topology question / ansible-freeipa
by Rainer Duffner
Hi,
I’m trying to install FreeIPA on CentOS 8.2 with the ansible-freeipa module.
After a few hiccups, it seems to work now.
I want to run three masters in the end.
Using the cluster-playbook, it looks like (from the Topology-Graph in the Web-GUI) that I end up with something like this:
3 <--> 1 <--> 2
Which seems to indicate that 3 does not talk to 2.
From the documentation, it looks like I want/need replication agreements between 1+2, 1+3 and 2+3 so that if 1 is down, 2 and 3 can still be updated and talk to each other.
This would - as far as I have understood the documentation - result in a playbook like this:
---
- name: Add topology segments
  hosts: ipaserver
  become: true
  gather_facts: false
  vars:
    ipatopology_segments:
      - {suffix: domain+ca, left: ipa-ansible1.ipa.example.org, right: ipa-ansible2.ipa.example.org}
      - {suffix: domain+ca, left: ipa-ansible1.ipa.example.org, right: ipa-ansible3.ipa.example.org}
      - {suffix: domain+ca, left: ipa-ansible2.ipa.example.org, right: ipa-ansible3.ipa.example.org}
  tasks:
    - name: Add topology segment
      ipatopologysegment:
        ipaadmin_password: "{{ ipaadmin_password }}"
        suffix: "{{ item.suffix }}"
        name: "{{ item.name | default(omit) }}"
        left: "{{ item.left }}"
        right: "{{ item.right }}"
        state: checked
      loop: "{{ ipatopology_segments | default([]) }}"
However, when I run that, it doesn’t seem to do anything.
Maybe somebody can add some information here?
Rainer
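As an added example (not from the original post and not ansible-freeipa code), the script below builds the full-mesh segment list described above for any number of servers and checks the property the post is after: whether the loss of any single server would leave the remaining ones unable to replicate with each other. Segments are treated as bidirectional (the module's default direction); the server names are the post's, the function names and the sample chain are constructed for this illustration.

```python
"""Generate a full-mesh FreeIPA topology segment list and check that the
topology survives the loss of any single server.

Added example; not part of the original post or of ansible-freeipa. The
segment dicts mirror the {suffix, left, right} shape used in the post's
ipatopology_segments variable; everything else is constructed here.
"""
from itertools import combinations

# Constructed sample: the three masters named in the post.
SERVERS = [
    "ipa-ansible1.ipa.example.org",
    "ipa-ansible2.ipa.example.org",
    "ipa-ansible3.ipa.example.org",
]


def full_mesh_segments(servers, suffix="domain+ca"):
    """Return one segment per unordered pair of servers, in the
    {suffix, left, right} shape the ipatopologysegment loop expects."""
    return [
        {"suffix": suffix, "left": left, "right": right}
        for left, right in combinations(sorted(servers), 2)
    ]


def _connected(nodes, segments):
    """Depth-first reachability over the undirected segment graph,
    restricted to the given nodes (segments touching other nodes are
    ignored, which models those servers being down)."""
    nodes = set(nodes)
    if not nodes:
        return True
    adj = {n: set() for n in nodes}
    for seg in segments:
        left, right = seg["left"], seg["right"]
        if left in adj and right in adj:
            adj[left].add(right)
            adj[right].add(left)
    start = next(iter(nodes))
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen == nodes


def single_points_of_failure(servers, segments):
    """Servers whose loss would split the remaining servers into
    disconnected islands, i.e. they could no longer replicate."""
    return sorted(
        s for s in servers
        if not _connected([n for n in servers if n != s], segments)
    )


def to_yaml_vars(segments):
    """Render the segments as the flow-style list used in the post's vars."""
    lines = ["ipatopology_segments:"]
    for seg in segments:
        lines.append(
            "  - {suffix: %(suffix)s, left: %(left)s, right: %(right)s}" % seg
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # The chain the Web UI showed: 3 <--> 1 <--> 2.  Server 1 is a SPOF.
    chain = [
        {"suffix": "domain+ca", "left": SERVERS[0], "right": SERVERS[1]},
        {"suffix": "domain+ca", "left": SERVERS[0], "right": SERVERS[2]},
    ]
    print("chain SPOFs:", single_points_of_failure(SERVERS, chain))
    mesh = full_mesh_segments(SERVERS)
    print("mesh SPOFs:", single_points_of_failure(SERVERS, mesh))
    print(to_yaml_vars(mesh))
```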
Unable to install KRA Replica - 4.8.7
by David Andrzejewski
I'm attempting to reinstall a replica that I had previously removed.
When I run ipa-replica-install and include the --setup-kra option, it
eventually fails. I've included the output of the ipa-replica-install
command, and the only "bad" thing I can find is the following in the
tomcat debug log:
> 2020-11-29 03:51:35 [ajp-nio-127.0.0.1-8009-exec-3] SEVERE:
addConnector: Connector is already defined
I've gone through and run ipa-healthcheck, all is well there. After
uninstalling, I couldn't find any old references to the replica in the
LDAP database. The ipa-replica-install works fine if I do not include
--setup-kra.
Any help would be appreciated. I'm happy to provide whatever additional
logs that may be needed. I've replaced my internal DNS suffix with
'example.com'.
Thanks!
- Dave
Failed to configure KRA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmpf6kaucv2', '--debug']
returned non-zero exit status 1
[pkispawn --debug output omitted]
\'request\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY (
requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $
requestOwner $ requestAgentGroup $ requestSourceId $ requestType $
requestFlag $ requestError $ userMessages $ adminMessages $ realm )
X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
transaction-oid NAME \'transaction\' DESC \'CMS defined class\' SUP top
STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus
$ transOps ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
crlIssuingPointRecord-oid NAME \'crlIssuingPointRecord\' DESC \'CMS
defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $
dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $
deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $
deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $
expiredCerts $ cACertificate ) X-ORIGIN \'user defined\' )\nINFO: Adding
objectclasses: ( certificateRecord-oid NAME \'certificateRecord\' DESC
\'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $
dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $
metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $
algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $
issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $
issuerName ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
userDetails-oid NAME \'userDetails\' DESC \'CMS defined class\' SUP top
STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $
p12Expiration ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses:
( keyRecord-oid NAME \'keyRecord\' DESC \'CMS defined class\' SUP top
STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $
keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $
dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $
publicKeyData $ archivedBy $ clientId $ dataType $ status $ realm )
X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
pkiSecurityDomain-oid NAME \'pkiSecurityDomain\' DESC \'CMS defined
class\' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN \'user defined\'
)\nINFO: Adding objectclasses: ( pkiSecurityGroup-oid NAME
\'pkiSecurityGroup\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST
cn X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
pkiSubsystem-oid NAME \'pkiSubsystem\' DESC \'CMS defined class\' SUP
top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone )
MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort
$SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN \'user defined\'
)\nINFO: Adding objectclasses: ( pkiRange-oid NAME \'pkiRange\' DESC
\'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ beginRange $
endRange $ Host $ SecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding
objectclasses: ( securityDomainSessionEntry-oid NAME
\'securityDomainSessionEntry\' DESC \'CMS defined class\' SUP top
STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate )
X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO:
Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC
\'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
\'user defined\' )\nINFO: Adding attributetypes: ( modified-oid NAME
\'modified\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenUserID-oid NAME \'tokenUserID\' DESC \'CMS
defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenStatus-oid NAME
\'tokenStatus\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenAppletID-oid NAME \'tokenAppletID\' DESC \'CMS
defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( keyInfo-oid NAME \'keyInfo\'
DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
numberOfResets-oid NAME \'numberOfResets\' DESC \'CMS defined
attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( numberOfEnrollments-oid NAME
\'numberOfEnrollments\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( numberOfRenewals-oid NAME \'numberOfRenewals\' DESC
\'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN
\'user defined\' )\nINFO: Adding attributetypes: (
numberOfRecoveries-oid NAME \'numberOfRecoveries\' DESC \'CMS defined
attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( allowPinReset-oid NAME
\'allowPinReset\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( extensions-oid NAME \'extensions\' DESC \'CMS defined
attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenOp-oid NAME \'tokenOp\'
DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenID-oid
NAME \'tokenID\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenMsg-oid NAME \'tokenMsg\' DESC \'CMS defined
attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenResult-oid NAME
\'tokenResult\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenIP-oid NAME \'tokenIP\' DESC \'CMS defined
attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenPolicy-oid NAME
\'tokenPolicy\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenIssuer-oid NAME \'tokenIssuer\' DESC \'CMS
defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenSubject-oid NAME
\'tokenSubject\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenSerial-oid NAME \'tokenSerial\' DESC \'CMS
defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenOrigin-oid NAME
\'tokenOrigin\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenType-oid NAME \'tokenType\' DESC \'CMS defined
attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenKeyType-oid NAME
\'tokenKeyType\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenReason-oid NAME \'tokenReason\' DESC \'CMS
defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( tokenNotBefore-oid NAME
\'tokenNotBefore\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
attributetypes: ( tokenNotAfter-oid NAME \'tokenNotAfter\' DESC \'CMS
defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( profileID-oid NAME
\'profileID\' DESC \'CMS defined attribute\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
objectclasses: ( tokenRecord-oid NAME \'tokenRecord\' DESC \'CMS defined
class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $
modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $
keyInfo $ tokenPolicy $ extensions $ numberOfResets $
numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $
userCertificate $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding
objectclasses: ( tokenActivity-oid NAME \'tokenActivity\' DESC \'CMS
defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $
dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $
tokenMsg $ extensions $ tokenType ) X-ORIGIN \'user defined\' )\nINFO:
Adding objectclasses: ( tokenCert-oid NAME \'tokenCert\' DESC \'CMS
defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $
dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $
tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $
tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN
\'user defined\' )\nINFO: Adding objectclasses: ( tpsProfileID-oid NAME
\'tpsProfileID\' DESC \'CMS defined class\' SUP top AUXILIARY MAY (
profileID ) X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: (
classId-oid NAME \'classId\' DESC \'Certificate profile class ID\'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO:
Adding attributetypes: ( certProfileConfig-oid NAME
\'certProfileConfig\' DESC \'Certificate profile configuration\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN \'user defined\' )\nINFO: Adding
objectclasses: ( certProfile-oid NAME \'certProfile\' DESC \'Certificate
profile\' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileConfig )
X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
authorityID-oid NAME \'authorityID\' DESC \'Authority ID\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\'
)\nINFO: Adding attributetypes: ( authorityKeyNickname-oid NAME
\'authorityKeyNickname\' DESC \'Authority key nickname\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN \'user-defined\'
)\nINFO: Adding attributetypes: ( authorityParentID-oid NAME
\'authorityParentID\' DESC \'Authority Parent ID\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\'
)\nINFO: Adding attributetypes: ( authorityEnabled-oid NAME
\'authorityEnabled\' DESC \'Authority Enabled\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\'
)\nINFO: Adding attributetypes: ( authorityDN-oid NAME \'authorityDN\'
DESC \'Authority DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE
X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
authoritySerial-oid NAME \'authoritySerial\' DESC \'Authority
certificate serial number\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
authorityParentDN-oid NAME \'authorityParentDN\' DESC \'Authority Parent
DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user
defined\' )\nINFO: Adding attributetypes: ( authorityKeyHost-oid NAME
\'authorityKeyHost\' DESC \'Authority Key Hosts\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
objectclasses: ( authority-oid NAME \'authority\' DESC \'Certificate
Authority\' SUP top STRUCTURAL MUST ( cn $ authorityID $
authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY (
authoritySerial $ authorityParentID $ authorityParentDN $
authorityKeyHost $ description ) X-ORIGIN \'user defined\' )\nINFO:
Setting up ACME schema\nINFO: Importing
/usr/share/pki/acme/database/ldap/schema.ldif\nINFO: Adding
attributetypes: ( acmeExpires-oid NAME \'acmeExpires\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING
generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding
attributetypes: ( acmeValidatedAt-oid NAME \'acmeValidatedAt\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING
generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding
attributetypes: ( acmeStatus-oid NAME \'acmeStatus\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SINGLE-VALUE
)\nINFO: Adding attributetypes: ( acmeError-oid NAME \'acmeError\'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding
attributetypes: ( acmeNonceId-oid NAME \'acmeNonceId\' SUP name
SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountId-oid NAME
\'acmeAccountId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes:
( acmeAccountContact-oid NAME \'acmeAccountContact\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch )\nINFO: Adding attributetypes: (
acmeAccountKey-oid NAME \'acmeAccountKey\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding
attributetypes: ( acmeOrderId-oid NAME \'acmeOrderId\' SUP name
SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeIdentifier-oid NAME
\'acmeIdentifier\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY
caseIgnoreMatch )\nINFO: Adding attributetypes: (
acmeAuthorizationId-oid NAME \'acmeAuthorizationId\' SUP name )\nINFO:
Adding attributetypes: ( acmeAuthorizationWildcard-oid NAME
\'acmeAuthorizationWildcard\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
EQUALITY booleanMatch SINGLE-VALUE )\nINFO: Adding attributetypes: (
acmeChallengeId-oid NAME \'acmeChallengeId\' SUP name SINGLE-VALUE
)\nINFO: Adding attributetypes: ( acmeToken-oid NAME \'acmeToken\'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\nINFO: Adding attributetypes: (
acmeCertificateId-oid NAME \'acmeCertificateId\' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SINGLE-VALUE
)\nINFO: Adding objectclasses: ( acmeNonce-oid NAME \'acmeNonce\'
STRUCTURAL MUST ( acmeNonceId $ acmeExpires ) )\nINFO: Adding
objectclasses: ( acmeAccount-oid NAME \'acmeAccount\' STRUCTURAL MUST (
acmeAccountId $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact
)\nINFO: Adding objectclasses: ( acmeOrder-oid NAME \'acmeOrder\'
STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeStatus $
acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $
acmeCertificateId $ acmeExpires ) )\nINFO: Adding objectclasses: (
acmeAuthorization-oid NAME \'acmeAuthorization\' STRUCTURAL MUST (
acmeAuthorizationId $ acmeAccountId $ acmeIdentifier $
acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires )\nINFO: Adding
objectclasses: ( acmeChallenge-oid NAME \'acmeChallenge\' ABSTRACT MUST
( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus )
MAY ( acmeValidatedAt $ acmeError ) )\nINFO: Adding objectclasses: (
acmeChallengeDns01-oid NAME \'acmeChallengeDns01\' SUP acmeChallenge
STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: (
acmeChallengeHttp01-oid NAME \'acmeChallengeHttp01\' SUP acmeChallenge
STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: (
acmeCertificate-oid NAME \'acmeCertificate\' STRUCTURAL MUST (
acmeCertificateId $ userCertificate ) MAY acmeExpires )\nINFO: Creating
indexes\nINFO: Importing /usr/share/pki/kra/conf/index.ldif\nINFO:
Creating
/var/lib/pki/pki-tomcat/temp/pki-import-25296192129415365.ldif\nINFO:
Adding cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=revokedby,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=issuedby,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add
cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=clientId,cn=index,cn=ipaca,cn=ldbm database,
cn=plugins, cn=config\nWARNING: Unable to add
cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
Adding cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=dataType,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=status,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add
cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=serialno,cn=index,cn=ipaca,cn=ldbm database,
cn=plugins, cn=config\nWARNING: Unable to add
cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
Adding cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=metaInfo,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add
cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
Adding cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=requestid,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add
cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=requeststate,cn=index,cn=ipaca,cn=ldbm database,
cn=plugins, cn=config\nWARNING: Unable to add
cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=requestowner,cn=index,cn=ipaca,cn=ldbm database,
cn=plugins, cn=config\nWARNING: Unable to add
cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=notbefore,cn=index,cn=ipaca,cn=ldbm database,
cn=plugins, cn=config\nWARNING: Unable to add
cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
Adding cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=notafter,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=duration,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add
cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database,
cn=plugins, cn=config\nWARNING: Unable to add
cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
Adding cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add
cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
Adding cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=ownername,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add
cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config\nWARNING: Unable to add
cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config: netscape.ldap.LDAPException: error result (68); Already
exists\nINFO: Adding cn=revInfo,cn=index,cn=ipaca,cn=ldbm database,
cn=plugins, cn=config\nWARNING: Unable to add
cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
Adding cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nWARNING: Unable to add cn=extension,cn=index,cn=ipaca,cn=ldbm
database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
result (68); Already exists\nINFO: Adding
cn=realm,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
cn=config\nINFO: Setting up database manager\nINFO: Importing
/usr/share/pki/server/conf/manager.ldif\nINFO: Creating
/var/lib/pki/pki-tomcat/temp/pki-import-3984013368624234966.ldif\nINFO:
Adding ou=csusers,cn=config\nWARNING: Unable to add
ou=csusers,cn=config: netscape.ldap.LDAPException: error result (68);
Already exists\nINFO: Modifying o=kra,o=ipaca\nINFO: - adding aci:
(targetattr = "*")(version 3.0; acl "cert manager access v2"; allow
(all) userdn =
"ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to
modify o=kra,o=ipaca: netscape.ldap.LDAPException: error result (20);
Type or value exists\nINFO: Modifying cn=ldbm
database,cn=plugins,cn=config\nINFO: - adding aci: (targetattr =
"*")(version 3.0; acl "Cert Manager access for VLV searches"; allow
(read) userdn="ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO:
Modifying cn=config\nINFO: - adding aci: (targetattr != "aci")(version
3.0; aci "cert manager read access"; allow (read, search, compare)
userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO:
Modifying ou=csusers,cn=config\nINFO: - adding aci: (targetattr !=
"aci")(version 3.0; aci "cert manager manage replication users"; allow
(all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO:
Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding
aci: (targetattr = "*")(version 3.0;acl "cert manager: Add Replication
Agreements";allow (add) userdn =
"ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to
modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config:
netscape.ldap.LDAPException: error result (32); No such object\nINFO:
Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding
aci: (targetattr =
"*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
3.0; acl "cert manager: Modify Replication Agreements"; allow (read,
write, search) userdn =
"ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to
modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config:
netscape.ldap.LDAPException: error result (32); No such object\nINFO:
Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding
aci: (targetattr =
"*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
3.0;acl "cert manager: Remove Replication Agreements";allow (delete)
userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING:
Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config:
netscape.ldap.LDAPException: error result (32); No such object\nINFO:
Modifying cn=tasks,cn=config\nINFO: - adding aci: (targetattr =
"*")(version 3.0; acl "cert manager: Run tasks after replica
re-initialization"; allow (add) userdn =
"ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Creating VLV
indexes\nINFO: Importing /usr/share/pki/kra/conf/vlv.ldif\nINFO:
Creating
/var/lib/pki/pki-tomcat/temp/pki-import-1261970238527115258.ldif\nINFO:
Adding cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm
database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcat,
cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm
database, cn=plugins, cn=config\nINFO: Adding
cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcat,
cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca,
cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcat, cn=ipaca,
cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcat,
cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
cn=allKeys-pki-tomcatIndex, cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm
database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcatIndex,
cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraArchival-pki-tomcatIndex,
cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraRecovery-pki-tomcatIndex,
cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraCanceled-pki-tomcatIndex,
cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcatIndex,
cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding
cn=kraCanceledRecovery-pki-tomcatIndex,
cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcatIndex,
cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcatIndex,
cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding
cn=kraRejectedRecovery-pki-tomcatIndex,
cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcatIndex,
cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcatIndex,
cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Adding
cn=kraCompleteRecovery-pki-tomcatIndex,
cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
cn=plugins, cn=config\nINFO: Rebuilding VLV indexes\nINFO: Creating
/var/lib/pki/pki-tomcat/temp/pki-kra-reindex-8248341685647863582.ldif\nINFO:
Adding cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Waiting
for task cn=index1160527115, cn=index, cn=tasks, cn=config (1s)\nINFO:
Getting cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Task
cn=index1160527115, cn=index, cn=tasks, cn=config complete\nFINE:
PKIClientSocketListener.alertReceived: begins\nFINE: SSL alert
received:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE:
- server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger:
event CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
PKIClientSocketListener.alertReceived:
CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
PKIClientSocketListener.alertReceived: clientIP=10.1.1.7
serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE:
PKIClientSocketListener.alertSent: begins\nFINE:
PKIClientSocketListener.alertSent: got description:0\nFINE:
PKIClientSocketListener.alertSent: got reason:CLOSE_NOTIFY\nFINE:
PKIClientSocketListener.alertSent:
CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7
serverPort=636 reason=CLOSE_NOTIFY\nFINE: SSL alert sent:\nFINE: -
reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server:
10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
PKIClientSocketListener.alertSent:
CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE\nFINE:
PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7
serverPort=636 reason=CLOSE_NOTIFY\nINFO: Updating ranges for KRA
clone\nINFO: Updating request ID range\nDEBUG: Command: pki -d
/etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U
https://ipa2.example.com:443 kra-range-request request --session
7645071616159216931 --output-format json --debug\nINFO: Connecting to
https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info
HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host:
ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server
certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response:
HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:24
GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length:
196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection:
Keep-Alive\nINFO: Content-Type: text/html;
charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO:
Requesting request range\nINFO: HTTP request: POST
/kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type:
application/x-www-form-urlencoded\nINFO: Content-Length: 57\nINFO:
Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP
response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:25
GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type:
application/xml\nINFO: Content-Length: 165\nINFO: Keep-Alive:
timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response:
<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>0</Status><beginNumber>99980001</beginNumber><endNumber>99990000</endNumber></XMLResponse>\nFINE:
Status: 0\nINFO: Begin: 99980001\nINFO: End: 99990000\nINFO: Updating
serial number range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f
/etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443
kra-range-request serialNo --session 7645071616159216931 --output-format
json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO:
HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept:
application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection:
Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5
(Java/1.8.0_272)\nINFO: Server certificate:
CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not
Found\nINFO: Date: Sun, 29 Nov 2020 07:38:28 GMT\nINFO: Server:
Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7
mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive:
timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO:
Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get
server info: Not Found\nINFO: Requesting serialNo range\nINFO: HTTP
request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO:
Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length:
58\nINFO: Host: ipa2.example.com:443\nINFO: Connection:
Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5
(Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date:
Sun, 29 Nov 2020 07:38:29 GMT\nINFO: Server: Apache/2.4.43 (Fedora)
OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO:
Content-Type: application/xml\nINFO: Content-Length: 167\nINFO:
Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE:
Response: <?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>0</Status><beginNumber>11ffe0001</beginNumber><endNumber>11fff0000</endNumber></XMLResponse>\nFINE:
Status: 0\nINFO: Begin: 11ffe0001\nINFO: End: 11fff0000\nINFO: Updating
replica ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f
/etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443
kra-range-request replicaId --session 7645071616159216931
--output-format json --debug\nINFO: Connecting to
https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info
HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host:
ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server
certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response:
HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:32
GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length:
196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection:
Keep-Alive\nINFO: Content-Type: text/html;
charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO:
Requesting replicaId range\nINFO: HTTP request: POST
/kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type:
application/x-www-form-urlencoded\nINFO: Content-Length: 59\nINFO:
Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP
response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:32
GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type:
application/xml\nINFO: Content-Length: 157\nINFO: Keep-Alive:
timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response:
<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>0</Status><beginNumber>1285</beginNumber><endNumber>1289</endNumber></XMLResponse>\nFINE:
Status: 0\nINFO: Begin: 1285\nINFO: End: 1289\nINFO: Storing subsystem
config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry
config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Updating
configuration for KRA clone\nINFO: Updating configuration\nDEBUG:
Command: pki -d /etc/pki/pki-tomcat/alias -f
/etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443
kra-config-export --names
internaldb.ldapauth.password,internaldb.replication.password,cloning.ca.type
--substores
internaldb,internaldb.ldapauth,internaldb.ldapconn,kra.transport,kra.storage,kra.subsystem,kra.audit_signing
--session 7645071616159216931 --output-format json --debug\nINFO:
Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET
/pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host:
ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server
certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response:
HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:36
GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length:
196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection:
Keep-Alive\nINFO: Content-Type: text/html;
charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO:
Getting configuration properties\nINFO: HTTP request: POST
/kra/admin/kra/getConfigEntries HTTP/1.1\nINFO: Content-Type:
application/x-www-form-urlencoded\nINFO: Content-Length: 269\nINFO:
Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP
response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:36
GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type:
application/xml\nINFO: Content-Length: 10909\nINFO: Keep-Alive:
timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Status:
0\nINFO: Properties:\nINFO: - internaldb._000\nINFO: -
internaldb._001\nINFO: - internaldb._002\nINFO: -
internaldb.basedn\nINFO: - internaldb.database\nINFO: -
internaldb.maxConns\nINFO: - internaldb.minConns\nINFO: -
internaldb.ldapauth.authtype\nINFO: - internaldb.ldapauth.bindDN\nINFO:
- internaldb.ldapauth.bindPWPrompt\nINFO: -
internaldb.ldapauth.clientCertNickname\nINFO: -
internaldb.ldapconn.host\nINFO: - internaldb.ldapconn.port\nINFO: -
internaldb.ldapconn.secureConn\nINFO: - kra.transport.cert\nINFO: -
kra.transport.certreq\nINFO: - kra.transport.nickname\nINFO: -
kra.transport.tokenname\nINFO: - kra.storage.cert\nINFO: -
kra.storage.certreq\nINFO: - kra.storage.nickname\nINFO: -
kra.storage.tokenname\nINFO: - kra.subsystem.cert\nINFO: -
kra.subsystem.certreq\nINFO: - kra.subsystem.dn\nINFO: -
kra.subsystem.nickname\nINFO: - kra.subsystem.tokenname\nINFO: -
kra.audit_signing.cert\nINFO: - kra.audit_signing.certreq\nINFO: -
kra.audit_signing.nickname\nINFO: - kra.audit_signing.tokenname\nINFO: -
internaldb.replication.password\nINFO: - cloning.ca.type\nINFO: Storing
subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing
registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO:
Restarting server\nDEBUG: Command: systemctl restart
pki-tomcatd(a)pki-tomcat.service\nINFO: FIPS mode is not enabled\nINFO:
Subsystem status: running\nINFO: Configuring KRA subsystem\nINFO:
Setting up clone\nINFO: Creating clone setup
request\n/usr/lib/python3.6/site-packages/urllib3/connection.py:362:
SubjectAltNameWarning: Certificate for ipa.example.com has no
`subjectAltName`, falling back to check for a `commonName` for now. This
feature is being removed by major browsers and deprecated by RFC 2818.
(See https://github.com/shazow/urllib3/issues/497 for details.)\n
SubjectAltNameWarning\nINFO: Setting up database\nINFO: Creating
database setup request\nINFO: Getting sslserver cert info from
CS.cfg\nINFO: Getting sslserver cert info from NSS database\nDEBUG:
Command: certutil -L -d /etc/pki/pki-tomcat/alias -f
/tmp/tmpl_0lpu4u/password.txt -n Server-Cert cert-pki-ca -a\nDEBUG:
Command: certutil -L -d /etc/pki/pki-tomcat/alias -f
/tmp/tmpef27un35/password.txt\nINFO: Setting up transport
certificate\nINFO: transport certificate is already set up\nINFO:
Setting up storage certificate\nINFO: storage certificate is already set
up\nINFO: Setting up sslserver certificate\nINFO: sslserver certificate
is already set up\nINFO: Setting up subsystem certificate\nINFO:
subsystem certificate is already set up\nINFO: Setting up audit_signing
certificate\nINFO: audit_signing certificate is already set up\nINFO:
Backing up keys into
/etc/pki/pki-tomcat/alias/kra_backup_keys.p12\nDEBUG: Command:
pki-server subsystem-cert-export kra -i pki-tomcat --pkcs12-file
/etc/pki/pki-tomcat/alias/kra_backup_keys.p12 --pkcs12-password-file
/tmp/tmpdeq3qnpk/password.txt\nINFO: Setting up security domain\nINFO:
Creating security domain setup request\nINFO: Finalizing KRA
configuration\nINFO: Creating finalize config request\n')
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
[error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
KRA configuration failed.
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
[root@ipa]~#
ipa failed to start after reboot
by Paul-Henri Hons
Hello,
I'm on Centos8 with freeipa installed for several months in lxc containers (2 containers with replication). I've installed custom certificates from letsencrypt for httpd and slapd and they're valid till january 2021. Yesterday, I restarted the containers and on both, Directory service failed to start. The log is below. Can someone help me to find the right direction to solve it? All my services heavily depend on it :-(
Thanks in advance,
Paul-Henri
[30/Nov/2020:08:16:06.423512539 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[30/Nov/2020:08:16:06.440854922 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.469627909 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[30/Nov/2020:08:16:06.499234923 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.526831242 +0000] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[30/Nov/2020:08:16:06.555048556 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[30/Nov/2020:08:16:06.591310772 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.653648267 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[30/Nov/2020:08:16:06.686970459 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.716504472 +0000] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[30/Nov/2020:08:16:06.773674674 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[30/Nov/2020:08:16:06.807784636 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.848156076 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[30/Nov/2020:08:16:06.881073427 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.910055086 +0000] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[30/Nov/2020:08:16:06.974353372 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[30/Nov/2020:08:16:07.039826294 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.152097703 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.172262353 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.204863801 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.215156151 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.216821135 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.219650834 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.238011898 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.249040534 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.274750517 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.283165976 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.290449211 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.309211301 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.344580813 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.371243332 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.381258115 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.442193236 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.464066203 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.479286324 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=hoah,dc=ch does not exist
[30/Nov/2020:08:16:07.594646290 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2020:08:16:07.629034110 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=hoah,dc=ch--no CoS Templates found, which should be added before the CoS Definition.
[30/Nov/2020:08:16:07.651839151 +0000] - ERR - ipalockout_get_global_config - [file ipa_lockout.c, line 178]: krb5_init_context failed (-1429577697)
[30/Nov/2020:08:16:07.685167130 +0000] - ERR - ipaenrollment_start - [file ipa_enrollment.c, line 398]: krb5_init_context failed
[30/Nov/2020:08:16:07.713369817 +0000] - ERR - ipapwd_start - [file ipa_pwd_extop.c, line 1857]: krb5_init_context failed
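The two ERR lines in the log above say what went wrong: 389-ds keeps each backend's attribute-encryption key wrapped with the key pair behind the server certificate (the one named by nsSSLPersonalitySSL), and once that certificate is replaced by one with a different key pair, as happens when an externally issued certificate is installed, the wrapped key can no longer be unwrapped and every backend that uses attribute encryption fails to initialise. The following is an added example, not code from the post or from the 389-ds project, that runs the check a practitioner would want over the errors log: it parses the log format shown above, counts unwrap failures per cipher and per backend (attrcrypt_init logs its "Please disable attribute encryption" line once per affected backend), and reports the krb5_init_context failures separately because the log does not say whether they share a cause. The log lines embedded in it are constructed to mirror the ones in the post, with a placeholder DN.

```python
import re
from collections import Counter

# Constructed sample in the 389-ds errors-log format shown in the post above
# (one backend's start-up sequence plus a few unrelated lines). Placeholder DN.
SAMPLE_ERRORS_LOG = """\
[30/Nov/2020:08:16:06.423512539 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[30/Nov/2020:08:16:06.440854922 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.469627909 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[30/Nov/2020:08:16:06.499234923 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/Nov/2020:08:16:06.526831242 +0000] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[30/Nov/2020:08:16:06.974353372 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[30/Nov/2020:08:16:07.039826294 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=test does not exist
[30/Nov/2020:08:16:07.651839151 +0000] - ERR - ipalockout_get_global_config - [file ipa_lockout.c, line 178]: krb5_init_context failed (-1429577697)
"""

# "[timestamp] - SEVERITY - source - message"; the source is taken up to the
# first " - " so hyphenated plugin names such as schema-compat-plugin survive.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?P<src>.+?) - (?P<msg>.*)$")
UNWRAP_RE = re.compile(r"Failed to unwrap key for cipher (?P<cipher>\S+)")


def parse_line(line):
    """Split one errors-log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def verdict(backends_failed, wrap_key_mismatch):
    """Turn the counts into the one-line conclusion the log itself points at."""
    if backends_failed == 0:
        return "no attribute-encryption start-up failure found"
    if wrap_key_mismatch:
        return ("%d backend(s) cannot unwrap their attribute-encryption key with the "
                "current server key pair (certificate/key changed since the key was "
                "wrapped); keep the wrapped key value and either make the original "
                "key pair available again or disable attribute encryption, as the "
                "server advises" % backends_failed)
    return "%d backend(s) failed attribute-encryption init for another reason" % backends_failed


def summarize_attrcrypt(log_text):
    """Count attribute-encryption key-unwrap failures per cipher and per backend.

    attrcrypt_init logs "All prepared ciphers are not available" once per backend
    whose wrapped key could not be recovered, so that count is the number of
    affected backends. krb5_init_context failures are counted on the side.
    """
    per_cipher = Counter()
    wrap_key_mismatch = 0
    backends_failed = 0
    krb5_failed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, msg = rec["src"], rec["msg"]
        if src == "attrcrypt_unwrap_key":
            m = UNWRAP_RE.search(msg)
            if m:
                per_cipher[m.group("cipher")] += 1
        elif src == "attrcrypt_cipher_init" and "failed to unwrap with the private key" in msg:
            wrap_key_mismatch += 1
        elif src == "attrcrypt_init" and "Please disable attribute encryption" in msg:
            backends_failed += 1
        elif "krb5_init_context failed" in msg:
            krb5_failed += 1
    return {
        "unwrap_failures_per_cipher": dict(per_cipher),
        "private_key_mismatch": wrap_key_mismatch,
        "backends_without_attrcrypt": backends_failed,
        "krb5_init_failures": krb5_failed,
        "verdict": verdict(backends_failed, wrap_key_mismatch),
    }


if __name__ == "__main__":
    # Against a live instance: summarize_attrcrypt(open("/var/log/dirsrv/slapd-<INSTANCE>/errors").read())
    for key, value in summarize_attrcrypt(SAMPLE_ERRORS_LOG).items():
        print(f"{key}: {value}")
```

On the log in the post the AES/3DES pair and the attrcrypt_init line repeat three times, so the same summary would report three affected backends. The wrapped key value the server tells you to keep is the only way back to the encrypted attributes, so do not regenerate or delete it before deciding between restoring the old key pair and disabling attribute encryption.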
ipa-client-automount server query
by Scott Dungan
When attempting to setup a domain client to query the domain for automounts, we see the following:
ipa-client-automount --location=default
Searching for IPA server...
Autodiscovery was successful but didn't return a server
If we specify a server it works:
ipa-client-automount --location=default --server idm1.domain.com
IPA server: idm1.domain.com
Location: default
Continue to configure the system with these values? [no]:
This implies that the client will only query this server for automount entries, rather than all IPA replicas, so therefore it is not a redundant configuration. My question is how to populate DNS entries so that the command can find the server(s) automatically. We are using an external DNS service, so this may explain why the command is unable to find automount servers?
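Autodiscovery in the IPA client tools, ipa-client-automount included, is driven by DNS: the client looks up the `_ldap._tcp.<domain>` SRV record and treats every target it returns as a candidate server, so with an external DNS service the way to get redundant discovery is to publish the same SRV records an IPA-managed zone would carry, one per server, rather than to pin a single --server. The following is an added example, not code from the post or from FreeIPA, that generates the discovery records FreeIPA documents for a list of servers, orders an SRV answer set the way a client tries it, and reports which servers an existing zone fails to advertise under `_ldap._tcp`. The domain, realm and hostnames are placeholders, not the ones from the post.

```python
import re

# Constructed placeholders (not the hosts or domain from the post)
DOMAIN = "ipa.example.test"
REALM = "IPA.EXAMPLE.TEST"
SERVERS = ["idm1.ipa.example.test", "idm2.ipa.example.test"]

# SRV names FreeIPA publishes for client discovery, with the service port.
SRV_SERVICES = [
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
]

# "<owner> [ttl] IN SRV <priority> <weight> <port> <target>"
SRV_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def discovery_records(domain, realm, servers, ttl=86400, priority=0, weight=100):
    """Zone-file lines advertising every server under every discovery name.

    Equal priority and weight mean a client may pick any of them, which is what
    makes the setup redundant; the _kerberos TXT record names the realm.
    """
    lines = []
    for name, port in SRV_SERVICES:
        for host in servers:
            lines.append(f"{name}.{domain}. {ttl} IN SRV {priority} {weight} {port} {host}.")
    lines.append(f'_kerberos.{domain}. {ttl} IN TXT "{realm}"')
    return lines


def parse_srv(lines, name):
    """(priority, weight, port, target) for every SRV line with that owner name."""
    answers = []
    for line in lines:
        m = SRV_LINE_RE.match(line)
        if m and m.group("name").rstrip(".").lower() == name.rstrip(".").lower():
            answers.append((int(m.group("prio")), int(m.group("weight")),
                            int(m.group("port")), m.group("target").rstrip(".")))
    return answers


def candidate_servers(answers):
    """Order SRV answers as a client tries them: lowest priority first.

    RFC 2782 picks randomly within one priority, weighted by the weight field;
    this deterministic version puts higher weights first for reproducibility.
    """
    return [t for (_p, _w, _port, t) in sorted(answers, key=lambda a: (a[0], -a[1], a[3]))]


def unadvertised_servers(zone_lines, domain, servers):
    """Servers a client can never discover because _ldap._tcp does not list them."""
    advertised = set(candidate_servers(parse_srv(zone_lines, f"_ldap._tcp.{domain}")))
    return [s for s in servers if s not in advertised]


if __name__ == "__main__":
    zone = discovery_records(DOMAIN, REALM, SERVERS)
    print("\n".join(zone))
    # Constructed "what the external DNS actually serves": only idm1 is published
    partial = [line for line in zone if "idm2" not in line]
    print("missing from _ldap._tcp:", unadvertised_servers(partial, DOMAIN, SERVERS))
```

On a server you can print the authoritative record set for your own deployment with `ipa dns-update-system-records --dry-run` (or write it as an nsupdate file with `--out`) and hand it to whoever runs the external zone; once `_ldap._tcp` lists every replica, `ipa-client-automount --location=default` finds them without `--server`.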
Re: subsystemCert appears out of date
by Florence Blanc-Renaud
On 11/27/20 11:54 AM, Marc Pearson | i-Neda Ltd wrote:
> Hi Flo,
>
> I've raised that issue as requested including this full email chain so far:
>
> https://pagure.io/freeipa/issue/8600
>
> Sorry to seem dense, but ssl certs and keys are definitely not my strong suit, and the whole freeipa setup we have was sort of dumped on me when my colleague who was looking after this left the company. Would you be able to be a bit more specific on what I need to do to try and work around this issue, or point me in the correct direction so that I'm able to figure out (and hopefully learn more of the freeipa workings) the steps to attempt this workaround.
>
Hi,
The directory server is using a server certificate on port 636 for SSL
communications. The certificate is stored in a NSS database located in
/etc/dirsrv/slap-XXX/, with a nickname configured in
/etc/dirsrv/slap-XXX/dse.ldif:
-----
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLActivation: on
nsSSLPersonalitySSL: Server-Cert <<<< cert nickname
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule
[...]
-----
We can find a cert with this nickname in the NSS DB:
-----
# certutil -L -d /etc/dirsrv/slapd-XXX
Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI

Server-Cert                             u,u,u
XXX IPA CA                              CT,C,C
-----
In a usual setup, the nickname is "Server-Cert", but in your NSS DB I
didn't see any certificate with this nickname. I assume that the cert
nickname is "CN=*.int.i-neda.com" because it's the only one in the
database with the trust attributes u,u,u (u means that there is also a
private key associated with the certificate and the ldap server needs
access to the private key in order to use the cert as a Server Certificate).
It's totally ok to use a different nickname, as long as the
nsSSLPersonalitySSL value is the same as the nickname in the NSS DB.
Except that ipa-cert-fix doesn't take this into account and hardcodes
the nickname "Server-Cert":
https://pagure.io/freeipa/blob/master/f/ipaserver/install/ipa_cert_fix.py...
You can either wait for a fix in ipa-cert-fix, or apply a workaround
which consists in renaming the certificate into "Server-Cert".
In order to do that:
Stop the LDAP server
# systemctl stop dirsrv@INT-I-NEDA-COM
Start with a backup the existing dse.ldif and NSSDB:
# cp /etc/dirsrv/slapd-INT-I-NEDA-COM/dse.ldif /path/to/backup
# cp /etc/dirsrv/slapd-INT-I-NEDA-COM/*.db /path/to/backup
Edit /etc/dirsrv/slapd-INT-I-NEDA-COM/dse.ldif and replace the
certificate nickname with Server-Cert (find the line containing
nsSSLPersonalitySSL):
nsSSLPersonalitySSL: Server-Cert
Rename the certificate in the NSSDB:
# certutil -d /etc/dirsrv/slapd-INT-I-NEDA-COM/ --rename -n <old name> --new-n Server-Cert
Restart LDAP server
# systemctl start dirsrv@INT-I-NEDA-COM
At this point you should be able to use ipa-cert-fix.
HTH,
flo
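The check described in the reply above, that nsSSLPersonalitySSL in dse.ldif names a certificate which exists in the instance's NSS database with a private key (trust flags u,u,u), is easy to automate before running ipa-cert-fix, which on this version hardcodes the nickname Server-Cert. The following is an added example, not code from the thread or from FreeIPA, that parses a dse.ldif fragment and the output of `certutil -L`, verifies that the configured nickname is present and has a key, and, when the configuration is consistent but uses a non-default nickname, prints the rename steps from the reply. The instance name, nicknames and listing embedded in it are constructed to mirror the thread.

```python
import re

# Constructed dse.ldif fragment: the server is configured with a non-default nickname.
SAMPLE_DSE_LDIF = """\
dn: cn=encryption,cn=config
cn: encryption
objectClass: top
objectClass: nsEncryptionConfig

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLActivation: on
nsSSLPersonalitySSL: CN=*.example.test
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule
"""

# Constructed `certutil -L -d /etc/dirsrv/slapd-EXAMPLE-TEST` output.
SAMPLE_CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB   C,,
EXAMPLE.TEST IPA CA                                          CT,C,C
CN=*.example.test                                            u,u,u
"""

INSTANCE_DIR = "/etc/dirsrv/slapd-EXAMPLE-TEST"   # placeholder instance directory
DEFAULT_NICKNAME = "Server-Cert"                   # the nickname ipa-cert-fix expects

# certutil -L rows: nickname, two or more spaces, then the "SSL,S/MIME,JAR/XPI" flags
CERT_LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def ldif_entries(text):
    """Yield {attr: [values]} per LDIF entry, unfolding continuation lines."""
    entry, prev = {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and prev is not None:       # folded continuation line
            entry[prev][-1] += raw[1:]
            continue
        if not raw.strip():
            if entry:
                yield entry
            entry, prev = {}, None
            continue
        attr, _, value = raw.partition(":")
        entry.setdefault(attr, []).append(value.strip())
        prev = attr


def configured_nickname(dse_text):
    """Nickname the LDAP server presents on 636: nsSSLPersonalitySSL of cn=RSA,cn=encryption,cn=config."""
    for e in ldif_entries(dse_text):
        if e.get("dn", [""])[0].lower() == "cn=rsa,cn=encryption,cn=config":
            return e.get("nsSSLPersonalitySSL", [None])[0]
    return None


def nss_listing(certutil_text):
    """Map nickname -> trust flags from `certutil -L` output (a repeated nickname keeps its last row)."""
    certs = {}
    for line in certutil_text.splitlines():
        m = CERT_LINE_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def has_private_key(trust):
    """'u' in the SSL trust column means the NSS DB also holds the matching private key."""
    return "u" in trust.split(",")[0]


def check_ldap_server_cert(dse_text, certutil_text, instance_dir=INSTANCE_DIR):
    nick = configured_nickname(dse_text)
    certs = nss_listing(certutil_text)
    instance = instance_dir.rsplit("slapd-", 1)[1]
    report = {"configured": nick, "present": nick in certs,
              "has_key": nick in certs and has_private_key(certs[nick]),
              "ipa_cert_fix_ready": False, "fix": []}
    if not report["present"]:
        report["fix"].append("nsSSLPersonalitySSL names a certificate that is not in the NSS DB; fix dse.ldif first")
        return report
    if not report["has_key"]:
        report["fix"].append("certificate %r has no private key (trust %s); the LDAP server cannot use it" % (nick, certs[nick]))
        return report
    if nick == DEFAULT_NICKNAME:
        report["ipa_cert_fix_ready"] = True
        return report
    # Consistent but non-default nickname: the rename workaround from the reply above.
    report["fix"] = [
        "systemctl stop dirsrv@%s" % instance,
        "cp %s/dse.ldif %s/*.db /path/to/backup" % (instance_dir, instance_dir),
        "sed -i 's/^nsSSLPersonalitySSL: .*/nsSSLPersonalitySSL: %s/' %s/dse.ldif" % (DEFAULT_NICKNAME, instance_dir),
        "certutil -d %s --rename -n '%s' --new-n %s" % (instance_dir, nick, DEFAULT_NICKNAME),
        "systemctl start dirsrv@%s" % instance,
    ]
    return report


if __name__ == "__main__":
    for key, value in check_ldap_server_cert(SAMPLE_DSE_LDIF, SAMPLE_CERTUTIL_L).items():
        print(f"{key}: {value}")
```

The printed steps keep the order from the reply for a reason: dse.ldif is rewritten by the directory server on shutdown, so the edit has to happen while the instance is stopped, and the certificate rename has to land before the restart or the server comes up on 636 with no usable certificate.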
> Thanks for all the help so far, it's been much appreciated.
>
> Kind Regards,
>
> Marc.
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: 24 November 2020 10:45
> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>
> On 11/24/20 10:50 AM, Marc Pearson | i-Neda Ltd wrote:
>> Thanks Flo,
>>
>> I'm surprised I didn't catch that typo:
>>
>> certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
>>
>> Certificate Nickname                                                                                       Trust Attributes
>>                                                                                                            SSL,S/MIME,JAR/XPI
>>
>> CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE                           C,,
>> CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB         C,,
>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB  C,,
>> comodoCA                                                                                                   C,,
>> INT.I-NEDA.COM IPA CA                                                                                      CT,C,C
>> INT.I-NEDA.COM IPA CA                                                                                      CT,C,C
>> INT.I-NEDA.COM IPA CA                                                                                      CT,C,C
>> CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB             C,,
>> CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB             C,,
>> comodoCA2                                                                                                  C,,
>> INT.I-NEDA.COM IPA CA                                                                                      CT,C,C
>> INT.I-NEDA.COM IPA CA                                                                                      CT,C,C
>> comodoCA                                                                                                   C,,
>> CN=*.int.i-neda.com                                                                                        u,u,u
>> INT.I-NEDA.COM IPA CA                                                                                      CT,C,C
>>
> Ok, so I think the issue with ipa-cert-fix comes from the fact that the LDAP server cert is not called 'Server-Cert' but rather 'CN=*.int.i-neda.com' - you can check with the following command:
> # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-INT-I-NEDA-COM/dse.ldif
>
> Can you log an issue at https://pagure.io/freeipa/new_issue ?
> When the LDAP server cert doesn't have the default name, ipa-cert-fix fails.
> A possible workaround would be to rename the cert in the NSSDB to 'Server-Cert' with certutil --rename but you will also need to update the dse.ldif file (stop ds, edit, start ds). This will allow you to use ipa-cert-fix and hopefully to move forward.
>
> flo
>> Marc.
>>
>> -----Original Message-----
>> From: Florence Blanc-Renaud <flo(a)redhat.com>
>> Sent: 24 November 2020 09:01
>> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users
>> list <freeipa-users(a)lists.fedorahosted.org>
>> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>>
>> On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote:
>>> Hi Flo,
>>>
>>> I'm getting a database error when running that command:
>>>
>>> # certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM
>>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>>>
>> Sorry, I made a typo, it should be dirsrv, not dirsrc:
>> # certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
>>
>> flo
>>>
>>> Not sure if that's of any help?
>>>
>>> Marc.
>>>
>>> -----Original Message-----
>>> From: Florence Blanc-Renaud <flo(a)redhat.com>
>>> Sent: 21 November 2020 19:06
>>> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users
>>> list <freeipa-users(a)lists.fedorahosted.org>
>>> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>>>
>>> On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:
>>>> Hi Flo,
>>>>
>>>> Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
>>>>
>>>> [root@red-auth01 ~]# ipa-cert-fix
>>>> Failed to get Server-Cert
>>>> The ipa-cert-fix command failed.
>>>>
>>> Hi,
>>> I failed to notice the first time but there is no tracking for the LDAP cert that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of # certutil -L -d /etc/dirsrc/slapd-$DOMAIN You should see Server-Cert (=the ldap server certificate), or maybe a different nickname is used?
>>>
>>> flo
>>>
>>>> From the message log:
>>>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>> Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>> Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>>>
>>>> Any advice?
>>>>
>>>> Marc.
>>>>
>>>> -----Original Message-----
>>>> From: Florence Blanc-Renaud <flo(a)redhat.com>
>>>> Sent: 17 November 2020 10:57
>>>> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users
>>>> list <freeipa-users(a)lists.fedorahosted.org>
>>>> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>>>>
>>>> On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
>>>>> Hi Flo,
>>>>>
>>>>> Thanks for the help. Included is the output of all the commands as
>>>>> you requested. These were all run from a single freeIPA server (red-auth01).
>>>>>
>>>>> kinit admin; ipa server-role-find --role "CA server"
>>>>> Password for admin@INT.I-NEDA.COM:
>>>>> ----------------------
>>>>> 8 server roles matched
>>>>> ----------------------
>>>>>   Server name: power-auth03.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>>
>>>>>   Server name: power-auth04.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: absent
>>>>>
>>>>>   Server name: red-auth01.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>>
>>>>>   Server name: red-auth02.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>>
>>>>>   Server name: red-auth03.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>>
>>>>>   Server name: red-auth04.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>>
>>>>>   Server name: white-auth01.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>>
>>>>>   Server name: white-auth02.int.i-neda.com
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>> ----------------------------
>>>>> Number of entries returned 8
>>>>> ----------------------------
>>>>>
>>>>>
>>>>> kinit admin; ipa config-show | grep "renewal"
>>>>> Password for admin@INT.I-NEDA.COM:
>>>>>   IPA CA renewal master: red-auth01.int.i-neda.com
>>>>>
>>>>>
>>>>> rpm -qa | grep ipa-server
>>>>> ipa-server-common-4.6.8-5.el7.centos.noarch
>>>>> ipa-server-4.6.8-5.el7.centos.x86_64
>>>>> ipa-server-dns-4.6.8-5.el7.centos.noarch
>>>>>
>>>>>
>>>>> getcert list
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '20171101175244':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>>>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>>>> CA: SelfSign
>>>>> issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>>>> expires: 2021-08-10 14:04:07 UTC
>>>>> principal name: krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM
>>>>> certificate template/profile: KDCs_PKINIT_Certs
>>>>> pre-save command:
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> Request ID '20180722081853':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>>> subject: CN=CA Audit,O=INT.I-NEDA.COM
>>>>> expires: 2022-09-16 12:36:41 UTC
>>>>> key usage: digitalSignature,nonRepudiation
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "auditSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> Request ID '20180722081854':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>>> subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
>>>>> expires: 2022-09-16 12:35:31 UTC
>>>>> eku: id-kp-OCSPSigning
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "ocspSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20180722081855':
>>>>> status: CA_UNREACHABLE
>>>>> ca-error: Error 58 connecting to
>>>>> https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview:
>>>>> Problem with the local SSL certificate.
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>>> subject: CN=CA Subsystem,O=INT.I-NEDA.COM
>>>>> expires: 2020-10-24 07:04:35 UTC
>>>>> key usage:
>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "subsystemCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> Request ID '20180722081856':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>>> subject: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>>> expires: 2040-10-10 07:51:04 UTC
>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "caSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> Request ID '20180722081857':
>>>>> status: CA_UNREACHABLE
>>>>> ca-error: Error 58 connecting to
>>>>> https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview:
>>>>> Problem with the local SSL certificate.
>>>>> stuck: no
>>>>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>>>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>>> subject: CN=IPA RA,O=INT.I-NEDA.COM
>>>>> expires: 2020-10-24 07:03:24 UTC
>>>>> key usage:
>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> Request ID '20180722081858':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>>>> expires: 2021-02-09 11:59:57 UTC
>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> Request ID '20200530130439':
>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>> stuck: yes
>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>>> CA: IPA
>>>>> issuer:
>>>>> subject:
>>>>> expires: unknown
>>>>> pre-save command:
>>>>> post-save command:
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>> Hi Marc,
>>>>
>>>> so the current situation is the following:
>>>> - red-auth01 is the renewal master, with multiple replicas hosting the CA role.
>>>> - on this server, 'subsystemCert cert-pki-ca' is expired (expires:
>>>> 2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires:
>>>> 2020-10-24 07:03:24 UTC).
>>>> - there is also an issue with the tracking of the cert used by HTTP
>>>>
>>>> But one of your comments is puzzling me:
>>>>
>>>>> The signing SSL (int.i-neda.com) is a full wildcard block chain
>>>>> that is authorized by a recognised 3rd party. It's worth noting
>>>>> though, that we had some issues with the block chain back in April
>>>>> as the third party's block chain expired. So it's possible that
>>>>> this is as a result of that issue, and may require some fettling to resolve. All help is appreciated.
>>>> Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?
>>>>
>>>> According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.
>>>>
>>>> As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server:
>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#renewing-expired-system-certificate-when-idm-is-offline
>>>>
>>>> Once the systems are up again, you can switch back to an externally-signed ipa CA:
>>>> - import the external CA chain using ipa-cacert-manage install + run
>>>> ipa-certupdate on all the ipa nodes
>>>> - switch to externally-signed CA with ipa-cacert-manage renew
>>>> --external-ca command
>>>> (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#manual-cert-renewal-ext)
>>>>
>>>> HTH,
>>>> flo
>>>>>
>>>>> My current temporary workaround is to set the local clock of the OS
>>>>> back by over a month so the server believes the expired CAs are still valid.
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>> Marc.
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Florence Blanc-Renaud <flo(a)redhat.com>
>>>>> *Sent:* 16 November 2020 14:35
>>>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>>> *Cc:* Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>
>>>>> *Subject:* Re: [Freeipa-users] subsystemCert appears out of date
>>>>> On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> My subsystem cert appears to have gone out of date, and I'm
>>>>>> unable to get it to update. This has become an issue on my
>>>>>> production environment, and my current workaround has been to
>>>>>> take the system date back by a month. I've tried the cert
>>>>>> renew tool, but this doesn't seem to have updated this cert.
>>>>>>
>>>>>> Is anyone able to point me in the right direction to be able to
>>>>>> update this specific certificate as I've been unable to find anything online.
>>>>>>
>>>>>> [auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>>>>>>
>>>>>> Certificate:
>>>>>>     Data:
>>>>>>         Version: 3 (0x2)
>>>>>>         Serial Number: 42 (0x2a)
>>>>>>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>>>         Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
>>>>>>         Validity:
>>>>>>             Not Before: Sun Nov 04 08:04:35 2018
>>>>>>             Not After : Sat Oct 24 07:04:35 2020
>>>>>>         Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
>>>>>>         Subject Public Key Info:
>>>>>>             Public Key Algorithm: PKCS #1 RSA Encryption
>>>>>>             RSA Public Key:
>>>>>>                 Modulus:
>>>>>>                 Exponent: 65537 (0x10001)
>>>>>>         Signed Extensions:
>>>>>>             Name: Certificate Authority Key Identifier
>>>>>>             Key ID:
>>>>>>                 f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
>>>>>>                 d5:08:c0:3a
>>>>>>
>>>>>>             Name: Authority Information Access
>>>>>>             Method: PKIX Online Certificate Status Protocol
>>>>>>             Location:
>>>>>>                 URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
>>>>>>
>>>>>>             Name: Certificate Key Usage
>>>>>>             Critical: True
>>>>>>             Usages: Digital Signature
>>>>>>                     Non-Repudiation
>>>>>>                     Key Encipherment
>>>>>>                     Data Encipherment
>>>>>>
>>>>>>             Name: Extended Key Usage
>>>>>>                 TLS Web Server Authentication Certificate
>>>>>>                 TLS Web Client Authentication Certificate
>>>>>>
>>>>>>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>>>     Signature:
>>>>>>     Fingerprint (SHA-256):
>>>>>>         4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:15:13:92:D3:7A:3D:F8:54:44
>>>>>>     Fingerprint (SHA1):
>>>>>>         03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
>>>>>>
>>>>>>     Mozilla-CA-Policy: false (attribute missing)
>>>>>>     Certificate Trust Flags:
>>>>>>         SSL Flags:
>>>>>>             User
>>>>>>         Email Flags:
>>>>>>             User
>>>>>>         Object Signing Flags:
>>>>>>             User
>>>>>>
>>>>>> Thanks for the help,
>>>>>>
>>>>>> Marc.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>>> To unsubscribe send an email to
>>>>>> freeipa-users-leave(a)lists.fedorahosted.org
>>>>>> Fedora Code of Conduct:
>>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>> List Guidelines:
>>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>> List Archives:
>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>>>
>>>>> Hi Marc,
>>>>>
>>>>> we need more information in order to help you:
>>>>> - do you have multiple master/replicas with the CA role:
>>>>> # kinit admin; ipa server-role-find --role "CA server"
>>>>>
>>>>> - which server is the renewal master:
>>>>> # kinit admin ; ipa config-show | grep "renewal"
>>>>>
>>>>> - which version is installed:
>>>>> # rpm -qa | grep ipa-server
>>>>>
>>>>> - Is the subsystemCert cert-pki-ca the only expired certificate:
>>>>> # getcert list
>>>>>
>>>>> flo
>>>>>
1 year, 7 months
Re: subsystemCert appears out of date
by Florence Blanc-Renaud
On 11/24/20 10:50 AM, Marc Pearson | i-Neda Ltd wrote:
> Thanks Flo,
>
> I'm surprised I didn't catch that typo:
>
> certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE C,,
> CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> comodoCA C,,
> INT.I-NEDA.COM IPA CA CT,C,C
> INT.I-NEDA.COM IPA CA CT,C,C
> INT.I-NEDA.COM IPA CA CT,C,C
> CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> comodoCA2 C,,
> INT.I-NEDA.COM IPA CA CT,C,C
> INT.I-NEDA.COM IPA CA CT,C,C
> comodoCA C,,
> CN=*.int.i-neda.com u,u,u
> INT.I-NEDA.COM IPA CA CT,C,C
>
Ok, so I think the issue with ipa-cert-fix comes from the fact that the
LDAP server cert is not called 'Server-Cert' but rather
'CN=*.int.i-neda.com' - you can check with the following command:
# grep nsSSLPersonalitySSL /etc/dirsrv/slapd-INT-I-NEDA-COM/dse.ldif
Can you log an issue at https://pagure.io/freeipa/new_issue ?
When the LDAP server cert doesn't have the default name, ipa-cert-fix fails.
A possible workaround would be to rename the cert in the NSSDB to
'Server-Cert' with certutil --rename but you will also need to update
the dse.ldif file (stop ds, edit, start ds). This will allow you to use
ipa-cert-fix and hopefully to move forward.
flo
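The two checks a practitioner would want before running ipa-cert-fix on a server like the one in this thread are whether certmonger still has renewable certificates (not expired, not CA_UNREACHABLE, not stuck) and whether the LDAP server certificate carries the default 'Server-Cert' nickname that ipa-cert-fix looks for. The Python below is an added example, not FreeIPA project code: it parses saved `getcert list` and `certutil -L` output plus the nsSSLPersonalitySSL line of dse.ldif, and all hostnames, realm names and sample outputs in it are constructed.

```python
"""Offline pre-flight for the two problems in this thread: certificates that
certmonger can no longer renew (expired, CA_UNREACHABLE, stuck) and an LDAP
server certificate whose NSSDB nickname is not 'Server-Cert', which is what
makes ipa-cert-fix stop with "Failed to get Server-Cert". Added example, not
FreeIPA code; hostnames, realm and every sample below are constructed."""
import re
from datetime import datetime, timezone

DEFAULT_LDAP_NICK = "Server-Cert"               # the nickname ipa-cert-fix expects
TRUST_FLAGS = r"[CTPcpu]*,[CTPcpu]*,[CTPcpu]*"  # last column of certutil -L output


def parse_getcert_list(text):
    """Split 'getcert list' output into one {field: value} dict per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests


def expired_requests(requests, now):
    """IDs whose 'expires' timestamp is already past; 'unknown' is skipped."""
    out = []
    for r in requests:
        exp = r.get("expires", "unknown")
        if exp == "unknown":
            continue
        when = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC")
        if when.replace(tzinfo=timezone.utc) < now:
            out.append(r["id"])
    return out


def unhealthy_requests(requests):
    """IDs certmonger reports as stuck or in any state other than MONITORING."""
    return [r["id"] for r in requests
            if r.get("stuck") == "yes" or r.get("status") != "MONITORING"]


def ldap_cert_nickname(dse_ldif):
    """Nickname 389-ds loads for TLS: the nsSSLPersonalitySSL attribute in dse.ldif."""
    m = re.search(r"^nsSSLPersonalitySSL:\s*(.+?)\s*$", dse_ldif, re.MULTILINE)
    return m.group(1) if m else None


def certutil_nicknames(listing):
    """Nicknames from 'certutil -L': the text before the trailing trust-flag column."""
    nicks = []
    for line in listing.splitlines():
        m = re.match(r"^(.*\S)\s+(%s)$" % TRUST_FLAGS, line.strip())
        if m:
            nicks.append(m.group(1))
    return nicks


def ldap_cert_check(dse_ldif, listing):
    """Return (nickname, findings); no findings means ipa-cert-fix will find the cert."""
    nick = ldap_cert_nickname(dse_ldif)
    findings = []
    if nick is None:
        findings.append("nsSSLPersonalitySSL is not set in dse.ldif")
    elif nick not in certutil_nicknames(listing):
        findings.append("nickname '%s' from dse.ldif is not in the NSS database" % nick)
    elif nick != DEFAULT_LDAP_NICK:
        findings.append("LDAP cert is '%s', not '%s': ipa-cert-fix will report "
                        "'Failed to get Server-Cert'" % (nick, DEFAULT_LDAP_NICK))
    return nick, findings


# Constructed samples shaped like the real output quoted in the thread.
SAMPLE_GETCERT = """\
Request ID '20180722081855':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://ipa1.ipa.example.test:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
    stuck: no
    expires: 2020-10-24 07:04:35 UTC
Request ID '20180722081856':
    status: MONITORING
    stuck: no
    expires: 2040-10-10 07:51:04 UTC
Request ID '20200530130439':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    expires: unknown
"""
SAMPLE_DSE_LDIF = "dn: cn=RSA,cn=encryption,cn=config\nnsSSLPersonalitySSL: CN=*.ipa.example.test\n"
SAMPLE_CERTUTIL = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CN=Example Root CA,O=Example Ltd,C=GB       C,,
IPA.EXAMPLE.TEST IPA CA                     CT,C,C
CN=*.ipa.example.test                       u,u,u
"""
SAMPLE_NOW = datetime(2020, 11, 24, tzinfo=timezone.utc)  # date of the reply above

if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT)
    print(expired_requests(reqs, SAMPLE_NOW), unhealthy_requests(reqs))
    print(ldap_cert_check(SAMPLE_DSE_LDIF, SAMPLE_CERTUTIL))
```

With the constructed samples, the subsystem cert is reported as expired and needing attention, the stuck HTTP request as needing attention, and the wildcard LDAP nickname as the condition that makes ipa-cert-fix fail; the same functions work on the real command output captured from a server.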
> Marc.
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: 24 November 2020 09:01
> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>
> On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote:
>> Hi Flo,
>>
>> I'm getting a database error when running that command:
>>
>> # certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>>
> Sorry, I made a typo, it should be dirsrv, not dirsrc:
> # certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
>
> flo
>>
>> Not sure if that's of any help?
>>
>> Marc.
>>
>> -----Original Message-----
>> From: Florence Blanc-Renaud <flo(a)redhat.com>
>> Sent: 21 November 2020 19:06
>> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users
>> list <freeipa-users(a)lists.fedorahosted.org>
>> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>>
>> On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:
>>> Hi Flo,
>>>
>>> Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
>>>
>>> [root@red-auth01 ~]# ipa-cert-fix
>>> Failed to get Server-Cert
>>> The ipa-cert-fix command failed.
>>>
>> Hi,
>> I failed to notice the first time but there is no tracking for the LDAP cert that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of
>> # certutil -L -d /etc/dirsrc/slapd-$DOMAIN
>> You should see Server-Cert (=the ldap server certificate), or maybe a different nickname is used?
>>
>> flo
>>
>>> From the message log:
>>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>> Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>> Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>>
>>> Any advice?
>>>
>>> Marc.
>>>
>>> -----Original Message-----
>>> From: Florence Blanc-Renaud <flo(a)redhat.com>
>>> Sent: 17 November 2020 10:57
>>> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users
>>> list <freeipa-users(a)lists.fedorahosted.org>
>>> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>>>
>>> On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
>>>> Hi Flo,
>>>>
>>>> Thanks for the help. Included is the output of all the commands as
>>>> you requested. These were all run from a single freeIPA server (red-auth01).
>>>>
>>>> kinit admin; ipa server-role-find --role "CA server"
>>>> Password for admin(a)INT.I-NEDA.COM:
>>>> ----------------------
>>>> 8 server roles matched
>>>> ----------------------
>>>>   Server name: power-auth03.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: enabled
>>>>
>>>>   Server name: power-auth04.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: absent
>>>>
>>>>   Server name: red-auth01.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: enabled
>>>>
>>>>   Server name: red-auth02.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: enabled
>>>>
>>>>   Server name: red-auth03.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: enabled
>>>>
>>>>   Server name: red-auth04.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: enabled
>>>>
>>>>   Server name: white-auth01.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: enabled
>>>>
>>>>   Server name: white-auth02.int.i-neda.com
>>>>   Role name: CA server
>>>>   Role status: enabled
>>>> ----------------------------
>>>> Number of entries returned 8
>>>> ----------------------------
>>>>
>>>>
>>>> kinit admin; ipa config-show | grep "renewal"
>>>> Password for admin(a)INT.I-NEDA.COM:
>>>>   IPA CA renewal master: red-auth01.int.i-neda.com
>>>>
>>>>
>>>> rpm -qa | grep ipa-server
>>>> ipa-server-common-4.6.8-5.el7.centos.noarch
>>>> ipa-server-4.6.8-5.el7.centos.x86_64
>>>> ipa-server-dns-4.6.8-5.el7.centos.noarch
>>>>
>>>>
>>>> getcert list
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20171101175244':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>>> CA: SelfSign
>>>> issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>>> expires: 2021-08-10 14:04:07 UTC
>>>> principal name: krbtgt/INT.I-NEDA.COM(a)INT.I-NEDA.COM
>>>> certificate template/profile: KDCs_PKINIT_Certs
>>>> pre-save command:
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> Request ID '20180722081853':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>> subject: CN=CA Audit,O=INT.I-NEDA.COM
>>>> expires: 2022-09-16 12:36:41 UTC
>>>> key usage: digitalSignature,nonRepudiation
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> Request ID '20180722081854':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>> subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
>>>> expires: 2022-09-16 12:35:31 UTC
>>>> eku: id-kp-OCSPSigning
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> Request ID '20180722081855':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>> subject: CN=CA Subsystem,O=INT.I-NEDA.COM
>>>> expires: 2020-10-24 07:04:35 UTC
>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> Request ID '20180722081856':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>> subject: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>> expires: 2040-10-10 07:51:04 UTC
>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> Request ID '20180722081857':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>>> stuck: no
>>>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>> subject: CN=IPA RA,O=INT.I-NEDA.COM
>>>> expires: 2020-10-24 07:03:24 UTC
>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> Request ID '20180722081858':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>>> expires: 2021-02-09 11:59:57 UTC
>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> Request ID '20200530130439':
>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>> CA: IPA
>>>> issuer:
>>>> subject:
>>>> expires: unknown
>>>> pre-save command:
>>>> post-save command:
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>> Hi Marc,
>>>
>>> so the current situation is the following:
>>> - red-auth01 is the renewal master, with multiple replicas hosting the CA role.
>>> - on this server, 'subsystemCert cert-pki-ca' is expired (expires:
>>> 2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires:
>>> 2020-10-24 07:03:24 UTC).
>>> - there is also an issue with the tracking of the cert used by HTTP
>>>
>>> But one of your comments is puzzling me:
>>>
>>>> The signing SSL (int.i-neda.com) is a full wildcard block chain that
>>>> is authorized by a recognised 3rd party. It's worth noting though,
>>>> that we had some issues with the block chain back in April as the
>>>> third party's block chain expired. So it's possible that this is as
>>>> a result of that issue, and may require some fettling to resolve. All help is appreciated.
>>> Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?
>>>
>>> According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.
>>>
>>> As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server:
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#renewing-expired-system-certificate-when-idm-is-offline
>>>
>>> Once the systems are up again, you can switch back to an externally-signed ipa CA:
>>> - import the external CA chain using ipa-cacert-manage install + run
>>> ipa-certupdate on all the ipa nodes
>>> - switch to externally-signed CA with ipa-cacert-manage renew
>>> --external-ca command
>>> (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#manual-cert-renewal-ext)
>>>
>>> HTH,
>>> flo
>>>>
>>>> My current temporary workaround is to set the local clock of the OS
>>>> back by over a month so the server believes the expired CAs are still valid.
>>>>
>>>> Kind Regards,
>>>>
>>>> Marc.
>>>> ------------------------------------------------------------------------
>>>> *From:* Florence Blanc-Renaud <flo(a)redhat.com>
>>>> *Sent:* 16 November 2020 14:35
>>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>> *Cc:* Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>
>>>> *Subject:* Re: [Freeipa-users] subsystemCert appears out of date
>>>> On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
>>>>> Hi All,
>>>>>
>>>>> My subsystem cert appears to have gone out of date, and I'm
>>>>> unable to get it to update. This has become an issue on my
>>>>> production environment, and my current workaround has been to take
>>>>> the system date back by a month. I've tried the cert renew
>>>>> tool, but this doesn't seem to have updated this cert.
>>>>>
>>>>> Is anyone able to point me in the right direction to be able to
>>>>> update this specific certificate as I've been unable to find anything online.
>>>>>
>>>>> [auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>>>>>
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 3 (0x2)
>>>>>         Serial Number: 42 (0x2a)
>>>>>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>>         Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
>>>>>         Validity:
>>>>>             Not Before: Sun Nov 04 08:04:35 2018
>>>>>             Not After : Sat Oct 24 07:04:35 2020
>>>>>         Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: PKCS #1 RSA Encryption
>>>>>             RSA Public Key:
>>>>>                 Modulus:
>>>>>                 Exponent: 65537 (0x10001)
>>>>>         Signed Extensions:
>>>>>             Name: Certificate Authority Key Identifier
>>>>>             Key ID:
>>>>>                 f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
>>>>>                 d5:08:c0:3a
>>>>>
>>>>>             Name: Authority Information Access
>>>>>             Method: PKIX Online Certificate Status Protocol
>>>>>             Location:
>>>>>                 URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
>>>>>
>>>>>             Name: Certificate Key Usage
>>>>>             Critical: True
>>>>>             Usages: Digital Signature
>>>>>                     Non-Repudiation
>>>>>                     Key Encipherment
>>>>>                     Data Encipherment
>>>>>
>>>>>             Name: Extended Key Usage
>>>>>                 TLS Web Server Authentication Certificate
>>>>>                 TLS Web Client Authentication Certificate
>>>>>
>>>>>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>>     Signature:
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>>> eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51
>>>>>
>>>>>  Ã, Ã, Ã, Fingerprint (SHA-256):
>>>>>
>>>>>
>>>>> 4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:
>>>>> 15:13:92:D3:7A:3D:F8:54:44
>>>>>
>>>>>  Ã, Ã, Ã, Fingerprint (SHA1):
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>>> 03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
>>>>>
>>>>>  Ã, Ã, Ã, Mozilla-CA-Policy: false (attribute missing)
>>>>>
>>>>>  Ã, Ã, Ã, Certificate Trust Flags:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, SSL Flags:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Email Flags:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Object Signing Flags:
>>>>>
>>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
>>>>>
>>>>> Thanks for the help,
>>>>>
>>>>> Marc.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>>
>>>> Hi Marc,
>>>>
>>>> we need more information in order to help you:
>>>> - do you have multiple master/replicas with the CA role:
>>>> # kinit admin; ipa server-role-find --role "CA server"
>>>>
>>>> - which server is the renewal master:
>>>> # kinit admin ; ipa config-show | grep "renewal"
>>>>
>>>> - which version is installed:
>>>> # rpm -qa | grep ipa-server
>>>>
>>>> - Is the subsystemCert cert-pki-ca the only expired certificate:
>>>> # getcert list
>>>>
>>>> flo
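Flo's checklist ends with `getcert list`, which on an IPA CA prints a tracking request block per certificate, so answering "is subsystemCert cert-pki-ca the only expired certificate" by eye is error-prone. The following is an added example, not code from the thread or from certmonger: a small parser for that output that flags every tracked certificate that is expired, stuck, in a state other than MONITORING, or close to expiry. The sample output is constructed in the layout certmonger uses; request IDs, subjects and dates are made up.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints (not copied from the
# thread); request IDs, dates and subjects are made up for the demonstration.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20190101000001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2020-11-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20190101000002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2021-06-15 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20190101000003':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2022-03-01 09:30:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\t([^:]+): (.*)$")      # one tab-indented "key: value" per line
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of dicts, one per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    for req in requests:
        nick = NICK_RE.search(req.get("certificate", ""))
        req["nickname"] = nick.group(1) if nick else None
        exp = req.get("expires")
        req["expires_at"] = (
            datetime.strptime(exp, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            if exp else None
        )
    return requests


def find_problem_certs(requests, now=None, warn_days=30):
    """Return [(nickname, [reasons...])] for every request that needs attention."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for req in requests:
        reasons = []
        exp = req["expires_at"]
        if exp is not None and exp <= now:
            reasons.append("expired")
        elif exp is not None and (exp - now).days < warn_days:
            reasons.append("expires in %d days" % (exp - now).days)
        if req.get("status") != "MONITORING":
            reasons.append("status=" + req.get("status", "?"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if reasons:
            problems.append((req["nickname"], reasons))
    return problems


if __name__ == "__main__":
    # Usage: getcert list | python3 check_getcert.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    for nickname, reasons in find_problem_certs(parse_getcert_list(text)):
        print("%-40s %s" % (nickname, ", ".join(reasons)))
```

Anything the script reports as `expired` or `stuck` is the set Flo is asking about; a CA-owned certificate (nickname ending in `cert-pki-ca`) that is expired on the renewal master is the case where the normal `getcert resubmit` path cannot run, because the CA needs that very certificate to talk to itself.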
Auditing FreeIPA activities
by Sreenadh Menon
Hi,
As part of auditing certain activities such as "User Add" "Group Add" and other modifications, we are trying to setup a tool such as Splunk.
When a user gets added or any modification is made in FreeIPA we need to Audit who made that change.
But FreeIPA seems not to be logging that particular information. Would like to know if anyone here has achieved that. I noticed the following option: https://github.com/pschiffe/rsyslog-elasticsearch-kibana
My understanding is this is a preconfigured Kibana setup where we need to forward all the FreeIPA related logs to this Kibana docker through rsyslog. As per the following image, https://github.com/pschiffe/rsyslog-elasticsearch-kibana/blob/master/doc/...
The user who is making the change is also getting logged. For example, we can see that the action "user_add" was committed by the user admin@KVM. From my research this does not seem to be a Kibana action as such, but something that is present in the FreeIPA log file.
However, I could not find the string user_add itself anywhere in the log after adding the user. I checked logs such as slapd-$REALM/access.
Is it because the FreeIPA logs have changed over the years and this solution is no longer usable, or is it something entirely generated by Kibana and we can use it with the newer FreeIPA versions as well?
Sorry for the long post.
Thanks in advance!
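The command name and the calling principal are not in the 389-ds access log, which records LDAP operations, but in the IPA API layer's own log: each JSON-RPC call is written to /var/log/httpd/error_log as `[jsonserver_session] principal: command/version(args): result`. As an added example (not code from the thread, from FreeIPA or from the linked rsyslog/Kibana project), here is a parser that extracts those events and groups the mutating ones per principal, which is the record an auditor wants before shipping anything to Splunk. The log lines are constructed in that shape; principals, addresses and timestamps are made up, and the regex accepts both the Python 3 `'value'` and the older `u'value'` argument rendering.

```python
import re
import sys

# Constructed sample lines in the shape FreeIPA's JSON-RPC server writes to
# /var/log/httpd/error_log, one per API call; principals, addresses and
# timestamps are made up for the demonstration.
SAMPLE_ERROR_LOG = """\
[Mon Nov 30 09:12:01.123456 2020] [wsgi:error] [pid 2201:tid 140] [remote 10.0.0.5:41234] ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: user_add/1('jdoe', givenname='John', sn='Doe', version='2.237'): SUCCESS
[Mon Nov 30 09:12:07.654321 2020] [wsgi:error] [pid 2201:tid 140] [remote 10.0.0.5:41234] ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: group_add_member/1('admins', user=['jdoe'], version='2.237'): SUCCESS
[Mon Nov 30 09:13:44.000001 2020] [wsgi:error] [pid 2201:tid 141] [remote 10.0.0.9:50011] ipa: INFO: [jsonserver_session] helpdesk@EXAMPLE.COM: user_mod/1(u'jdoe', mail=u'jdoe@example.com', version=u'2.237'): SUCCESS
[Mon Nov 30 09:14:02.000002 2020] [wsgi:error] [pid 2201:tid 141] [remote 10.0.0.9:50011] ipa: INFO: [jsonserver_session] helpdesk@EXAMPLE.COM: user_del/1('nobody', version='2.237'): NotFound
[Mon Nov 30 09:15:00.000003 2020] [wsgi:error] [pid 2201:tid 142] [remote 10.0.0.5:41240] ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: user_show/1('jdoe', version='2.237'): SUCCESS
"""

AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid [^\]]+\] \[remote (?P<client>[^\]]+)\] "
    r"ipa: INFO: \[(?P<server>[^\]]+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)/(?P<api>\d+)\((?P<args>.*)\): (?P<result>\w+)$"
)
FIRST_ARG_RE = re.compile(r"^u?'([^']*)'")   # first positional argument, e.g. the uid

# Command suffixes that change directory data; *_show / *_find are read-only.
MUTATING_SUFFIXES = ("_add", "_mod", "_del", "_add_member", "_remove_member",
                     "_enable", "_disable", "_unlock", "_passwd")


def parse_api_audit(text):
    """Return one dict per API call line; lines that are not API calls are skipped."""
    return [m.groupdict() for m in map(AUDIT_RE.match, text.splitlines()) if m]


def is_mutating(command):
    return command.endswith(MUTATING_SUFFIXES)


def first_positional(args):
    m = FIRST_ARG_RE.match(args)
    return m.group(1) if m else None


def changes_by_principal(text):
    """{principal: [(command, target, result), ...]} for mutating calls only,
    in log order; this is the 'who changed what' view the post asks for."""
    out = {}
    for ev in parse_api_audit(text):
        if not is_mutating(ev["command"]):
            continue
        out.setdefault(ev["principal"], []).append(
            (ev["command"], first_positional(ev["args"]), ev["result"]))
    return out


if __name__ == "__main__":
    # Usage: python3 ipa_audit.py /var/log/httpd/error_log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ERROR_LOG
    for principal, changes in changes_by_principal(text).items():
        for command, target, result in changes:
            print("%-25s %-20s %-10s %s" % (principal, command, target, result))
```

Failed calls (result other than `SUCCESS`, such as the `NotFound` above) are kept on purpose: a run of failed `user_del` or `user_mod` attempts from one principal is exactly what a detection rule should see. The `client` field carries the source address of the request, so the same events can be joined against VPN or workstation inventories once they are in Splunk.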
Default Trust View --> not able to resolve AD user on clients
by Pieter Baele
Hi,
We only used the default trust view. Recently a colleague added another ID View.
After that, when adding a lot of new users from AD with overrides in the Default Trust View, we were not able to resolve the new users (id: ‘xxxxxx’: no such user) on IPA clients. No problem on the IPA servers (at first sight).
After searching a lot on different parameters (pam_id_timeout etc.) and clearing caches, we found that the problem disappeared when adding users to a new ID View and removing them from the Default Trust View.
Running latest on RHEL 7.x (VERSION: 4.6.8, API_VERSION: 2.237)
Any similar reports?
Sincerely, Pieter
FreeIPA - Windows 10 Dynamic Dns Updates
by Ben Lewis
Hi All,
I have installed a FreeIPA server and configured a Windows 10 client to authenticate against it. I am able to log in to the Windows machine against the IPA realm; the issue I am seeing relates to the Windows client updating its DNS records. I could see ZONENAME/IN denied errors in /var/log/messages, and what I also noticed in /var/log/krb5kdc.log, at around the same time that the DNS update errors occur, is a Kerberos error. It seems that the Windows host is attempting to obtain a ticket using the format COMPUTERNAME$(a)EXAMPLE.COM instead of the FQDN.
I am using FreeIPA Server 4.8.4-7 on a CentOS 8.2 server.
I have a host and principal in freeipa for the Windows host.
replica install DNS failure on master CNAME
by Stijn De Weirdt
hello,
we are trying to migrate our ipa setup to el8, and are adding an el8 host as a replica.
however, this master is somewhat special as it involves classless delegation. it is part of a /27 subnet, so we added it as a ptr record to 0/27.the.24.prefix, and put a cname on the ip in the.24.prefix (not sure i'm using the correct terminology here, but it's done as described in https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)
the master is a functional ipa client before the replica-install is started.
running ipa-replica-install --setup-dns, we get an error:
the installer seems to always try to add the master ip as a ptr record, and treats duplicates and something called an EmptyModlist as ok.
however, in our case, there's a cname in place, and our install fails with a
> 2020-11-26T07:52:36Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any ot\
> her record (RFC 1034, section 3.6.2)
my question is the following: is there any hard requirement for a fully functional master to have a ptr record instead of a cname (and/or is it allowed to use the classless setup for a master)?
if not, is it ok to comment out the part of the install code that tries to add this record, and retry the install?
there is a similar/identical issue reported 2 years ago, https://pagure.io/freeipa/issue/7693 (and the bugzilla referenced there), but there is a comment "from IPA team" that says "I don't know if using this also for IPA server is a good or desired thing."; so some feedback/guidance is welcome.
many thanks,
stijn
error log:
> 2020-11-26T07:52:36Z DEBUG step duration: named __generate_rndc_key 0.03 sec
> 2020-11-26T07:52:36Z DEBUG [2/8]: setting up our own record
> 2020-11-26T07:52:36Z DEBUG raw: dnszone_show('our.domain', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnszone_show(<DNS name our.domain.>, rights=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnsrecord_add('our.domain', 'hostname', arecord='1.2.3.4', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnsrecord_add(<DNS name our.domain.>, <DNS name hostname>, arecord=('1.2.3.4',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnszone_show('4.3.2.1.in-addr.arpa.', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnszone_show(<DNS name 4.3.2.1.in-addr.arpa.>, rights=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnszone_show('3.2.1.in-addr.arpa.', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnszone_show(<DNS name 3.2.1.in-addr.arpa.>, rights=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnsrecord_add('3.2.1.in-addr.arpa.', '5', ptrrecord='hostname.our.domain.', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnsrecord_add(<DNS name 3.2.1.in-addr.arpa.>, <DNS name 5>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, ptrrecord=('hostname.our.domain.',), force=False, structured=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
> method()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 921, in __add_self
> self.__add_master_records(self.fqdn, self.ip_addresses)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 918, in __add_master_records
> add_ptr_rr(reverse_zone, addr, fqdn, None, api=self.api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 414, in add_ptr_rr
> add_rr(zone, name, "PTR", normalize_zone(fqdn), dns_backup, api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 397, in add_rr
> api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
> return self.__do_call(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
> ret = self.run(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
> return self.execute(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3655, in execute
> result = super(dnsrecord_add, self).execute(*keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1199, in execute
> *keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3647, in pre_callback
> self.obj.check_record_type_collisions(keys, rrattrs)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3261, in check_record_type_collisions
> error=_('CNAME record is not allowed to coexist '
> ipalib.errors.ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
>
> 2020-11-26T07:52:36Z DEBUG [error] ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
> 2020-11-26T07:52:36Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
> return_value = self.run()
> File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
> return cfgr.run()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
> return self.execute()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
> for rval in self._executor():
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
> next(executor)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
> for unused in self._installer(self.parent):
> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 597, in main
> replica_install(self)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 402, in decorated
> func(installer)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1339, in install
> dns.install(False, True, options, api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/dns.py", line 342, in install
> bind.create_instance()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 774, in create_instance
> self.start_creation()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
> method()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 921, in __add_self
> self.__add_master_records(self.fqdn, self.ip_addresses)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 918, in __add_master_records
> add_ptr_rr(reverse_zone, addr, fqdn, None, api=self.api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 414, in add_ptr_rr
> add_rr(zone, name, "PTR", normalize_zone(fqdn), dns_backup, api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 397, in add_rr
> api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
> return self.__do_call(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
> ret = self.run(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
> return self.execute(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3655, in execute
> result = super(dnsrecord_add, self).execute(*keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1199, in execute
> *keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3647, in pre_callback
> self.obj.check_record_type_collisions(keys, rrattrs)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3261, in check_record_type_collisions
> error=_('CNAME record is not allowed to coexist '
>
> 2020-11-26T07:52:36Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
> 2020-11-26T07:52:36Z ERROR invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
> 2020-11-26T07:52:36Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
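The log shows the two things the installer does before it fails: it walks the reverse name of the master's address from the most specific zone to the least specific (`dnszone_show('4.3.2.1.in-addr.arpa.')`, then `'3.2.1.in-addr.arpa.'`) and then calls `dnsrecord_add` with a PTR at the name it found, where `check_record_type_collisions` rejects it because that name already holds the CNAME of the classless delegation. The following is an added example, not FreeIPA's own code, that reproduces that decision against a constructed zone set so the collision can be predicted before `ipa-replica-install` is run; the zone names, the 192.0.2.0/24 documentation prefix and the `/27` layout are assumptions made for the demonstration, and the RFC 1034 rule is applied as the installer's error message states it.

```python
import ipaddress

# Constructed zone data (not from the thread): reverse zones managed by the IPA
# DNS, each mapping a record name relative to the zone to the set of record
# types present at that name. 192.0.2.0/24 is a documentation prefix (RFC 5737).
SAMPLE_ZONES = {
    "our.domain.": {"hostname": {"A"}},
    "2.0.192.in-addr.arpa.": {
        "0/27": {"NS"},      # RFC 2317 classless delegation of 192.0.2.0/27
        "5": {"CNAME"},      # 5.2.0.192.in-addr.arpa. CNAME 5.0/27.2.0.192.in-addr.arpa.
        "6": {"PTR"},        # a neighbour that is reverse-mapped the plain way
    },
    "0/27.2.0.192.in-addr.arpa.": {"5": {"PTR"}},   # where the real PTR lives
}

RFC1034_CNAME_ERROR = ("CNAME record is not allowed to coexist with any other "
                       "record (RFC 1034, section 3.6.2)")


def find_reverse_zone(ip, zones):
    """Walk the reverse name from most to least specific and return
    (zone, relative name) for the first managed zone, mirroring the
    dnszone_show probes visible in the installer log."""
    rev = ipaddress.ip_address(ip).reverse_pointer + "."   # '5.2.0.192.in-addr.arpa.'
    labels = rev.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, ".".join(labels[:i]) or "@"
    return None, None


def check_record_type_collisions(existing_types, new_type):
    """The rule the installer tripped over: a name that holds a CNAME may hold
    nothing else, and a CNAME may not be added next to other data."""
    if existing_types and ("CNAME" in existing_types or new_type == "CNAME"):
        return RFC1034_CNAME_ERROR
    return None


def preflight_ptr(ip, fqdn, zones):
    """Predict whether the installer's PTR add for `fqdn` at `ip` would succeed."""
    zone, name = find_reverse_zone(ip, zones)
    if zone is None:
        return {"ok": True, "zone": None, "name": None, "ptr": fqdn,
                "reason": "no managed reverse zone holds this address"}
    existing = zones[zone].get(name, set())
    error = check_record_type_collisions(existing, "PTR")
    if error:
        return {"ok": False, "zone": zone, "name": name, "ptr": fqdn,
                "reason": error}
    return {"ok": True, "zone": zone, "name": name, "ptr": fqdn,
            "reason": "PTR add would succeed (existing types: %s)"
                      % (",".join(sorted(existing)) or "none")}


if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.6", "198.51.100.7"):
        r = preflight_ptr(ip, "hostname.our.domain.", SAMPLE_ZONES)
        print("%-14s zone=%-28s name=%-4s ok=%-5s %s"
              % (ip, r["zone"], r["name"], r["ok"], r["reason"]))
```

For the classless host the check reports the CNAME collision at `5` in `2.0.192.in-addr.arpa.`, the same name the installer reaches, while the neighbour at `6` passes because adding a PTR next to an existing PTR is the duplicate case the installer tolerates. A host whose reverse zone is not managed by IPA at all gets no record attempt here; whether the real installer skips or fails in that situation is not shown in the log above and is not assumed.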