john.bowman--- via FreeIPA-users wrote:
> Since taking over our FreeIPA environment I've been unable to create a new CA
> replica.  A bunch of failed attempts and upgrades over the last year and I
> keep running into issues.   After my latest attempt I noticed something that
> I had not seen before (likely a result of a recent upgrade) and I was
> wondering if this would cause a CA install to fail.
> Our env:
> 3 x ipa-server-3.0.0-51.el6.x86_64
> 3 x ipa-server-4.4.0-14.el7_3.7.x86_64
> 2 of the 3.x IPA servers are currently acting as CAs and I've been trying to 
> create a new 4.x CA replica in order to start removing the 3.x IPA servers.   
> I've been able to do a simple test with vanilla CentOS 6.9 and 7.3 and it 
> seems to work fine as far as I can tell but when I try it in our environment 
> it fails.  I noticed this error in one of the logs and something jumped out 
> at me that I had never seen before:
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security domain
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain info:
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <DomainInfo>
>   <Name>IPA</Name>
>   <CAList>
>     <CA>
>       <Host>ipa-master.domain.tld</Host>
>       <SecurePort>443</SecurePort>
>       <SecureAgentPort>443</SecureAgentPort>
>       <SecureAdminPort>443</SecureAdminPort>
>       <UnSecurePort>80</UnSecurePort>
>       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
>       <DomainManager>TRUE</DomainManager>
>       <Clone>TRUE</Clone>
>       <SubsystemName>pki-cad</SubsystemName>
>     </CA>
>     <CA>
>       <Host>ipa-replica1.domain.tld</Host>
>       <SecurePort>443</SecurePort>
>       <SecureAgentPort>443</SecureAgentPort>
>       <SecureAdminPort>443</SecureAdminPort>
>       <UnSecurePort>80</UnSecurePort>
>       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
>       <DomainManager>TRUE</DomainManager>
>       <Clone>TRUE</Clone>
>       <SubsystemName>pki-cad</SubsystemName>
>     </CA>
>     <CA>
>       <Host>ipa-replica2.domain.tld</Host>
>       <SecurePort>443</SecurePort>
>       <SecureAgentPort>443</SecureAgentPort>
>       <SecureAdminPort>443</SecureAdminPort>
>       <UnSecurePort>80</UnSecurePort>
>       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
>       <DomainManager>TRUE</DomainManager>
>       <Clone>TRUE</Clone>
>       <SubsystemName>pki-cad</SubsystemName>
>     </CA>
>     <SubsystemCount>3</SubsystemCount>
>   </CAList>
>   <OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>
>   <KRAList><SubsystemCount>0</SubsystemCount></KRAList>
>   <RAList><SubsystemCount>0</SubsystemCount></RAList>
>   <TKSList><SubsystemCount>0</SubsystemCount></TKSList>
>   <TPSList><SubsystemCount>0</SubsystemCount></TPSList>
> </DomainInfo>
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using admin interface
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin interface: HTTP 404 Not Found
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using agent interface
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - subject: CN=ipa-master.domain.tld,O=DOMAIN.US
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=DOMAIN.US
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML: status=1
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security domain: 2
> Unable to update security domain: 2
> The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x servers,
> but of the other two listed in that domain.xml file, one does not exist (it may
> at some point have been renamed) and the other is not a CA replica, though it
> is a replica.
> Is it possible this bad info would cause a failure when trying to create a 
> new CA replica?  If so is it something I can try cleaning up?
> Any info would be appreciated.  Thanks!

I think one of the dogtag devs will need to look at it. It may take a
few days, things get a bit slow around here in the summer.
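The DomainInfo document quoted above is the Dogtag security domain as the master reports it, and the question is whether its two stale `<CA>` entries matter. As an added example, not from the thread and not FreeIPA or Dogtag code, here is a small Python audit that parses that document, checks the declared `SubsystemCount` against the entries actually present, flags CA entries whose host is not in a caller-supplied list of hosts known to run a CA, and prints the LDAP DN each stale entry would have. The sample XML is reconstructed from the post (same three hostnames); the DN layout under `ou=Security Domain,o=ipaca` is my assumption about where Dogtag keeps the domain and must be confirmed with `ldapsearch` on the CA's own LDAP instance before anything is deleted.

```python
"""Audit a Dogtag security domain (DomainInfo XML) for stale CA entries."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: the DomainInfo body from the post, reflowed onto lines.
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DomainInfo><Name>IPA</Name><CAList>
<CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica1.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<SubsystemCount>3</SubsystemCount></CAList>
<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList>
<RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList>
<TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>"""

# The per-subsystem lists a DomainInfo document carries; "XList" holds <X> children.
SUBSYSTEM_LISTS = ("CAList", "OCSPList", "KRAList", "RAList", "TKSList", "TPSList")

# Assumed location of the security domain in the CA's LDAP instance; verify first.
ASSUMED_SD_BASE = "ou=Security Domain,o=ipaca"


@dataclass(frozen=True)
class Subsystem:
    kind: str            # "CA", "KRA", ...
    host: str
    secure_port: int
    domain_manager: bool
    clone: bool
    name: str            # SubsystemName, e.g. "pki-cad"


def _flag(elem: ET.Element, tag: str) -> bool:
    return (elem.findtext(tag) or "").strip().upper() == "TRUE"


def parse_domain_info(xml_text) -> List[Subsystem]:
    """Parse a DomainInfo document into Subsystem records.

    Raises ValueError if the root is wrong or a list's SubsystemCount does not
    match the entries it actually contains (a cheap consistency check on what
    the master handed back).
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)  # stdlib expat: no external entity fetching
    if root.tag != "DomainInfo":
        raise ValueError(f"unexpected root element {root.tag!r}")
    found: List[Subsystem] = []
    for list_name in SUBSYSTEM_LISTS:
        lst = root.find(list_name)
        if lst is None:
            continue
        kind = list_name[:-len("List")]
        entries = lst.findall(kind)
        declared = int((lst.findtext("SubsystemCount") or "0").strip())
        if declared != len(entries):
            raise ValueError(f"{list_name}: SubsystemCount={declared} but {len(entries)} entries")
        for e in entries:
            found.append(Subsystem(
                kind=kind,
                host=(e.findtext("Host") or "").strip(),
                secure_port=int((e.findtext("SecurePort") or "0").strip()),
                domain_manager=_flag(e, "DomainManager"),
                clone=_flag(e, "Clone"),
                name=(e.findtext("SubsystemName") or "").strip(),
            ))
    return found


def find_stale(subsystems: Iterable[Subsystem], live_ca_hosts: Iterable[str]) -> List[Subsystem]:
    """CA entries whose host is not in the operator's list of hosts really running a CA."""
    live = {h.strip().lower() for h in live_ca_hosts}
    return [s for s in subsystems if s.kind == "CA" and s.host.lower() not in live]


def cleanup_dns(stale: Iterable[Subsystem], base: str = ASSUMED_SD_BASE) -> List[str]:
    """DN each stale entry would have under the assumed cn=host:port,cn=<kind>List layout."""
    return [f"cn={s.host}:{s.secure_port},cn={s.kind}List,{base}" for s in stale]


def main(argv: List[str]) -> int:
    # Usage: audit.py HOST [HOST ...]  (hosts that really run a CA); reads XML from stdin,
    # or uses the constructed sample when stdin is a terminal.
    xml_text = SAMPLE_DOMAIN_XML if sys.stdin.isatty() else sys.stdin.read()
    live = argv[1:] or ["ipa-master.domain.tld"]
    subs = parse_domain_info(xml_text)
    for s in subs:
        print(f"{s.kind:5} {s.host}:{s.secure_port} manager={s.domain_manager} clone={s.clone} ({s.name})")
    stale = find_stale(subs, live)
    for dn in cleanup_dns(stale):
        print("STALE (verify with ldapsearch before deleting):", dn)
    return 1 if stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the real document piped in (`curl -s https://ipa-master.domain.tld/ca/admin/ca/getDomainXML | python3 audit.py ipa-master.domain.tld`) and the hosts you know actually run a CA as arguments; a non-zero exit means the domain lists a CA nobody is running. With the post's sample and only `ipa-master.domain.tld` live, the two replica entries come out as stale.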

FreeIPA-users mailing list --