Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1419735 - ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted)
ipa-replica-install fails promotecustodia.create_replica with cert errors (un...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.3
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: IPA Maintainers
Michal Reznik
: ZStream
Depends On:
Blocks: 1429872
  Show dependency treegraph
 
Reported: 2017-02-06 17:40 EST by Amy Farley
Modified: 2017-08-01 05:44 EDT (History)
10 users (show)

See Also:
Fixed In Version: ipa-4.4.0-14.el7.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1429872 (view as bug list)
Environment:
Last Closed: 2017-08-01 05:44:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2953241 None None None 2017-03-03 07:15 EST
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 08:41:35 EDT

  None (edit)
Comment 11 Petr Vobornik 2017-02-17 12:06:45 EST 
Just public recap: we need to retest workflow:

1. install ipa-server as self-signed CA
2. issue CA cert signed by
   a) dogtag CA
   b) AD CA
3. use "Self-signed CA certificate → externally-signed CA certificate" method for both types (a and b) of CA cert.
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

4. Run ipa-certupdate
5. Attempt to install replica

It fails in step "[3/5]: Importing RA Key" with: 


    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 97, in fetch_key
    params={'type': 'kem', 'value': request})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)

2017-01-26T16:49:04Z DEBUG The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-01-26T16:49:04Z ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)


Workflow where first IPA server is installed with --external-ca right away works for CA cert issued by DogTag CA. We need to retest and fix issuing with AD CA - bug 1322963 or upstream #5799
Comment 12 Petr Vobornik 2017-02-17 12:09:47 EST 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6686
Comment 34 Michal Reznik 2017-05-18 05:20:36 EDT 
Verified on:

ipa-server-4.5.0-9.el7.x86_64

Steps as per BZ 1429872 comment #6.

1. Install CA-less ipa-server

root@master ~]# ipa-server-install --ip-address $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --no-pkinit

<snip>
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
 1. You must make sure these network ports are open:
  TCP Ports:
    * 80, 443: HTTP/HTTPS
    * 389, 636: LDAP/LDAPS
    * 88, 464: kerberos
    * 53: bind
  UDP Ports:
    * 88, 464: kerberos
    * 53: bind
    * 123: ntp

 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
[root@master ~]# 

2. Install CA-less replica

[root@replica1 ~]# ipa-client-install -U --domain testrelm.test --realm TESTRELM.TEST -p admin -w XXX --server master.testrelm.test
[root@replica1 ~]# ipa-replica-install -U --dirsrv-cert-file=./replica.p12 --http-cert-file=./replica.p12 --dirsrv-pin XXX --http-pin XXX -P admin -w XXX --no-pkinit

<snip>
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/20]: stopping httpd
  [2/20]: setting mod_nss port to 443
  [3/20]: setting mod_nss cipher suite
  [4/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/20]: setting mod_nss password file
  [6/20]: enabling mod_nss renegotiate
  [7/20]: adding URL rewriting rules
  [8/20]: configuring httpd
  [9/20]: setting up httpd keytab
  [10/20]: configuring Gssproxy
  [11/20]: setting up ssl
  [12/20]: importing CA certificates from LDAP
  [13/20]: publish CA cert
  [14/20]: clean up any existing httpd ccaches
  [15/20]: configuring SELinux for httpd
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: starting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning

3. Check ipactl status

[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@replica1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
Comment 35 errata-xmlrpc 2017-08-01 05:44:33 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.