On 05/02/2013 07:51 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Nathaniel McCallum wrote:
>>> When installing beta1, I encountered a bug where the CA install would
>>> fail. This may have already been fixed in dogtag or elsewhere, but if
>>> not, this patch WorksForMe. I have no idea if it is the "right" fix.
>>
>> Good catch. This change apparently was added during the last week of
>> 10.0.2 development and I'm not sure how I missed it. I did at least one
>> successful install using those bits. Maybe either my test was bogus or I
>> had left-over cruft.
>>
>> In any case, we can specify the location directly to pkispawn and not
>> have to move the file.
> 
> BTW, my patch 1098 bumps up the minimum version of dogtag to 10.0.2.
> 
> rob

I tested 1100 and it works great on the master server. However, when I am on
a replica, it always fails:

# ipa-ca-install replica-info-vm-024.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:
...
Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpRR0ic3' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

CA installation log including pkispawn error attached.

Martin
2013-05-03T10:16:56Z DEBUG /sbin/ipa-ca-install was invoked with argument "replica-info-vm-024.idm.lab.bos.redhat.com.gpg" and options: {'debug': False, 'skip_conncheck': False, 'unattended': False, 'skip_schema_check': False, 'no_host_dns': False}
2013-05-03T10:16:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:16:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:16:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2013-05-03T10:16:56Z DEBUG Starting external process
2013-05-03T10:16:56Z DEBUG args=klist -V
2013-05-03T10:16:56Z DEBUG Process finished, return code=0
2013-05-03T10:16:56Z DEBUG stdout=Kerberos 5 version 1.10.3

2013-05-03T10:16:56Z DEBUG stderr=
2013-05-03T10:17:00Z DEBUG Starting external process
2013-05-03T10:17:00Z DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpXGivBVipa/files.tar -d replica-info-vm-024.idm.lab.bos.redhat.com.gpg
2013-05-03T10:17:00Z DEBUG Process finished, return code=0
2013-05-03T10:17:00Z DEBUG stdout=
2013-05-03T10:17:00Z DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg'
gpg: keyring `/tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2013-05-03T10:17:00Z DEBUG Starting external process
2013-05-03T10:17:00Z DEBUG args=tar xf /tmp/tmpXGivBVipa/files.tar -C /tmp/tmpXGivBVipa
2013-05-03T10:17:00Z DEBUG Process finished, return code=0
2013-05-03T10:17:00Z DEBUG stdout=
2013-05-03T10:17:00Z DEBUG stderr=
2013-05-03T10:17:00Z DEBUG Check if vm-024.idm.lab.bos.redhat.com is a primary hostname for localhost
2013-05-03T10:17:00Z DEBUG Primary hostname for localhost: vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:00Z DEBUG Search DNS for vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:00Z DEBUG Check if vm-024.idm.lab.bos.redhat.com is not a CNAME
2013-05-03T10:17:00Z DEBUG Check reverse address of 10.16.78.24
2013-05-03T10:17:00Z DEBUG Found reverse name: vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:00Z DEBUG Starting external process
2013-05-03T10:17:00Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master vm-037.idm.lab.bos.redhat.com --auto-master-check --realm IDM.LAB.BOS.REDHAT.COM --principal admin --hostname vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:14Z DEBUG Process finished, return code=0
2013-05-03T10:17:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:17:14Z DEBUG Installing CA Replica from master with a merged database
2013-05-03T10:17:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:17:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:17:14Z DEBUG Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
2013-05-03T10:17:14Z DEBUG   [1/16]: creating certificate server user
2013-05-03T10:17:14Z DEBUG ca user pkiuser exists
2013-05-03T10:17:14Z DEBUG   duration: 0 seconds
2013-05-03T10:17:14Z DEBUG   [2/16]: configuring certificate server instance
2013-05-03T10:17:14Z DEBUG Contents of pkispawn configuration file (/tmp/tmpWKzhTa):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-bq39Dh
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM
pki_ssl_server_subject_dn = cn=vm-024.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=IDM.LAB.BOS.REDHAT.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_security_domain_hostname = vm-037.idm.lab.bos.redhat.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
	
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://vm-037.idm.lab.bos.redhat.com:443


2013-05-03T10:17:14Z DEBUG Starting external process
2013-05-03T10:17:14Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpWKzhTa
2013-05-03T10:17:15Z DEBUG Process finished, return code=1
2013-05-03T10:17:15Z DEBUG stdout=Loading deployment configuration from /tmp/tmpWKzhTa.
ERROR:  Unable to access security domain: 404 Client Error: Not Found

2013-05-03T10:17:15Z DEBUG stderr=
2013-05-03T10:17:15Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpWKzhTa' returned non-zero exit status 1
2013-05-03T10:17:15Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 615, in run_script
    return_value = main_function()

  File "/sbin/ipa-ca-install", line 182, in main
    config, dogtag_master_ds_port, postinstall=True)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1805, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 362, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 736, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2013-05-03T10:17:15Z INFO The ipa-ca-install command failed, exception: RuntimeError: Configuration of CA failed
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
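
A triage sketch for the attached log, added here and not part of Martin's message or the FreeIPA code base: it groups the `Starting external process` / `args=` / `return code=` / `stdout=` / `stderr=` records into one entry per command, then reports each failing command with its ERROR lines and any WARNING lines, such as gpg's note that the replica file was not integrity protected. The sample is a shortened, constructed excerpt of that log (the gpg argument list is abbreviated), and the function names are hypothetical.

```python
import re

# A record starts with a UTC timestamp and a level; any other line continues the one before.
RECORD = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) (.*)$")
# Constructed sample: shortened excerpt of the ipa-ca-install log quoted above.
SAMPLE = """\
2013-05-03T10:17:00Z DEBUG Starting external process
2013-05-03T10:17:00Z DEBUG args=/usr/bin/gpg --batch --passphrase-fd 0 -d replica-info.gpg
2013-05-03T10:17:00Z DEBUG Process finished, return code=0
2013-05-03T10:17:00Z DEBUG stderr=gpg: CAST5 encrypted data
gpg: WARNING: message was not integrity protected
2013-05-03T10:17:14Z DEBUG Starting external process
2013-05-03T10:17:14Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpWKzhTa
2013-05-03T10:17:15Z DEBUG Process finished, return code=1
2013-05-03T10:17:15Z DEBUG stdout=Loading deployment configuration from /tmp/tmpWKzhTa.
ERROR:  Unable to access security domain: 404 Client Error: Not Found
"""

def external_processes(text):
    """Return one dict per external command: args, rc, stdout, stderr."""
    procs, cur, key = [], None, None
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:  # continuation of a multi-line stdout/stderr value
            if cur and key:
                cur[key] += "\n" + line
            continue
        msg, key = m.group(3), None
        if msg == "Starting external process":
            cur = {"args": "", "rc": None, "stdout": "", "stderr": ""}
            procs.append(cur)
        elif cur and msg.startswith("args="):
            cur["args"] = msg[5:]
        elif cur and msg.startswith("Process finished, return code="):
            cur["rc"] = int(msg.rsplit("=", 1)[1])
        elif cur and msg.startswith(("stdout=", "stderr=")):
            key = msg[:6]
            cur[key] = msg[7:]
    return procs

def triage(text):
    """Failed commands with their ERROR lines, plus WARNING lines from any command."""
    failed, warnings = [], []
    for p in external_processes(text):
        out = (p["stdout"] + "\n" + p["stderr"]).splitlines()
        if p["rc"]:  # non-zero exit status
            failed.append((p["args"], p["rc"], [ln for ln in out if ln.startswith("ERROR")]))
        warnings += [ln for ln in out if "WARNING" in ln]
    return failed, warnings
```

Calling `triage()` on the full log text returns the pkispawn failure with its 404 security-domain error, and also surfaces the gpg warnings that are easy to miss because that command exited 0.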
