Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
> Need help from freeipa,
>
> Free IPA Replica server retrieving two certificates from the IPA master
> server while installing IPA replica and installation fails
>
> please check the below issue and let us know the fix and please let us
> know if any more details required
>
> Master server: aaa01
> Replica server1: dir01 (currently installing replica server)
> Replica server2: dirus02 (which was a replica server previously that has
> been removed from replication)
>
> As noticed while installing ipa replica server, replica server
> retrieving two certificates from the master server, and saving it in
> /etc/ipa/ca.crt in this process at the stage Configuring the web
> interface (httpd) we got the below error i.e.
>
> ipa-replica-install command failed, exception: CalledProcessError:
> Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t
> ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
>
> ===============================================
>
> While installing Replica /var/log/ipaclient-install.log
> ---------------------------------------------------
>
> 2022-08-15T13:52:08Z DEBUG stderr=
> 2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from
> aaa01.ipa.subdomain.com
> 2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache
> url=ldap://aaa01.ipa.subdomain.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
> 2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
>
> Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Valid From: 2018-04-12 14:15:30
> Valid Until: 2038-04-12 14:15:30
>
> Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Valid From: 2019-01-21 11:54:13
> Valid Until: 2021-01-21 11:54:13
>
> 2022-08-15T13:52:11Z DEBUG Starting external process
> 2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s
> aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h
> dirpav01-tfln-mdr1-omes.ipa.subdomain.com
> 2022-08-15T13:52:15Z DEBUG Process finished, return code=0
> 2022-08-15T13:52:15Z DEBUG stdout=
> 2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and
> stored in: /etc/krb5.keytab
> Certificate subject base is: O=IPA.SUBDOMAIN.COM
>
> 2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
> 2022-08-15T13:52:15Z DEBUG Starting external process
> 2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
> 2022-08-15T13:52:15Z DEBUG Process finished, return code=0
> 2022-08-15T13:52:15Z DEBUG stdout=
>
> ==================================
>
> While installing replica /var/log/ipareplica-install.log
> --------------------------------------------------
>
> 2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
> 2022-08-15T15:07:11Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2022-08-15T15:07:11Z DEBUG Starting external process
> 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d
> dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f
> /etc/httpd/alias/pwdfile.txt
> 2022-08-15T15:07:11Z DEBUG Process finished, return code=0
> 2022-08-15T15:07:11Z DEBUG stdout=
> 2022-08-15T15:07:11Z DEBUG stderr=
> 2022-08-15T15:07:11Z DEBUG Starting external process
> 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d
> dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f
> /etc/httpd/alias/pwdfile.txt
> 2022-08-15T15:07:12Z DEBUG Process finished, return code=255
> 2022-08-15T15:07:12Z DEBUG stdout=
> 2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> 2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 567, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 557, in run_step
>
> Observation in Master server (aaa01) ldap database:
> =======================================
>
> [root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX |
> grep "ipaCertSubject"
> ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> [root@aaa01~]#
>
> ====================
> We could see this certificate
> "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in IPA master server
> GUI as well; we have revoked it too, but still it retrieves the same
> and installation fails every time
>
> =================
>
> In ideal case while installing replica it has to retrieve only one
> certificate i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM but this
> case it retrieves
>
> Please let us know if any more details required and let us know how can
> we fix this issue, without impact on whole setup
>
> ipaCertIssuerSerial
>
> ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1
> [which is a valid certificate]
> ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [
> invalid certificate retrieves from ipa master while installing ipa replica]
>
> [root@aaa01]# ipa cert-show
>
> Serial number: 32
> Issuing CA: ipa
> Certificate:
> MIIFGTCCBAGgAwIBAgIBIDANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBJUEEuT05NT0JJTEUuQ09NMR4wHAYDVQQ
> DDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwMTIxMTE1NDEzWhcNMjEwMTIxMTE1NDEzWjBMMRkwFwYDVQQKDBBJUEEuT
> 05NT0JJTEUuQ09NMS8wLQYDVQQDDCZkaXJ1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTCCASIwDQYJKoZIhvcNAQE
> BBQADggEPADCCAQoCggEBAKln0qNlB+38cXbyOurkVgK+GMYM9loUVFAvZGlydXMwMi1taWEtdGxmbi1vbXVzLmlwYS5vbm1vYmlsZS5
> jb21ASVBBLk9OTU9CSUxFLkNPTaBbBgYrBgEFAgKgUTBPoBIbEElQQS5PTk1PQklMRS5DT02hOTA3oAMCAQGhMDAuGwRIVFRQGyZkaXJ
> 1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAcFbSY4tVpZHWVDGsahRNfCqv/x/xCT
> BEYHvCSdycHAV7Ogq6zEENviRDOEOYqe1x7BxyF7B/hhB3PX2uqYmFrgPffyfwCxGZb0DRnnOLnwldxe3QdwjIIuUptY9fOgvbjx+bd5iLIgNp
> aAZcN70PePdPA0xYpAo3CQkowCojAke2QGsPp6DrXS1wRrE4maH0LmEtu56hSbARoN4DgJ91PKgPkZ+BNyq9BmoPTRsxpAGBvms2SAbx
> q1iUmNcVCurqvF/Gu2Z8L5rlpPiVjSbup9Zq5LuhLtfeMsgrwfZOcwZQfSCCykMUH9eAipvsNoHvPxiJeHhDk8Zx+cADESTL4w==
>
> Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> Subject DNS name: dirus02.ipa.subdomain.com
> Subject UPN: HTTP/[email protected]
> Subject Kerberos principal name:
> HTTP/[email protected]
> Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Not Before: Mon Jan 21 11:54:13 2019 UTC
> Not After: Thu Jan 21 11:54:13 2021 UTC
> Serial number: 32
> Serial number (hex): 0x20
> Revoked: True
> Revocation reason: 2
> [root@aaa01~]#

The CA certificates are stored in LDAP under
cn=certificates,cn=ipa,cn=etc,dc=example,dc=test (substitute your own
basedn). Find the incorrect entry and use ldapdelete to remove it. If you
aren't very familiar with LDAP command-line tools then something like
Apache Directory Studio may be a better choice.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
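As an added example that is neither FreeIPA's own code nor part of this thread, the script below does the "find the incorrect entry" step Rob describes in a repeatable way: it parses the LDIF that ldapsearch prints for the cn=certificates container and reports every published certificate whose ipaCertSubject is not a CA subject, then builds the ldapdelete command for that entry. The ipaCertSubject and ipaCertIssuerSerial values in the embedded sample are the ones from the thread; the container DN (built on the dc=ipa,dc=example,dc=com base seen in the ipa-join log), the entry RDNs, and the objectClass are assumptions made for illustration. A small helper also counts certificates in a PEM bundle so the same script can confirm how many certificates landed in the replica's /etc/ipa/ca.crt.

```python
"""Find stray (non-CA) entries in FreeIPA's cn=certificates container.

Added example for this thread; not FreeIPA's own code. Feed it the LDIF
output of ldapsearch on the container and it reports every published
certificate whose subject is not a CA subject, plus the ldapdelete
command that would remove that entry.
"""
import base64
import shlex
import sys

# Constructed sample LDIF. The ipaCertSubject / ipaCertIssuerSerial values
# are the ones reported in the thread; the container DN, the entry RDNs and
# the objectClass are assumptions for illustration, not values from it.
CONTAINER = "cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com"
SAMPLE_LDIF = f"""\
dn: cn=IPA.SUBDOMAIN.COM IPA CA,{CONTAINER}
objectClass: ipaCertificate
cn: IPA.SUBDOMAIN.COM IPA CA
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1

dn: cn=stray-dirus02-cert,{CONTAINER}
objectClass: ipaCertificate
cn: stray-dirus02-cert
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Unfolds continuation lines (leading space), decodes base64 values
    ("attr:: ..."), skips comments, and drops ldapsearch trailer blocks
    that carry no dn (e.g. "search: 2" / "result: 0 Success").
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def find_stray_cert_entries(ldif_text, ca_subjects=None):
    """Return DNs of published certificates that are not CA certificates.

    A certificate counts as a CA certificate when its subject is in
    ca_subjects, or (when ca_subjects is None) when it is self-signed, i.e.
    ipaCertSubject equals the issuer part of ipaCertIssuerSerial. For an
    externally signed IPA CA pass ca_subjects explicitly.
    """
    stray = []
    for entry in parse_ldif(ldif_text):
        if "ipaCertSubject" not in entry:
            continue
        subject = entry["ipaCertSubject"][0]
        issuer = entry.get("ipaCertIssuerSerial", [""])[0].rsplit(";", 1)[0]
        is_ca = (subject in ca_subjects) if ca_subjects is not None else (subject == issuer)
        if not is_ca:
            stray.append(entry["dn"][0])
    return stray


def ldapdelete_command(dn, bind_dn="cn=Directory Manager"):
    """Build the ldapdelete invocation for one entry (-W prompts for the password)."""
    return f"ldapdelete -x -D {shlex.quote(bind_dn)} -W {shlex.quote(dn)}"


def count_pem_certs(pem_text):
    """Count certificates in a PEM bundle such as the replica's /etc/ipa/ca.crt."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Read ldapsearch output from stdin, or fall back to the embedded sample.
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn in find_stray_cert_entries(ldif):
        print("stray certificate entry:", dn)
        print("  remove with:", ldapdelete_command(dn))
```

Run it on the master with something like `ldapsearch -x -LLL -D 'cn=Directory Manager' -W -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com | python3 find_stray_certs.py` (base DN substituted for your own), review the reported DN by hand, and only then run the printed ldapdelete. Two caveats worth keeping in mind: revoking a certificate in the CA, as the reporter did, does not touch this container, so the entry keeps being handed to every new client and replica until it is deleted; and the self-signed heuristic is only right for an IPA CA that signs itself, so with an externally signed CA pass the CA subject(s) to `find_stray_cert_entries` explicitly rather than letting the CA entry itself be flagged.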
