When installing a replica on an older master:

    ...
    Configuring ipa-otpd
      [1/2]: starting ipa-otpd
      [2/2]: configuring ipa-otpd to start on boot
    Done configuring ipa-otpd.
    Configuring ipa-custodia
      [1/4]: Generating ipa-custodia config file
      [2/4]: Generating ipa-custodia keys
      [3/4]: starting ipa-custodia
      [4/4]: configuring ipa-custodia to start on boot
    Done configuring ipa-custodia.
    Configuring certificate server (pki-tomcatd)
      [1/2]: configure certmonger for renewals
      [2/2]: Importing RA key
    Done configuring certificate server (pki-tomcatd).
    Configuring Kerberos KDC (krb5kdc)
      [1/2]: installing X509 Certificate for PKINIT
      [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_REJECTED)
    ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
This is due to the changes in the cert plugin which allow issuing certificates also for the krbtgt/ principal, which is not located in the cn=services,cn=accounts,$SUFFIX subtree. However, this change was introduced in 4.5, so older masters still reject the PKINIT certificate request despite having access to the PKINIT certificate profiles (see the HTTP error log on the master):
    [Mon Mar 27 11:17:19.974948 2017] [wsgi:error] [pid 20044] ipa: INFO: [xmlserver] host/replica1.ipa.test@IPA.TEST: cert_request(u'...', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/IPA.TEST@IPA.TEST', add=True, version=u'2.51'): ACIError
    [Mon Mar 27 11:17:19.975001 2017] [wsgi:error] [pid 20044] ipa: DEBUG: response: ACIError: Insufficient access: Principal 'krbtgt/IPA.TEST@IPA.TEST' is not permitted to use CA 'ipa' with profile 'KDCs_PKINIT_Certs' for certificate issuance.
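Triage helper, added here as an example and not part of the ticket or of FreeIPA: it parses `cert_request` entries from the master's httpd error_log (the format quoted above) and flags the exact symptom of this regression, a `krbtgt/` principal being refused the `KDCs_PKINIT_Certs` profile with `ACIError`. The sample log lines are constructed after the excerpt above; the CSR body is elided with `...` and the third line (a successful `caIPAserviceCert` request) is added so that the filter has something to ignore.

```python
import re

# Constructed sample lines modelled on the httpd error_log excerpt in this ticket.
SAMPLE_LOG = """\
[Mon Mar 27 11:17:19.974948 2017] [wsgi:error] [pid 20044] ipa: INFO: [xmlserver] host/replica1.ipa.test@IPA.TEST: cert_request(u'...', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/IPA.TEST@IPA.TEST', add=True, version=u'2.51'): ACIError
[Mon Mar 27 11:17:19.975001 2017] [wsgi:error] [pid 20044] ipa: DEBUG: response: ACIError: Insufficient access: Principal 'krbtgt/IPA.TEST@IPA.TEST' is not permitted to use CA 'ipa' with profile 'KDCs_PKINIT_Certs' for certificate issuance.
[Mon Mar 27 11:18:02.000000 2017] [wsgi:error] [pid 20044] ipa: INFO: [xmlserver] host/replica1.ipa.test@IPA.TEST: cert_request(u'...', profile_id=u'caIPAserviceCert', principal=u'HTTP/replica1.ipa.test@IPA.TEST', add=True, version=u'2.51'): SUCCESS
"""

# One cert_request call per line: timestamp, authenticated requester,
# requested profile, subject principal and the result token at the end.
CERT_REQUEST_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*? (?P<requester>\S+): cert_request\("
    r".*?profile_id=u'(?P<profile>[^']+)'"
    r".*?principal=u'(?P<principal>[^']+)'"
    r".*?\): (?P<result>\w+)$"
)


def parse_cert_requests(log_text):
    """Return one dict per cert_request call found in httpd error_log text.

    The DEBUG 'response:' lines carry no cert_request( call and are skipped.
    """
    records = []
    for line in log_text.splitlines():
        m = CERT_REQUEST_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_pkinit_aci_rejections(log_text):
    """Requests for a krbtgt/ principal against KDCs_PKINIT_Certs that ended
    in ACIError: the signature of a 4.5 replica enrolling against a master
    whose cert plugin predates the krbtgt/ change described in this ticket."""
    return [
        r for r in parse_cert_requests(log_text)
        if r["principal"].startswith("krbtgt/")
        and r["profile"] == "KDCs_PKINIT_Certs"
        and r["result"] == "ACIError"
    ]


if __name__ == "__main__":
    for hit in find_pkinit_aci_rejections(SAMPLE_LOG):
        print("{ts}: {requester} denied {profile} for {principal}".format(**hit))
```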
Metadata Update from @mbabinsk:
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: regression
Metadata Update from @pvoborni:
- Issue priority set to: blocker
Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
master:
- b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set ipaConfigString values on service entry
- fb52f7a1f328b126626525179d5250692daca2cd Allow for configuration of all three PKINIT variants when deploying KDC
- 86972299d937960bcb713fc73b447cddb4ea44bd API for retrieval of master's PKINIT status and publishing it in LDAP
- 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Use only anonymous PKINIT to fetch armor ccache
- 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 Stop requesting anonymous keytab and purge all references of it
- 2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Use local anchor when armoring password requests
- a194055c92c7ca4eba29323f990ec3b92026221b Upgrade: configure local/full PKINIT depending on the master status
- 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Do not test anonymous PKINIT after install/upgrade
ipa-4-5:
- 31a24436592304db6e84270e4a95df34d1e0af46 separate function to set ipaConfigString values on service entry
- b49e075c90a7ab43e82f422aa11dc7540e2fb2c0 Allow for configuration of all three PKINIT variants when deploying KDC
- a0e2a09292ffa2adbf97c2e7e4facc9693dbc311 API for retrieval of master's PKINIT status and publishing it in LDAP
- fca378c9a65f582ac3dcda4b6201e8847ed9e512 Use only anonymous PKINIT to fetch armor ccache
- 9fcc794dac6ffb1f1cc6c92a588ea0911be5ba14 Stop requesting anonymous keytab and purge all references of it
- 5031929b6d710336f6308d7f46779c9e8e98103a Use local anchor when armoring password requests
- 2452e6e5f3a7e7a25eadf5243a28da75a47f9d2c Upgrade: configure local/full PKINIT depending on the master status
- d497c4589cc7506ef9a88b691b8b1d97ad1f1009 Do not test anonymous PKINIT after install/upgrade
Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)