[Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

Fraser Tweedale ftweedal at redhat.com
Wed Jun 17 10:26:34 UTC 2015


On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
> >On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
> >>On 06/04/2015 04:03 PM, Petr Vobornik wrote:
> >>>- ipa-replica-prepare works
> >>>- old IPA server was upgraded to today's master (with Cert profiles
> >>>patches)
> >>>- ipa-replica-prepare fails with:
> >>>
> >>>Log:
> >>>
> >>>ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> >>>ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
> >>>ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
> >>>ipa: DEBUG: Protocol: TLS1.2
> >>>ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
> >>>ipa: DEBUG: request status 200
> >>>ipa: DEBUG: request reason_phrase u'OK'
> >>>ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT',
> >>>'content-length': '148', 'content-type': 'application/xml', 'server':
> >>>'Apache-Coyote/1.1'}
> >>>ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
> >>>standalone="no"?><XMLResponse><Status>1</Status><Error>Profile
> >>>caIPAserviceCert Not Found</Error></XMLResponse>'
> >>>ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
> >>>"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> >>>execute
> >>>     return_value = self.run()
> >>>   File
> >>>"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >>>line 338, in run
> >>>     self.copy_ds_certificate()
> >>>   File
> >>>"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >>>line 383, in copy_ds_certificate
> >>>     self.export_certdb("dscert", passwd_fname)
> >>>   File
> >>>"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >>>line 595, in export_certdb
> >>>     db.create_server_cert(nickname, hostname, ca_db)
> >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> >>>line 337, in create_server_cert
> >>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> >>>line 419, in issue_server_cert
> >>>     raise RuntimeError("Certificate issuance failed")
> >>>
> >>
> >>Bump, I have also come across this issue (see log:
> >>http://pastebin.test.redhat.com/289434).
> >>
> >>--
> >>Martin^3 Babinsky
> >
> >It was reported to me that the issue was reproducible after upgrade
> >from 4.1.4 to master, but I was not able to reproduce.  Can anyone
> >who has encountered it please:
> >
> >- state fedora version(s) affected and precise build of Dogtag
> >- provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
> >
> >Thanks,
> >Fraser
> >
> 
> I see a similar issue when creating a replica file from a second
> replica/master, all git master. I.e. the prepare on the first server obviously
> works.
> 
> The error is different though:
> 
> ipa: DEBUG: request status 200
> ipa: DEBUG: request reason_phrase u'OK'
> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT',
> 'content-length': '133', 'content-type': 'application/xml', 'server':
> 'Apache-Coyote/1.1'}
> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid
> Credential.</Error></XMLResponse>'
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 338, in run
>     self.copy_ds_certificate()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 383, in copy_ds_certificate
>     self.export_certdb("dscert", passwd_fname)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 595, in export_certdb
>     db.create_server_cert(nickname, hostname, ca_db)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
> 337, in create_server_cert
>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
> 419, in issue_server_cert
>     raise RuntimeError("Certificate issuance failed")
> 
> -- 
> Petr Vobornik

I spent some time debugging this issue today.  It appears to be
introduced by commit:

    commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
    Author: David Kupka <dkupka at redhat.com>
    Date:   Mon Jun 8 05:23:56 2015 +0000

        Move CA installation code into single module.

        https://fedorahosted.org/freeipa/ticket/4468

        Reviewed-By: Jan Cholasta <jcholast at redhat.com>

During the execution of ipa-replica-prepare, the RA cert (nickname
"ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then
removed somehow while executing http.create_instance().  I have not
yet precisely identified the cause enough to fix it.  Hopefully
David or Honza can shed some light.

Cheers,
Fraser
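Both tracebacks above end in a bare "Certificate issuance failed" even though the CA's XMLResponse body names the real cause ("Profile caIPAserviceCert Not Found", "Invalid Credential."). As an added example, not code from the thread or from FreeIPA, the parser below surfaces that <Error> text and maps the two failures seen here to their likely cause; the success shape (Status 0 and the issued certificate in a <b64> element) is an assumption about Dogtag's format, and the sample bodies are constructed copies of the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two failure bodies quoted in the thread; the
# success body is an assumption (Status 0, certificate in <b64>).
PROFILE_NOT_FOUND = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
                     '<XMLResponse><Status>1</Status><Error>Profile '
                     'caIPAserviceCert Not Found</Error></XMLResponse>')
INVALID_CREDENTIAL = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
                      '<XMLResponse><Status>1</Status><Error>Invalid '
                      'Credential.</Error></XMLResponse>')
SUCCESS = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
           '<XMLResponse><Status>0</Status><Requests><Request>'
           '<b64>MIIB\nAAAA</b64></Request></Requests></XMLResponse>')


def classify(error):
    """Map Dogtag's <Error> text to the likely cause seen in this thread."""
    if "Profile" in error and "Not Found" in error:
        return "profile-missing"    # profile absent from the CA after upgrade
    if "Invalid Credential" in error:
        return "agent-auth-failed"  # RA agent cert (ipaCert) not accepted or not sent
    return "unknown"


def check_response(body):
    """Parse a Dogtag XMLResponse body; returns a dict and never raises."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "error": "unparseable CA response: %s" % exc,
                "cause": "unknown"}
    if root.tag != "XMLResponse":
        return {"ok": False, "error": "unexpected root <%s>" % root.tag,
                "cause": "unknown"}
    status = (root.findtext("Status") or "").strip()
    if status != "0":
        # Non-zero status: report the CA's own message, not a generic error.
        error = (root.findtext("Error") or "no <Error> element").strip()
        return {"ok": False, "status": status, "error": error,
                "cause": classify(error)}
    b64 = root.findtext(".//b64")
    if not b64:
        return {"ok": False, "status": status,
                "error": "Status 0 but no <b64> certificate", "cause": "unknown"}
    # Strip the line breaks Dogtag wraps base64 output with.
    return {"ok": True, "status": status, "cert": "".join(b64.split())}
```

The "Invalid Credential." case is the one that matches the missing ipaCert described in this message: the request to the CA was made without a usable RA agent certificate, so the CA rejected the caller rather than the profile.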
