[Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

Fraser Tweedale ftweedal at redhat.com
Fri Jun 12 13:18:52 UTC 2015


On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> >- ipa-replica-prepare works
> >- old IPA server was upgraded to today's master (with Cert profiles
> >patches)
> >- ipa-replica-prepare fails with:
> >
> >Log:
> >
> >ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> >ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
> >ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> >ipa: DEBUG: Protocol: TLS1.2
> >ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> >ipa: DEBUG: request status 200
> >ipa: DEBUG: request reason_phrase u'OK'
> >ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
> >'content-length': '148', 'content-type': 'application/xml', 'server':
> >'Apache-Coyote/1.1'}
> >ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
> >standalone="no"?><XMLResponse><Status>1</Status><Error>Profile
> >caIPAserviceCert Not Found</Error></XMLResponse>'
> >ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
> >"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> >execute
> >     return_value = self.run()
> >   File
> >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >line 338, in run
> >     self.copy_ds_certificate()
> >   File
> >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >line 383, in copy_ds_certificate
> >     self.export_certdb("dscert", passwd_fname)
> >   File
> >"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >line 595, in export_certdb
> >     db.create_server_cert(nickname, hostname, ca_db)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> >line 337, in create_server_cert
> >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> >line 419, in issue_server_cert
> >     raise RuntimeError("Certificate issuance failed")
> >
> 
> Bump, I have also come across this issue (see log:
> http://pastebin.test.redhat.com/289434).
> 
> -- 
> Martin^3 Babinsky

It was reported to me that the issue was reproducible after upgrade
from 4.1.4 to master, but I was not able to reproduce.  Can anyone
who has encountered it please:

- state Fedora version(s) affected and precise build of Dogtag
- provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug

Thanks,
Fraser



