[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

Martin Kosek mkosek at redhat.com
Thu Feb 19 16:22:13 UTC 2015


On 02/19/2015 05:14 PM, Dmitri Pal wrote:
> On 02/19/2015 10:07 AM, Jani West wrote:
>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with
>> FreeIPA 3.3.3-28 by using replication.
>>
>> I have prepared replication file and moved it to the new replica server.
>> Configured firewalld and installed IPA and other needed packages via yum.
>>
>> When running "ipa-replica-install --setup-ca -d" the installation always gets
>> stuck on:
>>
>> ----------------------------------------------------------------------
>> "Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>> seconds
>> [2/19]: configuring certificate server instance
>> ipa         : DEBUG    Starting external process
>> ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>> ipa         : DEBUG    Process finished, return code=1
>> ipa         : DEBUG    stdout=Loading deployment configuration from
>> /tmp/tmpHJBhR5.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>>
>>
>> ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to
>> validate security domain user/password through REST interface. Interface not
>> available
>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet:
>> Error while updating security domain: java.io.IOException:
>> java.io.IOException: SocketException cannot read on socket
>>
>> ipa         : CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
>> ----------------------------------------------------------------------
>>
>> Between the attempts I have cleaned up ipa and pki configurations and
>> deleted the old replication agreement.
>>
>>
>> Apache logs on old CentOS 6 server have these errors.
>> ----------------------------------------------------------------------
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>> /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
>> expired
>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not
>> accepted by client!?
>> ----------------------------------------------------------------------
>>
>> Which certificate does this mean? ca.crt has more than five years left.
>>
>> Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
>> ipa-pki-proxy.conf and there is no obvious reason. Any hints?
> 
> Are CA ports accessible on your master? Can you check your FW please?
> 

This line makes me think that expired certs may be involved:

[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
expired

CCing JanCh who has the best context in this area.
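The quick way to confirm Martin's hunch is to tie the mod_nss error on the master to the CA requests the replica made in the same second. The script below is an added example written for this thread, not something from FreeIPA, Dogtag or the original posters; it embeds the Apache access-log and error-log lines quoted above as constructed sample input, parses both formats, maps the NSS code -8181 to its symbolic name, and lists which CA endpoints (and HTTP statuses) were hit within a short window of each TLS failure. It assumes the error log uses the same local UTC offset as the access log, since Apache's error log carries none, and the window size is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the Apache access-log and error-log lines quoted in
# the thread (CentOS 6 master side), rejoined onto one line each.
ACCESS_LOG = """\
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
"""

ERROR_LOG = """\
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
"""

# NSS error codes as printed by mod_nss. -8181 is the one in the thread; the
# other two are common certificate-chain failures that appear the same way.
NSS_ERRORS = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$')
NSS_CODE_RE = re.compile(r'(-\d{4})\b')


def parse_access(text):
    """Parse common/combined-format access-log lines into dicts with aware timestamps."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def parse_errors(text, tz):
    """Parse error-log lines. The error log has no UTC offset, so the caller
    supplies the server's local offset (assumption: same as the access log)."""
    entries = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        code = NSS_CODE_RE.search(msg)
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz),
            "msg": msg,
            "nss_code": int(code.group(1)) if code else None,
        })
    return entries


def correlate(access, errors, window=timedelta(seconds=2)):
    """For each error-log line carrying an NSS code, collect the requests that
    arrived within `window` of it, so the failing handshake can be tied to the
    CA endpoints the replica was calling at that moment."""
    findings = []
    for err in errors:
        if err["nss_code"] is None:
            continue
        nearby = [a for a in access if abs(a["ts"] - err["ts"]) <= window]
        findings.append({
            "ts": err["ts"],
            "nss_code": err["nss_code"],
            "nss_name": NSS_ERRORS.get(err["nss_code"], "UNKNOWN_NSS_ERROR"),
            "msg": err["msg"],
            "requests": nearby,
        })
    return findings


def summarize(findings):
    """One human-readable line per finding with the (path, status) pairs seen."""
    out = []
    for f in findings:
        pairs = sorted({(r["path"], r["status"]) for r in f["requests"]})
        out.append(f"{f['ts'].isoformat()} {f['nss_name']} ({f['nss_code']}): "
                   f"{f['msg']!r} alongside {pairs}")
    return out


def run_example():
    access = parse_access(ACCESS_LOG)
    tz = access[0]["ts"].tzinfo if access else timezone.utc
    return correlate(access, parse_errors(ERROR_LOG, tz))


if __name__ == "__main__":
    for line in summarize(run_example()):
        print(line)
```

On the sample input this reports two expired-certificate events, each sitting next to the 404 on /ca/admin/ca/updateDomainXML and the 403 on /ca/agent/ca/updateDomainXML. That tells you the failure is on the master's side of the TLS exchange rather than a firewall problem, but not which certificate is expired; the next step on the CentOS 6 master is to list the tracked certificates with `getcert list` (or `certutil -L -d <nssdb>` with the relevant database) and compare their expiry dates with the timestamp in the log.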
