<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 02/19/2015 02:54 PM, Jim Richard
      wrote:<br>
    </div>
    <blockquote
      cite="mid:E9D7B437-6BFB-4C23-80F8-975E0EE6A5D4@placeiq.com"
      type="cite">
      <span class="">Hey guys, for what it's
        worth, I spent a couple weeks working with </span><span class="">Endi
        Sukma Dewata, <a moz-do-not-send="true"
          href="mailto:edewata@redhat.com" class="">edewata@redhat.com</a>,
        "</span><span class="">Re: [Freeipa-users] Redhat/Centos iDM 3.0
        to 3.1 upgrade fail".</span>
      <div class=""><br class="">
      </div>
      <div class="">Unfortunately my post subject was not accurate but
        in fact, I was attempting the exact same thing and seeing the
        exact same error. The main LDAP instance would come up ok but
        upon attempting to migrate the PKI stuff with the new ldap
        schema etc, it just fails...</div>
      <div class=""><br class="">
      </div>
    </blockquote>
    <br>
    If you have been gradually upgrading it might very well be that you
    are hitting some of the earlier bugs related to cert tracking.<br>
    The page can help you with troubleshooting
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates">http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates</a><br>
    You need to see whether the certs on the master have expired and
    whether they are now properly tracked.<br>
    Rob, is this the right way of checking the cert validity (see
    previous mail in the thread)?<br>
    <br>
    <br>
    <blockquote
      cite="mid:E9D7B437-6BFB-4C23-80F8-975E0EE6A5D4@placeiq.com"
      type="cite">
      <div class=""><br class="">
      </div>
      <div class="">In the end we couldn't figure it out, basically had
        to just give up. </div>
      <div class=""><br class="">
      </div>
      <div class="">Maybe one of you could reach out to Endi and he
        could share some insights. </div>
      <div class=""><br class="">
      </div>
      <div class="">I'd love to be able to make this work as well but as
        of now it looks like my only option if I want to upgrade to
        version 3.3/Centos 7 is well, there is no option....</div>
      <div class=""><br class="">
      </div>
      <div class="">I'd be happy to share or help in any way.</div>
      <div class=""><br class="">
        <div class="">
          <div style="color: rgb(0, 0, 0); font-family: Verdana;
            font-size: 11px; font-style: normal; font-variant: normal;
            font-weight: normal; letter-spacing: normal; line-height:
            normal; orphans: auto; text-align: start; text-indent: 0px;
            text-transform: none; white-space: normal; widows: auto;
            word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
            <table style="color: rgb(34, 34, 34); margin: 0px;
              font-size: 13.63636302948px; font-family: Times;
              background-color: rgb(255, 255, 255);" class=""
              cellpadding="0" cellspacing="0">
              <tbody class="">
                <tr class="" height="10">
                  <td colspan="36" style="font-family: Georgia, serif;
                    margin: 0px; vertical-align: top; padding-top: 5px;
                    font-style: italic; font-size: 10px; letter-spacing:
                    0.1em; line-height: 1.5em; color: rgb(117, 107,
                    172);" class=""><span style="color: rgb(70, 70,
                      70);" class="">Jim Richard | </span><a
                      moz-do-not-send="true"
href="http://www.google.com/url?q=http%3A%2F%2Fwww.placeiq.com%2F&sa=D&sntz=1&usg=AFrqEzcYjZpDPyqW7feNK9EgLq-c9JlHiw"
                      target="_blank" style="color: rgb(117, 107, 172);
                      text-decoration: none;" class="">PlaceIQ</a> |
                    Systems Administrator | jrichard<a
                      moz-do-not-send="true"
                      href="mailto:name@placeiq.com" target="_blank"
                      style="color: rgb(117, 107, 172); text-decoration:
                      none;" class="">@placeiq.com</a> | <a
                      moz-do-not-send="true" style="color: rgb(17, 85,
                      204);" class="">+1 (646) 338-8905</a></td>
                </tr>
              </tbody>
            </table>
            <div class=""><br class="">
            </div>
          </div>
          <br class="Apple-interchange-newline">
        </div>
        <br class="">
        <div>
          <blockquote type="cite" class="">
            <div class="">On Feb 19, 2015, at 11:37 AM, Jani West &lt;<a
                moz-do-not-send="true" href="mailto:jwest@iki.fi"
                class="">jwest@iki.fi</a>&gt; wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">Hi,<br class="">
              <br class="">
              How can I check the cert and test?<br class="">
              <br class="">
              I did curl -v -k <a moz-do-not-send="true"
                href="https://xxx/ca/admin/ca/getDomainXML" class="">https://xxx/ca/admin/ca/getDomainXML</a><br
                class="">
              <br class="">
              According to that the cert has plenty of time left.<br
                class="">
              <br class="">
              On the other hand<br class="">
              <a moz-do-not-send="true"
                href="https://xxx/ca/admin/ca/updateDomainXML" class="">https://xxx/ca/admin/ca/updateDomainXML</a>
              is giving the same cert but also HTTP 404.<br class="">
              <br class="">
              On 02/19/2015 06:22 PM, Martin Kosek wrote:<br class="">
              <blockquote type="cite" class="">On 02/19/2015 05:14 PM,
                Dmitri Pal wrote:<br class="">
                <blockquote type="cite" class="">On 02/19/2015 10:07 AM,
                  Jani West wrote:<br class="">
                  <blockquote type="cite" class="">Trying to migrate
                    from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0
                    with<br class="">
                    FreeIPA 3.3.3-28 by using replication.<br class="">
                    <br class="">
                    I have prepared replication file and moved it to the
                    new replica server.<br class="">
                    Configured the firewalld and installed Ipa and other
                    needed packages via yum.<br class="">
                    <br class="">
                    When running "ipa-replica-install --setup-ca -d"
                    installation always<br class="">
                    gets stuck on:<br class="">
                    <br class="">
----------------------------------------------------------------------<br
                      class="">
                    "Configuring certificate server (pki-tomcatd):
                    Estimated time 3 minutes 30<br class="">
                    seconds<br class="">
                    [2/19]: configuring certificate server instance<br
                      class="">
                    ipa         : DEBUG    Starting external process<br
                      class="">
                    ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA
                    -f /tmp/tmpHJBhR5<br class="">
                    ipa         : DEBUG    Process finished, return
                    code=1<br class="">
                    ipa         : DEBUG    stdout=Loading deployment
                    configuration from<br class="">
                    /tmp/tmpHJBhR5.<br class="">
                    Installing CA into /var/lib/pki/pki-tomcat.<br
                      class="">
                    Storing deployment configuration into<br class="">
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.<br class="">
                    Installation failed.<br class="">
                    <br class="">
                    <br class="">
                    ipa         : DEBUG    stderr=pkispawn    : WARNING
                    ....... unable to<br class="">
                    validate security domain user/password through REST
                    interface. Interface not<br class="">
                    available<br class="">
                    pkispawn    : ERROR    ....... Exception from Java
                    Configuration Servlet:<br class="">
                    Error while updating security domain:
                    java.io.IOException:<br class="">
                    java.io.IOException: SocketException cannot read on
                    socket<br class="">
                    <br class="">
                    ipa         : CRITICAL failed to configure ca
                    instance Command<br class="">
                    '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5'
                    returned non-zero exit status 1<br class="">
----------------------------------------------------------------------<br
                      class="">
                    <br class="">
                    Between the attempts I have cleaned up ipa and pki
                    configurations and<br class="">
                    deleted the old replication agreement.<br class="">
                    <br class="">
                    <br class="">
                    Apache logs on old CentOS 6 server have these
                    errors.<br class="">
----------------------------------------------------------------------<br
                      class="">
                    192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST<br
                      class="">
                    /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158<br
                      class="">
                    192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST<br
                      class="">
                    /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -<br
                      class="">
                    192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST<br
                      class="">
                    /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323<br
                      class="">
                    [Thu Feb 19 11:38:44 2015] [error] Bad remote server
                    certificate: -8181<br class="">
                    [Thu Feb 19 11:38:44 2015] [error] SSL Library
                    Error: -8181 Certificate has<br class="">
                    expired<br class="">
                    [Thu Feb 19 11:38:44 2015] [error] Re-negotiation
                    handshake failed: Not<br class="">
                    accepted by client!?<br class="">
----------------------------------------------------------------------<br
                      class="">
                    <br class="">
                    Which certificate does this mean? ca.crt has more than
                    five years left.<br class="">
                    <br class="">
                    Clocks are synced, /ca/admin/ca/updateDomainXML can
                    be found in<br class="">
                    ipa-pki-proxy.conf and there is no obvious reason.
                    Any hints?<br class="">
                  </blockquote>
                  <br class="">
                  Are CA ports accessible on your master? Can you check
                  your FW please?<br class="">
                  <br class="">
                </blockquote>
                <br class="">
                This line makes me think that expired certs may be
                involved:<br class="">
                <br class="">
                [Thu Feb 19 11:38:44 2015] [error] SSL Library Error:
                -8181 Certificate has<br class="">
                expired<br class="">
                <br class="">
                CCing JanCh who has the best context in this area.<br
                  class="">
                <br class="">
              </blockquote>
              <br class="">
              <br class="">
              -- <br class="">
              -- Jani West -- <a moz-do-not-send="true"
                href="mailto:jwest@iki.fi" class="">jwest@iki.fi</a> --
              +358 40 5010914 --<br class="">
              -- Liinalahdentie 4 -- 01800 KLAUKKALA -- FINLAND --<br
                class="">
              <br class="">
              "I would like Finland to be much more multicultural.<br
                class="">
              Many people come here from elsewhere, but they are not<br
                class="">
              brought to the fore enough. Somehow we keep them behind the
              curtains.<br class="">
              It is important that Finland be made open and
              tolerant.<br class="">
              A closed way of thinking is Finland's problem. Perhaps we<br
                class="">
              fear demonstrations, such as those there have been in Sweden's<br
                class="">
              suburbs, and that something terrible will happen.<br
                class="">
              It is not understood that immigrants can also bring<br
                class="">
              much good to Finland. I would hope that the government<br
                class="">
              would listen to the whole nation, including those who come<br
                class="">
              from different cultures. The government should fund and support<br
                class="">
              the internationalization of Finland more. Parliament, too, could listen<br
                class="">
              to immigrants more."<br class="">
              <br class="">
              HS 8.6.2013: Essi, age 16, Etu-Töölön lukio.<br class="">
              <br class="">
              -- <br class="">
              Manage your subscription for the Freeipa-users mailing
              list:<br class="">
              <a moz-do-not-send="true"
                href="https://www.redhat.com/mailman/listinfo/freeipa-users"
                class="">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br
                class="">
              Go To <a class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project<br
                class="">
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
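    <p>Added example (not part of the original thread, and not FreeIPA or
      certmonger code): one way to run the check asked for above, whether
      the master's certificates have expired and whether they are tracked,
      by auditing the text printed by certmonger's "getcert list". The
      sample output, the EXPECTED list of database/nickname pairs and the
      28-day warning window are constructed assumptions; the reference
      time is the Apache error-log timestamp quoted in the thread.</p>

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of certmonger's `getcert list` output (fields trimmed).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130219101500':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
    expires: 2015-02-09 10:15:00 UTC
Request ID '20130219101501':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca'
    expires: 2015-02-09 10:14:00 UTC
Request ID '20140301120000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    expires: 2016-03-01 12:00:00 UTC
"""

# Assumption: (NSS database, nickname) pairs this master is expected to track.
EXPECTED = [
    ("/etc/httpd/alias", "ipaCert"),
    ("/etc/httpd/alias", "Server-Cert"),
    ("/var/lib/pki-ca/alias", "subsystemCert cert-pki-ca"),
    ("/var/lib/pki-ca/alias", "ocspSigningCert cert-pki-ca"),
]

def parse_getcert(text):
    """Return one dict per 'Request ID' block holding its 'key: value' fields."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def audit(text, now, expected=EXPECTED, warn_days=28):
    """List (location, nickname, problem) for unhealthy, expired or untracked certs."""
    findings, seen = [], set()
    for req in parse_getcert(text):
        cert = req.get("certificate", "")
        loc = re.search(r"location='([^']*)'", cert)
        nick = re.search(r"nickname='([^']*)'", cert)
        key = (loc.group(1) if loc else "?", nick.group(1) if nick else "?")
        seen.add(key)
        if req.get("status") != "MONITORING":
            findings.append(key + ("STATUS " + req.get("status", "unknown"),))
        if "expires" not in req:
            findings.append(key + ("NO CERTIFICATE ISSUED",))
            continue
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        if now >= expires:
            findings.append(key + ("EXPIRED " + req["expires"],))
        elif warn_days >= (expires - now).days:
            findings.append(key + ("EXPIRES SOON " + req["expires"],))
    # Anything expected but absent from the listing is not being renewed by certmonger.
    findings += [key + ("NOT TRACKED",) for key in expected if key not in seen]
    return findings

if __name__ == "__main__":
    # Reference time: the Apache error-log timestamp from the thread, in UTC.
    now = datetime(2015, 2, 19, 9, 38, 44, tzinfo=timezone.utc)
    for finding in audit(SAMPLE, now):
        print(" | ".join(finding))
```

    <p>On a real master the input would be the saved output of
      "getcert list" instead of SAMPLE.</p>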
  </body>
</html>