Heh. That's the EXACT SAME error I kept getting whether I ran the
install-ca from an existing replica, or when adding a CA while installing a
new replica. Glad I'm not the only one seeing such weird errors.

On Thu, Jul 27, 2017 at 12:28 PM, Petros Triantafyllidis via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

>
>
> On 07/27/2017 06:06 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> On 07/27/2017 04:03 PM, Petros Triantafyllidis wrote:
>
>
>
> On 07/27/2017 04:17 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> On 07/27/2017 11:34 AM, Petros Triantafyllidis via FreeIPA-users wrote:
>
> On 07/27/2017 11:13 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote:
>
> Hi all,
>    I would appreciate any help on my attempt to promote an existing client
> to replica. After client installation, I added the replica-to-be to the ipaservers
> hostgroup and then ran "replica-install --setup-ca", but unfortunately I end
> up with the errors below. Both master and client have
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> Thanks in advance,
> Petros
>
> ____________________________________________________________
> On replica-to-be:
>
> [...]
> Done configuring ipa-otpd.
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>    [1/26]: creating certificate server user
>    [2/26]: creating certificate server db
>    [3/26]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
>
>    [4/26]: creating installation admin user
>    [5/26]: setting up certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned
> non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>    [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
> configuration failed.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
>
> ____________________________________________________________
> /var/log/ipareplica-install.log
>
> [...]
> Import complete
> ---------------
> Imported certificates in /etc/pki/pki-tomcat/alias:
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca u,u,u
> subsystemCert cert-pki-ca u,u,u
> caSigningCert cert-pki-ca CTu,Cu,Cu
> auditSigningCert cert-pki-ca u,u,Pu
>
> Installation failed:
>
>
> Please check the CA logs in /var/log/pki/pki-tomcat/ca.
>
> 2017-07-27T06:57:54Z DEBUG stderr=
> 2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status
> 1
> 2017-07-27T06:57:54Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
> 2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 449, in start_creation
>      run_step(full_msg, method)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 439, in run_step
>      method()
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 586, in __spawn_instance
>      DogtagInstance.spawn_instance(self, cfg_file)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 181, in spawn_instance
>      self.handle_setup_error(e)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 420, in handle_setup_error
>      raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2017-07-27T06:57:54Z DEBUG   [error] RuntimeError: CA configuration
> failed.
> 2017-07-27T06:57:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>      return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
> 318, in run
>      cfgr.run()
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 310, in run
>      self.execute()
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 332, in execute
>      for nothing in self._executor():
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 372, in __runner
>      self._handle_exception(exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 394, in _handle_exception
>      six.reraise(*exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 362, in __runner
>      step()
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 359, in <lambda>
>      step = lambda: next(self.__gen)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>      six.reraise(*exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>      value = gen.send(prev_value)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 586, in _configure
>      next(executor)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 372, in __runner
>      self._handle_exception(exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 449, in _handle_exception
>      self.__parent._handle_exception(exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 394, in _handle_exception
>      six.reraise(*exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 446, in _handle_exception
>      super(ComponentBase, self)._handle_exception(exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 394, in _handle_exception
>      six.reraise(*exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 362, in __runner
>      step()
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 359, in <lambda>
>      step = lambda: next(self.__gen)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>      six.reraise(*exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>      value = gen.send(prev_value)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
> line 63, in _install
>      for nothing in self._installer(self.parent):
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 1722, in main
>      promote(self)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 372, in decorated
>      func(installer)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 1519, in promote
>      ca_cert_bundle=ca_data)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1392, in configure_replica
>      self.start_creation(runtime=210)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 449, in start_creation
>      run_step(full_msg, method)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 439, in run_step
>      method()
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 586, in __spawn_instance
>      DogtagInstance.spawn_instance(self, cfg_file)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 181, in spawn_instance
>      self.handle_setup_error(e)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 420, in handle_setup_error
>      raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2017-07-27T06:57:54Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: CA configuration failed.
> 2017-07-27T06:57:54Z ERROR CA configuration failed.
> 2017-07-27T06:57:54Z ERROR The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> ____________________________________________________________
>
> On master server:
>
> [27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth
> failed: LDAP error 49 (Invalid credentials) ()
> [27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth
> resumed
> [27/Jul/2017:09:53:21.525459152 +0300] NSMMReplicationPlugin - Beginning
> total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)".
> [27/Jul/2017:09:53:26.923911503 +0300] NSMMReplicationPlugin - Finished
> total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)".
> Sent 719 entries.
> [27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission
> denied. The bind dn "" does not have permission to supply replication
> updates to the replica. Will retry later.
> [27/Jul/2017:09:53:32.746503539 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission
> denied. The bind dn "" does not have permission to supply replication
> updates to the replica. Will retry later.
> [27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a
> startReplication extended operation to consumer (Can't contact LDAP
> server). Will retry later.
> [27/Jul/2017:09:53:51.238616755 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth
> resumed
> [27/Jul/2017:09:54:30.937398919 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a
> startReplication extended operation to consumer (Can't contact LDAP
> server). Will retry later.
> [27/Jul/2017:09:56:03.537114454 +0300] NSMMReplicationPlugin - agmt="cn=
> meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth
> resumed
> [27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin - agmt="cn=
> caTomedea.geo.auth.gr" (medea:389): The remote replica has a different
> database generation ID than the local database. You may have to
> reinitialize the remote replica, or the local replica.
> [27/Jul/2017:09:56:06.236968406 +0300] NSMMReplicationPlugin - Beginning
> total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)".
> [27/Jul/2017:09:56:10.494727689 +0300] NSMMReplicationPlugin - Finished
> total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)".
> Sent 159 entries.
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> Hi Petros,
>
> there is no need to add the replica-to-be to the ipaservers hostgroup as
> it will be done automatically during ipa-replica-install.
>
> To diagnose the install issue, can you post the logs relevant to the CA
> installation? They are:
>     /var/log/pki/pki-ca-spawn.$TIME_OF_INSTALLATION.log
>     /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log
>     /var/log/pki/pki-tomcat/ca/system
>     /var/log/pki/pki-tomcat/ca/debug
>
> Flo
>
>
> Hi Flo,
>    Thanks for responding. I attach the files as requested.
> /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log was empty and
> therefore excluded.
>
> Regards,
> Petros
>
>
>
>
> Hi,
>
> the /var/log/pki-tomcat/ca/debug log shows that the replica Dogtag
> instance failed to POST https://fidias.geo.auth.gr:443/ca/admin/ca/updateNumberRange
>
> You may find more info on the master's Dogtag log (same file but on the
> host fidias.geo.auth.gr). The relevant logs would start with
>     UpdateNumberRange: initializing...
> or
>     CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
>
> HTH,
> Flo
>
>
> I am not sure I understand this and how I am supposed to resolve it.
> Indeed, master's apache reports:
> "POST /ca/admin/ca/updateNumberRange HTTP/1.1" 500 5478
>
> while the /var/log/pki-tomcat/ca/debug shows the following:
>
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]:
> CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]:
> CMSServlet::service() param name='xmlOutput' value='true'
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]:
> CMSServlet::service() param name='sessionID' value='1129328291888586443'
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]:
> CMSServlet::service() param name='type' value='request'
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:
> caUpdateNumberRange start to service.
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange:
> processing...
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange
> process: authentication starts
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: IP: 155.207.61.84
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: AuthMgrName:
> TokenAuth
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: no
> client certificate found
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]:
> TokenAuthentication: start
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]:
> TokenAuthentication: content={hostname=[155.207.61.84], 
> sessionID=[1129328291888586443]}
>
> [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]:
> ConfigurationUtils: POST https://fidias.geo.auth.gr:443/ca/admin/ca/tokenAuthenticate
>
> What is so obvious that I can't see? Any hint?
>
> Petros
>
> Hi,
>
> I was looking for any error message between
> UpdateNumberRange: processing...
> and
> UpdateNumberRange: Sending response
> or
> UpdateNumberRange: Failed to update number range
>
>
> If I recall well, this is related to assigning ranges of serial Ids for
> certificates delivered by the replica (each CA instance uses its own range
> to avoid delivering certificates with the same serial id on a master or
> replica).
>
> Flo
>
> Hi again,
>   Sorry, but I am not sure that I can follow. I can't recognize anything
> erroneous related to UpdateNumberRange apart from the entries I listed before.
> From a previous attempt though, there is also an extra line which might be
> helpful:
>
> [26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]:
> UpdateNumberRange: initializing...
> [26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]: according to
> ccMode, authorization for servlet: caUpdateNumberRange is LDAP based, not
> XML {1}, use default authz mgr: {2}.
> [26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]:
> UpdateNumberRange: done initializing...
>
> Petros
>
>
>
>


-- 
Mark Haney
Network Engineer at NeoNova
919-460-3330 (opt 1) • mark.ha...@neonova.net
www.neonova.net
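The thread above boils down to correlating three logs by hand: the 389-ds error log on the master (replication bind and "acquire replica" messages), the Apache/Dogtag logs around the POST to /ca/admin/ca/updateNumberRange, and the ipareplica-install log where pkispawn fails. The script below is an added example, not code from this thread or from FreeIPA/Dogtag: it scans log lines for the exact failure signatures quoted in the thread and maps each one to what to inspect next. The rule names, the hint text and the sample log (condensed and, for the access-log line, partly constructed from the page) are assumptions of this example.

```python
"""Triage helper for the FreeIPA replica CA-install failure discussed in the thread.

Added example, not part of the mailing-list thread and not FreeIPA/Dogtag code.
It scans 389-ds error-log, Apache access-log, Dogtag debug-log and
ipareplica-install log lines for the signatures quoted on the page and reports
what each one points at. The SAMPLE_LOG below is constructed from those quotes.
"""
import re
from collections import OrderedDict

# Each rule: (name, compiled regex, what to check next). Names and hints are
# this example's own choices, not FreeIPA/Dogtag terminology.
RULES = [
    ("repl_bind_failed",
     re.compile(r"Replication bind with GSSAPI auth failed: LDAP error 49"),
     "GSSAPI replication bind rejected; verify the host keytab and clock skew, "
     "then see whether a 'resumed' line follows."),
    ("repl_acquire_denied",
     re.compile(r'Unable to acquire replica: permission denied\. The bind dn ""'),
     "Supplier reached the consumer with an empty bind DN, so replication "
     "credentials were not presented on that attempt."),
    ("generation_id_mismatch",
     re.compile(r"different database generation ID"),
     "Consumer database came from a different source; a total update "
     "(re-initialization) is expected right after this line."),
    ("consumer_unreachable",
     re.compile(r"Can't contact LDAP server"),
     "Consumer LDAP was down or restarting; transient if a 'resumed' line follows."),
    ("update_number_range_http_500",
     re.compile(r'"POST /ca/admin/ca/updateNumberRange HTTP/1\.1" 500'),
     "Master CA failed to hand out a serial/request number range; read the "
     "master's pki-tomcat/ca/debug between 'processing...' and the response."),
    ("update_number_range_failed",
     re.compile(r"UpdateNumberRange: Failed to update number range"),
     "Explicit range-update failure on the master; inspect the lines after it."),
    ("ca_config_failed",
     re.compile(r"CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn"),
     "pkispawn failed on the replica; correlate with pki-ca-spawn.*.log and "
     "pki-tomcat/ca/debug on the replica."),
]


def triage(lines):
    """Return an ordered dict: rule name -> list of 1-based line numbers that matched."""
    hits = OrderedDict()
    for lineno, line in enumerate(lines, start=1):
        for name, pattern, _hint in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def hints_for(hits):
    """Map each fired rule to its next-step hint, preserving the order rules fired in."""
    by_name = {name: hint for name, _pattern, hint in RULES}
    return OrderedDict((name, by_name[name]) for name in hits)


# Constructed sample: 389-ds error-log lines, one Apache access-log line and one
# ipareplica-install line, condensed from the logs quoted in the thread.
SAMPLE_LOG = """\
[27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin - agmt="cn=caTomedea.geo.auth.gr" (medea:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
155.207.61.84 - - [27/Jul/2017:09:56:34 +0300] "POST /ca/admin/ca/updateNumberRange HTTP/1.1" 500 5478
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
"""

if __name__ == "__main__":
    # Run over the constructed sample; point this at real log files with sys.stdin or open().
    found = triage(SAMPLE_LOG.splitlines())
    for name, hint in hints_for(found).items():
        print(f"{name}: lines {found[name]}")
        print(f"  -> {hint}")
```

Run against the sample it reports every signature from the thread except the explicit "Failed to update number range" line, which is exactly the line Flo asked for and which never appeared in Petros's master-side log; on a real system, feed it the concatenation of the master's 389-ds errors log, the Apache access log and the replica's ipareplica-install log so the timeline of bind failures, re-initialization and the HTTP 500 lines up.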