[Freeipa-users] bug in pki during install of CA replica and workaround/solution
Les Stott
Less at imagine-sw.com
Fri Feb 13 08:33:10 UTC 2015
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Les Stott
> Sent: Saturday, 7 February 2015 9:39 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
> workaround/solution
>
>
>
> > -----Original Message-----
> > From: Endi Sukma Dewata [mailto:edewata at redhat.com]
> > Sent: Saturday, 7 February 2015 1:53 AM
> > To: Martin Kosek; Les Stott; freeipa-users at redhat.com; Matthew Harmsen
> > Subject: Re: [Freeipa-users] bug in pki during install of CA replica
> > and workaround/solution
> >
> > On 2/6/2015 8:39 AM, Martin Kosek wrote:
> > >> Reinstalling the pki-selinux rpm (found references in some other
> > >> forum posts) via yum reinstall pki-selinux is not enough to help.
> > >>
> > >> The solution is as follows:
> > >>
> > >> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
> > >> pki-java-tools pki-symkey pki-util pki-native-tools which takes
> > >> components back to 9.0.3-32 then yum -y update pki-selinux pki-ca
> > >> pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util
> > >> pki-native-tools then (after cleaning up half installed pki
> > >> components) ipa-ca-install
> > >> /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
> > >>
> > >> Then, the CA replication completes successfully.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > I saw this one around, e.g. in:
> > >
> > > http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
> > >
> > > Did you try reinstalling pki-selinux before ipa-server-install?
> > >
> > > Endi/Matthew, do we have a bug/fix for this?
> > >
> > > Thanks,
> > > Martin
> > >
> >
> > Yes, we have a ticket for this:
> > https://fedorahosted.org/pki/ticket/1243
> > The default selinux-policy is version 3.7.19-231. It needs to be
> > updated to at least version 3.7.19-260.
> >
> > --
> > Endi S. Dewata
>
> I will test this out (update to 3.7.19-260) next week as I've got a few more CA
> replicas to setup.
>
I'm still having issues. Different one this time.
As I have previously worked around the install of CA replicas in my Production environment as above, I went to set up CA replication in DR (both environments are completely separate).
Making sure I did a yum update for all packages, including selinux-policy, and also making sure all needed modules were loaded in httpd.conf, I proceeded to retry installation of CA replication. However, it failed with the following:
Note: sb2sys01.domain.com is the replica I am trying to install....
(abbreviated below)
#############################################
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA
############################################
In /var/log/pki-ca/catalina.out I see...
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system).
grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt
I don't see any errors in httpd error or access logs on the master or the intended replica.
The ipa-pki-proxy.conf config has the profilesubmit section.
# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
I can confirm that pki-cad does start (but is unconfigured) and that it does listen on port 9445.
# netstat -apn |grep 9445
tcp 0 0 :::9445 :::* LISTEN 31264/java
# service pki-cad status
pki-ca (pid 31264) is running... [ OK ]
'pki-ca' must still be CONFIGURED!
(see /var/log/pki-ca-install.log)
I am not sure what to try next.
Appreciate any help to get over this error.
Thanks,
Les
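The two symptoms in the post above (the wizard XML response reporting updateStatus failure, and the catalina.out warning that internaldb.ldapconn.port has no value while the DirAclAuthz ldapconn keys in /etc/pki-ca/CS.cfg are blank) can both be checked mechanically before digging through logs. The script below is an added example written for this thread; it is not FreeIPA or Dogtag code. The sample CS.cfg excerpt and wizard response are constructed from the fragments quoted in the post, and the set of properties it treats as required (ldapconn.host, ldapconn.port, basedn) is an assumption for the check, not the plugin's own definition.

```python
"""Diagnostic checks for a pki-ca instance that starts but stays unconfigured.

Added example for the thread above; not FreeIPA or Dogtag code.
Sample inputs are constructed from the post's excerpts.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the DirAclAuthz section of an unconfigured CS.cfg, as quoted in the post.
SAMPLE_CS_CFG = """\
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
"""

# Constructed sample: the config-wizard response from the post, with a closing tag added.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
</response>
"""

# Assumption: these suffixes under authz.instance.<name>.ldap.* must be non-empty
# for the authz plugin to reach the internal database. The plugin itself defines
# the real set; the post only shows that ldapconn.port is one of them.
REQUIRED_SUFFIXES = ("ldapconn.host", "ldapconn.port", "basedn")


def parse_cs_cfg(text):
    """Parse Dogtag's key=value CS.cfg format into a dict.

    Only the first '=' splits a line, so 'bindDN=cn=Directory Manager' keeps its
    value intact. Lines starting with '#' are comments; keys whose *value* is
    '##' (the ldap._000 style lines) are ordinary properties and are kept.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_empty_ldap_properties(props):
    """Return sorted keys of required LDAP properties that are present but blank."""
    pattern = re.compile(r"^authz\.instance\.[^.]+\.ldap\.(.+)$")
    empty = []
    for key, value in props.items():
        m = pattern.match(key)
        if m and m.group(1) in REQUIRED_SUFFIXES and value == "":
            empty.append(key)
    return sorted(empty)


def parse_wizard_response(xml_text):
    """Pull panel, updateStatus and errorString out of a config-wizard XML response."""
    root = ET.fromstring(xml_text)
    return {
        "panel": root.findtext("panel", default=""),
        "status": root.findtext("updateStatus", default=""),
        "error": root.findtext("errorString", default=""),
    }


def diagnose(cfg_text, response_xml):
    """Run both checks and return one report dict."""
    resp = parse_wizard_response(response_xml)
    empty = find_empty_ldap_properties(parse_cs_cfg(cfg_text))
    return {
        "wizard_failed": resp["status"] == "failure",
        "failing_panel": resp["panel"],
        "wizard_error": resp["error"],
        "empty_ldap_properties": empty,
    }


if __name__ == "__main__":
    for name, value in diagnose(SAMPLE_CS_CFG, SAMPLE_RESPONSE).items():
        print(f"{name}: {value}")
```

On a real host you would read /etc/pki-ca/CS.cfg and the response captured in /var/log/pki-ca-install.log instead of the constructed samples; a non-empty empty_ldap_properties list is consistent with the "missing value" warning in catalina.out, and the failing panel name tells you which wizard step to look at first.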