Re: [Freeipa-devel] Possible fix for CA install bug?
On 05/03/2013 12:43 PM, Martin Kosek wrote: On 05/02/2013 07:51 PM, Rob Crittenden wrote: Rob Crittenden wrote: Nathaniel McCallum wrote: When installing beta1, I encountered a bug where the CA install would fail. This may have already been fixed in dogtag or elsewhere, but if not, this patch WorksForMe. I have no idea if it is the right fix. Good catch. This change apparently was added during the last week of 10.0.2 development and I'm not sure how I missed it. I did at least one successful install using those bits. Maybe either my test was bogus or I had left-over kruft. In any case, we can specify the location directly to pkispawn and not have to move the file. BTW, My patch 1098 bumps up the minimum version of dogtag to 10.0.2. rob I tested 1100 and it works great on master server. However when I am on replica, it always fails: # ipa-ca-install replica-info-vm-024.idm.lab.bos.redhat.com.gpg Directory Manager (existing master) password: ... Connection check OK Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/16]: creating certificate server user [2/16]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpRR0ic3' returned non-zero exit status 1 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Configuration of CA failed CA installation log including pkispawn error attached. Martin The bug Martin found was unrelated, and will be fixed with https://fedorahosted.org/freeipa/ticket/3601. ACK for rcrit-1100. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Possible fix for CA install bug?
On 05/06/2013 01:05 PM, Petr Viktorin wrote: On 05/03/2013 12:43 PM, Martin Kosek wrote: On 05/02/2013 07:51 PM, Rob Crittenden wrote: Rob Crittenden wrote: Nathaniel McCallum wrote: When installing beta1, I encountered a bug where the CA install would fail. This may have already been fixed in dogtag or elsewhere, but if not, this patch WorksForMe. I have no idea if it is the right fix. Good catch. This change apparently was added during the last week of 10.0.2 development and I'm not sure how I missed it. I did at least one successful install using those bits. Maybe either my test was bogus or I had left-over kruft. In any case, we can specify the location directly to pkispawn and not have to move the file. BTW, My patch 1098 bumps up the minimum version of dogtag to 10.0.2. rob I tested 1100 and it works great on master server. However when I am on replica, it always fails: # ipa-ca-install replica-info-vm-024.idm.lab.bos.redhat.com.gpg Directory Manager (existing master) password: ... Connection check OK Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/16]: creating certificate server user [2/16]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpRR0ic3' returned non-zero exit status 1 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Configuration of CA failed CA installation log including pkispawn error attached. Martin The bug Martin found was unrelated, and will be fixed with https://fedorahosted.org/freeipa/ticket/3601. Right. ACK for rcrit-1100. Pushed to master, ipa-3-1. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Possible fix for CA install bug?
On 05/02/2013 07:51 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Nathaniel McCallum wrote:
When installing beta1, I encountered a bug where the CA install would
fail. This may have already been fixed in dogtag or elsewhere, but if
not, this patch WorksForMe. I have no idea if it is the right fix.
Good catch. This change apparently was added during the last week of
10.0.2 development and I'm not sure how I missed it. I did at least one
successful install using those bits. Maybe either my test was bogus or I
had left-over kruft.
In any case, we can specify the location directly to pkispawn and not
have to move the file.
BTW, My patch 1098 bumps up the minimum version of dogtag to 10.0.2.
rob
I tested 1100 and it works great on master server. However when I am on
replica, it always fails:
# ipa-ca-install replica-info-vm-024.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:
...
Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
seconds
[1/16]: creating certificate server user
[2/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpRR0ic3' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
CA installation log including pkispawn error attached.
Martin
2013-05-03T10:16:56Z DEBUG /sbin/ipa-ca-install was invoked with argument replica-info-vm-024.idm.lab.bos.redhat.com.gpg and options: {'debug': False, 'skip_conncheck': False, 'unattended': False, 'skip_schema_check': False, 'no_host_dns': False}
2013-05-03T10:16:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:16:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-05-03T10:16:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2013-05-03T10:16:56Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
2013-05-03T10:16:56Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
2013-05-03T10:16:56Z DEBUG importing plugin module
[Freeipa-devel] Possible fix for CA install bug?
When installing beta1, I encountered a bug where the CA install would fail. This may have already been fixed in dogtag or elsewhere, but if not, this patch WorksForMe. I have no idea if it is the right fix. Nathaniel From 087a7c7b45c691a31c9ccbcdbf9b77967551015c Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Tue, 30 Apr 2013 16:48:15 -0400 Subject: [PATCH 7/7] Fix incorrect path breaking CA install --- ipaserver/install/cainstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2bb6cb4..76236cb 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -742,7 +742,7 @@ class CAInstance(service.Service): sys.exit(0) else: if not self.clone: -shutil.move(/root/.pki/pki-tomcat/ca_admin_cert.p12, \ +shutil.move(/root/.dogtag/pki-tomcat/ca_admin_cert.p12, \ /root/ca-agent.p12) shutil.move(/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12, \ /root/cacert.p12) -- 1.8.2.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
