Les Stott wrote:
> Has anyone got any ideas on this?
>
> I am stuck with not being able to deploy a CA Replica and this is halting
> rollout of the project.
>
> Help please...
>
> Regards,
What is the version of IPA on the master you are connecting to?

Can you confirm on the existing master that /etc/httpd/conf.d/ipa-pki-proxy.conf has /ca/ee/ca/profileSubmit in it:

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

rob

>
> Les
>
>> -----Original Message-----
>> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Les Stott
>> Sent: Friday, 30 January 2015 4:48 PM
>> To: [email protected]
>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>
>>
>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Les Stott
>>> Sent: Wednesday, 10 December 2014 6:22 PM
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Ade Lee [mailto:[email protected]]
>>>> Sent: Wednesday, 10 December 2014 5:05 AM
>>>> To: Les Stott
>>>> Cc: [email protected]
>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>>
>>>> On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
>>>>>
>>>>>
>>>>>
>>>>> ______________________________________________________________________
>>>>> From: [email protected]
>>>>> [[email protected]] on behalf of Dmitri Pal
>>>>> [[email protected]]
>>>>> Sent: Tuesday, December 09, 2014 3:49 PM
>>>>> To: [email protected]
>>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>>>
>>>>>
>>>>>
>>>>> On 12/08/2014 11:04 PM, Les Stott wrote:
>>>>>
>>>>>> Does anyone have any ideas on the below errors when trying to
>>>>>> add CA replication to an existing replica?
>>>>>>
>>>>>>
>>>>>
>>>>>> People who might be able to help are on PTO right now.
>>>>>>
>>>>>> Is your installation older than 2 years?
>>>>>
>>>>> No, December 2013 was when it was originally built.
>>>>>
>>>>>> Did you generate a new replica package or use the original one?
>>>>>
>>>>> I used the original replica file for serverb, based on
>>>>> instructions I came across. I can try regenerating the replica file.
>>>>>
>>>>> Interestingly, now that you mention it, servera had to be restored
>>>>> a couple of months back. Perhaps this is an issue and regenerating
>>>>> the replica file for serverb will be required.
>>>>>
>>>>> I will try this.
>>>>>
>>>>
>>>> I think that this is a safe bet to be the problem.
>>>>
>>>> The error in the log snippet you posted says:
>>>>
>>>> <errorString>The pkcs12 file is not correct.</errorString>
>>>>
>>>> This indicates that the clone CA was unable to decode the pkcs12
>>>> file in the replica. Perhaps the certs changed -- or the DM password
>>>> changed?
>>>>
>>>> Ade
>>>
>>> I regenerated the replica file and retried the CA replica setup, but
>>> it failed at the same point with the same error.
>>>
>>> I am thinking that the next step is to uninstall the ipa replica to
>>> clean up, remove all traces and re-add as a replica on serverb.
>>>
>>> I wonder if the cert that it's having an issue with is the one on
>>> serverB under /etc/ipa/ca.crt which is from Dec 2013.
>>>
>>> I will try that in a couple of days as I have to schedule this work in
>>> as it's in production.
>>>
>>> Regards,
>>>
>>> Les
>>>
>>>
>>>>>> May be the problem is that the cert that is in that package
>>>>>> already expired?
>>>>>
>>>>> The original replica file was created on Dec 16 2013. Cert is not set
>>>>> to expire until 2015-12-17.
>>>>>
>>>>>> Just a thought...
>>>>>>
>>>>>> The simplest workaround IMO would be to prepare Server C,
>>>>>> install it with CA and then decommission replica B.
>>>>>> Do not forget to clean replication agreements on master.
>>>>>>
>>>>>> But that would be a workaround, would not solve this specific
>>>>>> problem, it will kill it.
>>>>>
>>>>> I actually do have serverc and serverd. I planned to have CA
>>>>> replication on at least 2 other servers, but held off on trying on
>>>>> serverc due to issues with serverb.
>>>>>
>>>>> I'll report back what I find after regenerating the replica file
>>>>> and re-trying to set up CA replication.
>>>>>
>>
>> After a bit of a hiatus I have revisited this issue and I still have it.
>>
>> Just to re-iterate the problem...
>>
>> Trying to set up a CA replica on an already installed replica fails in
>> RHEL 6.6, ipa-3.0.0.42, pki 9.0.3-38.
>>
>> /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg
>>
>> It fails showing.... "CRITICAL failed to configure ca instance"
>>
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>   [1/16]: creating certificate server user
>>   [2/16]: creating pki-ca instance
>>   [3/16]: configuring certificate server instance
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> It doesn't matter if I run it interactively or unattended.
>>
>> I have done this on similar servers that were RHEL 6.5, pki-9.0.3-32,
>> ipa 3.0.0-37 without any issue.
>>
>> The /var/log/ipareplica-ca-install.log shows the following error about
>> white spaces:
>>
>> #############################################
>> Attempting to connect to: mymaster.mydomain.com:9445
>> Connected.
>> Posting Query = https://mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
>> RESPONSE STATUS: HTTP/1.1 200 OK
>> RESPONSE HEADER: Server: Apache-Coyote/1.1
>> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
>> RESPONSE HEADER: Date: Fri, 30 Jan 2015 05:05:04 GMT
>> RESPONSE HEADER: Connection: close
>> <?xml version="1.0" encoding="UTF-8"?>
>> <response>
>> <panel>admin/console/config/securitydomainpanel.vm</panel>
>> <https_agent_port>443</https_agent_port>
>> <machineName>mymaster.mydomain.com</machineName>
>> <res/>
>> <cstype>CA</cstype>
>> <initCommand>/sbin/service pki-cad</initCommand>
>> <instanceId><security_domain_instance_name></instanceId>
>> <sdomainURL>https://myhost.mydomain.com:9445</sdomainURL>
>> <sdomainName/>
>> <http_ee_port>80</http_ee_port>
>> <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.</errorString>
>>
>> The /var/log/pki-ca/debug also shows....
>>
>> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
>> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
>> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
>> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
>> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>>
>> When I compare those logs to the logs from the server I installed a
>> CA replica on successfully, the above is the point where the logs differ
>> and it must be the source of the error.
>>
>> In the log of the server that was successful it shows what should have
>> happened...
>>
>> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
>> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=<certstring>
>>
>> I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
>>
>> Note, also, I am trying this on new servers, not the same ones used in
>> December.
>>
>> I have searched high and low on Google to try and find a resolution for the
>> white space issue but haven't found anything that worked.
>>
>> This seems like a bug to me.
>>
>> Can anyone help with this please?
>>
>> Thanks in advance,
>>
>> Regards,
>>
>> Les
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
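Two checks that follow from Rob's question above, as an added example (my code, not anything posted in this thread and not FreeIPA's or Dogtag's own tooling). The first parses the <LocationMatch "..."> directives of an ipa-pki-proxy.conf and reports which of the CA endpoints Rob lists are not covered, so a stale master that lacks /ca/ee/ca/profileSubmit shows up at once. The second looks at an HTTP body the way the install wizard's XML parse does: an httpd error page starts with <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">, a DOCTYPE with a public identifier and no system identifier, which is valid HTML but not well-formed XML; a Java SAX parser describes exactly that shape as "White spaces are required between publicId and systemId", and the character after that public identifier sits at column 50, the columnNumber in Les's log. That the master actually answered the wizard with such a page is an assumption made for the example, not something the thread establishes. The config text, the error page and the wizard reply in the block are constructed, and the directives inside the LocationMatch body are illustrative.

```python
"""Sanity checks for a FreeIPA 3.0 / Dogtag 9 CA-replica install (added example)."""
import re
import xml.dom.minidom
from xml.parsers.expat import ExpatError

# CA endpoints named in the LocationMatch Rob quotes from ipa-pki-proxy.conf.
REQUIRED_EE_PATHS = (
    "/ca/ee/ca/checkRequest",
    "/ca/ee/ca/getCertChain",
    "/ca/ee/ca/getTokenInfo",
    "/ca/ee/ca/tokenAuthenticate",
    "/ca/ocsp",
    "/ca/ee/ca/updateNumberRange",
    "/ca/ee/ca/getCRL",
    "/ca/ee/ca/profileSubmit",
)

# Constructed stand-in for /etc/httpd/conf.d/ipa-pki-proxy.conf on a current
# master. The LocationMatch line is the one quoted in the thread; the
# directives inside it are illustrative, not copied from a real file.
CURRENT_PROXY_CONF = """\
# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447
</LocationMatch>
"""

# Constructed stand-in for a stale file that predates profileSubmit.
STALE_PROXY_CONF = CURRENT_PROXY_CONF.replace("|^/ca/ee/ca/profileSubmit", "")

# Constructed httpd error page of the kind returned for a URI that no
# proxy directive forwards to Tomcat. Its DOCTYPE has a public identifier
# and no system identifier: fine for HTML, a syntax error for an XML parser.
APACHE_ERROR_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head><title>404 Not Found</title></head>\n"
    "<body><h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    "</body></html>\n"
)

# Constructed minimal XML reply of the shape the wizard's pingCS expects.
WIZARD_XML_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<XMLResponse><State>1</State><Status>running</Status></XMLResponse>\n"
)


def location_match_patterns(conf_text):
    """Return the regular expression of every <LocationMatch "..."> directive."""
    return re.findall(r'<LocationMatch\s+"([^"]*)"\s*>', conf_text)


def missing_ee_paths(conf_text, required=REQUIRED_EE_PATHS):
    """Return the required CA paths that no LocationMatch in conf_text proxies.

    Apache matches the LocationMatch argument as a regex against the request
    URI, so each required path is tested the same way here.
    """
    patterns = [re.compile(p) for p in location_match_patterns(conf_text)]
    return [path for path in required
            if not any(rx.search(path) for rx in patterns)]


def classify_body(body):
    """Classify a body as the wizard's XML parse would see it.

    'xml'  -> well-formed XML (what a working pingCS returns)
    'html' -> an HTML page, e.g. an httpd error page sent because the URL was
              never proxied to the CA
    'unparseable' -> neither
    """
    try:
        xml.dom.minidom.parseString(body)
        return "xml"
    except ExpatError:
        if (re.match(r"\s*<!DOCTYPE\s+HTML", body, re.IGNORECASE)
                or re.search(r"<html[\s>]", body, re.IGNORECASE)):
            return "html"
        return "unparseable"


def doctype_public_id_column(body):
    """Return the 1-based column of the character after a DOCTYPE's public
    identifier, where an XML parser expects the system identifier, or None
    when there is no such DOCTYPE. For the HTML 2.0 DOCTYPE that is 50."""
    m = re.match(r'<!DOCTYPE\s+\S+\s+PUBLIC\s+"[^"]*"', body)
    return m.end() + 1 if m else None


if __name__ == "__main__":
    print("missing on current master:", missing_ee_paths(CURRENT_PROXY_CONF))
    print("missing on stale master:  ", missing_ee_paths(STALE_PROXY_CONF))
    print("wizard reply:", classify_body(WIZARD_XML_BODY))
    print("httpd error page:", classify_body(APACHE_ERROR_BODY),
          "- XML parse stops at column", doctype_public_id_column(APACHE_ERROR_BODY))
```

On a real master, feed the contents of /etc/httpd/conf.d/ipa-pki-proxy.conf to missing_ee_paths() and the raw body the wizard received (captured with curl against the admin port, for instance) to classify_body(); an empty list and "xml" are what a working setup returns.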
