On Thu, 2017-07-20 at 01:11 -0400, Endi Sukma Dewata wrote:
> ----- Original Message -----
> > David Hendén via FreeIPA-users wrote:
> > > Hi all,
> > > 
> > > I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to
> > > RHEL7.3 RHEL
> > > 4.4.0.
> > > 
> > > What I'm trying to achieve is an isolated FreeIPA 4.4 server that
> > > we could
> > > replace the original FreeIPA 3.0 infrastrcuture with. The way I'm
> > > doing
> > > this is:
> > > 
> > >  1) prepare replica file on production ipa01 and copy to ipasync
> > >  2) install replica with CA on ipasync and then remove all
> > > connections to
> > >  ipa01, ipa02 and ipa03 (which is the entire production
> > > infrastructure)
> > >  3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL
> > > 6.7)
> > >  4) Prepare replica file on ipasync and copy to ipa01 (a new
> > > clean
> > >  installation in test that should later replace ipa01 in prod)
> > >  5) install replica with CA on ipa01 and then remove all
> > > connections to
> > >  ipasync
> > > 
> > > * Right now I'm failing at the create CA phase in step 5 with:
> > > 
> > >   [2/27]: configuring certificate server instance
> > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> > > configure
> > > CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr'
> > > returned
> > > non-zero exit status 1
> > > 
> > > * I can see that it fails on the subsystem Clone URI in
> > > /var/log/ipareplica-install.log
> > > 
> > > Installation failed:
> > > com.netscape.certsrv.base.BadRequestException: Clone URI does not
> > > match
> > > available subsystems: https://ipasync.xxx.com:443
> > > Please check the CA logs in /var/log/pki/pki-tomcat/ca.
> > > 2017-07-11T15:24:52Z DEBUG stderr=pkispawn    : WARNING  .......
> > > unable to
> > > validate security domain user/password through REST interface.
> > > Interface
> > > not available
> > > 
> > > * To get more details I check the debug log for tomcat and find
> > > that it
> > > still tries to match against the old infrastructure and not the
> > > ipasync
> > > server:
> > > 
> > > # cat /var/log/pki/pki-tomcat/ca/debug
> > > ...
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname:
> > > <ipa01.xxx.com>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname:
> > > <ipa02.xxx.com>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname:
> > > <ipa03.xxx.com>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem
> > > Configuration
> > > ===
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]:
> > > SystemConfigService: validate
> > > clone URI: https://ipasync.xxx.com:443
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not
> > > match
> > > available subsystems: https://ipasync.xxx.com:443
> > > 
> > > * I validate this by checking the calist in getDomainXML:
> > > 
> > > # wget --no-check-certificate
> > > https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
> > > # cat getDomainXML | xmllint --format -
> > > ...
> > >   <CAList>
> > >     <CA>
> > >       <DomainManager>TRUE</DomainManager>
> > >       <SubsystemName>pki-cad</SubsystemName>
> > >       <Clone>FALSE</Clone>
> > >       <UnSecurePort>80</UnSecurePort>
> > >       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
> > >       <SecureAdminPort>443</SecureAdminPort>
> > >       <SecureAgentPort>443</SecureAgentPort>
> > >       <SecurePort>443</SecurePort>
> > >       <Host>ipa01.xxx.com</Host>
> > >     </CA>
> > >     <CA>
> > >       <SubsystemName>pki-cad</SubsystemName>
> > >       <Clone>TRUE</Clone>
> > >       <DomainManager>TRUE</DomainManager>
> > >       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
> > >       <UnSecurePort>80</UnSecurePort>
> > >       <SecureAdminPort>443</SecureAdminPort>
> > >       <SecureAgentPort>443</SecureAgentPort>
> > >       <SecurePort>443</SecurePort>
> > >       <Host>ipa02.xxx.com</Host>
> > >     </CA>
> > >     <CA>
> > >       <SubsystemName>pki-cad</SubsystemName>
> > >       <Clone>TRUE</Clone>
> > >       <DomainManager>TRUE</DomainManager>
> > >       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
> > >       <UnSecurePort>80</UnSecurePort>
> > >       <SecureAdminPort>443</SecureAdminPort>
> > >       <SecureAgentPort>443</SecureAgentPort>
> > >       <SecurePort>443</SecurePort>
> > >       <Host>ipa03.xxx.com</Host>
> > >     </CA>
> > >     <SubsystemCount>3</SubsystemCount>
> > >   </CAList>
> > > ...
> > > 
> > > Why does it still have the old ipa servers and why is not ipasync
> > > included?
> > > Am I doing something wrong here, for example do I need to
> > > manually add
> > > ipasync to the pki-cad list of CAs?
> > 
> > I don't believe uninstalling an IPA master will update this list as
> > it
> > is maintained by dogtag and other than removing the replication
> > agreements I'm not aware of any other notification that a server is
> > going away.
> > 

Nice detective work!

It seems that the problem here is that ipasync should have been added
to the security domain during the replication in step 2, just as ipa02
and ipa03 were also added during previous replications.

I'm not sure why that did not happen - but it would be useful to get
Dogtag logs for step 2 to try to figure that out.  I recall that in the
past, there was a bug where the Dogtag replication installation code
silently swallowed an exception at the end of the setup, resulting in
the security domain not being updated.  Maybe this is what is happening
here.

To proceed further, you need to manually add the entry for ipasync into
the security domain.  It will look the same as the other entries.  Make
sure also to update SubsystemCount.
  
> > Endi, do you know what needs to happen here?
> > 
> > rob
> 
> Sorry, I'm not that familiar with this area.
> 
> Ade, could you take a look? Thanks.
> 
> --
> Endi S. Dewata
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to