[Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

David Kupka dkupka at redhat.com
Wed Jul 29 13:13:48 UTC 2015


On 29/07/15 01:47, Guillermo Fuentes wrote:
> Hi all,
>
> We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).
>
> Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
> when accessing the GUI, we installed a 3rd party certificate for https:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
> replicas but we're having problems cloning the CA from the 3.0 master.
>
> This is our current environment:
> master1 and master2:
> CentOS 6.6 (up to date)
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-server-3.0.0-42.el6.centos.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.11.6-30.el6_6.4.x86_64
> device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
> pki-selinux-9.0.3-39.el6_6.noarch
> pki-common-9.0.3-39.el6_6.noarch
> pki-native-tools-9.0.3-39.el6_6.x86_64
> pki-setup-9.0.3-39.el6_6.noarch
> pki-util-9.0.3-39.el6_6.noarch
> pki-symkey-9.0.3-39.el6_6.x86_64
> pki-ca-9.0.3-39.el6_6.noarch
> pki-java-tools-9.0.3-39.el6_6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-silent-9.0.3-39.el6_6.noarch
>
>
> replica1 and replica2:
> CentOS 7.1 (up to date)
> ipa-client-4.1.0-18.el7.centos.3.x86_64
> libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-admintools-4.1.0-18.el7.centos.3.x86_64
> ipa-server-4.1.0-18.el7.centos.3.x86_64
> ipa-python-4.1.0-18.el7.centos.3.x86_64
> libipa_hbac-1.12.2-58.el7_1.6.x86_64
> pki-server-10.1.2-7.el7.noarch
> krb5-pkinit-1.12.2-14.el7.x86_64
> pki-base-10.1.2-7.el7.noarch
> pki-ca-10.1.2-7.el7.noarch
> pki-symkey-10.1.2-7.el7.x86_64
> pki-tools-10.1.2-7.el7.x86_64
>
>
> # ipa-replica-manage list
> master1.example.com: master
> master2.example.com: master
> replica1.example.com: master
> replica2.example.com.com: master
>
> # ipa-csreplica-manage list
> Directory Manager password:
>
> replica1.example.com: CA not configured
> master1.example.com: master
> master2.example.com: master
> replica2.example.com: CA not configured
>
>
> When trying to install the CA on replica1 to do the migration:
> ipa-ca-install --skip-conncheck --skip-schema-check
> /var/lib/ipa/replica-info-replica1.example.com.gpg
>
> we're getting the following error in the
> /var/log/ipareplica-ca-install.log file:
> ...
> 2015-07-28T21:25:14Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-07-28T21:25:14Z DEBUG Starting external process
> 2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmp2ON_ql'
> 2015-07-28T21:25:51Z DEBUG Process finished, return code=1
> 2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
> from /tmp/tmp2ON_ql.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2015-07-28T21:25:51Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>    InsecureRequestWarning)
> pkispawn    : WARNING  ....... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn    : ERROR    ....... Exception from Java Configuration
> Servlet: Failed to obtain configuration entries from the master for
> cloning java.io.IOException: Error: Not authorized
>
> 2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
> non-zero exit status 1
> 2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 382, in start_creation
>      run_step(full_msg, method)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 372, in run_step
>      method()
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 673, in __spawn_instance
>      raise RuntimeError('Configuration of CA failed')
> RuntimeError: Configuration of CA failed
> ...
>
>
> From /var/log/pki/pki-ca-spawn.20150728172515.log:
> ...
> 2015-07-28 17:25:16 pkispawn    : INFO     ....... executing 'certutil
> -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
> 2015-07-28 17:25:16 pkispawn    : INFO     ....... executing
> 'systemctl daemon-reload'
> 2015-07-28 17:25:16 pkispawn    : INFO     ....... executing
> 'systemctl start pki-tomcatd@pki-tomcat.service'
> 2015-07-28 17:25:16 pkispawn    : DEBUG    ........... No connection -
> server may still be down
> 2015-07-28 17:25:16 pkispawn    : DEBUG    ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:17 pkispawn    : DEBUG    ........... No connection -
> server may still be down
> 2015-07-28 17:25:17 pkispawn    : DEBUG    ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:18 pkispawn    : DEBUG    ........... No connection -
> server may still be down
> 2015-07-28 17:25:18 pkispawn    : DEBUG    ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:19 pkispawn    : DEBUG    ........... No connection -
> server may still be down
> 2015-07-28 17:25:19 pkispawn    : DEBUG    ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:46 pkispawn    : DEBUG    ........... <?xml
> version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.2-7.el7</Version></XMLResponse>
> 2015-07-28 17:25:47 pkispawn    : INFO     ....... constructing PKI
> configuration data.
> 2015-07-28 17:25:47 pkispawn    : INFO     ....... configuring PKI
> configuration data.
> 2015-07-28 17:25:51 pkispawn    : ERROR    ....... Exception from Java
> Configuration Servlet: Failed to obtain configuration entries from the
> master for cloning java.io.IOException: Error: Not authorized
> 2015-07-28 17:25:51 pkispawn    : DEBUG    ....... Error Type: HTTPError
> 2015-07-28 17:25:51 pkispawn    : DEBUG    ....... Error Message: 500
> Server Error: Internal Server Error
> 2015-07-28 17:25:51 pkispawn    : DEBUG    .......   File
> "/usr/sbin/pkispawn", line 463, in main
>      rv = instance.spawn(deployer)
>    File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
> line 126, in spawn
>      json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>    File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
> line 3211, in configure_pki_data
>      response = client.configure(data)
>    File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
>      r = self.connection.post('/rest/installer/configure', data, headers)
>    File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
>      r.raise_for_status()
>    File "/usr/lib/python2.7/site-packages/requests/models.py", line
> 834, in raise_for_status
>      raise HTTPError(http_error_msg, response=self)
> ...
>
> From /var/log/pki/pki-tomcat/ca/debug:
> ...
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService():
> configure() called
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest
> [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX,
> securityDomainType=existingdomain,
> securityDomainUri=https://master1.example.com:443,
> securityDomainName=null, securityDomainUser=admin,
> securityDomainPassword=XXXX, isClone=true,
> cloneUri=https://master1.example.com:443, subsystemName=CA
> replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX,
> hierarchy=root, dsHost=replica1.example.com, dsPort=389,
> baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX,
> database=ipaca, secureConn=false, removeData=true,
> replicateSchema=False, masterReplicationPort=7389,
> cloneReplicationPort=389, replicationSecurity=TLS,
> systemCerts=[com.netscape.certsrv.system.SystemCertData@ac5b61d],
> issuingCA=https://master1.example.com:443, backupKeys=true,
> backupPassword=XXXX,
> backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12,
> adminUID=null, adminPassword=XXXX, adminEmail=null,
> adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null,
> adminName=null, adminProfileID=null, adminCert=null,
> importAdminCert=false, generateServerCert=true, standAlone=false,
> stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
> authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
> enableServerSideKeyGen=null, importSharedSecret=null]
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel ===
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel ===
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML:
> domainInfo=<?xml version="1.0" encoding="UTF-8"
> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>master1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>master2.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname: <master1.example.com>
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443>
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel ===
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http
> content=type=request&xmlOutput=true&sessionID=4266586385374846691
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start
> host=master1.example.com adminPort=443 eePort=443
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
> content is null.
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
> Failed to contact master using admin portjava.io.IOException: The
> server you want to contact is not available
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
> Attempting to contact master using EE port
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee
> interface =<?xml version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>1</Status><Error>Error: Not
> authorized</Error></XMLResponse>
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange(): status=1
> ...
>
>
>
> Related logs from master1 (/var/log/pki-ca/debug):
> ...
> [28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode,
> authorization for servlet: caUpdateNumberRange is LDAP based, not XML
> {1}, use default authz mgr: {2}.
> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done initializing...
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri =
> /ca/ee/ca/updateNumberRange
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
> name='type' value='request'
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
> name='xmlOutput' value='true'
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
> name='sessionID' value='-5799572006108726179'
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange
> start to service.
> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing...
> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process:
> authentication starts
> [28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
> [28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication:
> content=sessionID=-5799572006108726179&hostname=10.10.2.45
> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication
> authenticate Exception=org.mozilla.jss.ssl.SSLSocketException:
> SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been
> marked as not trusted by the user.
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
> auditContext {locale=en_US, ipAddress=10.10.2.45,
> authManagerId=TokenAuth}
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
> subjectID: null
> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth]
> authentication success
>
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
> auditContext {locale=en_US, ipAddress=10.10.2.45,
> authManagerId=TokenAuth}
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
> subjectID: null
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID
> auditContext {locale=en_US, ipAddress=10.10.2.45,
> authManagerId=TokenAuth}
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID: null
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize...
> TokenAuth auditSubjectID unavailable, changing to auditGroupID
> [28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry
> expressions= group="Enterprise CA Administrators" || group="Enterprise
> KRA Administrators" || group="Enterprise RA Administrators" ||
> group="Enterprise OCSP Administrators" || group="Enterprise TKS
> Administrators"
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions:
> group="Enterprise CA Administrators" || group="Enterprise KRA
> Administrators" || group="Enterprise RA Administrators" ||
> group="Enterprise OCSP Administrators" || group="Enterprise TKS
> Administrators"
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise CA Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise KRA Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise RA Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise OCSP Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise TKS Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify]
> authorization failure
> ...
>
> Do you guys know which certificate is the one that's failing and where
> else to look to fix this problem?
>
> Thanks so much for any help you can provide!
>
> Guillermo
>

Hello!

The problem is in the pki-* packages. The old version that is used with 
freeipa-3.0 does not have a REST API and the one that is used in 
freeipa-4.1 does not expect that.
The issue is fixed in pki 10.2.6 but I'm not sure if it is available in 
CentOS yet.


-- 
David Kupka
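A small triage helper for the failure pattern in this thread, added here as an example; it is not code from the thread, from FreeIPA or from Dogtag. It encodes the version diagnosis in the reply as a check over `rpm -q`-style package names (a pki 9 master with no REST interface against a pki 10 replica older than 10.2.6), maps the four log signals quoted above (REST interface unavailable, "Not authorized", the -8172 handshake error on the master, the AUTHZ_FAIL audit event) to what each one indicates, and parses the getDomainXML response so the security domain membership can be read without scrolling through the debug log. The package lines, log lines and XML below are constructed from the ones quoted in the thread and shortened; the signal labels, the `FIXED_IN` constant and all function names are this example's own.

```python
"""Triage helper for a failed FreeIPA CA clone (constructed example)."""
import re
import xml.etree.ElementTree as ET

# Constructed from the package lists quoted in the thread (a subset suffices).
MASTER_PACKAGES = [
    "ipa-server-3.0.0-42.el6.centos.x86_64",
    "pki-ca-9.0.3-39.el6_6.noarch",
    "pki-common-9.0.3-39.el6_6.noarch",
]
REPLICA_PACKAGES = [
    "ipa-server-4.1.0-18.el7.centos.3.x86_64",
    "pki-ca-10.1.2-7.el7.noarch",
    "pki-server-10.1.2-7.el7.noarch",
]
FIXED_IN = (10, 2, 6)  # the pki release the reply names as carrying the fix

# Constructed log excerpts, shortened from the ones quoted in the thread.
SAMPLE_LOG = [
    "pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available",
    "pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning java.io.IOException: Error: Not authorized",
    "[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user.",
    "[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify]",
]

# Constructed from the getDomainXML response quoted in the thread (non-CA lists dropped).
SAMPLE_DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<DomainInfo><Name>IPA</Name><CAList>"
    "<CA><Host>master1.example.com</Host><SecurePort>443</SecurePort><UnSecurePort>80</UnSecurePort>"
    "<Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA>"
    "<CA><Host>master2.example.com</Host><SecurePort>443</SecurePort><UnSecurePort>80</UnSecurePort>"
    "<DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>"
    "<SubsystemCount>2</SubsystemCount></CAList></DomainInfo>"
)

# Signals seen in the thread and what each points at (labels are this example's own).
SIGNALS = [
    ("no-rest-on-master",
     "unable to validate security domain user/password through REST interface",
     "pkispawn found no REST interface on the master (pki 9 has none)"),
    ("clone-not-authorized",
     "Error: Not authorized",
     "the master refused the clone's updateNumberRange request"),
    ("callback-tls-untrusted",
     "SSL_ForceHandshake failed: (-8172)",
     "the master's TokenAuthentication callback to the replica failed: peer certificate issuer not trusted"),
    ("authz-fail",
     "AuditEvent=AUTHZ_FAIL",
     "with no authenticated subject, the clone-configuration ACL evaluated to false"),
]

_PKI_RE = re.compile(r"^pki-(?:ca|server|base|common)-(\d+)\.(\d+)\.(\d+)-")


def pki_version(packages):
    """Return (major, minor, patch) of the first core pki package in the list, or None."""
    for pkg in packages:
        m = _PKI_RE.match(pkg)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def version_findings(master_pkgs, replica_pkgs):
    """Flag the mismatch the reply describes: a pre-10 master has no REST API,
    and a pki 10 replica older than FIXED_IN assumes one when cloning."""
    master, replica = pki_version(master_pkgs), pki_version(replica_pkgs)
    if master is None or replica is None:
        return ["could not determine the pki version on both sides"]
    findings = []
    if master[0] < 10 and replica[0] >= 10 and replica < FIXED_IN:
        findings.append(
            "master runs pki %d.%d.%d (no REST API); replica runs pki %d.%d.%d, "
            "older than %d.%d.%d, and expects one" % (master + replica + FIXED_IN))
    return findings


def triage(log_lines):
    """Map each known signal to (first matching line, meaning)."""
    hits = {}
    for name, needle, meaning in SIGNALS:
        for line in log_lines:
            if needle in line:
                hits[name] = (line.strip(), meaning)
                break
    return hits


def parse_domain_info(xml_text):
    """Summarise the CA subsystems listed in a security-domain XML document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    cas = []
    for ca in root.findall("./CAList/CA"):
        cas.append({
            "host": ca.findtext("Host"),
            "secure_port": int(ca.findtext("SecurePort")),
            "clone": ca.findtext("Clone") == "TRUE",
            "domain_manager": ca.findtext("DomainManager") == "TRUE",
            "subsystem": ca.findtext("SubsystemName"),
        })
    return cas


def report(master_pkgs, replica_pkgs, log_lines, domain_xml):
    """Build a human-readable list of findings from all three sources."""
    out = ["VERSION: " + f for f in version_findings(master_pkgs, replica_pkgs)]
    for name, (_, meaning) in triage(log_lines).items():
        out.append("LOG[%s]: %s" % (name, meaning))
    for ca in parse_domain_info(domain_xml):
        out.append("DOMAIN: %(host)s port=%(secure_port)d clone=%(clone)s "
                   "manager=%(domain_manager)s subsystem=%(subsystem)s" % ca)
    return out


if __name__ == "__main__":
    print("\n".join(report(MASTER_PACKAGES, REPLICA_PACKAGES, SAMPLE_LOG, SAMPLE_DOMAIN_XML)))
```

On a real system the package lists come from `rpm -q pki-ca pki-server` on each host, the log lines from /var/log/ipareplica-ca-install.log, the pkispawn log and the CA debug logs on both sides, and the domain XML from the `domainInfo=` debug line; the version check is the one to run before attempting the clone at all, since the log signals only appear after it has already failed.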



