[Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

Petr Vobornik pvoborni at redhat.com
Fri Jun 12 13:47:38 UTC 2015


On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>> - ipa-replica-prepare works
>>> - old IPA server was upgraded to today's master (with Cert profiles
>>> patches)
>>> - ipa-replica-prepare fails with:
>>>
>>> Log:
>>>
>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>> ipa: DEBUG: Protocol: TLS1.2
>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>> ipa: DEBUG: request status 200
>>> ipa: DEBUG: request reason_phrase u'OK'
>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
>>> 'content-length': '148', 'content-type': 'application/xml', 'server':
>>> 'Apache-Coyote/1.1'}
>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
>>> standalone="no"?><XMLResponse><Status>1</Status><Error>Profile
>>> caIPAserviceCert Not Found</Error></XMLResponse>'
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>> execute
>>>      return_value = self.run()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>> line 338, in run
>>>      self.copy_ds_certificate()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>> line 383, in copy_ds_certificate
>>>      self.export_certdb("dscert", passwd_fname)
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>> line 595, in export_certdb
>>>      db.create_server_cert(nickname, hostname, ca_db)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 337, in create_server_cert
>>>      cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 419, in issue_server_cert
>>>      raise RuntimeError("Certificate issuance failed")
>>>
>>
>> Bump, I have also come across this issue (see log:
>> http://pastebin.test.redhat.com/289434).
>>
>> --
>> Martin^3 Babinsky
>
> It was reported to me that the issue was reproducible after upgrade
> from 4.1.4 to master, but I was not able to reproduce.  Can anyone
> who has encountered it please:
>
> - state fedora version(s) affected and precise build of Dogtag
> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>
> Thanks,
> Fraser
>

I see a similar issue when creating a replica file from the second
replica/master, all git master. I.e. the prepare on the first server
obviously works.

The error is different though:

ipa: DEBUG: request status 200
ipa: DEBUG: request reason_phrase u'OK'
ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 
'content-length': '133', 'content-type': 'application/xml', 'server': 
'Apache-Coyote/1.1'}
ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" 
standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid 
Credential.</Error></XMLResponse>'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
execute
     return_value = self.run()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", 
line 338, in run
     self.copy_ds_certificate()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", 
line 383, in copy_ds_certificate
     self.export_certdb("dscert", passwd_fname)
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", 
line 595, in export_certdb
     db.create_server_cert(nickname, hostname, ca_db)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", 
line 337, in create_server_cert
     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", 
line 419, in issue_server_cert
     raise RuntimeError("Certificate issuance failed")

-- 
Petr Vobornik



