[Freeipa-users] Re: Can't create new CA replica

2017-11-17 Thread John Bowman via FreeIPA-users
Running in debug mode definitely shows a recently expired cert, and running
it again this time only shows the correct hostname now, unlike before.  Is
this cert something that I can regenerate/renew?  I'll find out about
getting a new host to test with as well.

[root@ipa1 ~]# ipa-replica-prepare --debug ipa2.domain.tld
ipa : DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa : DEBUG args=klist -V
ipa : DEBUG stdout=Kerberos 5 version 1.10.3

ipa : DEBUG stderr=
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Directory Manager (existing master) password:

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_61017104
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_61017

[Freeipa-users] Re: Can't create new CA replica

2017-11-16 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 16, 2017 at 02:04:24PM -0500, Rob Crittenden wrote:
> john.bowman--- via FreeIPA-users wrote:
> > Still looking for any ideas on this one so giving it a bump.
> 
> Next time please don't wipe out all the context.
> 
> Fraser, it seems to be having a problem connecting to the security domain.
> 
> The full thread is at
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
> 
> rob
>
For the security domain connection problems, a fix was released in
Dogtag 10.5.1 (pki commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3).

As for the expired certificates problem, I'm not sure about that.
More logs would be helpful.  But perhaps start over again with a
fresh host for the replica, and run the latest pki builds (Fedora 27
was just released and it has Dogtag 10.5.1).

Cheers,
Fraser
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Can't create new CA replica

2017-11-16 Thread John Bowman via FreeIPA-users
Apologies, I hit reply from the list's web page instead of replying from
email and it did not include the history automatically.

On Thu, Nov 16, 2017 at 1:04 PM, Rob Crittenden  wrote:

> john.bowman--- via FreeIPA-users wrote:
> > Still looking for any ideas on this one so giving it a bump.
>
> Next time please don't wipe out all the context.
>
> Fraser, it seems to be having a problem connecting to the security domain.
>
> The full thread is at
> https://lists.fedoraproject.org/archives/list/freeipa-
> us...@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/
>
> rob
>



-- 
John Bowman
System Engineer
4500 S 129th East Avenue,
Suite 132
Tulsa, OK 74134

(c) 918.633.4191
(o) 918.295.7043

john.bow...@zayo.com


[Freeipa-users] Re: Can't create new CA replica

2017-11-16 Thread Rob Crittenden via FreeIPA-users
john.bowman--- via FreeIPA-users wrote:
> Still looking for any ideas on this one so giving it a bump.

Next time please don't wipe out all the context.

Fraser, it seems to be having a problem connecting to the security domain.

The full thread is at
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7CMTT25MZKFDUW26XYLHAEV73DIYW7IV/

rob


[Freeipa-users] Re: Can't create new CA replica

2017-11-16 Thread john.bowman--- via FreeIPA-users
Still looking for any ideas on this one so giving it a bump.


[Freeipa-users] Re: Can't create new CA replica

2017-10-30 Thread john.bowman--- via FreeIPA-users
I've finally had a chance to make this attempt and after running the clean up:

# python /usr/share/pki/scripts/restore-subsystem-user.py -v
Subsystem certificate: 2;4;CN=Certificate Authority,O=DOMAIN.TLD;CN=CA 
Subsystem,O=DOMAIN.TLD
-BEGIN CERTIFICATE-
*snip*
-END CERTIFICATE-
User CA-ipa4.domain.tld-9443 has subsystem certificate
User already in Subsystem Group
User has the correct certificate mapping
Subsystem user CA-ipa4.domain.tld-9443 is OK

It was strange that it listed ipa4, since that is not one of our current CAs, 
just a normal replica.  I'm guessing that it was likely a CA at one point but 
was converted.  Perhaps incorrectly?

# ipa-replica-prepare ipa5.domain.tld
Directory Manager (existing master) password:

Preparing replica for ipa5.domain.tld from ipa1.domain.tld
Creating SSL certificate for the Directory Server
ipa : ERROR cert validation failed for 
"CN=ipa1.domain.tld,O=DOMAIN.TLD" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's 
Certificate has expired.)
preparation of replica failed: cannot connect to 
'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': 
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 
'https://ipa1.domain.tld:9444/ca/ee/ca/profileSubmitSSLClient': 
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", 
replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb

I know the cert wasn't expired prior to running these two commands.   When I 
look at ipa-getcert list, all the expiry dates for requests in MONITORING status 
show 2019, unless I'm looking in the wrong area.


[Freeipa-users] Re: Can't create new CA replica

2017-08-18 Thread Petr Vobornik via FreeIPA-users
On Tue, Aug 15, 2017 at 7:57 PM, john.bowman--- via FreeIPA-users
 wrote:
> Looks like I missed your answers.
>
> Question:  Do I need to run that command on all RHEL6 CA servers or just one 
> of them?  (We currently have 2 RHEL 6 CA servers.)

Which command?

Pasting the previous text, now with the host where to run it:

So run on a RHEL 6 master. This can be run on all RHEL 6 masters, but
especially on the one where you then run ipa-replica-prepare:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v


The following is OK to run on only one master. After running it, the
ipa-(cs)replica-manage list commands should no longer list the replica.
Then remove the previous installation attempt by:
* ipa-replica-manage del $replica
* ipa-csreplica-manage del $replica

Try again
* generate new replica file by ipa-replica-prepare (on the original master)
* run replica installation again with the new replica file

>
> Thank you for the reply!


-- 
Petr Vobornik


[Freeipa-users] Re: Can't create new CA replica

2017-08-15 Thread john.bowman--- via FreeIPA-users
Looks like I missed your answers.  

Question:  Do I need to run that command on all RHEL6 CA servers or just one of 
them?  (We currently have 2 RHEL 6 CA servers.)

Thank you for the reply!


[Freeipa-users] Re: Can't create new CA replica

2017-08-02 Thread Petr Vobornik via FreeIPA-users
On Wed, Aug 2, 2017 at 1:31 PM, Fraser Tweedale via FreeIPA-users
 wrote:
> On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote:
>> john.bowman--- via FreeIPA-users wrote:
>> > Since taking over our FreeIPA environment I've been unable to create a new 
>> > CA replica.  A bunch of failed attempts and upgrades over the last year 
>> > and I keep running into issues.   After my latest attempt I noticed 
>> > something that I had not seen before (likely a result of a recent 
>> > upgrade) and I was wondering if this would cause a CA install to fail.
>> >
>> > Our env:
>> > 3 x ipa-server-3.0.0-51.el6.x86_64
>> > 3 x ipa-server-4.4.0-14.el7_3.7.x86_64
>> >
>> > 2 of the 3.x IPA servers are currently acting as CAs and I've been trying 
>> > to create a new 4.x CA replica in order to start removing the 3.x IPA 
>> > servers.   I've been able to do a simple test with vanilla CentOS 6.9 and 
>> > 7.3 and it seems to work fine as far as I can tell but when I try it in 
>> > our environment it fails.  I noticed this error in one of the logs and 
>> > something jumped out at me that I had never seen before:
>> >
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security 
>> > domain
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): 
>> > Getting domain.xml from CA...
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting 
>> > domain info
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET 
>> > https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain 
>> > info: > > standalone="no"?>IPA> >> ipa-master.domain.tld44344344380> > ureEEClientAuthPort>443TRUETRUEpki-cadipa-replica1.domain.tld
>> > 44344344380443> > ecureEEClientAuthPort>TRUETRUEpki-cadipa-replica2.domain.tld443> > curePort>44344380443> > ainManager>TRUETRUEpki-cad30> > emCount>000> > ist>0
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
>> > admin interface
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
>> > updateDomainXML start hostname=ipa-master.domain.tld port=443
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
>> > https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin 
>> > interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
>> > agent interface
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
>> > updateDomainXML start hostname=ipa-master.domain.tld port=443
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() 
>> > nickname=subsystemCert cert-pki-ca
>> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
>> > https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - subject: 
>> > CN=ipa-master.domain.tld,O=DOMAIN.US
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - issuer: CN=Certificate 
>> > Authority,O=DOMAIN.US
>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: 
>> > updateDomainXML: status=1

>> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security 
>> > domain: 2
>> > java.io.IOException: Unable to update security domain: 2

This error message means that pkispawn cannot authenticate to Dogtag
on the master by a certificate. Usually the cert doesn't match the one in
the Dogtag user db in LDAP, or the cert serial number mapping is wrong.

More info is in:
* https://www.freeipa.org/page/Troubleshooting#Migrating_from_RHEL_6.2FCentOS_6

resp.
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

But the Dogtag team made a utility which should do the steps described in
the above post automatically.

So run on a RHEL 6 master:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v

Then remove the previous installation attempt by:
* ipa-replica-manage del $replica
* ipa-csreplica-manage del $replica

Try again
* generate new replica file by ipa-replica-prepare
* run replica installation again with the new replica file

>> >
>> >
>> > The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x 
>> > servers but the other two listed in that domainxml file one does not exist 
>> > (it may have at some point been renamed) and the other server is not a CA 
>> > replica but it is a replica.
>> >
>> > Is it possible this bad info would cause a failure when trying to create a 
>> > new CA replica?  If so is it something I can try cleaning up?
>> >
>> > Any info
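
Petr's explanation above (the subsystem user's certificate mapping in LDAP not matching the cert Dogtag presents) and John's later SEC_ERROR_EXPIRED_CERTIFICATE failure both come down to checking one certificate against a stored record. The following Python is an added example, not code from the thread or from FreeIPA/Dogtag: it parses the `2;serial;issuerDN;subjectDN` mapping string that restore-subsystem-user.py prints and a `certutil -L -n <nickname>` listing, and reports any mismatch or expiry. The mapping value and the certutil output below are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample: the Dogtag subsystem-user mapping as printed by
# restore-subsystem-user.py ("Subsystem certificate: ...").
MAPPING = "2;4;CN=Certificate Authority,O=DOMAIN.TLD;CN=CA Subsystem,O=DOMAIN.TLD"

# Constructed sample of `certutil -L -d <nssdb> -n 'subsystemCert cert-pki-ca'`.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=DOMAIN.TLD"
        Validity:
            Not Before: Wed Jun 14 06:49:44 2017
            Not After : Fri Jun 14 06:49:44 2019
        Subject: "CN=CA Subsystem,O=DOMAIN.TLD"
"""


def parse_mapping(desc):
    """Split Dogtag's user-cert mapping: version;serial;issuerDN;subjectDN.
    The serial is decimal; DNs keep their original formatting."""
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected mapping format: %r" % desc)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def parse_certutil(text):
    """Pull serial, issuer, subject and notAfter out of certutil -L output."""
    serial = int(re.search(r"Serial Number:\s*(\d+)", text).group(1))
    issuer = re.search(r'Issuer:\s*"([^"]*)"', text).group(1)
    subject = re.search(r'Subject:\s*"([^"]*)"', text).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    expiry = datetime.strptime(not_after, "%a %b %d %H:%M:%S %Y")
    return {"serial": serial, "issuer": issuer, "subject": subject,
            "not_after": expiry}


def normalize_dn(dn):
    # Compare DNs component-wise, ignoring case and spacing around commas.
    return tuple(p.strip().lower() for p in dn.split(","))


def check_subsystem_cert(mapping, certutil_text, today):
    """Return a list of problems (empty means the LDAP mapping and the NSS db
    cert agree and the cert is still valid on `today`, given as YYYY-MM-DD)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    m = parse_mapping(mapping)
    c = parse_certutil(certutil_text)
    problems = []
    if m["serial"] != c["serial"]:
        problems.append("serial mismatch: LDAP mapping %d, NSS db %d"
                        % (m["serial"], c["serial"]))
    if normalize_dn(m["issuer"]) != normalize_dn(c["issuer"]):
        problems.append("issuer mismatch")
    if normalize_dn(m["subject"]) != normalize_dn(c["subject"]):
        problems.append("subject mismatch")
    if c["not_after"] <= now:
        problems.append("certificate expired on %s" % c["not_after"].isoformat())
    return problems


if __name__ == "__main__":
    for day in ("2017-10-30", "2019-07-01"):
        print(day, check_subsystem_cert(MAPPING, CERTUTIL_OUTPUT, day) or "OK")
```

The same expiry check applies to the server cert that ipa-replica-prepare talks to on port 9444 (list it with its own nickname), which is the cert certmonger's ipa-getcert list may not be tracking.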

[Freeipa-users] Re: Can't create new CA replica

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote:
> john.bowman--- via FreeIPA-users wrote:
> > Since taking over our FreeIPA environment I've been unable to create a new 
> > CA replica.  A bunch of failed attempts and upgrades over the last year and 
> > I keep running into issues.   After my latest attempt I noticed something 
> > that I had not seen before (likely a result of a recent upgrade) and I was 
> > wondering if this would cause a CA install to fail.
> > 
> > Our env:
> > 3 x ipa-server-3.0.0-51.el6.x86_64
> > 3 x ipa-server-4.4.0-14.el7_3.7.x86_64
> > 
> > 2 of the 3.x IPA servers are currently acting as CAs and I've been trying 
> > to create a new 4.x CA replica in order to start removing the 3.x IPA 
> > servers.   I've been able to do a simple test with vanilla CentOS 6.9 and 
> > 7.3 and it seems to work fine as far as I can tell but when I try it in our 
> > environment it fails.  I noticed this error in one of the logs and 
> > something jumped out at me that I had never seen before:
> > 
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security 
> > domain
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): 
> > Getting domain.xml from CA...
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting 
> > domain info
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET 
> > https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain 
> > info:  > standalone="no"?>IPA >> ipa-master.domain.tld44344344380 > ureEEClientAuthPort>443TRUETRUEpki-cadipa-replica1.domain.tld
> > 44344344380443 > ecureEEClientAuthPort>TRUETRUEpki-cadipa-replica2.domain.tld443 > curePort>44344380443 > ainManager>TRUETRUEpki-cad30 > emCount>000 > ist>0
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
> > admin interface
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
> > updateDomainXML start hostname=ipa-master.domain.tld port=443
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
> > https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin 
> > interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
> > agent interface
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
> > updateDomainXML start hostname=ipa-master.domain.tld port=443
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() 
> > nickname=subsystemCert cert-pki-ca
> > [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
> > https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - subject: 
> > CN=ipa-master.domain.tld,O=DOMAIN.US
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - issuer: CN=Certificate 
> > Authority,O=DOMAIN.US
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: 
> > updateDomainXML: status=1
> > [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security 
> > domain: 2
> > java.io.IOException: Unable to update security domain: 2
> > 
> > 
> > The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x 
> > servers but the other two listed in that domainxml file one does not exist 
> > (it may have at some point been renamed) and the other server is not a CA 
> > replica but it is a replica.
> > 
> > Is it possible this bad info would cause a failure when trying to create a 
> > new CA replica?  If so is it something I can try cleaning up?
> > 
> > Any info would be appreciated.  Thanks!
> 
> I think one of the dogtag devs will need to look at it. It may take a
> few days, things get a bit slow around here in the summer.
> 
> rob
> 
This went off my radar, but now it's back on my radar.  Looks like
it could be another case of [1]?

[1] 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/TJGJZANRCIYTGXCUEAZ3XLISNEO7QOIN/#A54XHWAG4Z6BVX62YRUQXYO5QKW4OXAZ

Cheers,
Fraser


[Freeipa-users] Re: Can't create new CA replica

2017-07-06 Thread Rob Crittenden via FreeIPA-users
john.bowman--- via FreeIPA-users wrote:
> Since taking over our FreeIPA environment I've been unable to create a new CA 
> replica.  A bunch of failed attempts and upgrades over the last year and I 
> keep running into issues.   After my latest attempt I noticed something that 
> I had not seen before (likely a result of a recent upgrade) and I was 
> wondering if this would cause a CA install to fail.
> 
> Our env:
> 3 x ipa-server-3.0.0-51.el6.x86_64
> 3 x ipa-server-4.4.0-14.el7_3.7.x86_64
> 
> 2 of the 3.x IPA servers are currently acting as CAs and I've been trying to 
> create a new 4.x CA replica in order to start removing the 3.x IPA servers.   
> I've been able to do a simple test with vanilla CentOS 6.9 and 7.3 and it 
> seems to work fine as far as I can tell but when I try it in our environment 
> it fails.  I noticed this error in one of the logs and something jumped out 
> at me that I had never seen before:
> 
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security 
> domain
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting 
> domain.xml from CA...
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting 
> domain info
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET 
> https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain 
> info:  standalone="no"?>IPA> ipa-master.domain.tld44344344380 ureEEClientAuthPort>443TRUETRUEpki-cadipa-replica1.domain.tld
> 44344344380443 ecureEEClientAuthPort>TRUETRUEpki-cadipa-replica2.domain.tld443 curePort>44344380443 ainManager>TRUETRUEpki-cad30 emCount>000 ist>0
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
> admin interface
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
> updateDomainXML start hostname=ipa-master.domain.tld port=443
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
> https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin 
> interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using 
> agent interface
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: 
> updateDomainXML start hostname=ipa-master.domain.tld port=443
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() 
> nickname=subsystemCert cert-pki-ca
> [14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST 
> https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - subject: 
> CN=ipa-master.domain.tld,O=DOMAIN.US
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - issuer: CN=Certificate 
> Authority,O=DOMAIN.US
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: 
> updateDomainXML: status=1
> [14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security 
> domain: 2
> java.io.IOException: Unable to update security domain: 2
> 
> 
> The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x servers 
> but the other two listed in that domainxml file one does not exist (it may 
> have at some point been renamed) and the other server is not a CA replica but 
> it is a replica.
> 
> Is it possible this bad info would cause a failure when trying to create a 
> new CA replica?  If so is it something I can try cleaning up?
> 
> Any info would be appreciated.  Thanks!

I think one of the dogtag devs will need to look at it. It may take a
few days, things get a bit slow around here in the summer.

rob