On Thu, 22 Dec 2016 09:25:52 +0100 Florence wrote:

FBR> you can find more information about backup and restore procedure in this
FBR> guide [1]. But, as stated in the documentation, the safest method would
FBR> rather be to install a replica [2].
FBR> [...]
FBR> [2]
FBR> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-replica.html

I tried to create a replica. It went well for the directory server, but
then:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
from ipa-replica-install.log:
2016-12-22T21:00:53Z DEBUG Starting external process
2016-12-22T21:00:53Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ
2016-12-22T21:10:08Z DEBUG Process finished, return code=1
2016-12-22T21:10:08Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20161222160055.log
Loading deployment configuration from /tmp/tmpqYyqJJ.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
...
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
caSigningCert cert-pki-ca            CTu,Cu,Cu
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu
Installation failed:
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2016-12-22T21:10:08Z DEBUG stderr=
2016-12-22T21:10:08Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned non-zero exit status 1
2016-12-22T21:10:08Z CRITICAL See the installation logs and the following
files/directories for more information:
2016-12-22T21:10:08Z CRITICAL /var/log/pki/pki-tomcat
2016-12-22T21:10:08Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
448, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
438, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
590, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 420, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-12-22T21:10:08Z DEBUG [error] RuntimeError: CA configuration failed.
2016-12-22T21:10:08Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318,
in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310,
in run
self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332,
in execute
for nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372,
in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362,
in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586,
in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372,
in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362,
in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63,
in _install
for nothing in self._installer(self.parent):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1718, in main
install(self)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 364, in decorated
func(installer)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 822, in install
ca.install_step_0(False, config, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 140, in
install_step_0
ra_p12=getattr(options, 'ra_p12', None))
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1562, in install_replica_ca
subject_base=config.subject_base)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
437, in configure_instance
self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
448, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
438, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
590, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 420, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2016-12-22T21:10:08Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: CA configuration failed.
2016-12-22T21:10:08Z ERROR CA configuration failed.
2016-12-22T21:10:08Z ERROR The ipa-replica-install command failed.
See /var/log/ipareplica-install.log for more information
/var/log/pki/pki-tomcat/ca/system:
0.localhost-startStop-1 - [22/Dec/2016:16:02:38 EST] [13] [3] authz instance
DirAclAuthz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value
/var/log/pki/pki-tomcat/ca/debug:
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: === Subsystem Configuration ===
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: SystemConfigService: validate
clone URI: https://auth-1.example:443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: SystemConfigService: import
certificate chain from master
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: Searching for
SecureAdminPort in CA hosts
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: host:
auth-1.example
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: SecurePort
port: 443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils:
SecureAdminPort port found: 443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]:
ConfigurationUtils.importCertChain()
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: GET
https://auth-1.example:443/ca/admin/ca/getCertChain
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: - subject:
CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: - issuer: CN=Certificate
Authority,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: SystemConfigService: get
configuration entries from master
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: updateNumberRange start
host=auth-1.example adminPort=443 eePort=443
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: ConfigurationUtils: POST
https://auth-1.example:443/ca/admin/ca/updateNumberRange
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: - subject:
CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: - issuer: CN=Certificate
Authority,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to
contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP
500 Internal Server Error
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Attempting to
contact master using EE port
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: ConfigurationUtils: POST
https://auth-1.example:443/ca/ee/ca/updateNumberRange
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: - subject:
CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: - issuer: CN=Certificate
Authority,O=EXAMPLE
javax.ws.rs.NotFoundException: HTTP 404 Not Found
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:181)
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:154)
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:444)
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post(ClientInvocationBuilder.java:201)
at
com.netscape.certsrv.client.PKIConnection.post(PKIConnection.java:476)
...
So this looks like the culprit:
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to
contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP
500 Internal Server Error
Any suggestions on how to fix this? Or do I need to switch to the
backup/restore method?
Robert
--
Senior Software Engineer @ Parsons
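
A triage helper for the /var/log/pki/pki-tomcat/ca/debug excerpt in the message above, added here as an example and not part of the original post or of the FreeIPA/Dogtag code: it undoes the mail wrapping and pairs each outbound request to the master with the first HTTP 4xx/5xx logged after it. The function names and the pairing heuristic are assumptions; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Excerpt of the /var/log/pki/pki-tomcat/ca/debug lines quoted in the post,
# with the mail client's line wrapping left in place.
SAMPLE = """\
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: GET
https://auth-1.example:443/ca/admin/ca/getCertChain
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: ConfigurationUtils: POST
https://auth-1.example:443/ca/admin/ca/updateNumberRange
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to
contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP
500 Internal Server Error
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: ConfigurationUtils: POST
https://auth-1.example:443/ca/ee/ca/updateNumberRange
javax.ws.rs.NotFoundException: HTTP 404 Not Found
"""

STAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[[^\]]+\]: (.*)$")
EXC = re.compile(r"^[\w.]+(?:Exception|Error): ")   # unstamped Java exception line
REQUEST = re.compile(r"ConfigurationUtils: (GET|POST) (\S+)")
HTTP_ERR = re.compile(r"HTTP\s+([45]\d\d)\b")

def unwrap(text):
    """Rejoin wrapped lines into [timestamp, message] records."""
    records = []
    for line in map(str.strip, text.splitlines()):
        m = STAMP.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            records.append([when, m.group(2)])
        elif records and EXC.match(line):
            records.append([records[-1][0], line])   # inherits previous timestamp
        elif records and line:
            records[-1][1] += " " + line             # continuation of a wrapped record
    return records

def failed_requests(text):
    """Return (method, url, status, seconds waited) for each failed request."""
    findings, pending = [], None
    for when, msg in unwrap(text):
        req, err = REQUEST.search(msg), HTTP_ERR.search(msg)
        if req:
            pending = (when, req.group(1), req.group(2))
        elif err and pending:
            waited = int((when - pending[0]).total_seconds())
            findings.append((pending[1], pending[2], int(err.group(1)), waited))
            pending = None
    return findings
```

On this excerpt it reports the admin-port POST failing with 500 after 60 seconds and the EE-port POST failing with 404 in the same second. The 500 is a response from the master, so the master's CA logs for that minute are the next place to look.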
