Re: [Freeipa-users] error setting up replication client

2013-03-25 Thread Ade Lee
Ok.  The log directory being empty is indicative of the server not
having started - which is what I suspected based on the output you
provided.  There might have been some indication in /var/log/messages or
in /var/log/audit/audit.log (for SELinux) as to why this happened.

If this does happen again, I would check there.

Ade

On Thu, 2013-03-21 at 16:24 -0400, Patrick Hemmer wrote:
> I'm not sure what happened here. The log dir for pki-ca was completely
> empty. I restarted pki-ca, the log files were created, and it appeared
> to operate normally.
> I rebuilt the box from scratch (just to have a clean start) and
> everything came up perfectly fine.
> 
> -Patrick
> 
> 
> On 2013/20/03 12:54, Ade Lee wrote:
> > Patrick, 
> >
> > Can you provide some log files?  Looks like pkisilent is trying to get
> > to the first configuration panel on the CA and is getting a 302.
> >
> > I would need to see the logs under /var/log/pki-ca for the replica
> > subsystem.
> >
> > Thanks, 
> > Ade Lee
> >
> > On Wed, 2013-03-20 at 12:04 -0400, Patrick Hemmer wrote:
> >> I'm trying to set up an ipa replica, and each time I try the install
> >> process fails at the same point. When I look in the
> >> ipareplica-install.log I see a 302 redirection which seems to be
> >> causing the issue. Any ideas why this is happening (or if something
> >> else is the issue)?
> >>
> >> Thanks
> >>
> >> -Patrick
> >>
> >> (http://fpaste.org/gbYz/)
> >> 2013-03-15T17:19:50Z DEBUG stderr=
> >> 2013-03-15T17:19:50Z DEBUG   duration: 5 seconds
> >> 2013-03-15T17:19:50Z DEBUG   [3/17]: configuring certificate server 
> >> instance
> >> 2013-03-15T17:19:51Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent 
> >> ConfigureCA -cs_hostname i-d1579ba3.ipa-server.us-east-1.cloud.com 
> >> -cs_port 9445 -client_certdb_dir /tmp/tmp-2l64F1 -client_certdb_pw
> >> d  -preop_pin IWk44JzZT6A78Pha3SrM -domain_name IPA -admin_user 
> >> admin -admin_email root@localhost -admin_password  -agent_name 
> >> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -
> >> agent_cert_subject CN=ipa-ca-agent,O=CLOUD.COM -ldap_host 
> >> i-d1579ba3.ipa-server.us-east-1.cloud.com -ldap_port 7389 -bind_dn 
> >> cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name ip
> >> aca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 
> >> true -backup_pwd  -subsystem_name pki-cad -token_name internal 
> >> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD
> >> .COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD.COM 
> >> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=CLOUD.COM 
> >> -ca_server_cert_subject_name 
> >> CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=
> >> CLOUD.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=CLOUD.COM 
> >> -ca_sign_cert_subject_name CN=Certificate Authority,O=CLOUD.COM -external 
> >> false -clone true -clone_p12_file ca.p12 -clone_p12_pa
> >> ssword  -sd_hostname i-6775b715.ipa-server.us-east-1.cloud.com 
> >> -sd_admin_port 443 -sd_admin_name admin -sd_admin_password  
> >> -clone_start_tls true -clone_uri https://i-6775b715.ipa-ser
> >> ver.us-east-1.cloud.com:443
> >> 2013-03-15T17:19:51Z DEBUG stdout=libpath=/usr/lib64
> >> ###
> >> CRYPTO INIT WITH CERTDB:/tmp/tmp-2l64F1
> >> tokenpwd:
> >> #
> >> Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
> >> in TestCertApprovalCallback.approve()
> >> Peer cert details: 
> >>  subject: CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=CLOUD.COM
> >>  issuer:  CN=Certificate Authority,O=CLOUD.COM
> >>  serial:  3
> >> item 1 reason=-8172 depth=1
> >>  cert details: 
> >>  subject: CN=Certificate Authority,O=CLOUD.COM
> >>  issuer:  CN=Certificate Authority,O=CLOUD.COM
> >>  serial:  1
> >> importing certificate.
> >> Connected.
> >> Posting Query = 
> >> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/login?pin=IWk44JzZT6A78Pha3SrM&xml=true
> >> RESPONSE STATUS:  HTTP/1.1 200 OK
> >> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> >> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
> >> RESPONSE HEADER:  Content-Length: 0
> >> RESPONSE HEADER:  Date: Fri, 15 Mar 2013 17:19:51 GMT
> >> RESPONSE HEADER:  Connection: keep-alive
> >> xml returned: 
> >> #
> >> Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
> >> Connected.
> >> Posting Query = 
> >> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
> >> RESPONSE STATUS:  HTTP/1.1 302 Moved Temporarily
> >> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> >> RESPONSE HEADER:  Set-Cookie: JSESSIONID=A8B36AB92F386DB22B193215907C01AC; 
> >> Path=/ca; Secure
> >> RESPONSE HEADER:  Location: 
> >> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445/ca/admi

Re: [Freeipa-users] error setting up replication client

2013-03-21 Thread Patrick Hemmer
I'm not sure what happened here. The log dir for pki-ca was completely
empty. I restarted pki-ca, the log files were created, and it appeared
to operate normally.
I rebuilt the box from scratch (just to have a clean start) and
everything came up perfectly fine.

-Patrick


On 2013/20/03 12:54, Ade Lee wrote:
> Patrick, 
>
> Can you provide some log files?  Looks like pkisilent is trying to get
> to the first configuration panel on the CA and is getting a 302.
>
> I would need to see the logs under /var/log/pki-ca for the replica
> subsystem.
>
> Thanks, 
> Ade Lee
>
> On Wed, 2013-03-20 at 12:04 -0400, Patrick Hemmer wrote:
>> I'm trying to set up an ipa replica, and each time I try the install
>> process fails at the same point. When I look in the
>> ipareplica-install.log I see a 302 redirection which seems to be
>> causing the issue. Any ideas why this is happening (or if something
>> else is the issue)?
>>
>> Thanks
>>
>> -Patrick
>>
>> (http://fpaste.org/gbYz/)
>> 2013-03-15T17:19:50Z DEBUG stderr=
>> 2013-03-15T17:19:50Z DEBUG   duration: 5 seconds
>> 2013-03-15T17:19:50Z DEBUG   [3/17]: configuring certificate server instance
>> 2013-03-15T17:19:51Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA 
>> -cs_hostname i-d1579ba3.ipa-server.us-east-1.cloud.com -cs_port 9445 
>> -client_certdb_dir /tmp/tmp-2l64F1 -client_certdb_pw
>> d  -preop_pin IWk44JzZT6A78Pha3SrM -domain_name IPA -admin_user 
>> admin -admin_email root@localhost -admin_password  -agent_name 
>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -
>> agent_cert_subject CN=ipa-ca-agent,O=CLOUD.COM -ldap_host 
>> i-d1579ba3.ipa-server.us-east-1.cloud.com -ldap_port 7389 -bind_dn 
>> cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name ip
>> aca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true 
>> -backup_pwd  -subsystem_name pki-cad -token_name internal 
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD
>> .COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD.COM 
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=CLOUD.COM 
>> -ca_server_cert_subject_name CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=
>> CLOUD.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=CLOUD.COM 
>> -ca_sign_cert_subject_name CN=Certificate Authority,O=CLOUD.COM -external 
>> false -clone true -clone_p12_file ca.p12 -clone_p12_pa
>> ssword  -sd_hostname i-6775b715.ipa-server.us-east-1.cloud.com 
>> -sd_admin_port 443 -sd_admin_name admin -sd_admin_password  
>> -clone_start_tls true -clone_uri https://i-6775b715.ipa-ser
>> ver.us-east-1.cloud.com:443
>> 2013-03-15T17:19:51Z DEBUG stdout=libpath=/usr/lib64
>> ###
>> CRYPTO INIT WITH CERTDB:/tmp/tmp-2l64F1
>> tokenpwd:
>> #
>> Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
>> in TestCertApprovalCallback.approve()
>> Peer cert details: 
>>  subject: CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=CLOUD.COM
>>  issuer:  CN=Certificate Authority,O=CLOUD.COM
>>  serial:  3
>> item 1 reason=-8172 depth=1
>>  cert details: 
>>  subject: CN=Certificate Authority,O=CLOUD.COM
>>  issuer:  CN=Certificate Authority,O=CLOUD.COM
>>  serial:  1
>> importing certificate.
>> Connected.
>> Posting Query = 
>> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/login?pin=IWk44JzZT6A78Pha3SrM&xml=true
>> RESPONSE STATUS:  HTTP/1.1 200 OK
>> RESPONSE HEADER:  Server: Apache-Coyote/1.1
>> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
>> RESPONSE HEADER:  Content-Length: 0
>> RESPONSE HEADER:  Date: Fri, 15 Mar 2013 17:19:51 GMT
>> RESPONSE HEADER:  Connection: keep-alive
>> xml returned: 
>> #
>> Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
>> Connected.
>> Posting Query = 
>> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
>> RESPONSE STATUS:  HTTP/1.1 302 Moved Temporarily
>> RESPONSE HEADER:  Server: Apache-Coyote/1.1
>> RESPONSE HEADER:  Set-Cookie: JSESSIONID=A8B36AB92F386DB22B193215907C01AC; 
>> Path=/ca; Secure
>> RESPONSE HEADER:  Location: 
>> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445/ca/admin/console/config/login
>> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
>> RESPONSE HEADER:  Content-Length: 0
>> RESPONSE HEADER:  Date: Fri, 15 Mar 2013 17:19:51 GMT
>> RESPONSE HEADER:  Connection: keep-alive
>> ERROR: unable to parse xml
>> ERROR XML = 
>> ERROR: Tag=statushas no values
>> Error in LoginPanel(): status value is null
>> ERROR: ConfigureCA: LoginPanel() failure
>> ERROR: unable to create CA
>>
>> ###
>>
>> 2013-03-15T17:19:51Z DEBUG stderr=[Fatal Error] :-1:-1: Premature end of 
>> file.

Re: [Freeipa-users] error setting up replication client

2013-03-20 Thread Ade Lee
Patrick, 

Can you provide some log files?  Looks like pkisilent is trying to get
to the first configuration panel on the CA and is getting a 302.

I would need to see the logs under /var/log/pki-ca for the replica
subsystem.

Thanks, 
Ade Lee

On Wed, 2013-03-20 at 12:04 -0400, Patrick Hemmer wrote:
> I'm trying to set up an ipa replica, and each time I try the install
> process fails at the same point. When I look in the
> ipareplica-install.log I see a 302 redirection which seems to be
> causing the issue. Any ideas why this is happening (or if something
> else is the issue)?
> 
> Thanks
> 
> -Patrick
> 
> (http://fpaste.org/gbYz/)
> 2013-03-15T17:19:50Z DEBUG stderr=
> 2013-03-15T17:19:50Z DEBUG   duration: 5 seconds
> 2013-03-15T17:19:50Z DEBUG   [3/17]: configuring certificate server instance
> 2013-03-15T17:19:51Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA 
> -cs_hostname i-d1579ba3.ipa-server.us-east-1.cloud.com -cs_port 9445 
> -client_certdb_dir /tmp/tmp-2l64F1 -client_certdb_pw
> d  -preop_pin IWk44JzZT6A78Pha3SrM -domain_name IPA -admin_user admin 
> -admin_email root@localhost -admin_password  -agent_name ipa-ca-agent 
> -agent_key_size 2048 -agent_key_type rsa -
> agent_cert_subject CN=ipa-ca-agent,O=CLOUD.COM -ldap_host 
> i-d1579ba3.ipa-server.us-east-1.cloud.com -ldap_port 7389 -bind_dn 
> cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name ip
> aca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true 
> -backup_pwd  -subsystem_name pki-cad -token_name internal 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD
> .COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD.COM 
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=CLOUD.COM 
> -ca_server_cert_subject_name CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=
> CLOUD.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=CLOUD.COM 
> -ca_sign_cert_subject_name CN=Certificate Authority,O=CLOUD.COM -external 
> false -clone true -clone_p12_file ca.p12 -clone_p12_pa
> ssword  -sd_hostname i-6775b715.ipa-server.us-east-1.cloud.com 
> -sd_admin_port 443 -sd_admin_name admin -sd_admin_password  
> -clone_start_tls true -clone_uri https://i-6775b715.ipa-ser
> ver.us-east-1.cloud.com:443
> 2013-03-15T17:19:51Z DEBUG stdout=libpath=/usr/lib64
> ###
> CRYPTO INIT WITH CERTDB:/tmp/tmp-2l64F1
> tokenpwd:
> #
> Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
> in TestCertApprovalCallback.approve()
> Peer cert details: 
>  subject: CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=CLOUD.COM
>  issuer:  CN=Certificate Authority,O=CLOUD.COM
>  serial:  3
> item 1 reason=-8172 depth=1
>  cert details: 
>  subject: CN=Certificate Authority,O=CLOUD.COM
>  issuer:  CN=Certificate Authority,O=CLOUD.COM
>  serial:  1
> importing certificate.
> Connected.
> Posting Query = 
> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/login?pin=IWk44JzZT6A78Pha3SrM&xml=true
> RESPONSE STATUS:  HTTP/1.1 200 OK
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
> RESPONSE HEADER:  Content-Length: 0
> RESPONSE HEADER:  Date: Fri, 15 Mar 2013 17:19:51 GMT
> RESPONSE HEADER:  Connection: keep-alive
> xml returned: 
> #
> Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
> Connected.
> Posting Query = 
> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
> RESPONSE STATUS:  HTTP/1.1 302 Moved Temporarily
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> RESPONSE HEADER:  Set-Cookie: JSESSIONID=A8B36AB92F386DB22B193215907C01AC; 
> Path=/ca; Secure
> RESPONSE HEADER:  Location: 
> https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445/ca/admin/console/config/login
> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
> RESPONSE HEADER:  Content-Length: 0
> RESPONSE HEADER:  Date: Fri, 15 Mar 2013 17:19:51 GMT
> RESPONSE HEADER:  Connection: keep-alive
> ERROR: unable to parse xml
> ERROR XML = 
> ERROR: Tag=statushas no values
> Error in LoginPanel(): status value is null
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
> 
> ###
> 
> 2013-03-15T17:19:51Z DEBUG stderr=[Fatal Error] :-1:-1: Premature end of file.
> org.xml.sax.SAXParseException; Premature end of file.
> at org.apache.xerces.parsers.DOMParser.parse(DOMParser.java:239)
> at 
> org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:283)
> at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
> at ParseXML.parse(ParseXML.java:43)
> at ConfigureCA.getStatus(ConfigureCA.java:205)
>
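
The replies above read the pkisilent output as a CA that never started: the login request returns 200 with an empty body, and the first wizard panel is answered with a 302 back to the login page. The script below is an added example, not part of the thread and not FreeIPA or Dogtag code. It pulls those request/response pairs out of a mail-quoted install log and flags that pattern, masking the pre-op pin in anything it reports. The sample is constructed, with placeholder host and pin, and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the pkisilent output quoted in the thread;
# host and pin are placeholders.
SAMPLE = """\
> Posting Query =
> https://replica.example.test:9445//ca/admin/console/config/login?pin=PLACEHOLDERPIN&xml=true
> RESPONSE STATUS:  HTTP/1.1 200 OK
> RESPONSE HEADER:  Content-Length: 0
> Posting Query =
> https://replica.example.test:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
> RESPONSE STATUS:  HTTP/1.1 302 Moved Temporarily
> RESPONSE HEADER:  Location:
> https://replica.example.test:9445/ca/admin/console/config/login
> RESPONSE HEADER:  Content-Length: 0
"""

def parse_exchanges(text):
    """Return one dict per 'Posting Query': url, status, lower-cased headers."""
    exchanges, cur, pending = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop mail quote markers
        if line.startswith("Posting Query ="):
            cur = {"url": line.split("=", 1)[1].strip(), "status": None}
            exchanges.append(cur)
            pending = None if cur["url"] else "url"
        elif cur is None:
            continue
        elif pending and line.startswith("http"):  # value wrapped to next line
            cur[pending], pending = line, None
        elif line.startswith("RESPONSE STATUS:"):
            cur["status"] = int(line.split()[3])
        elif line.startswith("RESPONSE HEADER:"):
            name, _, value = line[len("RESPONSE HEADER:"):].partition(":")
            name, value = name.strip().lower(), value.strip()
            cur[name] = value
            pending = None if value else name
    return exchanges

def diagnose(exchanges):
    """Flag an empty 200 reply and a 302 that sends a panel back to login."""
    findings = []
    for ex in exchanges:
        url = re.sub(r"(pin=)[^&\s]+", r"\1<redacted>", ex["url"])  # mask pin
        if ex["status"] == 200 and ex.get("content-length") == "0":
            findings.append(("empty-200", url))
        if ex["status"] == 302 and ex.get("location", "").endswith("/config/login"):
            findings.append(("302-to-login", url))
    return findings
```

Both findings together match the failure in this thread, at which point the next places to look are /var/log/pki-ca, /var/log/messages and /var/log/audit/audit.log on the replica.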