Running in debug mode definitely shows a recently expired cert (per the debug output below, it is the CN=ipa1.domain.tld,O=DOMAIN.TLD server cert presented on port 9444, Not After Sep 25 2017), and running it again this time shows only the correct hostname, unlike before. Is this cert something I can regenerate/renew? I'll also find out about getting a new host to test with.
[root@ipa1 ~]# ipa-replica-prepare --debug ipa2.domain.tld
ipa : DEBUG importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa : DEBUG args=klist -V
ipa : DEBUG stdout=Kerberos 5 version 1.10.3
ipa : DEBUG stderr=
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa : DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
context.ldap2_61017104
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection
context.ldap2_61017104
ipa : DEBUG Search DNS for ipa2.domain.tld
ipa : DEBUG Check if ipa2.domain.tld. is not a CNAME
ipa : DEBUG Check reverse address of 192.168.1.11
ipa : DEBUG Found reverse name: ipa2.domain.tld
Preparing replica for ipa2.domain.tld from ipa1.domain.tld
ipa.ipaserver.plugins.ldap2.SchemaCache: DEBUG retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2c00758>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection
context.ldap2_62965520
ipa : DEBUG args=/usr/bin/PKCS12Export -d /var/lib/pki-ca/alias/
-p /tmp/tmpPl8m5I -w /tmp/tmpTv1GoU -o /root/cacert.p12
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
context.ldap2_62965520
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection
context.ldap2_62965520
Creating SSL certificate for the Directory Server
ipa : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG args=/usr/bin/certutil -d
/tmp/tmpMhbi7sipa/realm_info -N -f /tmp/tmpMhbi7sipa/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d
/tmp/tmpMhbi7sipa/realm_info -A -n DOMAIN.TLD IPA CA -t CT,,C -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d
/tmp/tmpMhbi7sipa/realm_info -R -s CN=ipa2.domain.tld,O=DOMAIN.TLD -o
/var/lib/ipa/ipa-JGfpWu
/tmpcertreq -k rsa -g 2048 -z /tmp/tmpMhbi7sipa/realm_info/noise.txt -f
/tmp/tmpMhbi7sipa/realm_info/pwdfile.txt -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
Generating key. This may take a few moments...
ipa : DEBUG https_request '
https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient'
ipa : DEBUG https_request post
'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICdjCCAV4CAQAwMTEQMA4GA1UEChMH
WkFZTy5VUzEdMBsGA1UEAxMUZGVuMDJ2%0D%0AbWlkbTAyLnpheW8udXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj%0D%0AGVwN6mATZGwEd19aRzDnG8HhED3Q2shjAxmf
0hreFdls079m1mdbRlUtFOWnVx%2Bx%0D%0AFS0BQZZn0dfNXeArYz0dBXw9Plo%2FzFcMaXjmwGGGGtdTqukdQT79vfvwH7k2mB1c%0D%0AbitykHqYvapI%2BzaMXjRTYwOBJzkxKFhwGl
QEt8lb3oqgJrCkyH11ldsDDo%2FMcnEI%0D%0AYua50OPKKnDZ9zdOx32wL7t1VM5FRhqV941R4MT7Y9fr7u3EdUbWNpa9hCQ8LTXs%0D%0Az2pU8%2Fu64Nnj%2FzP9vXXzx5YUSQK7NoUe
qOl0%2Ft%2F4h%2B8%2FXmmmKLfdu2aD%2Bp%2BzGBYG%0D%0ApkFLT2oZLk7XOFc5xGmrAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAb%2FkkLjcr%0D%0Ay9XLuzePw59UxpOeCQSdCr
ET2e6Uy3rEglo5%2F8HcQbdaeCrOfwKyjbmUjJnCXptM%0D%0As6xW%2FOtNU1Xqt7fUJpxTgKDX%2Fsz5gWejuIQyAT20qnxsg8aHz0L7LxrlumW1eCMg%0D%0Af1kIXwLWzfQntBtaEFyN
aJx6wEZTXQboKbZqSB281BH96dJF1szaD7nPKCo4ZFfA%0D%0AwKaJbIM89cjQvYjA9utatlqEK0g2CZnc8YtKauTmZz%2FV7W%2B3jpVV1XfgoChVmr%2FV%0D%0A%2BN0czdeA93Ie9jBB
7ZOAko2BCLuPAc2z4w0K1VF4DXBA4slf2AD%2F29xCnv1nYbzZ%0D%0AfuhOgnfI8PIdQw%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa : DEBUG NSSConnection init ipa1.domain.tld
ipa : DEBUG Connecting: 192.168.1.10:0
ipa : DEBUG auth_certificate_callback: check_sig=True
is_server=False
Data:
Version: 3 (0x2)
Serial Number: 804978690 (0x2ffb0002)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=DOMAIN.TLD
Validity:
Not Before: Tue Oct 06 21:27:25 2015 UTC
Not After: Mon Sep 25 21:27:25 2017 UTC
Subject: CN=ipa1.domain.tld,O=DOMAIN.TLD
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d0:7d:e0:36:af:0c:c5:03:ea:ea:1e:57:35:50:93:ec:
77:97:79:79:fe:7a:4c:14:e9:08:6a:2e:71:3e:fe:14:
55:cd:e5:97:cf:40:31:e1:f1:c4:fb:d9:a8:81:ce:d1:
76:59:80:7c:65:c2:45:c2:06:69:a0:91:96:51:c6:4e:
e1:01:42:a0:6f:99:c3:80:83:69:49:8f:f9:7c:88:f2:
20:4a:df:85:d1:a3:01:e4:78:72:51:13:4c:d8:6b:e8:
06:1f:cb:2b:40:94:c7:9a:14:55:85:58:2b:6a:f9:4a:
d8:3b:b6:78:a6:d4:bf:04:cf:69:12:9e:e7:58:a4:6b:
11:55:f7:8a:8f:dd:00:7e:7b:e5:5e:f9:29:0a:9d:dd:
d0:ed:fa:ce:e1:c8:27:15:d2:01:b4:3a:fb:8c:33:1b:
66:ff:ce:2d:83:01:44:56:d0:0c:8b:7a:77:3d:d1:c1:
14:f0:0f:15:38:8e:68:f6:aa:5b:99:b3:1e:ef:53:03:
53:af:b4:c7:a8:c0:84:06:f8:0e:27:12:5a:e2:b8:29:
ba:0d:b5:0c:af:4c:b6:06:22:76:9d:6a:71:5d:96:41:
4c:c8:c1:3f:0a:40:0a:57:eb:5e:7c:6d:a1:d7:1c:22:
60:07:7a:08:c3:9e:d4:cb:1d:20:c3:b9:65:07:c8:39
Exponent:
65537 (0x10001)
Signed Extensions: (4 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
df:e2:06:f2:94:98:29:17:5a:0f:65:e5:df:eb:0b:c3:
7d:d0:4b:0f
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI:
http://ipa1.domain.tld:80/ca/ocsp
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
a0:98:8f:04:39:d9:57:fd:96:3f:e4:d3:29:7a:df:37:
6d:30:c0:d2:3c:af:0f:a0:9f:c0:dc:38:61:84:a7:b5:
e0:db:6a:4a:9d:44:3b:45:04:2b:87:d1:fb:d5:5b:d4:
7f:24:3c:db:80:1e:9d:65:1d:09:5a:6a:3e:15:e0:8a:
e9:60:e8:ef:c3:c9:92:fe:a6:df:54:dc:e7:d9:52:c9:
93:10:a9:b4:12:b3:fb:34:fb:f8:c1:43:a1:2e:71:c6:
70:aa:c3:4e:2f:c3:d9:56:ba:9b:b8:14:c5:2b:e7:f2:
64:bb:0b:59:99:9c:85:0e:4f:04:54:1e:cf:53:a2:ae:
4e:72:29:37:cb:53:c1:e4:61:26:0d:68:df:34:86:29:
4a:7e:00:4a:a0:70:06:e8:cb:f4:78:f6:cb:5e:a2:2e:
73:73:51:18:0e:a5:b3:3a:6c:e6:c8:11:aa:18:21:a5:
d3:85:a0:01:6b:39:90:aa:38:6c:6b:33:b0:f2:89:4a:
e0:2d:51:c7:e7:9b:a7:63:cf:4a:af:17:ed:da:2f:0d:
63:81:61:24:b0:d9:db:44:eb:aa:c0:d1:d3:4e:51:60:
92:70:39:a8:39:45:bc:ca:97:bf:cd:9f:02:38:ec:6e:
15:2f:5c:b2:c6:77:de:d6:8d:3e:76:5c:14:34:f5:69
Fingerprint (MD5):
fd:4d:92:51:bb:e0:5e:34:8c:83:e4:43:a0:d3:1f:21
Fingerprint (SHA1):
47:4e:12:b6:5a:12:b8:85:b3:c8:53:09:9e:5f:97:a0:
65:ea:cd:1f
ipa : ERROR cert validation failed for
"CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's
Certificate has expired.)
preparation of replica failed: cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
ipa : DEBUG cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 400, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
raise e
cannot connect to 'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 400, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb
raise e
On Thu, Nov 16, 2017 at 5:16 PM, Fraser Tweedale <ftweedal(a)redhat.com>
wrote:
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
> john.bowman--- via FreeIPA-users wrote:
> > Still looking for any ideas on this one so giving it a bump.
>
> Next time please don't wipe out all the context.
>
> Fraser, it seems to be having a problem connecting to the security
domain.
>
> The full thread is at
>
https://lists.fedoraproject.org/archives/list/freeipa-users(a)lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
>
> rob
>
For the security domain connection problems, a fix was released in
Dogtag 10.5.1 (pki commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3).
As for the expired certificates problem, I'm not sure about that; more logs would be helpful. But perhaps start over with a fresh host for the replica and run the latest pki builds (Fedora 27 was just released and it ships Dogtag 10.5.1).
Cheers,
Fraser
--
John Bowman
System Engineer
4500 S 129th East Avenue,
Suite 132
Tulsa, OK 74134
(c) 918.633.4191
(o) 918.295.7043
john.bowman(a)zayo.com