[Freeipa-users] CA cert issues
Rob Crittenden
rcritten at redhat.com
Thu Jan 17 19:54:03 UTC 2013
Orion Poplawski wrote:
> On 01/17/2013 09:27 AM, Rob Crittenden wrote:
>> Orion Poplawski wrote:
>>> But then on ipa-replica-install, problems as predicted:
>>>
>>> ipa-replica-install --setup-ca
>>> /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
>>> ...
>>> [16/30]: configuring ssl for ds instance
>>> creation of replica failed: Could not find a CA cert in
>>> /tmp/tmpPAtailipa/realm_info/dscert.p12
>>>
>>
>> Ok, I think what I would recommend is preparing a replica w/o
>> replacing the
>> certs (e.g. let the CA issue certs for all the services).
>>
>> Install the replica.
>>
>> Then replace with the wildcard certs once the install is up and
>> functioning.
>>
>> rob
>
> That gets to:
>
> [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipa.cora.nwra.com] reports: Update failed! Status: [-11 - System error]
> creation of replica failed: Failed to start replication
>
> Because on ipa.cora :
> [17/Jan/2013:09:31:42 -0700] NSMMReplicationPlugin -
> agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Replication bind with
> SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error
> -8172:Peer's certificate issuer has been marked as not trusted by the
> user.)
>
> because the new cert install wiped out the old slapd-NWRA-COM certs.
> Installed the NWRA.COM IPA CA there.
>
> It seems like a most of the problems would be alleviated if instead of
> wiping out the old NSS dbs, it simply added the new certs. I don't know
> if there are any other security implications of this or not.
Yes, that is probably true. I think the reasoning was we didn't know
what was in the database already so starting over seemed safer.
>
> I'm also tempted to start over and do the --dirsrv-cert options on the
> initial ipa-server-install to see if that helps.
>
> Anyway, tried again and now:
>
> Configuring Kerberos KDC: Estimated time 30 seconds
> [1/9]: adding sasl mappings to the directory
> [2/9]: writing stash file from DS
> [3/9]: configuring KDC
> [4/9]: creating a keytab for the directory
> [5/9]: creating a keytab for the machine
> [6/9]: adding the password extension to the directory
> [7/9]: enable GSSAPI for replication
> creation of replica failed: list index out of range
>
>
> 2013-01-17T16:41:33Z DEBUG [7/9]: enable GSSAPI for replication
> 2013-01-17T16:41:33Z INFO Setting agreement
> cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping
> tree,cn=config schedule to 2358-2359 0 to force synch
> 2013-01-17T16:41:34Z INFO Deleting schedule 2358-2359 0 from agreement
> cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping
> tree,cn=config
> 2013-01-17T16:41:35Z INFO Replication Update in progress: FALSE: status:
> -11 - System error: start: 0: end: 0
> 2013-01-17T16:41:35Z INFO Setting agreement
> cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config
> schedule to 2358-2359 0 to force synch
> 2013-01-17T16:41:36Z INFO Deleting schedule 2358-2359 0 from agreement
> cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping tree,cn=config
>
> 2013-01-17T16:41:37Z INFO Replication Update in progress: FALSE: status:
> 0 Replica acquired successfully: Incremental update succeeded: start:
> 20130117164126Z: end: 20130117164127Z
> 2013-01-17T16:41:37Z DEBUG list index out of range
> File "/usr/sbin/ipa-replica-install", line 496, in <module>
> main()
>
> File "/usr/sbin/ipa-replica-install", line 441, in main
> krb = install_krb(config, setup_pkinit=options.setup_pkinit)
>
> File "/usr/sbin/ipa-replica-install", line 163, in install_krb
> setup_pkinit, pkcs12_info)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
> line 207, in create_replica
> self.start_creation("Configuring Kerberos KDC", 30)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> line 257, in start_creation
> method()
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
> line 442, in __convert_to_gssapi_replication
> r_bindpw=self.dm_password)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py",
> line 833, in convert_to_gssapi_replication
> self.gssapi_update_agreements(self.conn, r_conn)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py",
> line 557, in gssapi_update_agreements
> self.setup_krb_princs_as_replica_binddns(a, b)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py",
> line 550, in setup_krb_princs_as_replica_binddns
> mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
This error means that we lack one of the ldap principals on one of the
replicas. We've improved the reporting about this error in newer
versions and we try a bit harder to make sure things are ok before
trying the conversion. It may be because of the replication trust
issues, or it could just be bad timing.
>
>
> I also see this in /var/log/dirsrv/slapd-NWRA-COM/errors on the master:
>
> [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin -
> agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Schema replication
> update failed: Type or value exists
> [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin -
> agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Warning: unable to
> replicate schema: rc=1
>
> Which is probably due to some schema modifications I've made, but these
> don't really seem related to the error above.
>
We try to do all schema modifications online so they end up in
99user.ldif. This ensures that things replicate smoothly.
rob
More information about the Freeipa-users
mailing list