Re: [Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed
On 05/08/2012 09:10 AM, Simo Sorce wrote:
> On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote:
> > On 05/05/2012 09:08 PM, Chris Evich wrote:
> > > On 05/05/2012 08:01 PM, Chris Evich wrote:
> > >> On 05/04/2012 04:17 PM, Chris Evich wrote:
> > >> That makes me think maybe there's just a missing service principal or
> > >> something I can add? I'll see if I can remove that request and try
> > >> running ipa-replica-prepare again to see if it still gives that error
> > >> (systems have been restarted since then). Though any other
> > >> suggestions/ideas of what I can try or look at are much appreciated.
> > >> Thanks.
> > >
> > > Replying to myself again, bad-form, but maybe it'll help someone else if
> > > they have a similar problem
> > > ...cut...
> > > I'm guessing there's something going on with this 'caIPAserviceCert'
> > > thing. Granted I didn't try requesting any certs prior to the update,
> > > however I can click the 'view' button in the web UI on some service
> > > certs from the install, so it was generating them at some point.
> >
> > Google was kind to me and I found
> > https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly
> > confirmed was a problem:
> >
> > [root@ ~]# find /var/lib -name caIPAserviceCert.cfg
> > /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
> > [root@ ~]# cd /var/lib/pki-ca/profiles/ca/
> > [root@ ca]# ll
> > total 424
> > -rw-rw. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg
> > -rw-rw. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg
> > -rw-rw. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg
> > ...cut...
> > -rw-rw. 1 pkiuser pkiuser 5548 Apr 22 16:42 caInternalAuthServerCert.cfg
> > -rw-rw. 1 pkiuser pkiuser 5580 Apr 22 16:42 caInternalAuthSubsystemCert.cfg
> > -rw-rw. 1 pkiuser pkiuser 5784 Apr 22 16:42 caInternalAuthTransportCert.cfg
> > -rw-rw. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg
> > ...cut...
> > [root@ ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
> > [root@ ca]# fixfiles restore *
> > [root@ ~]# systemctl restart pki-cad@pki-ca.service certmonger.service ipa.service
> >
> > (Probably only needed to restart ipa.service) Now generating the cert
> > works like a champ! with a whole boat-load more stuff showing up in the
> > debug log:
> >
> > [root@ ~]# ipa cert-request --principal=imap/@ dovecot.pem.csr
> >   Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE
> > ...blahblahblah...
> > fXlqt7LmHUSbfg==
> >   Subject: CN=,O=
> >   Issuer: CN=Certificate Authority,O=
> >   Not Before: Sun May 06 01:20:26 2012 UTC
> >   Not After: Wed May 07 01:20:26 2014 UTC
> >   Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
> >   Fingerprint (SHA1): e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b
> >
> > Feeling confident, I tried ipa-replica-prepare and it worked!
> > [root@ ca]# ipa-replica-prepare
> > Directory Manager (existing master) password:
> >
> > Preparing replica for from
> > Creating SSL certificate for the Directory Server
> > Creating SSL certificate for the dogtag Directory Server
> > Creating SSL certificate for the Web Server
> > Exporting RA certificate
> > Copying additional files
> > Finalizing configuration
> > Packaging replica information into /var/lib/ipa/replica-info-.gpg
> >
> > I'm guessing what happened was I got bit by BZ 675742 or similar before
> > or after the upgrade but never noticed b/c I haven't used the cert
> > system until now. Maybe whatever the fix for this bug was should be
> > revisited, or the upgrade process should make sure this file gets reset
> > with the correct ownership. Otherwise, hopefully this exercise will be
> > helpful to someone else, and thanks Rob for responding so quickly the
> > other day.
>
> Chris, thanks a lot for getting back with your solution, it is very
> valuable for all users that may end up in the same weird situation.
>
> Simo.

Sure thing. If y'all think of it, it might be good to put some more error
reporting into the ipa-replica-prepare tool. The debug log didn't seem to be
much help (to my n00b eyes). Ultimately it was the error message from
"ipa cert-request", "Profile caIPAserviceCert Not Found" which led me to the
solution. If it's hard to add it to the tool, then tossing stuff like that
into the logs would help too.

Just a suggestion, since with such awesome tooling (graphical and CLI) on a
project like this, it's bound to attract more n00bs like me. The
DNS/Kerberos stuff is straightforward because there's lots of deployments
and a long history of mailing list posts to find answers on. The cert.
system seems to be a different story entirely, it's (arguably) as powerful
as kerberos but doesn't get nearly as much "press" coverage :D

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed
On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote:
> On 05/05/2012 09:08 PM, Chris Evich wrote:
> > On 05/05/2012 08:01 PM, Chris Evich wrote:
> >> On 05/04/2012 04:17 PM, Chris Evich wrote:
> >> That makes me think maybe there's just a missing service principal or
> >> something I can add? I'll see if I can remove that request and try
> >> running ipa-replica-prepare again to see if it still gives that error
> >> (systems have been restarted since then). Though any other
> >> suggestions/ideas of what I can try or look at are much appreciated.
> >> Thanks.
> >>
> >
> > Replying to myself again, bad-form, but maybe it'll help someone else if
> > they have a similar problem
> > ...cut...
> > I'm guessing there's something going on with this 'caIPAserviceCert'
> > thing. Granted I didn't try requesting any certs prior to the update,
> > however I can click the 'view' button in the web UI on some service
> > certs from the install, so it was generating them at some point.
>
> Google was kind to me and I found
> https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly
> confirmed was a problem:
>
> [root@ ~]# find /var/lib -name caIPAserviceCert.cfg
> /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
> [root@ ~]# cd /var/lib/pki-ca/profiles/ca/
> [root@ ca]# ll
> total 424
> -rw-rw. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg
> -rw-rw. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg
> -rw-rw. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg
> ...cut...
> -rw-rw. 1 pkiuser pkiuser 5548 Apr 22 16:42 caInternalAuthServerCert.cfg
> -rw-rw. 1 pkiuser pkiuser 5580 Apr 22 16:42 caInternalAuthSubsystemCert.cfg
> -rw-rw. 1 pkiuser pkiuser 5784 Apr 22 16:42 caInternalAuthTransportCert.cfg
> -rw-rw. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg
> ...cut...
> [root@ ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
> [root@ ca]# fixfiles restore *
> [root@ ~]# systemctl restart pki-cad@pki-ca.service certmonger.service ipa.service
>
> (Probably only needed to restart ipa.service) Now generating the cert
> works like a champ! with a whole boat-load more stuff showing up in the
> debug log:
>
> [root@ ~]# ipa cert-request --principal=imap/ fqdn>@ dovecot.pem.csr
>   Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE
> ...blahblahblah...
> fXlqt7LmHUSbfg==
>   Subject: CN=,O=
>   Issuer: CN=Certificate Authority,O=
>   Not Before: Sun May 06 01:20:26 2012 UTC
>   Not After: Wed May 07 01:20:26 2014 UTC
>   Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
>   Fingerprint (SHA1): e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b
>
> Feeling confident, I tried ipa-replica-prepare and it worked!
> [root@ ca]# ipa-replica-prepare king.yewess.us
> Directory Manager (existing master) password:
>
> Preparing replica for from
> Creating SSL certificate for the Directory Server
> Creating SSL certificate for the dogtag Directory Server
> Creating SSL certificate for the Web Server
> Exporting RA certificate
> Copying additional files
> Finalizing configuration
> Packaging replica information into /var/lib/ipa/replica-info- fqdn>.gpg
>
> I'm guessing what happened was I got bit by BZ 675742 or similar before
> or after the upgrade but never noticed b/c I haven't used the cert
> system until now. Maybe whatever the fix for this bug was should be
> revisited, or the upgrade process should make sure this file gets reset
> with the correct ownership. Otherwise, hopefully this exercise will be
> helpful to someone else, and thanks Rob for responding so quickly the
> other day.

Chris, thanks a lot for getting back with your solution, it is very
valuable for all users that may end up in the same weird situation.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

[Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed
On 05/05/2012 09:08 PM, Chris Evich wrote:
> On 05/05/2012 08:01 PM, Chris Evich wrote:
>> On 05/04/2012 04:17 PM, Chris Evich wrote:
>> That makes me think maybe there's just a missing service principal or
>> something I can add? I'll see if I can remove that request and try
>> running ipa-replica-prepare again to see if it still gives that error
>> (systems have been restarted since then). Though any other
>> suggestions/ideas of what I can try or look at are much appreciated.
>> Thanks.
>
> Replying to myself again, bad-form, but maybe it'll help someone else if
> they have a similar problem
> ...cut...
> I'm guessing there's something going on with this 'caIPAserviceCert'
> thing. Granted I didn't try requesting any certs prior to the update,
> however I can click the 'view' button in the web UI on some service
> certs from the install, so it was generating them at some point.

Google was kind to me and I found
https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly
confirmed was a problem:

[root@ ~]# find /var/lib -name caIPAserviceCert.cfg
/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
[root@ ~]# cd /var/lib/pki-ca/profiles/ca/
[root@ ca]# ll
total 424
-rw-rw. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg
-rw-rw. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg
-rw-rw. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg
...cut...
-rw-rw. 1 pkiuser pkiuser 5548 Apr 22 16:42 caInternalAuthServerCert.cfg
-rw-rw. 1 pkiuser pkiuser 5580 Apr 22 16:42 caInternalAuthSubsystemCert.cfg
-rw-rw. 1 pkiuser pkiuser 5784 Apr 22 16:42 caInternalAuthTransportCert.cfg
-rw-rw. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg
...cut...
[root@ ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
[root@ ca]# fixfiles restore *
[root@ ~]# systemctl restart pki-cad@pki-ca.service certmonger.service ipa.service

(Probably only needed to restart ipa.service) Now generating the cert
works like a champ! with a whole boat-load more stuff showing up in the
debug log:

[root@ ~]# ipa cert-request --principal=imap/fqdn>@ dovecot.pem.csr
  Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE
...blahblahblah...
fXlqt7LmHUSbfg==
  Subject: CN=,O=
  Issuer: CN=Certificate Authority,O=
  Not Before: Sun May 06 01:20:26 2012 UTC
  Not After: Wed May 07 01:20:26 2014 UTC
  Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
  Fingerprint (SHA1): e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b

Feeling confident, I tried ipa-replica-prepare and it worked!
[root@ ca]# ipa-replica-prepare king.yewess.us
Directory Manager (existing master) password:

Preparing replica for from
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-fqdn>.gpg

I'm guessing what happened was I got bit by BZ 675742 or similar before
or after the upgrade but never noticed b/c I haven't used the cert
system until now. Maybe whatever the fix for this bug was should be
revisited, or the upgrade process should make sure this file gets reset
with the correct ownership. Otherwise, hopefully this exercise will be
helpful to someone else, and thanks Rob for responding so quickly the
other day.
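
Added example, not part of the original post or of FreeIPA/Dogtag: a small shell check that lists profile files whose owner:group differs from what the CA process expects, which is the condition found by eye in the listing above. The directory and the pkiuser owner come from the thread; the function names are made up for this example and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit ownership of Dogtag profile files.
# Assumes GNU coreutils stat (-c format option).

# profile_owner_mismatches DIR OWNER GROUP
# Prints one "owner:group<TAB>path" line for every regular *.cfg file in DIR
# whose owner:group is not OWNER:GROUP.
profile_owner_mismatches() {
    dir=$1
    want="$2:$3"
    for f in "$dir"/*.cfg; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        have=$(stat -c '%U:%G' -- "$f") || continue
        [ "$have" = "$want" ] || printf '%s\t%s\n' "$have" "$f"
    done
}

# count_mismatches DIR OWNER GROUP
# Prints the number of mismatching files (0 means the directory is clean).
count_mismatches() {
    profile_owner_mismatches "$@" | wc -l | tr -d ' '
}

# Only touch the real system when called as: script audit [DIR]
if [ "${1:-}" = "audit" ]; then
    d=${2:-/var/lib/pki-ca/profiles/ca}   # path taken from the thread
    profile_owner_mismatches "$d" pkiuser pkiuser
    [ "$(count_mismatches "$d" pkiuser pkiuser)" -eq 0 ] || exit 1
fi
```

Run with the audit argument after an upgrade or package update; a non-zero exit means at least one profile file is not owned by pkiuser:pkiuser. SELinux labels, which the thread restores with fixfiles, are not checked here.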