ipa replica

rockybulwinkle
Posts: 7
Joined: 2021/08/19 21:44:44

ipa replica

Post by rockybulwinkle » 2021/08/19 22:05:21

Hello,

I'm trying to migrate away from CentOS 6. The biggest barrier right now is our ipa server which is running on CentOS 6.6. I realize that is extremely out of date, but I inherited these problems from the previous sysadmin and am working to rectify it. I am also a fairly amateur admin and am out of my depth here.

There are two systems right now: "manage.companyname.com" and "centos7test.companyname.com".

Anyway, I've installed CentOS 7.9.2009 and installed ipa-server and ipa-server-dns. I created an ipa replica file on manage:

ipa-replica-prepare centos7test.companyname.com

And installed that replica on centos7test:

ipa-replica-install --setup-dns --forwarder=<manage's ip> replica-info-centos7test.companyname.com.gpg

However, I had to do some odd things during the replication for it to succeed, which I figured out by trial and error. Are these things you normally have to do?
1. manually create an HTTP service for the new ipa server
2. manually add a KDC entry for the new server to LDAP.

That initial replication succeeds. I then tried to make centos7test a CA:

ipa-ca-install replica-info-centos7test.companyname.com.gpg

The CA installation fails. I see in my ipareplica-ca-install.log some messages about importing certificates, which appear to succeed, then this:

Installation failed: Command failed: certutil -M -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n caSigningCert cert-pki-ca -t CTu,Cu,Cu
2021-08-19T21:23:34Z DEBUG stderr=pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
certutil: could not find certificate named "caSigningCert cert-pki-ca": SEC_ERROR_BAD_DATABASE: security library: bad database.

Update: This might be useful for debugging:

[root@centos7test pki]# certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Certificate Authority - COMPANYNAME.COM                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u

I'm not sure where to go from here; I've been stuck for weeks trying to get this replica going. All input is appreciated!

Thanks

rockybulwinkle
Posts: 7
Joined: 2021/08/19 21:44:44

Re: ipa replica

Post by rockybulwinkle » 2021/08/20 20:51:03

I created a new ipa replica from our 6.6 machine to a new 6.10 machine including the CA. Next I tried replicating from the 6.10 to the 7.9 machine. Reading through the error logs (sorry, I don't have them at hand, I already rolled back the 7.9 VM), I think the issue is with the 7.9 machine not trusting the 6.10 machine. I think I need to tell the 7.9 to trust 6.10's certificate, though I'm not sure how.

I noticed ipa-replica-prepare outputs a cacert.p12 file. Am I supposed to import this on the 7.9 machine? Running "pk12util -i cacert.p12" on the 7.9 machine reports that it doesn't support the format:

[root@centos7test ~]# pk12util -i cacert.p12 
pk12util: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Am I on the right track here? How do I get the cacert.p12 in a format my 7.9 machine understands?

Thanks again!

rockybulwinkle
Posts: 7
Joined: 2021/08/19 21:44:44

Re: ipa replica

Post by rockybulwinkle » 2021/08/20 20:58:57

Ok, I think I found the magic command for extracting the keys:

openssl pkcs12 -in cacert.p12 -nokeys -out outfile.pem

source: http://wiki.cacert.org/CertificateHandling
Then I copy the outfile.pem to /etc/pki/ca-trust/source/anchors/cert.pem and run update-ca-certs:

[root@centos7test ~]# scp root@centos6test.companyname.com:/root/outfile.pem /etc/pki/ca-trust/source/anchors/cert.pem 
[root@centos7test ~]# update-ca-trust

update-ca-trust exits silently, but now I can fetch from centos6test's http server, which was failing before due to CA issues:

wget https://centos6test.companyname.com:443/ca/admin/ca/getCertChain
--2021-08-20 16:40:12--  https://centos6test.companyname.com/ca/admin/ca/getCertChain
Resolving centos6test.companyname.com (centos6test.companyname.com)... 10.252.52.30
Connecting to centos6test.companyname.com (centos6test.companyname.com)|10.252.52.30|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1418 (1.4K) [application/xml]
Saving to: ‘getCertChain’

100%[==================================================================================================================>] 1,418       --.-K/s   in 0s      

2021-08-20 16:40:12 (7.48 MB/s) - ‘getCertChain’ saved [1418/1418]

I should probably go and do the same steps on my 6.10 machine so it trusts our 6.6 machine, then retry replicating to the 7.9 machine.

rockybulwinkle
Posts: 7
Joined: 2021/08/19 21:44:44

Re: ipa replica

Post by rockybulwinkle » 2021/08/25 19:59:39

I'm still stuck unfortunately. I think I have a misunderstanding of what the p12 file is. I thought it was something generated by ipa-replica-prepare because the MTIME on it would change after running that command. I'm still not sure what that file is for.

Anyway, I am now trying to replicate from the C6.10 to the C7.9 machine. There seems to be some error with pki-tomcat, I put /var/log/pki/pki-tomcat/ca/debug in a pastebin: https://pastebin.com/E3neZHYk

The line I'm trying to understand is the last error:
[23/Aug/2021:14:16:02][http-bio-8443-exec-3]: ConfigurationUtils: GET https://centos6test.companyname.com:443 ... tCertChain
javax.ws.rs.ProcessingException: Unable to invoke request

If I wget that URL myself, it works fine. Is pki-tomcat/java using the same certificates as wget? How can I know what kind of SSL error is causing the failure to write the socket?

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ipa replica

Post by TrevorH » 2021/08/25 22:09:33

A p12 file is just another way of packaging an SSL certificate. This article explains the different formats pretty well I think - https://security.stackexchange.com/ques ... -all-about
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

rockybulwinkle
Posts: 7
Joined: 2021/08/19 21:44:44

Re: ipa replica

Post by rockybulwinkle » 2021/09/29 23:41:39

OK! I finally got things figured out.

First, I upgraded 6.6 to 6.10, but doing so directly caused IPA to break. So instead I upgraded incrementally: 6.6->6.7->6.8->6.9->6.10.

Then I tried making an ipa replica on 7.9-2009, which fails at pki-tomcat. It turns out that this was because my virtual machines were misconfigured to use the "qemu" domain instead of kvm, which means they weren't getting hardware acceleration. This causes the machines to run slowly enough that the pki-tomcat service can't start before ipa-replica-install considers it timed out and throws an error.

So now it appears I finally have a centos 7.9 replica on the network and can start looking at the steps to decommission the 6.10 server.

Is there a guide I can check to confirm that the IPA server is working correctly before I decommission the old one? I'm going to try it in a lab setup first either way--a lesson I finally learned after a very stressful day last week where I accidentally broke the live system and had to restore a backup x_x

Thanks!
