[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

West, Jani jwest at iki.fi
Fri Feb 20 08:16:21 UTC 2015


Hi,

Validity, status and serials seem to be fine. One interesting pick:
while the installation is not too old, it might have been installed initially
with FreeIPA 2.x. That's why I have to use LDAP port 7389 instead of 398.

# getcert list |grep expires
	expires: 2016-11-21 13:40:41 UTC
	expires: 2016-11-21 13:40:44 UTC
	expires: 2016-11-21 13:40:41 UTC
	expires: 2016-10-30 09:08:12 UTC
	expires: 2016-10-30 09:07:12 UTC
	expires: 2016-10-30 09:07:12 UTC
	expires: 2016-10-30 09:07:12 UTC
	expires: 2016-10-30 09:07:12 UTC
# getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)'
	status: MONITORING
	expires: 2016-10-30 09:07:12 UTC
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
         Serial Number: 31 (0x1f)
# ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=People,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: description
#

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


-- 
-- Jani West
On 20.2.2015 01:07, Dmitri Pal wrote:
> On 02/19/2015 02:54 PM, Jim Richard wrote:
> 
>> Hey guys, for what it's worth, I spent a couple weeks working with
>> Endi Sukma Dewata, edewata at redhat.com, "Re: [Freeipa-users]
>> Redhat/Centos iDM 3.0 to 3.1 upgrade fail".
>> 
>> Unfortunately my post subject was not accurate but in fact, I was
>> attempting the exact same thing and seeing the exact same error. The
>> main LDAP instance would come up ok but upon attempting to migrate
>> the PKI stuff with the new ldap schema etc, it just fails…
> 
>  If you have been gradually upgrading it might very well be that you
> are hitting some of the earlier bugs related to cert tracking.
>  The page can help you with troubleshooting
> http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates
> [4]
>  You need to see whether the certs on the master have expired and
> whether they are now properly tracked.
>  Rob is this the right way of checking the cert validity (see previous
> mail in the thread)?
> 
>> In the end we couldn't figure it out, basically had to just give up.
>> 
>> 
>> Maybe one of you could reach out to Endi and he could share some
>> insights.
>> 
>> I'd love to be able to make this work as well but as of now it looks
>> like my only option if I want to upgrade to version 3.3/Centos 7 is
>> well, there is no option….
>> 
>> I'd be happy to share or help in any way.
>> 
>> Jim Richard | PlaceIQ [1] | Systems Administrator |
>> jrichard at placeiq.com | +1 (646) 338-8905
>> 
>> On Feb 19, 2015, at 11:37 AM, Jani West <jwest at iki.fi> wrote:
>> 
>> Hi,
>> 
>> How can I check the cert and test?
>> 
>> I did curl -v -k https://xxx/ca/admin/ca/getDomainXML [2]
>> 
>> According to that the cert has plenty of time left.
>> 
>> On the other hand
>> https://xxx/ca/admin/ca/updateDomainXML [3] is giving the same
>> cert but also HTTP 404.
>> 
>> On 02/19/2015 06:22 PM, Martin Kosek wrote:
>> On 02/19/2015 05:14 PM, Dmitri Pal wrote:
>> On 02/19/2015 10:07 AM, Jani West wrote:
>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS
>> 7.0 with
>> FreeIPA 3.3.3-28 by using replication.
>> 
>> I have prepared replication file and moved it to the new replica
>> server.
>> Configured the firewalld and installed Ipa and other needed
>> packages via yum.
>> 
>> When running "ipa-replica-install --setup-ca -d" the installation
>> will always get stuck on:
>> 
>> 
> ----------------------------------------------------------------------
>> "Configuring certificate server (pki-tomcatd): Estimated time 3
>> minutes 30
>> seconds
>> [2/19]: configuring certificate server instance
>> ipa : DEBUG Starting external process
>> ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>> ipa : DEBUG Process finished, return code=1
>> ipa : DEBUG stdout=Loading deployment configuration from
>> /tmp/tmpHJBhR5.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>> 
>> ipa : DEBUG stderr=pkispawn : WARNING ....... unable to
>> validate security domain user/password through REST interface.
>> Interface not
>> available
>> pkispawn : ERROR ....... Exception from Java Configuration Servlet:
>> Error while updating security domain: java.io.IOException:
>> java.io.IOException: SocketException cannot read on socket
>> 
>> ipa : CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit
>> status 1
>> 
> ----------------------------------------------------------------------
>> 
>> Between the attempts I have cleaned up ipa and pki configurations
>> and deleted the old replication agreement.
>> 
>> Apache logs on old CentOS 6 server have these errors.
>> 
> ----------------------------------------------------------------------
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
>> /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate:
>> -8181
>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181
>> Certificate has
>> expired
>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed:
>> Not
>> accepted by client!?
>> 
> ----------------------------------------------------------------------
>> 
>> Which certificate does this mean? ca.crt has more than five years left.
>> 
>> Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
>> ipa-pki-proxy.conf and there is no obvious reason. Any hints?
>> 
>> Are CA ports accessible on your master? Can you check your FW
>> please?
> 
>  This line makes me think that expired certs may be involved:
> 
>  [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181
> Certificate has
>  expired
> 
>  CCing JanCh who has the best context in this area.
> 
>  --
>  -- Jani West -- jwest at iki.fi -- +358 40 5010914 --
>  -- Liinalahdentie 4 -- 01800 KLAUKKALA -- FINLAND --
> 
>  "I would like Finland to be much more multicultural.
>  Many people come here from elsewhere, but they are not
>  given enough visibility. Somehow we keep them behind the curtains.
>  It is important that Finland becomes open and tolerant.
>  A closed way of thinking is Finland's problem. Perhaps we
>  fear demonstrations like those there have been in Swedish
>  suburbs, and that something terrible will happen.
>  People do not understand that immigrants can also bring
>  a lot of good to Finland. I would hope that the government
>  listens to the whole nation, including people from
>  different cultures. The government should fund and support
>  the internationalisation of Finland more. Parliament could also
>  listen to immigrants more."
> 
>  HS 8.6.2013: Essi, 16 years old, Etu-Töölön lukio.
> 
>  --
>  Manage your subscription for the Freeipa-users mailing list:
>  https://www.redhat.com/mailman/listinfo/freeipa-users [5]
>  Go To http://freeipa.org [6] for more info on the project
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
> 
> Links:
> ------
> [1]
> http://www.google.com/url?q=http%3A%2F%2Fwww.placeiq.com%2F&sa=D&sntz=1&usg=AFrqEzcYjZpDPyqW7feNK9EgLq-c9JlHiw
> [2] https://xxx/ca/admin/ca/getDomainXML
> [3] https://xxx/ca/admin/ca/updateDomainXML
> [4]
> http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates
> [5] https://www.redhat.com/mailman/listinfo/freeipa-users
> [6] http://freeipa.org
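An added example, not from the thread or the FreeIPA project: a small sh script that turns the three checks Jani pasted above (getcert expiry dates, the ipaCert serial in the NSS database, and the serial recorded in the ipara description in LDAP) into pass/fail results. The sample strings are constructed copies of that output and the function names are my own.

```shell
#!/bin/sh
# Added example: parse the three checks from the thread and flag problems.
# The sample strings are constructed to mirror the output quoted above.
SAMPLE_GETCERT='	expires: 2016-11-21 13:40:41 UTC
	expires: 2016-10-30 09:07:12 UTC'
SAMPLE_CERTUTIL='         Serial Number: 31 (0x1f)'
SAMPLE_LDAP='dn: uid=ipara,ou=people,o=ipaca
description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI'

# Count "expires:" lines (getcert list output on stdin) whose UTC timestamp
# is earlier than $1 ("YYYY-MM-DD HH:MM:SS"); this format sorts lexically,
# so expr's string comparison is enough and no date parsing is needed.
count_expired() {
    ref=$1; n=0
    while IFS= read -r line; do
        case $line in *expires:*) ;; *) continue ;; esac
        ts=${line#*expires: }; ts=${ts% UTC}
        if expr "$ts" \< "$ref" >/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Decimal serial of the cert printed by certutil -L (stdin).
nss_serial() {
    while IFS= read -r line; do
        case $line in *"Serial Number:"*)
            s=${line#*Serial Number: }; echo "${s%% *}"; return 0 ;;
        esac
    done
    return 1
}

# Serial recorded for the RA agent in LDAP (stdin): the description
# attribute has the form "2;<serial>;<issuer DN>;<subject DN>".
ra_serial() {
    while IFS= read -r line; do
        case $line in description:*)
            d=${line#description: }; d=${d#*;}; echo "${d%%;*}"; return 0 ;;
        esac
    done
    return 1
}

# The serial in /etc/httpd/alias and the one LDAP holds for ipara must agree
# (the comparison Jani does by hand above).
check_ra_match() { [ "$1" = "$2" ]; }

printf '%s\n' "$SAMPLE_GETCERT" | count_expired '2017-01-01 00:00:00'   # 2
check_ra_match "$(printf '%s\n' "$SAMPLE_CERTUTIL" | nss_serial)" \
    "$(printf '%s\n' "$SAMPLE_LDAP" | ra_serial)" && echo "RA serial matches"
```

On a live master, replace the printf lines with `getcert list`, `certutil -L -d /etc/httpd/alias -n ipaCert` and the ldapsearch command from the thread, and pass `"$(date -u '+%Y-%m-%d %H:%M:%S')"` as the reference timestamp.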
