On 07/27/2017 04:17 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 07/27/2017 11:34 AM, Petros Triantafyllidis via FreeIPA-users wrote:
On 07/27/2017 11:13 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote:
Hi all,
I would appreciate any help on my attempt to promote an existing client to replica. After client installation, I added the replica-to-be to the ipaservers hostgroup and then ran "replica-install --setup-ca", but unfortunately I ended up with the errors below. Both master and client have ipa-server-4.4.0-14.el7.centos.7.x86_64
Thanks in advance,
Petros

_____________________________________________________________________________________________________________
On replica-to-be:

[...]
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
   [1/26]: creating certificate server user
   [2/26]: creating certificate server db
   [3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

   [4/26]: creating installation admin user
   [5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________
/var/log/ipareplica-install.log

[...]
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
auditSigningCert cert-pki-ca u,u,Pu

Installation failed:


Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2017-07-27T06:57:54Z DEBUG stderr=
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
2017-07-27T06:57:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
     run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
     method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
     DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
     self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
     raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-07-27T06:57:54Z DEBUG [error] RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
     return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
     cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
     self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
     for nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
     self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
     step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
     step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
     value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
     next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
     self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
     self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
     super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
     step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
     step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
     value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
     for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
     promote(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
     func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1519, in promote
     ca_cert_bundle=ca_data)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1392, in configure_replica
     self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
     run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
     method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
     DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
     self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
     raise RuntimeError("%s configuration failed." % self.subsystem)

2017-07-27T06:57:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z ERROR CA configuration failed.
2017-07-27T06:57:54Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________

On master server:

[27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:53:21.525459152 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:53:26.923911503 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)". Sent 719 entries.
[27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:32.746503539 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:53:51.238616755 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:54:30.937398919 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:56:03.537114454 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin - agmt="cn=caTomedea.geo.auth.gr" (medea:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[27/Jul/2017:09:56:06.236968406 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:56:10.494727689 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)". Sent 159 entries.



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi Petros,

there is no need to add the replica-to-be to the ipaservers hostgroup as it will be done automatically during ipa-replica-install.

To diagnose the install issue, can you post the logs relevant to the CA installation? They are:
    /var/log/pki/pki-ca-spawn.$TIME_OF_INSTALLATION.log
    /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log
    /var/log/pki/pki-tomcat/ca/system
    /var/log/pki/pki-tomcat/ca/debug

Flo

Hi Flo,
Thanks for responding. I attach the files as requested. /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log was empty and therefore excluded.

Regards,
Petros




Hi,

the /var/log/pki-tomcat/ca/debug log shows that the replica Dogtag instance failed to POST https://fidias.geo.auth.gr:443/ca/admin/ca/updateNumberRange

You may find more info on the master's Dogtag log (same file but on the host fidias.geo.auth.gr). The relevant logs would start with
    UpdateNumberRange: initializing...
or
    CMSServlet:service() uri = /ca/admin/ca/updateNumberRange

HTH,
Flo

I am not sure I understand this and how I am supposed to resolve it. Indeed, master's apache reports:
"POST /ca/admin/ca/updateNumberRange HTTP/1.1" 500 5478

while the /var/log/pki-tomcat/ca/debug shows the following:

[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='xmlOutput' value='true'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='sessionID' value='1129328291888586443'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='type' value='request'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: caUpdateNumberRange start to service.
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: processing...
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange process: authentication starts
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: IP: 155.207.61.84
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: AuthMgrName: TokenAuth
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: no client certificate found
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: start
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: content={hostname=[155.207.61.84], sessionID=[1129328291888586443]}
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: ConfigurationUtils: POST https://fidias.geo.auth.gr:443/ca/admin/ca/tokenAuthenticate

What is so obvious that I can't see? Any hint?

Petros


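An added example, not part of the thread and not FreeIPA or Dogtag project code: a small Python script that parses Dogtag debug-log lines of the form Petros posted (`[timestamp][thread]: message`), groups them by Tomcat worker thread so that interleaved requests do not get mixed up, and reports which servlet requests stop at an outbound `ConfigurationUtils: POST ...` call with no further log entry on that thread. On the master's `/var/log/pki/pki-tomcat/ca/debug` that is exactly the shape of the `updateNumberRange` request above: it reaches `TokenAuthentication`, calls back to `tokenAuthenticate`, and nothing else is logged before Apache returns the 500. The sample input embeds the thread's own lines plus two constructed lines on a second thread (`exec-6`, URI `/ca/admin/ca/getStatus`) to show the per-thread grouping; the "unfinished request" rule is a heuristic chosen for this example.

```python
import re

# Dogtag debug log format: "[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: message"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$')
URI_RE = re.compile(r'CMSServlet:service\(\) uri = (?P<uri>\S+)')
SESSION_RE = re.compile(r"param name='sessionID' value='(?P<sid>\d+)'")
POST_RE = re.compile(r'ConfigurationUtils: POST (?P<url>\S+)')

# Sample input: the lines from the thread, interleaved with two constructed
# lines on thread exec-6 (a made-up /ca/admin/ca/getStatus request).
SAMPLE_DEBUG_LOG = """
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='xmlOutput' value='true'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-6]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='sessionID' value='1129328291888586443'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='type' value='request'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: caUpdateNumberRange start to service.
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-6]: CMSServlet: getStatus start to service.
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: processing...
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange process: authentication starts
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: IP: 155.207.61.84
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: AuthMgrName: TokenAuth
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: no client certificate found
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: start
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: content={hostname=[155.207.61.84], sessionID=[1129328291888586443]}
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: ConfigurationUtils: POST https://fidias.geo.auth.gr:443/ca/admin/ca/tokenAuthenticate
""".strip().splitlines()


def parse_lines(lines):
    """Yield (timestamp, thread, message) for every well-formed debug line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group('ts'), m.group('thread'), m.group('msg')


def trace_requests(lines):
    """Group entries per worker thread; each 'CMSServlet:service() uri = ...'
    line opens a new request record on that thread and later lines on the
    same thread are attached to it. Returns the records in order of first
    appearance."""
    requests = []
    open_by_thread = {}
    for ts, thread, msg in parse_lines(lines):
        m = URI_RE.search(msg)
        if m:
            req = {'uri': m.group('uri'), 'thread': thread, 'start': ts,
                   'session_id': None, 'client_cert': True,
                   'outbound_posts': [], 'steps': []}
            requests.append(req)
            open_by_thread[thread] = req
            continue
        req = open_by_thread.get(thread)
        if req is None:
            continue  # entry belongs to a request that began before our window
        s = SESSION_RE.search(msg)
        if s:
            req['session_id'] = s.group('sid')
        if 'no client certificate found' in msg:
            req['client_cert'] = False
        p = POST_RE.search(msg)
        if p:
            req['outbound_posts'].append(p.group('url'))
        req['steps'].append(msg)
    return requests


def unfinished_requests(requests):
    """Heuristic: a request whose last logged step is an outbound POST never
    logged anything after the callback, which is what a hung or failed
    token authentication against the master looks like in this log."""
    return [r for r in requests if r['steps'] and POST_RE.search(r['steps'][-1])]


def summarize(requests):
    """Render one line per request for a quick read of where each one stopped."""
    out = []
    for r in requests:
        out.append("%s [%s] sid=%s client_cert=%s last=%r" % (
            r['uri'], r['thread'], r['session_id'], r['client_cert'],
            r['steps'][-1] if r['steps'] else None))
    return out


if __name__ == '__main__':
    reqs = trace_requests(SAMPLE_DEBUG_LOG)
    print("\n".join(summarize(reqs)))
    for r in unfinished_requests(reqs):
        print("stalled after outbound POST: %s -> %s" % (r['uri'], r['outbound_posts'][-1]))
```

Run it against the real file with `trace_requests(open('/var/log/pki/pki-tomcat/ca/debug'))` on the master; a request that is flagged as stalled right after the `tokenAuthenticate` callback narrows the problem to the master's token-authentication path rather than to the number-range logic itself, which is the next thing to check in the master's `system` and `catalina` logs.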
