I just tried to add a CA replica to my IPA replica (both Fedora 15).

ipa-ca-install replica-info-ohm.gpg

It proceeds to configure the directory server for the CA, but fails
when 'configuring certificate server':

Configuring certificate server: Estimated time 3 minutes 30 seconds
   [1/11]: creating certificate server user
   [2/11]: creating pki-ca instance
   [3/11]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_password' XXXXXXXX '-agent_name'
'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
'-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
'-subsystem_name' 'pki-cad' '-token_name' 'internal'
'-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
'-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
'-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Some errors from /var/log/ipareplica-ca-install.log

Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA

   File "/usr/sbin/ipa-ca-install", line 156, in <module>

   File "/usr/sbin/ipa-ca-install", line 141, in main
     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)

line 1136, in install_replica_ca

line 537, in configure_instance
     self.start_creation("Configuring certificate server", 210)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 248, in start_creation

line 680, in __configure_instance
     raise RuntimeError('Configuration of CA failed')

Anyone have any ideas?

/var/log/pki-ca/debug probably has more details.

This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
getCertChainUsingSecureAdminPort start
WizardPanelBase::getCertChainUsingSecureAdminPort() -
Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
getCertChainUsingSecureAdminPort: java.io.IOException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type

I'll point the dogtag guys at this to see if they notice anything.

This might also be ticket https://fedorahosted.org/freeipa/ticket/2148

The script passes the port-check, so it doesn't look like it's the
issue mentioned. Is there a workaround for this issue?

This is different from port-check. Dogtag stores the security domain
information in its LDAP database. When creating a replica (or clone, in
dogtag lingo) it compares the ports being requested with what is stored in
the security domain and will reject if they don't match. Look for invalid
clone_uri in the debug log to see if this is the problem.
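Two things in this thread can be checked from a script rather than by reading the wizard log: what the master's secure admin port actually returns for the security-domain request (the SAX complaint "White spaces are required between publicId and systemId" is what a strict XML parser reports for a DOCTYPE that carries a PUBLIC identifier but no system identifier, which is how ordinary HTML error pages are written; the 50-character default error-page DOCTYPE even ends at column 50), and whether the ports the clone was told to use (-sd_hostname / -sd_admin_port) match what the security domain stores, which is the comparison described above. The following is an added example written for this thread, not code from the thread or from FreeIPA/Dogtag. The two sample responses are constructed; the element names of the getDomainXML answer and the /ca/admin/ca/getDomainXML path are assumptions about the Dogtag interface; the hostnames are the thread's.

```python
"""Sanity-check what a Dogtag security-domain master answers before cloning a CA.

Added example for this thread, not FreeIPA or Dogtag code. The sample
responses below are constructed; the getDomainXML element names and the
/ca/admin/ca/getDomainXML path are assumptions about the Dogtag interface.
"""
import re
import ssl
import xml.etree.ElementTree as ET
from urllib.request import urlopen

# Constructed: what a well-formed security-domain answer is assumed to look like.
GOOD_DOMAIN_XML = """<?xml version="1.0"?>
<XMLResponse>
  <DomainInfo>
    <Name>IPA</Name>
    <CAList>
      <CA>
        <SubsystemName>pki-cad</SubsystemName>
        <Host>curie.example.com</Host>
        <SecurePort>443</SecurePort>
        <SecureAgentPort>443</SecureAgentPort>
        <SecureAdminPort>443</SecureAdminPort>
        <UnSecurePort>80</UnSecurePort>
        <Clone>FALSE</Clone>
      </CA>
      <SubsystemCount>1</SubsystemCount>
    </CAList>
  </DomainInfo>
</XMLResponse>
"""

# Constructed: a web server's default HTML error page. Its DOCTYPE has a
# public identifier but no system identifier, and the closing '>' is the
# 50th character of line 1, which is where a strict XML parser objects.
HTML_ERROR_PAGE = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><hr>
<address>Apache Server at curie.example.com Port 443</address>
</body></html>
"""

_DOCTYPE_NO_SYSTEM_ID = re.compile(r'^\s*<!DOCTYPE\s+\w+\s+PUBLIC\s+"[^"]*"\s*>')


def doctype_without_system_id(body):
    """Return the 1-based column of the '>' ending a PUBLIC-only DOCTYPE, else None."""
    m = _DOCTYPE_NO_SYSTEM_ID.match(body)
    return m.end() if m else None


def classify_response(body):
    """('xml', root) if body is well-formed XML; ('html' | 'other', reason) otherwise."""
    try:
        return ("xml", ET.fromstring(body))
    except ET.ParseError as exc:
        head = body.lstrip()[:15].upper()
        kind = "html" if head.startswith(("<!DOCTYPE HTML", "<HTML")) else "other"
        return (kind, str(exc))


def domain_ca_entries(root):
    """Host and port records for every CA registered in the security domain."""
    return [
        {
            "host": ca.findtext("Host"),
            "secure_port": ca.findtext("SecurePort"),
            "admin_port": ca.findtext("SecureAdminPort"),
            "clone": ca.findtext("Clone"),
        }
        for ca in root.iter("CA")
    ]


def check_clone_target(root, sd_hostname, sd_admin_port):
    """Is the master the clone points at registered with this admin port?

    Mirrors the comparison described in the thread: the values handed to
    pkisilent (-sd_hostname / -sd_admin_port) must match what is stored.
    """
    for entry in domain_ca_entries(root):
        if entry["host"] == sd_hostname:
            return entry["admin_port"] == str(sd_admin_port)
    return False


def fetch_domain_xml(sd_hostname, sd_admin_port, cafile=None):
    """Fetch the raw security-domain response from a live master (assumed path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = "https://%s:%d/ca/admin/ca/getDomainXML" % (sd_hostname, sd_admin_port)
    with urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for label, body in (("good", GOOD_DOMAIN_XML), ("error page", HTML_ERROR_PAGE)):
        kind, detail = classify_response(body)
        col = doctype_without_system_id(body)
        note = "" if col is None else "(PUBLIC-only DOCTYPE ends at column %d)" % col
        print(label, "->", kind, note)
        if kind == "xml":
            print("  clone target ok:", check_clone_target(detail, "curie.example.com", 443))
```

Against a live master, replace the constructed bodies with fetch_domain_xml(sd_hostname, sd_admin_port, cafile=...) and feed the result to classify_response: an "html" verdict means the admin port answered with an error page rather than the domain XML, which is worth checking on the master side before looking at port mismatches at all.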

There's no mention of clone_uri anywhere in the debug log.


Ok, so based on this, it looks like it fails to get the security domain from
the master. We need to see the master log to see if any interaction is
happening there at the time.


