Re: [Freeipa-users] Problem installing replica CA
On Tue, 2012-04-24 at 11:28 -0400, Rob Crittenden wrote:
> Dan Scott wrote:
> > On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada wrote:
> >> On 04/20/2012 09:35 PM, Dan Scott wrote:
> >>> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote:
> >>>> On 04/20/2012 12:15 PM, Dan Scott wrote:
> >>>>> Hi,
> >>>>>
> >>>>> My FreeIPA servers were in a real mess recently and I think I've
> >>>>> finally got them into a reasonable state by cleaning up the tombstone
> >>>>> entries and fixing some broken replication agreements.
> >>>>>
> >>>>> I'm trying to setup a new replica and receive the following error:
> >>>>>
> >>>>> [...]
> >>>>>
> >>>>> So it looks like there's some certificate confusion going on.
> >>>>>
> >>>>> Can someone help? Is there anything particularly sensitive in the
> >>>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
> >>>>> shouldn't send them to the list?
> >>>>
> >>>> Are you installing it on a new machine?
> >>>> What version of the OS and tomcat
Re: [Freeipa-users] Problem installing replica CA
Dan Scott wrote:
> On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada wrote:
>> On 04/20/2012 09:35 PM, Dan Scott wrote:
>>> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote:
>>>> On 04/20/2012 12:15 PM, Dan Scott wrote:
>>>>> Hi,
>>>>>
>>>>> My FreeIPA servers were in a real mess recently and I think I've
>>>>> finally got them into a reasonable state by cleaning up the tombstone
>>>>> entries and fixing some broken replication agreements.
>>>>>
>>>>> I'm trying to setup a new replica and receive the following error:
>>>>>
>>>>> [...]
>>>>> creation of replica failed: Configuration of CA failed
>>>>>
>>>>> The /var/log/pki-ca/debug file contains:
>>>>>
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to
>>>>> import user certificate.org.mozilla.jss.crypto.TokenException:
>>>>> PK11_ImportDERCertForKey Unable to import certificate to its token:
>>>>> (-8054) You are attempting to import a cert with the same
>>>>> issuer/serial as an existing cert, but that is not the same cert.
>>>>> [...]
>>>>>
>>>>> So it looks like there's some certificate confusion going on.
>>>>>
>>>>> Can someone help? Is there anything particularly sensitive in the
>>>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
>>>>> shouldn't send them to the list?
>>>>
>>>> Are you installing it on a new machine?
>>>> What version of the OS and tomcat is there?
>>>> There have been some glitches in the tomcat package in the past.
>>>
>>> It's quite new - a VM which I installed 10 days ago. I tried to
>>> install a replica on it before I cleaned my other IPA servers.
>>
>> Are you sure that the CA was cleaned up on the replica? Run
>> 'ipa-server-install --uninstall' and then check existence of
>> /var/lib/pki-ca. If it's still there ->
>> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html
>
> Yes, the CA was cleaned on the replica - I've also re-installed this
> system from scratch and the install still fails.
>
> Thanks,
>
> Dan

It is a very strange error message. What this me
Re: [Freeipa-users] Problem installing replica CA
On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada wrote:
> On 04/20/2012 09:35 PM, Dan Scott wrote:
>> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote:
>>> On 04/20/2012 12:15 PM, Dan Scott wrote:
>>>> Hi,
>>>>
>>>> My FreeIPA servers were in a real mess recently and I think I've
>>>> finally got them into a reasonable state by cleaning up the tombstone
>>>> entries and fixing some broken replication agreements.
>>>>
>>>> I'm trying to setup a new replica and receive the following error:
>>>>
>>>> [...]
>>>>
>>>> So it looks like there's some certificate confusion going on.
>>>>
>>>> Can someone help? Is there anything particularly sensitive in the
>>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
>>>> shouldn't send them to the list?
>>>
>>> Are you installing it on a new machine?
>>> What version of the OS and tomcat is there?
>>> There have been some glitches in the tomcat package in the past.
>>
>> It's quite new - a VM which I installed 10 days ago. I tried to
>> install a replica on it before I cleaned my other IPA servers.
>
> Are you sure that the CA was cleaned up on the replica? Run
> 'ipa-server-install --uninstall' and then check existence o
Re: [Freeipa-users] Problem installing replica CA
On 04/20/2012 09:35 PM, Dan Scott wrote:
> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote:
>> On 04/20/2012 12:15 PM, Dan Scott wrote:
>>> Hi,
>>>
>>> My FreeIPA servers were in a real mess recently and I think I've
>>> finally got them into a reasonable state by cleaning up the tombstone
>>> entries and fixing some broken replication agreements.
>>>
>>> I'm trying to setup a new replica and receive the following error:
>>>
>>> [...]
>>>
>>> So it looks like there's some certificate confusion going on.
>>>
>>> Can someone help? Is there anything particularly sensitive in the
>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
>>> shouldn't send them to the list?
>>
>> Are you installing it on a new machine?
>> What version of the OS and tomcat is there?
>> There have been some glitches in the tomcat package in the past.
>
> It's quite new - a VM which I installed 10 days ago. I tried to
> install a replica on it before I cleaned my other IPA servers.

Are you sure that the CA was cleaned up on the replica? Run
'ipa-server-install --uninstall' and then check existence of
/var/lib/pki-ca. If it's still there ->
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html

> It's Scientific Linux 6.2. tomcat6-6.0.24-36.el6_2
>
> Thanks,
>
> Dan
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Regards,

Ondrej Hamada
FreeIPA te
Re: [Freeipa-users] Problem installing replica CA
On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote:
> On 04/20/2012 12:15 PM, Dan Scott wrote:
>> Hi,
>>
>> My FreeIPA servers were in a real mess recently and I think I've
>> finally got them into a reasonable state by cleaning up the tombstone
>> entries and fixing some broken replication agreements.
>>
>> I'm trying to setup a new replica and receive the following error:
>>
>> [...]
>>
>> So it looks like there's some certificate confusion going on.
>>
>> Can someone help? Is there anything particularly sensitive in the
>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
>> shouldn't send them to the list?
>>
>
> Are you installing it on a new machine?
> What version of the OS and tomcat is there?
> There have been some glitches in the tomcat package in the past.

It's quite new - a VM which I installed 10 days ago. I tried to
install a replica on it before I cleaned my other IPA servers.

It's Scientific Linux 6.2. tomcat6-6.0.24-36.el6_2

Thanks,

Dan
Re: [Freeipa-users] Problem installing replica CA
On 04/20/2012 12:15 PM, Dan Scott wrote:
> Hi,
>
> My FreeIPA servers were in a real mess recently and I think I've
> finally got them into a reasonable state by cleaning up the tombstone
> entries and fixing some broken replication agreements.
>
> I'm trying to setup a new replica and receive the following error:
>
> [...]
>
> So it looks like there's some certificate confusion going on.
>
> Can someone help? Is there anything particularly sensitive in the
> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
> shouldn't send them to the list?
>

Are you installing it on a new machine?
What version of the OS and tomcat is there?
There have been some glitches in the tomcat package in the past.

> Thanks,
>
> Dan

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Problem installing replica CA
Hi,

My FreeIPA servers were in a real mess recently and I think I've
finally got them into a reasonable state by cleaning up the tombstone
entries and fixing some broken replication agreements.

I'm trying to setup a new replica and receive the following error:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/12]: creating certificate server user
  [2/12]: creating pki-ca instance
  [3/12]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-JwjkjT' '-client_certdb_pwd' '-preop_pin'
'5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin'
'-admin_email' 'root@localhost' '-admin_password'
'-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
'-agent_key_type' 'rsa' '-agent_cert_subject'
'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
'-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
'-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
'-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
'-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name'
'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' '-sd_hostname'
'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
'admin' '-sd_admin_password' '-clone_start_tls' 'true'
'-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
exit status 255
creation of replica failed: Configuration of CA failed

The /var/log/pki-ca/debug file contains:

[20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to
import user certificate.org.mozilla.jss.crypto.TokenException:
PK11_ImportDERCertForKey Unable to import certificate to its token:
(-8054) You are attempting to import a cert with the same
issuer/serial as an existing cert, but that is not the same cert.
[20/Apr/2012:12:07:36][http-9445-1]: Updating local request...
certTag=sslserver
[20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
[20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
[20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
[20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
[20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
[20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
[20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12
[20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13
[20/Apr/2012:12:07:36][http-9445-1]: panel no=13
[20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys
[20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19
[20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
org.apache.catalina.connector.ResponseFacade
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type java.lang.Boolean
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
org.apache.catalina.connector.RequestFacade

So it looks like there's some certificate confusion going on.

Can someone help? Is there anything particularly sensitive in the
/var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
shouldn't send them to the list?
Thanks,

Dan
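The `(-8054)` in the debug log above is NSS's SEC_ERROR_REUSED_ISSUER_AND_SERIAL: the certificate database already holds a certificate with the same issuer and serial number but different bytes, which is exactly how a certificate left behind by an earlier replica attempt (the state Ondrej's uninstall check probes for) looks to the importer. The script below is an added example, not FreeIPA or Dogtag code: it walks the DER of each certificate with a minimal ASN.1 reader, groups them by issuer/serial and flags pairs whose SHA-256 fingerprints differ, on constructed, unsigned sample certificates whose nicknames, serial numbers and keys are assumed.

```python
"""Find certificates that would trigger NSS error -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL):
one issuer/serial pair carried by two certificates whose DER encodings differ.
Minimal DER walker, no third-party modules; sample certificates are constructed placeholders."""
import hashlib

def der_len(n):
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                        # long form: 0x8n, then n length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def issuer_serial(cert_der):
    """Return (issuer Name as DER bytes, serialNumber as int) of a certificate."""
    _, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        tag, val, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber INTEGER expected"
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    start = pos
    tag, _, pos = read_tlv(tbs, pos)          # issuer Name
    assert tag == 0x30, "issuer Name expected"
    return tbs[start:pos], serial

def cn_of(name_der):
    """Value of the first attribute in a DER Name (enough for a readable report)."""
    _, rdn_set, _ = read_tlv(name_der, 0)     # first RelativeDistinguishedName (SET)
    _, atv, _ = read_tlv(rdn_set, 0)          # AttributeTypeAndValue (SEQUENCE)
    _, inner, _ = read_tlv(atv, 0)            # its contents: type OID + value
    _, _, pos = read_tlv(inner, 0)            # skip the type OID
    _, value, _ = read_tlv(inner, pos)
    return value.decode("ascii")

def find_reused_issuer_serial(certs):
    """certs: {nickname: DER}. Return [((issuer_der, serial), {sha256: [nicknames]})]
    for each issuer/serial pair that maps to more than one distinct certificate.
    Byte-identical copies under several nicknames are not a conflict, as in NSS."""
    seen = {}
    for nick, der in certs.items():
        key = issuer_serial(der)
        fp = hashlib.sha256(der).hexdigest()
        seen.setdefault(key, {}).setdefault(fp, []).append(nick)
    return [(key, by_fp) for key, by_fp in seen.items() if len(by_fp) > 1]

# ---- constructed sample data; nicknames, serials and keys are made up ----
OID_CN = tlv(0x06, bytes([0x55, 0x04, 0x03]))                       # 2.5.4.3 commonName
SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))
RSA_ENC = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010101")) + tlv(0x05, b""))

def name(cn):
    """Name with a single CN attribute (PrintableString)."""
    return tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(0x13, cn.encode("ascii")))))

def fake_cert(serial, issuer_cn, subject_cn, pubkey):
    """Structurally valid, unsigned X.509 v3 shell to exercise the parser."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    ser = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    validity = tlv(0x30, tlv(0x17, b"120420120000Z") + tlv(0x17, b"140420120000Z"))
    spki = tlv(0x30, RSA_ENC + tlv(0x03, b"\x00" + pubkey))
    tbs = tlv(0x30, version + ser + SHA256_RSA + name(issuer_cn)
              + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + SHA256_RSA + tlv(0x03, b"\x00" + bytes(8)))  # dummy signature

CA_CN = "Certificate Authority"
CERT_A = fake_cert(7, CA_CN, "fileserver4.ecg.mit.edu", b"\x01" * 4)  # earlier attempt's cert
CERT_B = fake_cert(7, CA_CN, "fileserver4.ecg.mit.edu", b"\x02" * 4)  # same serial, new key
CERT_C = fake_cert(8, CA_CN, "OCSP Subsystem", b"\x03" * 4)
SAMPLE_DB = {
    "Server-Cert cert-pki-ca (old)": CERT_A,
    "Server-Cert cert-pki-ca": CERT_B,
    "ocspSigningCert cert-pki-ca": CERT_C,
    "ocspSigningCert cert-pki-ca (copy)": CERT_C,  # identical bytes: tolerated
}

if __name__ == "__main__":
    for (issuer, serial), by_fp in find_reused_issuer_serial(SAMPLE_DB):
        print("issuer CN=%s serial %d: %d distinct certs" % (cn_of(issuer), serial, len(by_fp)))
        for fp, nicks in by_fp.items():
            print("  sha256 %s... %s" % (fp[:16], ", ".join(nicks)))
```

To run it against a real NSS database, replace SAMPLE_DB with the raw DER that `certutil -L -d <dbdir> -n <nickname> -r` prints for each nickname listed by `certutil -L -d <dbdir>`.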