dan.finkelst...@high5games.com wrote:
A further update: when I try to install the CA component, it erroneously
says that the CA is installed:

[root@ipa ~]# ipa-ca-install --skip-conncheck --debug
[ snip ]
ipa         : DEBUG    The ipa-ca-install command failed, exception:
SystemExit: CA is already installed.
CA is already installed.

Try:
# pkidestroy -i pki-tomcat -s CA

Yet:
[root@ipa ~]# ipa-csreplica-manage list
Directory Manager password:
ipa.example.com: CA not configured

Two different methods are used to determine whether a CA is installed. I'll open a ticket to look into that.

rob


*Daniel Alex Finkelstein* | Senior Dev Ops Engineer
dan.finkelst...@h5g.com | www.high5games.com

*From: *<freeipa-users-boun...@redhat.com> on behalf of Daniel
Finkestein <dan.finkelst...@high5games.com>
*Date: *Thursday, June 2, 2016 at 17:42
*To: *"freeipa-users@redhat.com" <freeipa-users@redhat.com>
*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
cannot promote to master

Hi Rob,

There are a few logs in there; I'm not sure which is most informative.
Here are some sections from what I think are the relevant logs:

/var/log/pki/pki-tomcat/localhost.log:

Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
...skipping...
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
        at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153)
        ... 52 more

/var/log/pki/pki-tomcat/catalina.out:

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.

/var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x7. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x8. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:20:22 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x9. Error Failed to publish using rule: No rules enabled
0.Thread-14 - [01/Jun/2016:12:20:23 EDT] [8] [3] Publishing: Could not publish certificate serial number 0xa. Error Failed to publish using rule: No rules enabled
0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

(repeats)

0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.h5c.local port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed to get a connection to the LDAP server. Error Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.profileChangeMonitor - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Thanks,
Dan


*From: *Rob Crittenden <rcrit...@redhat.com>
*Date: *Thursday, June 2, 2016 at 17:29
*To: *Daniel Finkestein <dan.finkelst...@high5games.com>,
"freeipa-users@redhat.com" <freeipa-users@redhat.com>
*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
cannot promote to master

dan.finkelst...@high5games.com wrote:

    Hi Sebastian,

    Unfortunately, that doesn't seem to be it, and reinstalling the replica
    with --setup-ca failed again with the same errors. I've included relevant
    sections of the logs.

    /var/log/ipareplica-install.log:

    2016-06-02T10:43:16Z DEBUG Starting external process
    2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
    2016-06-02T10:43:16Z DEBUG Process finished, return code=1
    2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
    Loading deployment configuration from /tmp/tmpl8RqSM.
    2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
      File "/usr/sbin/pkispawn", line 717, in <module>
        main(sys.argv)
      File "/usr/sbin/pkispawn", line 523, in main
        parser.compose_pki_master_dictionary()
      File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
        instance.load()
      File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
        subsystem.load()
      File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
        lines = open(self.cs_conf).read().splitlines()
    IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
    2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
    2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
    2016-06-02T10:43:16Z CRITICAL   /var/log/pki-ca-install.log
    2016-06-02T10:43:16Z CRITICAL   /var/log/pki/pki-tomcat
    2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
        run_step(full_msg, method)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
        method()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
        DogtagInstance.spawn_instance(self, cfg_file)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
        self.handle_setup_error(e)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
        raise RuntimeError("%s configuration failed." % self.subsystem)
    RuntimeError: CA configuration failed.
    2016-06-02T10:43:16Z DEBUG   [error] RuntimeError: CA configuration failed.
    2016-06-02T10:43:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
        cfgr.run()
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
        self.execute()
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
        for nothing in self._executor():
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
        self._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
        util.raise_exc_info(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
        step()
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
        raise_exc_info(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
        value = gen.send(prev_value)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
        executor.next()
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
        self._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
        self.__parent._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
        util.raise_exc_info(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
        super(ComponentBase, self)._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
        util.raise_exc_info(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
        step()
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
        raise_exc_info(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
        value = gen.send(prev_value)
      File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
        for nothing in self._installer(self.parent):
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
        install(self)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
        func(installer)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
        ca.install(False, config, options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
        install_step_0(standalone, replica_config, options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
        ra_p12=getattr(options, 'ra_p12', None))
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
        subject_base=config.subject_base)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
        self.start_creation(runtime=210)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
        run_step(full_msg, method)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
        method()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
        DogtagInstance.spawn_instance(self, cfg_file)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
        self.handle_setup_error(e)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
        raise RuntimeError("%s configuration failed." % self.subsystem)
    2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
    2016-06-02T10:43:16Z ERROR CA configuration failed.

    Of note, there is no /var/log/pki-ca-install.log file, nor (as the error
    above shows) is there a /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

    Best regards,
    Dan


    *From: *Sebastian Schäfer <sebastian.schae...@dlr.de>
    *Date: *Thursday, June 2, 2016 at 02:59
    *To: *"freeipa-users@redhat.com" <freeipa-users@redhat.com>, Daniel
    Finkestein <dan.finkelst...@high5games.com>
    *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
    FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
    cannot promote to master

    Hi Dan,

    I had a similar problem when updating my FreeIPA. In my case it turned
    out that the certificates that get bundled with the replica preparation
    file were expired. This is due to the /root/cacert.p12 file not being
    updated during the preparation process until FreeIPA 3.2.2.

    The file can be recreated with the commands from step 2 of
    http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

    If that does not solve the problem, it would be good to see (part of)
    the actual logfiles of your replica installation attempt.

    Best regards

    --
    Sebastian Schäfer, M. A.
    -------------------------------
    Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
    Institute of Space Operations and Astronaut Training
    Microgravity User Support Center (MUSC)
    Linder Höhe | 51147 Köln
    Telefon 02203 601-30 01 | Telefax: 02203 61471 |
    sebastian.schae...@dlr.de
    www.DLR.de

    On 06/01/2016 06:45 PM, dan.finkelst...@high5games.com wrote:

          Hi folks,

          As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
          to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
          replicas in CentOS 7 and then hope to promote one of them to the CA
          master. I'm running into two problems:

          The first is that when we create a replica in FreeIPA 4.2.0 with the
          --setup-ca option, that portion fails. Here's a snippet of the output:

          Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
              [1/23]: creating certificate server user
              [2/23]: configuring certificate server instance
          ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
          ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
          ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
          ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
              [error] RuntimeError: CA configuration failed.
          Your system may be partly configured.
          Run /usr/sbin/ipa-server-install --uninstall to clean up.

You need to find the CA logs. All IPA gets is "the install failed" and
no details why. Look in /var/log/pki/pki-tomcat for the relevant logs.

rob
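Sebastian's point above about stale certificates in /root/cacert.p12 suggests a check an administrator can run on the master before ipa-replica-prepare: list every certificate in the PKCS#12 bundle and flag any that are expired or about to expire. This is an added example, not code from the thread or from FreeIPA; it assumes the openssl CLI is installed and takes the bundle path, its password and a warning window in days as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): report the expiry status of
# every certificate inside a PKCS#12 bundle such as /root/cacert.p12.
# Assumes the openssl CLI is available.
#
# Output: one "subject|notAfter|STATUS" line per certificate, where STATUS is
# OK, EXPIRING (within $3 days, default 30) or EXPIRED.
# Return code: 0 all OK, 1 at least one EXPIRING/EXPIRED, 2 bundle unreadable
# (missing file, wrong password, or no certificate bags inside).
p12_cert_status() {
    p12="$1"
    pass="$2"
    days="${3:-30}"
    secs=$((days * 86400))
    tmp=$(mktemp -d) || return 2

    # -nokeys limits the output to certificate bags; split the PEM stream into
    # one temporary file per certificate so each can be inspected separately.
    # A wrong password makes openssl fail, so no files are written.
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" 2>/dev/null \
        | awk -v dir="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
            out { print > out }
            /-----END CERTIFICATE-----/ { close(out); out = "" }'

    rc=0
    for pem in "$tmp"/*.pem; do
        # Unmatched glob means nothing was extracted: treat as unreadable.
        [ -f "$pem" ] || { rm -rf "$tmp"; return 2; }
        subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        notafter=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            status=EXPIRED; rc=1
        elif ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null; then
            status=EXPIRING; rc=1
        else
            status=OK
        fi
        printf '%s|%s|%s\n' "$subject" "$notafter" "$status"
    done
    rm -rf "$tmp"
    return $rc
}

# Stand-alone usage: sh this_script.sh /root/cacert.p12 '<password>' [days]
if [ "$#" -ge 2 ]; then
    p12_cert_status "$@"
fi
```

A non-zero exit from the function is the signal to regenerate the bundle before preparing the replica; a status of 2 most often means the password given does not match the one used when the bundle was written.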



