Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server [SOLVED]

2016-09-20 Thread Giorgos Kafataridis

On 09/19/2016 03:51 PM, Giorgos Kafataridis wrote:



On 09/16/2016 06:39 PM, Petr Vobornik wrote:

On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote:


On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:

On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:

On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-19 Thread Giorgos Kafataridis



On 09/16/2016 06:39 PM, Petr Vobornik wrote:

On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote:


On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:

On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:

On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-16 Thread Petr Vobornik
On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote:
> 
> 
> On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:
>> On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
>>> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:
 I've tried that but still the same result.

 [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
 localhost -b "uid=admin,ou=people,o=ipaca"
 Enter LDAP Password:
 # extended LDIF
 #
 # LDAPv3
 # base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-14 Thread Giorgos Kafataridis



On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:

On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:

On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-14 Thread Natxo Asenjo
hi,

On Tue, Sep 13, 2016 at 9:36 PM, Endi Sukma Dewata 
wrote:

> On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
>
>> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:
>>
>>> I've tried that but still the same result.
>>>
>>> [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
>>> localhost -b "uid=admin,ou=people,o=ipaca"
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-13 Thread Endi Sukma Dewata

On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:

On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-12 Thread Endi Sukma Dewata

On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-12 Thread Georgios Kafataridis
So, does anyone understand something more than me from the logs ? Can I 
search for something that can help me solve it ?



On 9/9/2016 11:26 PM, Georgios Kafataridis wrote:

These are fresh logs from a last attempt to create a replica

Centos 7

/var/log/pki/pki-tomcat/ca/debug


[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Token Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Security Domain 
Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Joining existing 
security domain
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Resolving security 
domain URL https://ipa-server.nelios:443
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting security domain 
cert chain

[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Getting old cookie
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Token: null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Install token is null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Failed to obtain 
installation token from security domain



Centos 6

/var/log/pki-ca/debug

[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie before auth, url 
= https://ipa2-server2.nelios:443/ca/admin/console/config/wizard?p=5=CA

[09/Sep/2016:22:59:42][TP-Processor3]: IP: 192.168.4.175
[09/Sep/2016:22:59:42][TP-Processor3]: AuthMgrName: passwdUserDBAuthMgr
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: no client 
certificate found

[09/Sep/2016:22:59:42][TP-Processor3]: Authentication: UID=admin
[09/Sep/2016:22:59:42][TP-Processor3]: In LdapBoundConnFactory::getConn()
[09/Sep/2016:22:59:42][TP-Processor3]: masterConn is connected: true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: conn is connected true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory::getConn
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory.getConn(): 
num avail conns now 2

[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 3
[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: SignedAuditEventFactory: 
create() 
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$] 
authentication failure


[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie authentication failed
[09/Sep/2016:22:59:42][TP-Processor3]: 
mErrorFormPath=/admin/ca/securitydomainlogin.template
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: curDate=Fri Sep 09 
22:59:42 EEST 2016 id=caGetCookie time=39


/var/log/httpd/access_log

192.168.4.175 - - [09/Sep/2016:22:59:21 +0300] "GET 
/ca/rest/securityDomain/domainInfo HTTP/1.1" 404 315
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET 
/ca/admin/ca/getDomainXML HTTP/1.1" 200 1148
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET 
/ca/rest/account/login HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:41 +0300] "POST 
/ca/admin/ca/getCertChain HTTP/1.0" 200 1398
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "GET 
/ca/rest/account/login HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "POST 
/ca/admin/ca/getCookie HTTP/1.1" 200 5170


/var/log/httpd/error_log

[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does 
not exist: /var/www/html/ca
[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does 
not exist: /var/www/html/ca
[Fri Sep 09 22:59:42 2016] [error] [client 192.168.4.175] File does 
not exist: /var/www/html/ca



/var/log/pki-ca/system

5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to 
authenticate as admin UID=admin. Error: netscape.ldap.LDAPException: 
error result (49)
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [3] [3] Servlet 
caGetCookie: Error getting servlet output stream when rendering 
 template. Error Invalid Credential..


/var/log/pki-ca/catalina.out

Sep 08, 2016 4:17:34 PM org.apache.catalina.startup.HostConfig 
deployDirectory

INFO: Deploying web application directory ROOT
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Sep 08, 2016 4:17:35 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447 
Sep 08, 2016 4:17:35 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/123  config=null
Sep 08, 2016 4:17:35 PM org.apache.catalina.startup.Catalina start
INFO: Server 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Georgios Kafataridis
 These are fresh logs from a last attempt to create a replica

Centos 7

/var/log/pki/pki-tomcat/ca/debug


[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Token Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Security Domain Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Joining existing security
domain
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Resolving security domain
URL https://ipa-server.nelios:443
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting security domain cert
chain
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Getting old cookie
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Token: null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Install token is null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Failed to obtain installation
token from security domain


Centos 6

/var/log/pki-ca/debug

[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie before auth, url =
https://ipa2-server2.nelios:443/ca/admin/console/config/wizard?p=5=CA
[09/Sep/2016:22:59:42][TP-Processor3]: IP: 192.168.4.175
[09/Sep/2016:22:59:42][TP-Processor3]: AuthMgrName: passwdUserDBAuthMgr
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: no client certificate
found
[09/Sep/2016:22:59:42][TP-Processor3]: Authentication: UID=admin
[09/Sep/2016:22:59:42][TP-Processor3]: In LdapBoundConnFactory::getConn()
[09/Sep/2016:22:59:42][TP-Processor3]: masterConn is connected: true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: conn is connected true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory::getConn
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory.getConn(): num
avail conns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 3
[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$]
authentication failure

[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie authentication failed
[09/Sep/2016:22:59:42][TP-Processor3]:
mErrorFormPath=/admin/ca/securitydomainlogin.template
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: curDate=Fri Sep 09
22:59:42 EEST 2016 id=caGetCookie time=39

/var/log/httpd/access_log

192.168.4.175 - - [09/Sep/2016:22:59:21 +0300] "GET
/ca/rest/securityDomain/domainInfo HTTP/1.1" 404 315
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET
/ca/admin/ca/getDomainXML HTTP/1.1" 200 1148
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/rest/account/login
HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:41 +0300] "POST
/ca/admin/ca/getCertChain HTTP/1.0" 200 1398
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "GET /ca/rest/account/login
HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "POST /ca/admin/ca/getCookie
HTTP/1.1" 200 5170

/var/log/httpd/error_log

[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does not
exist: /var/www/html/ca
[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does not
exist: /var/www/html/ca
[Fri Sep 09 22:59:42 2016] [error] [client 192.168.4.175] File does not
exist: /var/www/html/ca


/var/log/pki-ca/system

5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to
authenticate as admin UID=admin. Error: netscape.ldap.LDAPException: error
result (49)
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [3] [3] Servlet
caGetCookie: Error getting servlet output stream when rendering  template.
Error Invalid Credential..

/var/log/pki-ca/catalina.out

Sep 08, 2016 4:17:34 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory ROOT
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Sep 08, 2016 4:17:35 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Sep 08, 2016 4:17:35 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/123  config=null
Sep 08, 2016 4:17:35 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 8550 ms

Catalina seems to not have logged anything from yesterday.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on 
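
The CentOS 6 logs above only tell the story when read together: the replica's pkispawn asks the master for the REST endpoints and gets 404 on every /ca/rest path, falls back to the legacy /ca/admin/ca/getCookie servlet, and that servlet answers HTTP 200 while logging AUTH_FAIL because the master CA's own LDAP bind as UID=admin failed with result 49. The script below is an added example, not code from the thread or from FreeIPA/Dogtag: it correlates the three log files into one finding. The sample lines are constructed from the logs quoted above, the name for LDAP result code 49 (invalidCredentials) comes from RFC 4511, and the wording of the conclusions is this editor's diagnostic reading, not an official Dogtag check.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines constructed from the CentOS 6 master's logs quoted in the thread
# (/var/log/httpd/access_log, /var/log/pki-ca/debug, /var/log/pki-ca/system).
ACCESS_LOG = """\
192.168.4.175 - - [09/Sep/2016:22:59:21 +0300] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 315
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1148
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/rest/account/login HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:41 +0300] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1398
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "GET /ca/rest/account/login HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 5170
"""

DEBUG_LOG = """\
[09/Sep/2016:22:59:42][TP-Processor3]: AuthMgrName: passwdUserDBAuthMgr
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: no client certificate found
[09/Sep/2016:22:59:42][TP-Processor3]: Authentication: UID=admin
[09/Sep/2016:22:59:42][TP-Processor3]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie authentication failed
"""

SYSTEM_LOG = """\
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to authenticate as admin UID=admin. Error: netscape.ldap.LDAPException: error result (49)
"""

# LDAP resultCode names from RFC 4511, section 4.1.9 (only the ones that
# commonly surface in Dogtag authentication failures).
LDAP_RESULT_CODES = {
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UID_RE = re.compile(r"Authentication: UID=(?P<uid>\S+)")
AUDIT_RE = re.compile(r"\[AuditEvent=(?P<event>[A-Z_]+)\]")
LDAP_ERR_RE = re.compile(r"error result \((?P<code>\d+)\)")


@dataclass
class Finding:
    rest_404: List[str] = field(default_factory=list)      # REST paths the master rejected
    legacy_paths: List[str] = field(default_factory=list)  # pre-REST admin servlets used instead
    getcookie_status: Optional[int] = None
    auth_manager: Optional[str] = None
    attempted_uid: Optional[str] = None
    audit_events: List[str] = field(default_factory=list)
    ldap_result_code: Optional[int] = None

    @property
    def ldap_result_name(self) -> str:
        return LDAP_RESULT_CODES.get(self.ldap_result_code, "unknown")


def triage(access_log: str, debug_log: str, system_log: str, client_ip: str) -> Finding:
    """Correlate one replica's security-domain join attempt across the three logs."""
    f = Finding()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["ip"] != client_ip:
            continue  # only the joining replica's requests matter
        status, path = int(m["status"]), m["path"]
        if path.startswith("/ca/rest/") and status == 404:
            f.rest_404.append(path)
        elif path.startswith("/ca/admin/ca/"):
            f.legacy_paths.append(path)
        if path == "/ca/admin/ca/getCookie":
            f.getcookie_status = status
    for line in debug_log.splitlines():
        if "AuthMgrName:" in line:
            f.auth_manager = line.rsplit("AuthMgrName:", 1)[1].strip()
        m = UID_RE.search(line)
        if m:
            f.attempted_uid = m["uid"]
        m = AUDIT_RE.search(line)
        if m:
            f.audit_events.append(m["event"])
    for line in system_log.splitlines():
        m = LDAP_ERR_RE.search(line)
        if m:
            f.ldap_result_code = int(m["code"])
    return f


def conclusions(f: Finding) -> List[str]:
    """Turn the correlated fields into the reading a human would write in the ticket."""
    out = []
    if f.rest_404 and f.legacy_paths:
        out.append("master CA answers 404 on %s; installer fell back to legacy servlets %s"
                   % (sorted(set(f.rest_404)), sorted(set(f.legacy_paths))))
    if f.getcookie_status == 200 and "AUTH_FAIL" in f.audit_events:
        out.append("getCookie returned HTTP 200 yet logged AUTH_FAIL via %s: "
                   "the HTTP status does not reflect the login result" % f.auth_manager)
    if f.ldap_result_code is not None:
        out.append("master CA could not bind as UID=%s to its internal LDAP: result %d (%s)"
                   % (f.attempted_uid, f.ldap_result_code, f.ldap_result_name))
    return out


if __name__ == "__main__":
    for line in conclusions(triage(ACCESS_LOG, DEBUG_LOG, SYSTEM_LOG, "192.168.4.175")):
        print("-", line)
```

The point of filtering on the client IP is that a master's access_log mixes requests from every replica and client; the join attempt is the one burst from the replica's address. The HTTP 200 on getCookie is the trap: a monitoring rule keyed on status codes alone would call this request successful, so the audit event and the system log line are what to alert on.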

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Georgios Kafataridis
I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Endi Sukma Dewata

On 9/9/2016 8:09 AM, Petr Vobornik wrote:

On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:



Yes, I have followed
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

to the letter.
The only reason I had to recreate the cacert.p12 file is because it is not
renewed automatically in v3, so the cacert.p12 was outdated and the CA was
throwing a "p12 invalid digest" error.

   * I opened all necessary ports
   * I checked all certs and they are valid for another year


Run connection check to master
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2-server2.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK

Even with a fresh install of CentOS 7 with a different hostname and IP I
still get the error below:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.

With debug enabled I get:

ipa : DEBUG Starting external process
ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ... unable to validate security domain user/password
through REST interface. Interface not available
pkispawn    : ERROR    ... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error
pkispawn    : ERROR    ... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
to obtain installation token from security domain"}


Is there a way to validate the replica .gpg file from a v3 installation against
a v4.2 FreeIPA installation to check for any errors before going through the
ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca flag, but I
don't want that.


There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
couple lines before and after?




Contents  of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
accept: [application/json]

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Giorgos Kafataridis



On 09/09/2016 04:09 PM, Petr Vobornik wrote:

On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:

Yes, I have followed
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

to the letter.
The only reason I had to recreate the cacert.p12 file is because it is not
renewed automatically in v3, so the cacert.p12 was outdated and the CA was
throwing a "p12 invalid digest" error.

* I opened all necessary ports
* I checked all certs and they are valid for another year


Run connection check to master
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2-server2.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK

Even with a fresh install of CentOS 7 with a different hostname and IP I
still get the error below:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.

With debug enabled I get:

ipa : DEBUG Starting external process
ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ... unable to validate security domain user/password
through REST interface. Interface not available
pkispawn    : ERROR    ... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error
pkispawn    : ERROR    ... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
to obtain installation token from security domain"}


Is there a way to validate the replica .gpg file from a v3 installation against
a v4.2 FreeIPA installation to check for any errors before going through the
ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca flag, but I
don't want that.


There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
couple lines before and after?



Contents  of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
accept: [application/json]

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Giorgos Kafataridis



Yes, I have followed
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
to the letter.
The only reason I had to recreate the cacert.p12 file is because it is not
renewed automatically in v3, so the cacert.p12 was outdated and the CA was
throwing a "p12 invalid digest" error.

   * I opened all necessary ports
   * I checked all certs and they are valid for another year


Run connection check to master
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2-server2.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK

Even with a fresh install of CentOS 7 with a different hostname and IP I
still get the error below:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.

With debug enabled I get:

ipa : DEBUG Starting external process
ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ... unable to validate security domain user/password
through REST interface. Interface not available
pkispawn    : ERROR    ... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error
pkispawn    : ERROR    ... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
to obtain installation token from security domain"}


Is there a way to validate the replica .gpg file from a v3 installation against
a v4.2 FreeIPA installation to check for any errors before going through the
ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca flag, but I
don't want that.


There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
couple lines before and after?




Contents  of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
accept: [application/json]
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
request format: 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Petr Vobornik
On 09/09/2016 12:13 PM, Giorgos Kafataridis wrote:
> Yes, I have followed 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>  
> to the letter.
> The only reason I had to recreate the cacert.p12 file is because it is not 
> renewed automatically in v3, so the cacert.p12 was outdated and the CA was 
> throwing a "p12 invalid digest" error.
> 
>   * I opened all necessary ports
>   * I checked all certs and they are valid for another year
> 
> 
> Run connection check to master
> Check connection from replica to remote master 'ipa-server.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
> 
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
> 
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipa2-server2.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
> 
> Connection from master to replica is OK.
> 
> Connection check OK
> 
> Even with a fresh install of CentOS 7 with a different hostname and IP I 
> still get the error below:
> 
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
> seconds
>[1/24]: creating certificate server user
>[2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' 
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation 
> logs 
> and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>[error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.
> 
> With debug enabled I get:
> 
> ipa : DEBUG    Starting external process
> ipa : DEBUG    args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
> ipa : DEBUG    Process finished, return code=1
> ipa : DEBUG    stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
> Loading deployment configuration from /tmp/tmpwY8XjR.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into 
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> 
> Installation failed.
> 
> 
> ipa : DEBUG 
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
> certificate verification is strongly advised. See: 
> https://urllib3.readthedocs.org/en/latest/security.html
>InsecureRequestWarning)
> pkispawn: WARNING  ... unable to validate security domain 
> user/password 
> through REST interface. Interface not available
> pkispawn: ERROR... Exception from Java Configuration Servlet: 500 
> Server Error: Internal Server Error
> pkispawn: ERROR... ParseError: not well-formed (invalid token): 
> line 
> 1, column 0: 
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
> 
> 
> Is there a way to validate the replica .gpg file from a v3 installation
> against a v4.2 freeipa installation to check for any errors before going
> through the ipa-replica-install?
> The ipa-replica-install completes if I don't include the --setup-ca flag,
> but I don't want that.
> 

There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug plus
a couple of lines before and after?

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Giorgos Kafataridis
Yes, I have followed 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html 
to the letter.
The only reason I had to recreate the cacert.p12 file is because it is 
not renewed automatically in v3, so the cacert.p12 was outdated and the 
CA was throwing a "p12 invalid digest" error.


 * I opened all necessary ports
 * I checked all certs and they are valid for another year


Run connection check to master
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2-server2.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK

Even with a fresh install of CentOS 7 with a different hostname and IP, I
still get the error below:


Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
30 seconds

  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpbMwmp_'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki/pki-tomcat

  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.


With debug enabled I get:

ipa : DEBUG    Starting external process
ipa : DEBUG    args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'

ipa : DEBUG    Process finished, return code=1
ipa : DEBUG    stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log

Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.


Installation failed.


ipa : DEBUG 
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
certificate verification is strongly advised. See: 
https://urllib3.readthedocs.org/en/latest/security.html

  InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain 
user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration 
Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid 
token): line 1, column 0: 
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}



Is there a way to validate the replica .gpg file from a v3 installation 
against a v4.2 freeipa installation to check for any errors before going 
through the ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca flag, 
but I don't want that.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
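The "ParseError: not well-formed (invalid token)" in the debug output above (quoted twice in this thread) is pkispawn choking on a JSON PKIException where it expected XML; the real CA message is still sitting on that log line. The helper below is an added triage example, not code from the thread or from FreeIPA/Dogtag, and it runs over constructed log lines modelled on the quoted output.

```python
# Triage helper for the pkispawn failure quoted in this thread (added example).
# pkispawn reports "ParseError: not well-formed (invalid token)" because it
# expected XML from the security domain but received a JSON PKIException;
# the JSON is still on the log line, and decoding it exposes the real error.
import json
import re

# Constructed sample modelled on the quoted debug output (wrapped lines
# re-joined); not a real capture.
SAMPLE_LOG = """\
ipa : DEBUG    Process finished, return code=1
pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR    ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR    ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
"""

REST_WARNING = "unable to validate security domain user/password through REST interface"
_JSON_TAIL = re.compile(r"(\{.*\})\s*$")  # JSON object at the end of a log line

def extract_pki_exceptions(log_text):
    """Decode every PKIException JSON body found on a pkispawn ERROR line."""
    found = []
    for line in log_text.splitlines():
        if "pkispawn:" not in line or "ERROR" not in line:
            continue
        match = _JSON_TAIL.search(line)
        if not match:
            continue
        try:
            body = json.loads(match.group(1))
        except ValueError:  # braces that are not JSON, e.g. a Python repr
            continue
        if isinstance(body, dict) and "ClassName" in body:
            found.append(body)
    return found

def summarize(log_text):
    """One line per exception: '<Code> <ClassName>: <Message>'."""
    return ["%s %s: %s" % (e.get("Code"), e.get("ClassName"), e.get("Message"))
            for e in extract_pki_exceptions(log_text)]

def triage(log_text):
    """Pair the REST-interface warning with the decoded CA exceptions."""
    return {"security_domain_rest_reachable": REST_WARNING not in log_text,
            "pki_exceptions": summarize(log_text)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%s: %s" % (key, value))
```

Run against a real /var/log/pki/pki-ca-spawn.*.log or the ipa debug output; a decoded message paired with an unreachable security domain REST interface points at the master's CA rather than at the replica file.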

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-08 Thread Natxo Asenjo
Hi Giorgios,

On Thu, Sep 8, 2016 at 4:37 PM, Giorgos Kafa 
wrote:

> Hello, I am  trying to migrate and upgrade my main freeipa installation,
> so I decided to replicate it and phase it out of our intranet.
> I manage to get over some obstacles as I had to recreate my cacert.p12
> file, but now I am facing an issue that prevents me from setting up CA on
> the replicated server.
>

First off, did you follow the instructions in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html ?

I have tested migrations several times with PKI and they all went fine.

-- 
regards,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project