Re: [Freeipa-users] CA Replication Installation Failing
Actually, it looks like it fails even earlier than getting the domain info - that is, when the replica contacts the master and tries to get its cert chain. I think that you have modified the logs slightly? There are a couple of things that don't make sense. See annotated log below --

On Wed, 2015-02-04 at 09:19 -0500, Ade Lee wrote:

From the snippet of log below, it looks like the replica CA is trying to contact the master CA to obtain the security domain information and is failing to get a valid response. The message about spaces and parsing is basically the replica saying that it cannot understand the response -- or lack of one from the master CA.

As this is an old version of IPA and Dogtag, it is trying to contact the master CA on port 9443.

Things to look into:

1) Is the CA on the master up? Is port 9443 open on the master (firewalls on master or replica)? You could test this by using a browser/curl on the replica to go to https://master_host:9443/ca/admin/ca/getDomainXML

2) Is selinux preventing the access? You might want to set it in permissive mode on either master or replica.

3) Do you see activity in the master's debug log?

This looks to me like a different error from what was described before. It's failing much earlier now.

Ade

On Fri, 2015-01-30 at 05:48 +, Les Stott wrote:

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 10 December 2014 6:22 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: Ade Lee [mailto:a...@redhat.com]
Sent: Wednesday, 10 December 2014 5:05 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error. I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb. I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013. I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,
Les

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround, it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb. I'll report back what I find after regenerating the replica file and re-trying to setup CA replication.

After a bit of a hiatus I have revisited this issue and I still have it. Just
Re: [Freeipa-users] CA Replication Installation Failing
From the snippet of log below, it looks like the replica CA is trying to contact the master CA to obtain the security domain information and is failing to get a valid response. The message about spaces and parsing is basically the replica saying that it cannot understand the response -- or lack of one from the master CA.

As this is an old version of IPA and Dogtag, it is trying to contact the master CA on port 9443.

Things to look into:

1) Is the CA on the master up? Is port 9443 open on the master (firewalls on master or replica)? You could test this by using a browser/curl on the replica to go to https://master_host:9443/ca/admin/ca/getDomainXML

2) Is selinux preventing the access? You might want to set it in permissive mode on either master or replica.

3) Do you see activity in the master's debug log?

This looks to me like a different error from what was described before. It's failing much earlier now.

Ade

On Fri, 2015-01-30 at 05:48 +, Les Stott wrote:

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 10 December 2014 6:22 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: Ade Lee [mailto:a...@redhat.com]
Sent: Wednesday, 10 December 2014 5:05 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error. I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb. I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013. I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,
Les

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround, it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb. I'll report back what I find after regenerating the replica file and re-trying to setup CA replication.

After a bit of a hiatus I have revisited this issue and I still have it. Just to re-iterate the problem...

Trying to setup a ca replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xx -w xx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing

CRITICAL failed to configure ca instance
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring
Re: [Freeipa-users] CA Replication Installation Failing
Les Stott wrote:
Has anyone got any ideas on this? I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project. Help please...

Regards,

What is the version of IPA on the master you are connecting to?

Can you confirm on the existing master that /etc/httpd/conf.d/ipa-pki-proxy.conf has /ca/ee/ca/profileSubmit in it:

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

rob

Les

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Friday, 30 January 2015 4:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 10 December 2014 6:22 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: Ade Lee [mailto:a...@redhat.com]
Sent: Wednesday, 10 December 2014 5:05 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error. I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb. I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013. I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,
Les

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround, it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb. I'll report back what I find after regenerating the replica file and re-trying to setup CA replication.

After a bit of a hiatus I have revisited this issue and I still have it. Just to re-iterate the problem...

Trying to setup a ca replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xx -w xx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing

CRITICAL failed to configure ca instance
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

It doesn't matter if I run it interactively or unattended. I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.

The /var/log/ipareplica-ca-install.log shows the following error about White Spaces
Re: [Freeipa-users] CA Replication Installation Failing - SOLVED!
Guys,

Thanks for your help. You pointed me in the right direction (checking the apache logs).

In the end, it was missing modules in httpd.conf on the Master. I saw this error in /var/log/httpd/error_log

[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getStatus. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getCertChain. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

These modules were not being loaded...

LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

Now it works. (Well, I have a different issue now with setting up a second replica CA, but that's another story and better in a new thread.)

Thanks,
Les

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, 5 February 2015 2:24 AM
To: Les Stott; freeipa-users@redhat.com
Cc: Ade Lee
Subject: Re: [Freeipa-users] CA Replication Installation Failing

Les Stott wrote:
Has anyone got any ideas on this? I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project. Help please...

Regards,

What is the version of IPA on the master you are connecting to?

Can you confirm on the existing master that /etc/httpd/conf.d/ipa-pki-proxy.conf has /ca/ee/ca/profileSubmit in it:

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

rob

Les

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Friday, 30 January 2015 4:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 10 December 2014 6:22 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: Ade Lee [mailto:a...@redhat.com]
Sent: Wednesday, 10 December 2014 5:05 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error. I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb. I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013. I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,
Les

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would
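As an added example (not code from the thread, nor from FreeIPA or Dogtag), here is a POSIX shell script that turns the master-side checks raised in this thread into something repeatable: it reports proxy submodules with no active LoadModule line in httpd.conf (the cause Les found), confirms the EE-port LocationMatch in ipa-pki-proxy.conf still lists /ca/ee/ca/profileSubmit (Rob's check), extracts the URLs behind any "No protocol handler was valid" warnings in the httpd error log, and wraps the getDomainXML curl probe Ade suggested. The file paths, function names, the inclusion of proxy_module itself, and the sample files written by write_samples are my assumptions; the sample content is constructed from the lines quoted in the thread, not taken from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag. Offline
# checks for the three findings above plus the live probe Ade suggested.
# Paths, function names and sample inputs are assumptions.

# Submodules Les found missing; proxy_module (mod_proxy itself) is added here
# as an assumption, since the submodules are useless without it.
REQUIRED_PROXY_MODULES="proxy_module proxy_ftp_module proxy_http_module proxy_ajp_module proxy_connect_module"

# Print every required module with no active LoadModule line in the given
# httpd.conf. A commented-out LoadModule does not count as loaded.
missing_proxy_modules() {
    conf="$1"
    for mod in $REQUIRED_PROXY_MODULES; do
        grep -Eq "^[[:space:]]*LoadModule[[:space:]]+${mod}[[:space:]]" "$conf" || echo "$mod"
    done
}

# Exit 0 if the LocationMatch for the EE port in ipa-pki-proxy.conf lists
# ^/ca/ee/ca/profileSubmit (Rob's check), 1 otherwise.
proxy_conf_has_profile_submit() {
    grep -Eq '^[[:space:]]*<LocationMatch[[:space:]].*\^/ca/ee/ca/profileSubmit' "$1"
}

# Print, once each, the URLs for which httpd logged "No protocol handler was
# valid", the symptom that pointed at the missing submodules.
unhandled_proxy_urls() {
    sed -n 's/.*No protocol handler was valid for the URL \([^ .]*\).*/\1/p' "$1" | sort -u
}

# Live probe from the replica to the master's security-domain endpoint; prints
# the HTTP status code. Port 9443 is the one the thread names for this
# IPA/Dogtag version; /etc/ipa/ca.crt is the replica-side CA cert path.
probe_security_domain() {
    master="$1"
    port="${2:-9443}"
    curl -sS --cacert /etc/ipa/ca.crt -o /dev/null -w '%{http_code}\n' \
        "https://${master}:${port}/ca/admin/ca/getDomainXML"
}

# Run the three offline checks and return 1 if any of them found a problem.
main() {
    httpd_conf="${1:-/etc/httpd/conf/httpd.conf}"
    proxy_conf="${2:-/etc/httpd/conf.d/ipa-pki-proxy.conf}"
    error_log="${3:-/var/log/httpd/error_log}"
    rc=0
    missing=$(missing_proxy_modules "$httpd_conf")
    if [ -n "$missing" ]; then
        echo "no active LoadModule in $httpd_conf for:"; echo "$missing"; rc=1
    fi
    if ! proxy_conf_has_profile_submit "$proxy_conf"; then
        echo "$proxy_conf: EE LocationMatch lacks ^/ca/ee/ca/profileSubmit"; rc=1
    fi
    urls=$(unhandled_proxy_urls "$error_log")
    if [ -n "$urls" ]; then
        echo "mod_proxy had no handler in $error_log for:"; echo "$urls"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (assumptions modelled on the thread's quoted lines)
# so the script can be exercised without a real master.
write_samples() {
    dir="$1"
    cat > "$dir/httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
EOF
    cat > "$dir/ipa-pki-proxy.conf" <<'EOF'
# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/profileSubmit">
EOF
    cat > "$dir/ipa-pki-proxy.conf.old" <<'EOF'
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain">
EOF
    cat > "$dir/error_log" <<'EOF'
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getStatus. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:00 2015] [notice] Digest: done
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getCertChain. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
EOF
}

# With paths given, check the real files; with none, run against the samples.
if [ "$#" -ge 1 ]; then
    main "$@"
else
    samples=$(mktemp -d)
    write_samples "$samples"
    main "$samples/httpd.conf" "$samples/ipa-pki-proxy.conf" "$samples/error_log" || true
    rm -rf "$samples"
fi
```

Run it as `sh check_ca_proxy.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ipa-pki-proxy.conf /var/log/httpd/error_log` on the master; a non-zero exit means at least one of the three conditions from the thread is present. The probe_security_domain function is separate because it needs network access to the master from the replica, and its status code (anything other than 200) is the quickest confirmation of Ade's first point.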
Re: [Freeipa-users] CA Replication Installation Failing
Has anyone got any ideas on this? I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project. Help please...

Regards,
Les

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Friday, 30 January 2015 4:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 10 December 2014 6:22 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: Ade Lee [mailto:a...@redhat.com]
Sent: Wednesday, 10 December 2014 5:05 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error. I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb. I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013. I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,
Les

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround, it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb. I'll report back what I find after regenerating the replica file and re-trying to setup CA replication.

After a bit of a hiatus I have revisited this issue and I still have it. Just to re-iterate the problem...

Trying to setup a ca replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xx -w xx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing

CRITICAL failed to configure ca instance
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

It doesn't matter if I run it interactively or unattended. I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.

The /var/log/ipareplica-ca-install.log shows the following error about White Spaces:

# Attempting to connect to: mymaster.mydomain.com:9445
Connected.
Posting Query = https://mymaster.mydomain.com:9445//ca/admin/console
Re: [Freeipa-users] CA Replication Installation Failing
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 10 December 2014 6:22 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: Ade Lee [mailto:a...@redhat.com]
Sent: Wednesday, 10 December 2014 5:05 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error. I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb. I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013. I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,
Les

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround, it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb. I'll report back what I find after regenerating the replica file and re-trying to setup CA replication.

After a bit of a hiatus I have revisited this issue and I still have it. Just to re-iterate the problem...

Trying to setup a ca replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xx -w xx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing

CRITICAL failed to configure ca instance
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

It doesn't matter if I run it interactively or unattended. I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.

The /var/log/ipareplica-ca-install.log shows the following error about White Spaces:

# Attempting to connect to: mymaster.mydomain.com:9445
Connected.
Posting Query = https://mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Fri, 30 Jan 2015 05:05:04 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<response>
<panel>admin/console/config/securitydomainpanel.vm</panel>
<https_agent_port>443</https_agent_port>
<machineName>mymaster.mydomain.com</machineName>
<res/>
<cstype>CA</cstype>
initCommand
Re: [Freeipa-users] CA Replication Installation Failing
On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround, it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb. I'll report back what I find after regenerating the replica file and re-trying to setup CA replication.

Thanks,
Les

Thanks in advance,
Les

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Tuesday, 2 December 2014 6:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] CA Replication Installation Failing

Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki components are also standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially setup as a replica, but not a CA replica. I am now trying to add CA Replication to serverb but it is failing midway through and I cannot figure out why. Annoyingly, I used the same method/command to setup a CA replica on test servers and it completed without issue.

Here is what I get... (for the sake of brevity, I am excluding the lines for connection check which were all OK)

=====
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN
Re: [Freeipa-users] CA Replication Installation Failing
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica? Thanks in advance, Les From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott Sent: Tuesday, 2 December 2014 6:17 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] CA Replication Installation Failing Hi All, I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki components are also standard version 9.0.3-38. Servera is the master Serverb is the replica Both have been running for many, many months. Serverb was initially setup as a replica, but not a CA replica. I am now trying to add CA Replication to serverb but it is failing midway through and I cannot figure out why. Annoyingly, I used the same method/command to setup a CA replica on test servers and it completed without issue. Here is what I get(for the sake of brevity, I am excluding the lines for connection check which were all OK) = /usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg Directory Manager (existing master) password: Get credentials to log in to remote master ad...@mydomain.commailto:ad...@mydomain.com password: Execute check on remote master Connection check OK Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). 
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance
Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
=

Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the point of failure

=
# Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file
Re: [Freeipa-users] CA Replication Installation Failing
On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?
Did you generate a new replica package or use the original one?
Maybe the problem is that the cert that is in that package already expired?
Just a thought...

The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround; it would not solve this specific problem, it will kill it.

Thanks in advance,
Les

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Tuesday, 2 December 2014 6:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] CA Replication Installation Failing

Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki components are also standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially set up as a replica, but not a CA replica. I am now trying to add CA Replication to serverb but it is failing midway through and I cannot figure out why. Annoyingly, I used the same method/command to set up a CA replica on test servers and it completed without issue.
Here is what I get (for the sake of brevity, I am excluding the lines for connection check which were all OK)

=
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance
Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
=

Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the point of failure

=
# Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
Re: [Freeipa-users] CA Replication Installation Failing
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.

Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

Maybe the problem is that the cert that is in that package already expired?

Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought...

The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround; it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb.

I'll report back what I find after regenerating the replica file and re-trying to set up CA replication.
Thanks,
Les

Thanks in advance,
Les

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Tuesday, 2 December 2014 6:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] CA Replication Installation Failing

Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki components are also standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially set up as a replica, but not a CA replica. I am now trying to add CA Replication to serverb but it is failing midway through and I cannot figure out why. Annoyingly, I used the same method/command to set up a CA replica on test servers and it completed without issue.

Here is what I get (for the sake of brevity, I am excluding the lines for connection check which were all OK)

=
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance
Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
[Freeipa-users] CA Replication Installation Failing
Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki components are also standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially set up as a replica, but not a CA replica. I am now trying to add CA Replication to serverb but it is failing midway through and I cannot figure out why. Annoyingly, I used the same method/command to set up a CA replica on test servers and it completed without issue.

Here is what I get (for the sake of brevity, I am excluding the lines for connection check which were all OK)

=
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance
Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
=

Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the point of failure

=
# Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
<title>Import Keys and Certificates</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
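The wizard reply quoted above is the only place the real reason for the failure is stated (updateStatus plus errorString), and pkisilent's own message in the 2011 thread further down ("updateStatus value is null") is what you get when that element is missing altogether. The following is an added example, not code from FreeIPA, Dogtag or the poster: a small parser for that reply format that turns the XML into a one-line diagnosis and distinguishes a failed step from a reply that is not a wizard response at all. The element names come from the excerpt in the thread; the markup of the constructed sample is assumed, because the archive stripped the tags.

```python
"""Parse a Dogtag 9 configuration-wizard XML reply and explain a failed step.

Added example, not code from FreeIPA, Dogtag or the poster. The element
names (response, panel, updateStatus, errorString, title, panels/Panel/Id/
Name) are taken from the reply quoted in the thread; the markup of the
constructed sample below is assumed, since the archive stripped the tags.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the clone wizard's reply at the "Import Keys and
# Certificates" step, mirroring the excerpt quoted in the thread.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK ... END COPYRIGHT BLOCK -->
<response>
  <panel>admin/console/config/restorekeycertpanel.vm</panel>
  <res/>
  <updateStatus>failure</updateStatus>
  <password/>
  <errorString>The pkcs12 file is not correct.</errorString>
  <size>19</size>
  <title>Import Keys and Certificates</title>
  <panels>
    <Vector>
      <Panel><Id>welcome</Id><Name>Welcome</Name></Panel>
      <Panel><Id>module</Id><Name>Key Store</Name></Panel>
      <Panel><Id>securitydomain</Id><Name>Security Domain</Name></Panel>
    </Vector>
  </panels>
</response>
"""


class WizardError(Exception):
    """The reply could not be interpreted as a wizard response at all."""


def parse_wizard_response(body):
    """Return the step's status, panel, title, error text and panel names.

    Raises WizardError when the body is not well-formed XML (a plain-text
    or HTML error page, for instance) or carries no updateStatus element,
    which is the "updateStatus value is null" case pkisilent reports.
    """
    if isinstance(body, str):
        body = body.encode("utf-8")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise WizardError("reply is not well-formed XML: %s" % exc)
    status = root.findtext("updateStatus")
    if status is None:
        raise WizardError("updateStatus value is null")
    return {
        "status": status,
        "panel": root.findtext("panel"),
        "title": root.findtext("title"),
        "error": root.findtext("errorString") or "",
        "panels": [p.findtext("Name") for p in root.iter("Panel")],
    }


def check_step(body):
    """Return (ok, diagnostic); ok is True only when updateStatus is 'success'."""
    info = parse_wizard_response(body)
    if info["status"] == "success":
        return True, ""
    return False, "step %r (%s) failed: %s" % (
        info["title"], info["panel"], info["error"] or "no errorString given")


if __name__ == "__main__":
    ok, why = check_step(SAMPLE_RESPONSE)
    print("ok" if ok else why)
```

Run against the sample it reports the "Import Keys and Certificates" step and the pkcs12 error; fed an HTML error page instead of XML it raises WizardError, which is the situation behind the "updateStatus value is null" and SAX parser messages elsewhere in these threads.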
[Freeipa-users] CA replication
hi All,

I'm trying to replicate the CA server:

$ ipa-replica-install -p XXX --setup-ca -d --mkhomedir replica-info-ipa11.bpo.cxn.gpg

Without --setup-ca it works correctly. The output of the above command:

[...]
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-enabled dirsrv.target
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=disabled
ipa : DEBUG stderr=
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl disable dirsrv.target
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG duration: 0 seconds
ipa : DEBUG Done configuring directory server (dirsrv).
Done configuring directory server (dirsrv).
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
ipa : DEBUG [1/19]: creating certificate server user
  [1/19]: creating certificate server user
ipa : DEBUG ca user pkiuser exists
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [2/19]: configuring certificate server instance
  [2/19]: configuring certificate server instance
ipa : DEBUG Contents of pkispawn configuration file (/tmp/tmpoRxk1S):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password =
pki_client_database_dir = /tmp/tmp-XPC2YR
pki_client_database_password =
pki_client_database_purge = False
pki_client_pkcs12_password =
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password =
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=CXN
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password =
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=CXN
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=CXN
pki_ssl_server_subject_dn = cn=ipa11.bpo.cxn,O=CXN
pki_audit_signing_subject_dn = cn=CA Audit,O=CXN
pki_ca_signing_subject_dn = cn=Certificate Authority,O=CXN
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_security_domain_hostname = ipa12.bpo.cxn
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password =
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password =
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ipa12.bpo.cxn:443
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpoRxk1S

And it waits here forever, not even a timeout.
strace output of pkispawn shows it's trying to get data from the local ldap service:

open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=281, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f46307e2000
read(4, "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4\n::1 localhost localhost.localdomain localhost6 localhost6.localdomain6\n\n10.0.0.73\tipa12.bpo.cxn ipa12\n10.128.0.5\tipa31.bph.cxn ipa31\n10.128.0.6\tipa32.bph.cxn ipa32\n10.0.0.12\tipa11.bpo.cxn ipa11\n", 4096) = 281
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7f46307e2000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.0.0.12")}, 16) = 0
write(4, "0%\2\1\1c \4\0\n\1\0\n\1\0\2\1\0\2\1\0\1\1\0\207\vobjectClass0\0", 39) = 39
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 4294967295

If I run ldapsearch -x -h ipa11, then indeed, I can see the same behaviour.

strace output of ns-slapd:

[pid 2028] accept(6, {sa_family=AF_INET6, sin6_port=htons(59587), inet_pton(AF_INET6, ":::10.0.0.12", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 24
[pid 2028] fcntl(24, F_GETFL) = 0x2 (flags O_RDWR)
[pid 2028] fcntl(24, F_SETFL,
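The strace above shows exactly where pkispawn is stuck: the TCP connect to the replica's own port 389 succeeds, 39 bytes are written, and poll() is then called with a timeout of 4294967295 (that is, -1 as an unsigned int, wait forever). What the 39 bytes are is not spelled out in the post. The following is an added example, not part of the original post or of pkispawn/FreeIPA: a minimal BER decoder for the LDAP SearchRequest (RFC 4511) that takes the write() buffer, transcribed from strace's octal escapes, and decodes it. It shows that the installer sent a root DSE search, the capability probe every LDAP client starts with, and that the local directory server accepted the connection but never answered it.

```python
"""Decode the LDAP request pkispawn wrote just before the blocked poll().

Added example, not part of the original post or of pkispawn/FreeIPA. It reads
the 39-byte buffer from the strace write() call above with a minimal BER
decoder for the LDAP SearchRequest (RFC 4511), to show what the installer
was waiting for on the replica's own port 389.
"""

# The write() payload, transcribed from strace's escapes (\2 -> 0x02,
# \207 octal -> 0x87, \v -> 0x0b); 39 bytes, as strace reported.
STRACE_WRITE = (b"0%\x02\x01\x01c \x04\x00\n\x01\x00\n\x01\x00"
                b"\x02\x01\x00\x02\x01\x00\x01\x01\x00"
                b"\x87\x0bobjectClass0\x00")

SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    return tag, buf[pos:pos + length], pos + length


def read_sequence(buf):
    """Split a constructed value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out


def decode_search_request(buf):
    """Decode LDAPMessage { messageID, searchRequest } into a dict."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (id_tag, id_val), (op_tag, op_val) = read_sequence(msg)[:2]
    if id_tag != 0x02 or op_tag != 0x63:      # INTEGER, [APPLICATION 3]
        raise ValueError("not a SearchRequest")
    base, scope, _deref, size, time, types, filt, attrs = read_sequence(op_val)[:8]
    if filt[0] == 0x87:                       # [7] present filter
        filter_text = "(%s=*)" % filt[1].decode("utf-8")
    else:
        filter_text = "<filter tag 0x%02x>" % filt[0]
    return {
        "message_id": int.from_bytes(id_val, "big"),
        "base_dn": base[1].decode("utf-8"),
        "scope": SCOPES.get(scope[1][0], "unknown"),
        "size_limit": int.from_bytes(size[1], "big"),
        "time_limit": int.from_bytes(time[1], "big"),
        "types_only": types[1] != b"\x00",
        "filter": filter_text,
        "attributes": [v.decode("utf-8") for _, v in read_sequence(attrs[1])],
    }


def is_root_dse_probe(req):
    """A base-scope (objectClass=*) search on the empty DN reads the root DSE,
    the capability discovery every LDAP client starts with."""
    return (req["base_dn"] == "" and req["scope"] == "baseObject"
            and req["filter"] == "(objectClass=*)")


if __name__ == "__main__":
    req = decode_search_request(STRACE_WRITE)
    print(req, "root DSE probe" if is_root_dse_probe(req) else "other search")
```

Because sizeLimit and timeLimit in the request are both 0 and the client's poll() has no timeout, nothing on the client side will ever give up; the poster's ldapsearch -x -h ipa11 reproducing the hang is the right confirmation that the directory server on the replica itself is the component to look at.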
Re: [Freeipa-users] CA replication
Dan Scott wrote:
Hi,

On Fri, Dec 9, 2011 at 09:24, Rob Crittenden <rcrit...@redhat.com> wrote:
Dan Scott wrote:
Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <rcrit...@redhat.com> wrote:
Dan Scott wrote:
Hi,

I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:

ipa-ca-install replica-info-ohm.gpg

It proceeds to configure the directory server for the CA, but fails when 'configuring certificate server':

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: configuring certificate server instance
root: CRITICAL failed to configure ca instance
Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' '-preop_pin' 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'curie.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Some errors from /var/log/ipareplica-ca-install.log

Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA
  File "/usr/sbin/ipa-ca-install", line 156, in <module>
    main()
  File "/usr/sbin/ipa-ca-install", line 141, in main
    (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

Anyone have any ideas?

/var/log/pki-ca/debug probably has more details.

This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failed org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08 12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
Re: [Freeipa-users] CA replication
Dan Scott wrote:
Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <rcrit...@redhat.com> wrote:
Dan Scott wrote:
Hi,

I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:

ipa-ca-install replica-info-ohm.gpg

It proceeds to configure the directory server for the CA, but fails when 'configuring certificate server':

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: configuring certificate server instance
root: CRITICAL failed to configure ca instance
Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' '-preop_pin' 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'curie.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Some errors from /var/log/ipareplica-ca-install.log

Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA
  File "/usr/sbin/ipa-ca-install", line 156, in <module>
    main()
  File "/usr/sbin/ipa-ca-install", line 141, in main
    (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

Anyone have any ideas?

/var/log/pki-ca/debug probably has more details.

This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failed org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08 12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type org.apache.catalina.connector.ResponseFacade
Re: [Freeipa-users] CA replication
Hi,

On Fri, Dec 9, 2011 at 09:24, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dan Scott wrote:
>> Hi,
>>
>> On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Dan Scott wrote:
>>>> Hi,
>>>>
>>>> I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:
>>>>
>>>> ipa-ca-install replica-info-ohm.gpg
>>>>
>>>> It proceeds to configure the directory server for the CA, but fails when 'configuring certificate server':
>>>>
>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>   [1/11]: creating certificate server user
>>>>   [2/11]: creating pki-ca instance
>>>>   [3/11]: configuring certificate server instance
>>>> root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' '-preop_pin' 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'curie.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://curie.example.com:443'' returned non-zero exit status 255
>>>> creation of replica failed: Configuration of CA failed
>>>>
>>>> Some errors from /var/log/ipareplica-ca-install.log
>>>>
>>>> Error in DomainPanel(): updateStatus value is null
>>>> ERROR: ConfigureCA: DomainPanel() failure
>>>> ERROR: unable to create CA
>>>>   File "/usr/sbin/ipa-ca-install", line 156, in <module>
>>>>     main()
>>>>   File "/usr/sbin/ipa-ca-install", line 141, in main
>>>>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
>>>>     subject_base=config.subject_base)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>>>>     self.start_creation("Configuring certificate server", 210)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
>>>>     raise RuntimeError('Configuration of CA failed')
>>>>
>>>> Anyone have any ideas?
>>>
>>> /var/log/pki-ca/debug probably has more details.
>>
>> This file contains the following errors:
>>
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08 12:24:40 EST 2011 id=caGetStatus time=32
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
>> [08/Dec/2011:12:24:40][http-9445-2]: panel no=3
>> [08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
>> [08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
>> [08/Dec/2011:12:24:40][http-9445-2]:
Re: [Freeipa-users] CA replication
Dan Scott wrote:
> Hi,
>
> On Fri, Dec 9, 2011 at 09:24, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Dan Scott wrote:
>>> Hi,
>>>
>>> On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Dan Scott wrote:
>>>>> Hi,
>>>>>
>>>>> I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:
>>>>>
>>>>> ipa-ca-install replica-info-ohm.gpg
>>>>>
>>>>> It proceeds to configure the directory server for the CA, but fails when 'configuring certificate server':
>>>>>
>>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>>   [1/11]: creating certificate server user
>>>>>   [2/11]: creating pki-ca instance
>>>>>   [3/11]: configuring certificate server instance
>>>>> root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' '-preop_pin' 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'curie.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://curie.example.com:443'' returned non-zero exit status 255
>>>>> creation of replica failed: Configuration of CA failed
>>>>>
>>>>> Some errors from /var/log/ipareplica-ca-install.log
>>>>>
>>>>> Error in DomainPanel(): updateStatus value is null
>>>>> ERROR: ConfigureCA: DomainPanel() failure
>>>>> ERROR: unable to create CA
>>>>>   File "/usr/sbin/ipa-ca-install", line 156, in <module>
>>>>>     main()
>>>>>   File "/usr/sbin/ipa-ca-install", line 141, in main
>>>>>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
>>>>>     subject_base=config.subject_base)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>>>>>     self.start_creation("Configuring certificate server", 210)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>>>>>     method()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
>>>>>     raise RuntimeError('Configuration of CA failed')
>>>>>
>>>>> Anyone have any ideas?
>>>>
>>>> /var/log/pki-ca/debug probably has more details.
>>>
>>> This file contains the following errors:
>>>
>>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
>>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
>>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08 12:24:40 EST 2011 id=caGetStatus time=32
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
>>> [08/Dec/2011:12:24:40][http-9445-2]: panel no=3
>>> [08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
>>> [08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[Freeipa-users] CA replication
Hi,

I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:

ipa-ca-install replica-info-ohm.gpg

It proceeds to configure the directory server for the CA, but fails when 'configuring certificate server':

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' '-preop_pin' 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'curie.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Some errors from /var/log/ipareplica-ca-install.log

Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA
  File "/usr/sbin/ipa-ca-install", line 156, in <module>
    main()
  File "/usr/sbin/ipa-ca-install", line 141, in main
    (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

Anyone have any ideas?

Thanks,

Dan

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] CA replication
Dan Scott wrote:
> Hi,
>
> I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:
>
> ipa-ca-install replica-info-ohm.gpg
>
> It proceeds to configure the directory server for the CA, but fails when 'configuring certificate server':
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/11]: creating certificate server user
>   [2/11]: creating pki-ca instance
>   [3/11]: configuring certificate server instance
> root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' '-preop_pin' 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'curie.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://curie.example.com:443'' returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed
>
> Some errors from /var/log/ipareplica-ca-install.log
>
> Error in DomainPanel(): updateStatus value is null
> ERROR: ConfigureCA: DomainPanel() failure
> ERROR: unable to create CA
>   File "/usr/sbin/ipa-ca-install", line 156, in <module>
>     main()
>   File "/usr/sbin/ipa-ca-install", line 141, in main
>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
>     subject_base=config.subject_base)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>     self.start_creation("Configuring certificate server", 210)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> Anyone have any ideas?

/var/log/pki-ca/debug probably has more details.

This might also be ticket https://fedorahosted.org/freeipa/ticket/2148

rob
Re: [Freeipa-users] CA replication
Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dan Scott wrote:
>> Hi,
>>
>> I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:
>>
>> ipa-ca-install replica-info-ohm.gpg
>>
>> It proceeds to configure the directory server for the CA, but fails when 'configuring certificate server':
>>
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>   [1/11]: creating certificate server user
>>   [2/11]: creating pki-ca instance
>>   [3/11]: configuring certificate server instance
>> root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' '-preop_pin' 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'curie.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://curie.example.com:443'' returned non-zero exit status 255
>> creation of replica failed: Configuration of CA failed
>>
>> Some errors from /var/log/ipareplica-ca-install.log
>>
>> Error in DomainPanel(): updateStatus value is null
>> ERROR: ConfigureCA: DomainPanel() failure
>> ERROR: unable to create CA
>>   File "/usr/sbin/ipa-ca-install", line 156, in <module>
>>     main()
>>   File "/usr/sbin/ipa-ca-install", line 141, in main
>>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
>>     subject_base=config.subject_base)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>>     self.start_creation("Configuring certificate server", 210)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
>>     raise RuntimeError('Configuration of CA failed')
>>
>> Anyone have any ideas?
>
> /var/log/pki-ca/debug probably has more details.

This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08 12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type org.apache.catalina.connector.ResponseFacade
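Added example, not code from the thread, FreeIPA or Dogtag. In the debug log above, the clone's own /ca/admin/ca/getStatus request on thread http-9445-1 parses fine (state=0), while the pingCS and getCertChainUsingSecureAdminPort calls aimed at the security-domain master (curie.example.com:443 per the -sd_hostname/-clone_uri arguments) die inside the XML parser with "lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId". That Xerces message is what you get when a PUBLIC DOCTYPE has no system identifier, and the default Apache httpd error page, <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">, puts its closing '>' exactly at column 50. The inference that the master answered with such a page is mine, not a conclusion the thread reaches; the sample bodies below are constructed, the XMLResponse element names are assumed, and the CA chain file path is whatever your deployment uses. The script reproduces the parser failure offline and, given a URL, fetches the real body so you can see what the master actually sent instead of XML.

```python
"""Classify what the master's admin port sends back to a Dogtag clone.

Added example, not FreeIPA or Dogtag code. Sample bodies are constructed;
the XMLResponse layout is an assumption, not taken from the product source.
"""
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the page Apache httpd serves by default when nothing
# handles a path. A PUBLIC DOCTYPE without a system identifier is not XML;
# the '>' that closes it is column 50 of line 1, which is the position the
# Java parser reported in the pki-ca debug log.
APACHE_ERROR_PAGE = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    '<html><head>\n'
    '<title>404 Not Found</title>\n'
    '</head><body>\n'
    '<h1>Not Found</h1>\n'
    '<p>The requested URL /ca/admin/ca/getStatus was not found on this server.</p>\n'
    '</body></html>\n'
)

# Constructed sample of a healthy reply (element names assumed).
DOGTAG_STATUS_XML = (
    '<XMLResponse><State>1</State><Type>CA</Type>'
    '<Status>running</Status></XMLResponse>\n'
)


def classify_body(body):
    """Tell Dogtag XML apart from whatever else came back on the admin port.

    Returns {'kind': 'xml', 'root': ..., 'fields': {...}} when the body
    parses, otherwise {'kind': 'not-xml', 'error', 'line', 'column', 'hint'}.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        line, column = exc.position
        looks_like_html = (body.lstrip().upper().startswith('<!DOCTYPE HTML')
                           or '<html' in body.lower())
        if looks_like_html:
            hint = ('HTML page, not Dogtag XML: the request was answered by a '
                    'web server or reverse proxy rather than the CA servlet')
        else:
            hint = 'neither XML nor HTML; inspect the raw body'
        return {'kind': 'not-xml', 'error': str(exc),
                'line': line, 'column': column, 'hint': hint}
    return {'kind': 'xml', 'root': root.tag,
            'fields': {child.tag: (child.text or '').strip() for child in root}}


def fetch_body(url, cafile=None, timeout=10.0):
    """Fetch the raw body of an admin-port URL, error pages included.

    TLS is verified against cafile (point it at the IPA CA chain) or, when
    cafile is None, the system trust store. An HTTP error status is not a
    failure for this purpose: its body is what the clone's parser choked on.
    Not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.read().decode('utf-8', errors='replace')
    except urllib.error.HTTPError as err:
        return err.read().decode('utf-8', errors='replace')


if __name__ == '__main__':
    import sys
    for sample in (APACHE_ERROR_PAGE, DOGTAG_STATUS_XML):
        print(classify_body(sample))
    if len(sys.argv) > 1:
        # usage: script.py https://master:443/ca/admin/ca/getStatus [ca-chain.pem]
        chain = sys.argv[2] if len(sys.argv) > 2 else None
        print(classify_body(fetch_body(sys.argv[1], cafile=chain)))
```

Run it against the master's admin-port URL from the replica itself, so firewall and proxy behaviour match what pkisilent saw; if the body comes back as an HTML page, the thing to fix is whatever sits in front of the CA on that port, not the clone's PKCS#12 or its LDAP configuration.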