[Freeipa-users] Problem installing replica CA

Dan Scott danieljamesscott at gmail.com
Fri Apr 20 16:15:17 UTC 2012


Hi,

My FreeIPA servers were in a real mess recently and I think I've
finally got them into a reasonable state by cleaning up the tombstone
entries and fixing some broken replication agreements.

I'm trying to set up a new replica and receive the following error:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/12]: creating certificate server user
  [2/12]: creating pki-ca instance
  [3/12]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
'5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin'
'-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
'-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
'-agent_key_type' 'rsa' '-agent_cert_subject'
'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
'-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
'-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
'-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname'
'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
'-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
exit status 255
creation of replica failed: Configuration of CA failed

The /var/log/pki-ca/debug file contains:

[20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to
import user certificate.org.mozilla.jss.crypto.TokenException:
PK11_ImportDERCertForKey Unable to import certificate to its token:
(-8054) You are attempting to import a cert with the same
issuer/serial as an existing cert, but that is not the same cert.
[20/Apr/2012:12:07:36][http-9445-1]: Updating local request... certTag=sslserver
[20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
[20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
[20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
[20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
[20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
[20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
[20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12
[20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13
[20/Apr/2012:12:07:36][http-9445-1]: panel no=13
[20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys
[20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19
[20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
org.apache.catalina.connector.ResponseFacade
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type java.lang.Boolean
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
org.apache.catalina.connector.RequestFacade

So it looks like there's some certificate confusion going on.

Can someone help? Is there anything particularly sensitive in the
/var/log/ipareplica-install.log or /var/log/pki-ca/debug files, such
that I shouldn't send them to the list?

Thanks,

Dan
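The -8054 error quoted above is NSS refusing to import a certificate whose issuer and serial number already exist in the token but with different bytes (SEC_ERROR_REUSED_ISSUER_AND_SERIAL). A practical check before retrying the replica install is to dump every certificate from the target NSS database and from the clone p12 and group them by (issuer, serial). The script below does that grouping on raw DER certificates; it is an added example written for this page, not part of Dan's post and not FreeIPA or Dogtag code. The sample entries are constructed skeleton certificates (only the leading tbsCertificate fields are well-formed), the nicknames are assumed, and the /var/lib/pki-ca/alias path in the usage note is an assumption about the pki-ca layout.

```python
"""Find issuer/serial collisions among DER certificates (NSS error -8054 check)."""
import hashlib
from collections import defaultdict


def _read_tlv(buf, pos):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_identity(der):
    """Return (issuer_name_der, serial_int, sha256_hex) for a DER X.509 certificate.

    Only the leading fields of tbsCertificate are walked; issuer and serial are
    all NSS compares when it decides two certs "have the same issuer/serial".
    """
    tag, cert_start, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, cert_start)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, vstart, vend = _read_tlv(der, pos)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    serial = int.from_bytes(der[vstart:vend], "big", signed=True)
    tag, _, sig_end = _read_tlv(der, vend)            # signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signature AlgorithmIdentifier missing")
    tag, _, issuer_end = _read_tlv(der, sig_end)      # issuer Name ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("issuer Name missing")
    issuer_der = der[sig_end:issuer_end]              # whole TLV, compared byte-for-byte
    return issuer_der, serial, hashlib.sha256(der).hexdigest()


def find_conflicts(certs):
    """certs: {nickname: der_bytes}. Return (issuer, serial) pairs that map to more
    than one distinct certificate, which is what PK11_ImportDERCertForKey rejects."""
    groups = defaultdict(lambda: defaultdict(list))   # (issuer, serial) -> fingerprint -> [nicknames]
    for nick, der in certs.items():
        issuer, serial, fp = cert_identity(der)
        groups[(issuer, serial)][fp].append(nick)
    conflicts = []
    for (issuer, serial), by_fp in groups.items():
        if len(by_fp) > 1:                            # same identity, different bytes
            conflicts.append({
                "issuer_der_hex": issuer.hex(),
                "serial": serial,
                "nicknames": sorted(n for nicks in by_fp.values() for n in nicks),
            })
    return sorted(conflicts, key=lambda c: c["serial"])


# --- constructed sample input (NOT real certificates): minimal DER skeletons whose
# --- leading tbsCertificate fields are well-formed, enough to exercise the parser.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        hdr = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + body


def _der_int(value):
    # extra byte keeps the sign bit clear, as DER requires for positive INTEGERs
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


_SHA256_RSA = _tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")


def fake_cert(issuer_cn, serial, marker):
    """Skeleton cert with issuer CN=<issuer_cn> and the given serial; `marker`
    is filler that makes two skeletons byte-different (hypothetical, not real X.509)."""
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, issuer_cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(serial) + _SHA256_RSA + issuer + _tlv(0x04, marker))
    return _tlv(0x30, tbs + _SHA256_RSA + _tlv(0x03, b"\x00" + marker))


SAMPLE_DB = {
    # the clone's CA signing cert, and the same bytes imported again under another nickname
    "caSigningCert cert-pki-ca": fake_cert("Certificate Authority", 1, b"ca-v1"),
    "caSigningCert cert-pki-ca (dup)": fake_cert("Certificate Authority", 1, b"ca-v1"),
    # two *different* server certs that both carry serial 10 from the same issuer
    "Server-Cert cert-pki-ca": fake_cert("Certificate Authority", 10, b"srv-new"),
    "Server-Cert cert-pki-ca (stale)": fake_cert("Certificate Authority", 10, b"srv-old"),
    # an unrelated serial, no collision
    "ocspSigningCert cert-pki-ca": fake_cert("Certificate Authority", 11, b"ocsp"),
}


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_DB):
        print("serial %d issued by %s: %s" % (c["serial"], c["issuer_der_hex"], ", ".join(c["nicknames"])))
```

On a real host, feed the function DER bytes instead of the constructed ones: `certutil -L -d /var/lib/pki-ca/alias` lists the nicknames and `certutil -L -d /var/lib/pki-ca/alias -n '<nick>' -r` dumps one certificate as DER; the clone p12 can be unpacked with `openssl pkcs12 -in ca.p12 -nokeys` and each PEM converted with `openssl x509 -outform DER`. A reported pair with two different nicknames is the stale entry to remove (or the p12 to regenerate) before the CA configuration is retried; identical bytes under two nicknames are harmless.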
