[Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed

Simo Sorce simo at redhat.com
Tue May 8 13:10:51 UTC 2012


On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote:
> On 05/05/2012 09:08 PM, Chris Evich wrote:
> > On 05/05/2012 08:01 PM, Chris Evich wrote:
> >> On 05/04/2012 04:17 PM, Chris Evich wrote:
> >> That makes me think maybe there's just a missing service principal or
> >> something I can add? I'll see if I can remove that request and try
> >> running ipa-replica-prepare again to see if it still gives that error
> >> (systems have been restarted since then). Though any other
> >> suggestions/ideas of what I can try or look at are much appreciated.
> >> Thanks.
> >>
> >
> > Replying to myself again, bad form, but maybe it'll help someone else if
> > they have a similar problem....
> > ...cut...
> > I'm guessing there's something going on with this 'caIPAserviceCert'
> > thing. Granted I didn't try requesting any certs prior to the update,
> > however I can click the 'view' button in the web UI on some service
> > certs from the install, so it was generating them at some point.
> 
> Google was kind to me and I found 
> https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly 
> confirmed was a problem:
> 
> [root@<master> ~]# find /var/lib -name caIPAserviceCert.cfg
> /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
> [root@<master> ~]# cd /var/lib/pki-ca/profiles/ca/
> [root@<master> ca]# ll
> total 424
> -rw-rw----. 1 pkiuser pkiuser  5571 Apr 22 16:42 caAdminCert.cfg
> -rw-rw----. 1 pkiuser pkiuser  5485 Apr 22 16:42 caAgentFileSigning.cfg
> -rw-rw----. 1 pkiuser pkiuser  5279 Apr 22 16:42 caAgentServerCert.cfg
> ...cut...
> -rw-rw----. 1 pkiuser pkiuser  5548 Apr 22 16:42 caInternalAuthServerCert.cfg
> -rw-rw----. 1 pkiuser pkiuser  5580 Apr 22 16:42 caInternalAuthSubsystemCert.cfg
> -rw-rw----. 1 pkiuser pkiuser  5784 Apr 22 16:42 caInternalAuthTransportCert.cfg
> -rw-rw----. 1 root    root     6220 May  4 10:18 caIPAserviceCert.cfg
> ...cut...
> [root@<master> ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
> [root@<master> ca]# fixfiles restore *
> [root@<master> ~]# systemctl restart pki-cad at pki-ca.service certmonger.service ipa.service
> 
> (Probably only needed to restart ipa.service) Now generating the cert 
> works like a champ! With a whole boat-load more stuff showing up in the 
> debug log:
> 
> [root@<replica> ~]# ipa cert-request --principal=imap/<replica fqdn>@<domain> dovecot.pem.csr
>    Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE
> ...blahblahblah...
> fXlqt7LmHUSbfg==
>    Subject: CN=<replica fqdn>,O=<domain>
>    Issuer: CN=Certificate Authority,O=<domain>
>    Not Before: Sun May 06 01:20:26 2012 UTC
>    Not After: Wed May 07 01:20:26 2014 UTC
>    Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
>    Fingerprint (SHA1): e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b
> 
> Feeling confident, I tried ipa-replica-prepare and it worked!
> [root@<master> ca]# ipa-replica-prepare king.yewess.us
> Directory Manager (existing master) password:
> 
> Preparing replica for <replica fqdn> from <master fqdn>
> Creating SSL certificate for the Directory Server
> Creating SSL certificate for the dogtag Directory Server
> Creating SSL certificate for the Web Server
> Exporting RA certificate
> Copying additional files
> Finalizing configuration
> Packaging replica information into /var/lib/ipa/replica-info-<replica fqdn>.gpg
> 
> I'm guessing what happened was I got bit by BZ 675742 or similar before 
> or after the upgrade but never noticed because I haven't used the cert 
> system until now.  Maybe whatever the fix for this bug was should be 
> revisited, or the upgrade process should make sure this file gets reset 
> with the correct ownership.  Otherwise, hopefully this exercise will be 
> helpful to someone else, and thanks Rob for responding so quickly the 
> other day.

Chris,
thanks a lot for getting back with your solution, it is very valuable
for all users that may end up in the same weird situation.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
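An added example, not code from this thread or from FreeIPA: a small audit script that checks the Dogtag CA profile directory for the root-owned profile file Chris found above and dry-runs the SELinux relabel, printing the remediation instead of applying it. It assumes the paths and owner quoted in the session (/var/lib/pki-ca/profiles/ca, pkiuser:pkiuser), GNU stat as on Fedora/RHEL, and uses restorecon in place of fixfiles.

```shell
#!/bin/sh
# Added example, not code from the thread: audit Dogtag CA profile files for the
# ownership and SELinux-label problem fixed above with chown + fixfiles.
# Assumptions (taken from the quoted session): the profiles live in
# /var/lib/pki-ca/profiles/ca and must be owned by pkiuser:pkiuser.

# Print every *.cfg in DIR whose owner:group differs from WANT ("user:group").
# Returns 0 when all files match, 1 when at least one differs, 2 on a bad DIR.
audit_profile_owners() {
    dir=$1; want=$2; rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*.cfg; do
        [ -e "$f" ] || continue
        actual=$(stat -c '%U:%G' "$f")      # GNU stat, as on Fedora/RHEL
        if [ "$actual" != "$want" ]; then
            printf '%s %s\n' "$actual" "$f"  # e.g. "root:root .../caIPAserviceCert.cfg"
            rc=1
        fi
    done
    return $rc
}

# Dry run of the SELinux relabel: lists files whose context restorecon would
# reset, without changing anything. Succeeds quietly where SELinux tools are absent.
audit_selinux_labels() {
    command -v restorecon >/dev/null 2>&1 || return 0
    restorecon -n -v -R "$1"
}

# The remediation the thread applied, printed rather than executed so an
# operator can review it first. Arguments: DIR "user:group".
remediation_hint() {
    printf 'chown %s %s/*.cfg && restorecon -R %s && systemctl restart ipa.service\n' \
        "$2" "$1" "$1"
}

# Stand-alone use: ./audit-ca-profiles.sh [DIR] [user:group]
if [ "$#" -gt 0 ]; then
    dir=${1:-/var/lib/pki-ca/profiles/ca}
    want=${2:-pkiuser:pkiuser}
    if ! audit_profile_owners "$dir" "$want"; then
        echo "Profiles with wrong ownership found; suggested fix:"
        remediation_hint "$dir" "$want"
    fi
    audit_selinux_labels "$dir"
fi
```

Run it as root on the CA master after an upgrade; a non-empty ownership list is the same symptom that broke cert issuance in the thread.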