[Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones
Steven.Jones at vuw.ac.nz
Mon Feb 16 22:46:14 UTC 2015
====
[root at xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
SASL/GSSAPI authentication started
SASL username: xxxx
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 4
result: 32 No such object
# numResponses: 1
====
regards
Steven
________________________________________
From: Rob Crittenden <rcritten at redhat.com>
Sent: Tuesday, 17 February 2015 10:59 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> Hi,
>
> I have no idea how.
$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
It should have an attribute cACertificate;binary likely beginning with
MII. If it begins with TU then it is likely double-encoded.
And remember, this may be a red herring.
rob
>
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden <rcritten at redhat.com>
> Sent: Tuesday, 17 February 2015 10:40 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> While attempting to initialise the new server I am getting,
>>
>>
>> [root at xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
>>
>>
>> =====8><----
>> packages/ipaserver/install/plugins/update_uniqueness.py'
>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
>> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
>> ipa : DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>> return_value = main_function()
>>
>> File "/sbin/ipa-replica-install", line 658, in main
>> install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>
>> File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>> sys.exit(1)
>>
>> ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
>>
>> ========
>>
>>
>> Any idea what is wrong please?
>
> What a strange error. My initial thought was that it couldn't read or
> parse the CA cert from the 3.0 master, but this security library error
> is unexpected.
>
> I might be sending you on a wild goose chase but take a look at the CA
> cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> There was a bug quite a while back where the cert value was
> double-base64-encoded. I wouldn't expect this error from this problem
> but who knows.
>
> rob
>
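The MII/TU check suggested in the thread, as an added example that is not part of the original messages or of FreeIPA's code: it pulls cACertificate;binary values out of ldapsearch LDIF output and reports whether each is DER or base64 text that was encoded a second time. The function names and the sample bytes are assumptions constructed for this illustration.

```python
import base64
import binascii

ATTR = "cacertificate;binary::"  # "::" marks a base64-encoded value in LDIF

def extract_values(ldif_text):
    """Collect base64 values of cACertificate;binary, unfolding LDIF
    continuation lines (each starts with one space)."""
    values, current = [], None
    for line in ldif_text.splitlines():
        if current is not None and line.startswith(" "):
            current.append(line[1:])
            continue
        if current is not None:
            values.append("".join(current))
            current = None
        if line.lower().startswith(ATTR):
            current = [line[len(ATTR):].strip()]
    if current is not None:
        values.append("".join(current))
    return values

def is_der_sequence(raw):
    # DER certificate: SEQUENCE tag 0x30 + long-form length 0x82, which is
    # why the base64 form of a typical certificate starts with "MII".
    return raw[:2] == b"\x30\x82"

def classify(b64_value):
    """Return 'der', 'double-encoded' or 'unknown' for one LDIF value."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
        if is_der_sequence(raw):
            return "der"
        # A second decode that yields DER means the stored value was base64 text.
        inner = base64.b64decode(raw.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "double-encoded" if is_der_sequence(inner) else "unknown"

def fold(value, width=64):
    """Render a value as folded LDIF (hypothetical helper for the sample)."""
    chunks = [value[i:i + width] for i in range(0, len(value), width)]
    return "cACertificate;binary:: " + "\n ".join(chunks) + "\n"

# Constructed sample: DER-shaped bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x03\x4a" + bytes(range(200))
GOOD = base64.b64encode(FAKE_DER).decode()       # starts with "MII"
DOUBLE = base64.b64encode(GOOD.encode()).decode()  # starts with "TU"

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("double", DOUBLE)):
        for v in extract_values("dn: cn=CAcert\n" + fold(value)):
            print(label, v[:4], classify(v))
```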