On Wed, Aug 2, 2017 at 1:31 PM, Fraser Tweedale via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote:
john.bowman--- via FreeIPA-users wrote:
Since taking over our FreeIPA environment I've been unable to create a new CA replica. After a bunch of failed attempts and upgrades over the last year, I keep running into issues. After my latest attempt I noticed something that I had not seen before (likely a result of a recent upgrade) and I was wondering if this would cause a CA install to fail.
Our env:
3 x ipa-server-3.0.0-51.el6.x86_64
3 x ipa-server-4.4.0-14.el7_3.7.x86_64
2 of the 3.x IPA servers are currently acting as CAs and I've been trying to create a new 4.x CA replica in order to start removing the 3.x IPA servers. I've been able to do a simple test with vanilla CentOS 6.9 and 7.3 and it seems to work fine as far as I can tell but when I try it in our environment it fails. I noticed this error in one of the logs and something jumped out at me that I had never seen before:
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security domain
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><CA><Host>ipa-replica1.domain.tld </Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>3</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using admin interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using agent interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: - subject: CN=ipa-master.domain.tld,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: - issuer: CN=Certificate Authority,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML: status=1
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security domain: 2 java.io.IOException: Unable to update security domain: 2
This error message means that pkispawn cannot authenticate to Dogtag on the master by certificate. Usually the cert doesn't match the one in the Dogtag user DB in LDAP, or the cert serial number mapping is wrong.
More info is in:
* https://www.freeipa.org/page/Troubleshooting#Migrating_from_RHEL_6.2FCentOS_...
resp.
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
But the Dogtag team made a utility which should do the steps described in the above post automatically.
So run on the RHEL 6 master:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v
Then remove the previous installation attempt by:
* ipa-replica-manage del $replica
* ipa-csreplica-manage del $replica
Try again:
* generate a new replica file with ipa-replica-prepare
* run the replica installation again with the new replica file
The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x servers, but of the other two listed in that domain.xml, one does not exist (it may at some point have been renamed) and the other is a replica but not a CA replica.
Is it possible this bad info would cause a failure when trying to create a new CA replica? If so, is it something I can try cleaning up?
Any info would be appreciated. Thanks!
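As an added illustration of the stale-entry question above (not code from the thread or from FreeIPA/Dogtag), the script below parses a DomainInfo document like the one in the log and reports CA entries that do not resolve in DNS, are not on the administrator's own list of CA masters, carry stray whitespace in the Host element, or are missing from domain.xml altogether. The sample XML, the hostnames and the static resolver are constructed placeholders so the check runs offline; on a real server you would pass the output of getDomainXML and the default socket.gethostbyname.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample modelled on the DomainInfo seen in the log; the trailing
# space inside the second Host element mirrors the quoted output.
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DomainInfo><Name>IPA</Name><CAList>
<CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica1.domain.tld </Host><SecurePort>443</SecurePort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<SubsystemCount>3</SubsystemCount></CAList></DomainInfo>"""


def parse_ca_entries(xml_text):
    """Return (host, secure_port, raw_host) for every CA in the security domain."""
    root = ET.fromstring(xml_text)
    entries = []
    for ca in root.findall("./CAList/CA"):
        raw_host = ca.findtext("Host") or ""
        port = ca.findtext("SecurePort") or ""
        entries.append((raw_host.strip(), port, raw_host))
    return entries


def make_static_resolver(known_hosts):
    """Offline stand-in for socket.gethostbyname; only the constructed hosts resolve."""
    def resolve(host):
        if host in known_hosts:
            return "192.0.2.1"  # documentation-range address, constructed
        raise socket.gaierror(f"constructed: {host} does not resolve")
    return resolve


def audit_security_domain(xml_text, expected_cas, resolve=socket.gethostbyname):
    """Compare the CA list in domain.xml with the hosts that really are CA masters."""
    findings = {"unresolvable": [], "not_expected_ca": [], "missing": [], "whitespace": []}
    listed = set()
    for host, _port, raw_host in parse_ca_entries(xml_text):
        listed.add(host)
        if raw_host != host:            # stray whitespace breaks exact host matching
            findings["whitespace"].append(host)
        try:
            resolve(host)
        except OSError:                 # socket.gaierror is a subclass of OSError
            findings["unresolvable"].append(host)
        if host not in expected_cas:
            findings["not_expected_ca"].append(host)
    findings["missing"] = sorted(set(expected_cas) - listed)
    return findings


if __name__ == "__main__":
    # Constructed scenario: only the master and a (fictional) second CA are real CAs.
    resolver = make_static_resolver({"ipa-master.domain.tld", "ipa-replica2.domain.tld"})
    print(audit_security_domain(SAMPLE_DOMAIN_XML, {"ipa-master.domain.tld", "ipa-ca2.domain.tld"}, resolver))
```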
I think one of the dogtag devs will need to look at it. It may take a few days, things get a bit slow around here in the summer.
rob
This went off my radar, but now it's back on my radar. Looks like it could be another case of [1]?
[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Cheers, Fraser