[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

Jani West jwest at iki.fi
Thu Feb 19 22:14:14 UTC 2015


Hi,

I can also test if there are any ideas. I have a fresh CentOS 7 VM with 
snapshots.

Absolutely, this is related to CA / Tomcat PKI as Jim said. I have fiddled 
a bit with /etc/httpd/conf.d/ipa-pki-proxy.conf on the old server to fix 
LocationMatch/Proxying.

I changed this
# matches for admin port and installer
#<LocationMatch 
"^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateNumberRange">

->

<LocationMatch 
"^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">

All the matches will be redirected to ajp://localhost:9447

No difference.


On 02/19/2015 09:54 PM, Jim Richard wrote:
> Hey guys, for what it’s worth, I spent a couple weeks working with Endi
> Sukma Dewata, edewata at redhat.com <mailto:edewata at redhat.com>, "Re:
> [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail”.
>
> Unfortunately my post subject was not accurate but in fact, I was
> attempting the exact same thing and seeing the exact same error. The
> main LDAP instance would come up ok but upon attempting to migrate the
> PKI stuff with the new ldap schema etc, it just fails…
>
>
> In the end we couldn’t figure it out, basically had to just give up.
>
> Maybe one of you could reach out to Endi and he could share some insights.
>
> I’d love to be able to make this work as well but as of now it looks
> like my only option if I want to upgrade to version 3.3/Centos 7 is
> well, there is no option….
>
> I’d be happy to share or help in any way.
>
>
>
> Jim Richard  | PlaceIQ <http://www.placeiq.com/>  |
>   Systems Administrator  |  jrichard at placeiq.com
> <mailto:name at placeiq.com>  | +1 (646) 338-8905
>
>
>
>
>> On Feb 19, 2015, at 11:37 AM, Jani West <jwest at iki.fi
>> <mailto:jwest at iki.fi>> wrote:
>>
>> Hi,
>>
>> How can I check the cert and test?
>>
>> I did curl -v -k https://xxx/ca/admin/ca/getDomainXML
>>
>> According to that the cert has plenty of time left.
>>
>> On the other hand
>> https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but
>> also HTTP 404.
>>
>> On 02/19/2015 06:22 PM, Martin Kosek wrote:
>>> On 02/19/2015 05:14 PM, Dmitri Pal wrote:
>>>> On 02/19/2015 10:07 AM, Jani West wrote:
>>>>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS
>>>>> 7.0 with
>>>>> FreeIPA 3.3.3-28 by using replication.
>>>>>
>>>>> I have prepared replication file and moved it to the new replica
>>>>> server.
>>>>> Configured the firewalld and installed Ipa and other needed
>>>>> packages via yum.
>>>>>
>>>>> When running "ipa-replica-install --setup-ca -d" the installation
>>>>> will always get stuck on:
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>> "Configuring certificate server (pki-tomcatd): Estimated time 3
>>>>> minutes 30
>>>>> seconds
>>>>> [2/19]: configuring certificate server instance
>>>>> ipa         : DEBUG    Starting external process
>>>>> ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>>>>> ipa         : DEBUG    Process finished, return code=1
>>>>> ipa         : DEBUG    stdout=Loading deployment configuration from
>>>>> /tmp/tmpHJBhR5.
>>>>> Installing CA into /var/lib/pki/pki-tomcat.
>>>>> Storing deployment configuration into
>>>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>>> Installation failed.
>>>>>
>>>>>
>>>>> ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to
>>>>> validate security domain user/password through REST interface.
>>>>> Interface not
>>>>> available
>>>>> pkispawn    : ERROR    ....... Exception from Java Configuration
>>>>> Servlet:
>>>>> Error while updating security domain: java.io.IOException:
>>>>> java.io.IOException: SocketException cannot read on socket
>>>>>
>>>>> ipa         : CRITICAL failed to configure ca instance Command
>>>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit
>>>>> status 1
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> Between the attempts I have cleaned up the ipa and pki configurations
>>>>> and deleted the old replication agreement.
>>>>>
>>>>>
>>>>> Apache logs on old CentOS 6 server have these errors.
>>>>> ----------------------------------------------------------------------
>>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>>>>> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
>>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>>>>> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
>>>>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>>>>> /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
>>>>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
>>>>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181
>>>>> Certificate has
>>>>> expired
>>>>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not
>>>>> accepted by client!?
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> Which certificate does this mean? ca.crt has more than five years left.
>>>>>
>>>>> Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
>>>>> ipa-pki-proxy.conf and there is no obvious reason. Any hints?
>>>>
>>>> Are CA ports accessible on your master? Can you check your FW please?
>>>>
>>>
>>> This line makes me think that expired certs may be involved:
>>>
>>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181
>>> Certificate has
>>> expired
>>>
>>> CCing JanCh who has the best context in this area.
>>>
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>
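To narrow down the question the thread leaves open (which certificate mod_nss means by "SSL Library Error: -8181 Certificate has expired"), here is an added example script, not code from the thread or from FreeIPA, that walks the NSS databases on the old master and flags every certificate whose Not After date has passed. It assumes the database paths in NSS_DBS (FreeIPA 3.0 defaults for httpd's mod_nss and the Dogtag CA; adjust to your host) and that certutil is on PATH.

```python
import re
import subprocess
from datetime import datetime, timezone

# Assumed NSS database locations on a FreeIPA 3.0 master (adjust to your host):
# mod_nss for httpd, and the Dogtag CA's own database.
NSS_DBS = ["/etc/httpd/alias", "/var/lib/pki-ca/alias"]
# certutil prints the validity end as e.g. "Not After : Thu Feb 19 09:30:44 2015"
# (in local time; this script treats it as UTC, an error of at most a few hours).
NOT_AFTER_RE = re.compile(
    r"Not After\s*:\s*(\w{3}\s+\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")

def parse_not_after(cert_text):
    """Return the 'Not After' time (UTC) from 'certutil -L -d DB -n NICK' output."""
    m = NOT_AFTER_RE.search(cert_text)
    if not m:
        raise ValueError("no 'Not After' field in certutil output")
    when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return when.replace(tzinfo=timezone.utc)

def parse_nicknames(listing):
    """Return nicknames from 'certutil -L -d DB' output ('<nickname>  <trust flags>')."""
    nicks = []
    for line in listing.splitlines():
        line = line.rstrip()
        # skip blanks and the two header lines
        if not line or "Trust Attributes" in line or "SSL,S/MIME" in line:
            continue
        nick, _flags = line.rsplit(None, 1)
        nicks.append(nick)
    return nicks

def expired_nicknames(details_by_nick, now):
    """Given {nickname: certutil detail text}, return the nicknames expired at `now`."""
    return [n for n, text in details_by_nick.items() if parse_not_after(text) < now]

def certutil(db, *args):
    """Run certutil -L against one NSS database and return its stdout."""
    cmd = ["certutil", "-L", "-d", db, *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def main():
    now = datetime.now(timezone.utc)
    for db in NSS_DBS:
        for nick in parse_nicknames(certutil(db)):
            not_after = parse_not_after(certutil(db, "-n", nick))
            state = "EXPIRED" if not_after < now else "ok"
            print(f"{db}: {nick}: {state} (Not After {not_after:%Y-%m-%d})")

if __name__ == "__main__":
    main()
```

Run it on the old master whose Apache logs show the -8181 error; any entry reported as EXPIRED in either database is a candidate for the certificate the TLS stack rejected.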




