Hello. I'm trying to enroll Ubuntu 24.04 into the domain, but it says "certificate verify failed: Hostname mismatch, certificate is not valid for 'ipa2.dom.loc'. (_ssl.c:1000)". But when I open the IPA web address in a browser it seems fine. It's self-signed like always, but the date and name are fine. And just recently I successfully added another host. How can I fix it? Maybe I can disable certificate checking somehow, just for a start?
sudo ipa-client-install --hostname dit-ntb-spc39-1797875.dom.loc --server=ipa2.dom.loc --enable-dns-updates --domain dom.loc --mkhomedir -p admin -w Password --force-join
This program will set up IPA client.
Version 4.11.1
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Using existing certificate '/etc/ipa/ca.crt'.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: y
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: dit-ntb-spc39-1797875.dom.loc
Realm: dom.loc
DNS Domain: dom.loc
IPA Server: ipa2.dom.loc
BaseDN: dc=l3874,dc=ru
Continue to configure the system with these values? [no]: y
Removed old keys for realm dom.loc from /etc/krb5.keytab
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
Enrolled in IPA realm dom.loc
Created /etc/ipa/default.conf
Domain dom.loc is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Connection to https://ipa2.dom.loc/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipa2.dom.loc'. (_ssl.c:1000)
Connection to https://ipa.dom.loc/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipa.dom.loc'. (_ssl.c:1000)
cannot connect to 'любой из настроенных серверов': https://ipa2.dom.loc/ipa/json, https://ipa.dom.loc/ipa/json
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Dmitry Krasov via FreeIPA-users wrote:
Hello. I'm trying to enroll Ubuntu 24.04 into the domain, but it says "certificate verify failed: Hostname mismatch, certificate is not valid for 'ipa2.dom.loc'. (_ssl.c:1000)". But when I open the IPA web address in a browser it seems fine. It's self-signed like always, but the date and name are fine. And just recently I successfully added another host. How can I fix it? Maybe I can disable certificate checking somehow, just for a start?
There is no option to disable cert validation.
On the IPA server you can see what names it will answer for in this output:
# openssl x509 -noout -in /var/lib/ipa/certs/httpd.crt -ext subjectAltName
rob
Hello Rob. Thanks for answering.
I'm trying to go to the Authentication tab and get "IPA Error 4301: CertificateOperationError".
I checked via the getcert list command, and it says that these certs expire in about 2 years. Maybe I should update them? How can I renew the certificate for https?
Dmitry Krasov via FreeIPA-users wrote:
Hello Rob. Thanks for answering.
I'm trying to go to the Authentication tab and get "IPA Error 4301: CertificateOperationError".
That's interesting but what about verifying that the SAN is correct in the certificate that is preventing Ubuntu clients from enrolling?
It's best to tackle things one at a time. I doubt these are related. For the CertificateOperationError you'll need to dig into the Apache and/or PKI logs to see what happened.
As for the certs expiring in two years, that is the issuance period. Renewing is not necessary.
rob
Here is the getcert list:
Number of certificates and requests being tracked: 8.
Request ID '20241204101230':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Audit,O=DOM.LOC
expires: 2024-11-19 05:25:15 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204101231':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=OCSP Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204101232':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204101233':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=Certificate Authority,O=DOM.LOC
expires: 2042-11-30 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204101234':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=IPA RA,O=DOM.LOC
expires: 2024-11-19 05:25:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20241204101235':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa2.dom.loc,O=DOM.LOC
expires: 2026-01-07 13:11:56 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204101236':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa2.dom.loc,O=DOM.LOC
expires: 2026-01-18 12:56:36 UTC
principal name: ldap/ipa2.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
track: yes
auto-renew: yes
Request ID '20241204101237':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa2.dom.loc,O=DOM.LOC
expires: 2026-01-18 12:57:47 UTC
principal name: HTTP/ipa2.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
It was the wrong server. This is the right one:
---------------------------------------------
Number of certificates and requests being tracked: 8.
Request ID '20241204100432':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Audit,O=DOM.LOC
expires: 2024-12-01 13:19:15 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204100433':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=OCSP Subsystem,O=DOM.LOC
expires: 2024-12-01 13:19:13 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204100434':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Subsystem,O=DOM.LOC
expires: 2024-12-01 13:19:13 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204100435':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=Certificate Authority,O=DOM.LOC
expires: 2042-12-12 13:19:12 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204100436':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=IPA RA,O=DOM.LOC
expires: 2024-12-01 13:19:43 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20241204100437':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2024-12-01 13:19:13 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20241204100438':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-L3874-RU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-L3874-RU/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-L3874-RU',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-11-16 07:24:40 UTC
principal name: ldap/ipa.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv L3874-RU
track: yes
auto-renew: yes
Request ID '20241204100439':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-11-16 07:24:49 UTC
principal name: HTTP/ipa.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Hi,
on the ipa.dom.loc server, the following certs are expired:
- auditSigningCert cert-pki-ca (2024-12-01)
- ocspSigningCert cert-pki-ca (2024-12-01)
- subsystemCert cert-pki-ca (2024-12-01)
- ipaCert (2024-12-01)
- Server-Cert cert-pki-ca (2024-12-01)
on the ipa2.dom.loc server, the following certs are expired:
- auditSigningCert cert-pki-ca (2024-11-19)
- ocspSigningCert cert-pki-ca (2024-11-19)
- subsystemCert cert-pki-ca (2024-11-19)
- ipaCert (2024-11-19)
If both masters are part of the same topology, there clearly is an issue as the certs (except Server-Cert cert-pki-ca) should be identical on both machines. Are they replicating to each other?
You need to find the CA renewal master:
# kinit admin
# ipa config-show
Then start by repairing this server. You can follow https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html-sin...
HTH, flo
On Mon, Dec 9, 2024 at 6:25 AM Dmitry Krasov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello Rob. Is there enough information?
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
I tried to update the certs on a test environment with these instructions, but it updated the webserver's certs only, with CA_UNREACHABLE status. https://www.freeipa.org/page/IPA_2x_Certificate_Renewal
Number of certificates and requests being tracked: 8.
Request ID '20221130052539':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Audit,O=DOM.LOC
expires: 2024-11-19 05:25:15 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052540':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=OCSP Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052541':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052542':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=Certificate Authority,O=DOM.LOC
expires: 2042-11-30 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052543':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=IPA RA,O=DOM.LOC
expires: 2024-11-19 05:25:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221130052544':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052605':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-10-18 21:32:34 UTC
principal name: ldap/ipa.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
track: yes
auto-renew: yes
Request ID '20221130052625':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-10-18 21:32:23 UTC
principal name: HTTP/ipa.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Hi,
On Wed, Dec 18, 2024 at 11:00 AM Dmitry Krasov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I tried to update the certs on a test environment with these instructions, but it updated the webserver's certs only, with CA_UNREACHABLE status. https://www.freeipa.org/page/IPA_2x_Certificate_Renewal
The above instructions are for IPA 2.x and do not apply to IPA 4.11. The code of the CA helpers was consolidated and the tracking requests do not use the same CA helpers.
Number of certificates and requests being tracked: 8.
Request ID '20221130052539':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
With IPA 4.11 this cert is using the CA helper dogtag-ipa-ca-renew-agent, not dogtag-ipa-renew-agent.
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Audit,O=DOM.LOC
expires: 2024-11-19 05:25:15 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052540':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
Same comment, the tracking is now using a wrong CA helper.
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=OCSP Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052541':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
Same comment.
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052542':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=Certificate Authority,O=DOM.LOC
expires: 2042-11-30 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052543':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
Same comment
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=IPA RA,O=DOM.LOC
expires: 2024-11-19 05:25:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221130052544':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
Same comment.
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052605':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-10-18 21:32:34 UTC
principal name: ldap/ipa.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
track: yes
auto-renew: yes
Request ID '20221130052625':
status: CA_UNREACHABLE
ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-10-18 21:32:23 UTC
principal name: HTTP/ipa.dom.loc@DOM.LOC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
You will have to fix the tracking requests first (call getcert start-tracking with the right -c argument), and then you can follow the link https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html-single/managing_certificates_in_idm/index#renewing-expired-system-certificates-on-a-ca_renewing-expired-system-certificates-when-idm-is-offline I provided in my first message or this one: https://www.freeipa.org/page/Troubleshooting/PKI.html#ipa-won-t-start-expire... to use ipa-cert-fix.
HTH, flo
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
I turned back time and fixed the certs with the resubmit command after the "-c" option, and now the last 2 seem fine. But the other 6 can't find the CA. What if I change their CA to "CA: IPA"?
screenshot with "https://ipa.dom.loc:8443/ca/agent/ca/profileReview" page: https://i.ibb.co/bXsvYBD/image.png
-----------------------------------------------------
Number of certificates and requests being tracked: 8.
Request ID '20221130052539':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=CA Audit,O=DOM.LOC
  expires: 2024-11-19 05:25:15 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052540':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=OCSP Subsystem,O=DOM.LOC
  expires: 2024-11-19 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052541':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=CA Subsystem,O=DOM.LOC
  expires: 2024-11-19 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052542':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=Certificate Authority,O=DOM.LOC
  expires: 2042-11-30 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052543':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=IPA RA,O=DOM.LOC
  expires: 2024-11-19 05:25:36 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20221130052544':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=ipa.dom.loc,O=DOM.LOC
  expires: 2024-11-19 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052605':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=ipa.dom.loc,O=DOM.LOC
  expires: 2026-10-18 20:36:25 UTC
  principal name: ldap/ipa.dom.loc@DOM.LOC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
  track: yes
  auto-renew: yes
Request ID '20221130052625':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=ipa.dom.loc,O=DOM.LOC
  expires: 2026-10-18 20:36:33 UTC
  principal name: HTTP/ipa.dom.loc@DOM.LOC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/lib/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
Hi,
On Thu, Dec 19, 2024 at 9:09 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
I turned back in time, and fixed certs with resubmit command after "-c" option, and now 2 last seems fine. But the other 6 can't find CA. What if change their CA to "CA: IPA" ?
Please don't. The certificates that are tracked with dogtag-ipa-ca-renew-agent are shared certificates (the same cert is installed on all the replicas and the CA helper is smart enough to know if it needs to request a new certificate or download the new one). If you switch to CA: IPA, your topology loses this logic.
Do you have any strong reason for using the method go-back-in-time rather than ipa-cert-fix command? The drawback is that you need to carefully select your date in the past: the certificates must not be expired yet but also have to *be already valid* (LDAP and HTTP certs have been renewed, they will expire 2026-10-18, but what is their valid-from date? If you go back in the past to a date before they are valid, they are unusable). flo
"ipa-cert-fix" doesn't work. So I checked the expiry date and changed the date to about 1 month before. But it updated only the last 2 certs. How can I fix the others? What's wrong with this CA? Maybe I should change it to another one somehow?
Hi,
On Fri, Dec 20, 2024 at 11:40 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
"ipa-cert-fix" doesn't work. So I checked the expiry date and changed the date to about 1 month before.
First, make sure that the machine where you are running the commands is the CA renewal master:
# ipa config-show | grep renew
  IPA CA renewal master: server.ipa.test
The command ipa config-mod --ca-renewal-master-server=STR can be used to set the machine as renewal master.
You need to carefully pick a date where all the certs are valid. For the certificates in an NSS database, you can find the dates using
# certutil -L -d /path/to/NSSdatabase -n certnickname | grep -E 'Not Before|Not After'
For instance:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca' | grep -E 'Not Before|Not After'
            Not Before: Thu Dec 14 15:55:20 2023
            Not After : Wed Dec 03 15:55:20 2025
Then you need to find a date that fits before/after for all the certificates. Move back to that date, restart the services (don't restart ntpd or chronyd as it would bring you back to the current date), and call getcert resubmit for one certificate at a time. If there are any errors, they will be displayed in the journal.
HTH, flo
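The date-picking step flo describes (find a point in time at which every tracked certificate is already valid and none has expired yet) is easy to get wrong by hand when eight certificates are involved. The Go program below is an added example, written for this thread and not part of it or of FreeIPA: it parses the "Not Before" / "Not After" lines that certutil prints, computes the window common to all certificates, and checks a candidate date against it. The sample input is constructed from the eight validity pairs Dmitry reports in this thread; the function names and the Window type are this example's own.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// certutil prints validity like "Not Before: Thu Dec 14 15:55:20 2023"
// (zero-padded day, no time zone); this layout matches that format.
const certutilLayout = "Mon Jan 02 15:04:05 2006"

// Window is the interval during which every parsed certificate is valid.
type Window struct {
	Start time.Time // latest "Not Before" over all certificates
	End   time.Time // earliest "Not After" over all certificates
}

// Fits reports whether t lies strictly inside the window.
func (w Window) Fits(t time.Time) bool {
	return t.After(w.Start) && t.Before(w.End)
}

// parseDate returns the timestamp after the first ':' of a
// "Not Before:" or "Not After :" line (certutil's spacing differs).
func parseDate(line string) (time.Time, error) {
	_, rest, ok := strings.Cut(line, ":")
	if !ok {
		return time.Time{}, fmt.Errorf("no ':' in %q", line)
	}
	return time.Parse(certutilLayout, strings.TrimSpace(rest))
}

// CommonWindow scans certutil output (output for several certificates may
// simply be concatenated) and returns the interval in which all of them are
// valid. ok is false when nothing was found or the interval is empty, i.e.
// one certificate only became valid after another had already expired.
func CommonWindow(output string) (w Window, ok bool, err error) {
	befores, afters := 0, 0
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		var t time.Time
		switch {
		case strings.HasPrefix(line, "Not Before"):
			if t, err = parseDate(line); err != nil {
				return Window{}, false, err
			}
			if befores == 0 || t.After(w.Start) {
				w.Start = t
			}
			befores++
		case strings.HasPrefix(line, "Not After"):
			if t, err = parseDate(line); err != nil {
				return Window{}, false, err
			}
			if afters == 0 || t.Before(w.End) {
				w.End = t
			}
			afters++
		}
	}
	if befores == 0 || afters == 0 || !w.Start.Before(w.End) {
		return w, false, nil
	}
	return w, true, nil
}

// sampleOutput is constructed from the eight Not Before/Not After pairs
// reported for the tracked certificates in this thread.
const sampleOutput = `
Not Before: Wed Nov 30 05:25:15 2022
Not After : Tue Nov 19 05:25:15 2024
Not Before: Wed Nov 30 05:25:14 2022
Not After : Tue Nov 19 05:25:14 2024
Not Before: Wed Nov 30 05:25:14 2022
Not After : Tue Nov 19 05:25:14 2024
Not Before: Wed Nov 30 05:25:14 2022
Not After : Sun Nov 30 05:25:14 2042
Not Before: Wed Nov 30 05:25:14 2022
Not After : Tue Nov 19 05:25:14 2024
Not Before: Wed Nov 30 05:25:36 2022
Not After : Tue Nov 19 05:25:36 2024
Not Before: Wed Nov 30 05:26:25 2022
Not After : Sat Nov 30 05:26:25 2024
Not Before: Wed Nov 30 05:26:05 2022
Not After : Sat Nov 30 05:26:05 2024
`

func main() {
	w, ok, err := CommonWindow(sampleOutput)
	if err != nil || !ok {
		fmt.Println("no common validity window:", err)
		return
	}
	fmt.Printf("all certificates valid between %s and %s\n", w.Start, w.End)
	for _, c := range []time.Time{
		time.Date(2024, 11, 17, 0, 0, 0, 0, time.UTC), // date chosen in the thread
		time.Date(2024, 12, 19, 0, 0, 0, 0, time.UTC), // the real date when the thread ran
	} {
		fmt.Printf("%s fits: %v\n", c.Format(certutilLayout), w.Fits(c))
	}
}
```

certutil prints local time without a zone, so the clock should be set in the same zone the output was read in. Leaving some margin before the earliest "Not After" (as the Nov 17 choice in the thread does, two days before the Nov 19 expiries) gives the resubmit calls time to complete while every certificate is still valid.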
I checked the date and got:
Not Before: Wed Nov 30 05:25:15 2022
Not After : Tue Nov 19 05:25:15 2024
Not Before: Wed Nov 30 05:25:14 2022
Not After : Tue Nov 19 05:25:14 2024
Not Before: Wed Nov 30 05:25:14 2022
Not After : Tue Nov 19 05:25:14 2024
Not Before: Wed Nov 30 05:25:14 2022
Not After : Sun Nov 30 05:25:14 2042
Not Before: Wed Nov 30 05:25:14 2022
Not After : Tue Nov 19 05:25:14 2024
Not Before: Wed Nov 30 05:25:36 2022
Not After : Tue Nov 19 05:25:36 2024
Not Before: Wed Nov 30 05:26:25 2022
Not After : Sat Nov 30 05:26:25 2024
Not Before: Wed Nov 30 05:26:05 2022
Not After : Sat Nov 30 05:26:05 2024
I changed it to Nov 17 00:00:00 2024
ipactl restart
But I was able to update the last 2 certs only (Server-Cert)
--------------------
getcert resubmit -i 20221130052539 log:
Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: AS_REQ (6 etypes {18 17 16 23 25 26}) 65.152.254.100: NEEDED_PREAUTH: host/ipa.dom.loc@DOM.LOC for krbtgt/DOM.LOC@DOM.LOC, Additional pre-authentication required
Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5
Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: AS_REQ (6 etypes {18 17 16 23 25 26}) 65.152.254.100: ISSUE: authtime 1731789998, etypes {rep=18 tkt=18 ses=18}, host/ipa.dom.loc@DOM.LOC for krbtgt/DOM.LOC@DOM.LOC
Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5
Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1
Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1
Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: TGS_REQ (6 etypes {18 17 16 23 25 26}) 65.152.254.100: ISSUE: authtime 1731789998, etypes {rep=18 tkt=18 ses=18}, host/ipa.dom.loc@DOM.LOC for ldap/ipa.dom.loc@DOM.LOC
Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5
Nov 17 00:46:38 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 1
Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1
Nov 17 00:46:39 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 2
Nov 17 00:46:39 ipa.dom.loc python2[10168]: GSSAPI client step 2
Nov 17 00:46:39 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 3
Nov 17 00:46:39 ipa.dom.loc dogtag-ipa-ca-renew-agent-submit[10168]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 00:46:39 ipa.dom.loc dogtag-ipa-ca-renew-agent-submit[10168]: dogtag-ipa-renew-agent returned 3
Nov 17 00:46:39 ipa.dom.loc certmonger[1032]: 2024-11-17 00:46:39 [1032] Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
----------------------------
Request ID '20221130052539':
  status: CA_UNREACHABLE
  ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=CA Audit,O=DOM.LOC
  expires: 2024-11-19 05:25:15 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Hi,
On Mon, Dec 23, 2024 at 2:09 PM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Request ID '20221130052539': status: CA_UNREACHABLE ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
This error happens when the file /etc/ipa/ca.crt is missing or not readable. On my system I have -rw-r--r--. 1 root root
If the file is missing, you can re-create it. It must contain the IPA CA certificate (if it's self-signed) or the IPA CA and its chain (if it is externally signed). You can find the IPA CA cert using:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -a
Copy-paste the output into /etc/ipa/ca.crt, set the right permissions, and re-try getcert resubmit.
flo
I did chmod 777 for /etc/ipa/ca.crt and html/ca.crt but got the same error. Maybe there is a wrong path somewhere? Also I compared this cert with the cert in the browser here https://ipa.dom.loc:8443/ca/agent/ca/profileReview and they look different. Is it fine?
-------------------------------------
/etc/ipa/ca.crt and html/ca.crt:
-----BEGIN CERTIFICATE-----
MIIDfzCCAmegAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKDAdET00u
TE9DMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIxMTMwMDUy
NTE0WhcNNDIxMTMwMDUyNTE0WjAyMRAwDgYDVQQKDAdET00uTE9DMR4wHAYDVQQD
DBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDScx6Ah9lD3MZ9Y/FnmC2BuM1l5mbaDo6n8ke07So+J2ryG13kKWf6
eGyaMiFf3o6bi9zTB2gDlIWDAgjsjYeVo7dz3dO+DM4o57C8OYGecySsJ3VSsYTs
utNNKxqMprOxqNB2ascwLiR6Oy2NWzOFtg0ZP4GBW1uqv26cYl0s28CcL1xU+Rnh
FsXTtn5yGdkUKPj9vBFxiQI11ILV+mp58NmIddqjjzsXzHrAJ7+v7EcVS1tlZvLA
bfgWVgaHE1GNdmL7DzkBtrIX6nwzVhbVFhKpYAAGJUPHFS9yMxgwGFejkVmyFOzG
o/cwikq699YHujpgPLej98BM6e9VIpxvAgMBAAGjgZ8wgZwwHwYDVR0jBBgwFoAU
CBaGdFi3XREanbDOr1fXZH4KKakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAcYwHQYDVR0OBBYEFAgWhnRYt10RGp2wzq9X12R+CimpMDkGCCsGAQUFBwEB
BC0wKzApBggrBgEFBQcwAYYdaHR0cDovL2lwYS5kb20ubG9jOjgwL2NhL29jc3Aw
DQYJKoZIhvcNAQELBQADggEBAEDtgTehcANC+hTvgxXsV6tboYBAza6+Gvs+jQd4
2LfBwZNJClqTL0F2u2vUBH6m4gaUMWmPoP6bwqFJ7Yw+ZT04DlGpt0JyaVfP8zAU
FV3k9fygY9Qk6+WGyIi172uB+7GR7CIDT90cGftq3RqF5kapnbRXmT46RHNIC2gB
/Ld/fG4SPWwmSB91YPbiaRJcWdCC2QZsn7i2pikqyOfn7m9Oim8HZhd4/t1TMezD
+AJcfwCkWyqaLZPGwvdt8gf6vk7DR+FYIvmLxGbhrmS3yfuBmcJ8LgCKK5QtMXUo
FNc869oM4O6QoH87gzef9Lu9LrbWH23V7LH33G0aY1v5Jxs=
-----END CERTIFICATE-----
---------------------------------
ipa.dom.loc.crt from browser:
---------------------------------
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKDAdET00u
TE9DMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIxMTMwMDUy
NTE0WhcNMjQxMTE5MDUyNTE0WjAoMRAwDgYDVQQKDAdET00uTE9DMRQwEgYDVQQD
DAtpcGEuZG9tLmxvYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+g
HAHNMXIjF022FYZwJUUL2qVL3PoW/hewj99Gms6HwPusVSzgOwG70deGRMvXGyfQ
XUvzkuVKQbQ8zdsm6/WQMyGPyBf7XGMtjbvGRApvP6EpuUGspExD1s6dlZu+B/Ey
Bpdxn8foipn5us8LLohBGhDODWo/AycorZL/UXAU9FbrIweJGCSiKYSKTlb5ZsP+
Ac7DHrr/siphqb3R6Qu9K2smDVEWWdEH44LID0jAMdPX5CfWPYxmG8YDG8MKV6bD
qajm4Jt0Rt4/fCdupPKmlHBGzej9IQL0hzMzhx1k2aDaCwkWsbZlg+LiEgmrugP0
HM77f0TolUjHDv8ZJi0CAwEAAaOBhDCBgTAfBgNVHSMEGDAWgBQIFoZ0WLddERqd
sM6vV9dkfgopqTA5BggrBgEFBQcBAQQtMCswKQYIKwYBBQUHMAGGHWh0dHA6Ly9p
cGEuZG9tLmxvYzo4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAK
BggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAT9wXrumBSXL3PCh8YKTWRO7q
H1xmi24K7zckLKZNJyLtBmLA1pG9pOw3ZNuknj1dmmhxgW1laGSD86EbdymOl2jk
jU/WYmXXVNGjEFnFpMfaPtdY1/S4M6anrjPwG0SJaGO+0Avf7+odr9wMbL/IUY+t
u2sF9+sj4M0Mq6cxZyCfaANC83Q4exiIvQ34OQdD2mH77r3eKis9KPsf44GTojSt
WxSZeeZr2Isq/N95qN4/vA+cXjPEAi65YS4TJvXujVmN/KmawNnv3WNLVSAx638r
RxUhZ7pJ5K+ixymk6KhBBm5PRmgqkEdfPlyzt9ksaJ7wTNpVOU3js53yTqarVQ==
-----END CERTIFICATE-----
Hi,
On Tue, Dec 24, 2024 at 7:56 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
I did chmod 777 for /etc/ipa/ca.crt and html/ca.crt but got same error.
Do you have selinux in enforcing mode? What is the output of ls -lZ /etc/ipa/ca.crt ?
Maybe there is some wrong path in some place?
Also I compared this cert with cert in browser here https://ipa.dom.loc:8443/ca/agent/ca/profileReview and they looks different. Is it fine?
Yes it's normal.
/etc/ipa/ca.crt contains the Certificate Authority cert (the same as in the NSS database /etc/pki/pki-tomcat/alias/ with the alias 'caSigningCert cert-pki-ca'). According to the content pasted below, this one is valid between Nov 30 05:25:14 2022 GMT and Nov 30 05:25:14 2042 GMT.
The one that you can see in your browser is the server certificate for HTTP, issued by the Certificate Authority. It is valid from Nov 30 05:25:14 2022 GMT to Nov 19 05:25:14 2024 GMT.
flo
-------------------------------------
/etc/ipa/ca.crt and html/ca.crt:
-----BEGIN CERTIFICATE-----
MIIDfzCCAmegAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKDAdET00u
TE9DMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIxMTMwMDUy
NTE0WhcNNDIxMTMwMDUyNTE0WjAyMRAwDgYDVQQKDAdET00uTE9DMR4wHAYDVQQD
DBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDScx6Ah9lD3MZ9Y/FnmC2BuM1l5mbaDo6n8ke07So+J2ryG13kKWf6
eGyaMiFf3o6bi9zTB2gDlIWDAgjsjYeVo7dz3dO+DM4o57C8OYGecySsJ3VSsYTs
utNNKxqMprOxqNB2ascwLiR6Oy2NWzOFtg0ZP4GBW1uqv26cYl0s28CcL1xU+Rnh
FsXTtn5yGdkUKPj9vBFxiQI11ILV+mp58NmIddqjjzsXzHrAJ7+v7EcVS1tlZvLA
bfgWVgaHE1GNdmL7DzkBtrIX6nwzVhbVFhKpYAAGJUPHFS9yMxgwGFejkVmyFOzG
o/cwikq699YHujpgPLej98BM6e9VIpxvAgMBAAGjgZ8wgZwwHwYDVR0jBBgwFoAU
CBaGdFi3XREanbDOr1fXZH4KKakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAcYwHQYDVR0OBBYEFAgWhnRYt10RGp2wzq9X12R+CimpMDkGCCsGAQUFBwEB
BC0wKzApBggrBgEFBQcwAYYdaHR0cDovL2lwYS5kb20ubG9jOjgwL2NhL29jc3Aw
DQYJKoZIhvcNAQELBQADggEBAEDtgTehcANC+hTvgxXsV6tboYBAza6+Gvs+jQd4
2LfBwZNJClqTL0F2u2vUBH6m4gaUMWmPoP6bwqFJ7Yw+ZT04DlGpt0JyaVfP8zAU
FV3k9fygY9Qk6+WGyIi172uB+7GR7CIDT90cGftq3RqF5kapnbRXmT46RHNIC2gB
/Ld/fG4SPWwmSB91YPbiaRJcWdCC2QZsn7i2pikqyOfn7m9Oim8HZhd4/t1TMezD
+AJcfwCkWyqaLZPGwvdt8gf6vk7DR+FYIvmLxGbhrmS3yfuBmcJ8LgCKK5QtMXUo
FNc869oM4O6QoH87gzef9Lu9LrbWH23V7LH33G0aY1v5Jxs=
-----END CERTIFICATE-----
ipa.dom.loc.crt from browser:
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKDAdET00u
TE9DMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIxMTMwMDUy
NTE0WhcNMjQxMTE5MDUyNTE0WjAoMRAwDgYDVQQKDAdET00uTE9DMRQwEgYDVQQD
DAtpcGEuZG9tLmxvYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+g
HAHNMXIjF022FYZwJUUL2qVL3PoW/hewj99Gms6HwPusVSzgOwG70deGRMvXGyfQ
XUvzkuVKQbQ8zdsm6/WQMyGPyBf7XGMtjbvGRApvP6EpuUGspExD1s6dlZu+B/Ey
Bpdxn8foipn5us8LLohBGhDODWo/AycorZL/UXAU9FbrIweJGCSiKYSKTlb5ZsP+
Ac7DHrr/siphqb3R6Qu9K2smDVEWWdEH44LID0jAMdPX5CfWPYxmG8YDG8MKV6bD
qajm4Jt0Rt4/fCdupPKmlHBGzej9IQL0hzMzhx1k2aDaCwkWsbZlg+LiEgmrugP0
HM77f0TolUjHDv8ZJi0CAwEAAaOBhDCBgTAfBgNVHSMEGDAWgBQIFoZ0WLddERqd
sM6vV9dkfgopqTA5BggrBgEFBQcBAQQtMCswKQYIKwYBBQUHMAGGHWh0dHA6Ly9p
cGEuZG9tLmxvYzo4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAK
BggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAT9wXrumBSXL3PCh8YKTWRO7q
H1xmi24K7zckLKZNJyLtBmLA1pG9pOw3ZNuknj1dmmhxgW1laGSD86EbdymOl2jk
jU/WYmXXVNGjEFnFpMfaPtdY1/S4M6anrjPwG0SJaGO+0Avf7+odr9wMbL/IUY+t
u2sF9+sj4M0Mq6cxZyCfaANC83Q4exiIvQ34OQdD2mH77r3eKis9KPsf44GTojSt
WxSZeeZr2Isq/N95qN4/vA+cXjPEAi65YS4TJvXujVmN/KmawNnv3WNLVSAx638r
RxUhZ7pJ5K+ixymk6KhBBm5PRmgqkEdfPlyzt9ksaJ7wTNpVOU3js53yTqarVQ==
-----END CERTIFICATE-----
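Added example, not code from the thread or from the FreeIPA project: a stdlib-only script that parses the ipa.dom.loc certificate posted above and reports the two things a verifying TLS client checks, the validity window and whether the hostname being connected to is covered by the certificate's names. The certificate bytes are exactly the ones posted; the hostnames ipa.dom.loc and ipa2.dom.loc and the evaluation dates passed as `now` are assumptions chosen for the demonstration.

```python
"""Stdlib-only X.509 check of the ipa.dom.loc certificate posted in this thread."""
import base64
import datetime

IPA_SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKDAdET00u
TE9DMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIxMTMwMDUy
NTE0WhcNMjQxMTE5MDUyNTE0WjAoMRAwDgYDVQQKDAdET00uTE9DMRQwEgYDVQQD
DAtpcGEuZG9tLmxvYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+g
HAHNMXIjF022FYZwJUUL2qVL3PoW/hewj99Gms6HwPusVSzgOwG70deGRMvXGyfQ
XUvzkuVKQbQ8zdsm6/WQMyGPyBf7XGMtjbvGRApvP6EpuUGspExD1s6dlZu+B/Ey
Bpdxn8foipn5us8LLohBGhDODWo/AycorZL/UXAU9FbrIweJGCSiKYSKTlb5ZsP+
Ac7DHrr/siphqb3R6Qu9K2smDVEWWdEH44LID0jAMdPX5CfWPYxmG8YDG8MKV6bD
qajm4Jt0Rt4/fCdupPKmlHBGzej9IQL0hzMzhx1k2aDaCwkWsbZlg+LiEgmrugP0
HM77f0TolUjHDv8ZJi0CAwEAAaOBhDCBgTAfBgNVHSMEGDAWgBQIFoZ0WLddERqd
sM6vV9dkfgopqTA5BggrBgEFBQcBAQQtMCswKQYIKwYBBQUHMAGGHWh0dHA6Ly9p
cGEuZG9tLmxvYzo4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAK
BggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAT9wXrumBSXL3PCh8YKTWRO7q
H1xmi24K7zckLKZNJyLtBmLA1pG9pOw3ZNuknj1dmmhxgW1laGSD86EbdymOl2jk
jU/WYmXXVNGjEFnFpMfaPtdY1/S4M6anrjPwG0SJaGO+0Avf7+odr9wMbL/IUY+t
u2sF9+sj4M0Mq6cxZyCfaANC83Q4exiIvQ34OQdD2mH77r3eKis9KPsf44GTojSt
WxSZeeZr2Isq/N95qN4/vA+cXjPEAi65YS4TJvXujVmN/KmawNnv3WNLVSAx638r
RxUhZ7pJ5K+ixymk6KhBBm5PRmgqkEdfPlyzt9ksaJ7wTNpVOU3js53yTqarVQ==
-----END CERTIFICATE-----"""

UTC = datetime.timezone.utc
OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName (2.5.29.17)

def utc_datetime(*ymdhms):
    return datetime.datetime(*ymdhms, tzinfo=UTC)

def der_read(buf, pos):
    # Decode one DER tag + length at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    # Split a constructed value (SEQUENCE, SET, explicit tag) into its child TLVs.
    items, pos = [], start
    while pos < end:
        tag, vs, ve = der_read(buf, pos)
        items.append((tag, vs, ve))
        pos = ve
    return items

def name_cn(buf, start, end):
    # commonName of an X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue.
    for _, ss, se in der_children(buf, start, end):
        for _, as_, ae in der_children(buf, ss, se):
            (_, os_, oe), (_, vs, ve) = der_children(buf, as_, ae)
            if buf[os_:oe] == OID_CN:
                return buf[vs:ve].decode("utf-8")
    return None

def asn1_time(tag, raw):
    # UTCTime YYMMDDHHMMSSZ (tag 0x17) or GeneralizedTime YYYYMMDDHHMMSSZ (tag 0x18).
    s = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_certificate(pem):
    der = base64.b64decode("".join(x for x in pem.splitlines() if "-----" not in x))
    _, cs, ce = der_read(der, 0)              # Certificate ::= SEQUENCE
    _, ts, te = der_children(der, cs, ce)[0]  # tbsCertificate
    f = der_children(der, ts, te)
    i = 1 if f[0][0] == 0xA0 else 0           # skip EXPLICIT [0] version when present
    serial, issuer, validity, subject = f[i], f[i + 2], f[i + 3], f[i + 4]
    (nbt, nbs, nbe), (nat, nas, nae) = der_children(der, validity[1], validity[2])
    info = {"serial": int.from_bytes(der[serial[1]:serial[2]], "big"),
            "issuer_cn": name_cn(der, issuer[1], issuer[2]),
            "subject_cn": name_cn(der, subject[1], subject[2]),
            "not_before": asn1_time(nbt, der[nbs:nbe]),
            "not_after": asn1_time(nat, der[nas:nae]), "san_dns": []}
    for tag, vs, ve in f[i + 6:]:
        if tag != 0xA3:                       # only EXPLICIT [3] extensions matter here
            continue
        (_, es, ee), = der_children(der, vs, ve)
        for _, xs, xe in der_children(der, es, ee):
            parts = der_children(der, xs, xe)  # OID [, critical BOOLEAN], OCTET STRING
            if der[parts[0][1]:parts[0][2]] == OID_SAN:
                _, gs, ge = der_read(der, parts[-1][1])  # GeneralNames in the OCTET STRING
                info["san_dns"] = [der[s:e].decode("ascii")
                                   for t, s, e in der_children(der, gs, ge) if t == 0x82]
    return info

def hostname_matches(pattern, hostname):
    # RFC 6125 style: label by label, a wildcard only as the whole leftmost label.
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def check_certificate(pem, hostname, now):
    # Returns (info, problems) the way a verifying client such as ipa-client-install sees it.
    info, problems = parse_certificate(pem), []
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append("expired or not yet valid (valid %s to %s)"
                        % (info["not_before"].date(), info["not_after"].date()))
    names = info["san_dns"] or [info["subject_cn"] or ""]  # no SAN: CN fallback is all there is
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("hostname mismatch: certificate is valid for %s, not %s" % (names, hostname))
    return info, problems
```

Run `check_certificate(IPA_SERVER_CERT_PEM, "ipa2.dom.loc", utc_datetime(2024, 6, 1))` and the only finding is the hostname mismatch: the certificate carries no subjectAltName at all, so the verifier has nothing but the subject CN ipa.dom.loc to match against, and ipa2.dom.loc is a different name. Evaluated after 2024-11-19 05:25:14 UTC the same call also reports the certificate as expired, which is the second failure the thread runs into.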
Don't have SELinux.
ls -lZ /etc/ipa/ca.crt:
-rwxrwxrwx 1 root root ? 1291 Nov 30 2022 /etc/ipa/ca.crt
Dmitry Krasov via FreeIPA-users wrote:
How can I migrate the IPA database to another new server?
I guess you're giving up trying to get your certificates renewed?
I'm not sure you ever told us the distribution you run the IPA server on.
IPA 4.12.0 introduced a migration tool to migrate all of the data from one server to another. The catch is that this new server must be a fresh install so it has a new CA. You can retain the same domain and realm. No secrets are migrated so all users will need to migrate their password (see the docs), re-enroll all clients, re-distribute the new CA certificate and if any other services or hosts were given certificates then they will need to be re-issued from the new CA.
rob
It's 4.3.1, and I can't update it.
And this migration option doesn't seem so easy, almost like recreating the server.
I don't understand what happened to these certs if nobody touched them at all. I am pretty sure it's some internal problem of this version.
Dmitry Krasov via FreeIPA-users wrote:
It's 4.3.1, and I can't update it.
And this migration option doesn't seem so easy, almost like recreating the server.
I don't understand what happened to these certs if nobody touched them at all. I am pretty sure it's some internal problem of this version.
They expired. Why is a mystery at this point but there are some moving parts that can be messed up.
You're running a release from 2016 so your options are particularly limited. It's unclear what is going on with your CA because you haven't shared a lot of details, but if it is unrecoverable then migration is your only option.
rob
Dmitry Krasov via FreeIPA-users wrote:
Rob, I can share any details with you. Just tell me the commands.
We need to know what distribution you have and the full package version.
The current state of the certificates: getcert list
What you've done to date.
The system journal can be handy to see what certmonger is doing. We might need that paired with the PKI debug log from the same period.
rob
It's Ubuntu 16.04.7, FreeIPA 4.3.1-0ubuntu1. Which other packages do you need?
-----------------------------------
getcert list:
------------
Request ID '20221130052539':
	status: MONITORING
	ca-error: Server at "https://ipa.dom.loc:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=CA Audit,O=DOM.LOC
	expires: 2024-11-19 05:25:15 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20221130052540':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=OCSP Subsystem,O=DOM.LOC
	expires: 2024-11-19 05:25:14 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20221130052541':
	status: MONITORING
	ca-error: Server at "https://ipa.dom.loc:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=CA Subsystem,O=DOM.LOC
	expires: 2024-11-19 05:25:14 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20221130052542':
	status: MONITORING
	ca-error: Server at "https://ipa.dom.loc:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=Certificate Authority,O=DOM.LOC
	expires: 2042-11-30 05:25:14 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20221130052543':
	status: MONITORING
	ca-error: Server at "https://ipa.dom.loc:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
	stuck: no
	key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=IPA RA,O=DOM.LOC
	expires: 2024-11-19 05:25:36 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20221130052544':
	status: MONITORING
	ca-error: Server at "https://ipa.dom.loc:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=ipa.dom.loc,O=DOM.LOC
	expires: 2024-11-19 05:25:14 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20221130052605':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=ipa.dom.loc,O=DOM.LOC
	expires: 2026-11-18 20:02:32 UTC
	principal name: ldap/ipa.dom.loc@DOM.LOC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
	track: yes
	auto-renew: yes
Request ID '20221130052625':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=ipa.dom.loc,O=DOM.LOC
	expires: 2026-11-18 20:02:42 UTC
	principal name: HTTP/ipa.dom.loc@DOM.LOC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
-------------------------------
ipa-cacert-manage renew -v:
-------------------------------
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: Not logging to a file
ipa: DEBUG: importing all plugin modules in ipalib.plugins...
ipa: DEBUG: importing plugin module ipalib.plugins.aci
ipa: DEBUG: importing plugin module ipalib.plugins.automember
ipa: DEBUG: importing plugin module ipalib.plugins.automount
ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
ipa: DEBUG: importing plugin module ipalib.plugins.batch
ipa: DEBUG: importing plugin module ipalib.plugins.caacl
ipa: DEBUG: importing plugin module ipalib.plugins.cert
ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
ipa: DEBUG: importing plugin module ipalib.plugins.config
ipa: DEBUG: importing plugin module ipalib.plugins.delegation
ipa: DEBUG: importing plugin module ipalib.plugins.dns
ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
ipa: DEBUG: importing plugin module ipalib.plugins.group
ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
ipa: DEBUG: importing plugin module ipalib.plugins.host
ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
ipa: DEBUG: importing plugin module ipalib.plugins.idrange
ipa: DEBUG: importing plugin module ipalib.plugins.idviews
ipa: DEBUG: importing plugin module ipalib.plugins.internal
ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipalib.plugins.migration
ipa: DEBUG: importing plugin module ipalib.plugins.misc
ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipalib.plugins.passwd
ipa: DEBUG: importing plugin module ipalib.plugins.permission
ipa: DEBUG: importing plugin module ipalib.plugins.ping
ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
ipa: DEBUG: importing plugin module ipalib.plugins.privilege
ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
ipa: DEBUG: Starting external process
ipa: DEBUG: args=klist -V
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
ipa: DEBUG: importing plugin module ipalib.plugins.role
ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipalib.plugins.server
ipa: DEBUG: importing plugin module ipalib.plugins.service
ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipalib.plugins.session
ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
ipa: DEBUG: importing plugin module ipalib.plugins.topology
ipa: DEBUG: importing plugin module ipalib.plugins.trust
ipa: DEBUG: importing plugin module ipalib.plugins.user
ipa: DEBUG: importing plugin module ipalib.plugins.vault
ipa: DEBUG: importing plugin module ipalib.plugins.virtual
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipalib.session.SessionAuthManager: DEBUG: SessionAuthManager.register: name=jsonserver_session_140159754316752
ipa.ipalib.session.SessionAuthManager: DEBUG: SessionAuthManager.register: name=xmlserver_session_140159754359568
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
ipa.ipaserver.rpcserver.xmlserver: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
ipa.ipaserver.rpcserver.xmlserver_session: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.xmlserver_session: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
ipa.ipaserver.rpcserver.login_password: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
ipa.ipaserver.rpcserver.jsonserver_session: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
ipa.ipaserver.rpcserver.jsonserver_kerb: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
ipa.ipaserver.rpcserver.login_kerberos: DEBUG: session_auth_duration: 0:20:00
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: Found certmonger request id dbus.String(u'20221130052542', variant_level=1)
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/pki/pki-tomcat/alias -L -n caSigningCert cert-pki-ca -a
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDfzCCAmegAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKDAdET00u
TE9DMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIxMTMwMDUy
NTE0WhcNNDIxMTMwMDUyNTE0WjAyMRAwDgYDVQQKDAdET00uTE9DMR4wHAYDVQQD
DBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDScx6Ah9lD3MZ9Y/FnmC2BuM1l5mbaDo6n8ke07So+J2ryG13kKWf6
eGyaMiFf3o6bi9zTB2gDlIWDAgjsjYeVo7dz3dO+DM4o57C8OYGecySsJ3VSsYTs
utNNKxqMprOxqNB2ascwLiR6Oy2NWzOFtg0ZP4GBW1uqv26cYl0s28CcL1xU+Rnh
FsXTtn5yGdkUKPj9vBFxiQI11ILV+mp58NmIddqjjzsXzHrAJ7+v7EcVS1tlZvLA
bfgWVgaHE1GNdmL7DzkBtrIX6nwzVhbVFhKpYAAGJUPHFS9yMxgwGFejkVmyFOzG
o/cwikq699YHujpgPLej98BM6e9VIpxvAgMBAAGjgZ8wgZwwHwYDVR0jBBgwFoAU
CBaGdFi3XREanbDOr1fXZH4KKakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAcYwHQYDVR0OBBYEFAgWhnRYt10RGp2wzq9X12R+CimpMDkGCCsGAQUFBwEB
BC0wKzApBggrBgEFBQcwAYYdaHR0cDovL2lwYS5kb20ubG9jOjgwL2NhL29jc3Aw
DQYJKoZIhvcNAQELBQADggEBAEDtgTehcANC+hTvgxXsV6tboYBAza6+Gvs+jQd4
2LfBwZNJClqTL0F2u2vUBH6m4gaUMWmPoP6bwqFJ7Yw+ZT04DlGpt0JyaVfP8zAU
FV3k9fygY9Qk6+WGyIi172uB+7GR7CIDT90cGftq3RqF5kapnbRXmT46RHNIC2gB
/Ld/fG4SPWwmSB91YPbiaRJcWdCC2QZsn7i2pikqyOfn7m9Oim8HZhd4/t1TMezD
+AJcfwCkWyqaLZPGwvdt8gf6vk7DR+FYIvmLxGbhrmS3yfuBmcJ8LgCKK5QtMXUo
FNc869oM4O6QoH87gzef9Lu9LrbWH23V7LH33G0aY1v5Jxs=
-----END CERTIFICATE-----
ipa: DEBUG: stderr=
Renewing CA certificate, please wait
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-DOM-LOC.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f797c741248>
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: resubmitting certmonger request '20221130052542'
ipa: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line 114, in run
    rc = self.renew()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line 172, in renew
    return self.renew_self_signed(ca)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line 184, in renew_self_signed
    self.resubmit_request(ca, 'caCACert')
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line 314, in resubmit_request
    "please check the request manually" % self.request_id)
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Error resubmitting certmonger request '20221130052542', please check the request manually
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Error resubmitting certmonger request '20221130052542', please check the request manually
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.
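Added example, not code from the thread or from FreeIPA: a small stdlib-only triage script over `getcert list` output of the kind posted above. It parses each tracked request into a dict and flags the three things worth catching before a CA goes dark: a ca-error left by the last renewal attempt, a request that has dropped out of MONITORING, and a certificate that has expired or expires inside a warning window. The embedded sample is an excerpt of the output above (two of the eight requests); the evaluation dates and the 30-day window are assumptions for the demonstration.

```python
"""Triage of `getcert list` output: flag certmonger requests with a ca-error, a
status other than MONITORING, or a certificate expiring inside a warning window."""
import datetime
import re

UTC = datetime.timezone.utc

# Excerpt of the getcert list output posted above: two of the eight tracked requests.
SAMPLE_GETCERT_LIST = """\
Request ID '20221130052539':
	status: MONITORING
	ca-error: Server at "https://ipa.dom.loc:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=CA Audit,O=DOM.LOC
	expires: 2024-11-19 05:25:15 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20221130052605':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=DOM.LOC
	subject: CN=ipa.dom.loc,O=DOM.LOC
	expires: 2026-11-18 20:02:32 UTC
	principal name: ldap/ipa.dom.loc@DOM.LOC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
	track: yes
	auto-renew: yes
"""

def utc_datetime(*ymdhms):
    return datetime.datetime(*ymdhms, tzinfo=UTC)

def parse_getcert_list(text):
    # One dict per "Request ID" block, keyed by the indented "field: value" lines.
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split at the first colon only
            current[key.strip()] = value.strip()
    return requests

def triage(requests, now, warn_days=30):
    # Findings are (request id, subject, kind, detail) tuples; an empty list means healthy.
    findings = []
    for r in requests:
        rid, subject = r["id"], r.get("subject", "?")
        if r.get("status") != "MONITORING":
            findings.append((rid, subject, "status", r.get("status", "missing")))
        if "ca-error" in r:  # the CA rejected the last renewal attempt
            findings.append((rid, subject, "ca-error", r["ca-error"]))
        if "expires" in r:
            expires = datetime.datetime.strptime(
                r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=UTC)
            days_left = (expires - now).days
            if days_left < 0:
                findings.append((rid, subject, "expired", "expired %d days ago" % -days_left))
            elif days_left <= warn_days:
                findings.append((rid, subject, "expiring", "expires in %d days" % days_left))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_getcert_list(SAMPLE_GETCERT_LIST), utc_datetime(2024, 11, 1)):
        print("%s  %-28s %-9s %s" % finding)
```

Run against the full output above on 2024-11-01 this would have flagged five requests with a ca-error and six certificates inside the 30-day window, all expiring on 2024-11-19, while the two IPA-issued service certificates valid until 2026 stay quiet. A cron job feeding `getcert list` through this with a generous window is a cheap way to notice a stuck renewal agent months before the certificates actually lapse.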
Comments in-line.
Dmitry Krasov via FreeIPA-users wrote:
It's Ubuntu 16.04.7, FreeIPA 4.3.1-0ubuntu1. Which other packages do you need?
That's enough.
I was under the impression that Ubuntu never worked with renewal, though your certificates seem to have been renewed at least once, so maybe there is a glimmer of hope.
I forget if you tried ipa-cert-fix or not. If not I'd give that a shot. It will attempt to renew the CA subsystem certificates off-line. I assume you tried going back in time to November 18, 2024 and that seems to have renewed two certificates but not the CA subsystem certificates.
If you want to try that again you can. You need to stop any time service, go back in time, restart all of IPA, then certmonger, then give certmonger a chance to try to renew the certificates. If it fails then I'd need to see the journal and PKI debug log.
If it ends up being unrecoverable there is no "get a new CA" option. The only option is a re-install which will be very intrusive. For that you have three main options.
1. Use ipa migrate-ds to migrate only users and groups to a new IPA server. This is documented in the official docs but it isn't ideal because you lose all HBAC, sudo rules, private groups become POSIX groups and more.
2. Export to LDIF, manually massage the data and re-import into a newly installed IPA server. This requires pretty deep understanding of the data but mostly you need to remove any private key material and need to be careful not to overwrite certain entries. It can be prone to error and it's unlikely something we would work out over an e-mail.
3. Install a replacement server in Fedora 41 and use the ipa-migrate command to pull all the data over that way. It is also overwhelming because you'll need to re-enroll all clients, migrate all user passwords and depending on how custom your environment is potentially re-create some manual keytabs and certificates.
#3 is the recommendation if you can't get your server working.
If you do somehow get it working then the recommendation would be to get off Ubuntu as quickly as possible. It was not well supported in 2016 much less today.
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Error resubmitting certmonger request '20221130052542', please check the request manually ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Error resubmitting certmonger request '20221130052542', please check the request manually ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.
This was the wrong command to run. It does not renew the subsystem certs. It attempts to renew the CA. It is lucky that it failed.
rob
Question about "3. Install a replacement server in Fedora 41 and use the ipa-migrate command"
Should it be a new, separate, clean IPA server, or should I enroll it to this domain first? And then I should enter this command on this new server, right?
"ipa-migrate prod-mode ipa.dom.loc"
I created another IPA server with Fedora 39....
ipa-server-install --setup-dns --forwarder=8.8.8.8 -n dom.loc -r DOM.LOC --no-dnssec-validation -a pass -p pass
ipa-migrate -v prod-mode ipa.dom.loc -w pass:
-----------------------------------------------------
Connecting to local server ...
ipaserver.install.ipa_migrate: INFO: ================================================================================
ipaserver.install.ipa_migrate: INFO: IPA to IPA migration starting ...
ipaserver.install.ipa_migrate: INFO: Migration options:
ipaserver.install.ipa_migrate: INFO: --mode=prod-mode
ipaserver.install.ipa_migrate: INFO: --hostname=ipa.dom.loc
ipaserver.install.ipa_migrate: INFO: --verbose=True
ipaserver.install.ipa_migrate: INFO: --bind-dn=cn=directory manager
ipaserver.install.ipa_migrate: INFO: --bind-pw-file=None
ipaserver.install.ipa_migrate: INFO: --cacertfile=None
ipaserver.install.ipa_migrate: INFO: --subtree=[]
ipaserver.install.ipa_migrate: INFO: --log-file=/var/log/ipa-migrate.log
ipaserver.install.ipa_migrate: INFO: --skip-schema=False
ipaserver.install.ipa_migrate: INFO: --skip-config=False
ipaserver.install.ipa_migrate: INFO: --migrate-dns=False
ipaserver.install.ipa_migrate: INFO: --dryrun=False
ipaserver.install.ipa_migrate: INFO: --dryrun-record=None
ipaserver.install.ipa_migrate: INFO: --force=False
ipaserver.install.ipa_migrate: INFO: --quiet=False
ipaserver.install.ipa_migrate: INFO: --schema-overwrite=False
ipaserver.install.ipa_migrate: INFO: --reset-range=False
ipaserver.install.ipa_migrate: INFO: --db-ldif=None
ipaserver.install.ipa_migrate: INFO: --schema-ldif=None
ipaserver.install.ipa_migrate: INFO: --config-ldif=None
ipaserver.install.ipa_migrate: INFO: --no-prompt=False
ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f50455afd70>
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.dom.loc conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f5043330f80>
ipaserver.install.ipa_migrate: INFO: Found realm from remote server: DOM.LOC
ipaserver.install.ipa_migrate: INFO: Migrating schema ...
ipaserver.install.ipa_migrate: INFO: Getting schema from the remote server ...
ipaserver.install.ipa_migrate: INFO: Retrieved 1367 attributes and 298 objectClasses
ipaserver.install.ipa_migrate: INFO: Migrated 0 attributes and 0 objectClasses
ipaserver.install.ipa_migrate: INFO: Skipped 1367 attributes and 298 objectClasses
ipaserver.install.ipa_migrate: INFO: Migrating configuration ...
ipaserver.install.ipa_migrate: INFO: Getting config from the remote server ...
ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f50455afd70>
ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-exclude-suffix' added: '{remote_vals}' under 'cn=Retro Changelog Plugin,cn=plugins,cn=config'
ipaserver.install.ipa_migrate: INFO: Config setting 'dnaMaxValue' replaced '['1766399999']' with '1339499999' in 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
ipaserver.install.ipa_migrate: INFO: Config setting 'dnaNextValue' replaced '['1766200002']' with '1339400014' in 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'dnaNextValue', [b'1339400014']), (2, 'dnaMaxValue', [b'1339499999'])]
ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-idlistscanlimit' replaced '['2147483646']' with '100000' in 'cn=config,cn=ldbm database,cn=plugins,cn=config'
ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-import-cachesize' replaced '['16777216']' with '20000000' in 'cn=config,cn=ldbm database,cn=plugins,cn=config'
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'nsslapd-idlistscanlimit', [b'100000']), (1, 'nsslapd-import-cachesize', [b'16777216']), (0, 'nsslapd-import-cachesize', [b'20000000'])]
ipaserver.install.ipa_migrate: INFO: Migrating database ... (this make take a while)
ipaserver.install.ipa_migrate: INFO: Database search succeeded: type 101 msgid 8
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=domain,dc=loc' attribute 'memberPrincipal' add val 'HTTP/ipa2.domain.loc@DOMAIN.LOC' not in ['HTTP/ipa.domain.loc@DOMAIN.LOC']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'memberPrincipal', [b'HTTP/ipa2.domain.loc@DOMAIN.LOC'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=domain,dc=loc' attribute 'memberPrincipal' add val 'ldap/ipa2.domain.loc@DOMAIN.LOC' not in ['ldap/ipa.domain.loc@DOMAIN.LOC']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'memberPrincipal', [b'ldap/ipa2.domain.loc@DOMAIN.LOC'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'uid=admin,cn=users,cn=accounts,dc=domain,dc=loc' attribute 'uidNumber' replaced with val '1339400000' old value: ['1766200000']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'uid=admin,cn=users,cn=accounts,dc=domain,dc=loc' attribute 'gidNumber' replaced with val '1339400000' old value: ['1766200000']
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'uidNumber', [b'1339400000']), (2, 'gidNumber', [b'1339400000']), (2, 'krbLastSuccessfulAuth', [b'20241116200755Z'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=admins,cn=groups,cn=accounts,dc=domain,dc=loc' attribute 'gidNumber' replaced with val '1339400000' old value: ['1766200000']
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'gidNumber', [b'1339400000'])]
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'member', [b'uid=user32,cn=users,cn=accounts,dc=domain,dc=loc', b'uid=testgroup,cn=users,cn=accounts,dc=domain,dc=loc', b'uid=desktop,cn=users,cn=accounts,dc=domain,dc=loc'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=editors,cn=groups,cn=accounts,dc=domain,dc=loc' attribute 'gidNumber' replaced with val '1339400002' old value: ['1766200002']
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'gidNumber', [b'1339400002'])]
ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc'
ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa2.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc'
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipaConfig,cn=etc,dc=domain,dc=loc' attribute 'ipaDefaultLoginShell' replaced with val '/bin/bash' old value: ['/bin/sh']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipaConfig,cn=etc,dc=domain,dc=loc' attribute 'ipaSELinuxUserMapOrder' replaced with val 'guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' old value: ['guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipaConfig,cn=etc,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)' not in ['(targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxhostnamelength || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserdefaultsubordinateid || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'aci', [b'(targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)']), (2, 'ipaSELinuxUserMapOrder', [b'guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023']), (2, 'ipaDefaultLoginShell', [b'/bin/bash'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC_id_range,cn=ranges,cn=etc,dc=domain,dc=loc' attribute 'ipaBaseID' replaced with val '1339400000' old value: ['1766200000']
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaBaseID', [b'1339400000'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=loc' attribute 'userPassword' add val '{SSHA}1vO9TveMns01JdvX8Wlu0vLWkpyKJ7Li0KZQig==' not in ['{PBKDF2-SHA512}10000$rDx4BupiNh/Vtk0Uuk01hwFnUsqm3kDM$+Xy1WvtN3AylXKInR2b3dsQyDddVgB/C9Z1MNH1t0JaW5zlGTnW8V79kLpFnPywnfrhCFuUk7z+HIJIKVTOCwQ==']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'userPassword', [b'{SSHA}1vO9TveMns01JdvX8Wlu0vLWkpyKJ7Li0KZQig=='])]
ipaserver.install.ipa_migrate: INFO: Added entry: ipaUniqueID=31c8f78b-706f-11ed-9372-080027deeb0c,cn=hbac,dc=domain,dc=loc
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=loc' attribute 'nsDS5ReplicatedAttributeList' add val '(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount' not in ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=loc' attribute 'nsDS5ReplicatedAttributeListTotal' add val '(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount' not in ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'nsDS5ReplicatedAttributeListTotal', [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']), (0, 'nsDS5ReplicatedAttributeList', [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'])]
ipaserver.install.ipa_migrate: INFO: Skipping remote certificate entry: 'cn=DOM.LOC IPA CA,cn=certificates,cn=ipa,cn=etc,dc=dom,dc=loc' Issuer: CN=Certificate Authority,O=DOM.LOC
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'des3-hmac-sha1:normal' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'des3-hmac-sha1:special' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special', 'des3-hmac-sha1:normal']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'arcfour-hmac:normal' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'arcfour-hmac:special' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'aci', [b'(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl 
"permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)']), (0, 'krbSupportedEncSaltTypes', [b'des3-hmac-sha1:normal', b'des3-hmac-sha1:special', b'arcfour-hmac:normal', b'arcfour-hmac:special'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbPrincipalName=K/M@DOMAIN.LOC,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'K/M@DOMAIN.LOC']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 
'krbPrincipalName=krbtgt/DOMAIN.LOC@DOMAIN.LOC,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'krbtgt/DOMAIN.LOC@DOMAIN.LOC']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Added entry: krbPrincipalName=kadmin/ipa.domain.loc@DOMAIN.LOC,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbPrincipalName=kadmin/admin@DOMAIN.LOC,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'kadmin/admin@DOMAIN.LOC']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbPrincipalName=kadmin/changepw@DOMAIN.LOC,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'kadmin/changepw@DOMAIN.LOC']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Added entry: krbPrincipalName=kiprop/ipa.domain.loc@DOMAIN.LOC,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20241116200051Z'])] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 
'enrolledBy', [b'uid=admin,cn=users,cn=accounts,dc=domain,dc=loc']), (2, 'krbLastSuccessfulAuth', [b'20241116211548Z'])] ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=HTTP/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc' attribute 'objectClass' add val 'krbTicketPolicyAux' not in ['krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20241116200700Z']), (0, 'objectClass', [b'krbTicketPolicyAux'])] ipaserver.install.ipa_migrate: ERROR: Failed to update "krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc" error: Type or value exists
On Sun, 26 Jan 2025, Dmitry Krasov via FreeIPA-users wrote:
I created another ipa server with fedora 39....
ipa-server-install --setup-dns --forwarder=8.8.8.8 -n dom.loc -r DOM.LOC --no-dnssec-validation -a pass -p pass
ipa-migrate -v prod-mode ipa.dom.loc -w pass:
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc' attribute 'objectClass' add val 'krbTicketPolicyAux' not in ['krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal', 'top'] ipapython.ipaldap:DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20241116200700Z']), (0, 'objectClass', [b'krbTicketPolicyAux'])] ipaserver.install.ipa_migrate: ERROR: Failed to update "krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc" error: Type or value exists
Can you please create an issue at https://pagure.io/freeipa/new_issue?
Looks like the value comparison is done in exact way but the value locally and remotely are in different cases:
attribute 'objectClass' add val 'krbTicketPolicyAux' not in ['krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal', 'top']
E.g. 'krbTicketPolicyAux' is not the same as 'krbticketpolicyaux'. There is a method that is supposed to normalize attribute values but it does not do it.
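To make the comparison problem concrete, here is an added example (not FreeIPA's own code, and not the code in ipa_migrate.py or the patch on the issue) that reproduces the failure from the thread in memory. The names normalize, missing_values, build_add_modlist, apply_modlist, sync_outcome and the CASE_INSENSITIVE_ATTRS set are this example's own assumptions; the entry and objectClass lists are constructed from the log lines above. The point it shows: objectClass values are compared case-insensitively by the directory server, so a client that compares them byte-for-byte will try to add 'krbTicketPolicyAux' on top of 'krbticketpolicyaux' and get typeOrValueExists back, while a comparison that normalizes first sends nothing and succeeds.

```python
from typing import Dict, List, Tuple

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2   # op codes python-ldap uses in modlists
Entry = Dict[str, List[str]]
Modlist = List[Tuple[int, str, List[bytes]]]

# Attribute types the directory compares case-insensitively (objectClass uses the
# objectIdentifierMatch rule, the others caseIgnoreMatch / distinguishedNameMatch).
# Assumed set for this example; real code would consult the server schema.
CASE_INSENSITIVE_ATTRS = {"objectclass", "member", "memberof", "managedby"}


class TypeOrValueExists(Exception):
    """Stand-in for ldap.TYPE_OR_VALUE_EXISTS (LDAP result code 20)."""


def normalize(attr: str, value: str) -> str:
    """Canonical form for equality tests: case-folded for case-insensitive attributes."""
    return value.strip().lower() if attr.lower() in CASE_INSENSITIVE_ATTRS else value


def missing_values(attr: str, remote: List[str], local: List[str],
                   normalized: bool = True) -> List[str]:
    """Remote values the local entry does not have.

    normalized=False reproduces the bug from the thread: a byte-exact compare reports
    'krbTicketPolicyAux' as missing even though 'krbticketpolicyaux' is already there.
    """
    if not normalized:
        return [v for v in remote if v not in set(local)]
    have = {normalize(attr, v) for v in local}
    return [v for v in remote if normalize(attr, v) not in have]


def build_add_modlist(attr: str, remote: List[str], local: List[str],
                      normalized: bool = True) -> Modlist:
    """Modlist that adds only genuinely missing values (empty if nothing to do)."""
    adds = missing_values(attr, remote, local, normalized)
    return [(MOD_ADD, attr, [v.encode() for v in adds])] if adds else []


def apply_modlist(entry: Entry, modlist: Modlist) -> Entry:
    """Apply a modlist to a copy of an in-memory entry the way a directory server would.

    The server compares with the attribute's matching rule, so an ADD of a value it
    already holds in a different case is refused with typeOrValueExists.
    """
    updated = {k: list(v) for k, v in entry.items()}
    for op, attr, raw in modlist:
        vals = [v.decode() for v in raw]
        key = next((k for k in updated if k.lower() == attr.lower()), attr)
        current = updated.setdefault(key, [])
        if op == MOD_ADD:
            have = {normalize(attr, v) for v in current}
            for v in vals:
                if normalize(attr, v) in have:
                    raise TypeOrValueExists(f"{attr}: value {v!r} already present")
                current.append(v)
                have.add(normalize(attr, v))
        elif op == MOD_REPLACE:
            updated[key] = vals
        elif op == MOD_DELETE:
            drop = {normalize(attr, v) for v in vals}
            updated[key] = [v for v in current if normalize(attr, v) not in drop]
    return updated


def sync_outcome(entry: Entry, attr: str, remote: List[str], normalized: bool) -> str:
    """'ok' if the update applies cleanly, 'typeOrValueExists' if the server rejects it."""
    local = next(v for k, v in entry.items() if k.lower() == attr.lower())
    modlist = build_add_modlist(attr, remote, local, normalized)
    try:
        apply_modlist(entry, modlist)
    except TypeOrValueExists:
        return "typeOrValueExists"
    return "ok"


# Constructed from the entry in the thread: the local server already holds the
# class in lower case, the remote server spells it in mixed case.
LOCAL_HTTP_SERVICE: Entry = {
    "krbprincipalname": ["HTTP/ipa.domain.loc@DOMAIN.LOC"],
    "objectClass": ["krbprincipal", "krbprincipalaux", "krbticketpolicyaux", "ipaobject",
                    "ipaservice", "pkiuser", "ipakrbprincipal", "top"],
}
REMOTE_HTTP_OBJECTCLASSES = ["krbprincipal", "krbprincipalaux", "krbTicketPolicyAux",
                             "ipaobject", "ipaservice", "pkiuser", "ipakrbprincipal", "top"]

if __name__ == "__main__":
    for mode in (False, True):
        print("normalized" if mode else "exact", "compare:",
              sync_outcome(LOCAL_HTTP_SERVICE, "objectClass", REMOTE_HTTP_OBJECTCLASSES, mode))
```

The same normalization still lets a genuinely missing class through (for instance the 'ipakrbprincipal' added to the K/M principal earlier in the log), so the fix is a narrower comparison, not a skipped update.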
https://pagure.io/freeipa/issue/9736
So can I fix it locally in some way? Or maybe should I try fedora 41?
On Sun, 26 Jan 2025, Dmitry Krasov via FreeIPA-users wrote:
https://pagure.io/freeipa/issue/9736
So can I fix it locally in some way? Or maybe should I try fedora 41?
Try the patch I added to the issue.
F40-42 all have the same code at this moment, at least in this area.
On Sun, 26 Jan 2025, Dmitry Krasov via FreeIPA-users wrote:
could you type the commands here to apply this patch
This is purely for test purposes.
Something like:
- download the patch:
  cd /tmp
  wget -O temp-fix.patch https://pagure.io/freeipa/issue/raw/files/4a84840cc82bfb2680aa12410fcadd6a94...
- install 'patch' utility:
  sudo dnf install patch
- patch the files from python3-ipaserver package:
  sudo -i
  cd /usr/lib/python3.12/site-packages
  patch -p1 < /tmp/temp-fix.patch
The last step would look something like
# patch -p1 < /tmp/temp-fix.patch
patching file ipaserver/install/ipa_migrate.py
Hunk #1 succeeded at 1085 (offset -21 lines).
Hunk #2 succeeded at 1099 (offset -21 lines).
Hunk #3 succeeded at 1322 (offset -43 lines).
patching file ipaserver/install/ipa_migrate.py
Hunk #1 succeeded at 1510 (offset -118 lines).
Now you can try ipa-migrate again.
Note that it is not going to survive any upgrade until the fix is available in Fedora.
I installed this patch, tried again, but there was the same error. I did a reboot, tried again, but got the error. Is it fine that I didn't reinstall the ipa server again?
-----------------------
[root@ipa site-packages]# patch -p1 < /tmp/temp-fix.patch
patching file ipaserver/install/ipa_migrate.py
Hunk #1 succeeded at 1085 (offset -21 lines).
Hunk #2 succeeded at 1099 (offset -21 lines).
Hunk #3 succeeded at 1322 (offset -43 lines).
patching file ipaserver/install/ipa_migrate.py
Hunk #1 succeeded at 1510 (offset -118 lines).
------------------------
[root@ipa user]# ipa-migrate -v prod-mode ipa.dom.loc
Enter the password for cn=directory manager:
Warning - the migration process is irreversible! Make sure you have a backup of the local IPA server before doing the migration
To proceed type "yes": yes
Initializing ...
Connecting to local server ...
ipaserver.install.ipa_migrate: INFO: ================================================================================ ipaserver.install.ipa_migrate: INFO: IPA to IPA migration starting ... 
ipaserver.install.ipa_migrate: INFO: Migration options: ipaserver.install.ipa_migrate: INFO: --mode=prod-mode ipaserver.install.ipa_migrate: INFO: --hostname=ipa.dom.loc ipaserver.install.ipa_migrate: INFO: --verbose=True ipaserver.install.ipa_migrate: INFO: --bind-dn=cn=directory manager ipaserver.install.ipa_migrate: INFO: --bind-pw-file=None ipaserver.install.ipa_migrate: INFO: --cacertfile=None ipaserver.install.ipa_migrate: INFO: --subtree=[] ipaserver.install.ipa_migrate: INFO: --log-file=/var/log/ipa-migrate.log ipaserver.install.ipa_migrate: INFO: --skip-schema=False ipaserver.install.ipa_migrate: INFO: --skip-config=False ipaserver.install.ipa_migrate: INFO: --migrate-dns=False ipaserver.install.ipa_migrate: INFO: --dryrun=False ipaserver.install.ipa_migrate: INFO: --dryrun-record=None ipaserver.install.ipa_migrate: INFO: --force=False ipaserver.install.ipa_migrate: INFO: --quiet=False ipaserver.install.ipa_migrate: INFO: --schema-overwrite=False ipaserver.install.ipa_migrate: INFO: --reset-range=False ipaserver.install.ipa_migrate: INFO: --db-ldif=None ipaserver.install.ipa_migrate: INFO: --schema-ldif=None ipaserver.install.ipa_migrate: INFO: --config-ldif=None ipaserver.install.ipa_migrate: INFO: --no-prompt=False ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f830b627ce0> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.dom.loc conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f8309384e30> ipaserver.install.ipa_migrate: INFO: Found realm from remote server: DOM.LOC ipaserver.install.ipa_migrate: INFO: Migrating schema ... ipaserver.install.ipa_migrate: INFO: Getting schema from the remote server ... 
ipaserver.install.ipa_migrate: INFO: Retrieved 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrated 0 attributes and 0 objectClasses ipaserver.install.ipa_migrate: INFO: Skipped 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrating configuration ... ipaserver.install.ipa_migrate: INFO: Getting config from the remote server ... ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f830b627ce0> ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-idletimeout' replaced '['3600']' with '0' in 'cn=config' ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-ioblocktimeout' replaced '['10000']' with '1800000' in 'cn=config' ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-sizelimit' replaced '['100000']' with '2000' in 'cn=config' ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-unhashed-pw-switch' replaced '['nolog']' with 'on' in 'cn=config' ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-auditlog-logrotationtimeunit' replaced '['week']' with 'day' in 'cn=config' ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-auditlog-maxlogsperdir' replaced '['2']' with '1' in 'cn=config' ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'nsslapd-idletimeout', [b'0']), (2, 'nsslapd-auditlog-logrotationtimeunit', [b'day']), (2, 'nsslapd-sizelimit', [b'2000']), (2, 'nsslapd-ioblocktimeout', [b'1800000']), (1, 'nsslapd-auditlog-maxlogsperdir', [b'2']), (0, 'nsslapd-auditlog-maxlogsperdir', [b'1']), (2, 'nsslapd-unhashed-pw-switch', [b'on'])] ipaserver.install.ipa_migrate: ERROR: Error updating local entry: change collided with another change
I tried the migrate command again, and got the same error:
---------------------------------------------------
ipaserver.install.ipa_migrate: INFO: ================================================================================ ipaserver.install.ipa_migrate: INFO: IPA to IPA migration starting ... ipaserver.install.ipa_migrate: INFO: Migration options: ipaserver.install.ipa_migrate: INFO: --mode=prod-mode ipaserver.install.ipa_migrate: INFO: --hostname=ipa.dom.loc ipaserver.install.ipa_migrate: INFO: --verbose=True ipaserver.install.ipa_migrate: INFO: --bind-dn=cn=directory manager ipaserver.install.ipa_migrate: INFO: --bind-pw-file=None ipaserver.install.ipa_migrate: INFO: --cacertfile=None ipaserver.install.ipa_migrate: INFO: --subtree=[] ipaserver.install.ipa_migrate: INFO: --log-file=/var/log/ipa-migrate.log ipaserver.install.ipa_migrate: INFO: --skip-schema=False ipaserver.install.ipa_migrate: INFO: --skip-config=False ipaserver.install.ipa_migrate: INFO: --migrate-dns=False ipaserver.install.ipa_migrate: INFO: --dryrun=False ipaserver.install.ipa_migrate: INFO: --dryrun-record=None ipaserver.install.ipa_migrate: INFO: --force=False ipaserver.install.ipa_migrate: INFO: --quiet=False ipaserver.install.ipa_migrate: INFO: --schema-overwrite=False ipaserver.install.ipa_migrate: INFO: --reset-range=False ipaserver.install.ipa_migrate: INFO: --db-ldif=None ipaserver.install.ipa_migrate: INFO: --schema-ldif=None ipaserver.install.ipa_migrate: INFO: --config-ldif=None ipaserver.install.ipa_migrate: INFO: --no-prompt=False ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb476b560> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.dom.loc conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb242c740> ipaserver.install.ipa_migrate: INFO: Found realm 
from remote server: DOM.LOC ipaserver.install.ipa_migrate: INFO: Migrating schema ... ipaserver.install.ipa_migrate: INFO: Getting schema from the remote server ... ipaserver.install.ipa_migrate: INFO: Retrieved 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrated 0 attributes and 0 objectClasses ipaserver.install.ipa_migrate: INFO: Skipped 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrating configuration ... ipaserver.install.ipa_migrate: INFO: Getting config from the remote server ... ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb476b560> ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-exclude-suffix' added: '{remote_vals}' under 'cn=Retro Changelog Plugin,cn=plugins,cn=config' ipaserver.install.ipa_migrate: INFO: Migrating database ... 
(this make take a while) ipaserver.install.ipa_migrate: INFO: Database search succeeded: type 101 msgid 8 ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa2.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Skipping remote certificate entry: 'cn=DOM.LOC IPA CA,cn=certificates,cn=ipa,cn=etc,dc=dom,dc=loc' Issuer: CN=Certificate Authority,O=DOM.LOC ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'fqdn=ipa.domain.loc,cn=computers,cn=accounts,dc=domain,dc=loc' attribute 'krbLastSuccessfulAuth' replaced with val '20250126154214Z' old value: ['20250126153127Z'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20250126154214Z'])] ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=HTTP/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc' attribute 'objectClass' add val 'krbTicketPolicyAux' not in ['krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'objectClass', [b'krbTicketPolicyAux']), (2, 'krbLastSuccessfulAuth', [b'20241116200700Z'])] ipaserver.install.ipa_migrate: ERROR: Failed to 
update "krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc" error: Type or value exists
On Sun, 26 Jan 2025, Dmitry Krasov via FreeIPA-users wrote:
I tried the migrate command again, and got the same error:
ipaserver.install.ipa_migrate: INFO: ================================================================================ ipaserver.install.ipa_migrate: INFO: IPA to IPA migration starting ... ipaserver.install.ipa_migrate: INFO: Migration options: ipaserver.install.ipa_migrate: INFO: --mode=prod-mode ipaserver.install.ipa_migrate: INFO: --hostname=ipa.dom.loc ipaserver.install.ipa_migrate: INFO: --verbose=True ipaserver.install.ipa_migrate: INFO: --bind-dn=cn=directory manager ipaserver.install.ipa_migrate: INFO: --bind-pw-file=None ipaserver.install.ipa_migrate: INFO: --cacertfile=None ipaserver.install.ipa_migrate: INFO: --subtree=[] ipaserver.install.ipa_migrate: INFO: --log-file=/var/log/ipa-migrate.log ipaserver.install.ipa_migrate: INFO: --skip-schema=False ipaserver.install.ipa_migrate: INFO: --skip-config=False ipaserver.install.ipa_migrate: INFO: --migrate-dns=False ipaserver.install.ipa_migrate: INFO: --dryrun=False ipaserver.install.ipa_migrate: INFO: --dryrun-record=None ipaserver.install.ipa_migrate: INFO: --force=False ipaserver.install.ipa_migrate: INFO: --quiet=False ipaserver.install.ipa_migrate: INFO: --schema-overwrite=False ipaserver.install.ipa_migrate: INFO: --reset-range=False ipaserver.install.ipa_migrate: INFO: --db-ldif=None ipaserver.install.ipa_migrate: INFO: --schema-ldif=None ipaserver.install.ipa_migrate: INFO: --config-ldif=None ipaserver.install.ipa_migrate: INFO: --no-prompt=False ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb476b560> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.dom.loc conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb242c740> ipaserver.install.ipa_migrate: INFO: Found realm from remote server: DOM.LOC ipaserver.install.ipa_migrate: INFO: Migrating schema ... 
ipaserver.install.ipa_migrate: INFO: Getting schema from the remote server ... ipaserver.install.ipa_migrate: INFO: Retrieved 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrated 0 attributes and 0 objectClasses ipaserver.install.ipa_migrate: INFO: Skipped 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrating configuration ... ipaserver.install.ipa_migrate: INFO: Getting config from the remote server ... ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb476b560> ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-exclude-suffix' added: '{remote_vals}' under 'cn=Retro Changelog Plugin,cn=plugins,cn=config' ipaserver.install.ipa_migrate: INFO: Migrating database ... (this make take a while) ipaserver.install.ipa_migrate: INFO: Database search succeeded: type 101 msgid 8 ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa2.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Skipping remote certificate entry: 'cn=DOM.LOC IPA CA,cn=certificates,cn=ipa,cn=etc,dc=dom,dc=loc' Issuer: CN=Certificate Authority,O=DOM.LOC ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 
'fqdn=ipa.domain.loc,cn=computers,cn=accounts,dc=domain,dc=loc' attribute 'krbLastSuccessfulAuth' replaced with val '20250126154214Z' old value: ['20250126153127Z'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20250126154214Z'])] ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=HTTP/ipa.dom.loc@DOM.LOC,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc' attribute 'objectClass' add val 'krbTicketPolicyAux' not in ['krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'objectClass', [b'krbTicketPolicyAux']), (2, 'krbLastSuccessfulAuth', [b'20241116200700Z'])] ipaserver.install.ipa_migrate: ERROR: Failed to update "krbprincipalname=HTTP/ipa.domain.loc@DOMAIN.LOC,cn=services,cn=accounts,dc=domain,dc=loc" error: Type or value exists
Thanks, this means more work is needed on this. Since you have created a ticket, team will look into it.
Please note that the upcoming couple of weeks are challenging as we'll have FOSDEM next weekend and will be travelling/running the FOSDEM IAM devroom.
freeipa-users@lists.fedorahosted.org