On 07/27/2017 04:03 PM, Petros Triantafyllidis wrote:



On 07/27/2017 04:17 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 07/27/2017 11:34 AM, Petros Triantafyllidis via FreeIPA-users wrote:
On 07/27/2017 11:13 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote:
Hi all,
I would appreciate any help on my attempt to promote an existing client to replica. After client installation, I added the replica-to-be to the ipaservers hostgroup and then ran "replica-install --setup-ca", but unfortunately I end up with the errors below. Both master and client have ipa-server-4.4.0-14.el7.centos.7.x86_64
Thanks in advance,
Petros

_____________________________________________________________________________________________________________
On replica-to-be:

[...]
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
   [1/26]: creating certificate server user
   [2/26]: creating certificate server db
   [3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

   [4/26]: creating installation admin user
   [5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________
/var/log/ipareplica-install.log

[...]
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
auditSigningCert cert-pki-ca u,u,Pu

Installation failed:


Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2017-07-27T06:57:54Z DEBUG stderr=
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
2017-07-27T06:57:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
     run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
     method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
     DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
     self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
     raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-07-27T06:57:54Z DEBUG [error] RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
     return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
     cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
     self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
     for nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
     self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
     step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
     step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
     value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
     next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
     self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
     self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
     super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
     step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
     step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
     six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
     value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
     for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
     promote(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
     func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1519, in promote
     ca_cert_bundle=ca_data)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1392, in configure_replica
     self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
     run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
     method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
     DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
     self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
     raise RuntimeError("%s configuration failed." % self.subsystem)

2017-07-27T06:57:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z ERROR CA configuration failed.
2017-07-27T06:57:54Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________

On master server:

[27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:53:21.525459152 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:53:26.923911503 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)". Sent 719 entries.
[27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:32.746503539 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:53:51.238616755 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:54:30.937398919 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:56:03.537114454 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin - agmt="cn=caTomedea.geo.auth.gr" (medea:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[27/Jul/2017:09:56:06.236968406 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:56:10.494727689 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)". Sent 159 entries.



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi Petros,

There is no need to add the replica-to-be to the ipaservers hostgroup, as it will be done automatically during ipa-replica-install.

To diagnose the install issue, can you post the logs relevant to the CA installation? They are:
    /var/log/pki/pki-ca-spawn.$TIME_OF_INSTALLATION.log
    /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log
    /var/log/pki/pki-tomcat/ca/system
    /var/log/pki/pki-tomcat/ca/debug

Flo

Hi Flo,
Thanks for responding. I attach the files as requested. /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log was empty and therefore excluded.

Regards,
Petros




Hi,

the /var/log/pki-tomcat/ca/debug log shows that the replica Dogtag instance failed to POST https://fidias.geo.auth.gr:443/ca/admin/ca/updateNumberRange

You may find more info on the master's Dogtag log (same file but on the host fidias.geo.auth.gr). The relevant logs would start with
    UpdateNumberRange: initializing...
or
    CMSServlet:service() uri = /ca/admin/ca/updateNumberRange

HTH,
Flo

I am not sure I understand this and how I am supposed to resolve it. Indeed, master's apache reports:
"POST /ca/admin/ca/updateNumberRange HTTP/1.1" 500 5478

while the /var/log/pki-tomcat/ca/debug shows the following:

[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='xmlOutput' value='true'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='sessionID' value='1129328291888586443'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='type' value='request'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: caUpdateNumberRange start to service.
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: processing...
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange process: authentication starts
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: IP: 155.207.61.84
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: AuthMgrName: TokenAuth
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: no client certificate found
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: start
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: content={hostname=[155.207.61.84], sessionID=[1129328291888586443]}
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: ConfigurationUtils: POST https://fidias.geo.auth.gr:443/ca/admin/ca/tokenAuthenticate

What is so obvious that I can't see? Any hint?

Petros
Hi,

I was looking for any error message between
UpdateNumberRange: processing...
and
UpdateNumberRange: Sending response
or
UpdateNumberRange: Failed to update number range


If I recall correctly, this is related to assigning ranges of serial IDs for certificates delivered by the replica (each CA instance uses its own range to avoid delivering certificates with the same serial ID on a master or replica).

Flo
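Flo's last message describes the triage step: in the master's Dogtag debug log, find whatever is logged between "UpdateNumberRange: processing..." and either "UpdateNumberRange: Sending response" or "UpdateNumberRange: Failed to update number range". The script below is an added example, written for this page and not code from the thread or from the FreeIPA/Dogtag projects, that performs that search. Because Tomcat interleaves worker threads in the debug log, it keys each request block on the thread tag (the "[ajp-bio-...-exec-N]" field) rather than on line order, and reports each block as ok, failed, or incomplete, together with the first line that looks like an error. The sample log is constructed after the excerpt quoted in the thread; the "authentication failed: session not found" line and the hostname ca.example.test are invented placeholders, not Dogtag's actual wording.

```python
"""Triage a Dogtag CA debug log for UpdateNumberRange requests.

Usage: python3 dogtag_unr.py /var/log/pki/pki-tomcat/ca/debug
Without an argument it runs over the constructed SAMPLE_LOG below.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# One Dogtag debug line: "[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s?(?P<msg>.*)$")

START = "UpdateNumberRange: processing..."
END_OK = "UpdateNumberRange: Sending response"
END_FAIL = "UpdateNumberRange: Failed to update number range"

# Heuristic: words that usually mark the root cause inside a request block.
SUSPECT_RE = re.compile(r"exception|error|fail|denied|not found|invalid", re.I)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, worker thread, message), or None for non-log lines."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return None if m is None else (m.group("ts"), m.group("thread"), m.group("msg"))


def update_number_range_blocks(lines: List[str]) -> List[Dict]:
    """Group each worker thread's lines from START to END_OK / END_FAIL.

    A block still open at EOF, or superseded by a new START on the same
    thread, is reported with status 'incomplete'.
    """
    open_blocks: Dict[str, Dict] = {}
    finished: List[Dict] = []

    def close(thread: str, status: str) -> None:
        blk = open_blocks.pop(thread)
        blk["status"] = status
        finished.append(blk)

    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, thread, msg = parsed
        if msg.startswith(START):
            if thread in open_blocks:
                close(thread, "incomplete")
            open_blocks[thread] = {"thread": thread, "started": ts,
                                   "lines": [msg], "suspect": [], "status": "incomplete"}
            continue
        blk = open_blocks.get(thread)
        if blk is None:
            continue  # this thread is not inside an UpdateNumberRange request
        blk["lines"].append(msg)
        if SUSPECT_RE.search(msg):
            blk["suspect"].append(msg)
        if msg.startswith(END_OK):
            close(thread, "ok")
        elif msg.startswith(END_FAIL):
            close(thread, "failed")

    for thread in list(open_blocks):
        close(thread, "incomplete")
    return finished


def summarize(blocks: List[Dict]) -> List[str]:
    """One line per request: status, start time, thread, first suspect message."""
    out = []
    for blk in blocks:
        hint = blk["suspect"][0] if blk["suspect"] else "-"
        out.append(f"{blk['status']:<10} {blk['started']} {blk['thread']}  {hint}")
    return out


# Constructed sample modelled on the excerpt in the thread. The
# "authentication failed: session not found" line is invented for this
# example and is not Dogtag's real wording.
SAMPLE_LOG = """\
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: processing...
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange process: authentication starts
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: AuthMgrName: TokenAuth
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: start
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: ConfigurationUtils: POST https://ca.example.test:443/ca/admin/ca/tokenAuthenticate
[27/Jul/2017:09:56:35][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: authentication failed: session not found
[27/Jul/2017:09:56:35][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: Failed to update number range
[27/Jul/2017:09:56:40][ajp-bio-127.0.0.1-8009-exec-7]: UpdateNumberRange: processing...
[27/Jul/2017:09:56:40][ajp-bio-127.0.0.1-8009-exec-7]: UpdateNumberRange: Sending response
[27/Jul/2017:09:56:41][ajp-bio-127.0.0.1-8009-exec-9]: UpdateNumberRange: processing...
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print("\n".join(summarize(update_number_range_blocks(lines))))
```

Run it against /var/log/pki/pki-tomcat/ca/debug on the master (fidias.geo.auth.gr in this thread), not on the replica-to-be: the replica only logs that its POST got an HTTP 500, while the servlet that failed runs on the master. A "failed" block whose suspect line is an authentication message points at the token/session check; a "failed" block with an LDAP exception points at the range entries in the CA's database, which is what Flo's remark about per-instance serial ranges refers to.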
