Re: [Freeipa-users] Replica install fails when using --setup-ca

2016-07-26 Thread Rob Crittenden

Linov Suresh wrote:

I tried to create a master replica using the option --setup-ca; it failed with
"Your system may be partly configured."

Please note we use different ipa packages on the master and the replica.

master:
[root@caer ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

replica:

[root@neit-lab01 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.1.x86_64

Is this because ipa-server-3.0.0-50 includes the update "Proxy calls to
/ca/ee/ca/profileSubmit to PKI to enable installation of replicas with
Dogtag 10 PKI (#1083878)"?
If yes, how do we fix it? Your help is appreciated.


[...]



You need to look at the dogtag logs to see any reasonable errors. IPA 
doesn't get much back from the dogtag installer except a pass/fail 
(especially in 3.x).


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Replica install fails when using --setup-ca

2016-07-26 Thread Linov Suresh
I tried to create a master replica using the option --setup-ca; it failed with
"Your system may be partly configured."

Please note we use different ipa packages on the master and the replica.

master:
[root@caer ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

replica:

[root@neit-lab01 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.1.x86_64

Is this because ipa-server-3.0.0-50 includes the update "Proxy calls to
/ca/ee/ca/profileSubmit to PKI to enable installation of replicas with
Dogtag 10 PKI (#1083878)"?

If yes, how do we fix it? Your help is appreciated.


[root@neit-lab01 ipa]# ipa-replica-install --setup-dns --setup-ca
--no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'caer.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@teloip.net password:

Execute check on remote master
Check connection from master to remote replica 'neit-lab01.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30
seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
neit-lab01.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-t5u9YQ
-client_certdb_pwd  -preop_pin BAoCQwvMxnG4xLdxOKln -domain_name
IPA -admin_user admin -admin_email root@localhost -admin_password 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host
neit-lab01.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager
-bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048
-key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
 -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
-ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
-ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password 
-sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password  -clone_start_tls true -clone_uri
https://caer.teloip.net:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

Re: [Freeipa-users] Replica install fails when using --setup-ca

2015-02-27 Thread Martin Kosek

On 02/26/2015 04:07 PM, dbisc...@hrz.uni-kassel.de wrote:

Hi,

for the record: The problem was a misconfigured Apache on the IPA master, cf.

https://www.redhat.com/archives/freeipa-users/2015-February/msg00041.html

In my case, my Apache didn't load proxy_ajp_module and after this was fixed,
ipa-replica-install --setup-ca worked as expected.

Thanks to Endi Sukma Dewata and Martin Kosek for putting me on the right track.


You are welcome. This case actually got me thinking about what we can do to automate 
and check for this misconfiguration *before* running into such a hard-to-debug problem.


I think we should simply check for all required Apache modules beforehand; in 
the past I already put together a minimal list of Apache modules that can be 
checked (the ajp module is there :-)).


I filed a ticket to do it:
https://fedorahosted.org/freeipa/ticket/4928

Also CCing Less for reference.

Martin



Re: [Freeipa-users] Replica install fails when using --setup-ca

2015-02-26 Thread dbischof

Hi,

for the record: The problem was a misconfigured Apache on the IPA master, 
cf.


https://www.redhat.com/archives/freeipa-users/2015-February/msg00041.html

In my case, my Apache didn't load proxy_ajp_module and after this was 
fixed, ipa-replica-install --setup-ca worked as expected.


Thanks to Endi Sukma Dewata and Martin Kosek for putting me on the right 
track.


On Tue, 6 Jan 2015, dbisc...@hrz.uni-kassel.de wrote:

[...]

Mit freundlichen Gruessen/With best regards,

--Daniel.
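Daniel's fix (proxy_ajp_module was not loaded on the IPA master) and Martin's proposal to check the required Apache modules before the install both point at a pre-flight check on the master. The script below is an added example, not FreeIPA's own code: it reads `httpd -M` output and the master's IPA proxy configuration and reports what is missing. It assumes, beyond what the thread states, that mod_proxy_ajp also needs mod_proxy loaded, that the proxy rules live in /etc/httpd/conf.d/ipa-pki-proxy.conf, and that the update discussed in the thread (#1083878) appears as a Location/ProxyPass rule naming /ca/ee/ca/profileSubmit. The two check functions take their input on stdin so they can also be run against captured output from another host.

```shell
#!/bin/sh
# Added example, not FreeIPA code: pre-flight checks to run on an IPA master
# before a replica is installed against it with --setup-ca.
#
# The CA clone installer on the replica talks to the master's httpd on 443 and
# expects those requests to be forwarded to Dogtag over AJP. That needs
# mod_proxy and mod_proxy_ajp loaded (assumption: mod_proxy_ajp depends on
# mod_proxy) and a proxy rule covering /ca/ee/ca/profileSubmit (assumption:
# the #1083878 update is a Location/ProxyPass rule naming that path, kept in
# /etc/httpd/conf.d/ipa-pki-proxy.conf on EL6 FreeIPA 3.0).

REQUIRED_MODULES="proxy_module proxy_ajp_module"
REQUIRED_PATHS="/ca/ee/ca/profileSubmit"
DEFAULT_PROXY_CONF=/etc/httpd/conf.d/ipa-pki-proxy.conf

# missing_modules: read `httpd -M` output from stdin and print every required
# module that is not listed, one per line. No output means all are loaded.
missing_modules() {
    loaded=$(cat)
    for m in $REQUIRED_MODULES; do
        # httpd -M prints one module per line, e.g. " proxy_ajp_module (shared)"
        if ! printf '%s\n' "$loaded" |
             grep -Eq "^[[:space:]]*${m}[[:space:]]+\((static|shared)\)"; then
            echo "$m"
        fi
    done
}

# missing_proxy_paths: read an Apache config from stdin and print every
# required CA path that no Location, LocationMatch, ProxyPass or
# ProxyPassMatch directive mentions. Commented-out lines do not count.
missing_proxy_paths() {
    conf=$(cat)
    for p in $REQUIRED_PATHS; do
        if ! printf '%s\n' "$conf" |
             grep -Eiq "^[[:space:]]*(<Location(Match)?|ProxyPass(Match)?)[^#]*${p}"; then
            echo "$p"
        fi
    done
}

# preflight [proxy-conf]: run both checks against the live system.
# Prints each problem on stderr and returns 1 if anything is missing.
preflight() {
    conf_file=${1:-$DEFAULT_PROXY_CONF}
    rc=0

    mods=$(httpd -M 2>/dev/null | missing_modules)
    if [ -n "$mods" ]; then
        echo "httpd is missing modules:" $mods >&2
        rc=1
    fi

    if [ ! -r "$conf_file" ]; then
        echo "proxy config not found: $conf_file" >&2
        rc=1
    else
        paths=$(missing_proxy_paths < "$conf_file")
        if [ -n "$paths" ]; then
            echo "$conf_file does not forward:" $paths >&2
            rc=1
        fi
    fi
    return $rc
}
```

Run it on the IPA master before starting `ipa-replica-install --setup-ca` on the replica, for example `. ./ca-preflight.sh && preflight` (the file name is arbitrary). A clean result only rules out these two causes; if the clone still fails with exit status 255, the Dogtag logs on the replica remain the place to look, since the installer itself only reports pass/fail.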



Re: [Freeipa-users] Replica install fails when using --setup-ca

2015-01-13 Thread Martin Kosek
On 01/12/2015 03:53 PM, dbisc...@hrz.uni-kassel.de wrote:
> Hi,
> 
> no ideas about this one?
> 
> I'm unsure if I did something wrong, but since I installed both systems the
> same way, I really don't know, what could be wrong.
> 
> One thing that may be related: The working system (the one that doesn't fail
> to create a replica with "--setup-ca") went into production in April 2014, the
> one that fails in September 2014. In between were several updates to the
> ipa-server package, including one related to Dogtag ("Proxy calls to
> /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with Dogtag
> 10 PKI (#1083878)"). Can this cause errors like the one I observe?

That's a good guess. Installing a RHEL/CentOS 7.0 replica against a master that
does not have this update would indeed cause a failure. Did you try updating it?

> Something else I may want to look into? My installations are pretty much
> standard, except that I use an external DNS and have SELinux disabled.

If the referred update does not help, we would need to see full
ipareplica-install.log and PKI logs (/var/log/pki/) on replica to continue with
debug.

> 
> 
> Best regards,
> 
> --Daniel.
> 
> On Tue, 6 Jan 2015, dbisc...@hrz.uni-kassel.de wrote:
> 
>> [...]

Re: [Freeipa-users] Replica install fails when using --setup-ca

2015-01-12 Thread dbischof

Hi,

no ideas about this one?

I'm unsure if I did something wrong, but since I installed both systems 
the same way, I really don't know what could be wrong.


One thing that may be related: The working system (the one that doesn't 
fail to create a replica with "--setup-ca") went into production in April 2014, 
the one that fails in September 2014. In between were several updates to 
the ipa-server package, including one related to Dogtag ("Proxy calls to 
/ca/ee/ca/profileSubmit to PKI to enable installation of replicas with 
Dogtag 10 PKI (#1083878)"). Can this cause errors like the one I observe?


Something else I may want to look into? My installations are pretty much 
standard, except that I use an external DNS and have SELinux disabled.



Best regards,

--Daniel.

On Tue, 6 Jan 2015, dbisc...@hrz.uni-kassel.de wrote:

[...]




[Freeipa-users] Replica install fails when using --setup-ca

2015-01-06 Thread dbischof

Hi,

I have two small FreeIPA installations (for two different realms), both 
with CentOS 6/FreeIPA 3.0.0-42. After running them both with only one 
master server each for a while, I attempted to extend both installations 
with one replica each.


Doing a

ipa-replica-install --setup-ca /var/lib/ipa/replica-info-...

worked fine for one of the installations, but failed for the other:

---
[...]

  [3/17]: configuring certificate server instance ipa : CRITICAL failed to 
configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 
ConfigureCA -cs_hostname xxx -cs_port 9445 -client_certdb_dir 
/tmp/tmp-YsXvhP -client_certdb_pwd  -preop_pin 
vJl0m3xc9Oz7b1fIgttD -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password  -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=YYY -ldap_host xxx -ldap_port 7389 -bind_dn cn=Directory 
Manager -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 
2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
 -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=YYY 
-ca_server_cert_subject_name CN=xxx,O=YYY 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=YYY 
-ca_sign_cert_subject_name CN=Certificate Authority,O=YYY -external false 
-clone true -clone_p12_file ca.p12 -clone_p12_password  
-sd_hostname mmm -sd_admin_port 443 -sd_admin_name admin 
-sd_admin_password  -clone_start_tls true -clone_uri 
https://mmm:443' returned non-zero exit status 255


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
---

/var/log/ipareplica-install.log:

---
[...]
Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA

###

2015-01-06T13:36:25Z DEBUG stderr=
2015-01-06T13:36:25Z CRITICAL failed to configure ca instance Command 
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
2015-01-06T13:36:25Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 476, in main
    (CA, cs) = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1626, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')
2015-01-06T13:36:25Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
---

Omitting "--setup-ca" lets me successfully install a working replica 
server.


The problem appears to be my installation (since the other one works) - 
however: Both (intended) replica servers are nearly identical (operating 
system version, installed packages, etc.).


My understanding is that a replica without a CA is not a 100% clone of an 
IPA master, right? What are the downsides of having a replica without a 
CA?


Thank you for looking into this,


--Daniel.
