<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 09/17/2013 03:40 PM, Trevor T Kates (Services - 6) wrote:
    <blockquote
cite="mid:C87AF9F44FE9AC4584EC3ACBE6A1079A030900@OJRE10W801.mbu.ad.dominionnet.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <style id="owaParaStyle" type="text/css">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
P {margin-top:0;margin-bottom:0;}</style>
      <div style="direction: ltr; font-family: Candara; color: rgb(0, 0,
        0); font-size: 10pt;">
        <div style="font-family: Times New Roman; color: rgb(0, 0, 0);
          font-size: 16px;">I apologize for the weird subject. The
          problem I'm facing feels a little weird and I could use some
          help.<br>
          <div>
            <div style="direction: ltr; font-family: Candara; color:
              rgb(0, 0, 0); font-size: 10pt;"><br>
              I'm running IPA in a test environment and trying to find
              different ways in which I can break it and then repair it.
              My IPA is running on CentOS 6.4:<br>
              <br>
              Linux ipa00.testdomain.com 2.6.32-358.18.1.el6.x86_64 #1
              SMP Wed Aug 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64
              GNU/Linux<br>
              bind-9.8.2-0.17.rc1.el6_4.6.x86_64<br>
              <div>bind-dyndb-ldap-2.3-2.el6_4.1.x86_64<br>
                ipa-server-3.0.0-26.el6_4.4.x86_64<br>
                <br>
                I seem to have created a problem for myself involving
                the original master server. At the beginning, I created
                a master IPA server with the dogtag CA and several
                replicas with replica dogtag CAs. I stored the
                /root/cacert.p12 file in a backup, reimaged the original
                master and turned it into a replica. In doing so, I seem
                to have eliminated my ability to create additional
                replicas due to not completely backing up everything
                related to the CA on the master. After preparing a
                replica on my reimaged master and attempting to install
                it on a different test server, I ran into the following
                error:<br>
                <br>
                [root@ipa04 ~]# ipa-replica-install --setup-ca -N
                --setup-dns
                /var/lib/ipa/replica-info-ipa04.testdomain.com.gpg<br>
                Directory Manager (existing master) password:<br>
                <br>
                Run connection check to master<br>
                Check connection from replica to remote master
                'ipa00.testdomain.com':<br>
                   Directory Service: Unsecure port (389): OK<br>
                   Directory Service: Secure port (636): OK<br>
                   Kerberos KDC: TCP (88): OK<br>
                   Kerberos Kpasswd: TCP (464): OK<br>
                   HTTP Server: Unsecure port (80): OK<br>
                   HTTP Server: Secure port (443): OK<br>
                   PKI-CA: Directory Service port (7389): OK<br>
                <br>
                The following list of ports use UDP protocol and would
                need to be<br>
                checked manually:<br>
                   Kerberos KDC: UDP (88): SKIPPED<br>
                   Kerberos Kpasswd: UDP (464): SKIPPED<br>
                <br>
                Connection from replica to master is OK.<br>
                Start listening on required ports for remote master
                check<br>
                Get credentials to log in to remote master<br>
                <a class="moz-txt-link-abbreviated" href="mailto:admin@TESTDOMAIN.COM">admin@TESTDOMAIN.COM</a> password:<br>
                <br>
                Execute check on remote master<br>
                <a class="moz-txt-link-abbreviated" href="mailto:admin@ipa00.testdomain.com">admin@ipa00.testdomain.com</a>'s password:<br>
                Check connection from master to remote replica
                'ipa04.testdomain.com':<br>
                   Directory Service: Unsecure port (389): OK<br>
                   Directory Service: Secure port (636): OK<br>
                   Kerberos KDC: TCP (88): OK<br>
                   Kerberos KDC: UDP (88): OK<br>
                   Kerberos Kpasswd: TCP (464): OK<br>
                   Kerberos Kpasswd: UDP (464): OK<br>
                   HTTP Server: Unsecure port (80): OK<br>
                   HTTP Server: Secure port (443): OK<br>
                   PKI-CA: Directory Service port (7389): OK<br>
                <br>
                Connection from master to replica is OK.<br>
                <br>
                Connection check OK<br>
                Configuring directory server for the CA (pkids):
                Estimated time 30 seconds<br>
                  [1/3]: creating directory server user<br>
                  [2/3]: creating directory server instance<br>
                  [3/3]: restarting directory server<br>
                Done configuring directory server for the CA (pkids).<br>
                Configuring certificate server (pki-cad): Estimated time
                3 minutes 30 seconds<br>
                  [1/17]: creating certificate server user<br>
                  [2/17]: creating pki-ca instance<br>
                  [3/17]: configuring certificate server instance<br>
                ipa         : CRITICAL failed to configure ca instance
                Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA
                -cs_hostname ipa04.testdomain.com -cs_port 9445
                -client_certdb_dir /tmp/tmp-krRAM2 -client_certdb_pwd
                XXXXXXXX -preop_pin 2e3Wsf8VDR8lEXLi3HyX -domain_name
                IPA -admin_user admin -admin_email root@localhost
                -admin_password XXXXXXXX -agent_name ipa-ca-agent
                -agent_key_size 2048 -agent_key_type rsa
                -agent_cert_subject CN=ipa-ca-agent,O=TESTDOMAIN.COM
                -ldap_host ipa04.testdomain.com -ldap_port 7389 -bind_dn
                cn=Directory Manager -bind_password XXXXXXXX -base_dn
                o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
                -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
                XXXXXXXX -subsystem_name pki-cad -token_name internal
                -ca_subsystem_cert_subject_name CN=CA
                Subsystem,O=TESTDOMAIN.COM
                -ca_subsystem_cert_subject_name CN=CA
                Subsystem,O=TESTDOMAIN.COM -ca_ocsp_cert_subject_name
                CN=OCSP Subsystem,O=TESTDOMAIN.COM
                -ca_server_cert_subject_name
                CN=ipa04.testdomain.com,O=TESTDOMAIN.COM
                -ca_audit_signing_cert_subject_name CN=CA
                Audit,O=TESTDOMAIN.COM -ca_sign_cert_subject_name
                CN=Certificate Authority,O=TESTDOMAIN.COM -external
                false -clone true -clone_p12_file ca.p12
                -clone_p12_password XXXXXXXX -sd_hostname
                ipa00.testdomain.com -sd_admin_port 443 -sd_admin_name
                admin -sd_admin_password XXXXXXXX -clone_start_tls true
                -clone_uri <a class="moz-txt-link-freetext" href="https://ipa00.testdomain.com:443">https://ipa00.testdomain.com:443</a>' returned
                non-zero exit status 255<br>
                <br>
                Your system may be partly configured.<br>
                Run /usr/sbin/ipa-server-install --uninstall to clean
                up.<br>
                <br>
                Configuration of CA failed<br>
                <br>
                ___<br>
                /var/log/ipareplica-install.log:<br>
                <br>
                #############################################<br>
                Attempting to connect to: ipa04.testdomain.com:9445<br>
                Connected.<br>
                Posting Query =
                <a class="moz-txt-link-freetext" href="https://ipa04.testdomain.com:9445//ca/admin/console/config/wi">https://ipa04.testdomain.com:9445//ca/admin/console/config/wi</a><br>
zard?p=5&subsystem=CA&session_id=-4262354986382644304&xml=true<br>
                RESPONSE STATUS:  HTTP/1.1 200 OK<br>
                RESPONSE HEADER:  Server: Apache-Coyote/1.1<br>
                RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8<br>
                RESPONSE HEADER:  Date: Tue, 17 Sep 2013 17:49:16 GMT<br>
                RESPONSE HEADER:  Connection: close<br>
                Exception in SecurityDomainLoginPanel():
                java.lang.Exception: Invalid clone_uri<br>
                ERROR: ConfigureSubCA: SecurityDomainLoginPanel()
                failure<br>
                ERROR: unable to create CA<br>
                <br>
#######################################################################<br>
                <br>
                2013-09-17T17:49:17Z DEBUG stderr=java.lang.Exception:
                Invalid clone_uri<br>
                        at
                ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:392)<br>
                        at
                ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1188)<br>
                        at ConfigureCA.main(ConfigureCA.java:1672)<br>
                <br>
                2013-09-17T17:49:17Z CRITICAL failed to configure ca
                instance Command '/usr/bin/perl /usr/bin/pkisilent
                ConfigureCA -cs_hostname ipa04.testdomain.com -cs_port
                9445 -client_certdb_dir /tmp/tmp-krRAM2
                -client_certdb_pwd XXXXXXXX -preop_pin
                2e3Wsf8VDR8lEXLi3HyX -domain_name IPA -admin_user admin
                -admin_email root@localhost -admin_password XXXXXXXX
                -agent_name ipa-ca-agent -agent_key_size 2048
                -agent_key_type rsa -agent_cert_subject
                CN=ipa-ca-agent,O=VANCPOWER.COM -ldap_host
                ipa04.testdomain.com -ldap_port 7389 -bind_dn
                cn=Directory Manager -bind_password XXXXXXXX -base_dn
                o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
                -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
                XXXXXXXX -subsystem_name pki-cad -token_name internal
                -ca_subsystem_cert_subject_name CN=CA
                Subsystem,O=VANCPOWER.COM
                -ca_subsystem_cert_subject_name CN=CA
                Subsystem,O=VANCPOWER.COM -ca_ocsp_cert_subject_name
                CN=OCSP Subsystem,O=VANCPOWER.COM
                -ca_server_cert_subject_name
                CN=ipa04.testdomain.com,O=VANCPOWER.COM
                -ca_audit_signing_cert_subject_name CN=CA
                Audit,O=VANCPOWER.COM -ca_sign_cert_subject_name
                CN=Certificate Authority,O=VANCPOWER.COM -external false
                -clone true -clone_p12_file ca.p12 -clone_p12_password
                XXXXXXXX -sd_hostname ipa00.testdomain.com
                -sd_admin_port 443 -sd_admin_name admin
                -sd_admin_password XXXXXXXX -clone_start_tls true
                -clone_uri <a class="moz-txt-link-freetext" href="https://ipa00.testdomain.com:443">https://ipa00.testdomain.com:443</a>' returned
                non-zero exit status 255<br>
                2013-09-17T17:49:17Z INFO   File
                "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
                line 614, in run_script<br>
                    return_value = main_function()<br>
                <br>
                  File "/usr/sbin/ipa-replica-install", line 467, in
                main<br>
                    (CA, cs) = cainstance.install_replica_ca(config)<br>
                <br>
                  File
                "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
                line 1604, in install_replica_ca<br>
                    subject_base=config.subject_base)<br>
                <br>
                  File
                "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
                line 617, in configure_instance<br>
                    self.start_creation(runtime=210)<br>
                <br>
                  File
                "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
                line 358, in start_creation<br>
                    method()<br>
                <br>
                  File
                "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
                line 879, in __configure_instance<br>
                    raise RuntimeError('Configuration of CA failed')<br>
                <br>
                2013-09-17T17:49:17Z INFO The ipa-replica-install
                command failed, exception: RuntimeError: Configuration
                of CA failed<br>
                <br>
                ___<br>
                <br>
                In the event that there is no recovery from this short
                of rebuilding the master, is there a way for me to
                repopulate it with existing data from the name server
                and user store? As always, your help is greatly
                appreciated.<br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Nathan, do you think it is a problem with IPA replica management or
    Dogtag?<br>
    <br>
    <blockquote
cite="mid:C87AF9F44FE9AC4584EC3ACBE6A1079A030900@OJRE10W801.mbu.ad.dominionnet.com"
      type="cite">
      <div style="direction: ltr;font-family: Candara;color:
        #000000;font-size: 10pt;">
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <div>
            <div style="direction:ltr; font-family:Candara;
              color:#000000; font-size:10pt">
              <div>
                <br>
                <br>
                Thanks.<br>
                <br>
                <br>
                <br>
                <div class="BodyFragment"><font size="2">
                    <div class="PlainText">Trevor T. Kates<br>
                    </div>
                  </font></div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

</pre>
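<p>A diagnostic a practitioner would want to run before rebuilding anything: the failing
step in the log above is pkisilent's clone setup rejecting
<tt>-clone_uri https://ipa00.testdomain.com:443</tt> with "Invalid clone_uri", and the
connection check already reached the CA's own directory server on port 7389. The script
below is an added editor's example, not code from FreeIPA, Dogtag or the thread. It assumes
(the thread does not establish this) that Dogtag records the CAs of its security domain as
LDAP entries under <tt>cn=CAList,ou=Security Domain,o=ipaca</tt> in that 7389 instance,
carrying <tt>host</tt>, <tt>SecurePort</tt>, <tt>Clone</tt> and <tt>DomainManager</tt>
attributes, and that the clone_uri must match one of those host:port pairs. The
<tt>query_calist</tt> function is the live ldapsearch; everything else runs offline against
a constructed LDIF sample so the check can be exercised without a CA.</p>

```shell
#!/bin/sh
# Added diagnostic for the "Invalid clone_uri" failure in the thread above.
# This is an editor's example, NOT code from FreeIPA, Dogtag or the poster.
#
# Assumptions (not established by the thread):
#   * Dogtag keeps the CAs of its security domain as LDAP entries under
#     cn=CAList,ou=Security Domain,o=ipaca in the CA's own 389-ds instance
#     (port 7389, the "PKI-CA: Directory Service port" the connection check hit),
#     with attributes host, SecurePort, Clone and DomainManager.
#   * pkisilent's clone setup only accepts a -clone_uri whose host:port is in
#     that list, so a host that was reimaged without being deregistered, or
#     re-registered under a different port, is a candidate cause of the error.

# Constructed sample (not real data): ipa01 and ipa02 hold CA clones, ipa00 is absent.
SAMPLE_LDIF='dn: cn=ipa01.testdomain.com:443,cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
cn: ipa01.testdomain.com:443
host: ipa01.testdomain.com
SecurePort: 443
Clone: TRUE
DomainManager: FALSE

dn: cn=ipa02.testdomain.com:443,cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
cn: ipa02.testdomain.com:443
host: ipa02.testdomain.com
SecurePort: 443
Clone: TRUE
DomainManager: TRUE
'

# Live query of the CA list on a CA host (prompts for the Directory Manager
# password; not executed here). Usage:
#   query_calist ipa00.testdomain.com | check_clone_uri https://ipa00.testdomain.com:443
query_calist() {
    ldapsearch -x -LLL -H "ldap://$1:7389" -D 'cn=Directory Manager' -W \
        -b 'cn=CAList,ou=Security Domain,o=ipaca' '(host=*)' \
        host SecurePort Clone DomainManager
}

# Reduce CAList LDIF on stdin to one line per CA: "host:SecurePort Clone DomainManager".
parse_calist() {
    awk '
        function flush() {
            if (host != "") print host ":" port " " clone " " dm
            host = ""; port = ""; clone = ""; dm = ""
        }
        /^dn:/                          { flush() }
        tolower($1) == "host:"          { host  = $2 }
        tolower($1) == "secureport:"    { port  = $2 }
        tolower($1) == "clone:"         { clone = $2 }
        tolower($1) == "domainmanager:" { dm    = $2 }
        END                             { flush() }
    '
}

# Strip scheme and path: https://ipa00.testdomain.com:443 -> ipa00.testdomain.com:443
clone_uri_hostport() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|/.*$||'
}

# check_clone_uri <clone_uri>: reads CAList LDIF on stdin, prints the matching
# CA line and returns 0 if the URI's host:port is registered, 1 otherwise.
check_clone_uri() {
    target=$(clone_uri_hostport "$1")
    parse_calist | awk -v t="$target" '
        tolower($1) == tolower(t) { print; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Stand-alone run against the constructed sample.
for uri in https://ipa01.testdomain.com:443 https://ipa00.testdomain.com:443; do
    if printf '%s\n' "$SAMPLE_LDIF" | check_clone_uri "$uri" >/dev/null; then
        echo "$uri: registered in CAList"
    else
        echo "$uri: not in CAList (would explain 'Invalid clone_uri' under the assumption above)"
    fi
done
```

<p>If the host in the clone_uri is missing from the list, or is listed with a port other than
the one in the URI, that is worth raising with the list before touching the master; if it is
present and the error persists, the cause lies elsewhere (the replica file's idea of the
master, or the CA on ipa00 itself). Also check that exactly one entry has
<tt>DomainManager: TRUE</tt>: under the assumption above, a reimaged host can leave the domain
with a stale or missing manager entry.</p>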
  </body>
</html>