On Thu, 22 Dec 2016 09:25:52 +0100 Florence wrote:

FBR> you can find more information about backup and restore procedure in this
FBR> guide [1]. But, as stated in the documentation, the safest method would
FBR> rather be to install a replica [2].
FBR> [...]
FBR> [2]
FBR> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-replica.html

I tried to create a replica. It went well for the directory server, but then:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

from ipa-replica-install.log:

2016-12-22T21:00:53Z DEBUG Starting external process
2016-12-22T21:00:53Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ
2016-12-22T21:10:08Z DEBUG Process finished, return code=1
2016-12-22T21:10:08Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20161222160055.log
Loading deployment configuration from /tmp/tmpqYyqJJ.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
...
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname               Trust Attributes
                                   SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca        u,u,u
subsystemCert cert-pki-ca          u,u,u
caSigningCert cert-pki-ca          CTu,Cu,Cu
Server-Cert cert-pki-ca            u,u,u
auditSigningCert cert-pki-ca       u,u,Pu

Installation failed: Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2016-12-22T21:10:08Z DEBUG stderr=
2016-12-22T21:10:08Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned non-zero exit status 1
2016-12-22T21:10:08Z CRITICAL See the installation logs and the following files/directories for more information:
2016-12-22T21:10:08Z CRITICAL /var/log/pki/pki-tomcat
2016-12-22T21:10:08Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-12-22T21:10:08Z DEBUG [error] RuntimeError: CA configuration failed.
2016-12-22T21:10:08Z DEBUG
  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1718, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 822, in install
    ca.install_step_0(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 140, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1562, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 437, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-12-22T21:10:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2016-12-22T21:10:08Z ERROR CA configuration failed.
2016-12-22T21:10:08Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

/var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [22/Dec/2016:16:02:38 EST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

/var/log/pki/pki-tomcat/ca/debug:

22/Dec/2016:16:05:47][http-bio-8443-exec-3]: === Subsystem Configuration ===
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://auth-1.example:443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: SystemConfigService: import certificate chain from master
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: Searching for SecureAdminPort in CA hosts
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: host: auth-1.example
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: SecurePort port: 443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: SecureAdminPort port found: 443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: GET https://auth-1.example:443/ca/admin/ca/getCertChain
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: SystemConfigService: get configuration entries from master
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: updateNumberRange start host=auth-1.example adminPort=443 eePort=443
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: ConfigurationUtils: POST https://auth-1.example:443/ca/admin/ca/updateNumberRange
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Attempting to contact master using EE port
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: ConfigurationUtils: POST https://auth-1.example:443/ca/ee/ca/updateNumberRange
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
javax.ws.rs.NotFoundException: HTTP 404 Not Found
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:181)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:154)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:444)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post(ClientInvocationBuilder.java:201)
        at com.netscape.certsrv.client.PKIConnection.post(PKIConnection.java:476)
...

So this looks like the culprit:

[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error

Any suggestions on how to fix this? Or do I need to switch to the backup/restore method?

Robert

-- 
Senior Software Engineer @ Parsons