[Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

Petr Vobornik pvoborni at redhat.com
Thu Jun 18 12:48:57 UTC 2015


On 06/18/2015 02:43 PM, David Kupka wrote:
> Dne 18.6.2015 v 13:18 Jan Cholasta napsal(a):
>> Dne 17.6.2015 v 12:26 Fraser Tweedale napsal(a):
>>> On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote:
>>>> On 06/12/2015 03:18 PM, Fraser Tweedale wrote:
>>>>> On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote:
>>>>>> On 06/04/2015 04:03 PM, Petr Vobornik wrote:
>>>>>>> - ipa-replica-prepare works
>>>>>>> - old IPA server was upgraded to today's master (with Cert profiles
>>>>>>> patches)
>>>>>>> - ipa-replica-prepare fails with:
>>>>>>>
>>>>>>> Log:
>>>>>>>
>>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>>> ipa: DEBUG: cert valid True for "CN=repl.example.com,O=EXAMPLE.COM"
>>>>>>> ipa: DEBUG: handshake complete, peer = [beef::cafe]:8443
>>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>>>> ipa: DEBUG: request status 200
>>>>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>>>>> ipa: DEBUG: request headers {'date': 'Thu, 04 Jun 2015 13:54:09 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>>>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>'
>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>>      return_value = self.run()
>>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>>>>>      self.copy_ds_certificate()
>>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>>>>>      self.export_certdb("dscert", passwd_fname)
>>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>>>>>      db.create_server_cert(nickname, hostname, ca_db)
>>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>>>      cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>>>>>      raise RuntimeError("Certificate issuance failed")
>>>>>>>
>>>>>>
>>>>>> Bump, I have also come across this issue (see log:
>>>>>> http://pastebin.test.redhat.com/289434).
>>>>>>
>>>>>> --
>>>>>> Martin^3 Babinsky
>>>>>
>>>>> It was reported to me that the issue was reproducible after upgrade
>>>>> from 4.1.4 to master, but I was not able to reproduce.  Can anyone
>>>>> who has encountered it please:
>>>>>
>>>>> - state fedora version(s) affected and precise build of Dogtag
>>>>> - provide ipaupgrade.log and /var/log/pki/pki-tomcat/ca/debug
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>>
>>>> I see a similar issue when creating a replica file from a second
>>>> replica/master, all git master. I.e. the prepare on the first server
>>>> obviously works.
>>>>
>>>> The error is different though:
>>>>
>>>> ipa: DEBUG: request status 200
>>>> ipa: DEBUG: request reason_phrase u'OK'
>>>> ipa: DEBUG: request headers {'date': 'Fri, 12 Jun 2015 13:46:32 GMT', 'content-length': '133', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>> ipa: DEBUG: request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Invalid Credential.</Error></XMLResponse>'
>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>      return_value = self.run()
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 338, in run
>>>>      self.copy_ds_certificate()
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 383, in copy_ds_certificate
>>>>      self.export_certdb("dscert", passwd_fname)
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 595, in export_certdb
>>>>      db.create_server_cert(nickname, hostname, ca_db)
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>      cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>>      raise RuntimeError("Certificate issuance failed")
>>>>
>>>> --
>>>> Petr Vobornik
>>>
>>> I spent some time debugging this issue today.  It appears to be
>>> introduced by commit:
>>>
>>>      commit 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034
>>>      Author: David Kupka <dkupka at redhat.com>
>>>      Date:   Mon Jun 8 05:23:56 2015 +0000
>>>
>>>          Move CA installation code into single module.
>>>
>>>          https://fedorahosted.org/freeipa/ticket/4468
>>>
>>>          Reviewed-By: Jan Cholasta <jcholast at redhat.com>
>>>
>>> During the execution of ipa-replica-prepare, the RA cert (nickname
>>> "ipaCert") gets added to the /etc/httpd/alias/ NSSDB, but then
>>> removed somehow while executing http.create_instance().  I have not
>>> yet precisely identified the cause enough to fix it.  Hopefully
>>> David or Honza can shed some light.
>>
>> Fixed.
>>
> Works for me, ACK.
>

Pushed to master: c3a3d789b5da353a6abf2722932df4f5fc05dbe5
-- 
Petr Vobornik
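As an added example (not FreeIPA's or Dogtag's own code), the snippet below parses the Dogtag XMLResponse bodies shown in the debug logs above so that the CA's actual reason ("Profile caIPAserviceCert Not Found", "Invalid Credential.") surfaces instead of the bare RuntimeError("Certificate issuance failed"); the hint mapping is an assumption drawn from the two failures discussed in this thread, not an official error table.

```python
import xml.etree.ElementTree as ET

# Response bodies copied from the ipa-replica-prepare debug logs in this thread.
PROFILE_NOT_FOUND = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
                     '<XMLResponse><Status>1</Status><Error>Profile '
                     'caIPAserviceCert Not Found</Error></XMLResponse>')
INVALID_CREDENTIAL = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
                      '<XMLResponse><Status>1</Status><Error>Invalid '
                      'Credential.</Error></XMLResponse>')

# Assumed mapping from substrings of Dogtag's error text to a next step, based on
# the two failures in this thread; anything else points at the CA debug log.
HINTS = {
    "not found": "the CA has no such profile; check ipaupgrade.log for the "
                 "profile import step",
    "invalid credential": "the CA rejected the RA agent cert; check that the "
                          "'ipaCert' nickname is still in /etc/httpd/alias",
}
DEFAULT_HINT = "see /var/log/pki/pki-tomcat/ca/debug"

class CertIssuanceError(RuntimeError):
    def __init__(self, status, error, hint):
        RuntimeError.__init__(self, "CA returned status %d: %s (%s)"
                              % (status, error, hint))
        self.status, self.error, self.hint = status, error, hint

def parse_xml_response(body):
    """Return (status, error_text); Status 0 is success, else <Error> has the reason."""
    root = ET.fromstring(body)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status = int(root.findtext("Status", default="-1"))
    return status, (root.findtext("Error") or "").strip()

def diagnose(body):
    """Raise CertIssuanceError with the CA's reason and a hint; return None on success."""
    status, error = parse_xml_response(body)
    if status == 0:
        return None
    hint = next((h for key, h in HINTS.items() if key in error.lower()), DEFAULT_HINT)
    raise CertIssuanceError(status, error, hint)

def explain(body):
    """The diagnosis as one line, or 'ok' when the CA reported success."""
    try:
        diagnose(body)
    except CertIssuanceError as exc:
        return str(exc)
    return "ok"
```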



