[Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

Petr Vobornik pvoborni at redhat.com
Fri Sep 9 13:09:25 UTC 2016


On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:
> 
>>> Yes, I have followed
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>
>>> to the letter.
>>> The only reason I had to recreate the cacert.p12 file is because it
>>> is not renewed automatically in v3, so the cacert.p12 was outdated and
>>> the CA was throwing a "p12 invalid digest" error.
>>>
>>>    * I opened all necessary ports
>>>    * I checked all certs and they are valid for another year
>>>
>>>
>>> Run connection check to master
>>> Check connection from replica to remote master 'ipa-server.nelios':
>>>    Directory Service: Unsecure port (389): OK
>>>    Directory Service: Secure port (636): OK
>>>    Kerberos KDC: TCP (88): OK
>>>    Kerberos Kpasswd: TCP (464): OK
>>>    HTTP Server: Unsecure port (80): OK
>>>    HTTP Server: Secure port (443): OK
>>>    PKI-CA: Directory Service port (7389): OK
>>>
>>> The following list of ports use UDP protocol and would need to be
>>> checked manually:
>>>    Kerberos KDC: UDP (88): SKIPPED
>>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>> Connection from replica to master is OK.
>>> Start listening on required ports for remote master check
>>> Get credentials to log in to remote master
>>> Check SSH connection to remote master
>>> Execute check on remote master
>>> Check connection from master to remote replica 'ipa2-server2.nelios':
>>>    Directory Service: Unsecure port (389): OK
>>>    Directory Service: Secure port (636): OK
>>>    Kerberos KDC: TCP (88): OK
>>>    Kerberos KDC: UDP (88): OK
>>>    Kerberos Kpasswd: TCP (464): OK
>>>    Kerberos Kpasswd: UDP (464): OK
>>>    HTTP Server: Unsecure port (80): OK
>>>    HTTP Server: Secure port (443): OK
>>>
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>>
>>> Even with a fresh install of CentOS 7 with a different hostname and IP
>>> I still get the error below.
>>>
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3
>>> minutes 30 seconds
>>>     [1/24]: creating certificate server user
>>>     [2/24]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
>>> configure CA
>>> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
>>> returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
>>> installation logs
>>> and the following files/directories for more information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki/pki-tomcat
>>>     [error] RuntimeError: CA configuration failed.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
>>> configuration failed.
>>>
>>> With debug enabled I get:
>>>
>>> pa         : DEBUG    Starting external process
>>> ipa         : DEBUG    args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>> '/tmp/tmpwY8XjR'
>>> ipa         : DEBUG    Process finished, return code=1
>>> ipa         : DEBUG    stdout=Log file:
>>> /var/log/pki/pki-ca-spawn.20160909044214.log
>>> Loading deployment configuration from /tmp/tmpwY8XjR.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>
>>> Installation failed.
>>>
>>>
>>> ipa         : DEBUG
>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>>> certificate verification is strongly advised. See:
>>> https://urllib3.readthedocs.org/en/latest/security.html
>>>     InsecureRequestWarning)
>>> pkispawn    : WARNING  ....... unable to validate security domain
>>> user/password
>>> through REST interface. Interface not available
>>> pkispawn    : ERROR    ....... Exception from Java Configuration
>>> Servlet: 500
>>> Server Error: Internal Server Error
>>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid
>>> token): line
>>> 1, column 0:
>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
>>>
>>> to obtain installation token from security domain"}
>>>
>>>
>>> Is there a way to validate the replica .gpg file from a v3
>>> installation against a v4.2 FreeIPA installation to check for any
>>> errors before going through the ipa-replica-install?
>>> The ipa-replica-install completes if I don't include the --setup-ca
>>> flag, but I don't want that.
>>>
>> There is no automatic method to verify the replica file.
>>
>> Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug,
>> plus a couple of lines before and after?
>>
>>
> 
> Contents  of /var/log/pki/pki-tomcat/ca/debug:
> 
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
> SystemConfigResource.configure()
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
> content-type: application/json
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
> accept: [application/json]
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
> request format: application/json
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
> response format: application/json
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: SystemConfigService:
> configure()
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: SystemConfigService:
> request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage
> Token, tokenPassword=XXXX, securityDomainType=existingdomain,
> securityDomainUri=https://ipa-server.nelios:443,
> securityDomainName=null, securityDomainUser=admin,
> securityDomainPassword=XXXX, isClone=true,
> cloneUri=https://ipa-server.nelios:443, subsystemName=CA
> ipa2-server2.nelios 8443, p12File=/tmp/ca.p12, p12Password=XXXX,
> hierarchy=root, dsHost=ipa2-server2.nelios, dsPort=389, baseDN=o=ipaca,
> bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca,
> secureConn=false, removeData=true, replicateSchema=false,
> masterReplicationPort=7389, cloneReplicationPort=389,
> replicationSecurity=TLS,
> systemCerts=[com.netscape.certsrv.system.SystemCertData at 434a841],
> issuingCA=https://ipa-server.nelios:443, backupKeys=true,
> backupPassword=XXXX,
> backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null,
> adminPassword=XXXX, adminEmail=null, adminCertRequest=null,
> adminCertRequestType=null, adminSubjectDN=null, adminName=null,
> adminProfileID=null, adminCert=null, importAdminCert=false,
> generateServerCert=true, external=false, standAlone=false,
> stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
> authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
> enableServerSideKeyGen=null, importSharedSecret=null,
> generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null,
> createNewDB=true, setupReplication=True, subordinateSecurityDomainNamenull]
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: === Token Panel ===
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: === Security Domain Panel ===
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Joining existing security
> domain
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Resolving security domain
> URLhttps://ipa-server.nelios:443
> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Getting security domain
> cert chain
> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting install token
> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting install token
> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting old cookie
> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Token: null
> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Install token is null
> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Failed to obtain
> installation token from security domain
> 
> I assume the null token is the perpetrator? If yes, what should I fix
> on the master?
> 

I don't know this part much, so I'm CCing the PKI experts, also to
figure out whether there is anything to fix on the IPA or PKI side.

Endi, Matthew,

do I understand it correctly that, to obtain the token, it contacts the
master server with
   pki_security_domain_user == admin
   pki_security_domain_password == whatever was provided to ipa-replica-install

pki_security_domain_user matches uid=admin,ou=people,o=ipaca, which has a
password that was set during ipa-server-install (and thus pkisilent) on
the original 6.x server.

Therefore, if the admin password changed between these two installations,
will it fail to obtain the cookie? (guessing that a wrong credential might
be the reason)
-- 
Petr Vobornik
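To decode the two logs quoted above (the JSON PKIException body that pkispawn tried to parse as XML, and the CA debug lines that show the install token coming back null), here is an added Python helper; it is not code from the thread, FreeIPA or Dogtag, the sample inputs are constructed from the quoted output, and the XML field names are assumed to mirror the JSON keys shown on the page.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the JSON body quoted in the thread, joined onto one line.
SAMPLE_JSON = ('{"Attributes":{"Attribute":[]},"ClassName":'
               '"com.netscape.certsrv.base.PKIException","Code":500,"Message":'
               '"Failed to obtain installation token from security domain"}')

# Constructed sample: abbreviated lines from /var/log/pki/pki-tomcat/ca/debug.
SAMPLE_DEBUG = """\
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, securityDomainUri=https://ipa-server.nelios:443, securityDomainUser=admin, isClone=true]
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Token: null
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Install token is null
""".splitlines()


def parse_pki_exception(body):
    """Decode a PKIException body whether the servlet answered in XML or JSON.

    pkispawn in the thread fed a JSON body to its XML parser and raised
    ParseError, which hid the real message. XML element names are assumed
    to mirror the JSON keys (ClassName, Code, Message).
    """
    text = body.strip()
    if text.startswith('<'):
        root = ET.fromstring(text)
        return {'class': root.findtext('ClassName'),
                'code': int(root.findtext('Code') or 0),
                'message': root.findtext('Message')}
    data = json.loads(text)  # raises ValueError if it is neither XML nor JSON
    return {'class': data.get('ClassName'),
            'code': int(data.get('Code') or 0),
            'message': data.get('Message')}


def find_token_failure(lines):
    """Correlate the CA debug log: which security domain user and URI the
    clone used, and whether the install token came back null."""
    info = {'user': None, 'uri': None, 'token_null': False}
    for line in lines:
        m = re.search(r'securityDomainUser=([^,\]]+)', line)
        if m:
            info['user'] = m.group(1)
        m = re.search(r'securityDomainUri=([^,\]]+)', line)
        if m:
            info['uri'] = m.group(1)
        if 'Install token is null' in line:
            info['token_null'] = True
    return info
```

Run against the real /var/log/pki/pki-tomcat/ca/debug to confirm which security domain user and URI the clone is presenting to the master before checking that account's password there.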



