[Freeipa-users] CA replication

Dan Scott danieljamesscott at gmail.com
Fri Dec 9 15:16:41 UTC 2011


Hi,

On Fri, Dec 9, 2011 at 09:24, Rob Crittenden <rcritten at redhat.com> wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> On Thu, Dec 8, 2011 at 13:29, Rob Crittenden<rcritten at redhat.com>  wrote:
>>>
>>> Dan Scott wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I just tried to add a CA replica to my IPA replica (Both Fedora 15)
>>>> using:
>>>>
>>>> ipa-ca-install replica-info-ohm.gpg
>>>>
>>>> It proceeds to configure the directory server for the CA, but fails
>>>> when 'configuring certificate server':
>>>>
>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>   [1/11]: creating certificate server user
>>>>   [2/11]: creating pki-ca instance
>>>>   [3/11]: configuring certificate server instance
>>>> root        : CRITICAL failed to configure ca instance Command
>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>>>> 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
>>>> '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>>>> 'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>>>> 'root at localhost' '-admin_password' XXXXXXXX '-agent_name'
>>>> 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
>>>> '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
>>>> 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
>>>> Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
>>>> 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
>>>> 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
>>>> '-subsystem_name' 'pki-cad' '-token_name' 'internal'
>>>> '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
>>>> '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
>>>> '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
>>>> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
>>>> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
>>>> 'https://curie.example.com:443'' returned non-zero exit status 255
>>>> creation of replica failed: Configuration of CA failed
>>>>
>>>> Some errors from /var/log/ipareplica-ca-install.log
>>>>
>>>> Error in DomainPanel(): updateStatus value is null
>>>> ERROR: ConfigureCA: DomainPanel() failure
>>>> ERROR: unable to create CA
>>>>
>>>>   File "/usr/sbin/ipa-ca-install", line 156, in<module>
>>>>     main()
>>>>
>>>>   File "/usr/sbin/ipa-ca-install", line 141, in main
>>>>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>>
>>>>   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 1136, in install_replica_ca
>>>>     subject_base=config.subject_base)
>>>>
>>>>   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 537, in configure_instance
>>>>     self.start_creation("Configuring certificate server", 210)
>>>>
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 248, in start_creation
>>>>     method()
>>>>
>>>>   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 680, in __configure_instance
>>>>     raise RuntimeError('Configuration of CA failed')
>>>>
>>>> Anyone have any ideas?
>>>
>>>
>>>
>>> /var/log/pki-ca/debug probably has more details.
>>
>>
>> This file contains the following errors:
>>
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
>> SSL Admin HTTPS . . .
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>> White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
>> no successful response for SSL Admin HTTPS
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
>> getCertChainUsingSecureAdminPort start
>> [08/Dec/2011:12:24:40][http-9445-2]:
>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>> 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
>> getCertChainUsingSecureAdminPort: java.io.IOException:
>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>> spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
>> /ca/admin/ca/getStatus
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to
>> service.
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
>> 12:24:40 EST 2011 id=caGetStatus time=32
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML
>> parsed
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
>> [08/Dec/2011:12:24:40][http-9445-2]: panel no=3
>> [08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
>> [08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
>> [08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
>> org.apache.catalina.connector.ResponseFacade
>> [08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
>> org.apache.catalina.connector.RequestFacade
>
>
> I'll point the dogtag guys at this to see if they notice anything.
>
>
>>> This might also be ticket https://fedorahosted.org/freeipa/ticket/2148
>>
>>
>> The script passes the port-check, so it doesn't look like it's the
>> issue mentioned. Is there a workaround for this issue?
>
>
> This is different from port-check. Dogtag stores the security domain
> information in its LDAP database. When creating a replica (or clone, in
> dogtag lingo) it compares the ports being requested with what is stored in
> the security domain and will reject if they don't match. Look for invalid
> clone_uri in the debug log to see if this is the problem.

There's no mention of clone_uri anywhere in the debug log.

Dan
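Added example, not code from this thread or from FreeIPA/Dogtag: a small consistency check of the kind Rob describes (the host and ports a clone request asks for compared against what the security domain has recorded), plus a helper that distinguishes a real pingCS status reply from a non-XML page, which is what a SAXParseException during pingCS usually points to. The security-domain attribute names (Host, SecurePort, SecureAdminPort, Clone) are an assumption about Dogtag's ou=Security Domain layout, and the sample records and replies are constructed to match the hostnames in the thread.

```python
"""Consistency check between a clone request and the security-domain records
a Dogtag CA keeps in LDAP (added example; assumptions noted inline)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a security domain.  The attribute names follow what
# Dogtag keeps under ou=Security Domain in its LDAP database (assumption);
# the values are made up to match the hostnames used in the thread.
SECURITY_DOMAIN = [
    {"Host": "curie.example.com", "SecurePort": "9444",
     "SecureAdminPort": "443", "Clone": "FALSE"},
]


def parse_clone_uri(uri):
    """Return (host, port) from a clone_uri such as https://curie.example.com:443.
    Only https is accepted; a missing port defaults to 443."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("clone_uri must be an https URL with a host: %r" % uri)
    return parts.hostname, parts.port or 443


def find_domain_entry(domain, host):
    """Return the security-domain record for host (case-insensitive), or None."""
    for entry in domain:
        if entry["Host"].lower() == host.lower():
            return entry
    return None


def check_clone_request(domain, sd_hostname, sd_admin_port, clone_uri):
    """Return a list of mismatches between the request and the domain records.
    An empty list means the request is consistent with what is stored."""
    problems = []
    uri_host, uri_port = parse_clone_uri(clone_uri)
    if uri_host.lower() != sd_hostname.lower():
        problems.append("clone_uri host %s differs from sd_hostname %s"
                        % (uri_host, sd_hostname))
    entry = find_domain_entry(domain, sd_hostname)
    if entry is None:
        problems.append("%s is not registered in the security domain"
                        % sd_hostname)
        return problems
    if str(sd_admin_port) != entry["SecureAdminPort"]:
        problems.append("sd_admin_port %s does not match recorded "
                        "SecureAdminPort %s"
                        % (sd_admin_port, entry["SecureAdminPort"]))
    # The clone reaches the master on one of the master's recorded secure ports.
    if str(uri_port) not in (entry["SecureAdminPort"], entry["SecurePort"]):
        problems.append("clone_uri port %s is neither the recorded admin port "
                        "%s nor the recorded secure port %s"
                        % (uri_port, entry["SecureAdminPort"],
                           entry["SecurePort"]))
    return problems


def ping_state(body):
    """Interpret a reply to /ca/admin/ca/getStatus.  Returns the <State> text
    of an XMLResponse document, or None when the body is not such a document
    (an HTML error page, for instance, is what makes pingCS's XML parser fail)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "XMLResponse":
        return None
    state = root.find("State")
    return state.text if state is not None else None


# Constructed replies: a well-formed status document and an HTML error page.
GOOD_REPLY = ("<XMLResponse><State>1</State><Type>CA</Type>"
              "<Status>running</Status></XMLResponse>")
BAD_REPLY = "<html><body><p>Service Unavailable</body></html>"

if __name__ == "__main__":
    print(check_clone_request(SECURITY_DOMAIN, "curie.example.com", 443,
                              "https://curie.example.com:443"))
    print(ping_state(GOOD_REPLY), ping_state(BAD_REPLY))
```

Run against a dump of the real security-domain subtree, the port comparison reproduces the rejection Rob mentions before the installer is re-run; ping_state applied to whatever the admin port actually returned shows whether the "White spaces are required between publicId and systemId" error came from a page that was never XML to begin with.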