Description of problem:
Replica installation fails with an external-ca master. Found this while verifying https://bugzilla.redhat.com/show_bug.cgi?id=1303059, which seems to be fixed now. Also, this is a regression with build ipa-server-4.2.0-15.el7_2.10.x86_64 and did not occur with the 7.2 update2 build.

Version-Release number of selected component (if applicable):
pki-ca-10.2.5-7.el7_2.noarch
ipa-server-4.2.0-15.el7_2.10.x86_64

How reproducible:
Always

Steps to Reproduce:
1. IPA master with external-ca
2. Replica install with step (1) IPA Master

Actual results:
Replica installation fails with the following error message:

  [7/23]: enable PKIX certificate path discovery and validation
  [8/23]: starting certificate server instance
MARK-LWD-LOOP -- 2016-03-15 02:02:17 --
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for details.
  [9/23]: creating RA agent certificate database
  [10/23]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 404
ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to retrieve CA chain: request failed with HTTP status 404
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
:: [ FAIL ] :: Install replica off of the gpg file in this system. (Expected 0, got 1)

Expected results:
Replica installation should be successful.

Additional info:
[root@ibm-x3650m4-01-vm-07 ca]# cat system
0.localhost-startStop-1 - [15/Mar/2016:01:59:51 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [15/Mar/2016:01:59:51 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
[root@ibm-x3650m4-01-vm-07 ca]#
Kaleem kindly provided me with VMs where this failure occurred and upon inspection I found out that after pkispawn is run, Dogtag's NSS database is missing the intermediate external CA certificate "Secondary CA - testrelm":

# certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Primary CA - testrelm                                        CT,c,c
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u

although the certificate is present in the pki_clone_pkcs12_path file provided to pkispawn by IPA:

# mkdir tmpdb
# certutil -d tmpdb -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
# pk12util -i realm_info/cacert.p12 -d tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -d tmpdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
Primary CA - testrelm                                        ,,
caSigningCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Secondary CA - testrelm                                      ,,
# certutil -d tmpdb -O -n 'caSigningCert cert-pki-ca'
"Primary CA - testrelm" [CN=Primary CA,O=testrelm]

  "Secondary CA - testrelm" [CN=Secondary CA,O=testrelm]

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=TESTRELM.TEST]

Therefore, changing the component to pki-core.
This may have been fixed in bug #1318302 in update 4. The new code will import all CA certificates (including 3rd-party and intermediary CA certificates) from the PKCS #12 file.
(In reply to Endi Sukma Dewata from comment #4)
> This may have been fixed in bug #1318302 in update 4. The new code will
> import all CA certificates (including 3rd-party and intermediary CA
> certificates) from the PKCS #12 file.

The comment above refers to RHEL 7.2; as this bug is a RHEL 7.3 bug, and not a RHEL 7.2 bug, it is a potential duplicate of RHEL 7.3 'Bugzilla Bug #1301546 - pkispawn ignores 3rd party CA certs in pki_clone_pkcs12_path'.
I was unable to reproduce with master and replica both RHEL 7.2 with package versions:

- ipa-server-4.2.0-15.el7_2.6.x86_64
- pki-server-10.2.5-6.el7.noarch
- pki-base-10.2.5-6.el7.noarch
- pki-ca-10.2.5-6.el7.noarch

The certification chain was:

- C=AU, L=Brisbane, O=Red Hat, Inc, OU=ftweedal, CN=Test CA 201604041410
  `- C=AU, L=Brisbane, O=Red Hat, Inc., OU=ftweedal, CN=Test Sub-CA 201604041620
     `- O=IPA.LOCAL 201604041624, CN=Certificate Authority

Procedure followed was:

1. On master: `ipa-server-install --subject "IPA.LOCAL 201604041624" --external-ca`
2. Sign certificate
3. On master: `ipa-server-install --subject "IPA.LOCAL 201604041624" --external-cert-file /path/to/ipa.crt --external-cert-file /path/to/subca.crt --external-cert-file /path/to/ca.crt`
4. On master: `ipa-replica-prepare`
5. On replica: `ipa-replica-install <replica-file> --setup-ca`

Am I missing some important context on how to reproduce this issue?
Have reproduced and analysed the issue; added upstream ticket; patch imminent.
ftweedal pushed a fix to master:

* 970fcc3b14f3a3fd5579aaa0259d289d82cff13d
Verified.

Version ::

pki-ca-10.3.3-5.el7.noarch

Results ::

#########################################################################
######################### ON MASTER #####################################
#########################################################################

[root@rhel7-1 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 \
> --reverse-zone=122.168.192.in-addr.arpa. --allow-zone-overlap \
> -n example.com -r EXAMPLE.COM -a Secret123 -p Secret123 -U --external-ca

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host rhel7-1.example.com
Checking DNS domain example.com., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       rhel7-1.example.com
IP address(es): 192.168.122.71
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Forward policy:   only
Reverse zone(s):  122.168.192.in-addr.arpa.

Adding [192.168.122.71 rhel7-1.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

[root@rhel7-1 ~]# CADIR=/root/RootCA
[root@rhel7-1 ~]# mkdir $CADIR
[root@rhel7-1 ~]# cd $CADIR
[root@rhel7-1 RootCA]# rm -f *
[root@rhel7-1 RootCA]# echo Secret123 > $CADIR/mypass1
[root@rhel7-1 RootCA]# certutil -N -d $CADIR -f $CADIR/mypass1
[root@rhel7-1 RootCA]# SERNUM=$RANDOM
[root@rhel7-1 RootCA]# SERNUM=$(( SERNUM += 1 ))
[root@rhel7-1 RootCA]#
[root@rhel7-1 RootCA]# echo -e "y\n10\ny\n" | \
> certutil -S -d $CADIR \
> -n RootCA \
> -s "CN=MyRootCA, O=fakerealm1" \
> -x \
> -t "CTu,CTu,CTu" \
> -g 2048 \
> -m $SERNUM\
> -v 60 \
> -z /etc/group \
> -2 \
> --keyUsage certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -f $CADIR/mypass1

Generating key. This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.
[root@rhel7-1 RootCA]# certutil -R -d $CADIR \
> -s "cn=MySubCA, O=fakerealm1" \
> -g 2048 \
> -z /etc/group \
> -o /root/subca.csr \
> -f $CADIR/mypass1 \
> -a

Generating key. This may take a few moments...

[root@rhel7-1 RootCA]# echo -e "y\n10\ny\n" | \
> certutil -C -d $CADIR \
> -c RootCA \
> -m $SERNUM \
> -v 60 \
> -2 \
> --keyUsage digitalSignature,nonRepudiation,certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -i /root/subca.csr \
> -o /root/subca.crt \
> -f $CADIR/mypass1 \
> -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
[root@rhel7-1 RootCA]# certutil -A -d $CADIR \
> -n SubCA \
> -i /root/subca.crt \
> -t "CTu,Cu,Cu" \
> -f $CADIR/mypass1
Notice: Trust flag u is set automatically if the private key is present.
[root@rhel7-1 RootCA]# certutil -L -d $CADIR

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

RootCA                                                       CTu,Cu,Cu
SubCA                                                        CTu,Cu,Cu
[root@rhel7-1 RootCA]# SERNUM=$(( SERNUM += 1 ))
[root@rhel7-1 RootCA]# echo -e "y\n10\ny\n" | \
> certutil -C -d $CADIR \
> -c SubCA \
> -m $SERNUM \
> -v 60 \
> -2 \
> --keyUsage digitalSignature,nonRepudiation,certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -i /root/ipa.csr \
> -o /root/ipa.crt \
> -f $CADIR/mypass1 \
> -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
[root@rhel7-1 RootCA]# certutil -L -d $CADIR -n SubCA -a >> /root/subca-chain.asc
[root@rhel7-1 RootCA]# certutil -L -d $CADIR -n RootCA -a >> /root/rootca-chain.asc

ipa-server-install -p Secret123 --external-cert-file=/root/ipa.crt --external-cert-file=/root/subca-chain.asc --external-cert-file=/root/rootca-chain.asc

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host rhel7-1.example.com
Checking DNS domain example.com., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       rhel7-1.example.com
IP address(es): 192.168.122.71
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Forward policy:   only
Reverse zone(s):  122.168.192.in-addr.arpa.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
  [3/31]: stopping certificate server instance to update CS.cfg
  [4/31]: backing up CS.cfg
  [5/31]: disabling nonces
  [6/31]: set up CRL publishing
  [7/31]: enable PKIX certificate path discovery and validation
  [8/31]: starting certificate server instance
  [9/31]: creating RA agent certificate database
  [10/31]: importing CA chain to RA certificate database
  [11/31]: fixing RA database permissions
  [12/31]: setting up signing cert profile
  [13/31]: setting audit signing renewal to 2 years
  [14/31]: restarting certificate server
  [15/31]: requesting RA certificate from CA
  [16/31]: issuing RA agent certificate
  [17/31]: adding RA agent as a trusted user
  [18/31]: authorizing RA to modify profiles
  [19/31]: authorizing RA to manage lightweight CAs
  [20/31]: Ensure lightweight CAs container exists
  [21/31]: configure certmonger for renewals
  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [3/9]: initialize kerberos container
  [4/9]: adding default ACIs
  [5/9]: creating a keytab for the directory
  [6/9]: creating a keytab for the machine
  [7/9]: adding the password extension to the directory
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: configure certmonger for renewals
  [9/21]: setting up httpd keytab
  [10/21]: setting up ssl
  [11/21]: importing CA certificates from LDAP
  [12/21]: setting up browser autoconfig
  [13/21]: publish CA cert
  [14/21]: clean up any existing httpd ccache
  [15/21]: configuring SELinux for httpd
  [16/21]: create KDC proxy user
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: restarting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: rhel7-1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://rhel7-1.example.com/ipa/json
Forwarding 'schema' to json server 'https://rhel7-1.example.com/ipa/json'
trying https://rhel7-1.example.com/ipa/session/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas.
The password for these files is the Directory Manager password
[root@rhel7-1 RootCA]# kinit admin
Password for admin:

#########################################################################
######################### ON REPLICA ####################################
#########################################################################

# pointed /etc/resolv.conf to master
[root@rhel7-2 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -P admin -w Secret123
Configuring client side components
WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: rhel7-2.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=MyRootCA,O=fakerealm1
    Issuer:      CN=MyRootCA,O=fakerealm1
    Valid From:  Tue Aug 09 19:44:32 2016 UTC
    Valid Until: Mon Aug 09 19:44:32 2021 UTC

    Subject:     CN=MySubCA,O=fakerealm1
    Issuer:      CN=MyRootCA,O=fakerealm1
    Valid From:  Tue Aug 09 19:59:37 2016 UTC
    Valid Until: Mon Aug 09 19:59:37 2021 UTC

    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=MySubCA,O=fakerealm1
    Valid From:  Tue Aug 09 20:02:04 2016 UTC
    Valid Until: Mon Aug 09 20:02:04 2021 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'schema' to json server 'https://rhel7-1.example.com/ipa/json'
trying https://rhel7-1.example.com/ipa/session/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/session/json'
Systemwide CA database updated.
Hostname (rhel7-2.example.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.122.72.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

ipa : ERROR Reverse DNS resolution of address 192.168.122.72 (rhel7-2.example.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded
  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Generating ipa-custodia keys
  [3/5]: Importing RA Key
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss cipher suite
  [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/19]: setting mod_nss password file
  [5/19]: enabling mod_nss renegotiate
  [6/19]: adding URL rewriting rules
  [7/19]: configuring httpd
  [8/19]: configure certmonger for renewals
  [9/19]: setting up httpd keytab
  [10/19]: setting up ssl
  [11/19]: importing CA certificates from LDAP
  [12/19]: clean up any existing httpd ccache
  [13/19]: configuring SELinux for httpd
  [14/19]: create KDC proxy user
  [15/19]: create KDC proxy config
  [16/19]: enable KDC proxy
  [17/19]: restarting httpd
  [18/19]: configuring httpd to start on boot
  [19/19]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: creating certificate server db
  [3/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
  [4/25]: creating installation admin user
  [5/25]: setting up certificate server
  [6/25]: stopping instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: set up client auth to db
  [12/25]: destroying installation admin user
  [13/25]: Ensure lightweight CAs container exists
  [14/25]: Configure lightweight CA key retrieval
  [15/25]: starting instance
  [16/25]: importing CA chain to RA certificate database
  [17/25]: fixing RA database permissions
  [18/25]: setting up signing cert profile
  [19/25]: setting audit signing renewal to 2 years
  [20/25]: configure certificate renewals
  [21/25]: configure Server-Cert certificate renewal
  [22/25]: Configure HTTP to proxy connections
  [23/25]: updating IPA configuration
  [24/25]: Restart HTTP server to pick up changes
  [25/25]: enabling CA instance
Done configuring certificate server (pki-tomcatd).
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
[root@rhel7-2 ~]# kinit admin
Password for admin:
[root@rhel7-2 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert External CA #2                                 CT,C,C
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert External CA                                    ,,
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
Ok, I talked to Fraser and I didn't sign my IPA csr correctly so that it had the same serial number as the Sub CA. I'm moving back to ON_QA while I re-run my verification.
Verified correctly this time. Note that below the SubCA and IPA cert serial numbers are the same.

Version ::

pki-ca-10.3.3-5.el7.noarch

Results ::

############################################################################
########################## ON REPLICA ######################################
############################################################################

[root@rhel7-1 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 \
> --reverse-zone=122.168.192.in-addr.arpa. --allow-zone-overlap \
> -n example.com -r EXAMPLE.COM -a Secret123 -p Secret123 -U --external-ca

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host rhel7-1.example.com
Checking DNS domain example.com., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       rhel7-1.example.com
IP address(es): 192.168.122.71
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Forward policy:   only
Reverse zone(s):  122.168.192.in-addr.arpa.

Adding [192.168.122.71 rhel7-1.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

[root@rhel7-1 ~]# CADIR=/root/RootCA
[root@rhel7-1 ~]# mkdir $CADIR
[root@rhel7-1 ~]# cd $CADIR
[root@rhel7-1 RootCA]# rm -f *
[root@rhel7-1 RootCA]# echo Secret123 > $CADIR/mypass1
[root@rhel7-1 RootCA]# certutil -N -d $CADIR -f $CADIR/mypass1
[root@rhel7-1 RootCA]# SERNUM=$RANDOM
[root@rhel7-1 RootCA]# SERNUM=$(( SERNUM += 1 ))
[root@rhel7-1 RootCA]# echo -e "y\n10\ny\n" | \
> certutil -S -d $CADIR \
> -n RootCA \
> -s "CN=MyRootCA, O=fakerealm1" \
> -x \
> -t "CTu,CTu,CTu" \
> -g 2048 \
> -m $SERNUM\
> -v 60 \
> -z /etc/group \
> -2 \
> --keyUsage certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -f $CADIR/mypass1

Generating key. This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.
[root@rhel7-1 RootCA]# certutil -R -d $CADIR \
> -s "cn=MySubCA, O=fakerealm1" \
> -g 2048 \
> -z /etc/group \
> -o /root/subca.csr \
> -f $CADIR/mypass1 \
> -a

Generating key. This may take a few moments...

[root@rhel7-1 RootCA]#
[root@rhel7-1 RootCA]# SERNUM=$(( SERNUM += 1 ))
[root@rhel7-1 RootCA]# echo -e "y\n10\ny\n" | \
> certutil -C -d $CADIR \
> -c RootCA \
> -m $SERNUM \
> -v 60 \
> -2 \
> --keyUsage digitalSignature,nonRepudiation,certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -i /root/subca.csr \
> -o /root/subca.crt \
> -f $CADIR/mypass1 \
> -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
[root@rhel7-1 RootCA]# certutil -A -d $CADIR \
> -n SubCA \
> -i /root/subca.crt \
> -t "CTu,Cu,Cu" \
> -f $CADIR/mypass1
Notice: Trust flag u is set automatically if the private key is present.
[root@rhel7-1 RootCA]# echo $SERNUM
19795

^^^^^^^^^^^^^^^^^^^^^^^^^^^^ NOTE HERE WE LEAVE SERNUM ALONE ^^^^^^^^^^^^^^^^^

[root@rhel7-1 RootCA]# echo -e "y\n10\ny\n" | \
> certutil -C -d $CADIR \
> -c SubCA \
> -m $SERNUM \
> -v 60 \
> -2 \
> --keyUsage digitalSignature,nonRepudiation,certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -i /root/ipa.csr \
> -o /root/ipa.crt \
> -f $CADIR/mypass1 \
> -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
[root@rhel7-1 RootCA]# certutil -L -d $CADIR -n SubCA -a >> /root/subca-chain.asc
[root@rhel7-1 RootCA]# certutil -L -d $CADIR -n RootCA -a >> /root/rootca-chain.asc
[root@rhel7-1 RootCA]# ipa-server-install -p Secret123 --external-cert-file=/root/ipa.crt --external-cert-file=/root/subca-chain.asc --external-cert-file=/root/rootca-chain.asc

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host rhel7-1.example.com
Checking DNS domain example.com., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.
The IPA Master Server will be configured with: Hostname: rhel7-1.example.com IP address(es): 192.168.122.71 Domain name: example.com Realm name: EXAMPLE.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.122.1 Forward policy: only Reverse zone(s): 122.168.192.in-addr.arpa. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [1/31]: creating certificate server user [2/31]: configuring certificate server instance [3/31]: stopping certificate server instance to update CS.cfg [4/31]: backing up CS.cfg [5/31]: disabling nonces [6/31]: set up CRL publishing [7/31]: enable PKIX certificate path discovery and validation [8/31]: starting certificate server instance [9/31]: creating RA agent certificate database [10/31]: importing CA chain to RA certificate database [11/31]: fixing RA database permissions [12/31]: setting up signing cert profile [13/31]: setting audit signing renewal to 2 years [14/31]: restarting certificate server [15/31]: requesting RA certificate from CA [16/31]: issuing RA agent certificate [17/31]: adding RA agent as a trusted user [18/31]: authorizing RA to modify profiles [19/31]: authorizing RA to manage lightweight CAs [20/31]: Ensure lightweight CAs container exists [21/31]: configure certmonger for renewals [22/31]: configure certificate renewals [23/31]: configure RA certificate renewal [24/31]: configure Server-Cert certificate renewal [25/31]: Configure HTTP to proxy connections [26/31]: restarting certificate server [27/31]: migrating certificate profiles to LDAP [28/31]: importing IPA certificate profiles [29/31]: adding default CA ACL [30/31]: adding 'ipa' CA entry [31/31]: updating IPA configuration Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv). Estimated time: 10 seconds [1/3]: configuring ssl for ds instance [2/3]: restarting directory server [3/3]: adding CA certificate entry Done configuring directory server (dirsrv). 
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [1/9]: adding kerberos container to the directory [2/9]: configuring KDC [3/9]: initialize kerberos container [4/9]: adding default ACIs [5/9]: creating a keytab for the directory [6/9]: creating a keytab for the machine [7/9]: adding the password extension to the directory [8/9]: starting the KDC [9/9]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Configuring ipa-custodia [1/5]: Generating ipa-custodia config file [2/5]: Making sure custodia container exists [3/5]: Generating ipa-custodia keys [4/5]: starting ipa-custodia [5/5]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Configuring the web interface (httpd). Estimated time: 1 minute [1/21]: setting mod_nss port to 443 [2/21]: setting mod_nss cipher suite [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [4/21]: setting mod_nss password file [5/21]: enabling mod_nss renegotiate [6/21]: adding URL rewriting rules [7/21]: configuring httpd [8/21]: configure certmonger for renewals [9/21]: setting up httpd keytab [10/21]: setting up ssl [11/21]: importing CA certificates from LDAP [12/21]: setting up browser autoconfig [13/21]: publish CA cert [14/21]: clean up any existing httpd ccache [15/21]: configuring SELinux for httpd [16/21]: create KDC proxy user [17/21]: create KDC proxy config [18/21]: enable KDC proxy [19/21]: restarting httpd [20/21]: configuring httpd to start on boot [21/21]: enabling oddjobd Done configuring the web interface (httpd). 
Applying LDAP updates Upgrading IPA: [1/9]: stopping directory server [2/9]: saving configuration [3/9]: disabling listeners [4/9]: enabling DS global lock [5/9]: starting directory server [6/9]: upgrading server [7/9]: stopping directory server [8/9]: restoring configuration [9/9]: starting directory server Done. Restarting the directory server Restarting the KDC Configuring DNS (named) [1/12]: generating rndc key file [2/12]: adding DNS container [3/12]: setting up our zone [4/12]: setting up reverse zone [5/12]: setting up our own record [6/12]: setting up records for other masters [7/12]: adding NS record to the zones [8/12]: setting up kerberos principal [9/12]: setting up named.conf [10/12]: setting up server configuration [11/12]: configuring named to start on boot [12/12]: changing resolv.conf to point to ourselves Done configuring DNS (named). Configuring DNS key synchronization service (ipa-dnskeysyncd) [1/7]: checking status [2/7]: setting up bind-dyndb-ldap working directory [3/7]: setting up kerberos principal [4/7]: setting up SoftHSM [5/7]: adding DNSSEC containers [6/7]: creating replica keys [7/7]: configuring ipa-dnskeysyncd to start on boot Done configuring DNS key synchronization service (ipa-dnskeysyncd). Restarting ipa-dnskeysyncd Restarting named Updating DNS system records Restarting the web server Configuring client side components Using existing certificate '/etc/ipa/ca.crt'. Client hostname: rhel7-1.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: rhel7-1.example.com BaseDN: dc=example,dc=com Skipping synchronizing time with NTP server. 
New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf trying https://rhel7-1.example.com/ipa/json Forwarding 'schema' to json server 'https://rhel7-1.example.com/ipa/json' trying https://rhel7-1.example.com/ipa/session/json Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/session/json' Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/session/json' Systemwide CA database updated. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/session/json' SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring example.com as NIS domain. Client configuration complete. ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. 
The password for these files is the Directory Manager password [root@rhel7-1 RootCA]# kinit admin Password for admin: [root@rhel7-1 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -O -n "caSigningCert cert-pki-ca" "caSigningCert External CA #2" [CN=MyRootCA,O=fakerealm1] "caSigningCert External CA" [CN=MySubCA,O=fakerealm1] "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=EXAMPLE.COM] [root@rhel7-1 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -L -n "caSigningCert External CA #2" | grep Serial Serial Number: 19794 (0x4d52) [root@rhel7-1 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -L -n "caSigningCert External CA" | grep Serial Serial Number: 19795 (0x4d53) [root@rhel7-1 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -L -n "caSigningCert cert-pki-ca" | grep Serial Serial Number: 19795 (0x4d53) #### So, the IPA cert serial number is the same as the SubCA one. ############################################################################ ########################## ON REPLICA ###################################### ############################################################################ [root@rhel7-2 ~]# vi /etc/resolv.conf [root@rhel7-2 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -P admin -w Secret123 Configuring client side components WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled Use --force-ntpd option to disable it and force configuration of ntpd Discovery was successful! Client hostname: rhel7-2.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: rhel7-1.example.com BaseDN: dc=example,dc=com Skipping synchronizing time with NTP server. 
Successfully retrieved CA cert Subject: CN=MyRootCA,O=fakerealm1 Issuer: CN=MyRootCA,O=fakerealm1 Valid From: Tue Aug 09 23:29:40 2016 UTC Valid Until: Mon Aug 09 23:29:40 2021 UTC Subject: CN=MySubCA,O=fakerealm1 Issuer: CN=MyRootCA,O=fakerealm1 Valid From: Tue Aug 09 23:29:55 2016 UTC Valid Until: Mon Aug 09 23:29:55 2021 UTC Subject: CN=Certificate Authority,O=EXAMPLE.COM Issuer: CN=MySubCA,O=fakerealm1 Valid From: Tue Aug 09 23:30:16 2016 UTC Valid Until: Mon Aug 09 23:30:16 2021 UTC Enrolled in IPA realm EXAMPLE.COM Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm EXAMPLE.COM trying https://rhel7-1.example.com/ipa/json Forwarding 'schema' to json server 'https://rhel7-1.example.com/ipa/json' trying https://rhel7-1.example.com/ipa/session/json Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/session/json' Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/session/json' Systemwide CA database updated. Hostname (rhel7-2.example.com) does not have A/AAAA record. Missing reverse record(s) for address(es): 192.168.122.72. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/session/json' SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring example.com as NIS domain. Client configuration complete. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd ipa : ERROR Reverse DNS resolution of address 192.168.122.72 (rhel7-2.example.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) Continue? 
[no]: yes Checking DNS forwarders, please wait ... Run connection check to master Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/44]: creating directory server user [2/44]: creating directory server instance [3/44]: updating configuration in dse.ldif [4/44]: restarting directory server [5/44]: adding default schema [6/44]: enabling memberof plugin [7/44]: enabling winsync plugin [8/44]: configuring replication version plugin [9/44]: enabling IPA enrollment plugin [10/44]: enabling ldapi [11/44]: configuring uniqueness plugin [12/44]: configuring uuid plugin [13/44]: configuring modrdn plugin [14/44]: configuring DNS plugin [15/44]: enabling entryUSN plugin [16/44]: configuring lockout plugin [17/44]: configuring topology plugin [18/44]: creating indices [19/44]: enabling referential integrity plugin [20/44]: configuring certmap.conf [21/44]: configure autobind for root [22/44]: configure new location for managed entries [23/44]: configure dirsrv ccache [24/44]: enabling SASL mapping fallback [25/44]: restarting directory server [26/44]: creating DS keytab [27/44]: retrieving DS Certificate [28/44]: restarting directory server [29/44]: setting up initial replication Starting replication, please wait until this has completed. 
Update in progress, 7 seconds elapsed Update succeeded [30/44]: adding sasl mappings to the directory [31/44]: updating schema [32/44]: setting Auto Member configuration [33/44]: enabling S4U2Proxy delegation [34/44]: importing CA certificates from LDAP [35/44]: initializing group membership [36/44]: adding master entry [37/44]: initializing domain level [38/44]: configuring Posix uid/gid generation [39/44]: adding replication acis [40/44]: enabling compatibility plugin [41/44]: activating sidgen plugin [42/44]: activating extdom plugin [43/44]: tuning directory server [44/44]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring ipa-custodia [1/5]: Generating ipa-custodia config file [2/5]: Generating ipa-custodia keys [3/5]: Importing RA Key /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning [4/5]: starting ipa-custodia [5/5]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [1/4]: configuring KDC [2/4]: adding the password extension to the directory [3/4]: starting the KDC [4/4]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd). 
Estimated time: 1 minute [1/19]: setting mod_nss port to 443 [2/19]: setting mod_nss cipher suite [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [4/19]: setting mod_nss password file [5/19]: enabling mod_nss renegotiate [6/19]: adding URL rewriting rules [7/19]: configuring httpd [8/19]: configure certmonger for renewals [9/19]: setting up httpd keytab [10/19]: setting up ssl [11/19]: importing CA certificates from LDAP [12/19]: clean up any existing httpd ccache [13/19]: configuring SELinux for httpd [14/19]: create KDC proxy user [15/19]: create KDC proxy config [16/19]: enable KDC proxy [17/19]: restarting httpd [18/19]: configuring httpd to start on boot [19/19]: enabling oddjobd Done configuring the web interface (httpd). Applying LDAP updates Upgrading IPA: [1/9]: stopping directory server [2/9]: saving configuration [3/9]: disabling listeners [4/9]: enabling DS global lock [5/9]: starting directory server [6/9]: upgrading server [7/9]: stopping directory server [8/9]: restoring configuration [9/9]: starting directory server Done. Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [1/25]: creating certificate server user [2/25]: creating certificate server db [3/25]: setting up initial replication Starting replication, please wait until this has completed. 
Update in progress, 10 seconds elapsed Update succeeded [4/25]: creating installation admin user [5/25]: setting up certificate server [6/25]: stopping instance to update CS.cfg [7/25]: backing up CS.cfg [8/25]: disabling nonces [9/25]: set up CRL publishing [10/25]: enable PKIX certificate path discovery and validation [11/25]: set up client auth to db [12/25]: destroying installation admin user [13/25]: Ensure lightweight CAs container exists [14/25]: Configure lightweight CA key retrieval [15/25]: starting instance [16/25]: importing CA chain to RA certificate database [17/25]: fixing RA database permissions [18/25]: setting up signing cert profile [19/25]: setting audit signing renewal to 2 years [20/25]: configure certificate renewals [21/25]: configure Server-Cert certificate renewal [22/25]: Configure HTTP to proxy connections [23/25]: updating IPA configuration [24/25]: Restart HTTP server to pick up changes [25/25]: enabling CA instance Done configuring certificate server (pki-tomcatd). Configuring DNS (named) [1/8]: generating rndc key file [2/8]: setting up our own record [3/8]: adding NS record to the zones [4/8]: setting up kerberos principal [5/8]: setting up named.conf [6/8]: setting up server configuration [7/8]: configuring named to start on boot [8/8]: changing resolv.conf to point to ourselves Done configuring DNS (named). Configuring DNS key synchronization service (ipa-dnskeysyncd) [1/7]: checking status [2/7]: setting up bind-dyndb-ldap working directory [3/7]: setting up kerberos principal [4/7]: setting up SoftHSM [5/7]: adding DNSSEC containers [6/7]: creating replica keys [7/7]: configuring ipa-dnskeysyncd to start on boot Done configuring DNS key synchronization service (ipa-dnskeysyncd). 
Restarting ipa-dnskeysyncd Restarting named Updating DNS system records Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files [root@rhel7-2 ~]# kinit admin Password for admin: [root@rhel7-2 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -O -n "caSigningCert cert-pki-ca" "caSigningCert External CA #2" [CN=MyRootCA,O=fakerealm1] "caSigningCert External CA" [CN=MySubCA,O=fakerealm1] "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=EXAMPLE.COM] [root@rhel7-2 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -L -n "caSigningCert External CA #2" | grep Serial Serial Number: 19794 (0x4d52) [root@rhel7-2 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -L -n "caSigningCert External CA" | grep Serial Serial Number: 19795 (0x4d53) [root@rhel7-2 ~]# certutil -d /var/lib/pki/pki-tomcat/alias -L -n "caSigningCert cert-pki-ca" | grep Serial Serial Number: 19795 (0x4d53)
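The verification above deliberately leaves SERNUM unchanged so that the external sub-CA certificate and the IPA CA certificate both carry serial number 19795 under different issuers. That is legal (RFC 5280 requires serial numbers to be unique only per issuer), but it trips up any chain builder that identifies a certificate by its serial alone instead of by (issuer, serial) or by walking issuer-to-subject links. The following is an added illustration, not code from this bug report, from FreeIPA or from pki-core: the certificate records are constructed from the certutil output above (nicknames, DNs and serials as shown), and the three functions contrast a serial-only store with an (issuer, serial) store and an issuer-link chain walk.

```python
"""Chain building when two certificates in a chain share a serial number.

Added illustration (not code from the bug report, FreeIPA or pki-core).
The Cert records are constructed from the verification transcript: the
external sub-CA and the IPA CA both have serial 19795, issued by
different CAs. RFC 5280 only requires a serial to be unique per issuer,
so a store keyed on the serial alone cannot hold this chain, while a
store keyed on (issuer, serial) and a chain walk on issuer -> subject
links handle it without trouble.
"""
from collections import namedtuple

# Minimal stand-in for the X.509 fields a chain builder needs (assumption:
# a real implementation would extract these from DER with a proper parser).
Cert = namedtuple("Cert", "nickname subject issuer serial")

# Constructed from the certutil output in the verification comment.
ROOT_CA = Cert("caSigningCert External CA #2", "CN=MyRootCA,O=fakerealm1",
               "CN=MyRootCA,O=fakerealm1", 19794)
SUB_CA = Cert("caSigningCert External CA", "CN=MySubCA,O=fakerealm1",
              "CN=MyRootCA,O=fakerealm1", 19795)
IPA_CA = Cert("caSigningCert cert-pki-ca",
              "CN=Certificate Authority,O=EXAMPLE.COM",
              "CN=MySubCA,O=fakerealm1", 19795)
CHAIN_CERTS = [ROOT_CA, SUB_CA, IPA_CA]


def index_by_serial(certs):
    """Fragile store: serial alone as the key. Raises on this chain."""
    store = {}
    for cert in certs:
        if cert.serial in store:
            raise ValueError("serial %d already used by %r"
                             % (cert.serial, store[cert.serial].nickname))
        store[cert.serial] = cert
    return store


def index_by_issuer_serial(certs):
    """RFC 5280-correct store: (issuer DN, serial) identifies a certificate."""
    store = {}
    for cert in certs:
        key = (cert.issuer, cert.serial)
        if key in store:
            raise ValueError("duplicate (issuer, serial) %r" % (key,))
        store[key] = cert
    return store


def build_chain(leaf, certs):
    """Walk issuer -> subject links from leaf up to a self-signed root.

    Returns the chain leaf-first. Serial numbers play no part in the walk,
    so the shared serial is irrelevant here.
    """
    by_subject = {c.subject: c for c in certs}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while current.issuer != current.subject:
        parent = by_subject.get(current.issuer)
        if parent is None:
            raise ValueError("no issuer certificate for %r" % current.subject)
        if parent.subject in seen:
            raise ValueError("issuer loop at %r" % parent.subject)
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def serial_collisions(certs):
    """Classify reused serials: across issuers is legal, within one is not.

    Returns (across_issuers, within_issuer) as sorted lists of serials.
    """
    issuers_by_serial = {}
    for cert in certs:
        issuers_by_serial.setdefault(cert.serial, []).append(cert.issuer)
    across, within = [], []
    for serial, issuers in issuers_by_serial.items():
        if len(set(issuers)) > 1:
            across.append(serial)
        if len(issuers) != len(set(issuers)):
            within.append(serial)
    return sorted(across), sorted(within)


if __name__ == "__main__":
    print("reused across issuers / within issuer:", serial_collisions(CHAIN_CERTS))
    for depth, cert in enumerate(build_chain(IPA_CA, CHAIN_CERTS)):
        print("  " * depth + "%s [%s] serial %d" % (cert.nickname, cert.subject, cert.serial))
    try:
        index_by_serial(CHAIN_CERTS)
    except ValueError as exc:
        print("serial-only store fails:", exc)
    print("(issuer, serial) store holds", len(index_by_issuer_serial(CHAIN_CERTS)), "certs")
```

Running the block reproduces the page's condition: the serial-only store raises on the second 19795, the (issuer, serial) store holds all three certificates, and the chain walk returns IPA CA, sub-CA, root in that order. The `serial_collisions` helper is the check to keep around when importing an external chain into a CA instance: a serial reused across issuers is expected and fine, a serial reused under the same issuer is a real defect in the issuing CA.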
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html