[Freeipa-users] RHEL 7 Upgrade experience so far

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Sun Jul 27 07:02:42 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/26/2014 07:12 PM, Erinn Looney-Triggs wrote:
> On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
>> Well it hasn't been all the pretty trying to move from RHEL 6.5
>> to RHEL 7.
> 
>> I have two servers providing my ipa instances ipa and ipa2.
>> Given that I don't have a great deal of spare capacity the plan
>> was to remove ipa2 from the replication agreement, modify DNS so
>> that only IPA was available in SRV logs (IPA does not manage DNS
>> at this point, was waiting for DNSSEC). As well, I would change
>> my sudo-ldap config files to point to ipa and remove ipa2.
> 
>> Well that all worked well, installed RHEL 7 on the system and 
>> began working through the steps in the upgrade guide.
> 
>> First major problem was running into this bug: 
>> https://fedorahosted.org/freeipa/ticket/4375 ValueError: 
>> nsDS5ReplicaId has 2 values, one expected.
> 
>> Went and patched the replication.py file to get around that
>> issue, and we moved on.
> 
>> Next up is my current issue: Exception from Java Configuration 
>> Servlet: Clone does not have all the required certificates.
> 
>> I suspect this is because I am running the CA as a subordinate
>> to an AD CS instance, but I am unsure at this point.
> 
>> It has been a haul to get here, despite the short explanation. It
>>  seems that my primary ipa instance is working on only a hit or 
>> miss basis for kerberos tickets which has made all this a bit of
>> a pain. You can kinit as admin once it will fail unable to find
>> KDC, try again another three times, it will work. I have even
>> modified the krb5.conf file to point directly at the server, thus
>> bypassing DNS SRV lookups, however, that hasn't worked.
> 
>> Point is, any help would be appreciated on the aforementioned 
>> error.
> 
>> -Erinn
> 
> 
> To reply to myself here, I believe the problem may be that I had
> to renew the CA certificates and as such the certificates in 
> /root/cacert.p12 are no longer valid. It is this file that gets 
> bundled up with whatever else using ipa-replica-prepare, so I will 
> have to create a new one that has the valid certificates in it.
> 
> One way or another though, if it isn't already documented, during a
> CA renewal this file should probably be updated with the correct 
> certificates.
> 
> -Erinn
> 
> -Erinn
> 
> 

Well thanks to this:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

I have gotten a little further down the road an created a new
cacert.p12 which looks to be complete.

However, installation still fails in the same place:

2014-07-27T06:33:04Z DEBUG Starting external process
2014-07-27T06:33:04Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp5QGhUx
2014-07-27T06:33:25Z DEBUG Process finished, return code=1
2014-07-27T06:33:25Z DEBUG stdout=Loading deployment configuration
from /tmp/tmp5QGhUx.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


2014-07-27T06:33:25Z DEBUG stderr=pkispawn    : WARNING  .......
unable to validate security domain user/password through REST
interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration
Servlet: Clone does not have all the required certificates

2014-07-27T06:33:25Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmp5QGhUx' returned non-zero exit
status 1
2014-07-27T06:33:25Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 667, in main
    CA = cainstance.install_replica_ca(config)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1678, in install_replica_ca
    subject_base=config.subject_base)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 478, in configure_instance
    self.start_creation(runtime=210)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
364, in start_creation
    method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 604, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2014-07-27T06:33:25Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Configuration of CA failed


So some of the required certificates must be missing still.

Unhelpfully, the ipa-server-install --uninstall process is not
cleaning up everything after this failure, it leaves the CA intact and
the next run through the installer believes the CA is working so it
does not configure it. As such, I guess a re-install is necessary or
some other steps to truly clean everything that I haven't found yet.

- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT1KQNAAoJEFg7BmJL2iPOeBIH/AyqKoybrpbt/k3E6HgE9YJB
5zEzSxnKCax52PYqLEg3h5CkBFmHsmIblTeM6pKhqCed6fheGTZeTpUYjwrsQfjC
h7PTyX8ymc0FVMhmCDSNEufOerV9UKXfV8yCta4dfo3ei4lv76mI4R7/rJLM3urL
Xpk6Fufm7ioNb/n9xBPgguI7omxMjOVci2TYt8Z2ZZKj4nwhuJrvJ36ym+h0Pc/v
zukhfgEniZTH2nF9PamPtAJlN76jaFzLqJNqj1sA1GHZiW/SVj7/tHLOXmlMFrB1
vSWzUHnaZ5BPkZKkbq5GfzqqoNbw+FU2jfYXbFoNxoTM2PqzHp2sScxCzIVNBpA=
=HmSa
-----END PGP SIGNATURE-----

More information about the Freeipa-users mailing list