On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote:
> john.bowman--- via FreeIPA-users wrote:
> > Since taking over our FreeIPA environment I've been unable to create a new 
> > CA replica.  A bunch of failed attempts and upgrades over the last year and 
> > I keep running into issues.   After my latest attempt I noticed something 
> > that I had not seen before (likely a result of a recent upgrade) and I was 
> > wondering if this would cause a CA install to fail.
> > 
> > Our env:
> > 3 x ipa-server-3.0.0-51.el6.x86_64
> > 3 x ipa-server-4.4.0-14.el7_3.7.x86_64
> > 
> > 2 of the 3.x IPA servers are currently acting as CAs and I've been trying 
> > to create a new 4.x CA replica in order to start removing the 3.x IPA 
> > servers.   I've been able to do a simple test with vanilla CentOS 6.9 and 
> > 7.3 and it seems to work fine as far as I can tell but when I try it in our 
> > environment it fails.  I noticed this error in one of the logs and 
> > something jumped out at me that I had never seen before:
> > 
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security 
> > domain
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): 
> > Getting domain.xml from CA...
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting 
> > domain info
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET 
> > https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain 
> > info:
> > <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> > <DomainInfo>
> >   <Name>IPA</Name>
> >   <CAList>
> >     <CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
> >     <CA><Host>ipa-replica1.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
> >     <CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
> >     <SubsystemCount>3</SubsystemCount>
> >   </CAList>
> >   <OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>
> >   <KRAList><SubsystemCount>0</SubsystemCount></KRAList>
> >   <RAList><SubsystemCount>0</SubsystemCount></RAList>
> >   <TKSList><SubsystemCount>0</SubsystemCount></TKSList>
> >   <TPSList><SubsystemCount>0</SubsystemCount></TPSList>
> > </DomainInfo>
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
> > admin interface
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
> > updateDomainXML start hostname=ipa-master.domain.tld port=443
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
> > https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin 
> > interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
> > agent interface
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
> > updateDomainXML start hostname=ipa-master.domain.tld port=443
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() 
> > nickname=subsystemCert cert-pki-ca
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
> > https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - subject: 
> > CN=ipa-master.domain.tld,O=DOMAIN.US
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - issuer: CN=Certificate 
> > Authority,O=DOMAIN.US
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: 
> > updateDomainXML: status=1
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security 
> > domain: 2
> > java.io.IOException: Unable to update security domain: 2
> > 
> > 
> > The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x 
> > servers, but of the other two listed in that domain.xml, one does not exist 
> > (it may have at some point been renamed) and the other server is a replica 
> > but not a CA replica.
> > 
> > Is it possible this bad info would cause a failure when trying to create a 
> > new CA replica?  If so is it something I can try cleaning up?
> > 
> > Any info would be appreciated.  Thanks!
> 
> I think one of the dogtag devs will need to look at it. It may take a
> few days, things get a bit slow around here in the summer.
> 
> rob
> 
This went off my radar, but now it's back on my radar.  Looks like
it could be another case of [1]?

[1] 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/TJGJZANRCIYTGXCUEAZ3XLISNEO7QOIN/#A54XHWAG4Z6BVX62YRUQXYO5QKW4OXAZ

Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
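The thread turns on the contents of the security domain document that the new clone fetches from `/ca/admin/ca/getDomainXML` and then tries to update with `updateDomainXML`. The following is an added example, written for this page and not code from FreeIPA or Dogtag: it parses a `DomainInfo` document, lists the registered CA entries with their `DomainManager`/`Clone` flags, and reports which registered hosts are not real CA replicas, which real CA hosts are not registered, and whether each list's `SubsystemCount` agrees with the number of entries it actually holds. The sample document is the one quoted in the thread, reflowed; `LIVE_CA_HOSTS` is a placeholder and `ipa-ca2.domain.tld` is an assumed name for the second 3.x CA the poster mentions but does not name. The command in the usage note is likewise an assumption about how you would obtain the live document.

```python
"""Parse a Dogtag security-domain document (the body returned by
/ca/admin/ca/getDomainXML) and report CA registrations that no longer match
the real topology.  Added example for this thread; not FreeIPA or Dogtag code."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# The six subsystem lists a DomainInfo document carries.
SUBSYSTEM_LISTS = ("CAList", "OCSPList", "KRAList", "RAList", "TKSList", "TPSList")

# Constructed sample: the DomainInfo quoted in the thread, one <CA> per line.
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DomainInfo><Name>IPA</Name><CAList>
<CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica1.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<SubsystemCount>3</SubsystemCount></CAList>
<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList>
<RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList>
<TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>"""

# Constructed sample whose SubsystemCount disagrees with the entries it holds.
SAMPLE_BAD_COUNT_XML = """<DomainInfo><Name>IPA</Name><CAList>
<CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><DomainManager>TRUE</DomainManager><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<SubsystemCount>2</SubsystemCount></CAList></DomainInfo>"""

# Hypothetical placeholder: the hosts that really run a CA in this deployment.
# ipa-master is named in the thread; ipa-ca2 is an assumed name for the other
# 3.x CA the poster mentions.  Replace with your own list of CA masters.
LIVE_CA_HOSTS = ["ipa-master.domain.tld", "ipa-ca2.domain.tld"]


@dataclass
class SubsystemEntry:
    kind: str            # element name: CA, OCSP, KRA, RA, TKS or TPS
    host: str
    secure_port: int
    domain_manager: bool  # TRUE means this host may serve updateDomainXML
    clone: bool
    subsystem_name: str


@dataclass
class DomainInfo:
    name: str
    entries: list = field(default_factory=list)
    declared_counts: dict = field(default_factory=dict)  # list name -> SubsystemCount


def _flag(el: ET.Element, tag: str) -> bool:
    return (el.findtext(tag, default="FALSE") or "").strip().upper() == "TRUE"


def parse_domain_info(xml_text: str) -> DomainInfo:
    """Parse a DomainInfo document; raises ValueError on a foreign root element."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "DomainInfo":
        raise ValueError(f"unexpected root element {root.tag!r}")
    info = DomainInfo(name=(root.findtext("Name", default="") or "").strip())
    for list_name in SUBSYSTEM_LISTS:
        lst = root.find(list_name)
        if lst is None:
            continue
        kind = list_name[: -len("List")]
        info.declared_counts[list_name] = int(lst.findtext("SubsystemCount", default="0"))
        for el in lst.findall(kind):
            info.entries.append(SubsystemEntry(
                kind=kind,
                host=(el.findtext("Host", default="") or "").strip(),
                secure_port=int(el.findtext("SecurePort", default="0")),
                domain_manager=_flag(el, "DomainManager"),
                clone=_flag(el, "Clone"),
                subsystem_name=(el.findtext("SubsystemName", default="") or "").strip(),
            ))
    return info


def registered_hosts(info: DomainInfo, kind: str = "CA") -> list[str]:
    """Hosts registered under the given subsystem list, in document order."""
    return [e.host for e in info.entries if e.kind == kind]


def stale_hosts(info: DomainInfo, live_hosts, kind: str = "CA") -> list[str]:
    """Registered hosts that are not in the list of hosts really running the subsystem."""
    return sorted(set(registered_hosts(info, kind)) - set(live_hosts))


def unregistered_hosts(info: DomainInfo, live_hosts, kind: str = "CA") -> list[str]:
    """Live subsystem hosts that the security domain does not know about."""
    return sorted(set(live_hosts) - set(registered_hosts(info, kind)))


def count_mismatches(info: DomainInfo) -> dict:
    """Lists whose SubsystemCount differs from the entries present: name -> (declared, actual)."""
    actual: dict = {}
    for e in info.entries:
        actual[e.kind + "List"] = actual.get(e.kind + "List", 0) + 1
    return {name: (declared, actual.get(name, 0))
            for name, declared in info.declared_counts.items()
            if declared != actual.get(name, 0)}


if __name__ == "__main__":
    info = parse_domain_info(SAMPLE_DOMAIN_XML)
    print(f"security domain {info.name!r}")
    for e in info.entries:
        print(f"  {e.kind} {e.host}:{e.secure_port} manager={e.domain_manager} clone={e.clone} ({e.subsystem_name})")
    print("stale CA registrations:", stale_hosts(info, LIVE_CA_HOSTS))
    print("CAs missing from the domain:", unregistered_hosts(info, LIVE_CA_HOSTS))
    print("count mismatches:", count_mismatches(info))
```

To run it against a real deployment, save the body of `curl -sk https://<ca-host>/ca/admin/ca/getDomainXML` (an assumed way to fetch it; the thread shows only the URL the clone calls) and feed that string to `parse_domain_info` in place of the sample. A non-empty stale list is exactly the situation the poster describes: a host that was renamed or that never ran a CA is still registered with `DomainManager` set, so the new clone may pick it to update the domain.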