Actually, it looks like it fails even earlier than getting the domain
info - that is, when the replica contacts the master and tries to get
its cert chain.

I think that you have modified the logs slightly?  There are a couple of
things that don't make sense. See annotated log below --


On Wed, 2015-02-04 at 09:19 -0500, Ade Lee wrote:
> From the snippet of log below, it looks like the replica CA is trying to
> contact the master CA to obtain the security domain information and is
> failing to get a valid response.
> 
> The message about "spaces and parsing" is basically the replica saying
> that it cannot understand the response -- or lack of one from the master
> CA.  As this is an old version of IPA and Dogtag, it is trying to
> contact the master CA on port 9443.
> 
> Things to look into:
> 1) Is the CA on the master up?  Is port 9443 open on the master 
>    (firewalls on master or replica)?  You could test this by using a 
>    browser/curl on the replica to go to
>    https://<master_host>:9443/ca/admin/ca/getDomainXML
> 
> 2) Is selinux preventing the access?  You might want to set it in 
>    permissive mode on either master or replica.
> 
> 3) Do you see activity in the master's debug log?
> 
> This looks to me like a different error from what was described before.
> It's failing much earlier now.
> 
> Ade
> 
> On Fri, 2015-01-30 at 05:48 +0000, Les Stott wrote:
> > 
> > > -----Original Message-----
> > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > > boun...@redhat.com] On Behalf Of Les Stott
> > > Sent: Wednesday, 10 December 2014 6:22 PM
> > > To: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Ade Lee [mailto:a...@redhat.com]
> > > > Sent: Wednesday, 10 December 2014 5:05 AM
> > > > To: Les Stott
> > > > Cc: freeipa-users@redhat.com
> > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > >
> > > > On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> > > > >
> > > > >
> > > > >
> > > >
> > > > > ______________________________________________________________________
> > > > > From: freeipa-users-boun...@redhat.com
> > > > > [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> > > > > [d...@redhat.com]
> > > > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > > > To: freeipa-users@redhat.com
> > > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > > >
> > > > >
> > > > >
> > > > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > > >
> > > > > > Does anyone have any ideas on the below errors when trying to add
> > > > > > CA replication to an existing replica?
> > > > > >
> > > > > >
> > > > >
> > > > > > People who might be able to help are on PTO right now.
> > > > > >
> > > > > > Is your installation older than 2 years?
> > > > >
> > > > > No, December 2013 was when it was originally built.
> > > > >
> > > > > > Did you generate a new replica package or use the original one?
> > > > >
> > > > > I used the original replica file for serverb, based on instructions
> > > > > I came across. I can try regenerating the replica file.
> > > > >
> > > > > Interestingly, now that you mention it, servera had to be restored a
> > > > > couple of months back. Perhaps this is an issue and regenerating the
> > > > > replica file for serverb will be required.
> > > > >
> > > > > I will try this.
> > > > >
> > > >
> > > > I think that this is a safe bet to be the problem.
> > > >
> > > > The error in the log snippet you posted says:
> > > >
> > > >  <errorString>The pkcs12 file is not correct.</errorString>
> > > >
> > > > This indicates that the clone CA was unable to decode the pkcs12 file
> > > > in the replica.  Perhaps the certs changed -- or the DM password 
> > > > changed?
> > > >
> > > > Ade
> > > 
> > > I regenerated the replica file and retried the CA replica setup, but it failed at
> > > the same point with the same error.
> > > 
> > > I am thinking that the next step is to uninstall the ipa replica to clean up,
> > > remove all traces and re-add as a replica on serverb.
> > > 
> > > I wonder if the cert that it's having an issue with is the one on serverB under
> > > /etc/ipa/ca.crt which is from Dec 2013.
> > > 
> > > I will try that in a couple of days as I have to schedule this work in as it's in
> > > production.
> > > 
> > > Regards,
> > > 
> > > Les
> > > 
> > > 
> > > > > > Maybe the problem is that the cert that is in that package already
> > > > > > expired?
> > > > >
> > > > > original replica file was created on Dec 16 2013. Cert is not set to
> > > > > expire until 2015-12-17.
> > > > >
> > > > > > Just a thought...
> > > > > >
> > > > > > The simplest workaround IMO would be to prepare Server C, install it
> > > > > > with CA and then decommission replica B.
> > > > > > Do not forget to clean replication agreements on master.
> > > > > >
> > > > > > But that would be a workaround; it would not solve this specific
> > > > > > problem, it would kill it.
> > > > >
> > > > > I actually do have serverc and serverd. I planned to have CA
> > > > > replication on at least 2 other servers, but held off on trying on
> > > > > serverc due to issues with serverb.
> > > > >
> > > > > I'll report back what I find after regenerating the replica file and
> > > > > re-trying to setup CA replication.
> > > > >
> > 
> > After a bit of a hiatus I have revisited this issue and I still have it.
> > 
> > Just to re-iterate the problem...
> > 
> > Trying to set up a CA replica on an already installed replica fails in rhel 
> > 6.6, ipa-3.0.0.42, pki 9.0.3-38.
> > 
> > /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U 
> > /var/lib/ipa/replica-info-myhost.mydomain.com.gpg
> > 
> > It fails showing.... "CRITICAL failed to configure ca instance"
> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 
> > seconds
> >   [1/16]: creating certificate server user
> >   [2/16]: creating pki-ca instance
> >   [3/16]: configuring certificate server instance
> > 
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > 
> > It doesn't matter if I run it interactively or unattended.
> > 
> > I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 
> > 3.0.0-37 without any issue.
> > 
> > The /var/log/ipareplica-ca-install.log shows the following error about 
> > White Spaces:
> > 
> > #############################################
> > Attempting to connect to: mymaster.mydomain.com:9445

^^ I assume mymaster.mydomain.com is the replica

> > Connected.
> > Posting Query = https:// 
> > mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true

^^ sdomainURL is myhost.mydomain.com:9445 ?  This is supposed to be the
URL for the original master.

> > RESPONSE STATUS:  HTTP/1.1 200 OK
> > RESPONSE HEADER:  Server: Apache-Coyote/1.1
> > RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> > RESPONSE HEADER:  Date: Fri, 30 Jan 2015 05:05:04 GMT
> > RESPONSE HEADER:  Connection: close
> > <?xml version="1.0" encoding="UTF-8"?>
> > <response>
> >   <panel>admin/console/config/securitydomainpanel.vm</panel>
> >   <https_agent_port>443</https_agent_port>
> >   <machineName>mymaster.mydomain.com</machineName>
> >   <res/>
> >   <cstype>CA</cstype>
> >   <initCommand>/sbin/service pki-cad</initCommand>
> >   <instanceId>&lt;security_domain_instance_name&gt;</instanceId>
> >   <sdomainURL>https:// myhost.mydomain.com:9445</sdomainURL>

^^ as above - I assume this is the original master URL?

> >   <sdomainName/>
> >   <http_ee_port>80</http_ee_port>
> >   <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 
> > 50; White spaces are required between publicId and systemId.</errorString>
> > 
> > The /var/log/pki-ca/debug also shows....
> > 
> > [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL 
> > Admin HTTPS . . .
> > [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
> > [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser 
> > failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White 
> > spaces are required between publicId and systemId.
> > [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no 
> > successful response for SSL Admin HTTPS
> > [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase 
> > getCertChainUsingSecureAdminPort start
> > [30/Jan/2015:00:05:05][http-9445-1]: 
> > WizardPanelBase::getCertChainUsingSecureAdminPort() - 
> > Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; 
> > White spaces are required between publicId and systemId.
> > [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: 
> > getCertChainUsingSecureAdminPort: java.io.IOException: 
> > org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White 
> > spaces are required between publicId and systemId.

it's calling https://<original_master_ca>:9445/ca/admin/ca/getCertChain
and not getting a good response.

OR it might be calling
https://<original_master_ca>:443/ca/admin/ca/getCertChain

It would be whatever is indicated in the log for sdomainURL.  If it's
going to port 443, then you should check that the httpd server is
running on the master - and check the access log.


> > 
> > When I compare those logs to the logs from the server I installed a 
> > ca-replica on successfully, the above is the point where the logs differ 
> > and it must be the source of the error.
> > 
> > In the log of the server that was successful it shows what should have 
> > happened...
> > 
> > [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL 
> > Admin HTTPS . . .
> > [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
> > [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
> > [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
> > [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS 
> > returns: 1
> > [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase 
> > getCertChainUsingSecureAdminPort start
> > [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase 
> > getCertChainUsingSecureAdminPort: status=0
> > [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase 
> > getCertChainUsingSecureAdminPort: certchain=<certstring>
> > 
> > I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
> > 
> > Note, also, I am trying this on new servers, not the same ones used in 
> > December.
> > 
> > I have searched high and low on google to try and find a resolution for the 
> > White Space issue but haven't found anything that worked.
> > 
> > This seems like a bug to me.
> > 
> > Can anyone help with this please?
> > 
> > Thanks in advance,
> > 
> > Regards,
> > 
> > Les

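The checks suggested in this thread (hit getDomainXML / getCertChain on the host named in sdomainURL with a browser or curl, and find out what actually answered if the wizard's XML parser rejects the reply) can be scripted. The following is an added example written for this thread, not code from the FreeIPA or Dogtag projects: it normalizes the sdomainURL as printed in the replica's log, fetches both endpoints named above over TLS verified against /etc/ipa/ca.crt, and reports whether each body is well-formed XML or something else (an HTML error or redirect page is the usual culprit behind a SAXParseException like the "White spaces are required between publicId and systemId" one). The Accept header and the HTML-detection heuristic are my assumptions, not Dogtag behaviour; the sample response bodies in the test are constructed.

```python
"""Diagnostic for the security-domain lookups a Dogtag/IPA CA clone performs.

Added example for this thread (not FreeIPA/Dogtag code). Usage:
    python3 check_sdomain.py "https://mymaster.mydomain.com:9445" [cafile]
"""
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Endpoints named in the thread; paths are relative to the sdomainURL host.
ENDPOINTS = ("/ca/admin/ca/getDomainXML", "/ca/admin/ca/getCertChain")

# /etc/ipa/ca.crt is the IPA CA certificate present on every enrolled host.
DEFAULT_CAFILE = "/etc/ipa/ca.crt"


def classify_body(body):
    """Say what the server returned: well-formed XML or not.

    For XML the result carries the root tag and any <errorString> text (the
    element the wizard response in the log uses); for non-XML it carries the
    parser error, its (line, column) and whether the bytes look like an HTML
    page (heuristic, assumption of this example).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        head = body.lstrip()[:64].lower()
        return {
            "kind": "not-xml",
            "error": str(exc),
            "position": exc.position,
            "looks_html": head.startswith((b"<!doctype html", b"<html")),
        }
    return {"kind": "xml", "root": root.tag,
            "errorString": root.findtext("errorString")}


def normalize_sdomain_url(sdomain_url):
    """Accept sdomainURL as it appears in the log (the thread's log shows
    'https:// host:9445' with a stray space) and return https://host:port."""
    parsed = urllib.parse.urlsplit(sdomain_url.replace(" ", ""))
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("sdomainURL must be https://host[:port]: %r" % sdomain_url)
    return "https://%s:%d" % (parsed.hostname, parsed.port or 443)


def build_context(cafile=DEFAULT_CAFILE):
    """TLS context verifying the master against the IPA CA certificate.
    cafile=None disables verification; use it only to inspect the bytes from a
    server whose certificate is itself what you are investigating."""
    if cafile is None:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=cafile)


def fetch(base, path, ctx, timeout=15):
    """GET base+path and return (HTTP status, body bytes).
    An HTTP error page is returned too: it may be exactly what the clone saw."""
    req = urllib.request.Request(base + path, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def check_security_domain(sdomain_url, cafile=DEFAULT_CAFILE):
    """Probe both endpoints on the security-domain host; returns path -> result."""
    base = normalize_sdomain_url(sdomain_url)
    ctx = build_context(cafile)
    results = {}
    for path in ENDPOINTS:
        status, body = fetch(base, path, ctx)
        result = classify_body(body)
        result["status"] = status
        result["preview"] = body[:120]   # first bytes, to see who answered
        results[path] = result
    return results


if __name__ == "__main__":
    url = sys.argv[1]
    cafile = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_CAFILE
    for path, res in check_security_domain(url, cafile).items():
        print(path, res)
```

Run it from the replica with the sdomainURL copied out of ipareplica-ca-install.log. A `not-xml` result with `looks_html` set and an HTTP status from Apache points at httpd (port 443) rather than the CA answering, which is where the access log check above comes in; a `xml` result whose `errorString` is populated means the CA did answer and the message is the CA's own.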
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
