[Freeipa-users] bug in pki during install of CA replica and workaround/solution - RESOLVED

Les Stott Less at imagine-sw.com
Wed Feb 25 02:14:41 UTC 2015


Have resolved the issues below by completely removing FreeIPA and starting from scratch.

Here is the procedure to completely remove FreeIPA so you can start again. 

# 1. Run the IPA uninstaller first; it tears down the replica/CA pieces it knows about.
ipa-server-install --uninstall
# 2. Delete the IPA certificates it leaves in the httpd NSS database
#    (MYDOMAIN.COM is a placeholder for the realm name).
certutil -d /etc/httpd/alias -D -n "Server-Cert"
certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert
certutil -d /etc/httpd/alias -D -n Signing-Cert
# 3. Remove the IPA, Dogtag PKI and 389-ds packages.
yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 389-ds-base-libs
# 4. Remove the PKI service accounts.
userdel pkisrv
userdel pkiuser
# 5. Remove leftover configuration, data, pid file and logs, then reboot.
rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/ipa /var/log/ipa*
reboot

Now you have a clean slate.

Then the install works as normal for IPA Server, Replica and CA Replica installations.

Hope this saves someone else time in the future.

Regards,

Les
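A check script to confirm the clean slate before re-running the install. This is an added example by the editor, not part of Les's post or of FreeIPA itself: it takes the paths, certificate nicknames, service accounts and port 9445 from the procedure above, and on its own assumption also checks /var/lib/ipa, /etc/dirsrv and /var/lib/dirsrv, since a 389-ds instance and the IPA data directory can survive an uninstall and are not in the post's rm list. The point is not just tidiness: a surviving /var/lib/pki-ca/alias or an un-cleaned /etc/httpd/alias NSS database still holds the old CA and server private keys, which is exactly what a fresh install must not inherit. The root-prefix argument exists so the path checks can be exercised against a scratch tree; the nickname check parses `certutil -L` output from stdin for the same reason.

```shell
#!/bin/sh
# ipa-clean-check.sh: verify nothing from a previous FreeIPA / pki-ca install is left.
# Editor's example, not from the original post. Paths, nicknames, accounts and port
# come from the post; /var/lib/ipa, /etc/dirsrv and /var/lib/dirsrv are added on the
# assumption that a 389-ds instance and IPA data dir may also survive the uninstall.

IPA_RESIDUE_PATHS="/etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/sysconfig/pki-ca
/etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/certmonger /etc/ipa
/var/lib/ipa /etc/dirsrv /var/lib/dirsrv"
IPA_RESIDUE_USERS="pkisrv pkiuser"
IPA_RESIDUE_PORT=9445

# Print paths that still exist under root prefix $1 ("" = live system).
# Returns 0 when nothing is left, 1 otherwise.
ipa_leftover_paths() {
    root=${1:-}; found=0
    for p in $IPA_RESIDUE_PATHS; do
        if [ -e "$root$p" ]; then echo "leftover: $root$p"; found=1; fi
    done
    return $found
}

# An NSS database (cert8.db/key3.db or cert9.db/key4.db) inside any leftover path,
# or its alias/ subdirectory, means old certificate or private-key material survived.
ipa_leftover_nssdb() {
    root=${1:-}; found=0
    for p in $IPA_RESIDUE_PATHS; do
        for db in cert8.db key3.db cert9.db key4.db; do
            if [ -f "$root$p/$db" ] || [ -f "$root$p/alias/$db" ]; then
                echo "stale NSS db: $root$p ($db)"; found=1
            fi
        done
    done
    return $found
}

# Report PKI service accounts that still exist. Returns 1 if any do.
ipa_leftover_users() {
    found=0
    for u in $IPA_RESIDUE_USERS; do
        if getent passwd "$u" >/dev/null 2>&1; then echo "leftover user: $u"; found=1; fi
    done
    return $found
}

# Read `certutil -d /etc/httpd/alias -L` output on stdin; print the IPA nicknames
# from the post (Server-Cert, ipaCert, Signing-Cert, "<REALM> IPA CA") that are
# still present. Returns 1 if any are found, 0 if the database is clean of them.
ipa_nicknames_left() {
    awk '
        BEGIN { n = 0 }
        /^Certificate Nickname/ || /^[ \t]*$/ || /^[ \t]/ { next }
        {
            nick = $0
            # strip the trailing trust-flag column (e.g. "u,u,u", "CT,C,C", ",,")
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "", nick)
            if (nick == "Server-Cert" || nick == "ipaCert" || nick == "Signing-Cert" || nick ~ / IPA CA$/) {
                print nick; n++
            }
        }
        END { if (n) exit 1; exit 0 }'
}

# Returns 0 if something is still listening on TCP port $1 (uses ss, else netstat).
ipa_port_in_use() {
    port=${1:-$IPA_RESIDUE_PORT}
    if command -v ss >/dev/null 2>&1; then lister="ss -ltn"; else lister="netstat -ltn"; fi
    $lister 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" { f = 1 } END { exit f ? 0 : 1 }'
}

# Live run only when invoked as: sh ipa-clean-check.sh check
if [ "${1:-}" = "check" ]; then
    rc=0
    ipa_leftover_paths "" || rc=1
    ipa_leftover_nssdb "" || rc=1
    ipa_leftover_users || rc=1
    if command -v certutil >/dev/null 2>&1 && [ -d /etc/httpd/alias ]; then
        certutil -d /etc/httpd/alias -L | ipa_nicknames_left || rc=1
    fi
    if ipa_port_in_use "$IPA_RESIDUE_PORT"; then echo "port $IPA_RESIDUE_PORT still listening"; rc=1; fi
    [ $rc -eq 0 ] && echo "clean slate"
    exit $rc
fi
```

Run it as root after the reboot: a nonzero exit lists what survived, and anything it reports under /var/lib/pki-ca or in /etc/httpd/alias is old key material that should be destroyed, not just a directory to tidy. `certutil` and the port check are skipped when the tools are absent, so the script can also be run on a host where the packages were already removed.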

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 18 February 2015 6:27 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
> 
> Has anyone got any ideas on the below errors I am now receiving?
> 
> Thanks in advance,
> 
> Les
> 
> > >
> > > I will test this out (update to 3.7.19-260) next week as I've got a
> > > few more CA replicas to set up.
> > >
> >
> > I'm still having issues. Different one this time.
> >
> > As I have previously worked around the install of CA replicas in my
> > Production environment as above, I went to set up CA
> > replication in DR (both environments are completely separate).
> >
> > Having made sure I did a yum update for all packages, including
> > selinux-policy, and also made sure all needed modules were loaded in
> > httpd.conf, I proceeded to retry installation of CA replication. However, it
> > failed with the following:
> >
> > Note: sb2sys01.domain.com is the replica I am trying to install....
> >
> > (abbreviated below)
> >
> > #############################################
> > Attempting to connect to: sb2sys01.domain.com:9445
> > Connected.
> > Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
> > RESPONSE STATUS:  HTTP/1.1 200 OK
> > RESPONSE HEADER:  Server: Apache-Coyote/1.1
> > RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> > RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
> > RESPONSE HEADER:  Connection: close
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!-- BEGIN COPYRIGHT BLOCK
> >
> >      END COPYRIGHT BLOCK -->
> > <response>
> >   <panel>admin/console/config/restorekeycertpanel.vm</panel>
> >   <res/>
> >   <updateStatus>failure</updateStatus>
> >   <password/>
> >   <errorString>The pkcs12 file is not correct.</errorString>
> >   <size>19</size>
> > Error in RestoreKeyCertPanel(): updateStatus returns failure
> > ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> > ERROR: unable to create CA
> >
> > ############################################
> >
> > In /var/log/pki-ca/catalina.out I see...
> >
> > CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
> > Server is started.
> >
> > Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with
> > a working system).
> >
> > grep DirAclAuthz /etc/pki-ca/CS.cfg
> > authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> > authz.instance.DirAclAuthz.ldap=internaldb
> > authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> > authz.instance.DirAclAuthz.ldap._000=##
> > authz.instance.DirAclAuthz.ldap._001=## Internal Database
> > authz.instance.DirAclAuthz.ldap._002=##
> > authz.instance.DirAclAuthz.ldap.basedn=
> > authz.instance.DirAclAuthz.ldap.maxConns=15
> > authz.instance.DirAclAuthz.ldap.minConns=3
> > authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> > authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> > authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> > authz.instance.DirAclAuthz.ldap.ldapconn.host=
> > authz.instance.DirAclAuthz.ldap.ldapconn.port=
> > authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
> > authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
> >
> > The CA cert looks ok to me on the master. It does get copied to the
> > replica in /usr/share/ipa/html/ca.crt
> >
> > I don't see any errors in httpd error or access logs on the master or
> > the intended replica.
> >
> > The ipa-pki-proxy.conf config has the profilesubmit section.
> >
> > # matches for ee port
> > <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
> >
> > I can confirm that pki-cad does start (but is unconfigured) and that
> > it does listen on port 9445.
> >
> > # netstat -apn |grep 9445
> > tcp        0      0 :::9445                     :::*                        LISTEN      31264/java
> > # service pki-cad status
> > pki-ca (pid 31264) is running...                           [  OK  ]
> >     'pki-ca' must still be CONFIGURED!
> >     (see /var/log/pki-ca-install.log)
> >
> > I am not sure what to try next.
> >
> > Appreciate any help to get over this error.
> >
> > Thanks,
> >
> > Les
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
