I have been following this thread with great interest, as I have
encountered similar problems with our migration from 3.0.0-37 on CentOS
6.5 to 3.3.3-28 on CentOS 7. I have been able to solve a few of them
with manual patching, but there is still something going on that will
make the CA replication to fail.

The following changes have been made to the environments:

- On the replica,
/usr/lib/python2.7/site-packages/ipaserver/install/replication.py has
been patched to handle multiple values of nsDS5ReplicaId on the master.

- /usr/share/ipa/html/ca.crt used to contain our local root certificate
as well as the IPA CA-certificate, which caused the replica installation
to fail. The root certificate was removed from this file, the replica
gpg-bundle recreated, and the installation would happily continue.

- /etc/httpd/conf.d/ipa-pki-proxy.conf has been patched to contain the
profileSubmit-patch to the ee port-line
<LocationMatch
"^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

and have also tried with and without the additions to the admin port and
installer-line

<LocationMatch
"^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">



Checking the log files on the 3.3.3 replica, there are a few error
messages, which I am not sure how to resolve.


/var/log/ipareplica-install.log ends with the following lines:

2014-08-27T14:44:15Z DEBUG Starting external process
2014-08-27T14:44:15Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpxkixl8
2014-08-27T14:45:19Z DEBUG Process finished, return code=1
2014-08-27T14:45:19Z DEBUG stdout=Loading deployment configuration from
/tmp/tmpxkixl8.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


2014-08-27T14:45:19Z DEBUG stderr=pkispawn    : WARNING  ....... unable
to validate security domain user/password through REST interface.
Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration
Servlet: Error while updating security domain: java.io.IOException: 2

2014-08-27T14:45:19Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpxkixl8' returned non-zero exit status 1
2014-08-27T14:45:19Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 667, in main
    CA = cainstance.install_replica_ca(config)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1678, in install_replica_ca
    subject_base=config.subject_base)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
478, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
    method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
604, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2014-08-27T14:45:19Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Configuration of CA failed


/var/log/pki/pki-ca-spawn.20140827164415.log reveals these error messages:

2014-08-27 16:44:16 pkispawn    : INFO     ....... executing 'systemctl
start pki-tomcatd@pki-tomcat.service'
2014-08-27 16:44:18 pkispawn    : DEBUG    ........... No connection -
server may still be down
2014-08-27 16:44:18 pkispawn    : DEBUG    ........... No connection -
exception thrown: [Errno 111] Connection refused
2014-08-27 16:44:26 pkispawn    : DEBUG    ........... <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.0.5-3.el7</Version></XMLResponse>
2014-08-27 16:44:27 pkispawn    : INFO     ....... constructing PKI
configuration data.
2014-08-27 16:44:27 pkispawn    : INFO     ....... configuring PKI
configuration data.
2014-08-27 16:45:19 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: Error while updating security domain:
java.io.IOException: 2
2014-08-27 16:45:19 pkispawn    : DEBUG    ....... Error Type: HTTPError
2014-08-27 16:45:19 pkispawn    : DEBUG    ....... Error Message: 500
Server Error: Internal Server Error
2014-08-27 16:45:19 pkispawn    : DEBUG    .......   File
"/usr/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File
"/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line
128, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
line 2998, in configure_pki_data
    response = client.configure(data)
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in
configure
    r = self.connection.post('/rest/installer/configure', data, headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 638,
in raise_for_status
    raise http_error


In /var/log/pki/pki-tomcat/catalina.out one can read:

Aug 27, 2014 4:44:22 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ca
SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
SSLAuthenticatorWithFallback: Setting container
SSLAuthenticatorWithFallback: Initializing authenticators
SSLAuthenticatorWithFallback: Starting authenticators
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initializa
tion failed and skipped, error=Property internaldb.ldapconn.port missing
value|
Server is started.
Aug 27, 2014 4:44:26 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Aug 27, 2014 4:44:26 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Aug 27, 2014 4:44:26 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 27, 2014 4:44:26 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7872 ms
16:44:27,950  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Deploying javax.ws.rs.core.Application: class
com.netscape.ca.CertificateAuthorityApplication
16:44:27,967  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Adding singleton provider com.netscape.certsrv.acls.ACLInterceptor from
Application javax.ws.rs.core.Application
16:44:27,968  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Adding singleton provider
com.netscape.certsrv.authentication.AuthMethodInterceptor from
Application javax.ws.rs.core.Application
16:44:28,433 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) -
PathInfo: /installer/configure
AuthInterceptor: SystemConfigResource.configure()
AuthInterceptor: mapping name: default
AuthInterceptor: required auth methods: [*]
AuthInterceptor: anonymous access allowed
java.io.IOException: 2
        at
com.netscape.cms.servlet.csadmin.ConfigurationUtils.updateDomainXML(ConfigurationUtils.java:3415)
        at
com.netscape.cms.servlet.csadmin.ConfigurationUtils.updateSecurityDomain(ConfigurationUtils.java:3345)
        at
com.netscape.cms.servlet.csadmin.SystemConfigService.configure(SystemConfigService.java:655)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
        at
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
        at
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
        at
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:211)
        at
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)
        at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
        at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
        at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1024)
        at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)



/var/log/pki/pki-tomcat/ca/debug may give a clue aswell:


[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: isSDHostDomainMaster():
Getting domain.xml from CA...
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: getDomainXML start
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: getDomainXML: status=0
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: getDomainXML:
domainInfo=<?xml version="1.0" encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipa.skalarit.net</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: Cloning a domain master
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipa.skalarit.net port=443
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: updateSecurityDomain:
failed to update security domain using admin port 443:
java.io.IOException: Failed to get response when updating security domain
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: updateSecurityDomain: now
trying agent port with client auth
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipa.skalarit.net port=443
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: updateDomainXML()
nickname=subsystemCert cert-pki-ca
[27/Aug/2014:16:45:19][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML: status=1



/Nicklas

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to