Hi Team,
Need help from FreeIPA.
The FreeIPA replica server retrieves two certificates from the IPA master server while installing the IPA replica, and the installation fails.
Please check the issue below and let us know the fix, and please let us know if any more details are required.
Master server: aaa01
Replica server1: dir01 (currently being installed as a replica server)
Replica server2: dirus02 (which was a replica server previously and has been removed from replication)
As noticed while installing the IPA replica server, the replica retrieves two certificates from the master server and saves them in /etc/ipa/ca.crt. In this process, at the stage "Configuring the web interface (httpd)", we get the error below, i.e.
ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
===============================================
While installing the replica, /var/log/ipaclient-install.log:
---------------------------------------------------
2022-08-15T13:52:08Z DEBUG stderr=
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Valid From: 2018-04-12 14:15:30
Valid Until: 2038-04-12 14:15:30
Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Valid From: 2019-01-21 11:54:13
Valid Until: 2021-01-21 11:54:13
2022-08-15T13:52:11Z DEBUG Starting external process
2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z DEBUG Starting external process
2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
==================================
While installing the replica, /var/log/ipareplica-install.log:
--------------------------------------------------
2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:11Z DEBUG Process finished, return code=0
2022-08-15T15:07:11Z DEBUG stdout=
2022-08-15T15:07:11Z DEBUG stderr=
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:12Z DEBUG Process finished, return code=255
2022-08-15T15:07:12Z DEBUG stdout=
2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
Observation in the master server (aaa01) LDAP database:
=======================================
[root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
[root@aaa01~]#
====================
We could see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in the IPA master server GUI as well, and we have revoked it too, but it still retrieves the same one and the installation fails every time.
=================
In the ideal case, while installing the replica it has to retrieve only one certificate, i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM, but in this case it retrieves
Please let us know if any more details are required, and let us know how we can fix this issue without impact on the whole setup.
ipaCertIssuerSerial
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1 [which is a valid certificate]
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [invalid certificate retrieved from the IPA master while installing the IPA replica]
[root@aaa01]# ipa cert-show
Serial number: 32
Issuing CA: ipa
Certificate:
Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
Subject DNS name: dirus02.ipa.subdomain.com
Subject UPN: HTTP/dirus02.ipa.subdomain.com@IPA.SUBDOMAIN.COM
Subject Kerberos principal name: HTTP/dirus02.ipa.subdomain.com@IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Not Before: Mon Jan 21 11:54:13 2019 UTC
Not After: Thu Jan 21 11:54:13 2021 UTC
Serial number: 32
Serial number (hex): 0x20
Revoked: True
Revocation reason: 2
[root@aaa01~]#
Regards
ManideepSai
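A read-only pre-install check for the symptom described in this message (a service certificate such as CN=dirus02.ipa.subdomain.com sitting in the CA bundle the replica retrieves, which the installer then tries to import as Server-Cert). This is an added example, not FreeIPA code or anything from the poster; it assumes the openssl CLI and a PEM bundle such as /etc/ipa/ca.crt, and the function name audit_ca_bundle is hypothetical.

```shell
#!/bin/sh
# Audit a PEM CA bundle such as /etc/ipa/ca.crt (the file the replica installer
# fills from the master's LDAP): print every certificate that is not a CA
# certificate (no basicConstraints CA:TRUE) or that has already expired.
# Example code, not part of FreeIPA. Requires the openssl CLI.

audit_ca_bundle() {
    bundle="$1"
    bad=0
    tmpdir=$(mktemp -d)
    # Split the bundle into one file per certificate, numbered in bundle order
    # (anything before the first BEGIN marker is ignored).
    awk -v dir="$tmpdir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                          n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        idx=${f##*/cert}; idx=${idx%.pem}
        subject=$(openssl x509 -in "$f" -noout -subject)
        enddate=$(openssl x509 -in "$f" -noout -enddate)
        problems=""
        # Only a certificate carrying basicConstraints CA:TRUE belongs in a CA bundle;
        # a host/service certificate lacks it.
        if ! openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
            problems="$problems not-a-CA"
        fi
        # -checkend 0 exits non-zero once the certificate's notAfter has passed.
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            problems="$problems expired"
        fi
        if [ -n "$problems" ]; then
            bad=$((bad + 1))
            echo "cert $idx: $subject; $enddate;$problems"
        fi
    done
    rm -rf "$tmpdir"
    # Exit status is the number of offending certificates; 0 means the bundle is clean.
    return "$bad"
}

# Usage: audit_ca_bundle /etc/ipa/ca.crt
```

Run it on the replica's /etc/ipa/ca.crt after the client enrollment step (or on a copy of the bundle exported from the master) before starting the replica install; any line it prints is a certificate that should not be in the CA store.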