[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

Jim Richard jrichard at placeiq.com
Thu Feb 19 19:54:44 UTC 2015


Hey guys, for what it’s worth, I spent a couple weeks working with Endi Sukma Dewata, edewata at redhat.com, "Re: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail".

Unfortunately my post subject was not accurate but in fact, I was attempting the exact same thing and seeing the exact same error. The main LDAP instance would come up ok but upon attempting to migrate the PKI stuff with the new ldap schema etc, it just fails…


In the end we couldn’t figure it out, basically had to just give up. 

Maybe one of you could reach out to Endi and he could share some insights. 

I’d love to be able to make this work as well but as of now it looks like my only option if I want to upgrade to version 3.3/Centos 7 is well, there is no option….

I’d be happy to share or help in any way.



Jim Richard  |  PlaceIQ <http://www.google.com/url?q=http%3A%2F%2Fwww.placeiq.com%2F&sa=D&sntz=1&usg=AFrqEzcYjZpDPyqW7feNK9EgLq-c9JlHiw>  |  Systems Administrator  |  jrichard at placeiq.com  |  +1 (646) 338-8905



> On Feb 19, 2015, at 11:37 AM, Jani West <jwest at iki.fi> wrote:
> 
> Hi,
> 
> How can I check the cert and test?
> 
> I did curl -v -k https://xxx/ca/admin/ca/getDomainXML
> 
> According to that the cert has plenty of time left.
> 
> On the other hand
> https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but also http 404.
> 
> On 02/19/2015 06:22 PM, Martin Kosek wrote:
>> On 02/19/2015 05:14 PM, Dmitri Pal wrote:
>>> On 02/19/2015 10:07 AM, Jani West wrote:
>>>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with
>>>> FreeIPA 3.3.3-28 by using replication.
>>>> 
>>>> I have prepared replication file and moved it to the new replica server.
>>>> Configured the firewalld and installed Ipa and other needed packages via yum.
>>>> 
>>>> When running "ipa-replica-install --setup-ca -d" the installation always
>>>> gets stuck on:
>>>> 
>>>> ----------------------------------------------------------------------
>>>> "Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>>>> seconds
>>>> [2/19]: configuring certificate server instance
>>>> ipa         : DEBUG    Starting external process
>>>> ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>>>> ipa         : DEBUG    Process finished, return code=1
>>>> ipa         : DEBUG    stdout=Loading deployment configuration from
>>>> /tmp/tmpHJBhR5.
>>>> Installing CA into /var/lib/pki/pki-tomcat.
>>>> Storing deployment configuration into
>>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>> Installation failed.
>>>> 
>>>> 
>>>> ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to
>>>> validate security domain user/password through REST interface. Interface not
>>>> available
>>>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet:
>>>> Error while updating security domain: java.io.IOException:
>>>> java.io.IOException: SocketException cannot read on socket
>>>> 
>>>> ipa         : CRITICAL failed to configure ca instance Command
>>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
>>>> ----------------------------------------------------------------------
>>>> 
>>>> Between the attempts I have cleaned up ipa and pki configurations and
>>>> deleted the old replication agreement.
>>>> 
>>>> 
>>>> Apache logs on old CentOS 6 server have these errors.
>>>> ----------------------------------------------------------------------
>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>>>> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>>>> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>>>> /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
>>>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
>>>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
>>>> expired
>>>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not
>>>> accepted by client!?
>>>> ----------------------------------------------------------------------
>>>> 
>>>> Which certificate does this mean? ca.crt has more than five years left.
>>>> 
>>>> Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
>>>> ipa-pki-proxy.conf and there is no obvious reason. Any hints?
>>> 
>>> Are CA ports accessible on your master? Can you check your FW please?
>>> 
>> 
>> This line makes me think that expired certs may be involved:
>> 
>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
>> expired
>> 
>> CCing JanCh who has the best context in this area.
>> 
> 
> 
> -- 
> -- Jani West  --  jwest at iki.fi  -- +358 40 5010914 --
> -- Liinalahdentie 4  -- 01800 KLAUKKALA -- FINLAND --
> 
> "I would like Finland to be much more multicultural.
> Many people come here from elsewhere, but they are not
> given enough visibility. Somehow we keep them behind the curtains.
> It is important that Finland become open and tolerant.
> A closed way of thinking is Finland's problem. Maybe we
> are afraid of the demonstrations that there have been, for example,
> in the suburbs of Sweden, and that something terrible will happen.
> People don't understand that immigrants can also bring
> a lot of good to Finland. I would hope that the government
> listens to the whole nation, including people from
> different cultures. The government should fund and support
> the internationalisation of Finland more. Parliament, too, could listen
> to immigrants more."
> 
> HS 8.6.2013: Essi, age 16, Etu-Töölön lukio.
> 
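The Apache log excerpt and the "how can I check the cert" question above, as an added example that is not part of the thread and not code from FreeIPA or Dogtag: a small Python triage helper that maps the NSS error code in the mod_nss error_log lines (-8181) to its symbolic name from NSS's secerr.h, pulls the HTTP status of the security-domain requests out of the access-log lines, and evaluates a notAfter line of the form printed by `openssl x509 -noout -enddate`. The log lines in SAMPLE_LOG are copied from the thread; NSS_ERRORS, triage, days_until_expiry and the other names are this example's own.

```python
"""Log-triage helper for the failed ipa-replica-install discussed in the thread.

Added example; not code from the thread, FreeIPA or Dogtag.
"""
import re
from datetime import datetime, timezone

# NSS SEC_ERROR_* codes as they appear in mod_nss error_log lines
# (NSS secerr.h, SEC_ERROR_BASE = -8192). Only the codes listed here are mapped.
NSS_ERRORS = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8180: "SEC_ERROR_REVOKED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8171: "SEC_ERROR_UNTRUSTED_CERT",
}

# Apache combined/common access-log line: method, path and status code.
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})(?:\s|$)')
# mod_nss error_log line carrying a negative four-digit NSS error code.
NSS_RE = re.compile(r'\[error\] .*?(-\d{4})\b')

# Constructed from the lines quoted in the thread (old CentOS 6 master).
SAMPLE_LOG = """\
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
"""


def nss_error_name(code):
    """Symbolic NSS name for a numeric error code, or a labelled unknown."""
    return NSS_ERRORS.get(code, "UNKNOWN_NSS_ERROR_%d" % code)


def triage(log_text):
    """Split mixed access/error lines into requests, NSS errors and findings."""
    requests, nss_errors = [], []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            requests.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = NSS_RE.search(line)
        if m:
            code = int(m.group(1))
            nss_errors.append((code, nss_error_name(code)))
    findings = []
    for method, path, status in requests:
        if path.endswith("/updateDomainXML") and status >= 400:
            findings.append("%s %s rejected with HTTP %d" % (method, path, status))
    for code, name in nss_errors:
        if code == -8181:
            findings.append(
                "NSS %d (%s): the certificate NSS verified in this handshake is "
                "expired; the log line does not name it, so check every "
                "certificate involved in the handshake" % (code, name))
    return {"requests": requests, "nss_errors": nss_errors, "findings": findings}


def _utc(now):
    """Accept a timezone-aware datetime or a 'YYYY-MM-DD HH:MM:SS' UTC string."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.strptime(now, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return now


def parse_not_after(not_after):
    """Parse 'notAfter=Feb 19 11:38:44 2015 GMT' (openssl -enddate) to a UTC datetime."""
    value = not_after.split("=", 1)[-1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    return (parse_not_after(not_after) - _utc(now)).days


def certificate_expired(not_after, now=None):
    """True when notAfter is at or before the reference time."""
    return parse_not_after(not_after) <= _utc(now)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against the excerpt and it reports the 404 and 403 on the two updateDomainXML paths together with the decoded NSS error; feed `days_until_expiry` the notAfter line of each certificate that takes part in the CA-to-CA handshake (not only ca.crt) to find the one NSS is rejecting.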
