Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
Quoting Endi Sukma Dewata:

> On 1/6/2015 4:55 AM, Anthony Messina wrote:
>>> I'm discussing this with Ade (CC'd). Based on the stack trace it looks
>>> like the replica thinks the master returns incomplete information
>>> about the security domain, probably due to the different Dogtag versions
>>> used in master and replica.
>>>
>>> We need some additional info:
>>>
>>> 1. What is the pki-ca version on the master (F20)?
>>
>> pki-ca-10.1.2-7.fc20.noarch
>>
>>> 2. What is the pki-ca version on the replica (F21)?
>>
>> pki-ca-10.2.0-5.fc21.noarch
>>
>>> 3. What is the output of this URL on the master?
>>> https://:8443/ca/rest/securityDomain/domainInfo
>>
>> FALSE TRUE ipa1.example.com 80 443 443 443 443 CA ipa1.example.com 8443 TRUE TRUE ipa2.example.com 80 443 443 443 443 CA ipa2.example.com 8443
>
> Thanks for the info. This is indeed a bug. I filed the following ticket
> for Dogtag:
>
> https://fedorahosted.org/pki/ticket/1235
>
> --
> Endi S. Dewata

Thank you Endi. -A

--
Anthony - https://messinet.com - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
On 1/6/2015 4:55 AM, Anthony Messina wrote:
>> I'm discussing this with Ade (CC'd). Based on the stack trace it looks
>> like the replica thinks the master returns incomplete information
>> about the security domain, probably due to the different Dogtag versions
>> used in master and replica.
>>
>> We need some additional info:
>>
>> 1. What is the pki-ca version on the master (F20)?
>
> pki-ca-10.1.2-7.fc20.noarch
>
>> 2. What is the pki-ca version on the replica (F21)?
>
> pki-ca-10.2.0-5.fc21.noarch
>
>> 3. What is the output of this URL on the master?
>> https://:8443/ca/rest/securityDomain/domainInfo
>
> FALSE TRUE ipa1.example.com 80 443 443 443 443 CA ipa1.example.com 8443 TRUE TRUE ipa2.example.com 80 443 443 443 443 CA ipa2.example.com 8443

Thanks for the info. This is indeed a bug. I filed the following ticket
for Dogtag:

https://fedorahosted.org/pki/ticket/1235

--
Endi S. Dewata
Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
On Monday, January 05, 2015 10:40:08 PM Endi Sukma Dewata wrote:
> On 1/5/2015 8:53 PM, Martin Kosek wrote:
> > On 01/05/2015 02:05 PM, Anthony Messina wrote:
> >>>> I was hoping to "migrate" from F20 to F21 using:
> >>>> http://www.freeipa.org/page/Howto/Migration
> >>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> >>>
> >>> The migration procedure is only needed if you run FreeIPA server with
> >>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
> >>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
> >>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
> >>
> >> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
> >> upgraded to F20. With the significant changes for Fedora.next,
> >> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and
> >> retire the old) by replicating the current F20 3.3.5 master to what
> >> would become an F21 4.1.2 master.
> >
> > Ah, makes more sense then. The PKI error below gets more serious then -
> > Fraser and Endi, please help Anthony.
>
> I'm discussing this with Ade (CC'd). Based on the stack trace it looks
> like the replica thinks the master returns incomplete information
> about the security domain, probably due to the different Dogtag versions
> used in master and replica.
>
> We need some additional info:
>
> 1. What is the pki-ca version on the master (F20)?

pki-ca-10.1.2-7.fc20.noarch

> 2. What is the pki-ca version on the replica (F21)?

pki-ca-10.2.0-5.fc21.noarch

> 3. What is the output of this URL on the master?
> https://:8443/ca/rest/securityDomain/domainInfo

FALSE TRUE ipa1.example.com 80 443 443 443 443 CA ipa1.example.com 8443 TRUE TRUE ipa2.example.com 80 443 443 443 443 CA ipa2.example.com 8443

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
Quoting Martin Kosek:

> On 01/05/2015 02:05 PM, Anthony Messina wrote:
>> Quoting Martin Kosek:
>>> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>>>> I was hoping to "migrate" from F20 to F21 using:
>>>> http://www.freeipa.org/page/Howto/Migration
>>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>
>>> The migration procedure is only needed if you run FreeIPA server with
>>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
>>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
>>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
>>
>> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
>> upgraded to F20. With the significant changes for Fedora.next,
>> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and
>> retire the old) by replicating the current F20 3.3.5 master to what
>> would become an F21 4.1.2 master.
>
> Ah, makes more sense then. The PKI error below gets more serious then -
> Fraser and Endi, please help Anthony.
>
>> While I use the yum upgrade procedure often with great success on a
>> number of my other servers, it can be tricky and sometimes unreliable,
>> leaving around cruft that can interfere with proper operation. I'm one
>> of those folks that's waiting patiently for the FreeIPA-to-FreeIPA
>> migration ;)
>
> I am just afraid everyone is just waiting and no one is willing to invest
> in this feature and code ;-)
>
> IIRC, the difficulty in implementing the migration tool is mostly in
> handling Kerberos and certificate data, which are based on data secret
> and unique to the original server.

You may be right here about everyone waiting. Unfortunately for this case,
I am not a programmer, but a mere sysadmin. However, I can do code/design
digging to look at the situation from outside the box to see what I might
be able to find.

>> Is the proper, recommended procedure to yum upgrade the F20 FreeIPA
>> 3.3.5 VM instance to F21 FreeIPA 4.1.2?
>
> It should work, yes.
>
>> Even so, it seems like I should be able to create a 4.1.2 replica of a
>> 3.3.5 master.
>
> Indeed. This looks like a bug :-(
>
>>>> Where the new F21 replica would become the new "master" from which I
>>>> would later create other F21 replica(s).
>>>>
>>>> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
>>>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>>>
>>>> The first F21 replica installation fails when attempting to setup the
>>>> CA and I'm not sure where to go from here. Any guidance is
>>>> appreciated. Thanks.
>>>
>>> CCing Fraser and Endi from PKI team to advise.
>>>
>>>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>>> 2015-01-03T23:09:39Z DEBUG Starting external process
>>>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
>>>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>>>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
>>>>
>>>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>>>>   File "/usr/sbin/pkispawn", line 579, in
>>>>     main(sys.argv)
>>>>   File "/usr/sbin/pkispawn", line 480, in main
>>>>     info = parser.sd_get_info()
>>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 464, in sd_get_info
>>>>     info = sd.get_security_domain_info()
>>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in get_security_domain_info
>>>>     info = SecurityDomainInfo.from_json(response.json())
>>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
>>>>     ret.name = json_value['id']
>>>> KeyError: 'id'
>>>>
>>>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit status 1
>>>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 671, in __spawn_instance
>>>>     raise RuntimeError('Configuration of CA failed')
>>>> RuntimeError: Configuration of CA failed

--
Anthony - https://messinet.com - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
On 1/5/2015 8:53 PM, Martin Kosek wrote:
> On 01/05/2015 02:05 PM, Anthony Messina wrote:
>>>> I was hoping to "migrate" from F20 to F21 using:
>>>> http://www.freeipa.org/page/Howto/Migration
>>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>
>>> The migration procedure is only needed if you run FreeIPA server with
>>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
>>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
>>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
>>
>> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
>> upgraded to F20. With the significant changes for Fedora.next,
>> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and
>> retire the old) by replicating the current F20 3.3.5 master to what
>> would become an F21 4.1.2 master.
>
> Ah, makes more sense then. The PKI error below gets more serious then -
> Fraser and Endi, please help Anthony.

I'm discussing this with Ade (CC'd). Based on the stack trace it looks
like the replica thinks the master returns incomplete information
about the security domain, probably due to the different Dogtag versions
used in master and replica.

We need some additional info:

1. What is the pki-ca version on the master (F20)?
2. What is the pki-ca version on the replica (F21)?
3. What is the output of this URL on the master?
   https://:8443/ca/rest/securityDomain/domainInfo

Thanks.

--
Endi S. Dewata
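The traceback quoted in this thread ends with `ret.name = json_value['id']` raising `KeyError: 'id'`, which tells the operator nothing about the peer or what it actually sent. The sketch below is an added example, not Dogtag code and not the fix tracked in the ticket: it checks the decoded response before reading it and reports the keys that were present. Only the `id` key comes from the traceback; the function names, the payloads and the `DomainInfo` wrapper key are assumptions made for illustration.

```python
# Added example, not Dogtag code: validate a security-domain JSON document
# before reading fields from it, so a peer running a different version
# yields a diagnosable error instead of a bare KeyError.


class SecurityDomainSchemaError(ValueError):
    """The peer's response lacks what this client needs to continue."""


# 'id' is the only key the traceback in this thread shows being read
# (pki/system.py, from_json). Anything else would be an assumption.
REQUIRED_KEYS = ("id",)


def parse_domain_name(json_value, peer="master"):
    """Return the security domain name from a decoded JSON response.

    Raises SecurityDomainSchemaError naming the peer, the missing keys and
    the keys that were actually present, which is what an operator needs
    to recognise a client/server version mismatch.
    """
    if not isinstance(json_value, dict):
        raise SecurityDomainSchemaError(
            "%s returned a JSON %s, expected an object"
            % (peer, type(json_value).__name__))

    missing = [key for key in REQUIRED_KEYS if key not in json_value]
    if missing:
        raise SecurityDomainSchemaError(
            "%s response is missing %s; top-level keys present: %s; "
            "check that both peers run compatible pki-ca versions"
            % (peer, missing, sorted(json_value)))

    name = json_value["id"]
    if not isinstance(name, str) or not name.strip():
        raise SecurityDomainSchemaError(
            "%s returned an empty or non-string security domain id" % peer)
    return name


def check_peer(json_value, peer="master"):
    """Pre-flight wrapper: return (ok, message) without raising."""
    try:
        return True, "security domain %r" % parse_domain_name(json_value, peer)
    except SecurityDomainSchemaError as exc:
        return False, str(exc)


# Constructed payloads. The real response shapes of either pki-ca version
# are not shown in the thread; "DomainInfo" is a hypothetical wrapper key.
EXPECTED_SHAPE = {"id": "EXAMPLE-DOMAIN"}
UNEXPECTED_SHAPE = {"DomainInfo": {"id": "EXAMPLE-DOMAIN"}}

if __name__ == "__main__":
    for label, payload in (("expected", EXPECTED_SHAPE),
                           ("unexpected", UNEXPECTED_SHAPE),
                           ("not an object", ["EXAMPLE-DOMAIN"])):
        print(label, "->", check_peer(payload))
```
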
Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
On 01/05/2015 02:05 PM, Anthony Messina wrote:
>
> Quoting Martin Kosek:
>
>> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>>> I was hoping to "migrate" from F20 to F21 using:
>>> http://www.freeipa.org/page/Howto/Migration
>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>
>> The migration procedure is only needed if you run FreeIPA server with
>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
>
> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
> upgraded to F20. With the significant changes for Fedora.next,
> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and retire
> the old) by replicating the current F20 3.3.5 master to what would become
> an F21 4.1.2 master.

Ah, makes more sense then. The PKI error below gets more serious then -
Fraser and Endi, please help Anthony.

> While I use the yum upgrade procedure often with great success on a
> number of my other servers, it can be tricky and sometimes unreliable,
> leaving around cruft that can interfere with proper operation. I'm one of
> those folks that's waiting patiently for the FreeIPA-to-FreeIPA
> migration ;)

I am just afraid everyone is just waiting and no one is willing to invest
in this feature and code ;-)

IIRC, the difficulty in implementing the migration tool is mostly in
handling Kerberos and certificate data, which are based on data secret and
unique to the original server.

> Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5
> VM instance to F21 FreeIPA 4.1.2?

It should work, yes.

> Even so, it seems like I should be able to create a 4.1.2 replica of a
> 3.3.5 master.

Indeed. This looks like a bug :-(

>>> Where the new F21 replica would become the new "master" from which I
>>> would later create other F21 replica(s).
>>>
>>> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
>>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>>
>>> The first F21 replica installation fails when attempting to setup the
>>> CA and I'm not sure where to go from here. Any guidance is appreciated.
>>> Thanks.
>>
>> CCing Fraser and Endi from PKI team to advise.
>>
>>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2015-01-03T23:09:39Z DEBUG Starting external process
>>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
>>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
>>>
>>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>>>   File "/usr/sbin/pkispawn", line 579, in
>>>     main(sys.argv)
>>>   File "/usr/sbin/pkispawn", line 480, in main
>>>     info = parser.sd_get_info()
>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 464, in sd_get_info
>>>     info = sd.get_security_domain_info()
>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in get_security_domain_info
>>>     info = SecurityDomainInfo.from_json(response.json())
>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
>>>     ret.name = json_value['id']
>>> KeyError: 'id'
>>>
>>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit status 1
>>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 671, in __spawn_instance
>>>     raise RuntimeError('Configuration of CA failed')
>>> RuntimeError: Configuration of CA failed
Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
Quoting Martin Kosek:

> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>> I was hoping to "migrate" from F20 to F21 using:
>> http://www.freeipa.org/page/Howto/Migration
>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> The migration procedure is only needed if you run FreeIPA server with PKI
> based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI
> instance functional? FreeIPA+Dogtag 9 is not supported since Fedora 18,
> so I was surprised such setup worked in Fedora 20.

I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
upgraded to F20. With the significant changes for Fedora.next, systemd-216,
and FreeIPA 4, I wanted to create a new "master" (and retire the old) by
replicating the current F20 3.3.5 master to what would become an F21 4.1.2
master.

While I use the yum upgrade procedure often with great success on a number
of my other servers, it can be tricky and sometimes unreliable, leaving
around cruft that can interfere with proper operation. I'm one of those
folks that's waiting patiently for the FreeIPA-to-FreeIPA migration ;)

Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5
VM instance to F21 FreeIPA 4.1.2?

Even so, it seems like I should be able to create a 4.1.2 replica of a
3.3.5 master.

>> Where the new F21 replica would become the new "master" from which I
>> would later create other F21 replica(s).
>>
>> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>
>> The first F21 replica installation fails when attempting to setup the CA
>> and I'm not sure where to go from here. Any guidance is appreciated.
>> Thanks.
>
> CCing Fraser and Endi from PKI team to advise.
>
>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2015-01-03T23:09:39Z DEBUG Starting external process
>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
>>
>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>>   File "/usr/sbin/pkispawn", line 579, in
>>     main(sys.argv)
>>   File "/usr/sbin/pkispawn", line 480, in main
>>     info = parser.sd_get_info()
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 464, in sd_get_info
>>     info = sd.get_security_domain_info()
>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in get_security_domain_info
>>     info = SecurityDomainInfo.from_json(response.json())
>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
>>     ret.name = json_value['id']
>> KeyError: 'id'
>>
>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit status 1
>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 671, in __spawn_instance
>>     raise RuntimeError('Configuration of CA failed')
>> RuntimeError: Configuration of CA failed

--
Anthony - https://messinet.com - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
On 01/04/2015 12:29 AM, Anthony Messina wrote:
> I was hoping to "migrate" from F20 to F21 using:
> http://www.freeipa.org/page/Howto/Migration
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

The migration procedure is only needed if you run FreeIPA server with PKI
based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI
instance functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so
I was surprised such setup worked in Fedora 20.

> Where the new F21 replica would become the new "master" from which I
> would later create other F21 replica(s).
>
> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>
> The first F21 replica installation fails when attempting to setup the CA
> and I'm not sure where to go from here. Any guidance is appreciated.
> Thanks.

CCing Fraser and Endi from PKI team to advise.

> 2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-03T23:09:39Z DEBUG Starting external process
> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
>
> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 579, in
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 480, in main
>     info = parser.sd_get_info()
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 464, in sd_get_info
>     info = sd.get_security_domain_info()
>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in get_security_domain_info
>     info = SecurityDomainInfo.from_json(response.json())
>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
>     ret.name = json_value['id']
> KeyError: 'id'
>
> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit status 1
> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 671, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
> RuntimeError: Configuration of CA failed