[Freeipa-users] CA setup and ipa-gertcert questions

Mon Jan 13 08:34:03 UTC 2014

On 01/13/2014 12:53 AM, Charlie Derwent wrote:
> On Sun, Jan 12, 2014 at 11:01 PM, Dmitri Pal <dpal at redhat.com> wrote:
> 
>>  On 01/11/2014 09:20 AM, Charlie Derwent wrote:
>>
>>  Hi
>>
>>  I'm experiencing an issue trying to use ipa-getcert on my IPA clients.
>>
>>  When I run a command similar to this
>> ipa-getcert request -K principal/`hostname` -D `hostname` \
>>  -k /var/lib/ssl/private_keys/`hostname`.pem \
>>  -f /var/lib/ssl/certs/`hostname`.pem
>>
>>  Sometimes it will work, but 9 times out of 10 an "ipa-getcert list" will
>> show the request failed with a status of CA_UNREACHABLE. I'm fairly certain
>> it's not a time related issue as I tend to run the command just after
>> enrolment and our NTP servers are rock solid.
>>
>>  Now please correct me if I'm wrong (because it feels like I
>> am wrong) but I think this is happening because not all of my replicas are
>> Certificate Authorities but the clients are still trying to validate their
>> certificate signing requests with them.
>>
>>  Am I mistaken? Have I misconfigured something? If my theory is
>> correct is there a way to force the client to only talk to the replica(s)
>> running the CA service for these types of tasks?
>>
>>  Anyway to try and get round the issue I decided to try and make all my
>> IPA replicas Certificate Authorities and ran into the issue linked below
>>
>>  Bug 905064 - ipa install error Unable to find preop.pin
>> https://bugzilla.redhat.com/show_bug.cgi?id=905064
>>
>>  This has stopped me from rolling out the CA functionality across all of
>> my replicas (and I almost trashed a replica in the process of trying to
>> work around it).
>>
>>  I'm not really bothered which way I go about solving the problem but
>> would really appreciate some assistance as it feels like I'm stuck between
>> a rock and a hard place.
>>
>>  Thanks,
>> Charlie
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> Even if the replica does not have CA it has code to turn around and proxy
>> request to the corresponding replica that has CA.
>> The first thing to check is the logs on the certmonger side that does the
>> certificate request to see which replica it is trying to connect and httpd
>> logs from the replica it tries to hit. If the requests do not hit (which I
>> suspect the case since the client returned CA_UNREACHABLE) then it might be
>> a firewall issue between the client and the replica. If it hits the server
>> but server fails to proxy and returns CA_UNREACHABLE to the client then it
>> is probably a FW issue between replicas.
>>
>> At least this is where I would dig.
>>
>> Also the bug you mentioned is a race condition and seems like a rare one
>> so there is a chance it would not happen all the time if you try more than
>> once or may be choose a different system.
>> Do you hit every time you try?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
> 
> Thanks for the tips regarding the CA authorization chain I'll try to take a
> closer log at the logs now I know what I'm looking for.
> 
> Regarding the replica CA setup, once the installation failed the first time
> I didn't get another chance. No matter what I did the replica was convinced
> there was another CA already installed. I even resorted to uninstalling the
> replica completely by running "ipa-setup-install --uninstall" a few times
> consecutively to make sure everything was gone but whenever I tried to
> re-install adding the --setup-ca option it didn't work.
> 
> I assumed there was a file or a service I had to stop or remove to get it
> going again so when I found this bug here
> https://bugzilla.redhat.com/show_bug.cgi?id=953488 I followed Tomas' steps
> in comment 4, not all the paths were the same (differences between  IPA
> 3.0.0 and 3.2.0 I assume) but still no success.
> 
> In the end dropping the --setup-ca option and reinstalling got me back to
> where I had left off.
> 
> Was there a file/service I missed? I appreciate the help.
> Thanks
> Charlie

It is hard to tell what went wrong without logs from ipareplica-install.log or PKI.

But I would guess that the failed PKI instance is still here and not being
uninstalled by IPA uninstaller. Tomas' instructions were for Dogtag 10 based
CA, while you seem to use Dogtag 9. You can try uninstalling the Dogtag 9 based
CA instance with following command run on the replica with broken CA (if it is
still there):

# /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

If that does not help, we would need the logs to continue investigating.

Martin