On 05/02/2013 07:51 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Nathaniel McCallum wrote:
>>> When installing beta1, I encountered a bug where the CA install would
>>> fail. This may have already been fixed in dogtag or elsewhere, but if
>>> not, this patch WorksForMe. I have no idea if it is the "right" fix.
>>
>> Good catch. This change apparently was added during the last week of
>> 10.0.2 development and I'm not sure how I missed it. I did at least one
>> successful install using those bits. Maybe either my test was bogus or I
>> had left-over kruft.
>>
>> In any case, we can specify the location directly to pkispawn and not
>> have to move the file.
>
> BTW, My patch 1098 bumps up the minimum version of dogtag to 10.0.2.
>
> rob

I tested 1100 and it works great on the master server. However, when I am on a replica, it always fails:

    # ipa-ca-install replica-info-vm-024.idm.lab.bos.redhat.com.gpg
    Directory Manager (existing master) password:
    ...
    Connection check OK
    Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
      [1/16]: creating certificate server user
      [2/16]: configuring certificate server instance
    ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpRR0ic3' returned non-zero exit status 1

    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    Configuration of CA failed

CA installation log including pkispawn error attached.

Martin

2013-05-03T10:16:56Z DEBUG /sbin/ipa-ca-install was invoked with argument "replica-info-vm-024.idm.lab.bos.redhat.com.gpg" and options: {'debug': False, 'skip_conncheck': False, 'unattended': False, 'skip_schema_check': False, 'no_host_dns': False}
2013-05-03T10:16:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:16:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:16:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2013-05-03T10:16:56Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
2013-05-03T10:16:56Z DEBUG Starting external process
2013-05-03T10:16:56Z DEBUG args=klist -V
2013-05-03T10:16:56Z DEBUG Process finished, return code=0
2013-05-03T10:16:56Z DEBUG stdout=Kerberos 5 version 1.10.3
2013-05-03T10:16:56Z DEBUG stderr=
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py'
2013-05-03T10:17:00Z DEBUG Starting external process
2013-05-03T10:17:00Z DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpXGivBVipa/files.tar -d replica-info-vm-024.idm.lab.bos.redhat.com.gpg
2013-05-03T10:17:00Z DEBUG Process finished, return code=0
2013-05-03T10:17:00Z DEBUG stdout=
2013-05-03T10:17:00Z DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg'
gpg: keyring `/tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpXGivBVipa/ipa-CI9BRU/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
2013-05-03T10:17:00Z DEBUG Starting external process
2013-05-03T10:17:00Z DEBUG args=tar xf /tmp/tmpXGivBVipa/files.tar -C /tmp/tmpXGivBVipa
2013-05-03T10:17:00Z DEBUG Process finished, return code=0
2013-05-03T10:17:00Z DEBUG stdout=
2013-05-03T10:17:00Z DEBUG stderr=
2013-05-03T10:17:00Z DEBUG Check if vm-024.idm.lab.bos.redhat.com is a primary hostname for localhost
2013-05-03T10:17:00Z DEBUG Primary hostname for localhost: vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:00Z DEBUG Search DNS for vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:00Z DEBUG Check if vm-024.idm.lab.bos.redhat.com is not a CNAME
2013-05-03T10:17:00Z DEBUG Check reverse address of 10.16.78.24
2013-05-03T10:17:00Z DEBUG Found reverse name: vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:00Z DEBUG Starting external process
2013-05-03T10:17:00Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master vm-037.idm.lab.bos.redhat.com --auto-master-check --realm IDM.LAB.BOS.REDHAT.COM --principal admin --hostname vm-024.idm.lab.bos.redhat.com
2013-05-03T10:17:14Z DEBUG Process finished, return code=0
2013-05-03T10:17:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:17:14Z DEBUG Installing CA Replica from master with a merged database
2013-05-03T10:17:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:17:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:17:14Z DEBUG Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
2013-05-03T10:17:14Z DEBUG [1/16]: creating certificate server user
2013-05-03T10:17:14Z DEBUG ca user pkiuser exists
2013-05-03T10:17:14Z DEBUG duration: 0 seconds
2013-05-03T10:17:14Z DEBUG [2/16]: configuring certificate server instance
2013-05-03T10:17:14Z DEBUG Contents of pkispawn configuration file (/tmp/tmpWKzhTa):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-bq39Dh
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM
pki_ssl_server_subject_dn = cn=vm-024.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=IDM.LAB.BOS.REDHAT.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_security_domain_hostname = vm-037.idm.lab.bos.redhat.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://vm-037.idm.lab.bos.redhat.com:443

2013-05-03T10:17:14Z DEBUG Starting external process
2013-05-03T10:17:14Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpWKzhTa
2013-05-03T10:17:15Z DEBUG Process finished, return code=1
2013-05-03T10:17:15Z DEBUG stdout=Loading deployment configuration from /tmp/tmpWKzhTa.
ERROR: Unable to access security domain: 404 Client Error: Not Found
2013-05-03T10:17:15Z DEBUG stderr=
2013-05-03T10:17:15Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpWKzhTa' returned non-zero exit status 1
2013-05-03T10:17:15Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 615, in run_script
    return_value = main_function()
  File "/sbin/ipa-ca-install", line 182, in main
    config, dogtag_master_ds_port, postinstall=True)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1805, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 362, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 736, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
2013-05-03T10:17:15Z INFO The ipa-ca-install command failed, exception: RuntimeError: Configuration of CA failed