[Freeipa-users] CA cert issues

Rich Megginson rmeggins at redhat.com
Thu Jan 17 16:53:03 UTC 2013


On 01/17/2013 09:49 AM, Orion Poplawski wrote:
> On 01/17/2013 09:27 AM, Rob Crittenden wrote:
>> Orion Poplawski wrote:
>>> But then on ipa-replica-install, problems as predicted:
>>>
>>> ipa-replica-install --setup-ca
>>> /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
>>> ...
>>>    [16/30]: configuring ssl for ds instance
>>> creation of replica failed: Could not find a CA cert in
>>> /tmp/tmpPAtailipa/realm_info/dscert.p12
>>>
>>
>> Ok, I think what I would recommend is preparing a replica w/o 
>> replacing the
>> certs (e.g. let the CA issue certs for all the services).
>>
>> Install the replica.
>>
>> Then replace with the wildcard certs once the install is up and 
>> functioning.
>>
>> rob
>
> That gets to:
>
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipa.cora.nwra.com] reports: Update failed! Status: [-11  - System error]
> creation of replica failed: Failed to start replication
>
> Because on ipa.cora :
> [17/Jan/2013:09:31:42 -0700] NSMMReplicationPlugin - 
> agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Replication bind with 
> SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error 
> -8172:Peer's certificate issuer has been marked as not trusted by the 
> user.)
>
> because the new cert install wiped out the old slapd-NWRA-COM certs. 
> Installed the NWRA.COM IPA CA there.
>
> It seems like most of the problems would be alleviated if instead of 
> wiping out the old NSS dbs, it simply added the new certs.  I don't 
> know if there are any other security implications of this or not.
>
> I'm also tempted to start over and do the --dirsrv-cert options on the 
> initial ipa-server-install to see if that helps.
>
> Anyway, tried again and now:
>
> Configuring Kerberos KDC: Estimated time 30 seconds
>   [1/9]: adding sasl mappings to the directory
>   [2/9]: writing stash file from DS
>   [3/9]: configuring KDC
>   [4/9]: creating a keytab for the directory
>   [5/9]: creating a keytab for the machine
>   [6/9]: adding the password extension to the directory
>   [7/9]: enable GSSAPI for replication
> creation of replica failed: list index out of range
>
>
> 2013-01-17T16:41:33Z DEBUG   [7/9]: enable GSSAPI for replication
> 2013-01-17T16:41:33Z INFO Setting agreement 
> cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
> tree,cn=config schedule to 2358-2359 0 to force synch
> 2013-01-17T16:41:34Z INFO Deleting schedule 2358-2359 0 from agreement 
> cn=meToipa.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
> tree,cn=config
> 2013-01-17T16:41:35Z INFO Replication Update in progress: FALSE: 
> status: -11 - System error: start: 0: end: 0
> 2013-01-17T16:41:35Z INFO Setting agreement 
> cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
> tree,cn=config schedule to 2358-2359 0 to force synch
> 2013-01-17T16:41:36Z INFO Deleting schedule 2358-2359 0 from agreement 
> cn=meToipapub.cora.nwra.com,cn=replica,cn=dc\3Dnwra\2Cdc\3Dcom,cn=mapping 
> tree,cn=config
> 2013-01-17T16:41:37Z INFO Replication Update in progress: FALSE: 
> status: 0 Replica acquired successfully: Incremental update succeeded: 
> start: 20130117164126Z: end: 20130117164127Z
> 2013-01-17T16:41:37Z DEBUG list index out of range
>   File "/usr/sbin/ipa-replica-install", line 496, in <module>
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 441, in main
>     krb = install_krb(config, setup_pkinit=options.setup_pkinit)
>
>   File "/usr/sbin/ipa-replica-install", line 163, in install_krb
>     setup_pkinit, pkcs12_info)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", 
> line 207, in create_replica
>     self.start_creation("Configuring Kerberos KDC", 30)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 
> 257, in start_creation
>     method()
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", 
> line 442, in __convert_to_gssapi_replication
>     r_bindpw=self.dm_password)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", 
> line 833, in convert_to_gssapi_replication
>     self.gssapi_update_agreements(self.conn, r_conn)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", 
> line 557, in gssapi_update_agreements
>     self.setup_krb_princs_as_replica_binddns(a, b)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", 
> line 550, in setup_krb_princs_as_replica_binddns
>     mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
>
>
>
> I also see this in /var/log/dirsrv/slapd-NWRA-COM/errors on the master:
>
> [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - 
> agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Schema replication 
> update failed: Type or value exists
> [17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - 
> agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Warning: unable to 
> replicate schema: rc=1
>
> Which is probably due to some schema modifications I've made, but 
> these don't really seem related to the error above.
>
And schema replication failures do not prevent the rest of replication 
from working.
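The two kinds of NSMMReplicationPlugin messages quoted above have very different weight: the TLS -8172 bind failure means no updates flow over that agreement at all, while the schema push warnings are tolerated by 389-ds. As an added example (not code from the thread or from FreeIPA), here is a small Python 3 helper that pulls the agreement, peer, LDAP and TLS error codes out of errors-log lines and ranks them, so a monitoring check can page on an untrusted-issuer bind failure and merely note schema warnings. The sample lines are constructed, modelled on the excerpts in the thread; the function and class names are my own, and the NSS error names come from NSS's secerr.h.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Agreement-level messages in /var/log/dirsrv/slapd-*/errors look like:
#   [ts] NSMMReplicationPlugin - agmt="cn=..." (host:port): <message>
AGMT_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<msg>.*)$'
)
LDAP_ERR = re.compile(r'LDAP error (?P<code>-?\d+)')
TLS_ERR = re.compile(r'TLS error (?P<code>-?\d+):(?P<text>[^)]*)')

# NSS codes meaning "the peer's chain does not end at a CA this NSS
# database trusts" (names from NSS secerr.h; -8172 is the one in the thread).
UNTRUSTED_CHAIN_CODES = {
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
}


@dataclass
class ReplEvent:
    timestamp: str
    agreement: str
    peer: str
    message: str
    ldap_error: Optional[int] = None
    tls_error: Optional[int] = None
    tls_text: Optional[str] = None

    @property
    def severity(self) -> str:
        # A failed bind means nothing replicates over this agreement, so it
        # outranks schema-push warnings, which 389-ds tolerates.
        if self.tls_error is not None or self.ldap_error is not None:
            return "critical"
        if "schema" in self.message.lower():
            return "warning"
        return "info"

    @property
    def trust_problem(self) -> Optional[str]:
        # Symbolic NSS name when the failure is a CA-trust problem, else None.
        if self.tls_error is None:
            return None
        return UNTRUSTED_CHAIN_CODES.get(self.tls_error)


def parse_line(line: str) -> Optional[ReplEvent]:
    m = AGMT_LINE.match(line.strip())
    if not m:
        return None  # not an agreement message; ignore it
    ev = ReplEvent(m["ts"], m["agmt"], m["peer"], m["msg"])
    if (l := LDAP_ERR.search(ev.message)):
        ev.ldap_error = int(l["code"])
    if (t := TLS_ERR.search(ev.message)):
        ev.tls_error = int(t["code"])
        ev.tls_text = t["text"].strip()
    return ev


def parse_log(lines: Iterable[str]) -> List[ReplEvent]:
    return [ev for ev in map(parse_line, lines) if ev is not None]


def summarize(events: Iterable[ReplEvent]) -> Dict[str, Dict[str, int]]:
    """Count events per agreement by severity (handy for a nagios-style check)."""
    out: Dict[str, Dict[str, int]] = {}
    for ev in events:
        bucket = out.setdefault(ev.agreement, {"critical": 0, "warning": 0, "info": 0})
        bucket[ev.severity] += 1
    return out


# Constructed sample lines, modelled on the errors-log excerpts in the thread.
SAMPLE_LOG = """\
[17/Jan/2013:09:31:42 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.)
[17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Schema replication update failed: Type or value exists
[17/Jan/2013:09:41:26 -0700] NSMMReplicationPlugin - agmt="cn=meToipapub.cora.nwra.com" (ipapub:389): Warning: unable to replicate schema: rc=1
[17/Jan/2013:09:45:00 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
""".splitlines()

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        flag = f" [{ev.trust_problem}]" if ev.trust_problem else ""
        print(f"{ev.severity:8} {ev.agreement} -> {ev.peer}: {ev.message[:60]}{flag}")
    print(summarize(events))
```

Run on the sample, the bind failure is reported as critical with SEC_ERROR_UNTRUSTED_ISSUER attached, and the two schema lines as warnings; a trust-problem hit is the cue to check that the issuing CA is actually present (and trusted) in the replica's NSS database before retrying the install.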
