[Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
Guillermo Fuentes
guillermo.fuentes at modernizingmedicine.com
Tue Jul 28 23:47:36 UTC 2015
Hi all,
We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).
Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
when accessing the GUI, we installed a 3rd part certificate for https:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
replicas but we're having problems cloning the CA from the 3.0 master.
This is our current environment:
master1 and master2:
CentOS 6.6 (up to date)
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.11.6-30.el6_6.4.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-selinux-9.0.3-39.el6_6.noarch
pki-common-9.0.3-39.el6_6.noarch
pki-native-tools-9.0.3-39.el6_6.x86_64
pki-setup-9.0.3-39.el6_6.noarch
pki-util-9.0.3-39.el6_6.noarch
pki-symkey-9.0.3-39.el6_6.x86_64
pki-ca-9.0.3-39.el6_6.noarch
pki-java-tools-9.0.3-39.el6_6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-silent-9.0.3-39.el6_6.noarch
replica1 and replica2:
CentOS 7.1 (up to date)
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
pki-server-10.1.2-7.el7.noarch
krb5-pkinit-1.12.2-14.el7.x86_64
pki-base-10.1.2-7.el7.noarch
pki-ca-10.1.2-7.el7.noarch
pki-symkey-10.1.2-7.el7.x86_64
pki-tools-10.1.2-7.el7.x86_64
# ipa-replica-manage list
master1.example.com: master
master2.example.com: master
replica1.example.com: master
replica2.example.com.com: master
# ipa-csreplica-manage list
Directory Manager password:
replica1.example.com: CA not configured
master1.example.com: master
master2.example.com: master
replica2.example.com: CA not configured
When trying to install the CA on replica1 to do the migration:
ipa-ca-install --skip-conncheck --skip-schema-check
/var/lib/ipa/replica-info-replica1.example.com.gpg
we're getting the following error in the
/var/log/ipareplica-ca-install.log file:
...
2015-07-28T21:25:14Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-07-28T21:25:14Z DEBUG Starting external process
2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmp2ON_ql'
2015-07-28T21:25:51Z DEBUG Process finished, return code=1
2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
from /tmp/tmp2ON_ql.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2015-07-28T21:25:51Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: Failed to obtain configuration entries from the master for
cloning java.io.IOException: Error: Not authorized
2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
non-zero exit status 1
2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 673, in __spawn_instance
raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
...
>From /var/log/pki/pki-ca-spawn.20150728172515.log:
...
2015-07-28 17:25:16 pkispawn : INFO ....... executing 'certutil
-N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
2015-07-28 17:25:16 pkispawn : INFO ....... executing
'systemctl daemon-reload'
2015-07-28 17:25:16 pkispawn : INFO ....... executing
'systemctl start pki-tomcatd at pki-tomcat.service'
2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection -
server may still be down
2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection -
server may still be down
2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection -
server may still be down
2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection -
server may still be down
2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(111, 'Connection
refused'))
2015-07-28 17:25:46 pkispawn : DEBUG ........... <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.2-7.el7</Version></XMLResponse>
2015-07-28 17:25:47 pkispawn : INFO ....... constructing PKI
configuration data.
2015-07-28 17:25:47 pkispawn : INFO ....... configuring PKI
configuration data.
2015-07-28 17:25:51 pkispawn : ERROR ....... Exception from Java
Configuration Servlet: Failed to obtain configuration entries from the
master for cloning java.io.IOException: Error: Not authorized
2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Type: HTTPError
2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Message: 500
Server Error: Internal Server Error
2015-07-28 17:25:51 pkispawn : DEBUG ....... File
"/usr/sbin/pkispawn", line 463, in main
rv = instance.spawn(deployer)
File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 126, in spawn
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 3211, in configure_pki_data
response = client.configure(data)
File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
r = self.connection.post('/rest/installer/configure', data, headers)
File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
r.raise_for_status()
File "/usr/lib/python2.7/site-packages/requests/models.py", line
834, in raise_for_status
raise HTTPError(http_error_msg, response=self)
...
>From /var/log/pki/pki-tomcat/ca/debug:
...
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService():
configure() called
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest
[pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX,
securityDomainType=existingdomain,
securityDomainUri=https://master1.example.com:443,
securityDomainName=null, securityDomainUser=admin,
securityDomainPassword=XXXX, isClone=true,
cloneUri=https://master1.example.com:443, subsystemName=CA
replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX,
hierarchy=root, dsHost=replica1.example.com, dsPort=389,
baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX,
database=ipaca, secureConn=false, removeData=true,
replicateSchema=False, masterReplicationPort=7389,
cloneReplicationPort=389, replicationSecurity=TLS,
systemCerts=[com.netscape.certsrv.system.SystemCertData at ac5b61d],
issuingCA=https://master1.example.com:443, backupKeys=true,
backupPassword=XXXX,
backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12,
adminUID=null, adminPassword=XXXX, adminEmail=null,
adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null,
adminName=null, adminProfileID=null, adminCert=null,
importAdminCert=false, generateServerCert=true, standAlone=false,
stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
enableServerSideKeyGen=null, importSharedSecret=null]
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel ===
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML:
domainInfo=<?xml version="1.0" encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>master1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>master2.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname: <master1.example.com>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http
content=type=request&xmlOutput=true&sessionID=4266586385374846691
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start
host=master1.example.com adminPort=443 eePort=443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
content is null.
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
Failed to contact master using admin portjava.io.IOException: The
server you want to contact is not available
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
Attempting to contact master using EE port
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee
interface =<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>1</Status><Error>Error: Not
authorized</Error></XMLResponse>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange(): status=1
...
Related logs from master1 (/var/log/pki-ca/debug):
...
[28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode,
authorization for servlet: caUpdateNumberRange is LDAP based, not XML
{1}, use default authz mgr: {2}.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done initializing...
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri =
/ca/ee/ca/updateNumberRange
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
name='type' value='request'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
name='xmlOutput' value='true'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
name='sessionID' value='-5799572006108726179'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange
start to service.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing...
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process:
authentication starts
[28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication:
content=sessionID=-5799572006108726179&hostname=10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication
authenticate Exception=org.mozilla.jss.ssl.SSLSocketException:
SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been
marked as not trusted by the user.
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
auditContext {locale=en_US, ipAddress=10.10.2.45,
authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth]
authentication success
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
auditContext {locale=en_US, ipAddress=10.10.2.45,
authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID
auditContext {locale=en_US, ipAddress=10.10.2.45,
authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize...
TokenAuth auditSubjectID unavailable, changing to auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry
expressions= group="Enterprise CA Administrators" || group="Enterprise
KRA Administrators" || group="Enterprise RA Administrators" ||
group="Enterprise OCSP Administrators" || group="Enterprise TKS
Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions:
group="Enterprise CA Administrators" || group="Enterprise KRA
Administrators" || group="Enterprise RA Administrators" ||
group="Enterprise OCSP Administrators" || group="Enterprise TKS
Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise CA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise KRA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise RA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise OCSP Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
group="Enterprise TKS Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify]
authorization failure
...
Do you guys know which certificate is the one that's failing and where
else to look at to fix this problem?
Thanks so much for any help you can provide!
Guillermo
More information about the Freeipa-users
mailing list