[Freeipa-users] Replica and CA mess

Rob Crittenden rcritten at redhat.com
Mon Nov 28 14:26:15 UTC 2011


Sigbjorn Lie wrote:
> I had an odd performing IPA replica server, it had no knowledge of any
> other services besides dirsrv, DNS and CA, lots of GSSAPI errors in the
> dirsrv logs, etc, so I decided to re-configure the IPA replica.
>
> # ipactl status
> Directory Service: RUNNING
> DNS Service: RUNNING
> CA Service: RUNNING
>
>
> I removed the IPA instance on the host as per the document below.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Uninstalling_IPA_Servers.html
>
>
>
> I prepared a new replica package for the host using ipa-replica-prepare
> on ipa01. And started ipa-replica-install on ipa03. This gave unexpected
> results.
>
> # ipa-replica-install --setup-dns --forwarder=192.168.1.1
> --forwarder=192.168.1.2 /var/lib/ipa/replica-info-ipa03.ix.test.com.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipa01.ix.test.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): OK
> HTTP Server: port 80 (80): OK
> HTTP Server: port 443(https) (443): OK
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at IX.TEST.COM password:
>
> Execute check on remote master
> Check connection from master to remote replica 'ipa03.ix.test.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): OK
> HTTP Server: port 80 (80): OK
> HTTP Server: port 443(https) (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> The host ipa03.ix.test.com already exists on the master server.
> Depending on your configuration, you may perform the following:
>
> Remove the replication agreement, if any:
> % ipa-replica-manage del ipa03.ix.test.com
> Remove the host entry:
> % ipa host-del ipa03.ix.test.com
>
> So I went back to ipa01 to remove the replica:
>
> # ipa-replica-manage del ipa03.ix.test.com
> Unable to delete replica ipa03.ix.test.com: {'desc': "Can't contact LDAP
> server"}
>
> Hm, ok, I tried to force removal.
>
> # ipa-replica-manage del -f ipa03.ix.test.com
> Unable to connect to replica ipa03.ix.test.com, forcing removal
> Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact
> LDAP server"}
> Forcing removal on 'ipa01.ix.test.com'
> Failed to get data from 'ipa02.ix.test.com': {'info': 'SASL(-1): generic
> failure: GSSAPI Error: An invalid name was supplied (Cannot determine
> realm for numeric host address)', 'desc': 'Local error'}
> Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact
> LDAP server"}
>
>
> Not a complete success? However I was now able to install my replica.
> But I now no longer have a CA instance on the replica:
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> HTTP Service: RUNNING
>
>
> Perhaps an opportunity for improvements here? My suggestions:
>
> * First off, add to the documentation to remove the replica on another
> IPA server before uninstalling the IPA replica?
> * Why not automatically delete the replication agreement when
> uninstalling the replica?
> * Where did the CA instance go? I see nothing in the documentation about
> this, but I found an ipa-ca-install command. ipa-ca-install yielded the
> error below. The same error occurs if I attempt to --setup-ca while doing
> the ipa-replica-install:
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
> [1/11]: creating certificate server user
> [2/11]: creating pki-ca instance
> [3/11]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl
> /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com'
> '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW'
> '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv'
> '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
> 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent'
> '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
> 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com'
> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
> Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
> Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name'
> 'CN=ipa03.ix.test.com,O=IX.TEST.COM'
> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM'
> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM'
> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com'
> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
> 'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed

More details on the install failure may be in 
/var/log/ipareplica-ca-install.log and /var/log/pki-ca/debug. I wonder 
if they are related to the DNS errors you are seeing.

>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
> Running ipa-ca-install on an IPv6-enabled host is even worse off:
>
> root : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir
> `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
> gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
> gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
> gpg: CAST5 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: WARNING: message was not integrity protected
>
> root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C /tmp/tmpQ_4Prsipa
> root : DEBUG stdout=
> root : DEBUG stderr=
> creation of replica failed: The network address 2001:db8:abab:2::21 does
> not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
> root : DEBUG The network address 2001:db8:abab:2::21 does not match the
> DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
> File "/usr/sbin/ipa-ca-install", line 156, in <module>

Are these IPs pointing to the right hostnames?

rob
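The last failure in the thread ("The network address 2001:db8:abab:2::21 does not match the DNS lookup 192.168.1.21") is the installer's sanity check that the address a host is configured with is actually published for its name. The check below is an added example written for this page, not FreeIPA's own code: it reads an /etc/hosts-style table and a set of resolver answers (both constructed here to mirror the ipa02 case, on the assumption that only an A record was ever published for ipa02 and no AAAA record exists) and reports, per address family, why a configured address is not found. Comparing via `ipaddress` objects rather than strings means `2001:0db8:abab:0002::21` and `2001:db8:abab:2::21` are treated as the same address, which a naive string comparison would not do.

```python
"""Family-aware hostname/address consistency check (added example, not FreeIPA code)."""
import ipaddress

# Constructed /etc/hosts content: only the IPv4 address of ipa02 is listed.
HOSTS_FILE = """\
127.0.0.1     localhost
192.168.1.21  ipa02.ix.test.com ipa02
"""

# Constructed resolver answers keyed by (name, rrtype); stands in for DNS.
# Assumption: ipa02 has an A record but no AAAA record, as in the thread.
DNS_ANSWERS = {
    ("ipa02.ix.test.com", "A"): ["192.168.1.21"],
    ("ipa02.ix.test.com", "AAAA"): [],
}


def parse_hosts(text):
    """Return {name: [ip_address, ...]} from /etc/hosts-style text.

    Comments and blank lines are skipped; names are lower-cased so the
    lookup is case-insensitive, as DNS names are."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), []).append(ipaddress.ip_address(addr))
    return table


def published_addresses(name, hosts_table, dns_answers):
    """Union of the addresses /etc/hosts and DNS publish for name."""
    name = name.lower()
    found = set(hosts_table.get(name, []))
    for rrtype in ("A", "AAAA"):
        for answer in dns_answers.get((name, rrtype), []):
            found.add(ipaddress.ip_address(answer))
    return found


def check_address(configured, name, hosts_table, dns_answers):
    """Return None if `configured` is published for `name`, else a diagnostic.

    The diagnostic distinguishes "nothing of this family is published"
    (the dual-stack case from the thread: a v6 address on a host that only
    has an A record) from "this family is published but with another
    address" (a stale record)."""
    ip = ipaddress.ip_address(configured)
    published = published_addresses(name, hosts_table, dns_answers)
    if ip in published:
        return None
    same_family = sorted(str(p) for p in published if p.version == ip.version)
    other_family = sorted(str(p) for p in published if p.version != ip.version)
    rrtype = "AAAA" if ip.version == 6 else "A"
    if not same_family and other_family:
        return (f"{name} publishes no IPv{ip.version} address (only "
                f"{', '.join(other_family)}); add an {rrtype} record for {ip} "
                f"or install with the published address")
    if same_family:
        return (f"{name} publishes IPv{ip.version} address(es) "
                f"{', '.join(same_family)}, not {ip}; fix the stale {rrtype} record")
    return f"{name} publishes no address at all; check /etc/hosts and DNS"


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for candidate in ("192.168.1.21", "2001:db8:abab:2::21"):
        verdict = check_address(candidate, "ipa02.ix.test.com", hosts, DNS_ANSWERS)
        print(candidate, "->", verdict or "OK")
```

Run against the constructed data, the IPv4 address passes and the IPv6 address is reported as a missing AAAA record rather than as a generic mismatch, which is the distinction a practitioner needs before deciding whether to add a record or to install the replica with the address that is actually published.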
