[Freeipa-users] CA cert issues

Orion Poplawski orion at cora.nwra.com
Thu Jan 17 16:49:19 UTC 2013 

On 01/17/2013 09:27 AM, Rob Crittenden wrote:
> Orion Poplawski wrote:
>> But then on ipa-replica-install, problems as predicted:
>>
>> ipa-replica-install --setup-ca
>> /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
>> ...
>>    [16/30]: configuring ssl for ds instance
>> creation of replica failed: Could not find a CA cert in
>> /tmp/tmpPAtailipa/realm_info/dscert.p12
>>
>
> Ok, I think what I would recommend is preparing a replica w/o replacing the
> certs (e.g. let the CA issue certs for all the services).
>
> Install the replica.
>
> Then replace with the wildcard certs once the install is up and functioning.
>
> rob

That gets to:

   [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa.cora.nwra.com] reports: Update failed! Status: [-11  - System error]
creation of replica failed: Failed to start replication

Because on ipa.cora :
[17/Jan/2013:09:31:42 -0700] NSMMReplicationPlugin - 
agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Replication bind with SIMPLE 
auth failed: LDAP error -11 (Connect error) (TLS error -8172:Peer's 
certificate issuer has been marked as not trusted by the user.)

because the new cert install wiped out the old slapd-NWRA-COM certs. 
Installed the NWRA.COM IPA CA there.

It seems like a most of the problems would be alleviated if instead of wiping 
out the old NSS dbs, it simply added the new certs.  I don't know if there are 
any other security implications of this or not.

I'm also tempted to start over and do the --dirsrv-cert options on the initial 
ipa-server-install to see if that helps.

Anyway, tried again and now:

Configuring Kerberos KDC: Estimated time 30 seconds
   [1/9]: adding sasl mappings to the directory
   [2/9]: writing stash file from DS
   [3/9]: configuring KDC
   [4/9]: creating a keytab for the directory
   [5/9]: creating a keytab for the machine
   [6/9]: adding the password extension to the directory
   [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range


2013-01-17T16:41:33Z DEBUG   [7/9]: enable GSSAPI for replication
2013-01-17T16:41:33Z INFO Setting agreement 
cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
tree,cn=config schedule to 2358-2359 0 to force synch
2013-01-17T16:41:34Z INFO Deleting schedule 2358-2359 0 from agreement 
cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
tree,cn=config
2013-01-17T16:41:35Z INFO Replication Update in progress: FALSE: status: -11 
- System error: start: 0: end: 0
2013-01-17T16:41:35Z INFO Setting agreement 
cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
tree,cn=config schedule to 2358-2359 0 to force synch
2013-01-17T16:41:36Z INFO Deleting schedule 2358-2359 0 from agreement 
cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
tree,cn=config
2013-01-17T16:41:37Z INFO Replication Update in progress: FALSE: status: 0 
Replica acquired successfully: Incremental update succeeded: start: 
20130117164126Z: end: 20130117164127Z
2013-01-17T16:41:37Z DEBUG list index out of range
   File "/usr/sbin/ipa-replica-install", line 496, in <module>
     main()

   File "/usr/sbin/ipa-replica-install", line 441, in main
     krb = install_krb(config, setup_pkinit=options.setup_pkinit)

   File "/usr/sbin/ipa-replica-install", line 163, in install_krb
     setup_pkinit, pkcs12_info)

   File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", 
line 207, in create_replica
     self.start_creation("Configuring Kerberos KDC", 30)

   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 
257, in start_creation
     method()

   File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", 
line 442, in __convert_to_gssapi_replication
     r_bindpw=self.dm_password)

   File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", 
line 833, in convert_to_gssapi_replication
     self.gssapi_update_agreements(self.conn, r_conn)

   File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", 
line 557, in gssapi_update_agreements
     self.setup_krb_princs_as_replica_binddns(a, b)

   File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", 
line 550, in setup_krb_princs_as_replica_binddns
     mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]



I also see this in /var/log/dirsrv/slapd-NWRA-COM/errors on the master:

[17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - 
agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Schema replication update 
failed: Type or value exists
[17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - 
agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Warning: unable to replicate 
schema: rc=1

Which is probably due to some schema modifications I've made, but these don't 
really seem related to the error above.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com

More information about the Freeipa-users mailing list