On 07/27/2017 08:29 PM, Mark Haney via FreeIPA-users wrote:
Heh. That's the EXACT SAME error I kept getting whether I ran the install-ca from an existing replica, or when adding a CA while installing a new replica. Glad I'm not the only one seeing such weird errors.


On Thu, Jul 27, 2017 at 12:28 PM, Petros Triantafyllidis via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:



    On 07/27/2017 06:06 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
    On 07/27/2017 04:03 PM, Petros Triantafyllidis wrote:


    On 07/27/2017 04:17 PM, Florence Blanc-Renaud via FreeIPA-users
    wrote:
    On 07/27/2017 11:34 AM, Petros Triantafyllidis via
    FreeIPA-users wrote:
    On 07/27/2017 11:13 AM, Florence Blanc-Renaud via
    FreeIPA-users wrote:
    On 07/27/2017 09:17 AM, Petros Triantafyllidis via
    FreeIPA-users wrote:
    Hi all,
       I would appreciate any help on my attempt to promote an
    existing client to replica. After client installation, I
    added the replica-to-be to the ipaservers hostgroup and then ran
    "replica-install --setup-ca" but unfortunately I end up with
    the errors below. Both master and client have
    ipa-server-4.4.0-14.el7.centos.7.x86_64
    Thanks in advance,
    Petros

    
_____________________________________________________________________________________________________________

    On replica-to-be:

    [...]
    Done configuring ipa-otpd.
    Configuring certificate server (pki-tomcatd). Estimated
    time: 3 minutes 30 seconds
       [1/26]: creating certificate server user
       [2/26]: creating certificate server db
       [3/26]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress, 5 seconds elapsed
    Update succeeded

       [4/26]: creating installation admin user
       [5/26]: setting up certificate server
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed
    to configure CA instance: Command '/usr/sbin/pkispawn -s CA
    -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See
    the installation logs and the following files/directories
    for more information:
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
    /var/log/pki/pki-tomcat
       [error] RuntimeError: CA configuration failed.
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
    configuration failed.
    ipa.ipapython.install.cli.install_tool(Replica): ERROR The
    ipa-replica-install command failed. See
    /var/log/ipareplica-install.log for more information

    
_____________________________________________________________________________________________________________
    /var/log/ipareplica-install.log

    [...]
    Import complete
    ---------------
    Imported certificates in /etc/pki/pki-tomcat/alias:

    Certificate Nickname Trust Attributes
    SSL,S/MIME,JAR/XPI

    ocspSigningCert cert-pki-ca u,u,u
    subsystemCert cert-pki-ca u,u,u
    caSigningCert cert-pki-ca CTu,Cu,Cu
    auditSigningCert cert-pki-ca u,u,Pu

    Installation failed:


    Please check the CA logs in /var/log/pki/pki-tomcat/ca.

    2017-07-27T06:57:54Z DEBUG stderr=
    2017-07-27T06:57:54Z CRITICAL Failed to configure CA
    instance: Command '/usr/sbin/pkispawn -s CA -f
    /tmp/tmp6Q_ZLY' returned non-zero exit status 1
    2017-07-27T06:57:54Z CRITICAL See the installation logs and
    the following files/directories for more information:
    2017-07-27T06:57:54Z CRITICAL /var/log/pki/pki-tomcat
    2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 449, in start_creation
         run_step(full_msg, method)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 439, in run_step
         method()
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
    line 586, in __spawn_instance
         DogtagInstance.spawn_instance(self, cfg_file)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
    line 181, in spawn_instance
         self.handle_setup_error(e)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
    line 420, in handle_setup_error
         raise RuntimeError("%s configuration failed." %
    self.subsystem)
    RuntimeError: CA configuration failed.

    2017-07-27T06:57:54Z DEBUG   [error] RuntimeError: CA
    configuration failed.
    2017-07-27T06:57:54Z DEBUG   File
    "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
    line 171, in execute
         return_value = self.run()
      File
    "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
    line 318, in run
         cfgr.run()
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 310, in run
         self.execute()
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 332, in execute
         for nothing in self._executor():
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 372, in __runner
         self._handle_exception(exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 394, in _handle_exception
         six.reraise(*exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 362, in __runner
         step()
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 359, in <lambda>
         step = lambda: next(self.__gen)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
    line 81, in run_generator_with_yield_from
         six.reraise(*exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
    line 59, in run_generator_with_yield_from
         value = gen.send(prev_value)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 586, in _configure
         next(executor)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 372, in __runner
         self._handle_exception(exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 449, in _handle_exception
         self.__parent._handle_exception(exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 394, in _handle_exception
         six.reraise(*exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 446, in _handle_exception
         super(ComponentBase, self)._handle_exception(exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 394, in _handle_exception
         six.reraise(*exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 362, in __runner
         step()
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
    line 359, in <lambda>
         step = lambda: next(self.__gen)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
    line 81, in run_generator_with_yield_from
         six.reraise(*exc_info)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
    line 59, in run_generator_with_yield_from
         value = gen.send(prev_value)
       File
    "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
    line 63, in _install
         for nothing in self._installer(self.parent):
       File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
    line 1722, in main
         promote(self)
       File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
    line 372, in decorated
         func(installer)
       File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
    line 1519, in promote
         ca_cert_bundle=ca_data)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
    line 1392, in configure_replica
         self.start_creation(runtime=210)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 449, in start_creation
         run_step(full_msg, method)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 439, in run_step
         method()
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
    line 586, in __spawn_instance
         DogtagInstance.spawn_instance(self, cfg_file)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
    line 181, in spawn_instance
         self.handle_setup_error(e)
       File
    "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
    line 420, in handle_setup_error
         raise RuntimeError("%s configuration failed." %
    self.subsystem)

    2017-07-27T06:57:54Z DEBUG The ipa-replica-install command
    failed, exception: RuntimeError: CA configuration failed.
    2017-07-27T06:57:54Z ERROR CA configuration failed.
    2017-07-27T06:57:54Z ERROR The ipa-replica-install command
    failed. See /var/log/ipareplica-install.log for more
    information

    
_____________________________________________________________________________________________________________


    On master server:

    [27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
    [27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
    [27/Jul/2017:09:53:21.525459152 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)".
    [27/Jul/2017:09:53:26.923911503 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)". Sent 719 entries.
    [27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
    [27/Jul/2017:09:53:32.746503539 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
    [27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
    [27/Jul/2017:09:53:51.238616755 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
    [27/Jul/2017:09:54:30.937398919 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
    [27/Jul/2017:09:56:03.537114454 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
    [27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin - agmt="cn=caTomedea.geo.auth.gr" (medea:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
    [27/Jul/2017:09:56:06.236968406 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)".
    [27/Jul/2017:09:56:10.494727689 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)". Sent 159 entries.



    _______________________________________________
    FreeIPA-users mailing list --
    freeipa-users@lists.fedorahosted.org
    <mailto:freeipa-users@lists.fedorahosted.org>
    To unsubscribe send an email to
    freeipa-users-le...@lists.fedorahosted.org
    <mailto:freeipa-users-le...@lists.fedorahosted.org>

    Hi Petros,

    there is no need to add the replica-to-be to the ipaservers
    hostgroup as it will be done automatically during
    ipa-replica-install.

    To diagnose the install issue, can you post the logs relevant
    to the CA installation? They are:
        /var/log/pki/pki-ca-spawn.$TIME_OF_INSTALLATION.log
        /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log
        /var/log/pki/pki-tomcat/ca/system
        /var/log/pki/pki-tomcat/ca/debug

    Flo

    Hi Flo,
       Thanks for responding. I attach the files as requested.
    /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log was
    empty and therefore excluded.

    Regards,
    Petros




    Hi,

    the /var/log/pki-tomcat/ca/debug log shows that the replica
    Dogtag instance failed to POST
    https://fidias.geo.auth.gr:443/ca/admin/ca/updateNumberRange

    You may find more info on the master's Dogtag log (same file
    but on the host fidias.geo.auth.gr). The relevant logs would start with
        UpdateNumberRange: initializing...
    or
        CMSServlet:service() uri = /ca/admin/ca/updateNumberRange

    HTH,
    Flo

    I am not sure I understand this and how I am supposed to resolve
    it. Indeed, master's apache reports:
    "POST /ca/admin/ca/updateNumberRange HTTP/1.1" 500 5478

    while the /var/log/pki-tomcat/ca/debug shows the following:

    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='xmlOutput' value='true'
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='sessionID' value='1129328291888586443'
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='type' value='request'
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: caUpdateNumberRange start to service.
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: processing...
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange process: authentication starts
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: IP: 155.207.61.84
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: AuthMgrName: TokenAuth
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: no client certificate found
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: start
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: content={hostname=[155.207.61.84], sessionID=[1129328291888586443]}
    [27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: ConfigurationUtils: POST https://fidias.geo.auth.gr:443/ca/admin/ca/tokenAuthenticate

    What is so obvious that I can't see? Any hint?

    Petros
    Hi,

    I was looking for any error message between
    UpdateNumberRange: processing...
    and
    UpdateNumberRange: Sending response
    or
    UpdateNumberRange: Failed to update number range


    If I recall well, this is related to assigning ranges of serial
    Ids for certificates delivered by the replica (each CA instance
    uses its own range to avoid delivering certificates with the same
    serial id on a master or replica).

    Flo

    Hi again,
      Sorry, but I am not sure that I can follow. I can't recognize
    anything erroneous related to UpdateNumberRange apart from the entries
    I listed before. From a previous attempt though, there is also an
    extra line which might be helpful:

    [26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]: UpdateNumberRange: initializing...
    [26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]: according to ccMode, authorization for servlet: caUpdateNumberRange is LDAP based, not XML {1}, use default authz mgr: {2}.
    [26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]: UpdateNumberRange: done initializing...

    Petros






--
Mark Haney
Network Engineer at NeoNova

919-460-3330 (opt 1) • mark.ha...@neonova.net • www.neonova.net


Hi,
  An update to the issue above:
Flo's latest reply gave me an idea and after I disenrolled the replica-to-be, I also revoked all of its certificates that had been created during my previous replica-install attempts. I have no clue whether this action changed anything, but the next replica-install --ca-setup completed without errors.

Thanks anyway,
Petros


