URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
Here's what I did

```
# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
# rm -rf /var/lib/ipa/radb
# ipa-replica-install --domain abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com --principal admin --password blablabla
...
  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170120063423':
	status: CA_UNREACHABLE
	ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://vm-226.abc.idm.lab.eng.brq.redhat.com:443/ca/rest/account/login': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert'
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
# certutil -d /var/lib/ipa/radb -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
# stat /var/lib/ipa/radb
stat: cannot stat '/var/lib/ipa/radb': No such file or directory
```

Here's the full replica install log: http://pastebin.com/kwj8nFcC
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273991634
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
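The comment above ends with `certutil` reporting SEC_ERROR_LEGACY_DATABASE for /var/lib/ipa/radb while `stat` shows that directory does not exist at all. The shell function below is an added example, not code from the pull request or from FreeIPA: it classifies an NSS database directory by what is actually on disk (missing, empty, legacy cert8.db/key3.db/secmod.db, sqlite cert9.db/key4.db/pkcs11.txt, or a mix), so that a "legacy database" error can be checked against the filesystem before anything is recreated or deleted. The function name, its output words and the directories in the usage line are this example's own choices.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Report what an NSS database directory
# really contains so that a SEC_ERROR_LEGACY_DATABASE message from certutil
# or certmonger can be checked against the filesystem.
#
# Output is one word on stdout:
#   missing  directory does not exist (what `stat` showed for /var/lib/ipa/radb)
#   empty    directory exists but holds no NSS database files
#   dbm      legacy format files (cert8.db / key3.db / secmod.db)
#   sql      sqlite format files (cert9.db / key4.db / pkcs11.txt)
#   mixed    files of both formats are present
nssdb_format() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    dbm=0
    sql=0
    # Legacy (dbm) format file names, as used by older NSS releases.
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] && dbm=1
    done
    # Current (sqlite) format file names.
    for f in cert9.db key4.db pkcs11.txt; do
        [ -f "$dir/$f" ] && sql=1
    done
    if [ "$dbm" -eq 1 ] && [ "$sql" -eq 1 ]; then
        echo mixed
    elif [ "$dbm" -eq 1 ]; then
        echo dbm
    elif [ "$sql" -eq 1 ]; then
        echo sql
    else
        echo empty
    fi
}

# Usage (paths are illustrative): sh nssdb_format.sh /var/lib/ipa/radb /etc/httpd/alias
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(nssdb_format "$d")"
done
```

The function only reports what is on disk; which of these layouts a given certutil treats as unsupported depends on the NSS version and on whether the path was given with a `sql:` or `dbm:` prefix, so a "missing" result is the case to rule out first, since it produces the same certutil error as a genuinely old database.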