Rejoining to domain but getting error - You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
2:22 p.m.
Hi FreeIPA team,
I'm verifying FreeIPA backup/restore process.
In our lab environment, FreeIPA 4.5.0 was running fine with single instance. I took the
backup. Shutdown the VM.
Created Fresh CentOS 7 VM and install IPA server 4.6.8 and did restore "data
only" backup. FQDN and IP address is same as old VM.
After little troubleshooting all services are working fine. I can see all users & host
- All good.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Now from existing client side, I did ipa-client-install --uninstall. but when i do
ipa-client-install --domain example.com --realm EXAMPLE.COM; but getting below error:
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining:
You are attempting to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
I tried on fresh client but still domain joining is failing with same error.
Any suggestion?
Also someone can share good document for backup/restore process where backup is restored
on completely new & Fresh system... it will be highly appreciated.
Regards,
Anand
3:34 p.m.
New subject: Rejoining to domain but getting error - You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
sharmaji a via FreeIPA-users wrote:
Hi FreeIPA team,
I'm verifying FreeIPA backup/restore process.
In our lab environment, FreeIPA 4.5.0 was running fine with single instance. I took the
backup. Shutdown the VM.
Created Fresh CentOS 7 VM and install IPA server 4.6.8 and did restore "data
only" backup. FQDN and IP address is same as old VM.
After little troubleshooting all services are working fine. I can see all users &
host - All good.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Now from existing client side, I did ipa-client-install --uninstall. but when i do
ipa-client-install --domain example.com --realm EXAMPLE.COM; but getting below error:
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining:
You are attempting to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
I tried on fresh client but still domain joining is failing with same error.
Any suggestion?
Also someone can share good document for backup/restore process where backup is restored
on completely new & Fresh system... it will be highly appreciated.
You don't want to use data-only on a fresh install. You want to do a
full ipa-restore. The underlying installation is going to have certs,
keytabs, etc issued now with a different backend.
It is technically possible but involves stripping out any Kerberos key
material and certificates.
What is the purpose of doing this?
I'll also add that restore should be strictly reserved for catastrophic
failures. It is itself a destructive act.
rob
12:24 p.m.
New subject: Rejoining to domain but getting error - You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Thanks Rob for your reply.
In our situations, we have only left with data-only backup of our IPA server. (For some
reason, both our IPA Master and Replica server got corrupted and are not in recoverable
state.)
So we attempted, data-only restore on Fresh Install of IPA server. We faced issue with
Kerberos and RA key miss match which we fixed. Now we stuck with CA miss match issue.
We suspect CA cert in local files likes NSS db, SLAPd & HTTP alias folder are NOT
matching with CA keys in LDAP, as this KEY came from data-only restore.
So, can we remove entire exiting CA and re-create it again?
Regards,
Anand
1:17 p.m.
New subject: Rejoining to domain but getting error - You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
sharmaji a via FreeIPA-users wrote:
Thanks Rob for your reply.
In our situations, we have only left with data-only backup of our IPA server. (For some
reason, both our IPA Master and Replica server got corrupted and are not in recoverable
state.)
So we attempted, data-only restore on Fresh Install of IPA server. We faced issue with
Kerberos and RA key miss match which we fixed. Now we stuck with CA miss match issue.
We suspect CA cert in local files likes NSS db, SLAPd & HTTP alias folder are NOT
matching with CA keys in LDAP, as this KEY came from data-only restore.
So, can we remove entire exiting CA and re-create it again?
Not easily. I'm sure it's theoretically possible but given the rest of
the state probably not the best approach.
At this point you're in disaster recovery and it's going to be painful.
To say "there be dragons" doesn't do things justice.
This is likely to be a manual and iterative process until you get the
data massaged just right.
Whatever you do make a copy of the backup some place safe. I would not
use ipa-restore to restore the data. Instead I'd extract the tarball and
use dsconf ldif2db on userRoot.ldif.
You'll have to make a *lot* of manual edits to the ldif before loading.
I haven't attempted such a thing in many years and there is no document
on what to do, how or what pitfalls you'll run into. Like I said,
iterative with lots and lots of re-installs until you get it just right.
Your "new" IPA install has a different Kerberos master key and CA than
before. If you do the restore then you'll get the original master key.
This can be good since it will preserve all the user passwords, etc.
But this will break all the current keytabs. You can use kadmin to
procure new ones, I think. Assuming you can get dirsrv and the KDC to start.
You'll want to remove any userCertificate values from the userRoot ldif.
These don't exist in the current CA. I'd run through all the certmonger
requests and re-issue them all so that the latest values are stored.
For any non-IPA-server certificates you'll need to re-issue them.
On the new install you'll want to request the same POSIX range as used
by the original server.
I'm sure there's more to do, this is just a small flavor of what you're
looking at.
rob
802
days inactive
807
days old
freeipa-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Rob Crittenden -
sharmaji a