[Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

Georgios Kafataridis g.kafataridis at nelios.com
Fri Sep 9 19:46:57 UTC 2016


I've tried that but still the same result.

[root at ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object


On Fri, Sep 9, 2016 at 6:04 PM, Petr Vobornik <pvoborni at redhat.com> wrote:

> On 09/09/2016 04:24 PM, Giorgos Kafataridis wrote:
> >
> >
> > On 09/09/2016 04:09 PM, Petr Vobornik wrote:
> >> On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:
> >>>>> Yes, I have followed
> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_
> Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_
> Guide/upgrading.html
> >>>>>
> >>>>> to the letter.
> >>>>> The only reason I had to recreate the cacert.p12 file is because it
> >>>>> is not
> >>>>> renewed automatically in v3, so the cacert.p12 was outdated and the
> >>>>> CA was
> >>>>> throwing an "p12 invalid digest" error.
> >>>>>
> >>>>>     * I opened all necessary ports
> >>>>>     * I checked all certs and they are valid for another year
> >>>>>
> >>>>>
> >>>>> Run connection check to master
> >>>>> Check connection from replica to remote master 'ipa-server.nelios':
> >>>>>    Directory Service: Unsecure port (389): OK
> >>>>>    Directory Service: Secure port (636): OK
> >>>>>    Kerberos KDC: TCP (88): OK
> >>>>>    Kerberos Kpasswd: TCP (464): OK
> >>>>>    HTTP Server: Unsecure port (80): OK
> >>>>>    HTTP Server: Secure port (443): OK
> >>>>>    PKI-CA: Directory Service port (7389): OK
> >>>>>
> >>>>> The following list of ports use UDP protocol and would need to be
> >>>>> checked manually:
> >>>>>    Kerberos KDC: UDP (88): SKIPPED
> >>>>>    Kerberos Kpasswd: UDP (464): SKIPPED
> >>>>>
> >>>>> Connection from replica to master is OK.
> >>>>> Start listening on required ports for remote master check
> >>>>> Get credentials to log in to remote master
> >>>>> Check SSH connection to remote master
> >>>>> Execute check on remote master
> >>>>> Check connection from master to remote replica 'ipa2-server2.nelios':
> >>>>>    Directory Service: Unsecure port (389): OK
> >>>>>    Directory Service: Secure port (636): OK
> >>>>>    Kerberos KDC: TCP (88): OK
> >>>>>    Kerberos KDC: UDP (88): OK
> >>>>>    Kerberos Kpasswd: TCP (464): OK
> >>>>>    Kerberos Kpasswd: UDP (464): OK
> >>>>>    HTTP Server: Unsecure port (80): OK
> >>>>>    HTTP Server: Secure port (443): OK
> >>>>>
> >>>>> Connection from master to replica is OK.
> >>>>>
> >>>>> Connection check OK
> >>>>>
> >>>>> Even with a fresh install of CentOS 7 with a different hostname and IP,
> >>>>> I still get the error below
> >>>>>
> >>>>> Configuring certificate server (pki-tomcatd). Estimated time: 3
> >>>>> minutes 30 seconds
> >>>>>      [1/24]: creating certificate server user
> >>>>>      [2/24]: configuring certificate server instance
> >>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> >>>>> configure CA
> >>>>> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpbMwmp_''
> >>>>> returned non-zero exit status 1
> >>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> >>>>> installation logs
> >>>>> and the following files/directories for more information:
> >>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> >>>>> /var/log/pki-ca-install.log
> >>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> >>>>> /var/log/pki/pki-tomcat
> >>>>>      [error] RuntimeError: CA configuration failed.
> >>>>> Your system may be partly configured.
> >>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>>>
> >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
> >>>>> configuration failed.
> >>>>>
> >>>>> With debug enabled I get:
> >>>>>
> >>>>> ipa         : DEBUG    Starting external process
> >>>>> ipa         : DEBUG    args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> >>>>> '/tmp/tmpwY8XjR'
> >>>>> ipa         : DEBUG    Process finished, return code=1
> >>>>> ipa         : DEBUG    stdout=Log file:
> >>>>> /var/log/pki/pki-ca-spawn.20160909044214.log
> >>>>> Loading deployment configuration from /tmp/tmpwY8XjR.
> >>>>> Installing CA into /var/lib/pki/pki-tomcat.
> >>>>> Storing deployment configuration into
> >>>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >>>>>
> >>>>> Installation failed.
> >>>>>
> >>>>>
> >>>>> ipa         : DEBUG
> >>>>> stderr=/usr/lib/python2.7/site-packages/urllib3/
> connectionpool.py:769:
> >>>>> InsecureRequestWarning: Unverified HTTPS request is being made.
> Adding
> >>>>> certificate verification is strongly advised. See:
> >>>>> https://urllib3.readthedocs.org/en/latest/security.html
> >>>>>      InsecureRequestWarning)
> >>>>> pkispawn    : WARNING  ....... unable to validate security domain
> >>>>> user/password
> >>>>> through REST interface. Interface not available
> >>>>> pkispawn    : ERROR    ....... Exception from Java Configuration
> >>>>> Servlet: 500
> >>>>> Server Error: Internal Server Error
> >>>>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid
> >>>>> token): line
> >>>>> 1, column 0:
> >>>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.
> certsrv.base.PKIException","Code":500,"Message":"Failed
> >>>>>
> >>>>> to obtain installation token from security domain"}
> >>>>>
> >>>>>
> >>>>> Is there a way to validate the replica .gpg file from a v3
> >>>>> installation against
> >>>>> a v4.2 freeipa installation to check for any errors before going
> >>>>> through the
> >>>>> ipa-replica-install?
> >>>>> The ipa-replica-install completes if I don't include the --setup-ca
> >>>>> flag but I
> >>>>> don't want that
> >>>>>
> >>>> There is no automatic method to verify the replica file.
> >>>>
> >>>> Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug
> +
> >>>> couple lines before and after?
> >>>>
> >>>>
> >>> Contents  of /var/log/pki/pki-tomcat/ca/debug:
> >>>
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]:
> MessageFormatInterceptor:
> >>> SystemConfigResource.configure()
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]:
> MessageFormatInterceptor:
> >>> content-type: application/json
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]:
> MessageFormatInterceptor:
> >>> accept: [application/json]
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]:
> MessageFormatInterceptor:
> >>> request format: application/json
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]:
> MessageFormatInterceptor:
> >>> response format: application/json
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: SystemConfigService:
> >>> configure()
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: SystemConfigService:
> >>> request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage
> >>> Token, tokenPassword=XXXX, securityDomainType=existingdomain,
> >>> securityDomainUri=https://ipa-server.nelios:443,
> >>> securityDomainName=null, securityDomainUser=admin,
> >>> securityDomainPassword=XXXX, isClone=true,
> >>> cloneUri=https://ipa-server.nelios:443, subsystemName=CA
> >>> ipa2-server2.nelios 8443, p12File=/tmp/ca.p12, p12Password=XXXX,
> >>> hierarchy=root, dsHost=ipa2-server2.nelios, dsPort=389, baseDN=o=ipaca,
> >>> bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca,
> >>> secureConn=false, removeData=true, replicateSchema=false,
> >>> masterReplicationPort=7389, cloneReplicationPort=389,
> >>> replicationSecurity=TLS,
> >>> systemCerts=[com.netscape.certsrv.system.SystemCertData at 434a841],
> >>> issuingCA=https://ipa-server.nelios:443, backupKeys=true,
> >>> backupPassword=XXXX,
> >>> backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12,
> adminUID=null,
> >>> adminPassword=XXXX, adminEmail=null, adminCertRequest=null,
> >>> adminCertRequestType=null, adminSubjectDN=null, adminName=null,
> >>> adminProfileID=null, adminCert=null, importAdminCert=false,
> >>> generateServerCert=true, external=false, standAlone=false,
> >>> stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
> >>> authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
> >>> enableServerSideKeyGen=null, importSharedSecret=null,
> >>> generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null,
> >>> createNewDB=true, setupReplication=True, subordinateSecurityDomainName=null]
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: === Token Panel ===
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: === Security Domain
> Panel ===
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Joining existing
> security
> >>> domain
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Resolving security
> domain
> >>> URLhttps://ipa-server.nelios:443
> >>> [09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Getting security domain
> >>> cert chain
> >>> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting install token
> >>> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting install token
> >>> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting old cookie
> >>> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Token: null
> >>> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Install token is null
> >>> [09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Failed to obtain
> >>> installation token from security domain
> >>>
> >>> I assume the null token is the perpetrator? If yes, what should I fix
> >>> on master?
> >>>
> >> I don't know this part much. Therefore CCing PKI experts - in addition
> >> to figure out if there is anything to fix on IPA or PKI side.
> >>
> >> Endi, Matthew,
> >>
> >> do I understand it correctly that for obtaining the token, it contacts
> >> master server with
> >>     pki_security_domain_user == admin
> >>     pki_security_domain_password == whatever provided in
> ipa-replica-install
> >>
> >> pki_security_domain_user matches uid=admin,ou=people,o=ipaca which has a
> >> password which was set during ipa-server-install(and thus pkisilent) on
> >> original 6.x server.
> >>
> >> Therefore if the admin password changed between these two installations then
> >> it will fail to obtain the cookie? (guessing that a wrong credential might be
> >> the reason)
> >
> >
> > If I look for uid=admin,ou=people,o=ipaca on  master (ipa v3, centos
> 6.x) this
> > is what I get:
> >
> > [root at ipa-server ~]# ldapsearch -D "cn=directory manager" -W -p 389 -h
> localhost
> > -b "uid=admin,ou=people,o=ipaca,dc=nelios"
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <uid=admin,ou=people,o=ipaca,dc=nelios> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # search result
> > search: 2
> > result: 32 No such object
> > matchedDN: dc=nelios
> >
> > # numResponses: 1
> >
> > The LDAP manager password seems to be correct as I used it more than once in
> > the last few days to remove the failing replicas.
> >
>
> You search for the wrong DN:
>   uid=admin,ou=people,o=ipaca,dc=nelios
> instead of:
>   uid=admin,ou=people,o=ipaca
>
> --
> Petr Vobornik
>
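The thread turns on reading `ldapsearch` results correctly: an LDAP result code 32 (noSuchObject) says the search *base* does not exist, and the optional `matchedDN` names the deepest ancestor of that base the server does hold, which is how Petr could tell from `matchedDN: dc=nelios` that `o=ipaca` is not under `dc=nelios`. The following parser is an added example, not code from the thread or from FreeIPA/Dogtag; the three inputs are constructed, modelled on the outputs quoted above plus a successful search, and the "no matchedDN" interpretation is this editor's reading of 389-ds behaviour: when the base falls under no suffix the instance serves at all, no ancestor can be reported. That is worth keeping in mind on a v3 (CentOS 6) master, where the CA's `o=ipaca` tree lives in the separate PKI-CA directory instance on port 7389 (the port the connection check above lists), not in the IPA instance on port 389.

```python
"""Parse ldapsearch LDIF output and explain a 'No such object' result.

Added example (not from the thread). Reads the text ldapsearch prints and
turns the result code plus matchedDN into a diagnosis of the search base.
"""
import re

# Constructed samples, modelled on the outputs quoted in the thread.
SEARCH_WITH_SUFFIX_TYPO = """\
# base <uid=admin,ou=people,o=ipaca,dc=nelios> with scope subtree
# filter: (objectclass=*)

# search result
search: 2
result: 32 No such object
matchedDN: dc=nelios

# numResponses: 1
"""

SEARCH_NO_MATCH = """\
# base <uid=admin,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)

# search result
search: 2
result: 32 No such object
"""

SEARCH_FOUND = """\
# base <uid=admin,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)

# admin, people, ipaca
dn: uid=admin,ou=people,o=ipaca
objectClass: top
objectClass: person
uid: admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

BASE_RE = re.compile(r"^# base <(?P<base>[^>]*)> with scope", re.M)
RESULT_RE = re.compile(r"^result: (?P<code>\d+) (?P<text>.*)$", re.M)
MATCHED_RE = re.compile(r"^matchedDN: (?P<dn>.*)$", re.M)
DN_RE = re.compile(r"^dn: (?P<dn>.*)$", re.M)


def parse_ldapsearch(text):
    """Return the search base, result code/text, matchedDN and entry DNs."""
    base = BASE_RE.search(text)
    result = RESULT_RE.search(text)
    matched = MATCHED_RE.search(text)
    return {
        "base": base.group("base") if base else None,
        "code": int(result.group("code")) if result else None,
        "text": result.group("text").strip() if result else None,
        "matched_dn": matched.group("dn").strip() if matched else None,
        "entries": DN_RE.findall(text),
    }


def diagnose(parsed):
    """Explain what the result code means for the base DN that was searched."""
    code, base, matched = parsed["code"], parsed["base"], parsed["matched_dn"]
    n = len(parsed["entries"])
    if code == 0:
        return "found %d entr%s under %s" % (n, "y" if n == 1 else "ies", base)
    if code != 32:
        return "result %s (%s) for base %s" % (code, parsed["text"], base)
    idx = base.lower().rfind(matched.lower()) if matched else -1
    if idx > 0:
        # The server resolved the base only as far as matchedDN, so the RDNs
        # to the left of it do not exist on this server (the thread's
        # ",dc=nelios" case: o=ipaca is its own suffix, not under dc=nelios).
        missing = base[:idx].rstrip(", ")
        return "base %s does not exist; only %s exists, so '%s' is wrong" % (
            base, matched, missing)
    # No usable matchedDN: no suffix served by this instance contains the
    # base, so check that you queried the right directory instance (host/port).
    return "base %s is not under any suffix served by this directory instance" % base


if __name__ == "__main__":
    import sys
    # Usage: ldapsearch -x ... -b "<base>" | python3 ldap_diag.py
    print(diagnose(parse_ldapsearch(sys.stdin.read())))
```

Pipe a real `ldapsearch` run into the script to get the one-line verdict; the parser only needs the `# base` comment, the `result:` line and, when present, `matchedDN:`, which every OpenLDAP-client `ldapsearch` prints.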