[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
HonzaCholasta
freeipa-github-notification at redhat.com
Fri Jan 20 06:56:09 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
Here's what I did:
```
# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
# rm -rf /var/lib/ipa/radb
# ipa-replica-install --domain abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com --principal admin --password blablabla
...
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170120063423':
status: CA_UNREACHABLE
ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://vm-226.abc.idm.lab.eng.brq.redhat.com:443/ca/rest/account/login': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
# certutil -d /var/lib/ipa/radb -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
# stat /var/lib/ipa/radb
stat: cannot stat '/var/lib/ipa/radb': No such file or directory
```
Here's the full replica install log: http://pastebin.com/kwj8nFcC
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273991634