Re: [Freeipa-users] CA: Failing to add Centos7 replica to Centos6.7 ipa server

2016-02-11 Thread Quasar
Thank you!
Dodging the dogtag guys, then ;-)

On Thu, 11 Feb 2016 13:26 Martin Basti <mba...@redhat.com> wrote:

>
>
> On 11.02.2016 12:51, Quasar wrote:
>
> Martin,
>
> I've re-tested the replica with a freshly-installed CentOS 7 (1511).
> Installation still fails (damn!) and the log is a bit more verbose. I
> suppose it has something to do with the certificate in my master server, probably
> due to incremental updates done in the past.
>
> 2016-02-11T11:09:21Z DEBUG Starting external process
> 2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpRHosRn'
> 2016-02-11T11:10:58Z DEBUG Process finished, return code=1
> 2016-02-11T11:10:58Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160211120921.log
> Loading deployment configuration from /tmp/tmpRHosRn.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-02-11T11:10:58Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn: WARNING  ... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn: ERROR... Exception from Java Configuration Servlet:
> 500 Server Error: Internal Server Error
> pkispawn: ERROR... ParseError: not well-formed (invalid
> token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
> while updating security domain: java.io.IOException: 2"}
>
> 2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'' returned non-zero
> exit status 1
> 2016-02-11T11:10:58Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2016-02-11T11:10:58Z CRITICAL   /var/log/pki-ca-install.log
> 2016-02-11T11:10:58Z CRITICAL   /var/log/pki/pki-tomcat
> 2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
> run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
> method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 620, in __spawn_instance
> DogtagInstance.spawn_instance(self, cfg_file)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
> self.handle_setup_error(e)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
> raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> I'm attaching the 3 log files, as usual:
>
>
>
> On Thu, Feb 11, 2016 at 11:28 AM, Quasar <quas...@gmail.com> wrote:
>
>> Hi Martin,
>>
>> first of all thanks for taking some time to read and provide feedback,
>> much appreciated.
>>
>> I firstly tried with CentOS 7.x (build 1511) but got the same error
>> during CA configuration. Then I supposed I had to upgrade step-by-step,
>> from 3.0 to 3.3 (instead of 3.0 to 4.x) and used Fedora 23, 20, 19 and 18
>> but with no luck.
>> If you need the exact log from CentOS 7.x migration I can provide them to
>> you.
>>
>> About the debug log file, it was attached and these are the final lines
>> containing the error:
>>
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
>> domainInfo=> standalone="no"?>IPAipaserver.it.fx.lan44344344344380FALSEpki-cadTRUEipaserver-ha.it.fx.lan44344344380443TRUETRUEpki-cad2</SubsystemCount>0
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
>> updateDomainXML start hostname=ipaserver.it.fx.lan port=443
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain:
>> failed to update security domain using admin port 443:
>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>> spaces are required between publicId and systemId.
>> [09/Feb/2016:15:31:42][http

Re: [Freeipa-users] CA: Failing to add Centos7 replica to Centos6.7 ipa server

2016-02-11 Thread Quasar
Excellent news Martin! After checking the bug you shared with me, I tried
to check if pki-core-9.0.3-45.el6_7 was released for CentOS 6.7 and I was
quite lucky this time!
After a "yum update" I retried the replica and this time everything went
smoothly!

Thanks a lot for your help and time!

Cheers!



On Thu, Feb 11, 2016 at 2:04 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 11.02.2016 13:33, Quasar wrote:
>
> Thank you!
> Dodging the dogtag guys, then ;-)
>
> Do you have CA configured as external CA?
>
> It could be:
> https://bugzilla.redhat.com/show_bug.cgi?id=1291747
>
> I don't think that it is already in CentOS
>
>


-- 
Giuseppe Calignano
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

2016-02-11 Thread Quasar
Please disregard this email, as it was duplicated.

Sorry for the inconvenience

On Tue, Feb 9, 2016 at 4:26 PM,  wrote:

> Hi, I desperately need your help/advice with our ipa update process.
> Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7
> to a newer version, and I read that the way of doing it is to create a new
> replica with a newer version of IPA server.
> Before writing this post, I browsed for similar issues (there are many of
> them with similar outcome) and tried to apply the suggested solutions but
> no luck. I also tried previous versions of Fedora (18 and 19) but again no
> luck.
> It seems I'm stuck and I don't know how to proceed :(
>
> Thank you in advance to anyone who will take the time to read my message
> :) Let's start!
>
> Right now we have a single running on Centos 6.7, and we are planning to
> create a replica with Fedora 20 which has IPA 3.3
>
> Here are the details of the master (ipaserver)
> [root@ipaserver ~]# uname -a
> Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21
> UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-ca-9.0.3-43.el6.noarch
>
> And here are the details of the replica (ipaserver-ha2)
> Replica server on Fedora 20:
> [root@ipaserver-ha2 ~]# uname -a
> Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12
> 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> pki-ca-10.1.2-7.fc20.noarch
> freeipa-server-3.3.5-1.fc20.x86_64
>
> Here are the steps I made:
>
>- Before starting the replica I updated the schema of the master with
>the copy-schema-to-ca.py script
>- I prepared the replica certificates on the server
>("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and
>transferred them to the replica server into the same folder
>- Then I ran the replica install and here's the output:
>
> [root@ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns
> --no-forwarders --no-ntp
> /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipaserver.it.fx.lan':
>Directory Service: Unsecure port (389): OK
>Directory Service: Secure port (636): OK
>Kerberos KDC: TCP (88): OK
>Kerberos Kpasswd: TCP (464): OK
>HTTP Server: Unsecure port (80): OK
>HTTP Server: Secure port (443): OK
>PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>Kerberos KDC: UDP (88): SKIPPED
>Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@it.fx.lan password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
>Directory Service: Unsecure port (389): OK
>Directory Service: Secure port (636): OK
>Kerberos KDC: TCP (88): OK
>Kerberos KDC: UDP (88): OK
>Kerberos Kpasswd: TCP (464): OK
>Kerberos Kpasswd: UDP (464): OK
>HTTP Server: Unsecure port (80): OK
>HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/34]: creating directory server user
>   [2/34]: creating directory server instance
>   [3/34]: adding default schema
>   [4/34]: enabling memberof plugin
>   [5/34]: enabling winsync plugin
>   [6/34]: configuring replication version plugin
>   [7/34]: enabling IPA enrollment plugin
>   [8/34]: enabling ldapi
>   [9/34]: configuring uniqueness plugin
>   [10/34]: configuring uuid plugin
>   [11/34]: configuring modrdn plugin
>   [12/34]: configuring DNS plugin
>   [13/34]: enabling entryUSN plugin
>   [14/34]: configuring lockout plugin
>   [15/34]: creating indices
>   [16/34]: enabling referential integrity plugin
>   [17/34]: configuring ssl for ds instance
>   [18/34]: configuring certmap.conf
>   [19/34]: configure autobind for root
>   [20/34]: configure new location for managed entries
>   [21/34]: configure dirsrv ccache
>   [22/34]: enable SASL mapping fallback
>   [23/34]: restarting directory server
>   [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 3 seconds elapsed
> Update succeeded
>
>   [25/34]: updating schema
>   [26/34]: setting Auto Member configuration
>   [27/34]: enabling S4U2Proxy delegation
>   [28/34]: initializing group membership
>   [29/34]: adding master entry
>   [30/34]: configuring Posix uid/gid generation
>   [31/34]: adding replication acis
>   [32/34]: 

Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

2016-02-11 Thread Quasar
Hi Martin,

first of all thanks for taking some time to read and provide feedback, much
appreciated.

I firstly tried with CentOS 7.x (build 1511) but got the same error during
CA configuration. Then I supposed I had to upgrade step-by-step, from 3.0
to 3.3 (instead of 3.0 to 4.x) and used Fedora 23, 20, 19 and 18 but with
no luck.
If you need the exact log from CentOS 7.x migration I can provide them to
you.

About the debug log file, it was attached and these are the final lines
containing the error:

[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
domainInfo=IPAipaserver.it.fx.lan44344344344380FALSEpki-cadTRUEipaserver-ha.it.fx.lan44344344380443TRUETRUEpki-cad20
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: failed
to update security domain using admin port 443:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: now
trying agent port with client auth
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML()
nickname=subsystemCert cert-pki-ca
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML: status=1



-- 
Giuseppe Calignano
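
Added example, not code from this thread nor from the FreeIPA or Dogtag projects: a small Python triage script for the two log formats quoted in the thread, the ipa-replica-install debug output around the pkispawn step (quoted in the first message above) and the pki-tomcat CA debug log lines in this message. The pkispawn stderr shows an XML ParseError at "line 1, column 0" immediately followed by a JSON body; the script decodes that body as JSON to recover the server's PKIException code and message, records the pkispawn argv, exit code and CRITICAL pointers, and pulls the updateSecurityDomain failure and the final updateDomainXML status out of the CA debug log. The two sample log strings are constructed to mirror the quoted lines, and the function names are this example's own.

```python
import json
import re
import shlex

# Constructed excerpts that mirror the log lines quoted in this thread.  They
# are typed in here for an offline demonstration, not copied from any host.
SAMPLE_INSTALL_LOG = """\
2016-02-11T11:09:21Z DEBUG Starting external process
2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'
2016-02-11T11:10:58Z DEBUG Process finished, return code=1
2016-02-11T11:10:58Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160211120921.log
Loading deployment configuration from /tmp/tmpRHosRn.
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed.
2016-02-11T11:10:58Z DEBUG stderr=pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'' returned non-zero exit status 1
2016-02-11T11:10:58Z CRITICAL See the installation logs and the following files/directories for more information:
2016-02-11T11:10:58Z CRITICAL   /var/log/pki-ca-install.log
2016-02-11T11:10:58Z CRITICAL   /var/log/pki/pki-tomcat
"""

SAMPLE_CA_DEBUG_LOG = """\
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
"""

# ipa-replica-install debug lines: "<ISO timestamp>Z <LEVEL> <message>"
IPA_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z (\w+) (.*)$")
# pki-tomcat CA debug lines: "[date][thread]: message"
CA_LINE_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (.*)$")


def extract_pki_exception(text):
    """Return code/message of the first JSON PKIException body in the text.

    pkispawn handed this body to an XML parser, hence 'invalid token: line 1,
    column 0'; decoding it as JSON recovers the server's actual complaint."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if str(obj.get("ClassName", "")).endswith("PKIException"):
            return {"code": obj.get("Code"), "message": obj.get("Message")}
    return None


def triage_install_log(text):
    """Summarise an ipa-replica-install debug excerpt around the pkispawn step."""
    report = {"argv": None, "return_code": None, "spawn_log": None,
              "critical": [], "pki_exception": extract_pki_exception(text)}
    for line in text.splitlines():
        m = IPA_LINE_RE.match(line)
        if not m:
            continue
        level, msg = m.group(1), m.group(2).strip()
        if msg.startswith("args="):
            report["argv"] = shlex.split(msg[len("args="):])
        rc = re.search(r"return code=(\d+)", msg)
        if rc:
            report["return_code"] = int(rc.group(1))
        lf = re.search(r"Log file:\s*(\S+)", msg)
        if lf:
            report["spawn_log"] = lf.group(1)
        if level == "CRITICAL":
            report["critical"].append(msg)
    return report


def triage_ca_debug_log(text):
    """Collect security-domain update failures, the SAX error detail and the
    final updateDomainXML status from a pki-tomcat CA debug excerpt."""
    result = {"domain_update_failures": [], "xml_errors": [], "final_status": None}
    for line in text.splitlines():
        m = CA_LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("updateSecurityDomain: failed"):
            result["domain_update_failures"].append(msg)
            if "SAXParseException; " in msg:
                result["xml_errors"].append(msg.split("SAXParseException; ", 1)[1])
        st = re.search(r"updateDomainXML: status=(\d+)", msg)
        if st:
            result["final_status"] = int(st.group(1))
    return result


if __name__ == "__main__":
    print(json.dumps(triage_install_log(SAMPLE_INSTALL_LOG), indent=2))
    print(json.dumps(triage_ca_debug_log(SAMPLE_CA_DEBUG_LOG), indent=2))
```

Run directly, it prints both summaries for the embedded samples; to use it on a real failure, feed the functions the text of the installer log and of the files the CRITICAL lines point at. The useful part of the first summary is the decoded `pki_exception`: the 500 and "Error while updating security domain" are what the master's CA actually returned, which the XML ParseError in pkispawn's own output hides.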