Hi All,

I have RHEL6 with IPA servers running the standard ipa-server 3.0.0-42. The PKI components are also the standard version, 9.0.3-38.
Servera is the master, Serverb is the replica. Both have been running for many, many months. Serverb was initially set up as a replica, but not a CA replica. I am now trying to add CA replication to serverb, but it is failing midway through and I cannot figure out why. Annoyingly, I used the same method/command to set up a CA replica on test servers and it completed without issue.

Here is what I get... (for the sake of brevity, I am excluding the lines for the connection check, which were all OK)

=================
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd XXXXXXXX -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
=================

Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the point of failure....

=================
#############################################
Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
     the Free Software Foundation; version 2 of the License.

     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.

     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software Foundation,
     Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA.

     Copyright (C) 2007 Red Hat, Inc.
     All rights reserved.
     END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
<title>Import Keys and Certificates</title>
<panels>
<Vector>
<Panel><Id>welcome</Id><Name>Welcome</Name></Panel>
<Panel><Id>module</Id><Name>Key Store</Name></Panel>
<Panel><Id>confighsmlogin</Id><Name>ConfigHSMLogin</Name></Panel>
<Panel><Id>securitydomain</Id><Name>Security Domain</Name></Panel>
<Panel><Id>securitydomain</Id><Name>Display Certificate Chain</Name></Panel>
<Panel><Id>subsystem</Id><Name>Subsystem Type</Name></Panel>
<Panel><Id>clone</Id><Name>Display Certificate Chain</Name></Panel>
<Panel><Id>restorekeys</Id><Name>Import Keys and Certificates</Name></Panel>
<Panel><Id>cahierarchy</Id><Name>PKI Hierarchy</Name></Panel>
<Panel><Id>database</Id><Name>Internal Database</Name></Panel>
<Panel><Id>size</Id><Name>Key Pairs</Name></Panel>
<Panel><Id>subjectname</Id><Name>Subject Names</Name></Panel>
<Panel><Id>certrequest</Id><Name>Requests and Certificates</Name></Panel>
<Panel><Id>backupkeys</Id><Name>Export Keys and Certificates</Name></Panel>
<Panel><Id>savepk12</Id><Name>Save Keys and Certificates</Name></Panel>
<Panel><Id>importcachain</Id><Name>Import CA's Certificate Chain</Name></Panel>
<Panel><Id>admin</Id><Name>Administrator</Name></Panel>
<Panel><Id>importadmincert</Id><Name>Import Administrator's Certificate</Name></Panel>
<Panel><Id>done</Id><Name>Done</Name></Panel>
</Vector>
</panels>
<name>CA Setup Wizard</name>
<p>7</p>
<path/>
<req/>
<panelname>restorekeys</panelname>
</response>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA
#######################################################################

2014-12-02T05:44:19Z DEBUG stderr=
2014-12-02T05:44:19Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1Tqws5 -client_certdb_pwd XXXXXXXX -preop_pin rdkE0y2CiGMKNcRRPKKc -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
2014-12-02T05:44:19Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 149, in main
    (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1626, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2014-12-02T05:44:19Z INFO The ipa-ca-install command failed, exception: RuntimeError: Configuration of CA failed
=================

I am not sure why this is happening. certutil shows that the setup isn't complete on serverb when comparing against the CA replica in my test servers, which were successful.

# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate Authority - MYDOMAIN.COM                         CT,c,
Server-Cert cert-pki-ca                                      CTu,Cu,Cu

# certutil -K -d /var/lib/pki-ca/alias
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      ef25de4fb656a27e297899509bc3dad582bcd643   NSS Certificate DB:Server-Cert cert-pki-ca

As yet, I have not tried "/usr/sbin/ipa-server-install --uninstall" in an attempt to clean up, as this is a production server and, apart from CA replication, it is running fine. I have tried multiple times manually removing the pki instances and reinstalling, but it still won't get past the above error.

Can anyone shed any light on this?

Thanks in advance,
Les
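Because the real reason for a pkisilent failure is buried in the wizard's XML response inside the install log, here is an added Python helper (not from the original post, and not part of FreeIPA or Dogtag) that pulls every failed wizard step out of /var/log/ipareplica-ca-install.log with its panel, error string and the request that triggered it, redacting any password query parameter so the excerpt can be pasted into a list post. The hostname, password and log excerpt embedded below are constructed for the example.

```python
"""Find failed pkisilent wizard steps in an ipareplica-ca-install.log excerpt.
Added diagnostic helper, not FreeIPA or Dogtag code; see the lead-in for assumptions."""
import re
import sys
import xml.etree.ElementTree as ET

RESPONSE_RE = re.compile(r"<response>.*?</response>", re.DOTALL)
QUERY_RE = re.compile(r"Posting Query = (\S+)")
PASSWORD_RE = re.compile(r"(password=)[^&]*", re.IGNORECASE)  # redact before sharing
# Constructed excerpt (host and password are made up): step 6 succeeds, step 7
# fails on the restorekeys panel the same way as the post above.
SAMPLE_LOG = """\
Posting Query = https://replica.example.test:9445//ca/admin/console/config/wizard?p=6&op=next&xml=true
<response>
<updateStatus>success</updateStatus>
<errorString/>
<p>6</p>
<panelname>clone</panelname>
</response>
Posting Query = https://replica.example.test:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=s3cret&path=ca.p12
<response>
<updateStatus>failure</updateStatus>
<errorString>The pkcs12 file is not correct.</errorString>
<title>Import Keys and Certificates</title>
<p>7</p>
<panelname>restorekeys</panelname>
</response>
Error in RestoreKeyCertPanel(): updateStatus returns failure
"""

def wizard_failures(log_text):
    """Return one dict per wizard <response> block whose updateStatus is 'failure'."""
    failures = []
    for match in RESPONSE_RE.finditer(log_text):  # the XML prologue/comment is skipped
        root = ET.fromstring(match.group(0))
        if (root.findtext("updateStatus") or "").strip() != "failure":
            continue
        # The nearest preceding "Posting Query" line is the request that failed.
        queries = QUERY_RE.findall(log_text[:match.start()])
        query = PASSWORD_RE.sub(r"\1<redacted>", queries[-1]) if queries else None
        failures.append({"step": root.findtext("p"), "panel": root.findtext("panelname"),
                         "title": root.findtext("title"), "error": root.findtext("errorString"),
                         "query": query})
    return failures

if __name__ == "__main__":  # usage: python find_wizard_failure.py /var/log/ipareplica-ca-install.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in wizard_failures(text):
        print("step %s (%s, %s): %s -- request: %s" % (f["step"], f["panel"], f["title"], f["error"], f["query"]))
```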
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project