I'm hoping to get a lead on this issue from a few months back - I work with John. Maybe a more narrow question will get us somewhere. When ipa-ca-install is comparing the URI in the .gpg file to the "available subsystems", what does that mean? How do I know what the correct URLs for my "available subsystems" actually are? I reviewed the logs, and the site & port seem like they're probably right to me, unless they need a more specific path or something. Maybe it could be having trouble authenticating? I don't know why that would be.
Is it safe to decrypt the .gpg file, re-encrypt it, and try running it again, if I knew what edits to make to the URI?

-Jack Eidsness

> ------------------------------
>
> - *From*: John Bowman <john bowman zayo com>
> - *To*: freeipa-users redhat com
> - *Subject*: [Freeipa-users] Clone URI does not match available subsystems ?
> - *Date*: Wed, 17 Aug 2016 10:41:38 -0500
>
> ------------------------------
> Howdy!
>
> Trying to figure out how to get past the error: Clone URI does not match
> available subsystems when running ipa-ca-install on new ipa server.
>
> A little background. We have 3 FreeIPA 3.0.0 servers running on RHEL
> 6.7. We just recently (within the last month) added a new FreeIPA 4.2
> server replica running on RHEL 7.2 at a new location which will hopefully
> be the start of replacing all the 3.0.0 instances.
>
> Unfortunately during the 4.2 install the --setup-ca was failing so we
> decided to install without it to make sure everything else worked. And it
> did; everything seems to be replicating properly and all is good.
>
> Now it's time to add the ca replication to the new server but it's failing
> with that error.
>
> Command output:
> # ipa-ca-install --skip-conncheck /var/lib/ipa/replica-info-new-server.example.com.gpg
> Directory Manager (existing master) password:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
> [1/22]: creating certificate server user
> [2/22]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
>
>
> ipareplica-ca-install.log output:
> 2016-08-17T15:25:52Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160817092533.log
> Loading deployment configuration from /tmp/tmp7cBK9P.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-08-17T15:25:52Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
> InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request
> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443"}
>
> 2016-08-17T15:25:52Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned non-zero exit status 1
> 2016-08-17T15:25:52Z CRITICAL See the installation logs and the following files/directories for more information:
> 2016-08-17T15:25:52Z CRITICAL /var/log/pki-ca-install.log
> 2016-08-17T15:25:52Z CRITICAL /var/log/pki/pki-tomcat
> 2016-08-17T15:25:52Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 622, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2016-08-17T15:25:52Z DEBUG [error] RuntimeError: CA configuration failed.
> 2016-08-17T15:25:52Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-ca-install", line 202, in main
>     install_replica(safe_options, options, filename)
>
>   File "/sbin/ipa-ca-install", line 150, in install_replica
>     ca.install(True, config, options)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 114, in install
>     install_step_0(standalone, replica_config, options)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 138, in install_step_0
>     ra_p12=getattr(options, 'ra_p12', None))
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1545, in install_replica_ca
>     subject_base=config.subject_base)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 488, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>     run_step(full_msg, method)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 622, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>     self.handle_setup_error(e)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2016-08-17T15:25:52Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
>
>
> ****
>
> I've tried running the pkispawn command manually by using the
> deployment.cfg file but it gives the same error:
>
> # pkidestroy -s CA -i pki-tomcat
> Log file: /var/log/pki/pki-ca-destroy.20160817093402.log
> Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
> Uninstalling CA from /var/lib/pki/pki-tomcat.
> pkidestroy : WARNING ....... this 'CA' entry will NOT be deleted from security domain 'unknown'!
> pkidestroy : ERROR ....... No security domain defined.
> If this is an unconfigured instance, then that is OK.
> Otherwise, manually delete the entry from the security domain master.
>
> Uninstallation complete.
>
> # /usr/sbin/pkispawn -s CA -f /tmp/replica_file
> Log file: /var/log/pki/pki-ca-spawn.20160817093444.log
> Loading deployment configuration from /tmp/replica_file.
> /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
> InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request
> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443"}
>
> Installation failed.
>
>
> Any ideas on how to proceed would be much appreciated!
>
> Thanks!
> -John
>

--
*Jack Eidsness*
*Developer, NOPSS | Zayo Group*
13861 Sunrise Valley Dr, Herndon, VA 20171
Cell: 301.706.3912 | jack.eidsn...@zayo.com