[Freeipa-users] Re: Replica from RHEL6 7 fails to create CA with clone URI mismatch

2017-07-20 Thread Ade Lee via FreeIPA-users
On Thu, 2017-07-20 at 01:11 -0400, Endi Sukma Dewata wrote:
> - Original Message -
> > David Hendén via FreeIPA-users wrote:
> > > Hi all,
> > > 
> > > I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to
> > > RHEL7.3 RHEL
> > > 4.4.0.
> > > 
> > > What I'm trying to achieve is an isolated FreeIPA 4.4 server that
> > > we could
> > > replace the original FreeIPA 3.0 infrastructure with. The way I'm
> > > doing
> > > this is:
> > > 
> > >  1) prepare replica file on production ipa01 and copy to ipasync
> > >  2) install replica with CA on ipasync and then remove all
> > > connections to
> > >  ipa01, ipa02 and ipa03 (which is the entire production
> > > infrastructure)
> > >  3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL
> > > 6.7)
> > >  4) Prepare replica file on ipasync and copy to ipa01 (a new
> > > clean
> > >  installation in test that should later replace ipa01 in prod)
> > >  5) install replica with CA on ipa01 and then remove all
> > > connections to
> > >  ipasync
> > > 
> > > * Right now I'm failing at the create CA phase in step 5 with:
> > > 
> > >   [2/27]: configuring certificate server instance
> > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> > > configure
> > > CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr'
> > > returned
> > > non-zero exit status 1
> > > 
> > > * I can see that it fails on the subsystem Clone URI in
> > > /var/log/ipareplica-install.log
> > > 
> > > Installation failed:
> > > com.netscape.certsrv.base.BadRequestException: Clone URI does not
> > > match
> > > available subsystems: https://ipasync.xxx.com:443
> > > Please check the CA logs in /var/log/pki/pki-tomcat/ca.
> > > 2017-07-11T15:24:52Z DEBUG stderr=pkispawn: WARNING  ...
> > > unable to
> > > validate security domain user/password through REST interface.
> > > Interface
> > > not available
> > > 
> > > * To get more details I check the debug log for tomcat and find
> > > that it
> > > still tries to match against the old infrastructure and not the
> > > ipasync
> > > server:
> > > 
> > > # cat /var/log/pki/pki-tomcat/ca/debug
> > > ...
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname:
> > > 
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname:
> > > 
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname:
> > > 
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem
> > > Configuration
> > > ===
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]:
> > > SystemConfigService: validate
> > > clone URI: https://ipasync.xxx.com:443
> > > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not
> > > match
> > > available subsystems: https://ipasync.xxx.com:443
> > > 
> > > * I validate this by checking the calist in getDomainXML:
> > > 
> > > # wget --no-check-certificate
> > > https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
> > > # cat getDomainXML | xmllint --format -
> > > ...
> > >   
> > > 
> > >   TRUE
> > >   pki-cad
> > >   FALSE
> > >   80
> > >   443
> > >   443
> > >   443
> > >   443
> > >   ipa01.xxx.com
> > > 
> > > 
> > >   pki-cad
> > >   TRUE
> > >   TRUE
> > >   443
> > >   80
> > >   443
> > >   443
> > >   443
> > >   ipa02.xxx.com
> > > 
> > > 
> > >   pki-cad
> > >   TRUE
> > >   TRUE
> > >   443
> > >   80
> > >   443
> > >   443
> > >   443
> > >   ipa03.xxx.com
> > > 
> > > 3
> > >   
> > > ...
> > > 
> > > Why does it still have the old ipa servers and why is ipasync not
> > > included?
> > > Am I doing something wrong here, for example do I need to
> > > manually add
> > > ipasync to the pki-cad list of CAs?
> > 
> > I don't believe uninstalling an IPA master will update this list as
> > it
> > is maintained by dogtag and other than removing the replication
> > agreements I'm not aware of any other notification that a server is
> > going away.
> > 

Nice detective work!

It seems that the problem here is that ipasync should have been added
to the security domain during the replication in step 2, just as ipa02
and ipa03 were also added during previous replications.

I'm not sure why that did not happen - but it would be useful to get
Dogtag logs for step 2 to try to figure that out.  I recall that in the
past, there was a bug where the Dogtag replication installation code
silently swallowed an exception at the end of the setup, resulting in
the security domain not being updated.  Maybe this is what is happening
here.

To proceed further, you need to manually add the entry for ipasync into
the security domain.  It will look the same as the other entries.  Make
s
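A pre-flight check for the situation described above, added here as an example and not code from the thread or from FreeIPA/Dogtag: it parses the security domain XML (the same document the `wget ... getDomainXML` call fetches) and reports whether a prospective clone URI would match any CA entry by hostname and admin port, which is what the debug log shows the CA comparing. The element names `DomainInfo`, `CAList`, `CA`, `Host` and `SecureAdminPort` are assumed from Dogtag's format, since the quoted dump had its tags stripped; the sample XML is constructed from the values in the dump.

```python
"""Check whether a clone host is listed in a Dogtag security domain.
Added example, not from the thread; element names are an assumption
based on Dogtag's getDomainXML output, values follow the quoted dump."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the thread's getDomainXML dump:
# three CAs (ipa01/ipa02/ipa03), no entry for ipasync.
SAMPLE_DOMAIN_XML = """<?xml version="1.0"?>
<DomainInfo>
  <Name>IPA</Name>
  <CAList>
    <CA><SubsystemName>pki-cad</SubsystemName><Host>ipa01.xxx.com</Host>
        <SecureAdminPort>443</SecureAdminPort><Clone>FALSE</Clone></CA>
    <CA><SubsystemName>pki-cad</SubsystemName><Host>ipa02.xxx.com</Host>
        <SecureAdminPort>443</SecureAdminPort><Clone>TRUE</Clone></CA>
    <CA><SubsystemName>pki-cad</SubsystemName><Host>ipa03.xxx.com</Host>
        <SecureAdminPort>443</SecureAdminPort><Clone>TRUE</Clone></CA>
    <SubsystemCount>3</SubsystemCount>
  </CAList>
</DomainInfo>
"""


def ca_admin_endpoints(domain_xml):
    """Return the (host, admin_port) pairs the CA validates a clone URI
    against; mirrors the hostname/admin_port lines in the debug log."""
    root = ET.fromstring(domain_xml)
    endpoints = []
    for ca in root.iterfind("./CAList/CA"):
        host = (ca.findtext("Host") or "").strip().lower()
        port = (ca.findtext("SecureAdminPort") or "443").strip()
        endpoints.append((host, int(port)))
    return endpoints


def clone_uri_listed(domain_xml, clone_uri):
    """True if clone_uri's host:port matches a CA entry (port defaults to 443)."""
    parts = urlsplit(clone_uri)
    target = ((parts.hostname or "").lower(), parts.port or 443)
    return target in ca_admin_endpoints(domain_xml)


def missing_clone_hosts(domain_xml, clone_uris):
    """Return the intended clone URIs that would fail Dogtag's check."""
    return [u for u in clone_uris if not clone_uri_listed(domain_xml, u)]


if __name__ == "__main__":
    for uri in ("https://ipasync.xxx.com:443", "https://ipa01.xxx.com:443"):
        print(uri, "listed" if clone_uri_listed(SAMPLE_DOMAIN_XML, uri)
              else "NOT in security domain: pkispawn clone would fail")
```

Run it against the real document saved by the `wget` command before attempting the replica install; a host reported as missing is the one that needs its security domain entry added.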

[Freeipa-users] Re: Replica from RHEL6 7 fails to create CA with clone URI mismatch

2017-07-19 Thread Endi Sukma Dewata via FreeIPA-users
- Original Message -
> David Hendén via FreeIPA-users wrote:
> > Hi all,
> > 
> > I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL
> > 4.4.0.
> > 
> > What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could
> > replace the original FreeIPA 3.0 infrastructure with. The way I'm doing
> > this is:
> > 
> >  1) prepare replica file on production ipa01 and copy to ipasync
> >  2) install replica with CA on ipasync and then remove all connections to
> >  ipa01, ipa02 and ipa03 (which is the entire production infrastructure)
> >  3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7)
> >  4) Prepare replica file on ipasync and copy to ipa01 (a new clean
> >  installation in test that should later replace ipa01 in prod)
> >  5) install replica with CA on ipa01 and then remove all connections to
> >  ipasync
> > 
> > * Right now I'm failing at the create CA phase in step 5 with:
> > 
> >   [2/27]: configuring certificate server instance
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> > CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned
> > non-zero exit status 1
> > 
> > * I can see that it fails on the subsystem Clone URI in
> > /var/log/ipareplica-install.log
> > 
> > Installation failed:
> > com.netscape.certsrv.base.BadRequestException: Clone URI does not match
> > available subsystems: https://ipasync.xxx.com:443
> > Please check the CA logs in /var/log/pki/pki-tomcat/ca.
> > 2017-07-11T15:24:52Z DEBUG stderr=pkispawn: WARNING  ... unable to
> > validate security domain user/password through REST interface. Interface
> > not available
> > 
> > * To get more details I check the debug log for tomcat and find that it
> > still tries to match against the old infrastructure and not the ipasync
> > server:
> > 
> > # cat /var/log/pki/pki-tomcat/ca/debug
> > ...
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: 
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: 
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: 
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration
> > ===
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate
> > clone URI: https://ipasync.xxx.com:443
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match
> > available subsystems: https://ipasync.xxx.com:443
> > 
> > * I validate this by checking the calist in getDomainXML:
> > 
> > # wget --no-check-certificate
> > https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
> > # cat getDomainXML | xmllint --format -
> > ...
> >   
> > 
> >   TRUE
> >   pki-cad
> >   FALSE
> >   80
> >   443
> >   443
> >   443
> >   443
> >   ipa01.xxx.com
> > 
> > 
> >   pki-cad
> >   TRUE
> >   TRUE
> >   443
> >   80
> >   443
> >   443
> >   443
> >   ipa02.xxx.com
> > 
> > 
> >   pki-cad
> >   TRUE
> >   TRUE
> >   443
> >   80
> >   443
> >   443
> >   443
> >   ipa03.xxx.com
> > 
> > 3
> >   
> > ...
> > 
> > Why does it still have the old ipa servers and why is ipasync not included?
> > Am I doing something wrong here, for example do I need to manually add
> > ipasync to the pki-cad list of CAs?
> 
> I don't believe uninstalling an IPA master will update this list as it
> is maintained by dogtag and other than removing the replication
> agreements I'm not aware of any other notification that a server is
> going away.
> 
> Endi, do you know what needs to happen here?
> 
> rob

Sorry, I'm not that familiar with this area.

Ade, could you take a look? Thanks.

--
Endi S. Dewata
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Replica from RHEL6 7 fails to create CA with clone URI mismatch

2017-07-19 Thread Rob Crittenden via FreeIPA-users
David Hendén via FreeIPA-users wrote:
> Hi all,
> 
> I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 
> 4.4.0.
> 
> What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could 
> replace the original FreeIPA 3.0 infrastructure with. The way I'm doing this 
> is:
> 
>  1) prepare replica file on production ipa01 and copy to ipasync
>  2) install replica with CA on ipasync and then remove all connections to 
> ipa01, ipa02 and ipa03 (which is the entire production infrastructure)
>  3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7)
>  4) Prepare replica file on ipasync and copy to ipa01 (a new clean 
> installation in test that should later replace ipa01 in prod)
>  5) install replica with CA on ipa01 and then remove all connections to 
> ipasync
> 
> * Right now I'm failing at the create CA phase in step 5 with:
> 
>   [2/27]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
> instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned 
> non-zero exit status 1
> 
> * I can see that it fails on the subsystem Clone URI in 
> /var/log/ipareplica-install.log
> 
> Installation failed:
> com.netscape.certsrv.base.BadRequestException: Clone URI does not match 
> available subsystems: https://ipasync.xxx.com:443
> Please check the CA logs in /var/log/pki/pki-tomcat/ca.
> 2017-07-11T15:24:52Z DEBUG stderr=pkispawn: WARNING  ... unable to 
> validate security domain user/password through REST interface. Interface not 
> available
> 
> * To get more details I check the debug log for tomcat and find that it still 
> tries to match against the old infrastructure and not the ipasync server:
> 
> # cat /var/log/pki/pki-tomcat/ca/debug
> ...
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: 
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: 
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: 
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration ===
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate 
> clone URI: https://ipasync.xxx.com:443
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match 
> available subsystems: https://ipasync.xxx.com:443
> 
> * I validate this by checking the calist in getDomainXML:
> 
> # wget --no-check-certificate 
> https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
> # cat getDomainXML | xmllint --format -
> ...
>   
> 
>   TRUE
>   pki-cad
>   FALSE
>   80
>   443
>   443
>   443
>   443
>   ipa01.xxx.com
> 
> 
>   pki-cad
>   TRUE
>   TRUE
>   443
>   80
>   443
>   443
>   443
>   ipa02.xxx.com
> 
> 
>   pki-cad
>   TRUE
>   TRUE
>   443
>   80
>   443
>   443
>   443
>   ipa03.xxx.com
> 
> 3
>   
> ...
> 
> Why does it still have the old ipa servers and why is ipasync not included? 
> Am I doing something wrong here, for example do I need to manually add 
> ipasync to the pki-cad list of CAs?

I don't believe uninstalling an IPA master will update this list as it
is maintained by dogtag and other than removing the replication
agreements I'm not aware of any other notification that a server is
going away.

Endi, do you know what needs to happen here?

rob