@kvaps
Created July 4, 2024 11:13
------
lxc
------
fix centos EOL repos
https://stackoverflow.com/a/70930049/2931267
fix old systemd in lxc container
https://forum.proxmox.com/threads/how-to-proxmox-7-cgroupv2-centos-7-upgrade-systemd-without-systemd-unified_cgroup_hierarchy-0.94253/
# ipa-backup
Preparing backup on freeipa.example.org
Stopping IPA services
Backing up ipaca in EXAMPLE-ORG to LDIF
Backing up userRoot in EXAMPLE-ORG to LDIF
Backing up EXAMPLE-ORG
Backing up files
Starting IPA service
Command '/usr/sbin/ipactl start' returned non-zero exit status 1
The ipa-backup command failed. See /var/log/ipabackup.log for more information
# systemctl status ipa
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: enabled)
Active: activating (start) since Mon 2024-07-01 17:28:01 CEST; 3min 18s ago
Main PID: 299 (ipactl)
Tasks: 2 (limit: 629145)
CGroup: /system.slice/ipa.service
├─299 /usr/bin/python2 /usr/sbin/ipactl start
└─673 /usr/bin/python2 /usr/sbin/ipa-server-upgrade
Jul 01 17:28:01 freeipa.example.org systemd[1]: Starting Identity, Policy, Audit...
Jul 01 17:28:06 freeipa.example.org ipactl[299]: IPA version error: data needs to be upgraded (expected version '4.6.8-5.el7.centos.17', current version '4.6.8-5.el7.centos.10')
Jul 01 17:28:06 freeipa.example.org ipactl[299]: Automatically running upgrade, for details see /var/log/ipaupgrade.log
Jul 01 17:28:06 freeipa.example.org ipactl[299]: Be patient, this may take a few minutes.
# getcert list | grep -E "Request ID|status|certificate|expires"
Number of certificates and requests being tracked: 7.
Request ID '20180730085204':
status: CA_UNREACHABLE
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-04 13:35:31 UTC
Request ID '20180730085237':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:36:01 UTC
Request ID '20180730085238':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:37:01 UTC
Request ID '20180730085239':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:35:51 UTC
Request ID '20180730085240':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2038-07-30 08:51:36 UTC
Request ID '20180730085241':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:36:31 UTC
Request ID '20180730085358':
status: CA_UNREACHABLE
certificate: type=FILE,location='/va
# stop NTP first so the rolled-back clock sticks, then pick a time before the earliest "expires:" above (and after every cert's notBefore); re-enable NTP once the backup is done
sudo timedatectl set-ntp 0
date -s "2024-01-01 13:35:31 UTC"
root@freeipa:~# ipa-backup
Preparing backup on freeipa.example.org
Stopping IPA services
Backing up ipaca in EXAMPLE-ORG to LDIF
Backing up userRoot in EXAMPLE-ORG to LDIF
Backing up EXAMPLE-ORG
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2024-01-01-14-38-03
The ipa-backup command was successful
root@freeipa:~# ls -alh /var/lib/ipa/backup/ipa-full-2024-01-01-14-38-03/ipa-full.tar
-rw-r--r-- 1 root root 30M Jan 1 14:38 /var/lib/ipa/backup/ipa-full-2024-01-01-14-38-03/ipa-full.tar
sudo timedatectl set-ntp 1
# pct exec 137 -- cat /var/lib/ipa/backup/ipa-full-2024-01-01-14-38-03/ipa-full.tar > /tmp/1
scp /tmp/1 [email protected]:/tmp/1
restore also
/var/lib/ipa/backup/ipa-full-2024-01-01-14-38-03/header
------
vm
------
change hostname from freeipa-01.example.org to freeipa.example.org
remove freeipa
ipa-server-install --uninstall
ipa-server-install
https://www.freeipa.org/page/Backup_and_Restore#something-is-left-other-than-the-snapshot
[root@freeipa ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2024-01-01-14-38-03/
Preparing restore from /var/lib/ipa/backup/ipa-full-2024-01-01-14-38-03/ on freeipa.example.org
Performing FULL restore from FULL backup
Restoring data from a different release of IPA.
Data is version 4.6.8.
Server is running 4.12.1.
Continue to restore? [no]: yes
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Unable to get connection, skipping disabling agreements: directory server instance is not running/configured
Stopping IPA services
Restoring files
Restoring umask to 18
NSS is built without support of the legacy database(DBM) directory '/etc/ipa/nssdb'
convert db:
https://github.com/freeipa/freeipa/blob/master/ipapython/certdb.py#L447-L495
https://github.com/freeipa/freeipa/blob/58003600089f1262971c392ca43a9d0767e57c8c/ipapython/certdb.py#L49-L50
certutil -d sql:/etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt -@ /etc/ipa/nssdb/pwdfile.txt
rm -f /etc/ipa/nssdb/cert8.db /etc/ipa/nssdb/key3.db /etc/ipa/nssdb/secmod.db
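Added example (written for this edit, not from the gist or from FreeIPA): the in-place DBM to SQL conversion behind the two `certutil -N ... sql:` lines above, wrapped with the checks a practitioner wants. It relies on the same NSS behaviour the linked FreeIPA converter relies on: opening a directory as `sql:` when only `cert8.db`/`key3.db`/`secmod.db` exist makes NSS import them, which only works where NSS was built with DBM support (the CentOS 7 container, not the Fedora target that printed the error above). Run it on the old host with IPA stopped, before taking the backup that will be restored; DBM has no locking for concurrent writers.

```shell
#!/bin/sh
# Added example: convert a FreeIPA NSS database from legacy DBM files to the
# SQLite format in place, verify the result, keep ownership/mode, and rename
# (not delete) the old files. Needs an NSS with DBM support, i.e. the old host.

# nssdb_state DIR -> prints dbm | sql | both | none
nssdb_state() {
  old=0; new=0
  [ -f "$1/cert8.db" ] && old=1
  [ -f "$1/cert9.db" ] && new=1
  case "$old$new" in
    10) echo dbm ;;
    01) echo sql ;;
    11) echo both ;;
    *)  echo none ;;
  esac
}

# convert_nssdb DIR PWDFILE
# `certutil -N` against sql:DIR imports the DBM contents (the call the
# ipapython.certdb converter makes); `certutil -L` then proves the new
# files open; the DBM files are kept as *.migrated until the restore on
# the new host has been verified.
convert_nssdb() {
  dir=$1; pw=$2
  state=$(nssdb_state "$dir")
  case "$state" in
    dbm) ;;
    sql) echo "$dir: already sql, nothing to do"; return 0 ;;
    *)   echo "$dir: state '$state', refusing to touch it" >&2; return 1 ;;
  esac
  certutil -d "sql:$dir" -N -f "$pw" -@ "$pw" || return 1
  certutil -d "sql:$dir" -L >/dev/null || return 1   # self-check
  for pair in cert8.db:cert9.db key3.db:key4.db secmod.db:pkcs11.txt; do
    o=$dir/${pair%%:*}; n=$dir/${pair##*:}
    [ -f "$o" ] || continue
    chown --reference="$o" "$n" && chmod --reference="$o" "$n"
    mv "$o" "$o.migrated"
  done
  echo "$dir: converted; old files kept as *.migrated"
}

# Usage on the old CentOS host (pwdfile names are the ones this page uses):
#   ipactl stop
#   for d in /etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias \
#            /etc/dirsrv/slapd-EXAMPLE-ORG; do convert_nssdb "$d" "$d/pwdfile.txt"; done
#   convert_nssdb /etc/openldap/certs /etc/openldap/certs/password
#   ipactl start && ipa-backup     # this backup is the one to restore on the new host
```

`nssdb_state` is the piece to run first on every directory `find / -name cert8.db` turns up: `both` means a half-finished conversion and should be looked at by hand rather than converted again.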
pct exec 137 -- tar -czf- /var/lib/ipa/backup/ipa-full-2024-01-02-14-36-02 > /tmp/1
scp /tmp/1 [email protected]:/tmp/1
ssh [email protected]
tar -C / -xvf /tmp/1
sed -i 's|freeipa-01|freeipa|g' /etc/hosts /etc/hostname
reboot
ipa-restore -v /var/lib/ipa/backup/ipa-full-2024-01-02-14-36-02
authselect select sssd with-mkhomedir --force
https://github.com/freeipa/freeipa/blame/58003600089f1262971c392ca43a9d0767e57c8c/ipaplatform/redhat/authconfig.py#L193C24-L193C54
https://github.com/freeipa/freeipa/blob/58003600089f1262971c392ca43a9d0767e57c8c/ipaplatform/redhat/authconfig.py#L78
authselect current --raw > /var/lib/ipa/auth_backup/authselect.backup
# Profile ID: sssd
# Enabled features: None
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Aborting ipactl
ipaserver.install.ipa_restore: INFO: Restoring umask to 18
ipapython.admintool: DEBUG: File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_restore.py", line 503, in run
run([paths.IPACTL, 'start'])
File "/usr/lib/python3.12/site-packages/ipapython/ipautil.py", line 594, in run
raise CalledProcessError(
ipapython.admintool: DEBUG: The ipa-restore command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipactl', 'start'] returned non-zero exit status 1: 'IPA version error: platform mismatch (expected \'rhel\', current \'fedora\')\nAutomatically running upgrade, for details see /var/log/ipaupgrade.log\nBe patient, this may take a few minutes.\nAutomatic upgrade failed: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.\n("Unable to execute IPA upgrade: platform mismatch (expected \'rhel\', current \'fedora\')", 1)\nThe ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information\n\nSee the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again\nAborting ipactl\n')
ipapython.admintool: ERROR: CalledProcessError(Command ['/usr/sbin/ipactl', 'start'] returned non-zero exit status 1: 'IPA version error: platform mismatch (expected \'rhel\', current \'fedora\')\nAutomatically running upgrade, for details see /var/log/ipaupgrade.log\nBe patient, this may take a few minutes.\nAutomatic upgrade failed: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.\n("Unable to execute IPA upgrade: platform mismatch (expected \'rhel\', current \'fedora\')", 1)\nThe ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information\n\nSee the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again\nAborting ipactl\n')
ipapython.admintool: ERROR: The ipa-restore command failed. See /var/log/iparestore.log for more information
sed -i 's|platform = rhel|platform = fedora|g' /var/lib/ipa/sysupgrade/sysupgrade.state
sudo chown pkiuser:pkiuser /var/lib/pki/pki-tomcat/alias/*
sudo chmod 640 /var/lib/pki/pki-tomcat/alias/*
ipa-cacert-manage install AAACertificateServices.crt
ipa-cacert-manage install USERTrustRSAAAACA.crt
ipa-cacert-manage install COMODORSAAAACA.crt
ipa-cacert-manage install STAR.example.org.ca-bundle
ipa-certupdate
ipa-server-certinstall -d -w -p <cn=Directory Manager PASS> --pin=<PPIN> /root/enc-key.key STAR.example.org.crt --log-file=/tmp/ipa-server-certinstall.log
...
2024-03-23T16:58:29Z DEBUG stderr=
2024-03-23T16:58:29Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 129, in run
self.install_dirsrv_cert()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 166, in install_dirsrv_cert
'restart_dirsrv %s' % serverid)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 323, in import_cert
server_cert = server_certs[0][0]
2024-03-23T16:58:29Z DEBUG The ipa-server-certinstall command failed, exception: IndexError: list index out of range
2024-03-23T16:58:29Z ERROR list index out of range
2024-03-23T16:58:29Z ERROR The ipa-server-certinstall command failed.
https://stackoverflow.com/a/53123685/2931267
mv /var/lib/pki/pki-tomcat/cert8.db{,.bak}
mv /var/lib/pki/pki-tomcat/key3.db{,.bak}
mv /var/lib/pki/pki-tomcat/secmod.db{,.bak}
getcert list | grep -E "Request ID|status|certificate|expires"
HOSTS, damn it!!!
/usr/bin/certutil -d sql:/etc/dirsrv/slapd-EXAMPLE-ORG -L -f /etc/dirsrv/slapd-EXAMPLE-ORG/pwdfile.txt
/usr/bin/certutil -d sql:/etc/dirsrv/slapd-EXAMPLE-ORG -D -n 'CN=*.example.org' -f /etc/dirsrv/slapd-EXAMPLE-ORG/pwdfile.txt
ipa-server-certinstall -d -w -p <password> /root/enc-key.key STAR.example.org.crt --log-file=/tmp/ipa-server-certinstall.log
===============
sed -i 's|freeipa-01|freeipa|g' /etc/hosts /etc/hostname
ipa-server-install --uninstall
reboot
ipa-restore -v /var/lib/ipa/backup/ipa-full-2024-02-27-13-38-37
sed -i 's|freeipa-01|freeipa|g' /etc/pki/pki-tomcat/server.xml
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
ipa-cacert-manage renew -v
# https://www.freeipa.org/page/IPA_2x_Certificate_Renewal
#### ipa-getcert resubmit -i 20240227134249 -P "$(cat /etc/pki/pki-tomcat/alias/pwdfile.txt)"
ipa-getcert resubmit -i 20240227134251
ipa-getcert resubmit -i 20240227134247 -P "$(cat /etc/pki/pki-tomcat/alias/pwdfile.txt)"
ipa-getcert resubmit -i 20240227134250 -P "$(cat /etc/pki/pki-tomcat/alias/pwdfile.txt)"
ipa-getcert resubmit -i 20240227134246 -P "$(cat /etc/pki/pki-tomcat/alias/pwdfile.txt)"
ipa-getcert resubmit -i 20240227134248 -P "$(cat /etc/pki/pki-tomcat/alias/pwdfile.txt)"
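Two steps on this page read `getcert list` by hand: choosing a date to roll the clock back to before `ipa-backup` (the list above the `date -s` line), and resubmitting each tracked request after the restore (the `ipa-getcert resubmit` lines just above). This added shell example, written for this edit and not taken from the gist or from FreeIPA, does both from one parser over a constructed sample in the layout `getcert list` prints. The `-P` pin is read from the `pwdfile.txt` beside the NSS database, as the page does, and the caSigningCert entry is left to `ipa-cacert-manage renew` on the renewal master, as the commented-out line above does.

```shell
#!/bin/sh
# Added example: parse `getcert list` into records, then derive the clock
# bound for ipa-backup and the resubmit commands for the CA_UNREACHABLE ones.

# Constructed sample (request IDs and paths are the ones shown on this page).
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20240102133627':
  status: CA_UNREACHABLE
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2024-05-04 13:36:01 UTC
Request ID '20240102133630':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2038-07-30 08:51:36 UTC
Request ID '20240102133631':
  status: CA_UNREACHABLE
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  expires: 2024-05-04 13:35:31 UTC
Request ID '20180730085358':
  status: CA_UNREACHABLE
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  expires: 2024-06-06 13:35:30 UTC
EOF
}

# getcert_records: stdin = `getcert list` output; stdout = one tab-separated
# line per request: id, status, type, location, nickname ("-" for FILE), expires
getcert_records() {
  awk -v q="'" '
    function flush() {
      if (id != "") printf "%s\t%s\t%s\t%s\t%s\t%s\n", id, st, ty, loc, nick, ex
    }
    /^Request ID/ {
      flush(); id = $3; gsub("[" q ":]", "", id)
      st = ty = loc = nick = ex = "-"
    }
    /^[ \t]*status:/      { st = $2 }
    /^[ \t]*certificate:/ {
      if (match($0, "type=[A-Z]+"))               ty   = substr($0, RSTART + 5,  RLENGTH - 5)
      if (match($0, "location=" q "[^" q "]*" q)) loc  = substr($0, RSTART + 10, RLENGTH - 11)
      if (match($0, "nickname=" q "[^" q "]*" q)) nick = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /^[ \t]*expires:/     { ex = $2 " " $3 " " $4 }
    END { flush() }
  '
}

# earliest_expiry: ipactl start needs every cert valid, so the clock must be
# set before this instant (and after the latest notBefore) during ipa-backup.
earliest_expiry() {
  getcert_records | awk -F '\t' '$6 != "-" && (min == "" || $6 < min) { min = $6 } END { print min }'
}

# clock_target: one day before the earliest expiry, as a `date -s` argument
# (GNU date). The page used 2024-01-01; any instant inside every validity period works.
clock_target() {
  date -u -d "$(earliest_expiry) 1 day ago" '+%Y-%m-%d %H:%M:%S UTC'
}

# resubmit_commands: one `ipa-getcert resubmit` per request that is not already
# MONITORING. NSSDB-backed requests get the token pin from the pwdfile next to
# the database (pwdfile.txt on this page); the CA signing cert is skipped.
resubmit_commands() {
  getcert_records | awk -F '\t' '
    $2 == "MONITORING" { next }
    $5 == "caSigningCert cert-pki-ca" { print "# " $1 ": renew with ipa-cacert-manage renew on the renewal master"; next }
    $3 == "NSSDB" { printf "ipa-getcert resubmit -i %s -P \"$(cat %s/pwdfile.txt)\"\n", $1, $4; next }
    { printf "ipa-getcert resubmit -i %s\n", $1 }
  '
}

# Demo on the constructed sample; in real use: getcert list | earliest_expiry
sample_getcert | earliest_expiry
sample_getcert | resubmit_commands
```

The commands are printed rather than run so they can be checked against `ipa config-show | grep "IPA CA renewal master"` first; pipe the output to `sh` on the renewal master only.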
https://lists.fedorahosted.org/archives/list/[email protected]/thread/ECURP2WRMR4SGSYGWK5QPSUTLQHPAPFR/
ipa config-show| grep "IPA CA renewal master"
# set pin
certutil -W -d sql:/etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/alias/pwdfile.txt -@ /etc/pki/pki-tomcat/alias/pwdfile.txt
vim /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
#ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
systemctl daemon-reload
### Restore certs
(tomcat fails to start due to missing certs)
/var/log/pki/pki-tomcat/ca/debug.2024-05-03.log
pk12util -o output.p12 -n "auditSigningCert cert-pki-ca" -d sql:/var/lib/ipa/backup/ipa-full-2024-02-27-13-38-37/etc/pki/pki-tomcat/alias/ -k /var/lib/ipa/backup/ipa-full-2024-02-27-13-38-37/etc/pki/pki-tomcat/alias/pwdfile.txt
pk12util -i output.p12 -d sql:/etc/pki/pki-tomcat/alias/ -k /etc/pki/pki-tomcat/alias/pwdfile.txt
systemctl restart pki-tomcatd.target
https://access.redhat.com/solutions/3019521
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -c dogtag-ipa-ca-renew-agent -P 142233808236 -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert
# Unable to start CA engine: Unable to connect to LDAP server: Authentication failed
https://lists.fedoraproject.org/archives/list/[email protected]/thread/JYQU7PJGY4QV7C6S34Q7VOAAGU7FGLWF/
# Automated CA certificate renewal
https://www.freeipa.org/page/V4/CA_certificate_renewal#id1
sudo tail -f /var/log/pki/pki-tomcat/ca/debug
=========
find / -name cert9.db
certutil -d sql:/etc/ipa/nssdb/ -N -f /etc/ipa/nssdb/pwdfile.txt -@ /etc/ipa/nssdb/pwdfile.txt
certutil -d sql:/etc/httpd/alias -N -f /etc/httpd/alias/pwdfile.txt -@ /etc/httpd/alias/pwdfile.txt
certutil -d sql:/etc/pki/pki-tomcat/alias -N -f /etc/pki/pki-tomcat/alias/pwdfile.txt -@ /etc/pki/pki-tomcat/alias/pwdfile.txt
certutil -d sql:/etc/pki/nssdb/alias -N -f /etc/pki/nssdb/pwdfile.txt -@ /etc/pki/nssdb/pwdfile.txt
certutil -d sql:/etc/openldap/certs -N -f /etc/openldap/certs/password -@ /etc/openldap/certs/password
certutil -d sql:/etc/dirsrv/slapd-EXAMPLE-ORG -N -f /etc/dirsrv/slapd-EXAMPLE-ORG/pwdfile.txt -@ /etc/dirsrv/slapd-EXAMPLE-ORG/pwdfile.txt
cd /etc/pki/pki-tomcat/alias/
rm -f cert8.db* key3.db* secmod.db*
getcert list | grep -E "Request ID|status|certificate|expires"
# getcert list | grep -E "Request ID|status|certificate|expires"
Number of certificates and requests being tracked: 7.
Request ID '20180730085358':
status: CA_UNREACHABLE
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2024-06-06 13:35:30 UTC
Request ID '20240102133627':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:36:01 UTC
Request ID '20240102133628':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:37:01 UTC
Request ID '20240102133629':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:35:51 UTC
Request ID '20240102133630':
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2038-07-30 08:51:36 UTC
Request ID '20240102133631':
status: CA_UNREACHABLE
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-04 13:35:31 UTC
Request ID '20240102133632':
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-04 13:36:31 UTC
=============
systemctl restart pki-tomcatd@pki-tomcat.service
tail -f /var/log/pki/pki-tomcat/ca/debug
Internal Database Error encountered: Could not connect to LDAP server host freeipa.example.org port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
===============
https://access.redhat.com/solutions/6994251
#certificate
certutil -L -d /etc/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca" -a | tail -n +2 | head -n -1 | sed -e "s/\r//g" | tr -d '\n'
#serial
certutil -L -d /etc/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca" -a | openssl x509 -text | grep -i serial
https://access.redhat.com/solutions/3614001
==================
sed -i 's|freeipa-01|freeipa|g' /etc/hosts /etc/hostname
tar -xzvf /tmp/4.tgz -C /var/lib/ipa/backup ipa-full-2024-07-03-23-24-04/
ipa-restore /var/lib/ipa/backup/ipa-full-2024-07-03-23-24-04/
authselect current --raw > /var/lib/ipa/auth_backup/authselect.backup
sudo chown pkiuser:pkiuser /etc/sysconfig/pki-tomcat
sudo chown -R pkiuser:pkiuser /etc/pki/pki-tomcat/alias/
subsystemCert cert-pki-ca
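The restore traceback earlier on this page fails inside `ipactl start` because `ipa-server-upgrade` compares the platform recorded in the restored `/var/lib/ipa/sysupgrade/sysupgrade.state` with the ipaplatform of the running server; the page patches that file with `sed` after the failure and then fixes ownership under `/etc/pki/pki-tomcat/alias`. This added shell example, written for this edit and not taken from the gist or from FreeIPA, turns those two fixups into checks to run after `ipa-restore` stops and before `ipa-server-upgrade` is run again. The only platform values the page shows are `rhel` (recorded by the CentOS 7 source) and `fedora`; mapping any other `ID` from os-release through unchanged is this example's assumption.

```shell
#!/bin/sh
# Added example: post-restore checks for the two failure modes this page hit
# after ipa-restore: a platform mismatch in sysupgrade.state and wrong
# ownership of the pki-tomcat NSS directory.

# ipaplatform_name OS_RELEASE_FILE -> the name sysupgrade.state expects.
# CentOS reports ID=centos but is handled by ipaplatform "rhel" (the backup on
# this page came from CentOS 7 and recorded 'rhel'); other IDs pass through
# unchanged, which is an assumption of this example.
ipaplatform_name() {
  id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
  case "$id" in
    centos|rhel) echo rhel ;;
    *)           echo "$id" ;;
  esac
}

# state_platform STATE_FILE -> value of the "platform = ..." line
state_platform() {
  sed -n 's/^platform[ ]*=[ ]*//p' "$1" | head -n1
}

# check_platform STATE_FILE OS_RELEASE_FILE
# 0 when they agree; otherwise prints the exact sed the page used and returns 1
check_platform() {
  have=$(state_platform "$1"); want=$(ipaplatform_name "$2")
  if [ "$have" = "$want" ]; then
    echo "platform ok: $have"; return 0
  fi
  echo "platform mismatch: state has '$have', server is '$want'" >&2
  echo "fix: sed -i 's|^platform = $have|platform = $want|' $1" >&2
  return 1
}

# check_owner DIR OWNER -> 0 when every regular file directly in DIR is owned
# by OWNER (name or uid); lists the offenders on stderr otherwise
check_owner() {
  bad=$(find "$1" -maxdepth 1 -type f ! -user "$2")
  [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; return 1; }
}

# Usage on the new host, after ipa-restore has stopped at ipactl start:
#   check_platform /var/lib/ipa/sysupgrade/sysupgrade.state /etc/os-release
#   check_owner /etc/pki/pki-tomcat/alias pkiuser || chown -R pkiuser:pkiuser /etc/pki/pki-tomcat/alias
#   ipa-server-upgrade && ipactl start
```

`check_owner` is also worth running against `/var/lib/pki/pki-tomcat/alias` once Tomcat complains about missing certificates: a readable-by-root-only NSS database looks to `pkiuser` exactly like an empty one.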
===================
https://lists.fedoraproject.org/archives/list/[email protected]/thread/ZM2JHPP64COO5OLC4M5DNYASOJSCA27I/