
Setting up CA clone fails on non-ssl ports when Master CA has its internal ldap set with SSL #3268

Open
pki-bot opened this issue Oct 3, 2020 · 2 comments

Comments


pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #3151. Originally filed by cipherboy (@cipherboy) on 2020-03-16 09:43:18:


Description of problem:

I am trying to set up a CA clone with the replication ports (master and clone) on a non-SSL port. But this fails, as the clone CA seems to try the SSL port of the master.

Setup:

I have 2 hosts.

pki3.example.org [Master CA] -> connected to its LDAP instance over the SSL port

pki2.example.org [Clone CA] -> connected to its LDAP instance over the non-SSL port

I am trying to configure the clone CA (pki2.example.org) to use replication over non-SSL ports.

Below is the clone's pkispawn configuration file being used:

```ini
[DEFAULT]
pki_instance_name = FoobarCloneCA
pki_https_port = 8443
pki_http_port = 8080
pki_token_password = Secret123
pki_admin_password = Secret123
pki_client_pkcs12_password = Secret123
pki_hostname = pki2.example.org
pki_security_domain_hostname = pki3.example.org
pki_security_domain_user = caadmin
pki_security_domain_password = Secret123
pki_security_domain_https_port = 8443

[Tomcat]
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_clone = True
pki_clone_pkcs12_path = /opt/rhqa_pki/ca_backup_keys.p12
pki_clone_pkcs12_password = Secret123
pki_clone_replicate_schema = True
pki_clone_uri = https://pki3.example.org:8443
pki_clone_replication_master_port = 30389
pki_clone_replication_clone_port = 30389

[CA]
pki_ds_hostname = pki2.example.org
pki_ds_remove_data = True
pki_ds_ldap_port = 30389
pki_ds_base_dn = o=FoobarCA-CA
pki_ds_password = Secret123
```

pkispawn fails with the error below:

```
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in populating database: java.io.IOException: Failed to set up replication: No connection to master"}
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
```

Version-Release number of selected component (if applicable):
pki-ca-10.2.6-9.el7pki.noarch

How reproducible:

Steps to Reproduce:
1. Need 2 hosts
2. On host1 configure Directory Server with SSL (example ports 30389, 30636)
3. Configure the CA on host1 connecting to its LDAP over SSL
Example config:

```ini
[DEFAULT]
pki_instance_name = FoobarCA
pki_https_port = 8443
pki_http_port = 8080
pki_token_password = Secret123
pki_admin_password = Secret123
pki_hostname = pki3.example.org
pki_security_domain_name = Foobar Org
pki_security_domain_password = Secret123
pki_client_dir = /opt/FoobarCA
pki_client_pkcs12_password = Secret123
pki_backup_keys = True
pki_backup_password = Secret123

[Tomcat]
pki_ajp_port = 8009
pki_tomcat_server_port = 8005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki3.example.org
pki_ds_ldap_port = 30389
pki_ds_password = Secret123
pki_ds_secure_connection_ca_pem_file = /opt/rhqa_pki/cacert.pem
pki_ds_secure_connection = True
pki_ds_ldaps_port = 30636
```

Actual results:

3. On host2, configure DS using ports 30389 and 30636

4. On host2 configure the clone CA to use only the non-SSL port to connect to its LDAP server, and also to use non-SSL ports for replication with the master CA.

```ini
[DEFAULT]
pki_instance_name = FoobarCloneCA
pki_https_port = 8443
pki_http_port = 8080
pki_token_password = Secret123
pki_admin_password = Secret123
pki_client_pkcs12_password = Secret123
pki_hostname = pki2.example.org
pki_security_domain_hostname = pki3.example.org
pki_security_domain_user = caadmin
pki_security_domain_password = Secret123
pki_security_domain_https_port = 8443

[Tomcat]
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_clone = True
pki_clone_pkcs12_path = /opt/rhqa_pki/ca_backup_keys.p12
pki_clone_pkcs12_password = Secret123
pki_clone_replicate_schema = True
pki_clone_uri = https://pki3.example.org:8443
pki_clone_replication_master_port = 30389
pki_clone_replication_clone_port = 30389

[CA]
pki_ds_hostname = pki2.example.org
pki_ds_remove_data = True
pki_ds_ldap_port = 30389
pki_ds_base_dn = o=FoobarCA-CA
pki_ds_password = Secret123
```

Expected results:
pkispawn fails with the error below:

```
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in populating database: java.io.IOException: Failed to set up replication: No connection to master"}
```

Additional info:
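As an added example (not code from the issue or from the pki project), the following Python script does a pre-flight check over the two pkispawn files quoted above before anything is deployed. It flags the combination the report describes, a master CA that reaches its Directory Server over LDAPS while the clone names the master's plain LDAP port for replication, and it also recovers the servlet's real `Message` from the JSON error body that the traceback shows `pkihelper.configure_pki_data` handing to an XML parser, which is why the cause ended up hidden behind a `ParseError`. The function names, the trimmed sample configs and the error body are constructed for this example.

```python
"""Pre-flight check for a pki CA clone's pkispawn configuration.

Added example; not code from the dogtag-pki project. The sample configs
below are trimmed copies of the two files quoted in the issue, and the
error body is the one quoted from the pkispawn output.
"""
import configparser
import json
import xml.etree.ElementTree as ET

# Constructed sample input: the relevant keys from the master's config.
MASTER_CFG = """\
[DEFAULT]
pki_instance_name = FoobarCA
pki_hostname = pki3.example.org

[CA]
pki_ds_hostname = pki3.example.org
pki_ds_ldap_port = 30389
pki_ds_secure_connection = True
pki_ds_ldaps_port = 30636
"""

# Constructed sample input: the relevant keys from the clone's config.
CLONE_CFG = """\
[DEFAULT]
pki_instance_name = FoobarCloneCA
pki_hostname = pki2.example.org

[Tomcat]
pki_clone = True
pki_clone_uri = https://pki3.example.org:8443
pki_clone_replication_master_port = 30389
pki_clone_replication_clone_port = 30389

[CA]
pki_ds_hostname = pki2.example.org
pki_ds_ldap_port = 30389
"""

# Constructed sample input: the JSON error body quoted in the pkispawn log.
ERROR_BODY = (
    '{"Attributes":{"Attribute":[]},'
    '"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
    '"Message":"Error in populating database: java.io.IOException: '
    'Failed to set up replication: No connection to master"}'
)


def load_pkispawn_cfg(text):
    """Parse pkispawn's INI format; interpolation is off so %(...)s stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_replication_ports(master, clone):
    """Return a list of findings; an empty list means no mismatch was detected."""
    findings = []
    master_secure = master.getboolean("CA", "pki_ds_secure_connection", fallback=False)
    master_ldap = master.get("CA", "pki_ds_ldap_port", fallback=None)
    master_ldaps = master.get("CA", "pki_ds_ldaps_port", fallback=None)
    repl_master = clone.get("Tomcat", "pki_clone_replication_master_port", fallback=None)
    repl_clone = clone.get("Tomcat", "pki_clone_replication_clone_port", fallback=None)
    clone_ldap = clone.get("CA", "pki_ds_ldap_port", fallback=None)
    clone_ldaps = clone.get("CA", "pki_ds_ldaps_port", fallback=None)

    # The combination from the report: the master CA talks LDAPS to its DS,
    # but the clone points replication at the master's non-SSL port.
    if master_secure and repl_master is not None and repl_master == master_ldap:
        findings.append(
            "master CA uses LDAPS to its DS (pki_ds_ldaps_port=%s) but the clone "
            "sets pki_clone_replication_master_port=%s, the master's plain LDAP port"
            % (master_ldaps, repl_master)
        )
    # The clone's replication port must be one its own DS is configured with.
    if repl_clone is not None and repl_clone not in (clone_ldap, clone_ldaps):
        findings.append(
            "clone sets pki_clone_replication_clone_port=%s but its DS ports are "
            "pki_ds_ldap_port=%s / pki_ds_ldaps_port=%s" % (repl_clone, clone_ldap, clone_ldaps)
        )
    return findings


def extract_server_message(body):
    """Pull 'Message' out of a configuration servlet error body.

    The traceback shows the body going straight to ET.fromstring even though
    the servlet answered with JSON, so the real reason was lost behind a
    ParseError. Try JSON first, fall back to XML, and otherwise return the
    raw body so nothing is swallowed.
    """
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            return obj.get("Message", body)
    except ValueError:
        pass
    try:
        node = ET.fromstring(body).find("Message")
        return node.text if node is not None and node.text else body
    except ET.ParseError:
        return body


if __name__ == "__main__":
    master_cfg = load_pkispawn_cfg(MASTER_CFG)
    clone_cfg = load_pkispawn_cfg(CLONE_CFG)
    for finding in check_replication_ports(master_cfg, clone_cfg):
        print("FINDING:", finding)
    print("server said:", extract_server_message(ERROR_BODY))
```

Run against the two files from the report, the check yields one finding (the master's LDAPS port 30636 versus the clone's request for 30389), and the message helper prints the "No connection to master" text that pkispawn's own output buried under the XML ParseError.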


pki-bot commented Oct 3, 2020

Comment from cipherboy (@cipherboy) at 2020-03-16 09:43:31

Metadata Update from @cipherboy:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1276217
  • Custom field type adjusted to None
  • Custom field version adjusted to None
