Hi Rob, can you please help me with this?

Regards,
ManideepSai

-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: Tuesday, August 30, 2022 11:36 PM
To: FreeIPA users list <[email protected]>
Cc: Polavarapu Manideep Sai <[email protected]>
Subject: Re: [Freeipa-users] Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails

Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
> Need help from FreeIPA.
>
> The FreeIPA replica server retrieves two certificates from the IPA master
> server while installing the IPA replica, and the installation fails.
>
> Please check the issue below and let us know the fix, and let us know if
> any more details are required.
>
> Master server: aaa01
> Replica server1: dir01 (currently installing replica server)
> Replica server2: dirus02 (which was a replica server previously that has
> been removed from replication)
>
> As noticed while installing the IPA replica server, the replica server
> retrieves two certificates from the master server and saves them in
> /etc/ipa/ca.crt. In this process, at the stage "Configuring the web
> interface (httpd)", we got the error below, i.e.
>
> ipa-replica-install command failed, exception: CalledProcessError:
> Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t
> ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
>
> ===============================================
>
> While installing replica: /var/log/ipaclient-install.log
> ---------------------------------------------------
>
> 2022-08-15T13:52:08Z DEBUG stderr=
> 2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
> 2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
> 2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
>
> Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Valid From: 2018-04-12 14:15:30
> Valid Until: 2038-04-12 14:15:30
>
> Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Valid From: 2019-01-21 11:54:13
> Valid Until: 2021-01-21 11:54:13
>
> 2022-08-15T13:52:11Z DEBUG Starting external process
> 2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
> 2022-08-15T13:52:15Z DEBUG Process finished, return code=0
> 2022-08-15T13:52:15Z DEBUG stdout=
> 2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=IPA.SUBDOMAIN.COM
>
> 2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
> 2022-08-15T13:52:15Z DEBUG Starting external process
> 2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
> 2022-08-15T13:52:15Z DEBUG Process finished, return code=0
> 2022-08-15T13:52:15Z DEBUG stdout=
>
> ==================================
>
> While installing replica: /var/log/ipareplica-install.log
> --------------------------------------------------
>
> 2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
> 2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2022-08-15T15:07:11Z DEBUG Starting external process
> 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
> 2022-08-15T15:07:11Z DEBUG Process finished, return code=0
> 2022-08-15T15:07:11Z DEBUG stdout=
> 2022-08-15T15:07:11Z DEBUG stderr=
> 2022-08-15T15:07:11Z DEBUG Starting external process
> 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
> 2022-08-15T15:07:12Z DEBUG Process finished, return code=255
> 2022-08-15T15:07:12Z DEBUG stdout=
> 2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
>
> 2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
>
> Observation in the master server (aaa01) LDAP database:
> =======================================
>
> [root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
> ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> [root@aaa01~]#
>
> ====================
>
> We could see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM"
> in the IPA master server GUI as well; we have revoked it too, but it still
> retrieves the same and the installation fails every time.
>
> =================
>
> In the ideal case, while installing the replica it has to retrieve only one
> certificate, i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM, but in this
> case it retrieves
>
> Please let us know if any more details are required, and let us know how we
> can fix this issue without impact on the whole setup.
>
> ipaCertIssuerSerial
>
> ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1 [which is a valid certificate]
> ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [invalid certificate retrieved from the IPA master while installing the IPA replica]
>
> [root@aaa01]# ipa cert-show
>
> Serial number: 32
> Issuing CA: ipa
> Certificate:
> MIIFGTCCBAGgAwIBAgIBIDANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBJUEEuT05NT0JJTEUuQ09NMR4wHAYDVQQ
> DDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwMTIxMTE1NDEzWhcNMjEwMTIxMTE1NDEzWjBMMRkwFwYDVQQKDBBJUEEuT
> 05NT0JJTEUuQ09NMS8wLQYDVQQDDCZkaXJ1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTCCASIwDQYJKoZIhvcNAQE
> BBQADggEPADCCAQoCggEBAKln0qNlB+38cXbyOurkVgK+GMYM9loUVFAvZGlydXMwMi1taWEtdGxmbi1vbXVzLmlwYS5vbm1vYmlsZS5
> jb21ASVBBLk9OTU9CSUxFLkNPTaBbBgYrBgEFAgKgUTBPoBIbEElQQS5PTk1PQklMRS5DT02hOTA3oAMCAQGhMDAuGwRIVFRQGyZkaXJ
> 1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAcFbSY4tVpZHWVDGsahRNfCqv/x/xCT
> BEYHvCSdycHAV7Ogq6zEENviRDOEOYqe1x7BxyF7B/hhB3PX2uqYmFrgPffyfwCxGZb0DRnnOLnwldxe3QdwjIIuUptY9fOgvbjx+bd5iLIgNp
> aAZcN70PePdPA0xYpAo3CQkowCojAke2QGsPp6DrXS1wRrE4maH0LmEtu56hSbARoN4DgJ91PKgPkZ+BNyq9BmoPTRsxpAGBvms2SAbx
> q1iUmNcVCurqvF/Gu2Z8L5rlpPiVjSbup9Zq5LuhLtfeMsgrwfZOcwZQfSCCykMUH9eAipvsNoHvPxiJeHhDk8Zx+cADESTL4w==
>
> Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
> Subject DNS name: dirus02.ipa.subdomain.com
> Subject UPN: HTTP/[email protected]
> Subject Kerberos principal name: HTTP/[email protected]
> Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
> Not Before: Mon Jan 21 11:54:13 2019 UTC
> Not After: Thu Jan 21 11:54:13 2021 UTC
> Serial number: 32
> Serial number (hex): 0x20
> Revoked: True
> Revocation reason: 2
> [root@aaa01~]#

The CA certificates are stored in LDAP under cn=certificates,cn=ipa,cn=etc,dc=example,dc=test (substitute your own basedn). Find the incorrect entry and use ldapdelete to remove it.

If you aren't very familiar with LDAP command-line tools then something like Apache Directory Studio may be a better choice.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
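Rob's advice above, worked through as an added shell example that is not part of the thread and not FreeIPA's own tooling: dump the entries directly under cn=certificates,cn=ipa,cn=etc,$BASEDN, list every entry whose ipaCertSubject is not the CA subject (that is how the revoked dirus02 server certificate shows up as a second "CA"), and only then hand a reviewed DN to ldapdelete. The base DN, the LDAP URI, the Directory Manager bind and the cn of the stale entry in the embedded LDIF sample are assumptions; the sample itself is constructed to mirror the two ipaCertSubject values quoted in the thread, and the real cn on aaa01 is whatever the ldapsearch dump prints.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Locates a stray
# (non-CA) entry in the container FreeIPA serves CA certificates from, so it
# can be removed with ldapdelete as suggested. Assumptions: BASEDN, LDAP_URI
# and the Directory Manager bind below; the SAMPLE_LDIF is constructed.

BASEDN="dc=ipa,dc=example,dc=com"                   # assumption: your own suffix
LDAP_URI="ldap://aaa01.ipa.subdomain.com"            # assumption: the IPA master
CA_SUBJECT="CN=Certificate Authority,O=IPA.SUBDOMAIN.COM"
CERT_CONTAINER="cn=certificates,cn=ipa,cn=etc,$BASEDN"

# Dump every entry one level under the container as unwrapped LDIF.
# Run on the master; -W prompts for the Directory Manager password.
dump_cert_entries() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" \
        -D 'cn=Directory Manager' -W \
        -b "$CERT_CONTAINER" -s one \
        '(ipaCertSubject=*)' ipaCertSubject ipaCertIssuerSerial
}

# Read LDIF on stdin and print the DN of every entry whose ipaCertSubject
# differs from the CA subject given as $1. Base64 "dn::" values are not
# handled, which is fine for the ASCII DNs FreeIPA writes here.
find_stray_entries() {
    awk -v ca="$1" '
        /^dn: /             { dn = substr($0, 5) }
        /^ipaCertSubject: / { subj = substr($0, 17) }
        /^$/                { flush() }
        END                 { flush() }
        function flush() {
            if (dn != "" && subj != ca) print dn
            dn = ""; subj = ""
        }'
}

# Delete one entry by DN. Only pass a DN you have looked at: an externally
# signed IPA CA also keeps its issuing chain in this container, and those
# entries carry the external CA subject and must stay.
delete_cert_entry() {
    ldapdelete -x -H "$LDAP_URI" -D 'cn=Directory Manager' -W "$1"
}

# Constructed sample mirroring the two ipaCertSubject values from the
# thread; the cn of the second entry is a placeholder, not the real name.
SAMPLE_LDIF='dn: cn=IPA.SUBDOMAIN.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1

dn: cn=stale-dirus02-entry,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32
'

# Dry run against the sample: prints only the stale entry's DN.
# Live use on the master:
#   dump_cert_entries | find_stray_entries "$CA_SUBJECT"
#   delete_cert_entry "<the DN you reviewed>"
printf '%s' "$SAMPLE_LDIF" | find_stray_entries "$CA_SUBJECT"
```

The listing step is deliberately separate from the delete step: the container is consulted by every client and replica install to build /etc/ipa/ca.crt, so removing the wrong entry there (for example a legitimate external chain certificate) breaks trust for the whole domain, whereas removing the one stale server-certificate entry is exactly what lets the replica install retrieve only the real CA.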
