On Mon, Nov 25, 2019 at 02:47:46PM -0000, Alexander Skobeltsin via FreeIPA-users wrote: > Several days ago my freeipa (4.4) server was broken due to expiration of all > certificates ( except ca of course). Because of in 4.4 was no such handy > tool, as ipa-cert-fix, but lots of recovery methods, that I found in Google > were using it, I decided to upgrade my broken freeipa to 4.5 ( by packages > upgrade). Packages were installed succesfully, but automatic > ipa-server-upgrade script after installation failed ( because of > certificates, obviously). Then, I ran ipa-cert-fix and almost all freeipa > certificates were succesfully resubmited and updated. Then, I tried to > manually run ipa-server-upgrade, but it failed in the same place, as before > updating certificates - on trying to communicate with dogtag. As well as I > can't just start ipa (via "ipactl start"), but it works with "--force" > option, and works well, except those part of ui, that shows certificates. > > There is part of ipaupgrade.log, where upgrade fails: > > 2019-11-25T14:44:35Z DEBUG request GET > https://ipa-vis.tis.rk:8443/ca/rest/account/login > 2019-11-25T14:44:35Z DEBUG request body '' > 2019-11-25T14:44:35Z DEBUG response status 401 > 2019-11-25T14:44:35Z DEBUG response headers Server: Apache-Coyote/1.1 > Cache-Control: private > Expires: Thu, 01 Jan 1970 03:00:00 MSK > WWW-Authenticate: Basic realm="Certificate Authority" > Content-Type: text/html;charset=utf-8 > Content-Language: en > Content-Length: 951 > Date: Mon, 25 Nov 2019 14:44:35 GMT > > 2019-11-25T14:44:35Z DEBUG response body '<html><head><title>Apache > Tomcat/7.0.76 - Error report</title><style><!--H1 > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} > H2 > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} > H3 > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} > BODY > {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P > {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A > {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> > </head><body><h1>HTTP Status 401 - </h1><HR size="1" > noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> > <u></u></p><p><b>description</b> <u>This request requires HTTP > authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache > Tomcat/7.0.76</h3></body></html>' > 2019-11-25T14:44:35Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2019-11-25T14:44:35Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in > execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 54, in run > server.upgrade() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line > 2146, in upgrade > upgrade_configuration() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line > 2018, in upgrade_configuration > ca_enable_ldap_profile_subsystem(ca) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line > 406, in ca_enable_ldap_profile_subsystem > cainstance.migrate_profiles_to_ldap() > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 2027, in migrate_profiles_to_ldap > _create_dogtag_profile(profile_id, profile_data, overwrite=False) > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 2033, in _create_dogtag_profile > with api.Backend.ra_certprofile as profile_api: > File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line > 1315, in __enter__ > raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA > REST API')) > > 2019-11-25T14:44:35Z DEBUG The ipa-server-upgrade command failed, exception: > RemoteRetrieveError: Failed to authenticate to CA REST API > > > > After some searching, I found that such behaviour could be caused by > incompatibility of newly generated ra-agent certificate in location > "/var/lib/ipa/ra-agent.pem" and LDAP database in location > "uid=ipara,ou=people,o=ipaca"(userCertificate,SeeAlso,description fields), > and really, there was old certificates data there. I modified these 3 fields > with corresponding new values from new certificate, including correct serial > number in description. Here how it looks like now: > > dn: uid=ipara,ou=people,o=ipaca > userCertificate: MIIDXD...NX7U3S > description: 2;16;CN=Certificate Authority,O=TIS.RK;CN=IPA RA,O=TIS.RK > > pkidbuser LDAP entry contained old "CA Subsystem" also, so I modified it too > with new "CA Subsystem" certificate data. > > dn: uid=pkidbuser,ou=people,o=ipaca > userCertificate:: MIIDYj...+M7J8bmRc > description: 2;14;CN=Certificate Authority,O=TIS.RK;CN=CA Subsystem,O=TIS.RK > > But none helped. > > Here what I see in /var/log/pki/pki-tomcat/ca/debug, when trying to show > certificate detail in freeipa's ui: > > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet:service() > uri = /ca/agent/ca/displayBySerial > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet::service() > param name='xml' value='true' > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet::service() > param name='serialNumber' value='20' > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: > caDisplayBySerial start to service. > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: IP: 172.19.4.2 > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: AuthMgrName: > certUserDBAuthMgr > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: retrieving > SSL certificate > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: > certUID=CN=IPA RA,O=TIS.RK > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: started > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: > Retrieving client certificate > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Got > client certificate > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: In > LdapBoundConnFactory::getConn() > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: masterConn is > connected: true > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: getConn: conn is > connected true > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: getConn: mNumConns now > 4 > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: returnConn: mNumConns > now 5 > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: Authentication: client > certificate found > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: In > LdapBoundConnFactory::getConn() > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: masterConn is > connected: true > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: getConn: conn is > connected true > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: getConn: mNumConns now > 5 > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: returnConn: mNumConns > now 6 > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: > CertUserDBAuthentication: cannot map certificate to any userServer Internal > Error > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: SignedAuditLogger: > event AUTH > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet.java: > renderTemplate > [25/Nov/2019:17:24:38][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet.java: xml > parameter detected, returning xml > > Before I Updated IPA RA LDAP Entry, it showed "User not found" instead of > "Server Internal Error". > > And in dirsrv log I see such entries, when navigating to certificate detail > page: > > [25/Nov/2019:17:29:41.095869943 +0300] conn=40148 fd=206 slot=206 connection > from 172.19.4.2 to 172.19.4.2 > [25/Nov/2019:17:29:41.098585286 +0300] conn=40148 op=0 BIND dn="" method=sasl > version=3 mech=GSS-SPNEGO > [25/Nov/2019:17:29:41.103760424 +0300] conn=40148 op=0 RESULT err=0 tag=97 > nentries=0 etime=0.0005409737 dn="uid=admin,cn=users,cn=accounts,dc=tis,dc=rk" > [25/Nov/2019:17:29:41.105906742 +0300] conn=40148 op=1 SRCH > base="cn=ipaconfig,cn=etc,dc=tis,dc=rk" scope=0 filter="(objectClass=*)" > attrs=ALL > [25/Nov/2019:17:29:41.106795977 +0300] conn=40148 op=1 RESULT err=0 tag=101 > nentries=1 etime=0.0000976075 > [25/Nov/2019:17:29:41.108348488 +0300] conn=40148 op=2 SRCH > base="cn=masters,cn=ipa,cn=etc,dc=tis,dc=rk" scope=2 > filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL > [25/Nov/2019:17:29:41.108921046 +0300] conn=40148 op=2 RESULT err=0 tag=101 > nentries=1 etime=0.0000658341 > [25/Nov/2019:17:29:41.135945117 +0300] conn=27 op=13 SRCH > base="ou=People,o=ipaca" scope=2 filter="(description=2;16;CN=Certificate > Authority,O=TIS.RK;CN=IPA RA,O=TIS.RK)" attrs=ALL > [25/Nov/2019:17:29:41.136203891 +0300] conn=27 op=13 RESULT err=0 tag=101 > nentries=1 etime=0.0000356148 > [25/Nov/2019:17:29:41.142786310 +0300] conn=40148 op=3 UNBIND > [25/Nov/2019:17:29:41.142807994 +0300] conn=40148 op=3 fd=206 closed - U1 > > Now I am stuck at this point. I don't understand, what is wrong with dogtag, > is it LDAP entry trouble or dogtags itself. > > There are some errors in "getcert list" output,
Hi Alexander, Could you please provide the entire LDAP entry uid=ipara,ou=people,o=ipaca, and the IPA RA certificate. Thanks, Fraser _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
