Re: [Freeipa-users] Replica Setup Issue
Hi Matt,

I ran into this a couple of months ago. I ended up creating the replica without --setup-ca, which first appeared to work, but then it turned out that replication is (at least for me) broken, cf. Ticket #4807 (https://fedorahosted.org/freeipa/ticket/4807).

On Fri, 12 Dec 2014, Matt Chesler wrote:
> 1. Create replica ipa-1 from old-ipa-1
> 2. Followed procedure documented at http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master to make ipa-1 the node responsible for CRL generation and CA renewal
> 3. Prepare ipa-2 to be a replica by running 'ipa-replica-prepare ipa-2.example.com' on ipa-1 and copying over the resulting gpg
> 4. Ran ipa-replica-install on ipa-2 and received the following output/failure:
>
> ===
> [root@ipa-2 ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa-2.example.com.gpg
> [...]
>   [3/17]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-2.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-ATedaS -client_certdb_pwd -preop_pin SAW89xQS4ICFy5zYWv0m -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host ipa-2.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=ipa-2.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname ipa-1.example.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://ipa-1.example.com:443' returned non-zero exit status 255
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> Configuration of CA failed
> ===
> [...]

Mit freundlichen Gruessen/With best regards,
--Daniel.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] Replica Setup Issue
1. Create replica ipa-1 from old-ipa-1
2. Followed procedure documented at http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master to make ipa-1 the node responsible for CRL generation and CA renewal
3. Prepare ipa-2 to be a replica by running 'ipa-replica-prepare ipa-2.example.com' on ipa-1 and copying over the resulting gpg
4. Ran ipa-replica-install on ipa-2 and received the following output/failure:

===
[root@ipa-2 ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa-2.example.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa-1.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@example.com password:

Execute check on remote master
Check connection from master to remote replica 'ipa-2.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-2.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-ATedaS -client_certdb_pwd -preop_pin SAW89xQS4ICFy5zYWv0m -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host ipa-2.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=ipa-2.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname ipa-1.example.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://ipa-1.example.com:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
===

Found the following in /var/log/ipareplica-install.log:

--snip--
# Attempting to connect to: ipa-2.example.com:9445
Connected.
Posting Query = https://ipa-2.example.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=4306304501997072616&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Date: Fri, 12 Dec 2014 20:47:08 GMT
RESPONSE HEADER: Connection: close
Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA
###
2014-12-12T20:47:08Z DEBUG stderr=java.lang.Exception: Invalid clone_uri
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:392)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1188)
at ConfigureCA.main(ConfigureCA.java:1672)
2014-12-12T20:47:08Z CRITICAL
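The output above packs three things a practitioner wants when a CA clone fails at step [3/17]: the connection-check results (including the UDP ports the installer skips), the full pkisilent ConfigureCA command line echoed into the log, and the Java exception from /var/log/ipareplica-install.log. The following triage helper is an added example and not part of this thread or of FreeIPA/Dogtag; it parses a constructed excerpt modelled on the thread, splits the ConfigureCA flags into a dictionary (keeping multi-word values such as `cn=Directory Manager` whole), reports flags given twice, flags secrets that are still readable in the log, and lists the skipped port checks. The rule that `-clone_uri` should be an https URL pointing at `-sd_hostname` on `-sd_admin_port` is an assumption used for illustration, not a documented pki-ca check, and the sample pre-op PIN is a constructed placeholder.

```python
"""Triage helper for a failed ipa-replica-install --setup-ca run.

Added example, not code from the FreeIPA project or from this thread.
The clone_uri consistency rule below is an assumption for illustration.
"""
import re
from urllib.parse import urlsplit

# Flags whose values the installer blanks before logging: empty is expected.
REDACTED_FLAGS = {
    "client_certdb_pwd", "admin_password", "bind_password",
    "backup_pwd", "clone_p12_password", "sd_admin_password",
}
# Flags the installer does not blank but whose values are still sensitive.
SENSITIVE_FLAGS = {"preop_pin"}

CMD_RE = re.compile(r"Command '(?P<cmd>.*?)' returned non-zero exit status (?P<status>\d+)")
EXC_RE = re.compile(r"java\.lang\.Exception: (?P<msg>[^\n]+)")
# Connection-check lines look like "   Kerberos KDC: UDP (88): SKIPPED".
PORT_RE = re.compile(r"^\s*(?P<svc>[^:\n]+): (?P<desc>[^\n(]+?) \((?P<port>\d+)\): (?P<state>\w+)\s*$", re.M)

# Constructed excerpt modelled on the thread; the pre-op PIN is a placeholder.
SAMPLE_LOG = """\
Check connection from replica to remote master 'ipa-1.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): SKIPPED
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-2.example.com -cs_port 9445 -client_certdb_pwd -preop_pin EXAMPLEPIN0000000000 -admin_user admin -admin_password -bind_dn cn=Directory Manager -bind_password -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname ipa-1.example.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://ipa-1.example.com:443' returned non-zero exit status 255
Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
"""


def parse_pkisilent_args(cmdline):
    """Parse '... ConfigureCA -a x -b -c y z' into ({'a': 'x', 'b': '', 'c': 'y z'}, dups).

    A value runs until the next token starting with '-', so values containing
    spaces (e.g. 'cn=Directory Manager') are kept whole.
    """
    tokens = cmdline.split()
    if "ConfigureCA" not in tokens:
        raise ValueError("not a pkisilent ConfigureCA command line")
    args, duplicates = {}, []
    i = tokens.index("ConfigureCA") + 1
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            raise ValueError("unexpected token %r" % tokens[i])
        name = tokens[i][1:]
        i += 1
        values = []
        while i < len(tokens) and not tokens[i].startswith("-"):
            values.append(tokens[i])
            i += 1
        if name in args:
            duplicates.append(name)
        args[name] = " ".join(values)
    return args, duplicates


def clone_uri_findings(args):
    """Assumed pre-flight rule: -clone_uri is https and names the security-domain
    master given by -sd_hostname on -sd_admin_port (default 443)."""
    findings = []
    uri = args.get("clone_uri", "")
    parts = urlsplit(uri)
    if parts.scheme != "https":
        findings.append("clone_uri %r is not an https URL" % uri)
    if parts.hostname != args.get("sd_hostname"):
        findings.append("clone_uri host %r differs from sd_hostname %r"
                        % (parts.hostname, args.get("sd_hostname")))
    try:
        port = parts.port or 443
    except ValueError:
        return findings + ["clone_uri %r has an unparsable port" % uri]
    if str(port) != args.get("sd_admin_port"):
        findings.append("clone_uri port %s differs from sd_admin_port %r"
                        % (port, args.get("sd_admin_port")))
    return findings


def port_check_summary(text):
    """Group connection-check lines by their state (OK, SKIPPED, ...)."""
    summary = {}
    for m in PORT_RE.finditer(text):
        summary.setdefault(m.group("state"), []).append((m.group("svc").strip(), int(m.group("port"))))
    return summary


def triage(log_text):
    """Summarise a failed CA-clone install: exit status, exception, flags, findings."""
    report = {"exit_status": None, "exception": None, "args": {}, "findings": [],
              "ports": port_check_summary(log_text)}
    m = EXC_RE.search(log_text)
    if m:
        report["exception"] = m.group("msg").strip()
    m = CMD_RE.search(log_text)
    if not m:
        report["findings"].append("no failed pkisilent command found")
        return report
    report["exit_status"] = int(m.group("status"))
    args, dups = parse_pkisilent_args(m.group("cmd"))
    report["args"] = args
    for d in dups:
        report["findings"].append("flag -%s given more than once" % d)
    for name in sorted(SENSITIVE_FLAGS & set(args)):
        if args[name]:
            report["findings"].append("-%s value is readable in the log; treat the log as sensitive" % name)
    for name in sorted(REDACTED_FLAGS & set(args)):
        if args[name]:
            report["findings"].append("-%s was not redacted in the log" % name)
    report["findings"].extend(clone_uri_findings(args))
    for svc, port in report["ports"].get("SKIPPED", []):
        report["findings"].append("%s port %d was skipped (UDP); verify it manually" % (svc, port))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the constructed excerpt, the report carries exit status 255 and the exception text "Invalid clone_uri", shows that the pre-op PIN is readable in the log and that one subject-name flag was passed twice, and lists the UDP KDC check the installer skipped; the assumed clone_uri rule passes for the thread's values, so it does not by itself explain the exception, which is why the exception text is reported alongside it.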