On 05/05/2012 09:08 PM, Chris Evich wrote:
On 05/05/2012 08:01 PM, Chris Evich wrote:
On 05/04/2012 04:17 PM, Chris Evich wrote:
That makes me think maybe there's just a missing service principal or
something I can add? I'll see if I can remove that request and try
running ipa-replica-prepare again to see if it still gives that error
(systems have been restarted since then). Though any other
suggestions/ideas of what I can try or look at are much appreciated.
Thanks.
Replying to myself again, bad-form, but maybe it'll help someone else if
they have a similar problem....
...cut...
I'm guessing there's something going on with this 'caIPAserviceCert'
thing. Granted I didn't try requesting any certs prior to the update,
however I can click the 'view' button in the web UI on some service
certs from the install, so it was generating them at some point.
Google was kind to me and I found
https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly
confirmed was a problem:
[root@<master> ~]# find /var/lib -name caIPAserviceCert.cfg
/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
[root@<master> ~]# cd /var/lib/pki-ca/profiles/ca/
[root@<master> ca]# ll
total 424
-rw-rw----. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg
-rw-rw----. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg
-rw-rw----. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg
...cut...
-rw-rw----. 1 pkiuser pkiuser 5548 Apr 22 16:42
caInternalAuthServerCert.cfg
-rw-rw----. 1 pkiuser pkiuser 5580 Apr 22 16:42
caInternalAuthSubsystemCert.cfg
-rw-rw----. 1 pkiuser pkiuser 5784 Apr 22 16:42
caInternalAuthTransportCert.cfg
-rw-rw----. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg
...cut...
[root@<master> ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
[root@<master> ca]# fixfiles restore *
[root@<master> ~]# systemctl restart pki-cad@pki-ca.service
certmonger.service ipa.service
(Probably only needed to restart ipa.service) Now generating the cert
works like a champ! with a whole boat-load more stuff showing up in the
debug log:
[root@<replica> ~]# ipa cert-request --principal=imap/<replica
fqdn>@<domain> dovecot.pem.csr
Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE
...blahblahblah...
fXlqt7LmHUSbfg==
Subject: CN=<replica fqdn>,O=<domain>
Issuer: CN=Certificate Authority,O=<domain>
Not Before: Sun May 06 01:20:26 2012 UTC
Not After: Wed May 07 01:20:26 2014 UTC
Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
Fingerprint (SHA1):
e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b
Feeling confident, I tried ipa-replica-prepare and it worked!
[root@<master> ca]# ipa-replica-prepare king.yewess.us
Directory Manager (existing master) password:
Preparing replica for <replica fqdn> from <master fqdn>
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-<replica
fqdn>.gpg
I'm guessing what happened was I got bit by BZ 675742 or similar before
or after the upgrade but never noticed b/c I haven't used the cert
system until now. Maybe whatever the fix for this bug was should be
revisited, or the upgrade process should make sure this file gets reset
with the correct ownership. Otherwise, hopefully this exercise will be
helpful to someone else, and thanks Rob for responding so quickly the
other day.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
