[Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

Jan Cholasta jcholast at redhat.com
Thu Jun 18 11:18:45 UTC 2015


Dne 17.6.2015 v 12:26 Fraser Tweedale napsal(a):
> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
>> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>>> - ipa-replica-prepare works
>>>>> - old IPA server was upgraded to today's master (with Cert profiles
>>>>> patches)
>>>>> - ipa-replica-prepare fails with:
>>>>>
>>>>> Log:
>>>>>
>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>> ipa: DEBUG: request status 200
>>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
>>>>> 'content-length': '148', 'content-type': 'application/xml', 'server':
>>>>> 'Apache-Coyote/1.1'}
>>>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
>>>>> standalone="no"?><XMLResponse><Status>1</Status><Error>Profile
>>>>> caIPAserviceCert Not Found</Error></XMLResponse>'
>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>>>> execute
>>>>>      return_value = self.run()
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>> line 338, in run
>>>>>      self.copy_ds_certificate()
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>> line 383, in copy_ds_certificate
>>>>>      self.export_certdb("dscert", passwd_fname)
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>> line 595, in export_certdb
>>>>>      db.create_server_cert(nickname, hostname, ca_db)
>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>>> line 337, in create_server_cert
>>>>>      cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>>> line 419, in issue_server_cert
>>>>>      raise RuntimeError("Certificate issuance failed")
>>>>>
>>>>
>>>> Bump, I have also come across this issue (see log:
>>>> http://pastebin.test.redhat.com/289434).
>>>>
>>>> --
>>>> Martin^3 Babinsky
>>>
>>> It was reported to me that the issue was reproducible after upgrade
>>> from 4.1.4 to master, but I was not able to reproduce.  Can anyone
>>> who has encountered it please:
>>>
>>> - state fedora version(s) affected and precise build of Dogtag
>>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>>
>>> Thanks,
>>> Fraser
>>>
>>
>> I see a similar issue when creating a replica file from second
>> replica/master, all git master. I.e. the prepare on first server obviously
>> works.
>>
>> The error is different though:
>>
>> ipa: DEBUG: request status 200
>> ipa: DEBUG: request reason_phrase u'OK'
>> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT',
>> 'content-length': '133', 'content-type': 'application/xml', 'server':
>> 'Apache-Coyote/1.1'}
>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
>> standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid
>> Credential.</Error></XMLResponse>'
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>> execute
>>      return_value = self.run()
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 338, in run
>>      self.copy_ds_certificate()
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 383, in copy_ds_certificate
>>      self.export_certdb("dscert", passwd_fname)
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 595, in export_certdb
>>      db.create_server_cert(nickname, hostname, ca_db)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>> 337, in create_server_cert
>>      cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>> 419, in issue_server_cert
>>      raise RuntimeError("Certificate issuance failed")
>>
>> --
>> Petr Vobornik
>
> I spent some time debugging this issue today.  It appears to be
> introduced by commit:
>
>      commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>      Author: David Kupka <dkupka at redhat.com>
>      Date:   Mon Jun 8 05:23:56 2015 +0000
>
>          Move CA installation code into single module.
>
>          https://fedorahosted.org/freeipa/ticket/4468
>
>          Reviewed-By: Jan Cholasta <jcholast at redhat.com>
>
> During the execution of ipa-replica-prepare, the RA cert (nickname
> "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then
> removed somehow while executing http.create_instance().  I have not
> yet precisely identified the cause enough to fix it.  Hopefully
> David or Honza can shed some light.

Fixed.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-447-install-Fix-ipa-replica-install-not-installing-RA-ce.patch
Type: text/x-patch
Size: 2680 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150618/c5ed271b/attachment.bin>
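A diagnostic helper added here as an illustration (it is not FreeIPA's or Dogtag's code): it parses the Dogtag XMLResponse body seen in the logs above and checks a `certutil -L` listing of the httpd NSS DB for the RA cert nickname "ipaCert", so that a failed issuance reports the Dogtag error text and the missing-RA-cert condition Fraser describes instead of the bare "Certificate issuance failed" RuntimeError. The response body and certutil listing below are constructed samples modelled on the thread.

```python
import re
import xml.etree.ElementTree as ET

# Nickname of the RA agent certificate in /etc/httpd/alias (from the thread).
RA_NICKNAME = "ipaCert"

# One entry of `certutil -L -d <dbdir>`: "<nickname>   <SSL,S/MIME,JAR trust flags>".
_CERTUTIL_LINE = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_dogtag_response(body):
    """Parse a Dogtag XMLResponse body; return (succeeded, error_text)."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    root = ET.fromstring(body)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element: %s" % root.tag)
    status = (root.findtext("Status") or "").strip()
    error = (root.findtext("Error") or "").strip()
    return status == "0", error


def certutil_nicknames(listing):
    """Return the set of certificate nicknames found in `certutil -L` output."""
    names = set()
    for line in listing.splitlines():
        m = _CERTUTIL_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def diagnose_issuance(body, listing):
    """Return None if Dogtag reported success, else an explanatory message
    naming the Dogtag error and whether the RA cert is absent from the NSS DB."""
    ok, error = parse_dogtag_response(body)
    if ok:
        return None
    msg = "Dogtag rejected the request: %s" % (error or "no error text")
    if RA_NICKNAME not in certutil_nicknames(listing):
        msg += (" (RA cert %r is missing from the httpd NSS DB, so the request "
                "carried no agent credentials)" % RA_NICKNAME)
    return msg


# Constructed sample data (not captured from a real system).
SAMPLE_BODY = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
               '<XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>')
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
"""

if __name__ == "__main__":
    print(diagnose_issuance(SAMPLE_BODY, SAMPLE_LISTING))
```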