> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 23 February 2015 8:01 PM
> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata;
> Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
> 
> 
> 
> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Les Stott
> > Sent: Monday, 23 February 2015 12:18 PM
> > To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi
> > Dewata; Jan Cholasta
> > Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> > correctly
> >
> >
> >
> > > -----Original Message-----
> > > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > > Sent: Saturday, 21 February 2015 1:39 AM
> > > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata;
> > > Jan Cholasta
> > > Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> > > correctly
> > >
> > > Martin Kosek wrote:
> > > > On 02/20/2015 06:56 AM, Les Stott wrote:
> > > >> Hi all,
> > > >>
> > > >> The following is blocking the ability for me to install a CA replica.
> > > >>
> > > >> Environment:
> > > >>
> > > >> RHEL 6.6
> > > >>
> > > >> IPA 3.0.0-42
> > > >>
> > > >> PKI 9.0.3-38
> > > >>
> > > >> On the master the following is happening:
> > > >>
> > > >> ipa-getcert list
> > > >>
> > > >> Number of certificates and requests being tracked: 5.
> > > >>
> > > >> (but it shows no certificate details in the output)
> > > >>
> > > >> Running "getcert list" shows complete output.
> > > >>
> > > >> Also, when trying to browse
> > > >> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
> > > >> response. The apache error logs on the master show....
> > > >>
> > > >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> > > >> client cannot verify your certificate
> > > >>
> > > >> The reason I am trying to browse that address is because that's
> > > >> what the ipa-ca-install setup is failing at (it complains that
> > > >> the CA certificate is not in proper format, in fact it's not able
> > > >> to get it at all).
> > > >>
> > > >> I know from another working ipa setup that ....
> > > >>
> > > >> Browsing to the above address provides valid xml content and
> > > >> ipa-getcert list shows certificate details and not just the
> > > >> number of tracked certificates.
> > > >>
> > > >> Been trying for a long time to figure out the issues without luck.
> > > >>
> > > >> I would greatly appreciate any help to troubleshoot and resolve
> > > >> the above issues.
> > > >>
> > > >> Regards,
> > > >>
> > > >> Les
> > > >
> > > > Endi or JanC, would you have any advise for Les? To me, it looks
> > > > like the Apache does not have proper certificate installed.
> > > >
> > > > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
> > > > in total of 8 certs tracked:
> > > >
> > > > # ipa-getcert list
> > > > Number of certificates and requests being tracked: 8.
> > > > Request ID '20141111000002':
> > > >     status: MONITORING
> > > >     stuck: no
> > > >     key pair storage:
> > > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > > COM',nicknam
> > > > e='Server-Cert',token='NSS
> > > > Certificate
> > > > DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> > > >     certificate:
> > > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > > COM',nicknam
> > > > e='Server-Cert',token='NSS
> > > > Certificate DB'
> > > >     CA: IPA
> > > >     issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > >     subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > >     expires: 2016-11-11 00:00:01 UTC
> > > >     key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > >     pre-save command:
> > > >     post-save command:
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20141111000047':
> > > >     status: MONITORING
> > > >     stuck: no
> > > >     key pair storage:
> > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-
> Cert'
> > > > ,token='NSS Certificate
> > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > > >     certificate:
> > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-
> Cert'
> > > > ,token='NSS
> > > > Certificate DB'
> > > >     CA: IPA
> > > >     issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > >     subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > >     expires: 2016-11-11 00:00:46 UTC
> > > >     key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > >     pre-save command:
> > > >     post-save command:
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20141111000302':
> > > >     status: MONITORING
> > > >     stuck: no
> > > >     key pair storage:
> > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',toke
> > > > n= 'N SS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >     certificate:
> > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',toke
> > > > n=
> > > > 'N
> > > > SS
> > > > Certificate DB'
> > > >     CA: IPA
> > > >     issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > >     subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > >     expires: 2016-11-11 00:03:02 UTC
> > > >     key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > >     pre-save command:
> > > >     post-save command:
> > > >     track: yes
> > > >     auto-renew: yes
> > > >
> > > >
> > > > What is actually in your Apache NSS database?
> > > >
> > > > # certutil -L -d /etc/httpd/alias/
> > > >
> > > > Martin
> > > >
> > >
> > > Remember ipa-getcert is just a shortcut for certificates using the
> > > certmonger CA named IPA, so it's more a filter than anything else. I
> > > don't know why it wouldn't display any output but I'd file a bug.
> > >
> > > I think we'd need to see the getcert list output to try to figure
> > > out what is going on.
> > >
> > > As for the SSL error fetching the cert chain I think Martin may be
> > > onto something. The request is proxied through Apache. I think the
> > > client here might be the Apache proxy client.
> > >
> > > I believe this command replicates what Apache is doing, you might
> > > give it a try on the master. This will get the chain directly from
> > > dogtag, bypassing
> > > Apache:
> > >
> > > $ curl -v --cacert /etc/ipa/ca.crt
> > > https://`hostname`:9444/ca/ee/ca/getCertChain
> > >
> > > rob
> >
> > Certutil shows....
> >
> > certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname                                         Trust 
> > Attributes
> >
> > SSL,S/MIME,JAR/XPI
> >
> > MYDOMAIN.COM IPA CA                                       CT,C,C
> > ipaCert                                                      u,u,u
> > Signing-Cert                                                 u,u,u
> > Server-Cert                                                  u,u,u
> >
> > curl -v --cacert /etc/ipa/ca.crt
> > https://`hostname`:9444/ca/ee/ca/getCertChain
> > * About to connect() to `hostname` port 9444 (#0)
> > *   Trying 192.168.1.1... connected
> > * Connected to `hostname` (192.168.1.1) port 9444 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > *   CAfile: /etc/ipa/ca.crt
> >   CApath: none
> > * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
> > * Server certificate:
> > *       subject: CN=`hostname`,O=MYDOMAIN.COM
> > *       start date: Dec 13 01:21:30 2013 GMT
> > *       expire date: Dec 03 01:21:30 2015 GMT
> > *       common name: `hostname`
> > *       issuer: CN=Certificate Authority,O=MYDOMAIN.COM
> > > GET /ca/ee/ca/getCertChain HTTP/1.1
> > > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
> > > NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > > Host: `hostname`:9444
> > > Accept: */*
> > >
> > < HTTP/1.1 200 OK
> > < Server: Apache-Coyote/1.1
> > < Content-Type: application/xml
> > < Content-Length: 1434
> > < Date: Mon, 23 Feb 2015 01:04:29 GMT
> > <
> > <?xml version="1.0" encoding="UTF-8"
> >
> standalone="no"?><XMLResponse><Status>0</Status><ChainBase64>MIID
> >
> zwYJKoZIhvcNAQcCoIIDwDCCA7wCAQExADAPBgkqhkiG9w0BBwGgAgQAoII
> >
> DoDCCA5wwggKEoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwOjEYMBYGA1U
> >
> EChMPREVSSVZBVElWRVMuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSB
> >
> BdXRob3JpdHkwHhcNMTMxMjEzMDEyMTI5WhcNMzMxMjEzMDEyMTI5Wj
> >
> A6MRgwFgYDVQQKEw9ERVJJVkFUSVZFUy5DT00xHjAcBgNVBAMTFUNlcnRp
> >
> ZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCg
> >
> gEBAMAA8EaYhmpjSA8o3/1kB/W1+0K6+FrwCS+njOgRtXhiTdmtSddXSDVxH
> >
> OafFwqN26BR+QRPZbbpJY70gP3SG8W+J6+c37PMVNshWz6UfChGt6ubgFxlS
> >
> TGUUre2Osr9I4C836MXpGJvRx2VDEuMUxv8j7B9iDRnTDglseqPqrMct2No4w
> >
> k4cLtA9puBJb0Es76SOHP9edXlf6GBnuYwR8YMc1yJLqpP8IGpHhEkVxMsRpqk
> >
> EpuuRwEFa7uBcTDhqVV24BpFlseZVubpiOdEgfb3IRBTjvI1Mum9OCJbuj9P/W
> >
> mqMnrA0sQsmF/R3WBwFdMAsN3+bQCRw73+rwoeDNcCAwEAAaOBrDCBq
> >
> TAfBgNVHSMEGDAWgBSO8J+j2jAuyg3a0yE+3oVCQJCWUTAPBgNVHRMBAf8
> >
> EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUjvCfo9owLsoN
> >
> 2tMhPt6FQkCQllEwRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHR
> > wOi8vc2I!
> >  ybW9uMDEuZGVyaXZhdGl2ZXMuY29tOjgwL2* Connection #0 to host
> `hostname`
> > left intact
> > * Closing connection #0
> >
> NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAKH8YkoTAzX2xNYMkZSDK84EK3
> >
> e4FUixdXxc/EC5ehjrtaqXT1KT9Fl9DAF5/jYNKqgmEmtHnPGlfQ7/Y1ESdhEGcB
> >
> ZjU4qLe4HaFXuw5c9odDYxhtjQUd1g7ifY8SKOcHDCY+6Xx6F/rhFgzrXXMndn8
> >
> ZaYryctPoOAj/5INnLrJq8S4XyLmb2BHM4e1ORQbOhDi8xjhfK2veYXvIu55Brhp
> >
> RSS/goz5oSE8e+QE/H9afRmeV2+WkS/YDhSyoUDb7CYjklRuONzX3GopKtp1y
> >
> yLXQZnBFjCvIJvja0mo3ik3AXxSZuOwUIlV23U8CyPU/rDeiV00iUyA/fLvdkEtZkx
> > AA==</ChainBase64></XMLResponse>
> >
> >
> > In any event, I've decided to rebuilt my DR IPA environment. Late last
> > year the master in DR had to be rebuilt due to a disk issue. While IPA
> > was restored manually and appeared to be working fine, CA replication
> > hasn't worked. I finally got CA replication working in Prod after
> > enabling needed apache modules and performing a yum update to update
> > related packages, but these things didn't help in DR. It's my strong
> > suspicion that something got missed when restoring the DR master IPA
> > server and this is what is causing all my grief. Therefore, I'm going to 
> > wipe it
> out and start from scratch in DR.
> > There are other benefits for me to do this anyway.
> >
> 
> Well things have gone from bad to worse.
> 
> I removed IPA in DR. uninstalled all ipa clients, uninstalled replicas, 
> removed
> replication agreements and removed the master. Ran pki-remove to clear
> any leftover pki instances and used certutil -D to remove left behind ipa
> entries in /etc/httpd/alias.
> 
> So, clean slate to start again.
> 
> This time, in order to mirror config with prod, I began an installation for 
> the
> master on a different server, let's call it serverb. It was previously a 
> replica (in
> my prod environment, serverb is the true master, servera, serverc, and
> serverd are replicas).
> 
> So, trying to install a new fresh instance of IPA and it still fails to 
> configure a
> CA.
> 
> Attached is the relevant portion of the server install log file (ipa-server-
> install.txt). I have removed certificate and copyright info to reduce its 
> size.
> Also my server to install is serverb.mydomain.com
> 
> Apache logs at the time of the error show:
> [Mon Feb 23 03:05:31 2015] [error] SSL Library Error: -12195 Peer does not
> recognize and trust the CA that issued your certificate
> 
> Certificate databases only show the following (note that "Server-Cert cert-
> pki-ca" got installed before the installer crashed). Prior to trying 
> installation I
> had to manually remove server certs left behind from the previous
> installation via ...
> certutil -d /etc/httpd/alias -D -n "Server-Cert"
> certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
> certutil -d /etc/httpd/alias -D -n ipaCert
> 
> certutil -L -d /var/lib/pki-ca/alias
> Certificate Nickname                                         Trust Attributes
>                                                              
> SSL,S/MIME,JAR/XPI
> Server-Cert cert-pki-ca                                      CTu,Cu,Cu
> 
> certutil -L -d /etc/pki/nssdb
> Certificate Nickname                                         Trust Attributes
>                                                              
> SSL,S/MIME,JAR/XPI
> 
> 
> Selinux is in permissive mode.
> Ausearch -m avc does show some selinux issues, but its permissive mode so
> it should be ok right? In any event I have previously tried installing a CA
> replica with selinux disabled and it didn't help.
> 
> I have tried removing ipa and pki rpms and reinstalling. Then rerunning the
> ipa server install script but the same error occurs.
> 
> I noticed that /etc/ipa/ca.crt was still old, and referencing the original 
> master.
> I removed that and again reran the installer but the same error occurred.
> 
> Note also that /etc/ipa/cr.crt was not recreated when ipa-python was
> reinstalled.
> 
> Other logs:
> 
> /var/log/pki-ca/system shows
> 5042.main - [23/Feb/2015:03:05:12 EST] [3] [3] Cannot build CA chain. Error
> java.security.cert.CertificateException: Certificate is not a PKCS #11
> certificate 5042.main - [23/Feb/2015:03:05:12 EST] [13] [3] authz instance
> DirAclAuthz initialization failed and skipped, error=Property
> internaldb.ldapconn.port missing value
> 5042.http-9445-1 - [23/Feb/2015:03:05:26 EST] [3] [3] Cannot build CA chain.
> Error java.security.cert.CertificateException: Certificate is not a PKCS #11
> certificate
> 5042.http-9445-1 - [23/Feb/2015:03:05:35 EST] [3] [3] CASigningUnit: Object
> certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 
> /var/log/pki-ca/catalina.out
> Feb 23, 2015 3:05:11 AM org.apache.catalina.startup.HostConfig
> deployDirectory
> INFO: Deploying web application directory ca 64-bit osutil library loaded 
> 64-bit
> osutil library loaded CMS Warning: FAILURE: Cannot build CA chain. Error
> java.security.cert.CertificateException: Certificate is not a PKCS #11
> certificate|FAILURE: authz instance DirAclAuthz initialization failed and
> skipped, error=Property internaldb.ldapconn.port missing value| Server is
> started.
> Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9180 Feb 23, 2015 3:05:12 AM
> org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9443 Feb 23, 2015 3:05:12 AM
> org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9445 Feb 23, 2015 3:05:12 AM
> org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9444 Feb 23, 2015 3:05:12 AM
> org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9446 Feb 23, 2015 3:05:12 AM
> org.apache.jk.common.ChannelSocket init
> INFO: JK: ajp13 listening on /0.0.0.0:9447 Feb 23, 2015 3:05:12 AM
> org.apache.jk.server.JkMain start
> INFO: Jk running ID=0 time=0/25  config=null Feb 23, 2015 3:05:12 AM
> org.apache.catalina.startup.Catalina start
> INFO: Server startup in 1655 ms
> 
> I have no idea where to look next. There must be some remnant of the old
> system hanging around screwing things up but I cannot figure it out. This will
> drive me insane!
> 
> I can provide more logs if needed.
> 
> Thanks in advance for any help.
> 

Have resolved this.

Here is the procedure to completely remove FreeIPA so you can start again. 

ipa-server-install --uninstall
certutil -d /etc/httpd/alias -D -n "Server-Cert"
certutil -d /etc/httpd/alias -D -n "DERIVATIVES.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert
certutil -d /etc/httpd/alias -D -n Signing-Cert
yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools 
pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client 
ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 
389-ds-base-libs
userdel pkisrv
userdel pkiuser
rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger 
/etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki 
/etc/ipa /var/log/ipa*
reboot

Now you have a clean slate.

Then install works as normal for IPA Server, Replica and CA Replica 
installations.

Hope this saves someone else time in the future.

Regards,

Les

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to