Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:
>>
>> ipa-ca-install replica-info-ohm.gpg
>>
>> It proceeds to configure the directory server for the CA, but fails
>> when 'configuring certificate server':
>>
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>   [1/11]: creating certificate server user
>>   [2/11]: creating pki-ca instance
>>   [3/11]: configuring certificate server instance
>> root        : CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>> 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
>> '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>> 'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>> 'root@localhost' '-admin_password' XXXXXXXX '-agent_name'
>> 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
>> '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
>> 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
>> Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
>> 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
>> 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
>> '-subsystem_name' 'pki-cad' '-token_name' 'internal'
>> '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
>> '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
>> '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
>> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
>> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
>> 'https://curie.example.com:443'' returned non-zero exit status 255
>> creation of replica failed: Configuration of CA failed
>>
>> Some errors from /var/log/ipareplica-ca-install.log
>>
>> Error in DomainPanel(): updateStatus value is null
>> ERROR: ConfigureCA: DomainPanel() failure
>> ERROR: unable to create CA
>>
>>   File "/usr/sbin/ipa-ca-install", line 156, in<module>
>>     main()
>>
>>   File "/usr/sbin/ipa-ca-install", line 141, in main
>>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 1136, in install_replica_ca
>>     subject_base=config.subject_base)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 537, in configure_instance
>>     self.start_creation("Configuring certificate server", 210)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 248, in start_creation
>>     method()
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 680, in __configure_instance
>>     raise RuntimeError('Configuration of CA failed')
>>
>> Anyone have any ideas?
>
>
> /var/log/pki-ca/debug probably has more details.

This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]:
WizardPanelBase::getCertChainUsingSecureAdminPort() -
Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
getCertChainUsingSecureAdminPort: java.io.IOException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
/ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apache.catalina.connector.ResponseFacade
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apache.catalina.connector.RequestFacade

> This might also be ticket https://fedorahosted.org/freeipa/ticket/2148

The script passes the port-check, so it doesn't look like it's the
issue mentioned. Is there a workaround for this issue?

Thanks,

Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to