Hi Team, Need help from freeipa,
The FreeIPA replica server is retrieving two certificates from the IPA master server while installing the IPA replica, and the installation fails. Please check the issue below and let us know the fix, and let us know if any more details are required.

Master server: aaa01
Replica server1: dir01 (currently installing replica server)
Replica server2: dirus02 (which was a replica server previously that has been removed from replication)

As noticed while installing the IPA replica server, the replica server retrieves two certificates from the master server and saves them in /etc/ipa/ca.crt. In this process, at the stage "Configuring the web interface (httpd)", we got the below error, i.e. ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255

===============================================
While installing Replica /var/log/ipaclient-install.log
---------------------------------------------------
2022-08-15T13:52:08Z DEBUG stderr=
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2018-04-12 14:15:30
    Valid Until: 2038-04-12 14:15:30

    Subject:     CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2019-01-21 11:54:13
    Valid Until: 2021-01-21 11:54:13

2022-08-15T13:52:11Z DEBUG Starting external process
2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z DEBUG Starting external process
2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=

==================================
While installing replica /var/log/ipareplica-install.log
--------------------------------------------------
2022-08-15T15:07:11Z DEBUG   [14/22]: importing CA certificates from LDAP
2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:11Z DEBUG Process finished, return code=0
2022-08-15T15:07:11Z DEBUG stdout=
2022-08-15T15:07:11Z DEBUG stderr=
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:12Z DEBUG Process finished, return code=255
2022-08-15T15:07:12Z DEBUG stdout=
2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step

Observation in Master server (aaa01) LDAP database:
=======================================
[root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
[root@aaa01~]#
====================

We could see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in the IPA master server GUI as well. We have revoked it too, but it still retrieves the same one and the installation fails every time.
=================
In the ideal case, while installing the replica it has to retrieve only one certificate, i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM, but in this case it retrieves both.

Please let us know if any more details are required, and let us know how we can fix this issue without impact on the whole setup.

ipaCertIssuerSerial
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1 [which is a valid certificate]
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [invalid certificate retrieved from the IPA master while installing the IPA replica]

[root@aaa01]# ipa cert-show
  Serial number: 32
  Issuing CA: ipa
  Certificate: MIIFGTCCBAGgAwIBAgIBIDANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBJUEEuT05NT0JJTEUuQ09NMR4wHAYDVQQ
DDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwMTIxMTE1NDEzWhcNMjEwMTIxMTE1NDEzWjBMMRkwFwYDVQQKDBBJUEEuT
05NT0JJTEUuQ09NMS8wLQYDVQQDDCZkaXJ1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTCCASIwDQYJKoZIhvcNAQE
BBQADggEPADCCAQoCggEBAKln0qNlB+38cXbyOurkVgK+GMYM9loUVFAvZGlydXMwMi1taWEtdGxmbi1vbXVzLmlwYS5vbm1vYmlsZS5
jb21ASVBBLk9OTU9CSUxFLkNPTaBbBgYrBgEFAgKgUTBPoBIbEElQQS5PTk1PQklMRS5DT02hOTA3oAMCAQGhMDAuGwRIVFRQGyZkaXJ
1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAcFbSY4tVpZHWVDGsahRNfCqv/x/xCT
BEYHvCSdycHAV7Ogq6zEENviRDOEOYqe1x7BxyF7B/hhB3PX2uqYmFrgPffyfwCxGZb0DRnnOLnwldxe3QdwjIIuUptY9fOgvbjx+bd5iLIgNp
aAZcN70PePdPA0xYpAo3CQkowCojAke2QGsPp6DrXS1wRrE4maH0LmEtu56hSbARoN4DgJ91PKgPkZ+BNyq9BmoPTRsxpAGBvms2SAbx
q1iUmNcVCurqvF/Gu2Z8L5rlpPiVjSbup9Zq5LuhLtfeMsgrwfZOcwZQfSCCykMUH9eAipvsNoHvPxiJeHhDk8Zx+cADESTL4w==
  Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
  Subject DNS name: dirus02.ipa.subdomain.com
  Subject UPN: HTTP/[email protected]
  Subject Kerberos principal name: HTTP/[email protected]
  Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
  Not Before: Mon Jan 21 11:54:13 2019 UTC
  Not After: Thu Jan 21 11:54:13 2021 UTC
  Serial number: 32
  Serial number (hex): 0x20
  Revoked: True
  Revocation reason: 2
[root@aaa01~]#

Regards
ManideepSai
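A quick way to see what went wrong in the log above is to check the certificates that ipa-client-install reports as "retrieved CA cert" against two CA-bundle expectations: each entry should be self-issued (Subject equal to Issuer, as the IPA CA is) and still within its validity period. The script below is an added example written for this thread, not FreeIPA project code; it parses the log format quoted in the message (a constructed sample built from those lines is embedded) and flags the dirus02 HTTP server certificate on both counts. The Subject == Issuer test is only a heuristic for a self-signed root, since the log does not expose the basicConstraints CA flag.

```python
"""Sanity-check the CA certificates an IPA client/replica retrieved from LDAP.

Added example for this thread (not FreeIPA project code). It parses the
"Successfully retrieved CA cert" block that ipa-client-install writes to
/var/log/ipaclient-install.log and flags entries that do not look like the
IPA CA certificate: a Subject that differs from its Issuer (a leaf or an
intermediate rather than the self-signed CA), or a validity period that has
already ended at the time of the install.
"""
from datetime import datetime
import re

# Constructed sample: the relevant lines quoted in the thread's
# ipaclient-install.log (hostnames as given in the message).
SAMPLE_LOG = """\
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2018-04-12 14:15:30
    Valid Until: 2038-04-12 14:15:30

    Subject:     CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2019-01-21 11:54:13
    Valid Until: 2021-01-21 11:54:13

2022-08-15T13:52:11Z DEBUG Starting external process
"""

FIELD_RE = re.compile(r"^\s*(Subject|Issuer|Valid From|Valid Until):\s*(.*?)\s*$")
RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z ")  # start of a new log record
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_retrieved_certs(log_text):
    """Return one dict per certificate listed after the INFO line.

    Blocks are separated by blank lines; the listing ends at the next
    timestamped log record.
    """
    certs, current, in_block = [], {}, False
    for line in log_text.splitlines():
        if "Successfully retrieved CA cert" in line:
            in_block = True
            continue
        if not in_block:
            continue
        if RECORD_RE.match(line):
            break
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            certs.append(current)
            current = {}
    if current:
        certs.append(current)
    return certs


def check_ca_bundle(certs, at):
    """Return (subject, reason) findings for entries that do not belong in a CA bundle.

    `at` is a "YYYY-MM-DD HH:MM:SS" string, normally the install timestamp.
    Subject == Issuer is a heuristic for a self-signed root; the definitive
    check is the basicConstraints CA flag in the certificate itself.
    """
    now = datetime.strptime(at, TS_FMT)
    findings = []
    for c in certs:
        if c["Subject"] != c["Issuer"]:
            findings.append((c["Subject"], "not self-issued: looks like a service/leaf certificate, not the IPA CA"))
        until = datetime.strptime(c["Valid Until"], TS_FMT)
        if until < now:
            findings.append((c["Subject"], "expired on " + until.isoformat()))
    return findings


def audit_log(log_text, at):
    """Parse the log and return the findings for the certificates it lists."""
    return check_ca_bundle(parse_retrieved_certs(log_text), at)


if __name__ == "__main__":
    # Use the timestamp of the INFO line as the reference time.
    for subject, reason in audit_log(SAMPLE_LOG, "2022-08-15 13:52:11"):
        print("WARNING: %s: %s" % (subject, reason))
```

Run against the sample it reports the dirus02 certificate twice (not self-issued, and expired in January 2021) and nothing for the IPA CA. On a real host the same check can be applied to the file the installer writes, /etc/ipa/ca.crt, by inspecting each PEM entry's basicConstraints with the X.509 tooling of your choice; any entry that is not a CA certificate should not be in that bundle.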
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
