ok, again some progress.
I found this thread:
https://www.mail-archive.com/freeipa-users@redhat.com/msg21107.html
And the symptons match: this Idm environment was installed in november
2012, and has been upgraded a few times (time flies).
All the certificates are valid:
[root@kdc01 ~]$ getcert list | grep expire
expires: 2016-10-12 10:49:24 UTC
expires: 2016-10-12 10:49:25 UTC
expires: 2016-10-12 10:49:24 UTC
expires: 2018-09-03 12:24:14 UTC
expires: 2018-09-03 12:23:14 UTC
expires: 2018-09-03 12:23:14 UTC
expires: 2018-09-03 12:23:14 UTC
expires: 2018-09-03 12:23:14 UTC
root@kdc01 ~]$ pki-server ca-group-member-find "Subsystem Group"
User ID: CA-kdc01.unix.iriszorg.nl-9443
Common Name: CA-kdc01.unix.iriszorg.nl-9443
Surname: CA-kdc01.unix.iriszorg.nl-9443
Type: agentType
Description: 2;240;CN=Certificate Authority,O=UNIX.IRISZORG.NL;CN=CA
Subsystem,O=UNIX.IRISZORG.NL
E-mail:
User ID: CA-kdc02.unix.iriszorg.nl-9443
Common Name: CA-kdc02.unix.iriszorg.nl-9443
Surname: CA-kdc02.unix.iriszorg.nl-9443
Type: agentType
Description: 2;4;CN=Certificate Authority,O=UNIX.IRISZORG.NL;CN=CA
Subsystem,O=UNIX.IRISZORG.NL
so according to the posts in the mailing list thread, the description field
has the serial number of the certificates, in this case, 240 and 4
and that appears to match with this info:
[root@kdc01 ~]$ certutil -d /var/lib/pki-ca/alias/ -L -n 'subsystemCert
cert-pki-ca' | grep -i serial
Serial Number: 240 (0xf0)
Serial Number: 4 (0x4)
although the one with serial 4 is expired
So, how to procede next?
Do I need to modify the usercertificate attribute of
uid=CA-kdc01.unix.iriszorg.nl-9443,ou=people,o=ipaca?
step 1: dump cert info to temp file:
certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a >
/tmp/subsystemcert.pem
In my case, because of the expired certificate, I get 2 certificates.
step 2: strip begin/end headers of temp certificate:
echo && cat /tmp/subsystemcert.pem | sed -rn '/^-BEGIN
CERTIFICATE-$/{:1;n;/^-END
CERTIFICATE-$/b2;H;b1};:2;${x;s/\s//g;p}'
step 3: modify usercertificate attribute of
uid=CA-kdc01.unix.iriszorg.nl-9443,ou=people,o=ipaca with string generated
in step 2.
step 4: reload ipa/reboot server.
is my procedure correct?
--
regards,
Natxo
On Tue, Sep 13, 2016 at 2:39 PM, Natxo Asenjo
wrote:
>
>
> On Tue, Sep 13, 2016 at 2:10 PM, Natxo Asenjo
> wrote:
>
>> hi,
>>
>> when trying to add a replica to the Idm environment of a host running
>> centos 7 (fully patched) to an existing centos 6.8 realm I get this error:
>>
>
> ok, some progress. I found this:
>
> https://fedorahosted.org/389/ticket/470
>
> So I went ahead and rebooted the master 6.8 kdc I was replicating from and
> then it failed in the certificate server instance:
>
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpyHV1BW''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERRORCA
> configuration failed.
>
>
> But there is no /var/log/pki-ca-install.log :
>
> # ls -ltr /var/log/
> total 1708
> drwx--. 2 root root 6 Jun 10 2014 ppp
> drwxr-xr-x. 2 ntpntp 6 May 31 12:29 ntpstats
> drwx--. 2 root root 6 Jul 18 17:30 httpd
> drwxr-x---. 2 sssd sssd 6 Aug 2 18:58 sssd
> -rw---. 1 root root 0 Sep 13 13:19 tallylog
> drwx--. 3 root root 16 Sep 13 13:19 samba
> -rw---. 1 root root 0 Sep 13 13:20 spooler
> drwxr-xr-x. 2 root root 4096 Sep 13 13:23 anaconda
> drwxr-x---. 2 root root 22 Sep 13 13:23 audit
> drwxr-xr-x. 2 root root 22 Sep 13 13:23 tuned
> drwxrwx---. 2 tomcat root 25 Sep 13 13:31 tomcat
> -rw---. 1 root root 15126 Sep 13 13:31 yum.log
> -rw---. 1 root root 8786 Sep 13 13:31 ipaupgrade.log
> -rw-r--r--. 1 root root 94862 Sep 13 13:59 dmesg.old
> -rw---. 1 root root 18112 Sep 13 14:29 ipaclient-install.log
> -rw---. 1 root root 40193 Sep 13 14:29 ipaclient-uninstall.log
> -rw---. 1 root root 35796 Sep 13 14:29 ipaserver-uninstall.log
> -rw-r--r--. 1 root root 94862 Sep 13 14:30 dmesg
> -rw-r--r--. 1 root root 8591 Sep 13 14:30 boot.log
> -rw---. 1 root root 2587 Sep 13 14:30 cron
> -rw-r--r--. 1 root root200 Sep 13 14:30 wpa_supplicant.log
> -rw---. 1 root root958 Sep 13 14:30 maillog
> -rw---. 1 root utmp768 Sep 13 14:30 btmp
> -