[Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

Rob Crittenden rcritten at redhat.com
Tue Feb 17 01:18:06 UTC 2015


Steven Jones wrote:
> =====
> cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX........8><---

Now you need to replace the contents of this double-encoded value with
an actual binary value.

First create the necessary file:

$ openssl x509 -inform pem -outform der -in /etc/ipa/ca.crt -out /tmp/ca.der

Now replace what is there with the contents of the file, replacing
dc=example,dc=com with your basedn:

$ kinit admin
$ ldapmodify -Y GSSAPI
dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der
<hit return to signal you are done>
modifying entry "cn=CACert,cn=ipa,cn=etc,dc=example,dc=com"

ctrl-D to quit

This is assuming that you have a single CA certificate in
/etc/ipa/ca.crt. This is *not* the best assumption to make. Be careful.

rob

> =====
> 
> :(
> 
> So now what?
> 
> regards
> 
> Steven
> ________________________________________
> From: Rob Crittenden <rcritten at redhat.com>
> Sent: Tuesday, 17 February 2015 12:08 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
> 
> Steven Jones wrote:
>> ?
>>
>> ====
>> [root at xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>> SASL/GSSAPI authentication started
>> SASL username:   xxxx
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 4
>> result: 32 No such object
>>
>> # numResponses: 1
> 
> Did you literally use $SUFFIX? You need to use dc=example,dc=com,
> whatever is appropriate for your install.
> 
> rob
> 
>>
>> ====
>>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden <rcritten at redhat.com>
>> Sent: Tuesday, 17 February 2015 10:59 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> I have no idea how.
>>
>> $ kinit admin
>> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> It should have an attribute cACertificate;binary likely beginning with
>> MII. If it begins with TU then it is likely double-encoded.
>>
>> And remember, this may be a red herring.
>>
>> rob
>>
>>>
>>> regards
>>>
>>> Steven
>>> ________________________________________
>>> From: Rob Crittenden <rcritten at redhat.com>
>>> Sent: Tuesday, 17 February 2015 10:40 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>>>
>>> Steven Jones wrote:
>>>> While attempting to initialise the new server I am getting,
>>>>
>>>>
>>>> [root at xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
>>>>
>>>>
>>>> =====8><----
>>>> packages/ipaserver/install/plugins/update_uniqueness.py'
>>>> ipa         : DEBUG    importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>>>> ipa         : DEBUG    importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>>>> ipa.ipaserver.install.installutils: DEBUG    group dirsrv exists
>>>> ipa.ipaserver.install.installutils: DEBUG    user dirsrv exists
>>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection context.ldap2_59928528
>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG    flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
>>>> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Destroyed connection context.ldap2_59928528
>>>> ipa         : DEBUG      File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>>>     return_value = main_function()
>>>>
>>>>   File "/sbin/ipa-replica-install", line 658, in main
>>>>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>>>
>>>>   File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>>>>     sys.exit(1)
>>>>
>>>> ipa         : DEBUG    The ipa-replica-install command failed, exception: SystemExit: 1
>>>>
>>>> ========
>>>>
>>>>
>>>> Any idea what is wrong please?
>>>
>>> What a strange error. My initial thought was that it couldn't read or
>>> parse the CA cert from the 3.0 master, but this security library error
>>> is unexpected.
>>>
>>> I might be sending you on a wild goose chase but take a look at the CA
>>> cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>>
>>> There was a bug quite a while back where the cert value was
>>> double-base64-encoded. I wouldn't expect this error from this problem
>>> but who knows.
>>>
>>> rob
>>>
>>
>>
> 
> 
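An added example, not code from Rob or from FreeIPA, showing how to check whether a cACertificate;binary value pulled from an LDIF dump is DER or double-base64-encoded (the "MII" versus "TU" tell above) and how to build the corrective ldapmodify input. It assumes the value is copied from the text after `cACertificate;binary::` and uses a constructed DER SEQUENCE in place of a real certificate; the decoder also validates the DER length so a truncated paste is caught rather than stored.

```python
import base64
import binascii

# Constructed sample: a minimal DER SEQUENCE with a long-form length
# (tag 0x30, length 0x82 0x01 0x04), so its base64 starts with "MII"
# just like a real X.509 certificate. Not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x04" + b"\x04\x82\x01\x00" + b"\x00" * 256

def der_length_ok(data: bytes) -> bool:
    """Check that data is one complete DER SEQUENCE: tag 0x30 followed by a
    length that accounts for exactly the remaining bytes."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)

def decode_cacertificate(ldif_value: str) -> tuple[bytes, bool]:
    """Decode the base64 text that LDIF shows after 'cACertificate;binary::'.
    Returns (der_bytes, was_double_encoded). Raises ValueError if neither one
    nor two rounds of base64 decoding yields a well-formed DER SEQUENCE."""
    once = base64.b64decode(ldif_value, validate=True)
    if der_length_ok(once):
        return once, False
    # A value beginning with "TU" decodes to the ASCII text "MII...", i.e. a
    # second layer of base64 wrapped around the DER certificate.
    try:
        twice = base64.b64decode(once, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("not DER and not base64-of-DER") from None
    if not der_length_ok(twice):
        raise ValueError("second decode is not a well-formed DER SEQUENCE")
    return twice, True

def fixed_ldif(basedn: str, der: bytes) -> str:
    """Build the ldapmodify input that stores the DER bytes directly
    (inline base64 instead of the file:///tmp/ca.der reference above)."""
    return (f"dn: cn=CACert,cn=ipa,cn=etc,{basedn}\n"
            "changetype: modify\n"
            "replace: cacertificate;binary\n"
            f"cacertificate;binary:: {base64.b64encode(der).decode()}\n")
```

Feed the output of `fixed_ldif` to `ldapmodify -Y GSSAPI` on stdin after `kinit admin`, exactly as in Rob's procedure.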
