Running in debug mode definitely shows a recently expired cert, and running it again this time only shows the correct hostname, unlike before. Is this cert something that I can regenerate/renew? I'll find out about getting a new host to test with as well.
[root@ipa1 ~]# ipa-replica-prepare --debug ipa2.domain.tld
ipa : DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa : DEBUG args=klist -V
ipa : DEBUG stdout=Kerberos 5 version 1.10.3
ipa : DEBUG stderr=
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_61017104
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_61017104
ipa : DEBUG Search DNS for ipa2.domain.tld
ipa : DEBUG Check if ipa2.domain.tld. is not a CNAME
ipa : DEBUG Check reverse address of 192.168.1.11
ipa : DEBUG Found reverse name: ipa2.domain.tld
Preparing replica for ipa2.domain.tld from ipa1.domain.tld
ipa.ipaserver.plugins.ldap2.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2c00758>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
ipa : DEBUG args=/usr/bin/PKCS12Export -d /var/lib/pki-ca/alias/ -p /tmp/tmpPl8m5I -w /tmp/tmpTv1GoU -o /root/cacert.p12
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_62965520
Creating SSL certificate for the Directory Server
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -N -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -A -n DOMAIN.TLD IPA CA -t CT,,C -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpMhbi7sipa/realm_info -R -s CN=ipa2.domain.tld,O=DOMAIN.TLD -o /var/lib/ipa/ipa-JGfpWu/tmpcertreq -k rsa -g 2048 -z /tmp/tmpMhbi7sipa/realm_info/noise.txt -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
Generating key. This may take a few moments...
ipa : DEBUG https_request 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient'
ipa : DEBUG https_request post 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICdjCCAV4CAQAwMTEQMA4GA1UEChMHWkFZTy5VUzEdMBsGA1UEAxMUZGVuMDJ2%0D%0AbWlkbTAyLnpheW8udXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj%0D%0AGVwN6mATZGwEd19aRzDnG8HhED3Q2shjAxmf0hreFdls079m1mdbRlUtFOWnVx%2Bx%0D%0AFS0BQZZn0dfNXeArYz0dBXw9Plo%2FzFcMaXjmwGGGGtdTqukdQT79vfvwH7k2mB1c%0D%0AbitykHqYvapI%2BzaMXjRTYwOBJzkxKFhwGlQEt8lb3oqgJrCkyH11ldsDDo%2FMcnEI%0D%0AYua50OPKKnDZ9zdOx32wL7t1VM5FRhqV941R4MT7Y9fr7u3EdUbWNpa9hCQ8LTXs%0D%0Az2pU8%2Fu64Nnj%2FzP9vXXzx5YUSQK7NoUeqOl0%2Ft%2F4h%2B8%2FXmmmKLfdu2aD%2Bp%2BzGBYG%0D%0ApkFLT2oZLk7XOFc5xGmrAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAb%2FkkLjcr%0D%0Ay9XLuzePw59UxpOeCQSdCrET2e6Uy3rEglo5%2F8HcQbdaeCrOfwKyjbmUjJnCXptM%0D%0As6xW%2FOtNU1Xqt7fUJpxTgKDX%2Fsz5gWejuIQyAT20qnxsg8aHz0L7LxrlumW1eCMg%0D%0Af1kIXwLWzfQntBtaEFyNaJx6wEZTXQboKbZqSB281BH96dJF1szaD7nPKCo4ZFfA%0D%0AwKaJbIM89cjQvYjA9utatlqEK0g2CZnc8YtKauTmZz%2FV7W%2B3jpVV1XfgoChVmr%2FV%0D%0A%2BN0czdeA93Ie9jBB7ZOAko2BCLuPAc2z4w0K1VF4DXBA4slf2AD%2F29xCnv1nYbzZ%0D%0AfuhOgnfI8PIdQw%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa : DEBUG NSSConnection init ipa1.domain.tld
ipa : DEBUG Connecting: 192.168.1.10:0
ipa : DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 804978690 (0x2ffb0002)
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=Certificate Authority,O=DOMAIN.TLD
    Validity:
        Not Before: Tue Oct 06 21:27:25 2015 UTC
        Not After: Mon Sep 25 21:27:25 2017 UTC
    Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
    Subject Public Key Info:
        Public Key Algorithm:
            Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                d0:7d:e0:36:af:0c:c5:03:ea:ea:1e:57:35:50:93:ec:
                77:97:79:79:fe:7a:4c:14:e9:08:6a:2e:71:3e:fe:14:
                55:cd:e5:97:cf:40:31:e1:f1:c4:fb:d9:a8:81:ce:d1:
                76:59:80:7c:65:c2:45:c2:06:69:a0:91:96:51:c6:4e:
                e1:01:42:a0:6f:99:c3:80:83:69:49:8f:f9:7c:88:f2:
                20:4a:df:85:d1:a3:01:e4:78:72:51:13:4c:d8:6b:e8:
                06:1f:cb:2b:40:94:c7:9a:14:55:85:58:2b:6a:f9:4a:
                d8:3b:b6:78:a6:d4:bf:04:cf:69:12:9e:e7:58:a4:6b:
                11:55:f7:8a:8f:dd:00:7e:7b:e5:5e:f9:29:0a:9d:dd:
                d0:ed:fa:ce:e1:c8:27:15:d2:01:b4:3a:fb:8c:33:1b:
                66:ff:ce:2d:83:01:44:56:d0:0c:8b:7a:77:3d:d1:c1:
                14:f0:0f:15:38:8e:68:f6:aa:5b:99:b3:1e:ef:53:03:
                53:af:b4:c7:a8:c0:84:06:f8:0e:27:12:5a:e2:b8:29:
                ba:0d:b5:0c:af:4c:b6:06:22:76:9d:6a:71:5d:96:41:
                4c:c8:c1:3f:0a:40:0a:57:eb:5e:7c:6d:a1:d7:1c:22:
                60:07:7a:08:c3:9e:d4:cb:1d:20:c3:b9:65:07:c8:39
            Exponent: 65537 (0x10001)
    Signed Extensions: (4 total)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            df:e2:06:f2:94:98:29:17:5a:0f:65:e5:df:eb:0b:c3:
            7d:d0:4b:0f
        Serial Number: None
        General Names: [0 total]

        Name: Authority Information Access
        Critical: False
        Authority Information Access: [1 total]
            Info [1]:
                Method: PKIX Online Certificate Status Protocol
                Location:
                    URI: http://ipa1.domain.tld:80/ca/ocsp

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate

Signature:
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a0:98:8f:04:39:d9:57:fd:96:3f:e4:d3:29:7a:df:37:
        6d:30:c0:d2:3c:af:0f:a0:9f:c0:dc:38:61:84:a7:b5:
        e0:db:6a:4a:9d:44:3b:45:04:2b:87:d1:fb:d5:5b:d4:
        7f:24:3c:db:80:1e:9d:65:1d:09:5a:6a:3e:15:e0:8a:
        e9:60:e8:ef:c3:c9:92:fe:a6:df:54:dc:e7:d9:52:c9:
        93:10:a9:b4:12:b3:fb:34:fb:f8:c1:43:a1:2e:71:c6:
        70:aa:c3:4e:2f:c3:d9:56:ba:9b:b8:14:c5:2b:e7:f2:
        64:bb:0b:59:99:9c:85:0e:4f:04:54:1e:cf:53:a2:ae:
        4e:72:29:37:cb:53:c1:e4:61:26:0d:68:df:34:86:29:
        4a:7e:00:4a:a0:70:06:e8:cb:f4:78:f6:cb:5e:a2:2e:
        73:73:51:18:0e:a5:b3:3a:6c:e6:c8:11:aa:18:21:a5:
        d3:85:a0:01:6b:39:90:aa:38:6c:6b:33:b0:f2:89:4a:
        e0:2d:51:c7:e7:9b:a7:63:cf:4a:af:17:ed:da:2f:0d:
        63:81:61:24:b0:d9:db:44:eb:aa:c0:d1:d3:4e:51:60:
        92:70:39:a8:39:45:bc:ca:97:bf:cd:9f:02:38:ec:6e:
        15:2f:5c:b2:c6:77:de:d6:8d:3e:76:5c:14:34:f5:69
Fingerprint (MD5):
    fd:4d:92:51:bb:e0:5e:34:8c:83:e4:43:a0:d3:1f:21
Fingerprint (SHA1):
    47:4e:12:b6:5a:12:b8:85:b3:c8:53:09:9e:5f:97:a0:
    65:ea:cd:1f
ipa : ERROR cert validation failed for "CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
ipa : DEBUG cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
    raise e
cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
    raise e
On Thu, Nov 16, 2017 at 5:16 PM, Fraser Tweedale ftweedal@redhat.com wrote:
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
john.bowman--- via FreeIPA-users wrote:
Still looking for any ideas on this one so giving it a bump.
Next time please don't wipe out all the context.
Fraser, it seems to be having a problem connecting to the security
domain.
The full thread is at https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
rob
For the security domain connection problems, a fix was released in Dogtag 10.5.1 (pki commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3).
As for the expired certificates problem, I'm not sure about that. More logs would be helpful. But perhaps start over again with a fresh host for the replica, and run the latest pki builds (Fedora 27 was just released and it has Dogtag 10.5.1).
Cheers, Fraser
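The check a practitioner would run on the failure above, as an added example that is not part of this thread and not FreeIPA or Dogtag code: it pulls the `Not After` field out of the NSS-style certificate dump that `ipa-replica-prepare --debug` prints (or out of `openssl x509 -noout -enddate`, for a live check against the port the installer was talking to) and reports whether the peer certificate had already lapsed at a given instant. The sample text is a constructed excerpt of the dump in the log; the host name, port 9444, serial and dates are the ones from the thread, and `fetch_not_after` assumes the `openssl` CLI is installed and the host is reachable.

```python
"""Decide from a certificate dump whether the peer certificate was expired.

Added example, not code from the FreeIPA thread or project. Parses the
validity window from python-nss style output (as in `ipa --debug` logs) or
from `openssl x509 -noout -enddate`, and compares it with a reference time.
"""
import re
import subprocess
from datetime import datetime, timezone

# NSS/python-nss format: 'Not After: Mon Sep 25 21:27:25 2017 UTC'
# (weekday is not captured; month, day, time and year are).
NSS_NOT_AFTER = re.compile(
    r"Not After:\s+[A-Za-z]{3} ([A-Za-z]{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4}) UTC")
# OpenSSL format: 'notAfter=Sep 25 21:27:25 2017 GMT'
OPENSSL_NOT_AFTER = re.compile(
    r"notAfter=([A-Za-z]{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4}) GMT")
SUBJECT = re.compile(r"Subject:\s+(\S+)")

# Constructed excerpt of the debug output quoted in the thread.
SAMPLE_DEBUG = """\
ipa : DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
    Serial Number: 804978690 (0x2ffb0002)
    Issuer: CN=Certificate Authority,O=DOMAIN.TLD
    Validity:
        Not Before: Tue Oct 06 21:27:25 2015 UTC
        Not After: Mon Sep 25 21:27:25 2017 UTC
    Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
"""
# Date of the mailing-list message that carries the log (UTC, approximate).
THREAD_DATE = datetime(2017, 11, 16, 22, 16, tzinfo=timezone.utc)


def parse_not_after(text):
    """Return the certificate's notAfter as an aware UTC datetime."""
    m = NSS_NOT_AFTER.search(text) or OPENSSL_NOT_AFTER.search(text)
    if m is None:
        raise ValueError("no notAfter field found in input")
    mon, day, hms, year = m.groups()
    stamp = f"{mon} {int(day):02d} {hms} {year}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def check_cert(text, now=None):
    """Summarise subject, notAfter and whether the cert is expired at `now`."""
    now = now or datetime.now(timezone.utc)
    not_after = parse_not_after(text)
    m = SUBJECT.search(text)
    return {
        "subject": m.group(1) if m else None,
        "not_after": not_after,
        "expired": now > not_after,
        # Whole days since expiry; negative while the cert is still valid.
        "days_past": (now - not_after).days,
    }


def fetch_not_after(host, port, timeout=15):
    """Live variant: read the leaf certificate a TLS listener actually
    presents (e.g. the CA end-entity port 9444 from the thread) with
    `openssl s_client`, then extract notAfter with `openssl x509`.
    Needs network access and the openssl CLI; not used by the sample run."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    pem = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout).stdout
    end = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, check=True).stdout
    return parse_not_after(end.decode())


if __name__ == "__main__":
    result = check_cert(SAMPLE_DEBUG, THREAD_DATE)
    state = "EXPIRED" if result["expired"] else "valid"
    print(f'{result["subject"]}: notAfter {result["not_after"]:%Y-%m-%d %H:%M:%S} UTC, '
          f'{state} ({result["days_past"]} days past) as of {THREAD_DATE:%Y-%m-%d}')
```

Run as a script it prints the verdict for the excerpt (the server certificate had lapsed 52 days before the message was sent); for the live check call `fetch_not_after("ipa1.domain.tld", 9444)`. Note that the certificate the installer rejected is the master's own TLS server certificate issued by the IPA CA (issuer `CN=Certificate Authority`), not the CA certificate itself; on an IPA master such service certificates are normally tracked by certmonger, so `getcert list` is the place to see which tracking request covers it and its expiry.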