Dan Scott wrote:
Hi,

On Fri, Dec 9, 2011 at 09:24, Rob Crittenden<rcrit...@redhat.com>  wrote:
Dan Scott wrote:

Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden<rcrit...@redhat.com>    wrote:

Dan Scott wrote:


Hi,

I just tried to add a CA replica to my IPA replica (Both Fedora 15)
using:

ipa-ca-install replica-info-ohm.gpg

It proceeds to configure the directory server for the CA, but fails
when 'configuring certificate server':

Configuring certificate server: Estimated time 3 minutes 30 seconds
   [1/11]: creating certificate server user
   [2/11]: creating pki-ca instance
   [3/11]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_password' XXXXXXXX '-agent_name'
'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
'-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
'-subsystem_name' 'pki-cad' '-token_name' 'internal'
'-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
'-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
'-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Some errors from /var/log/ipareplica-ca-install.log

Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA

   File "/usr/sbin/ipa-ca-install", line 156, in<module>
     main()

   File "/usr/sbin/ipa-ca-install", line 141, in main
     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1136, in install_replica_ca
     subject_base=config.subject_base)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 537, in configure_instance
     self.start_creation("Configuring certificate server", 210)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 248, in start_creation
     method()

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 680, in __configure_instance
     raise RuntimeError('Configuration of CA failed')

Anyone have any ideas?



/var/log/pki-ca/debug probably has more details.


This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]:
WizardPanelBase::getCertChainUsingSecureAdminPort() -
Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
getCertChainUsingSecureAdminPort: java.io.IOException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
/ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to
service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML
parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apache.catalina.connector.ResponseFacade
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apache.catalina.connector.RequestFacade


I'll point the dogtag guys at this to see if they notice anything.


This might also be ticket https://fedorahosted.org/freeipa/ticket/2148


The script passes the port-check, so it doesn't look like it's the
issue mentioned. Is there a workaround for this issue?


This is different from port-check. Dogtag stores the security domain
information in its LDAP database. When creating a replica (or clone, in
dogtag lingo) it compares the ports being requested with what is stored in
the security domain and will reject if they don't match. Look for invalid
clone_uri in the debug log to see if this is the problem.

There's no mention of clone_uri anywhere in the debug log.

Dan

Ok - so based on this - it looks like it fails to get the security domain from the master. We need to see the master log to see if any
interaction is happening there at the time.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to