Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <[email protected]> wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:
>>
>> ipa-ca-install replica-info-ohm.gpg
>>
>> It proceeds to configure the directory server for the CA, but fails
>> when 'configuring certificate server':
>>
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>> [1/11]: creating certificate server user
>> [2/11]: creating pki-ca instance
>> [3/11]: configuring certificate server instance
>> root : CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>> 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
>> '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>> 'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>> 'root@localhost' '-admin_password' XXXXXXXX '-agent_name'
>> 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
>> '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
>> 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
>> Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
>> 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
>> 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
>> '-subsystem_name' 'pki-cad' '-token_name' 'internal'
>> '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
>> '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
>> '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
>> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
>> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
>> 'https://curie.example.com:443'' returned non-zero exit status 255
>> creation of replica failed: Configuration of CA failed
>>
>> Some errors from /var/log/ipareplica-ca-install.log
>>
>> Error in DomainPanel(): updateStatus value is null
>> ERROR: ConfigureCA: DomainPanel() failure
>> ERROR: unable to create CA
>>
>> File "/usr/sbin/ipa-ca-install", line 156, in <module>
>> main()
>>
>> File "/usr/sbin/ipa-ca-install", line 141, in main
>> (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 1136, in install_replica_ca
>> subject_base=config.subject_base)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 537, in configure_instance
>> self.start_creation("Configuring certificate server", 210)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 248, in start_creation
>> method()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 680, in __configure_instance
>> raise RuntimeError('Configuration of CA failed')
>>
>> Anyone have any ideas?
>
>
> /var/log/pki-ca/debug probably has more details.

This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08 12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type org.apache.catalina.connector.ResponseFacade
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type org.apache.catalina.connector.RequestFacade

> This might also be ticket https://fedorahosted.org/freeipa/ticket/2148

The script passes the port-check, so it doesn't look like it's the
issue mentioned. Is there a workaround for this issue?

Thanks,

Dan
