Howdy! Trying to figure out how to get past the error "Clone URI does not match available subsystems" when running ipa-ca-install on a new IPA server.
A little background. We have 3 FreeIPA 3.0.0 servers running on RHEL 6.7. We just recently (within the last month) added a new FreeIPA 4.2 server replica running on RHEL 7.2 at a new location, which will hopefully be the start of replacing all the 3.0.0 instances. Unfortunately, during the 4.2 install the --setup-ca was failing, so we decided to install without it to make sure everything else worked. And it did; everything seems to be replicating properly and all is good. Now it's time to add the CA replication to the new server, but it's failing with that error.

Command output:

# ipa-ca-install --skip-conncheck /var/lib/ipa/replica-info-new-server.example.com.gpg
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

ipareplica-ca-install.log output:

2016-08-17T15:25:52Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160817092533.log
Loading deployment configuration from /tmp/tmp7cBK9P.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

2016-08-17T15:25:52Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443 <https://master.idm.example.com/>"}

2016-08-17T15:25:52Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned non-zero exit status 1
2016-08-17T15:25:52Z CRITICAL See the installation logs and the following files/directories for more information:
2016-08-17T15:25:52Z CRITICAL /var/log/pki-ca-install.log
2016-08-17T15:25:52Z CRITICAL /var/log/pki/pki-tomcat
2016-08-17T15:25:52Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 622, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-08-17T15:25:52Z DEBUG [error] RuntimeError: CA configuration failed.
2016-08-17T15:25:52Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()
  File "/sbin/ipa-ca-install", line 202, in main
    install_replica(safe_options, options, filename)
  File "/sbin/ipa-ca-install", line 150, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 114, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 138, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1545, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 488, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 622, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-08-17T15:25:52Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.

****

I've tried running the pkispawn command manually by using the deployment.cfg file but it gives the same error:

# pkidestroy -s CA -i pki-tomcat
Log file: /var/log/pki/pki-ca-destroy.20160817093402.log
Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ....... this 'CA' entry will NOT be deleted from security domain 'unknown'!
pkidestroy : ERROR ....... No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.

Uninstallation complete.

# /usr/sbin/pkispawn -s CA -f /tmp/replica_file
Log file: /var/log/pki/pki-ca-spawn.20160817093444.log
Loading deployment configuration from /tmp/replica_file.
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443 <https://master.idm.example.com/>"}

Installation failed.

Any ideas on how to proceed would be much appreciated!

Thanks!
-John