Hi,

I need some information from you. Which versions of the PKI packages that you are using on the CentOS 6.6 and 7.0 machines? Could you email me the PKI CA debug logs (/var/log/pki-ca/debug or /var/log/pki/pki-tomcat/ca/debug) from both machines?

There's a possibility it may be related to this ticket:
https://fedorahosted.org/pki/ticket/1235

Thanks.

--
Endi S. Dewata

On 1/13/2015 7:59 PM, Jim Richard wrote:
Carefully following the instructions here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

I have split one of my Centis 6.6 based replicas from the main cluster
of 4 IDM servers, fully disconnected it from current IDM infrastructure,
converted it to a master CA, double checked that I have no
dangling/tombstone entries pointing back to other cluster members,
ipa-replica-manage list and ipa-replica-manage list-ruv both show no
other masters, in short, made absolutely sure that this replica is now a
standalone.

I then applied the schema updates via the python script per the above
referenced instructions, did “ipa-replica-prepare”, deployed a new
Centos 7 vm, yum install ipa-server there, scp’d over the replica file.

Next up, "ipa-replica-install --setup-ca”.

And that’s where the story ends…..

Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
   [1/19]: creating certificate server user
   [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


I tried the workaround mentioned here:

https://fedorahosted.org/pki/ticket/816

updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install

But not luck.

Anybody have a clue where I should look?

From pki-ca-spawn.20150114014019.log:
2015-01-14 01:40:32 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: Failed to obtain installation token from security
domain

and in /var/log/pki/pki-tomcat/ca/server I have:

2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot
build CA chain. Error java.security.cert.CertificateException:
Certificate is not a PKCS #11 certificate
2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz
instance DirAclAuthz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value


more info that might help…….


[root@sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust
Attributes

  SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu
Certificate Authority - PLACEIQ.NET <http://PLACEIQ.NET>
          CT,c,

My CS.cfg is attached.



Maybe the fact that my new server is looking at the same DNS and can see
the SRV records for the current Centos 6.6/IDM 3.0 cluster is causing a
problem ??

Of course I have uninstalled and done this a zillion times:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat


I’m at a loss, no idea even where to look at this point.


Thanks in advance for any clues you can provide.




                                                                                
                                                                                
                                                                                
                                        
Jim Richard  | PlaceIQ
<http://www.google.com/url?q=http%3A%2F%2Fwww.placeiq.com%2F&sa=D&sntz=1&usg=AFrqEzcYjZpDPyqW7feNK9EgLq-c9JlHiw>
  |
  Systems Administrator  |  jrich...@placeiq.com
<mailto:n...@placeiq.com>  | +1 (646) 338-8905







--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to