Followup: I also tested converting an existing 4.2 system to be a CA
by running ipa-ca-install <path to original replica file> and got the
same error. So it seems the original system had a failure point prior
to the heating issues. The 4.2 system has been running for quite a
while (with regular updates from an early 4.0).
On Wed, 2016-01-13 at 18:10 -0500, James Kinney wrote:
> I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and
> the replica process is failing to install on the new system:
>
> 2016-01-13T17:27:46Z DEBUG Starting external process
> 2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'
> 2016-01-13T17:28:19Z DEBUG Process finished, return code=1
> 2016-01-13T17:28:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160113122746.log
> Loading deployment configuration from /tmp/tmpjklK4o.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-01-13T17:28:19Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
> InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Clone does not have all the required certificates"}
>
> 2016-01-13T17:28:19Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'' returned non-zero exit status 1
> 2016-01-13T17:28:19Z CRITICAL See the installation logs and the following files/directories for more information:
> 2016-01-13T17:28:19Z CRITICAL /var/log/pki-ca-install.log
> 2016-01-13T17:28:19Z CRITICAL /var/log/pki/pki-tomcat
> 2016-01-13T17:28:19Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2016-01-13T17:28:19Z DEBUG [error] RuntimeError: CA configuration failed.
> 2016-01-13T17:28:19Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>
>
>
> It looks to me that the original, first install version 3.0 system is
> generating a bad gpg file. Will a reinstall of the original cert file
> solve this? If so, where and what is the best procedure? Is there a
> way to add CA capability to an existing master replicant by reusing
> its original replica.gpg file?
>
> Background: the old v3.0 system runs on a virtual machine (ovirt).
> The physical host had a series of "bad days" that involved multiple
> crashes and lock-ups that were ultimately attributed to insufficient
> cooling of the RAID card. It is suspected that the data was scrambled
> on the drive. The original cert is backed up but the remaining
> machine backups are of dubious quality (long story - bad week at the
> datacenter).
>
> This is the last system on old hardware that was hit when the
> datacenter cooling totally failed and erased all the backups. Some
> days you're the pigeon, some days you're the statue.
>
>
> --
>
>
>
> Jim Kinney
> Senior System Administrator
> 36 Eagle Row Suite 588
> Department of Biomedical Informatics
> Emory University School of Medicine
> jkin...@emory.edu
> 404-712-0300
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
--
Jim Kinney
Senior System Administrator
36 Eagle Row Suite 588
Department of Biomedical Informatics
Emory University School of Medicine
jkin...@emory.edu
404-712-0300
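
The stderr quoted above carries a JSON error body right after the ParseError line. The following added example (not part of the original message, and not FreeIPA or Dogtag code) pulls pkispawn WARNING/ERROR lines and any embedded PKIException body out of such a log so the server-side message is easy to read; the function names are hypothetical and the sample is constructed from the quoted lines with the mail wrapping undone.

```python
import json
import re

# Constructed sample: the pkispawn stderr from the post, mail line-wrapping undone.
SAMPLE_STDERR = """\
pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Clone does not have all the required certificates"}
"""

# "pkispawn : LEVEL ....... message" as it appears in the quoted log.
LEVEL_RE = re.compile(r"^pkispawn\s*:\s*(WARNING|ERROR)\s*\.+\s*(.*)$", re.M)


def pkispawn_messages(text):
    """Return (level, message) pairs for pkispawn WARNING/ERROR lines."""
    return [(m.group(1), m.group(2).strip()) for m in LEVEL_RE.finditer(text)]


def embedded_pki_exceptions(text):
    """Return JSON objects in the log that carry ClassName and Message keys."""
    decoder = json.JSONDecoder()
    found, pos = [], 0
    while (pos := text.find("{", pos)) != -1:
        try:
            # raw_decode parses one JSON value starting at pos and ignores what follows.
            obj, end = decoder.raw_decode(text, pos)
        except ValueError:
            pos += 1  # a brace that does not start valid JSON; keep scanning
            continue
        if isinstance(obj, dict) and "ClassName" in obj and "Message" in obj:
            found.append(obj)
        pos = end
    return found


if __name__ == "__main__":
    for level, msg in pkispawn_messages(SAMPLE_STDERR):
        print(f"{level:8} {msg}")
    for exc in embedded_pki_exceptions(SAMPLE_STDERR):
        print(f"server said: [{exc.get('Code')}] {exc['ClassName']}: {exc['Message']}")
```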