VERSION: 4.6.90.pre1+git20180411, API_VERSION: 2.229
I'm having issues upgrading and/or setting up replication for my
freeipa-server running on ubuntu 18.04. The same problem exists on three
separate installations, making me quite sure it's not a random user error
causing it. All the installations are single-node, with DNS services and a
CA installed, although the CA isn't (yet) used to generate any certificates
for use outside the FreeIPA servers' own mesh of services.
The problem I consistently get essentially boils down to this:
IPA Error 4016: RemoteRetrieveError
Failed to authenticate to CA REST API
No matter whether I try to upgrade, create a replica or just click my way to
"Authentication -> Certificate Authorities -> ipa" (strangely enough, just
clicking "Certificate Authorities" also throws up an error, but after
clicking "ok" the list populates and the only entry, "ipa", is clickable but
never gets me anywhere). I'm confident that fixing this problem would at
least get me along to the next step of the road.
Insofar as I understand it, there was a bug (is, in the version I'm
running) causing renewal of client certificates for the CMS to somehow
fail. That's consistent with what I see when running the following (output
last, for those interested):
getcert list | grep -B1 -A11 CA_REJECTED
The number of certificates listed varies from server to server, with the
oldest installation sporting four rejected certificates.
I've been attempting to work around the issue for several days, using every
trick of every link I've found when searching for others with similar
problems, the most promising of which seemed to be to allow the CMS to
connect to ldap using username and password instead of a client
certificate. That didn't work. Neither did "ipa-backup" followed by
"ipa-restore" on a fresh container installed with identical IP and system
configuration as the original one, so I'm currently at a loss.
Does anyone have any idea how I can get things working again? Pointers to
related issues would also be very helpful, or shortcuts to where I can at
least get the system upgraded to a version that has some sort of proper
documentation.
Unsurprisingly, doing a fresh install and then immediately upgrading to
4.7.1 from the ubuntu freeipa staging ppa works flawlessly, while my
systems fail.
Request ID '20190321175220':
	status: CA_REJECTED
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
	CA: dogtag-ipa-ca-renew-agent
	issuer:
	subject:
	expires: unknown
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190321175221':
	status: CA_REJECTED
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
	CA: dogtag-ipa-ca-renew-agent
	issuer:
	subject:
	expires: unknown
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190321175222':
	status: CA_REJECTED
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
	CA: dogtag-ipa-ca-renew-agent
	issuer:
	subject:
	expires: unknown
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
--
Request ID '20190321175225':
	status: CA_REJECTED
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
	CA: dogtag-ipa-ca-renew-agent
	issuer:
	subject:
	expires: unknown
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
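As an added example (not from the original post, and not FreeIPA's or certmonger's own code), a small Python check that parses `getcert list` output like the one above and reports every tracking request certmonger marks as stuck or rejected by its CA, so an operator can spot failed Dogtag renewals before the CA REST API stops authenticating. The sample output embedded below is constructed, not taken from a real host.

```python
import re

# Constructed sample of `getcert list` output (field subset, not from a real host).
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20190321175220':
\tstatus: CA_REJECTED
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\texpires: unknown
Request ID '20190321175230':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2021-03-21 17:52:25 UTC
"""

REQ_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
NICK_RE = re.compile(r"nickname='(?P<nick>[^']*)'")
# certmonger states in which a renewal will not recover without intervention.
BAD_STATES = {"CA_REJECTED", "CA_UNREACHABLE"}


def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    records, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group("id")}
            records.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # summary header or stray text before the first request
        key, _, value = line.strip().partition(":")
        cur[key.strip()] = value.strip()
    return records


def stuck_requests(records):
    """Return (request id, NSS nickname, CA helper, status) for each request
    that certmonger reports as stuck or in a failed CA state."""
    out = []
    for r in records:
        status = r.get("status", "")
        if r.get("stuck") == "yes" or status in BAD_STATES:
            m = NICK_RE.search(r.get("key pair storage", ""))
            nick = m.group("nick") if m else "?"
            out.append((r["id"], nick, r.get("CA", "?"), status))
    return out


if __name__ == "__main__":
    for req in stuck_requests(parse_getcert(SAMPLE)):
        print("stuck renewal: id=%s nickname=%r ca=%s status=%s" % req)
```

On a live server replace `SAMPLE` with the output of `getcert list` (run as root); a non-empty result for the `dogtag-ipa-ca-renew-agent` entries is the condition the post describes.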