[Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie

Hi,

I have successfully configured one IPA replica, now I'm trying to 
configure a second replica, but I'm not having much success. I've 
attached the output of ipa-replica-install -d. I get as far as [4/11]: 
configuring certificate server instance. The machine is configured in 
the same way as the 2 first machines. They are all F15, updated with all 
available packages from the official repos.


The installation fails when it's trying to connect to the dogtag server 
on the ipa replica it's just configured, with an Invalid clone_uri 
message. (See the attached file for details).


I'm not sure where to start looking. The only difference from the 2 
first IPA servers, is that this server is located at another subnet, 
over a site-to-site VPN connection.


Any suggestions to what might be wrong?



Rgds,
Siggi

root: DEBUG  [4/11]: configuring certificate server instance
  [4/11]: configuring certificate server instance
root: DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA 
-cs_hostname ipa03.ix.test.com -cs_port 9445 -client_certdb_dir /tmp/tmp-wAosPS 
-client_certdb_pwd '' -preop_pin AuVgVftQywtXPkiYKppu -domain_name IPA 
-admin_user admin -admin_email root@localhost -admin_password '' 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa 
-agent_cert_subject CN=ipa-ca-agent,O=IX.test.COM -ldap_host 
ipa03.ix.test.com -ldap_port 7389 -bind_dn cn=Directory Manager 
-bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 
-key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
'' -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=IX.test.COM 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IX.test.COM 
-ca_server_cert_subject_name CN=ipa03.ix.test.com,O=IX.test.COM 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=IX.test.COM 
-ca_sign_cert_subject_name CN=Certificate Authority,O=IX.test.COM -external 
false -clone true -clone_p12_file ca.p12 -clone_p12_password '' 
-sd_hostname ipa01.ix.test.com -sd_admin_port 9445 -sd_admin_name admin 
-sd_admin_password '' -clone_start_tls true -clone_uri 
https://ipa01.ix.test.com:9444
root: DEBUG stdout=libpath=/usr/lib64
###
CRYPTO INIT WITH CERTDB:/tmp/tmp-wAosPS
tokenpwd:
#
Attempting to connect to: ipa03.ix.test.com:9445
in TestCertApprovalCallback.approve()
Peer cert details: 
 subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
 issuer:  CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
 serial:  0
item 1 reason=-8156 depth=1
 cert details: 
 subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
 issuer:  CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
 serial:  0
item 2 reason=-8172 depth=1
 cert details: 
 subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
 issuer:  CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
 serial:  0
importing certificate.
Connected.
Posting Query = 
https://ipa03.ix.test.com:9445//ca/admin/console/config/login?pin=AuVgVftQywtXPkiYKppu&xml=true
RESPONSE STATUS:  HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Set-Cookie: JSESSIONID=5437708C678FDD32C9ED6B488D9236CC; 
Path=/ca; Secure
RESPONSE HEADER:  Location: 
https://ipa03.ix.test.com:9445/ca/admin/console/config/wizard
RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
RESPONSE HEADER:  Content-Length: 0
RESPONSE HEADER:  Date: Mon, 13 Jun 2011 12:27:22 GMT
RESPONSE HEADER:  Connection: keep-alive
xml returned: 
cookie list: JSESSIONID=5437708C678FDD32C9ED6B488D9236CC; Path=/ca; Secure
#
Attempting to connect to: ipa03.ix.test.com:9445
Connected.
Posting Query = 
https://ipa03.ix.test.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Mon, 13 Jun 2011 12:27:22 GMT
RESPONSE HEADER:  Connection: close

Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Simo Sorce
On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote:
 Hi,
 
 I have successfully configured one IPA replica, now I'm trying to 
 configure a second replica, but I'm not having much success. I've 
 attached the output of ipa-replica-install -d. I get as far as [4/11]: 
 configuring certificate server instance. The machine is configured in 
 the same way as the 2 first machines. They are all F15, updated with all 
 available packages from the official repos.
 
 The installation fails when it's trying to connect to the dogtag server 
 on the ipa replica it's just configured, with an Invalid clone_uri 
 message. (See the attached file for details).
 
 I'm not sure where to start looking. The only difference from the 2 
 first IPA servers, is that this server is located at another subnet, 
 over a site-to-site VPN connection.
 
 Any suggestions to what might be wrong?

I have never seen this error, have you created a new replica package
with ipa-replica-prepare to create the second replica ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie

On 06/13/2011 04:12 PM, Simo Sorce wrote:

On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote:

Hi,

I have successfully configured one IPA replica, now I'm trying to
configure a second replica, but I'm not having much success. I've
attached the output of ipa-replica-install -d. I get as far as [4/11]:
configuring certificate server instance. The machine is configured in
the same way as the 2 first machines. They are all F15, updated with all
available packages from the official repos.

The installation fails when it's trying to connect to the dogtag server
on the ipa replica it's just configured, with an Invalid clone_uri
message. (See the attached file for details).

I'm not sure where to start looking. The only difference from the 2
first IPA servers, is that this server is located at another subnet,
over a site-to-site VPN connection.

Any suggestions to what might be wrong?

I have never seen this error, have you created a new replica package
with ipa-replica-prepare to create the second replica ?



Yes, a fresh package was created using ipa-replica-prepare and scp'ed to 
the new ipa server. I've even tried re-creating the package. Still the 
same error message.






Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Ade Lee
Hi, 

The replica installation is failing when the replica attempts to contact
the CA on the master to log into the security domain.  According to your
log, this is https://ipa01.ix.test.com:9445

Can the master be resolved and reached from the replica?  Can port 9445
be reached (as well as ports 9444 and 9443?)

You can also check the master's /var/log/pki-ca/debug log to see if any
communication was received from the replica.

Ade

On Mon, 2011-06-13 at 16:17 +0200, Sigbjorn Lie wrote:
 On 06/13/2011 04:12 PM, Simo Sorce wrote:
  On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote:
  Hi,
 
  I have successfully configured one IPA replica, now I'm trying to
  configure a second replica, but I'm not having much success. I've
  attached the output of ipa-replica-install -d. I get as far as [4/11]:
  configuring certificate server instance. The machine is configured in
  the same way as the 2 first machines. They are all F15, updated with all
  available packages from the official repos.
 
  The installation fails when it's trying to connect to the dogtag server
  on the ipa replica it's just configured, with an Invalid clone_uri
  message. (See the attached file for details).
 
  I'm not sure where to start looking. The only difference from the 2
  first IPA servers, is that this server is located at another subnet,
  over a site-to-site VPN connection.
 
  Any suggestions to what might be wrong?
  I have never seen this error, have you created a new replica package
  with ipa-replica-prepare to create the second replica ?
 
 
 Yes, a fresh package was created using ipa-replica-prepare and scp'ed to 
 the new ipa server. I've even tried re-creating the package. Still the 
 same error message.
 
 
 



Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie

On 06/13/2011 04:41 PM, Ade Lee wrote:

Hi,

The replica installation is failing when the replica attempts to contact
the CA on the master to log into the security domain.  According to your
log, this is https://ipa01.ix.test.com:9445

Can the master be resolved and reached from the replica?  Can port 9445
be reached (as well as ports 9444 and 9443?)

You can also check the master's /var/log/pki-ca/debug log to see if any
communication was received from the replica.



There was an additional DNS A record added to the existing IPA server 
hostname! This additional DNS A record pointed at the IP address of the 
replica IPA server I'm attempting to configure! I removed this A record 
and the replica installed successfully.


When I initially ran the ipa-replica-prepare command, I added the 
--ip-address option to get the DNS records for this host created. (I 
have a separate dns domain for the IPA environment.) In this process 
ipa-replica-prepare created an additional reverse zone on the server. 
(The new ipa replica resides on a subnet which sits at an AD DNS server, 
but it's still resolvable from the IPA dns servers).


After the replica finished I tried to run the ipa-replica-prepare 
command again with a new hostname, and adding an IP address using 
--ip-address on a subnet not known to the IPA DNS. The same error was 
reproduced, the DNS A record was added to the master IPA server.


I would also like to note that I cannot see the second DNS entry using 
the web gui, only using ipa dnsrecord-find. Bug opened in bugzilla for 
ipa-replica-prepare:


https://bugzilla.redhat.com/show_bug.cgi?id=712920


Rgds,
Siggi

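The two checks the thread converges on, Ade's question of whether the master resolves and its CA ports (9443/9444/9445) answer from the replica, and Siggi's finding that the master's hostname had picked up a second A record pointing at the replica, can be scripted as a pre-flight run on the replica before ipa-replica-install. This is an added example, not code from the thread or from FreeIPA. The hostnames ipa01/ipa03.ix.test.com are the ones from the thread; the 192.0.2.x addresses and the assumption that "ipa dnsrecord-find" prints the addresses on an "A record: a, b" line are mine.

```shell
#!/bin/sh
# Pre-flight for an IPA replica: run on the replica, before ipa-replica-install.
# Added example, not from the thread or the FreeIPA project. Assumed: the
# 192.0.2.x addresses and the "A record: a, b" output line of ipa dnsrecord-find.

# unique_a_records LIST: normalise a comma- or newline-separated list of IPv4
# addresses to one sorted, de-duplicated address per line.
unique_a_records() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | sed '/^$/d' | sort -u
}

# a_records_from_ipa OUTPUT: pull the addresses out of "ipa dnsrecord-find"
# output. In the thread the CLI showed the stray record when the web UI did not,
# so this, not the UI, is the place to look on the master.
a_records_from_ipa() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*A record:[[:space:]]*//p'
}

# count_a LIST: number of distinct addresses in LIST.
count_a() {
    unique_a_records "$1" | sed '/^$/d' | wc -l | tr -d ' '
}

# points_at LIST IP: succeed if IP is one of the addresses in LIST.
points_at() {
    unique_a_records "$1" | grep -qxF "$2"
}

# check_master_records LIST REPLICA_IP: the master's name must resolve to exactly
# one address, and that address must not be this replica. Returns 2 when the
# master's name points at the replica (the failure in the thread: the CA clone
# request went to the half-configured replica itself), 1 for several addresses.
check_master_records() {
    if points_at "$1" "$2"; then return 2; fi
    [ "$(count_a "$1")" -eq 1 ]
}

# port_open HOST PORT: TCP connect with a 5 s timeout (bash's /dev/tcp, so the
# connect itself runs under bash even when this file is executed by sh).
port_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Live run:  sh replica-preflight.sh ipa01.ix.test.com 192.0.2.30
# (the replica's own address as the second argument). Nothing runs without
# arguments, so the functions above can be sourced and tested offline.
if [ $# -eq 2 ]; then
    master=$1
    replica_ip=$2
    records=$(dig +short A "$master")
    echo "A records for $master from this resolver: $(unique_a_records "$records" | tr '\n' ' ')"
    rc=0
    check_master_records "$records" "$replica_ip" || rc=$?
    case $rc in
        1) echo "FAIL: $master has more than one A record; ipa-replica-install may contact the wrong host"; exit 1 ;;
        2) echo "FAIL: $master also resolves to this replica ($replica_ip); remove the stray A record on the master"; exit 1 ;;
    esac
    for p in 9443 9444 9445; do
        if port_open "$master" "$p"; then
            echo "ok: $master:$p reachable"
        else
            echo "FAIL: $master:$p not reachable (VPN or firewall between sites?)"; exit 1
        fi
    done
    echo "pre-flight passed; run ipa-replica-install"
fi
```

If the port checks pass but the install still fails at the certificate server step, the next thing to read is /var/log/pki-ca/debug on the master, as Ade suggests: if nothing from the replica appears there, the replica's request went somewhere else, which is exactly what a second A record for the master's name produces.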


Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Stephen Gallagher
On Mon, 2011-06-13 at 17:29 +0200, Sigbjorn Lie wrote:
 On 06/13/2011 04:41 PM, Ade Lee wrote:
  Hi,
 
  The replica installation is failing when the replica attempts to contact
  the CA on the master to log into the security domain.  According to your
  log, this is https://ipa01.ix.test.com:9445
 
  Can the master be resolved and reached from the replica?  Can port 9445
  be reached (as well as ports 9444 and 9443?)
 
  You can also check the master's /var/log/pki-ca/debug log to see if any
  communication was received from the replica.
 
 
 There was an additional DNS A record added to the existing IPA server 
 hostname! This additional DNS A record pointed at the IP address of the 
 replica IPA server I'm attempting to configure! I removed this A record 
 and the replica installed successfully.
 
 When I initially ran the ipa-replica-prepare command, I added the 
 --ip-address option to get the DNS records for this host created. (I 
 have a separate dns domain for the IPA environment.) In this process 
 ipa-replica-prepare created an additional reverse zone on the server. 
 (The new ipa replica resides on a subnet which sits at an AD DNS server, 
 but it's still resolvable from the IPA dns servers).
 
 After the replica finished I tried to run the ipa-replica-prepare 
 command again with a new hostname, and adding an IP address using 
 --ip-address on a subnet not known to the IPA DNS. The same error was 
 reproduced, the DNS A record was added to the master IPA server.
 
 I would also like to note that I cannot see the second DNS entry using 
 the web gui, only using ipa dnsrecord-find. Bug opened in bugzilla for 
 ipa-replica-prepare:
 
 https://bugzilla.redhat.com/show_bug.cgi?id=712920
 


This looks like it's probably related to 
https://fedorahosted.org/freeipa/ticket/1223



 
 Rgds,
 Siggi
 





Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Rob Crittenden

Sigbjorn Lie wrote:

On 06/13/2011 04:41 PM, Ade Lee wrote:

Hi,

The replica installation is failing when the replica attempts to contact
the CA on the master to log into the security domain. According to your
log, this is https://ipa01.ix.test.com:9445

Can the master be resolved and reached from the replica? Can port 9445
be reached (as well as ports 9444 and 9443?)

You can also check the master's /var/log/pki-ca/debug log to see if any
communication was received from the replica.



There was an additional DNS A record added to the existing IPA server
hostname! This additional DNS A record pointed at the IP address of the
replica IPA server I'm attempting to configure! I removed this A record
and the replica installed successfully.

When I initially ran the ipa-replica-prepare command, I added the
--ip-address option to get the DNS records for this host created. (I
have a separate dns domain for the IPA environment.) In this process
ipa-replica-prepare created an additional reverse zone on the server.
(The new ipa replica resides on a subnet which sits at an AD DNS server,
but it's still resolvable from the IPA dns servers).

After the replica finished I tried to run the ipa-replica-prepare
command again with a new hostname, and adding an IP address using
--ip-address on a subnet not known to the IPA DNS. The same error was
reproduced, the DNS A record was added to the master IPA server.

I would also like to note that I cannot see the second DNS entry using
the web gui, only using ipa dnsrecord-find. Bug opened in bugzilla for
ipa-replica-prepare:

https://bugzilla.redhat.com/show_bug.cgi?id=712920


Adding the record has already been fixed upstream, 
https://bugzilla.redhat.com/show_bug.cgi?id=704012


rob



Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie

On 06/13/2011 07:24 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

On 06/13/2011 04:41 PM, Ade Lee wrote:

Hi,

The replica installation is failing when the replica attempts to 
contact

the CA on the master to log into the security domain. According to your
log, this is https://ipa01.ix.test.com:9445

Can the master be resolved and reached from the replica? Can port 9445
be reached (as well as ports 9444 and 9443?)

You can also check the master's /var/log/pki-ca/debug log to see if any
communication was received from the replica.



There was an additional DNS A record added to the existing IPA server
hostname! This additional DNS A record pointed at the IP address of the
replica IPA server I'm attempting to configure! I removed this A record
and the replica installed successfully.

When I initially ran the ipa-replica-prepare command, I added the
--ip-address option to get the DNS records for this host created. (I
have a separate dns domain for the IPA environment.) In this process
ipa-replica-prepare created an additional reverse zone on the server.
(The new ipa replica resides on a subnet which sits at an AD DNS server,
but it's still resolvable from the IPA dns servers).

After the replica finished I tried to run the ipa-replica-prepare
command again with a new hostname, and adding an IP address using
--ip-address on a subnet not known to the IPA DNS. The same error was
reproduced, the DNS A record was added to the master IPA server.

I would also like to note that I cannot see the second DNS entry using
the web gui, only using ipa dnsrecord-find. Bug opened in bugzilla for
ipa-replica-prepare:

https://bugzilla.redhat.com/show_bug.cgi?id=712920


Adding the record has already been fixed upstream, 
https://bugzilla.redhat.com/show_bug.cgi?id=704012


Excellent, Thanks. I assume this is coming to freeipa in F15 as well at 
some point?






Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie

On 06/13/2011 06:55 PM, Stephen Gallagher wrote:

On Mon, 2011-06-13 at 17:29 +0200, Sigbjorn Lie wrote:

On 06/13/2011 04:41 PM, Ade Lee wrote:

Hi,

The replica installation is failing when the replica attempts to contact
the CA on the master to log into the security domain.  According to your
log, this is https://ipa01.ix.test.com:9445

Can the master be resolved and reached from the replica?  Can port 9445
be reached (as well as ports 9444 and 9443?)

You can also check the master's /var/log/pki-ca/debug log to see if any
communication was received from the replica.


There was an additional DNS A record added to the existing IPA server
hostname! This additional DNS A record pointed at the IP address of the
replica IPA server I'm attempting to configure! I removed this A record
and the replica installed successfully.

When I initially ran the ipa-replica-prepare command, I added the
--ip-address option to get the DNS records for this host created. (I
have a separate dns domain for the IPA environment.) In this process
ipa-replica-prepare created an additional reverse zone on the server.
(The new ipa replica resides on a subnet which sits at an AD DNS server,
but it's still resolvable from the IPA dns servers).

After the replica finished I tried to run the ipa-replica-prepare
command again with a new hostname, and adding an IP address using
--ip-address on a subnet not known to the IPA DNS. The same error was
reproduced, the DNS A record was added to the master IPA server.

I would also like to note that I cannot see the second DNS entry using
the web gui, only using ipa dnsrecord-find. Bug opened in bugzilla for
ipa-replica-prepare:

https://bugzilla.redhat.com/show_bug.cgi?id=712920



This looks like it's probably related to
https://fedorahosted.org/freeipa/ticket/1223



Yes. :)






Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Rob Crittenden

Sigbjorn Lie wrote:

On 06/13/2011 07:24 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

On 06/13/2011 04:41 PM, Ade Lee wrote:

Hi,

The replica installation is failing when the replica attempts to
contact
the CA on the master to log into the security domain. According to your
log, this is https://ipa01.ix.test.com:9445

Can the master be resolved and reached from the replica? Can port 9445
be reached (as well as ports 9444 and 9443?)

You can also check the master's /var/log/pki-ca/debug log to see if any
communication was received from the replica.



There was an additional DNS A record added to the existing IPA server
hostname! This additional DNS A record pointed at the IP address of the
replica IPA server I'm attempting to configure! I removed this A record
and the replica installed successfully.

When I initially ran the ipa-replica-prepare command, I added the
--ip-address option to get the DNS records for this host created. (I
have a separate dns domain for the IPA environment.) In this process
ipa-replica-prepare created an additional reverse zone on the server.
(The new ipa replica resides on a subnet which sits at an AD DNS server,
but it's still resolvable from the IPA dns servers).

After the replica finished I tried to run the ipa-replica-prepare
command again with a new hostname, and adding an IP address using
--ip-address on a subnet not known to the IPA DNS. The same error was
reproduced, the DNS A record was added to the master IPA server.

I would also like to note that I cannot see the second DNS entry using
the web gui, only using ipa dnsrecord-find. Bug opened in bugzilla for
ipa-replica-prepare:

https://bugzilla.redhat.com/show_bug.cgi?id=712920


Adding the record has already been fixed upstream,
https://bugzilla.redhat.com/show_bug.cgi?id=704012


Excellent, Thanks. I assume this is coming to freeipa in F15 as well at
some point?


I'm hoping to do another 2.0 bug fix release in the next couple of weeks.

rob
