[Freeipa-users] Another CA replica install issue

Rob Crittenden rcritten at redhat.com
Wed Mar 28 18:50:12 UTC 2012


Dan Scott wrote:
> Can anyone help with this?
>
> Thanks,
>
> Dan
>
> On Mon, Mar 26, 2012 at 16:17, Dan Scott <danieljamesscott at gmail.com> wrote:
>> On Mon, Mar 26, 2012 at 15:53, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm having another replica CA install issue. Fedora 16 with latest
>>>> updates applied this morning:
>>>>
>>>> ipa-ca-install replica-info-fileserver4.example.com.gpg
>>>>
>>>> [snip]
>>>>
>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>    [1/11]: creating certificate server user
>>>>    [2/11]: creating pki-ca instance
>>>>    [3/11]: configuring certificate server instance
>>>> root        : CRITICAL failed to configure ca instance Command
>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>>>> 'fileserver4.example.com' '-cs_port' '9445' '-client_certdb_dir'
>>>> '/tmp/tmp-w8FRe5' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>>>> 'zIK3zLWJhhdzciy3HiE3' '-domain_name' 'IPA' '-admin_user' 'admin'
>>>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
>>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
>>>> '-agent_key_type' 'rsa' '-agent_cert_subject'
>>>> 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'fileserver4.example.com'
>>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>>>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>>>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>>>> Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>>>> Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name'
>>>> 'CN=fileserver4.example.com,O=EXAMPLE.COM'
>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname'
>>>> 'fileserver1.example.com' '-sd_admin_port' '443' '-sd_admin_name'
>>>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
>>>> '-clone_uri' 'https://fileserver1.example.com:443'' returned non-zero
>>>> exit status 255
>>>> creation of replica failed: Configuration of CA failed
>>>>
>>>> /var/log/ipareplica-ca-install.log contains:
>>>>
>>>> <errorString>org.xml.sax.SAXParseException; lineNumber: 1;
>>>> columnNumber: 50; White spaces are required between publicId and
>>>> systemId.</errorString>
>>>>
>>>> 2012-03-26 14:22:36,714 DEBUG Configuration of CA failed
>>>>    File "/usr/sbin/ipa-ca-install", line 157, in<module>
>>>>      main()
>>>>
>>>>    File "/usr/sbin/ipa-ca-install", line 142, in main
>>>>      (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>>
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 1136, in install_replica_ca
>>>>      subject_base=config.subject_base)
>>>>
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 537, in configure_instance
>>>>      self.start_creation("Configuring certificate server", 210)
>>>>
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 248, in start_creation
>>>>      method()
>>>>
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 680, in __configure_instance
>>>>      raise RuntimeError('Configuration of CA failed')
>>>>
>>>> /var/log/pki-ca/debug contains:
>>>>
>>>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: validating
>>>> SSL Admin HTTPS . . .
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: pingCS: parser
>>>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>>>> White spaces are required between publicId and systemId.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: pingAdminCS
>>>> no successful response for SSL Admin HTTPS
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase
>>>> getCertChainUsingSecureAdminPort start
>>>> [26/Mar/2012:14:22:36][http-9445-2]:
>>>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>>>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>>>> 50; White spaces are required between publicId and systemId.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase:
>>>> getCertChainUsingSecureAdminPort: java.io.IOException:
>>>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>>>> spaces are required between publicId and systemId.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>>>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet:service() uri =
>>>> /ca/admin/ca/getStatus
>>>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: caGetStatus start to
>>>> service.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: got XML
>>>> parsed
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: state=0
>>>> [26/Mar/2012:14:22:36][http-9445-2]: panel no=3
>>>> [26/Mar/2012:14:22:36][http-9445-2]: panel name=securitydomain
>>>> [26/Mar/2012:14:22:36][http-9445-2]: total number of panels=19
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardServlet: found xml
>>>> [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type
>>>> org.apache.catalina.connector.ResponseFacade
>>>> [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type
>>>> org.apache.catalina.connector.RequestFacade
>>>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: curDate=Mon Mar 26
>>>> 14:22:36 EDT 2012 id=caGetStatus time=13
>>>>
>>>> I found a SELinux error:
>>>>
>>>> type=AVC msg=audit(1332788252.062:222): avc:  denied  { name_connect }
>>>> for  pid=3042 comm="java" dest=43323
>>>> scontext=system_u:system_r:pki_ca_t:s0
>>>> tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
>>>>
>>>> But the install still failed in the same way after I put SELinux into
>>>> enforcing mode.
>>>
>>>
>>> I assume you mean you set it to permissive mode?
>>
>> Yes, sorry.
>>
>>> What about /var/log/ipareplica-ca-install.log, what is at the end of that?
>>
>> The errors from that are in the second part of the message above.
>> Right after the console output and before /var/log/pki-ca/debug
>>
>> Thanks,
>>
>> Dan

Sorry, I meant to respond yesterday.

We need more context. This type of error sometimes occurs well before 
the actual exception. Can we see the full ipareplica-install.log and CA 
debug log? You can send them to me privately if you wish.

rob
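The failure above is the clone wizard's pingCS call choking on what comes back from the security domain's admin port (`/ca/admin/ca/getStatus` on fileserver1): the SAX error "White spaces are required between publicId and systemId" is what a DOCTYPE line from an HTML page, not XML, produces. The following check is an added example, not code from the thread or from FreeIPA/Dogtag; it classifies a response body the same way, using constructed sample bodies, and assumes an `<XMLResponse><State>` layout (only the state value itself appears in the debug log).

```python
import xml.etree.ElementTree as ET
import urllib.request

# Constructed samples, not captured from the thread. The first is the kind of
# XML the clone wizard expects from getStatus (element names are an
# assumption); the second is an HTML error page whose DOCTYPE has no space
# between the public and system identifiers, exactly the condition the SAX
# parser in the thread complains about.
GOOD_STATUS = (b'<?xml version="1.0"?><XMLResponse><State>1</State>'
               b'<Type>CA</Type><Status>running</Status></XMLResponse>')
HTML_ERROR_PAGE = (b'<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"'
                   b'"http://www.w3.org/TR/html4/strict.dtd"><html><body>'
                   b'<h1>503 Service Unavailable</h1></body></html>')


def check_status_body(body):
    """Classify a getStatus body as the wizard's XML parser would see it.

    Returns a dict: ok (bool), state (int or None), reason (str).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Not XML at all. Distinguish an HTML page (proxy, error page, wrong
        # port) from merely malformed XML so the admin knows where to look.
        head = body.lstrip()[:15].lower()
        if head.startswith(b'<!doctype') or head.startswith(b'<html'):
            reason = 'HTML page instead of XML from admin port: %s' % exc
        else:
            reason = 'not well-formed XML: %s' % exc
        return {'ok': False, 'state': None, 'reason': reason}
    state = root.findtext('State')
    if state is None:
        return {'ok': False, 'state': None, 'reason': 'no <State> element'}
    return {'ok': True, 'state': int(state), 'reason': 'parsed'}


def fetch_status_body(url, timeout=10):
    """Fetch the raw getStatus body from the security domain (needs network).

    Example url (hostname from the thread):
    https://fileserver1.example.com:443/ca/admin/ca/getStatus
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == '__main__':
    for body in (GOOD_STATUS, HTML_ERROR_PAGE):
        print(check_status_body(body))
```

Run `check_status_body(fetch_status_body(url))` from the failing replica to see what the wizard actually received before rerunning ipa-ca-install.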