[Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update
David Kupka
dkupka at redhat.com
Thu Jun 18 12:43:50 UTC 2015
On 18.6.2015 at 13:18, Jan Cholasta wrote:
> On 17.6.2015 at 12:26, Fraser Tweedale wrote:
>> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
>>> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>>>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>>>> - ipa-replica-prepare works
>>>>>> - old IPA server was upgraded to today's master (with Cert profiles
>>>>>> patches)
>>>>>> - ipa-replica-prepare fails with:
>>>>>>
>>>>>> Log:
>>>>>>
>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>>> ipa: DEBUG: request status 200
>>>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
>>>>>> 'content-length': '148', 'content-type': 'application/xml', 'server':
>>>>>> 'Apache-Coyote/1.1'}
>>>>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>     return_value = self.run()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>>>>     self.copy_ds_certificate()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>>
>>>>>
>>>>> Bump, I have also come across this issue (see log:
>>>>> http://pastebin.test.redhat.com/289434).
>>>>>
>>>>> --
>>>>> Martin^3 Babinsky
>>>>
>>>> It was reported to me that the issue was reproducible after upgrade
>>>> from 4.1.4 to master, but I was not able to reproduce. Can anyone
>>>> who has encountered it please:
>>>>
>>>> - state fedora version(s) affected and precise build of Dogtag
>>>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>
>>> I see similar issue when creating a replica file from second
>>> replica/master, all git master. I.e. the prepare on first server
>>> obviously
>>> works.
>>>
>>> The error is different though:
>>>
>>> ipa: DEBUG: request status 200
>>> ipa: DEBUG: request reason_phrase u'OK'
>>> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT',
>>> 'content-length': '133', 'content-type': 'application/xml', 'server':
>>> 'Apache-Coyote/1.1'}
>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>'
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>     self.copy_ds_certificate()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>     self.export_certdb("dscert", passwd_fname)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>     raise RuntimeError("Certificate issuance failed")
>>>
>>> --
>>> Petr Vobornik
>>
>> I spent some time debugging this issue today. It appears to be
>> introduced by commit:
>>
>> commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>> Author: David Kupka <dkupka at redhat.com>
>> Date: Mon Jun 8 05:23:56 2015 +0000
>>
>> Move CA installation code into single module.
>>
>> https://fedorahosted.org/freeipa/ticket/4468
>>
>> Reviewed-By: Jan Cholasta <jcholast at redhat.com>
>>
>> During the execution of ipa-replica-prepare, the RA cert (nickname
>> "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then
>> removed somehow while executing http.create_instance(). I have not
>> yet precisely identified the cause enough to fix it. Hopefully
>> David or Honza can shed some light.
>
> Fixed.
>
Works for me, ACK.
--
David Kupka
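Added example, not FreeIPA or Dogtag code and not part of the thread above: both failures in the logs are explained by the CA itself in the XMLResponse body ("Profile caIPAserviceCert Not Found" and "Invalid Credential."), yet the traceback ends in a bare RuntimeError because the caller only looks for the issued certificate. The Python below parses such a body, surfaces the CA's own reason, and does a rough triage of the two error strings seen here. Assumptions not shown on this page: that Status 0 means success, that an issued certificate arrives in a <b64> element, and the success body itself, which is constructed with a five-byte DER placeholder rather than a real certificate. The two failure bodies are the ones from the DEBUG logs above with the e-mail line wrapping rejoined.

```python
"""Surface the Dogtag CA's error text from a profileSubmit XMLResponse body.

Added illustration; not FreeIPA or Dogtag code. Assumptions are marked.
"""
import base64
import xml.etree.ElementTree as ET

# Response bodies copied from the DEBUG logs in this thread (line wrapping rejoined).
PROFILE_NOT_FOUND_BODY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><Status>1</Status>'
    '<Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
)
INVALID_CREDENTIAL_BODY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><Status>1</Status>'
    '<Error>Invalid Credential.</Error></XMLResponse>'
)
# Constructed success body: the <b64> element name is an assumption, and the
# payload is a 5-byte DER SEQUENCE placeholder, not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SUCCESS_BODY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><Status>0</Status><Requests><Request>'
    '<b64>' + base64.b64encode(FAKE_DER).decode("ascii") + '</b64>'
    '</Request></Requests></XMLResponse>'
)


class CertIssuanceError(RuntimeError):
    """Carries the CA's own reason instead of a bare 'Certificate issuance failed'."""


def parse_xml_response(body):
    """Return (status, error, cert_der) from a Dogtag XMLResponse body.

    status   -- integer <Status>; 0 is treated as success (assumption)
    error    -- stripped text of <Error>, or None when absent
    cert_der -- bytes decoded from the first <b64> element, or None
    """
    if isinstance(body, str):
        body = body.encode("utf-8")
    root = ET.fromstring(body)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status_node = root.find("Status")
    if status_node is None or not (status_node.text or "").strip():
        raise ValueError("XMLResponse has no <Status>")
    status = int(status_node.text.strip())
    error = None
    error_node = root.find("Error")
    if error_node is not None and error_node.text and error_node.text.strip():
        error = error_node.text.strip()
    cert_der = None
    b64_node = root.find(".//b64")
    if b64_node is not None and b64_node.text:
        cert_der = base64.b64decode("".join(b64_node.text.split()))
    return status, error, cert_der


def extract_issued_cert(body):
    """Return the DER certificate, or raise CertIssuanceError with the CA's reason."""
    status, error, cert_der = parse_xml_response(body)
    if status != 0:
        raise CertIssuanceError("CA rejected the request (Status %d): %s"
                                % (status, error or "no <Error> element"))
    if cert_der is None:
        raise CertIssuanceError("CA reported success but returned no <b64> certificate")
    return cert_der


def issuance_failure_reason(body):
    """Return the reason string for a failed body, or None when a cert was issued."""
    try:
        extract_issued_cert(body)
    except CertIssuanceError as exc:
        return str(exc)
    return None


def classify_failure(error):
    """Rough triage of the <Error> text, based on the two failures in this thread.

    'missing-profile' : the CA has no profile of the requested name.
    'client-auth'     : the CA rejected the TLS client credential; in this thread
                        the RA cert "ipaCert" had gone missing from /etc/httpd/alias.
    """
    if error is None:
        return "unknown"
    if error.startswith("Profile ") and error.endswith("Not Found"):
        return "missing-profile"
    if error.startswith("Invalid Credential"):
        return "client-auth"
    return "other"


if __name__ == "__main__":
    for name, body in (("profile", PROFILE_NOT_FOUND_BODY),
                       ("credential", INVALID_CREDENTIAL_BODY),
                       ("success", SUCCESS_BODY)):
        reason = issuance_failure_reason(body)
        print(name, "->", reason or "issued %d DER bytes" % len(extract_issued_cert(body)))
```

The point of `extract_issued_cert` is that the <Error> text reaches the operator in the exception instead of only in a DEBUG log; `classify_failure` is a string heuristic over the two messages seen here, not a Dogtag error catalogue.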