Red Hat Bugzilla – Bug 1385816
ipa-cacert-manage renew on replica fails
Last modified: 2017-08-01 05:42:02 EDT
Description of problem:
ipa-cacert-manage renew on replica fails

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7

How reproducible:
Always

Steps to Reproduce:
1. Install IPA Master/Replica
2. ipa-cacert-manage renew on Replica

Actual results:
Renew CA Cert on Replica fails

Expected results:
Renew CA Cert on Replica succeeds

Additional info:
On replica:

[root@bkr-hv03-guest43 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20161017145558', please check the request manually

After manually resubmitting the request, it works:

[root@bkr-hv03-guest43 ~]# ipa-getcert resubmit -i 20161017145558
Resubmitting "20161017145558" to "dogtag-ipa-ca-renew-agent".

[root@bkr-hv03-guest43 ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w $ROOTDNPWD -b cn=CA,cn=$REPLICA,cn=masters,cn=ipa,cn=etc,$BASEDN | grep caRenewalMaster
ipaConfigString: caRenewalMaster
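The manual workaround from the description (confirm that the replica actually holds the caRenewalMaster flag, then resubmit the certmonger request named in the error) as a small POSIX shell helper. This is an added example, not code from the bug report or from FreeIPA: the function names are my own, the two sample outputs are constructed to match the shapes shown above, and the helper only prints the command an operator should run next rather than executing it.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeIPA). Decide what to do when
# `ipa-cacert-manage renew` on a replica reports a certmonger resubmit error.
#
# Both inputs are passed as text so the script runs offline. On a real replica
# you would capture them with (assumed invocation, same as in the report):
#   RENEW_OUT=$(ipa-cacert-manage renew 2>&1)
#   LDAP_OUT=$(ldapsearch -xLLL -D "cn=Directory Manager" -w "$ROOTDNPWD" \
#       -b "cn=CA,cn=$REPLICA,cn=masters,cn=ipa,cn=etc,$BASEDN" ipaConfigString)

# Print the certmonger request ID named in the error line, or nothing.
extract_request_id() {
    sed -n "s/.*Error resubmitting certmonger request '\([0-9][0-9]*\)'.*/\1/p"
}

# Succeed if the ldapsearch output marks this host as the CA renewal master.
is_renewal_master() {
    grep -q '^ipaConfigString: caRenewalMaster$'
}

# Given the renew output and the ldapsearch output, print the next step.
# Returns 1 when the failure is not the resubmit error this bug describes.
ca_renew_next_step() {
    renew_out=$1
    ldap_out=$2
    if printf '%s\n' "$renew_out" | grep -q 'CA certificate successfully renewed'; then
        echo "ok: nothing to do"
        return 0
    fi
    req=$(printf '%s\n' "$renew_out" | extract_request_id)
    if [ -z "$req" ]; then
        echo "unknown failure: check the certmonger log in the system journal"
        return 1
    fi
    if printf '%s\n' "$ldap_out" | is_renewal_master; then
        echo "resubmit: ipa-getcert resubmit -i $req"
    else
        echo "this host is not caRenewalMaster: run the renewal on the host whose CA entry carries ipaConfigString: caRenewalMaster"
    fi
    return 0
}

# Constructed sample outputs, shaped like the ones in the report above.
SAMPLE_RENEW_FAIL="Renewing CA certificate, please wait
Error resubmitting certmonger request '20161017145558', please check the request manually"
SAMPLE_RENEW_OK="Renewing CA certificate, please wait
CA certificate successfully renewed"
SAMPLE_LDAP_MASTER="dn: cn=CA,cn=replica1.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster"
SAMPLE_LDAP_OTHER="dn: cn=CA,cn=replica1.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test
ipaConfigString: enabledService"

# Demo run on the constructed samples.
ca_renew_next_step "$SAMPLE_RENEW_FAIL" "$SAMPLE_LDAP_MASTER"
ca_renew_next_step "$SAMPLE_RENEW_FAIL" "$SAMPLE_LDAP_OTHER"
ca_renew_next_step "$SAMPLE_RENEW_OK" "$SAMPLE_LDAP_MASTER"
```

Feed it the real captured outputs and it tells you whether the replica is the right place to resubmit at all; the page's own observation is that the replica in question was caRenewalMaster, so the resubmit path is the one that applied there.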
Could you attach the system log (certmonger logs there) for the first attempt?
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6459
Should be fixed by patch: https://pagure.io/freeipa/c/052de43
Already part of RHEL 7.4 - went there with the rebase.
Verified on:
ipa-server-4.5.0-9.el7.x86_64
pki-server-10.4.1-4.el7.noarch
selinux-policy-3.13.1-152.el7.noarch

[root@master ~]# getenforce
Enforcing
[root@replica1 ~]# getenforce
Enforcing

1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U
<snip>
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@master ~]#

2. Install ipa-replica

[root@replica1 ~]# ipa-replica-install -U -P admin -w XXX --server master.testrelm.test -n testrelm.test --setup-ca
<snip>
  [26/27]: enabling CA instance
  [27/27]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC

3. Run ipa-cacert-manage renew

[root@replica1 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
[root@replica1 ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304