On 1/8/19 4:37 AM, Mitchell Smith via FreeIPA-users wrote:
Hi List,
I am running into an issue joining a new replica to our IPA environment.
It’s worth noting that we have had issues with expired certs on our master server for a
while but I thought we had resolved them, and when I connect to ports 443 and 636 on the
master server I get certs back expiring in 2020.
So I have run ipa-client-install and the client joins successfully.
I can ‘kinit admin’ and Kerberos auth appears to work.
When I run ipa-replica-install it hangs on step 27 restarting directory server.
When I check syslog I see that dirsrv has failed to restart, and the following message:
Jan 8 02:20:11 ds02 certmonger[8516]: 2019-01-08 02:20:11 [8516] Server at https://ds01.prod.xyz.internal/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ds01.prod.xyz.internal:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
Where ds02 is the new replica I am installing and ds01 is the original master.
Running FreeIPA 4.3.1.
Any suggestions on how to move past this point would be greatly appreciated.
Thanks in advance.
Hi,
can you check on ds02 if certmonger was able to get a cert for the LDAP
server (with "getcert list")? If not, I suspect that the IPA RA agent
certificate is expired and, as a consequence, the installer was not able
to get a cert for LDAP and HTTPS (the IPA RA agent cert is used to
authenticate to Dogtag, which is the component delivering certs).
On the master, IPA RA agent is stored in /etc/httpd/alias with the
nickname ipaCert. Check if it is still valid with
# certutil -L -d /etc/httpd/alias -n ipaCert | grep "Not After"
If it is expired, you need to fix this issue first (it requires moving
the date back in time, so that the cert is still valid, and letting
certmonger renew it).
If it is not expired, check that the entry uid=ipara,ou=People,o=ipaca
has been updated with the most recent IPA RA agent certificate:
1. get the serial from the cert in the NSS db:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)
2. get the whole cert in a single-line, without the header and trailer:
# certutil -L -d /etc/httpd/alias -n ipaCert -a | tail -n +2 | head -n -1 | tr -d '\r\n'
MIIDv...
3. Check the content of the entry in LDAP:
# ldapsearch -D "cn=directory manager" -W -LLL -o ldif-wrap=no -b uid=ipara,ou=people,o=ipaca description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
usercertificate:: MIIDv...
The description attribute must contain 2;<Serial from step
1>;CN=Certificate Authority,O=<DOMAIN.COM>;CN=IPA RA,O=<DOMAIN.COM>
(replace <DOMAIN.COM> with your own domain).
The usercertificate attribute must contain the same value as obtained in
step 2. If it is not the case, you can use ldapmodify to update the
certificate with the value obtained in step 2 (do not forget to replace
DOMAIN.COM with your own domain).
# ldapmodify -x -D 'cn=directory manager' -w password
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate
usercertificate:: MIIDv...
-
replace: description
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
<extra blank line to finish>
HTH,
flo
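The checks flo describes (is ipaCert still valid, and do the description and
usercertificate attributes of uid=ipara,ou=people,o=ipaca match the cert in the
NSS database) are easy to get wrong by eye, so here is an added example that
automates them. This is not code from the thread or from FreeIPA: it parses the
output of the same certutil and ldapsearch commands quoted above and reports
expiry and mismatches. The sample certutil listing, PEM blob and LDIF entries are
constructed placeholders (not a real certificate), the realm DOMAIN.COM is the
placeholder from the reply, and the certutil "Not After" timestamp is assumed to
be UTC. run_live_check() runs the real commands on a master and is the only part
that needs certutil, ldapsearch and Directory Manager credentials.

```python
#!/usr/bin/env python3
"""Cross-check the IPA RA agent cert (ipaCert) against uid=ipara,ou=people,o=ipaca.

Added example, not FreeIPA code. Sample inputs below are constructed placeholders.
"""
import base64
import re
import subprocess
from datetime import datetime, timezone

NSS_DB = "/etc/httpd/alias"            # where the master keeps ipaCert (from the reply)
NICKNAME = "ipaCert"
RA_DN = "uid=ipara,ou=people,o=ipaca"


def parse_certutil_listing(text):
    """Return (serial, not_after) from `certutil -L -d DB -n NICK` output.
    certutil prints lines like 'Serial Number: 7 (0x7)' and
    'Not After : Sat Jan 04 10:00:00 2020'; the timestamp is assumed to be UTC."""
    serial = int(re.search(r"Serial Number:\s*(\d+)", text).group(1))
    stamp = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    not_after = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return serial, not_after


def pem_to_single_line(pem):
    """Same result as `tail -n +2 | head -n -1 | tr -d '\\r\\n'` on `certutil -L -a` output."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def parse_ldif(text):
    """Minimal LDIF reader for one entry: {attr: [values]}. A '::' value is base64 in LDIF
    and is kept as-is, so it compares directly with the single-line PEM body."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not re.fullmatch(r"[A-Za-z][\w;.-]*", name):
            continue                                # skips the 'Enter LDAP Password:' prompt
        if value.startswith(":"):
            value = value[1:]
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs


def expected_description(serial, realm):
    """The description value Dogtag expects for the RA agent user (format from the reply)."""
    return "2;%d;CN=Certificate Authority,O=%s;CN=IPA RA,O=%s" % (serial, realm, realm)


def check_ra_agent(certutil_text, pem_text, ldif_text, realm, now=None):
    """Return a list of problems; an empty list means the NSS cert and the LDAP entry agree."""
    now = now or datetime.now(timezone.utc)
    serial, not_after = parse_certutil_listing(certutil_text)
    entry = parse_ldif(ldif_text)
    problems = []
    if not_after <= now:
        problems.append("ipaCert expired on %s: fix renewal before touching LDAP" % not_after.date())
    want_desc = expected_description(serial, realm)
    if entry.get("description", []) != [want_desc]:
        problems.append("description mismatch: expected %r, got %r" % (want_desc, entry.get("description")))
    if pem_to_single_line(pem_text) not in entry.get("usercertificate", []):
        problems.append("usercertificate in LDAP does not match serial %d from the NSS db" % serial)
    return problems


def run_live_check(realm, dm_password_file):
    """Run the real commands on a master. The Directory Manager password is read from a
    file via -y so it does not show up in the process list."""
    def out(argv):
        return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    listing = out(["certutil", "-L", "-d", NSS_DB, "-n", NICKNAME])
    pem = out(["certutil", "-L", "-d", NSS_DB, "-n", NICKNAME, "-a"])
    ldif = out(["ldapsearch", "-x", "-D", "cn=directory manager", "-y", dm_password_file,
                "-LLL", "-o", "ldif-wrap=no", "-b", RA_DN, "description", "usercertificate"])
    return check_ra_agent(listing, pem, ldif, realm)


# Constructed sample data mirroring the shapes shown in the reply (not a real certificate).
SAMPLE_CERTUTIL = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Validity:
            Not Before: Thu Jan 04 10:00:00 2018
            Not After : Sat Jan 04 10:00:00 2020
"""
CURRENT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
STALE_B64 = base64.b64encode(b"placeholder for an older, already replaced cert").decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + CURRENT_B64[:40] + "\n" + CURRENT_B64[40:]
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LDIF_OK = """Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
usercertificate:: %s
""" % CURRENT_B64
SAMPLE_LDIF_STALE = SAMPLE_LDIF_OK.replace("2;7;", "2;5;").replace(CURRENT_B64, STALE_B64)
MAIL_DATE = datetime(2019, 1, 8, tzinfo=timezone.utc)       # date of the thread, cert still valid
LATER_DATE = datetime(2020, 6, 1, tzinfo=timezone.utc)      # after Not After, cert expired

if __name__ == "__main__":
    for label, ldif in (("consistent", SAMPLE_LDIF_OK), ("stale", SAMPLE_LDIF_STALE)):
        print(label, check_ra_agent(SAMPLE_CERTUTIL, SAMPLE_PEM, ldif, "DOMAIN.COM", MAIL_DATE) or "OK")
```

When the stale entry is detected the fix is the ldapmodify shown in the reply:
add the current usercertificate value and replace description with the
expected string; the script only reports, it never writes to LDAP.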