails. I may experiment with that a bit too since it won't take long to do. > Anyway, I am sorry to hear you had such troubles, the replica installation > is not usually such a painful process, I hope you will have more luck with > FreeIPA in the future. While it has been frustrating, it has definitely been a learning experience. I grow more confident in the system's abilities as I discover more about it, and that means should something break in the future I'm already in a position of knowledge of some of the internals and less afraid to poke gently to fix it. The support on this mailing list has also been wonderful, so thank you all for that! -- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University |ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] New install, unsupported format?
On 02/27/2017 04:51 PM, Steve Huston wrote: On Mon, Feb 27, 2017 at 5:56 AM, Standa Laznickawrote: Sorry for the hold up. Two questions - is this domain level 1 or 0 (you can run `ipa domainlevel-get` on the master if you don't know)? Did you have a client installed prior to ipa-replica-install? It's level 1. I did have a couple clients installed, and the machine I was trying to promote to a replica was one of them. This whole instance is a testing instance, with live data but not in production, while I make sure everything works as expected before I deploy it, so the servers and their data are new as of a couple weeks ago and began life as a RHEL7.3 install. It seems there might be two issues here; the one I originally reported was that the ipa-server packages installed on a client machine are unable to talk to the server, even though it obviously knows what the server is (the "unsupported format" error I originally shared). The second is with setting up a replica in general. The server rpm packages should have no impact on client settings if neither server nor replica are installed on the given machine. IIRC client only uses the NSS database in /etc/ipa/nssdb, you may want to check the permissions there (should be o+xr for the folder, o+r for the *.db files there). I had tried the various methods outlined in the RedHat IdM documentation, including promoting a client via an administrators TGT, adding the client to the ipaservers group on the server, etc. What did finally work was unprovisioning the client, setting a one-time password, and running "ipa-replica-install -v --domain=astro.princeton.edu --server=ipa.astro.princeton.edu --realm=ASTRO.PRINCETON.EDU --hostname=syrinx.astro.princeton.edu --setup-ca -p foobar" - this yielded a fully working replica when it finished. All of the previous failures happened in the same way as mentioned before - it seems to unprovision the client for some reason, then fail in reprovisioning it. I believe your machine might have been in some kind of undecided state when you tried to promote a client to a replica. What happens during replica installation on domain level 1 is that client installation is checked first. If client is installed the installation continues with other steps, if it's not, it tries to install the client. In your case, you probably had your client installed at first and tried to install replica. Something bad happened, can't be sure what, the installation failed and tried to uninstall the client but that might have failed, too. Eventually, you uninstalled the client yourself successfully, all files were removed and its records were also removed from the server. This made it possible to eventually successfully install a replica. I wouldn't bet my life on it but I'd think the installation could have gone successfully even if you installed a client and tried to promote it again :) Anyway, I am sorry to hear you had such troubles, the replica installation is not usually such a painful process, I hope you will have more luck with FreeIPA in the future. One problem which has cropped up before and caused problems is with DNS capitalization. DNS reports the domain name of "Princeton.EDU" for hosts here, which means in order to do just about anything with a FreeIPA server I have to manually add the host to /etc/hosts with all lowercase letters. I also have to force all of the host names via command line switches so that DNS is not consulted for lookups, which will return the StudlyCaps names and fail. I suppose I should raise that as a separate issue, because my understanding is that hostnames/domainnames should be case insensitive so I'm not sure why FreeIPA cares (and it may be easier to steer the entire project to not care than convince those in control of DNS here to change it :D ) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] New install, unsupported format?
On Mon, Feb 27, 2017 at 5:56 AM, Standa Laznickawrote: > Sorry for the hold up. Two questions - is this domain level 1 or 0 (you can > run `ipa domainlevel-get` on the master if you don't know)? Did you have a > client installed prior to ipa-replica-install? It's level 1. I did have a couple clients installed, and the machine I was trying to promote to a replica was one of them. This whole instance is a testing instance, with live data but not in production, while I make sure everything works as expected before I deploy it, so the servers and their data are new as of a couple weeks ago and began life as a RHEL7.3 install. It seems there might be two issues here; the one I originally reported was that the ipa-server packages installed on a client machine are unable to talk to the server, even though it obviously knows what the server is (the "unsupported format" error I originally shared). The second is with setting up a replica in general. I had tried the various methods outlined in the RedHat IdM documentation, including promoting a client via an administrators TGT, adding the client to the ipaservers group on the server, etc. What did finally work was unprovisioning the client, setting a one-time password, and running "ipa-replica-install -v --domain=astro.princeton.edu --server=ipa.astro.princeton.edu --realm=ASTRO.PRINCETON.EDU --hostname=syrinx.astro.princeton.edu --setup-ca -p foobar" - this yielded a fully working replica when it finished. All of the previous failures happened in the same way as mentioned before - it seems to unprovision the client for some reason, then fail in reprovisioning it. One problem which has cropped up before and caused problems is with DNS capitalization. DNS reports the domain name of "Princeton.EDU" for hosts here, which means in order to do just about anything with a FreeIPA server I have to manually add the host to /etc/hosts with all lowercase letters. I also have to force all of the host names via command line switches so that DNS is not consulted for lookups, which will return the StudlyCaps names and fail. I suppose I should raise that as a separate issue, because my understanding is that hostnames/domainnames should be case insensitive so I'm not sure why FreeIPA cares (and it may be easier to steer the entire project to not care than convince those in control of DNS here to change it :D ) -- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University |ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] New install, unsupported format?
On 02/24/2017 08:38 PM, Steve Huston wrote: So, I tried a different tack. Took my bare VM configured as an IPA client, did a 'yum install ipa-server' and edited the cainstance.py file to fix the IPv6 issue. Then, without adding the host to ipaservers in the webui, I simply tried to promote it: # kinit admin Password for ad...@astro.princeton.edu: # ipa-replica-install --verbose ipa.ipapython.install.cli.install_tool(Replica): DEBUGLogging to /var/log/ipareplica-install.log ipa.ipapython.install.cli.install_tool(Replica): DEBUG ipa-replica-install was invoked with arguments [] and options: {'no_dns_sshfp': None, 'skip_schema_check': None, 'setup_kra': None, 'ip_addresses': None , 'mkhomedir': None, 'http_cert_files': None, 'ssh_trust_dns': None, 'reverse_zones': None, 'no_forwarders': None, 'keytab': None, 'no_ntp': None, 'domain_name': None, 'http_cert_name': None, 'dirsrv_cert_files ': None, 'no_dnssec_validation': None, 'no_reverse': None, 'unattended': False, 'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None, 'dirsrv_config_file': None, 'forwarders': None, 'verbose': True, 'setup_ca': None, 'realm_name': None, 'skip_conncheck': None, 'no_ssh': None, 'forward_policy': None, 'dirsrv_cert_name': None, 'quiet': False, 'server': None, 'setup_dns': None, 'host_name': None, 'log_file': None, 'allow_zone_overlap': None} ipa.ipapython.install.cli.install_tool(Replica): DEBUGIPA version 4.4.0-14.el7_3.4 ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/selinuxenabled ipa : DEBUGProcess finished, return code=0 ipa : DEBUGstdout= ipa : DEBUGstderr= ipa : DEBUGLoading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' ipa : DEBUGLoading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa : DEBUGhttpd is not configured ipa : DEBUGkadmin is not configured ipa : DEBUGdirsrv is not configured ipa : DEBUGpki-tomcatd is not configured ipa : DEBUGinstall is not configured ipa : DEBUGkrb5kdc is not configured ipa : DEBUGntpd is not configured ipa : DEBUGnamed is not configured ipa : DEBUGipa_memcached is not configured ipa : DEBUGfilestore is tracking no files ipa : DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' ipa : DEBUGConfiguring client side components Configuring client side components ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended --no-ntp IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. ipa : DEBUGProcess finished, return code=3 Removing client side components ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended --uninstall Unenrolling client from IPA server Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted nslcd daemon is not installed, skip configuration Client uninstall complete. ipa : DEBUGProcess finished, return code=0 ipa.ipapython.install.cli.install_tool(Replica): DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in run self.validate() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, in validate for nothing in self._validator(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564, in _configure next(validator) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File
Re: [Freeipa-users] New install, unsupported format?
So, I tried a different tack. Took my bare VM configured as an IPA client, did a 'yum install ipa-server' and edited the cainstance.py file to fix the IPv6 issue. Then, without adding the host to ipaservers in the webui, I simply tried to promote it: # kinit admin Password for ad...@astro.princeton.edu: # ipa-replica-install --verbose ipa.ipapython.install.cli.install_tool(Replica): DEBUGLogging to /var/log/ipareplica-install.log ipa.ipapython.install.cli.install_tool(Replica): DEBUG ipa-replica-install was invoked with arguments [] and options: {'no_dns_sshfp': None, 'skip_schema_check': None, 'setup_kra': None, 'ip_addresses': None , 'mkhomedir': None, 'http_cert_files': None, 'ssh_trust_dns': None, 'reverse_zones': None, 'no_forwarders': None, 'keytab': None, 'no_ntp': None, 'domain_name': None, 'http_cert_name': None, 'dirsrv_cert_files ': None, 'no_dnssec_validation': None, 'no_reverse': None, 'unattended': False, 'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None, 'dirsrv_config_file': None, 'forwarders': None, 'verbose': True, 'setup_ca': None, 'realm_name': None, 'skip_conncheck': None, 'no_ssh': None, 'forward_policy': None, 'dirsrv_cert_name': None, 'quiet': False, 'server': None, 'setup_dns': None, 'host_name': None, 'log_file': None, 'allow_zone_overlap': None} ipa.ipapython.install.cli.install_tool(Replica): DEBUGIPA version 4.4.0-14.el7_3.4 ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/selinuxenabled ipa : DEBUGProcess finished, return code=0 ipa : DEBUGstdout= ipa : DEBUGstderr= ipa : DEBUGLoading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' ipa : DEBUGLoading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa : DEBUGhttpd is not configured ipa : DEBUGkadmin is not configured ipa : DEBUGdirsrv is not configured ipa : DEBUGpki-tomcatd is not configured ipa : DEBUGinstall is not configured ipa : DEBUGkrb5kdc is not configured ipa : DEBUGntpd is not configured ipa : DEBUGnamed is not configured ipa : DEBUGipa_memcached is not configured ipa : DEBUGfilestore is tracking no files ipa : DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' ipa : DEBUGConfiguring client side components Configuring client side components ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended --no-ntp IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. ipa : DEBUGProcess finished, return code=3 Removing client side components ipa : DEBUGStarting external process ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended --uninstall Unenrolling client from IPA server Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted nslcd daemon is not installed, skip configuration Client uninstall complete. ipa : DEBUGProcess finished, return code=0 ipa.ipapython.install.cli.install_tool(Replica): DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in run self.validate() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, in validate for nothing in self._validator(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564, in _configure next(validator) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in
Re: [Freeipa-users] New install, unsupported format?
On Fri, Feb 24, 2017 at 2:31 AM, Standa Laznickawrote: > Hello, > I don't quite understand your situation - have the error happened during an > addition of the host to the "ipaservers" group or during replica > installation? It was during the addition of the host. In fact, any 'ipa' command fails with the same error, even 'ipa help'. I could understand if the CA needs to be setup before these commands work, but then I'm pretty sure I followed the order of the instructions for creating a replica and this was the result. Interestingly, when I first started to do this, I had other failures related to the directory level. I later realized that it's because I was trying to create the replica on the test VM that I hadn't yet upgraded from RHEL6 to RHEL7 so was trying to use IPA 3.x. In that instance, the command to add the soon-to-be replica to ipaservers succeeded, but the command to create the replica failed with needing the replica file (which I later realized what was going on and reinstalled the VM as I intended originally). > Certutil is a wonderful piece of software that returns > "(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I have > never seen an actual legacy database. Usually, this error means that the > directory you're pointing the certutil tool to either does not exist or you > don't have the permissions to read/write in this exact directory. Everything else on the server seems to be working fine, and the error containing the URL to the running server leads me to believe it's a problem with communication between the two. However there is no firewalling on either host (yet) so I'm not sure why they wouldn't be able to communicate. I did run an strace of the process and didn't see anything highly useful, in fact the only connect syscall I saw was to the socket of the local nscd. Debug output of 'ipa -d help': ipa: DEBUG: Starting external process ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@astro.princeton.edu ipa: DEBUG: Process finished, return code=1 ipa: DEBUG: stdout= ipa: DEBUG: stderr=keyctl_search: Required key not available ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'ad...@astro.princeton.edu' ipa: INFO: trying https://ipa.astro.princeton.edu/ipa/json ipa: DEBUG: Created connection context.rpcclient_49093200 ipa: INFO: Forwarding 'schema' to json server 'https://ipa.astro.princeton.edu/ipa/json' ipa: DEBUG: NSSConnection init ipa.astro.princeton.edu ipa: DEBUG: Destroyed connection context.rpcclient_49093200 ipa: ERROR: cannot connect to 'https://ipa.astro.princeton.edu/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. > Cheers, > Standa > > P.S.: I might have sent you this email twice because I am a bad person when > it comes to the "Send" button, please reply to the email which has > "freeipa-users" in CC :) No worries :D > On 02/23/2017 10:38 PM, Steve Huston wrote: >> >> I already had to do that previously to get other things to work; I had >> solved it by changing line 582 of >> /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from >> "::1" to "localhost" before installing the server. I did do this on >> the to-be-promoted client as well, to no avail. >> >> On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden >> wrote: >>> >>> Steve Huston wrote: Next stage of my testing was to make a replica of the FreeIPA server, and I started by doing a 'yum install ipa-server' and then moved on to adding the host to the ipaservers group. This fails every time however, with the error: ipa: ERROR: cannot connect to 'https://ipa.astro.princeton.edu/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. Searches on this seem to turn up things like expired certificates, or "reboot httpd" (I went ahead and rebooted the whole ipa server), but nothing concrete. Suggestions? Everything (server and soon-to-be replica) running RHEL7.3 with all updates. >>> See the workaround in >>> https://fedorahosted.org/freeipa/ticket/6575#comment:9 >>> >>> rob >> >> >> > -- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University |ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] New install, unsupported format?
Hello, I don't quite understand your situation - have the error happened during an addition of the host to the "ipaservers" group or during replica installation? Certutil is a wonderful piece of software that returns "(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I have never seen an actual legacy database. Usually, this error means that the directory you're pointing the certutil tool to either does not exist or you don't have the permissions to read/write in this exact directory. Cheers, Standa P.S.: I might have sent you this email twice because I am a bad person when it comes to the "Send" button, please reply to the email which has "freeipa-users" in CC :) On 02/23/2017 10:38 PM, Steve Huston wrote: I already had to do that previously to get other things to work; I had solved it by changing line 582 of /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from "::1" to "localhost" before installing the server. I did do this on the to-be-promoted client as well, to no avail. On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittendenwrote: Steve Huston wrote: Next stage of my testing was to make a replica of the FreeIPA server, and I started by doing a 'yum install ipa-server' and then moved on to adding the host to the ipaservers group. This fails every time however, with the error: ipa: ERROR: cannot connect to 'https://ipa.astro.princeton.edu/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. Searches on this seem to turn up things like expired certificates, or "reboot httpd" (I went ahead and rebooted the whole ipa server), but nothing concrete. Suggestions? Everything (server and soon-to-be replica) running RHEL7.3 with all updates. See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9 rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] New install, unsupported format?
I already had to do that previously to get other things to work; I had solved it by changing line 582 of /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from "::1" to "localhost" before installing the server. I did do this on the to-be-promoted client as well, to no avail. On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittendenwrote: > Steve Huston wrote: >> Next stage of my testing was to make a replica of the FreeIPA server, >> and I started by doing a 'yum install ipa-server' and then moved on to >> adding the host to the ipaservers group. This fails every time >> however, with the error: >> >> ipa: ERROR: cannot connect to >> 'https://ipa.astro.princeton.edu/ipa/json': >> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, >> unsupported format. >> >> Searches on this seem to turn up things like expired certificates, or >> "reboot httpd" (I went ahead and rebooted the whole ipa server), but >> nothing concrete. Suggestions? Everything (server and soon-to-be >> replica) running RHEL7.3 with all updates. >> > > See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9 > > rob -- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University |ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] New install, unsupported format?
Steve Huston wrote: > Next stage of my testing was to make a replica of the FreeIPA server, > and I started by doing a 'yum install ipa-server' and then moved on to > adding the host to the ipaservers group. This fails every time > however, with the error: > > ipa: ERROR: cannot connect to > 'https://ipa.astro.princeton.edu/ipa/json': > (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, > unsupported format. > > Searches on this seem to turn up things like expired certificates, or > "reboot httpd" (I went ahead and rebooted the whole ipa server), but > nothing concrete. Suggestions? Everything (server and soon-to-be > replica) running RHEL7.3 with all updates. > See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9 rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project