[Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

David Kupka dkupka at redhat.com
Thu Jun 18 12:43:50 UTC 2015 

Dne 18.6.2015 v 13:18 Jan Cholasta napsal(a):
> Dne 17.6.2015 v 12:26 Fraser Tweedale napsal(a):
>> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
>>> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>>>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>>>> - ipa-replica-prepare works
>>>>>> - old IPA server was upgraded to today's master (with Cert profiles
>>>>>> patches)
>>>>>> - ipa-replica-prepare fails with:
>>>>>>
>>>>>> Log:
>>>>>>
>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>>> ipa: DEBUG: request status 200
>>>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
>>>>>> 'content-length': '148', 'content-type': 'application/xml', 'server':
>>>>>> 'Apache-Coyote/1.1'}
>>>>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
>>>>>> standalone="no"?><XMLResponse><Status>1</Status><Error>Profile
>>>>>> caIPAserviceCert Not Found</Error></XMLResponse>'
>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>>>>>> 171, in
>>>>>> execute
>>>>>>      return_value = self.run()
>>>>>>    File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>>>
>>>>>> line 338, in run
>>>>>>      self.copy_ds_certificate()
>>>>>>    File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>>>
>>>>>> line 383, in copy_ds_certificate
>>>>>>      self.export_certdb("dscert", passwd_fname)
>>>>>>    File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>>>>
>>>>>> line 595, in export_certdb
>>>>>>      db.create_server_cert(nickname, hostname, ca_db)
>>>>>>    File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>>>> line 337, in create_server_cert
>>>>>>      cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>    File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>>>> line 419, in issue_server_cert
>>>>>>      raise RuntimeError("Certificate issuance failed")
>>>>>>
>>>>>
>>>>> Bump, I have also came across this issue (see log:
>>>>> http://pastebin.test.redhat.com/289434).
>>>>>
>>>>> --
>>>>> Martin^3 Babinsky
>>>>
>>>> It was reported to me that the issue was reproducible after upgrade
>>> >from 4.1.4 to master, but I was not able to reproduce.  Can anyone
>>>> who has encountered it please:
>>>>
>>>> - state fedora version(s) affected and precise build of Dogtag
>>>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>
>>> I  see similar issue when creating a replica file from second
>>> replica/master, all git master. I.e. the prepare on first server
>>> obviously
>>> works.
>>>
>>> The error is different though:
>>>
>>> ipa: DEBUG: request status 200
>>> ipa: DEBUG: request reason_phrase u'OK'
>>> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT',
>>> 'content-length': '133', 'content-type': 'application/xml', 'server':
>>> 'Apache-Coyote/1.1'}
>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
>>> standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid
>>> Credential.</Error></XMLResponse>'
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>> execute
>>>      return_value = self.run()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>
>>> line 338, in run
>>>      self.copy_ds_certificate()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>
>>> line 383, in copy_ds_certificate
>>>      self.export_certdb("dscert", passwd_fname)
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>>>
>>> line 595, in export_certdb
>>>      db.create_server_cert(nickname, hostname, ca_db)
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>>> 337, in create_server_cert
>>>      cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>>> 419, in issue_server_cert
>>>      raise RuntimeError("Certificate issuance failed")
>>>
>>> --
>>> Petr Vobornik
>>
>> I spent some time debugging tihs issue today.  It appears to be
>> introduced by commit:
>>
>>      commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>>      Author: David Kupka <dkupka at redhat.com>
>>      Date:   Mon Jun 8 05:23:56 2015 +0000
>>
>>          Move CA installation code into single module.
>>
>>          https://fedorahosted.org/freeipa/ticket/4468
>>
>>          Reviewed-By: Jan Cholasta <jcholast at redhat.com>
>>
>> During the execution of ipa-replica-prepare, the RA cert (nickname
>> "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then
>> removed somehow while executing http.create_instance().  I have not
>> yet precisely identified the cause enough to fix it.  Hopefully
>> David or Honza can some light.
>
> Fixed.
>
Works for me, ACK.

-- 
David Kupka

More information about the Freeipa-devel mailing list