[Freeipa-users] Replica of a Replica and Master Recovery

Dmitri Pal dpal at redhat.com
Fri Sep 20 15:25:39 UTC 2013


On 09/17/2013 03:40 PM, Trevor T Kates (Services - 6) wrote:
> I apologize for the weird subject. The problem I'm facing feels a
> little weird and I could use some help.
>
> I'm running IPA in a test environment and trying to find different
> ways in which I can break it and then repair it. My IPA is running on
> CentOS 6.4:
>
> Linux ipa00.testdomain.com 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug
> 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> bind-9.8.2-0.17.rc1.el6_4.6.x86_64
> bind-dyndb-ldap-2.3-2.el6_4.1.x86_64
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> I seem to have created a problem for myself involving the original
> master server. At the beginning, I created a master IPA server with
> the dogtag CA and several replicas with replica dogtag CAs. I stored
> the /root/cacert.p12 file in a backup, reimaged the original master
> and turned it into a replica. In doing so, I seem to have eliminated
> my ability to create additional replicas due to not completely backing
> up everything related to the CA on the master. After preparing a
> replica on my reimaged master and attempting to install it on a
> different test server, I ran into the following error:
>
> [root at ipa04 ~]# ipa-replica-install --setup-ca -N --setup-dns
> /var/lib/ipa/replica-info-ipa04.testdomain.com.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipa00.testdomain.com':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin@TESTDOMAIN.COM password:
>
> Execute check on remote master
> admin@ipa00.testdomain.com's password:
> Check connection from master to remote replica 'ipa04.testdomain.com':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30
> seconds
>   [1/17]: creating certificate server user
>   [2/17]: creating pki-ca instance
>   [3/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa04.testdomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-krRAM2
> -client_certdb_pwd XXXXXXXX -preop_pin 2e3Wsf8VDR8lEXLi3HyX
> -domain_name IPA -admin_user admin -admin_email root@localhost
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=TESTDOMAIN.COM -ldap_host ipa04.testdomain.com
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTDOMAIN.COM
> -ca_server_cert_subject_name CN=ipa04.testdomain.com,O=TESTDOMAIN.COM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTDOMAIN.COM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTDOMAIN.COM
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
> XXXXXXXX -sd_hostname ipa00.testdomain.com -sd_admin_port 443
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
> -clone_uri https://ipa00.testdomain.com:443' returned non-zero exit
> status 255
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
> ___
> /var/log/ipareplica-install.log:
>
> #############################################
> Attempting to connect to: ipa04.testdomain.com:9445
> Connected.
> Posting Query =
> https://ipa04.testdomain.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=-4262354986382644304&xml=true
> RESPONSE STATUS:  HTTP/1.1 200 OK
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
> RESPONSE HEADER:  Date: Tue, 17 Sep 2013 17:49:16 GMT
> RESPONSE HEADER:  Connection: close
> Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid
> clone_uri
> ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
> ERROR: unable to create CA
>
> #######################################################################
>
> 2013-09-17T17:49:17Z DEBUG stderr=java.lang.Exception: Invalid clone_uri
>         at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:392)
>         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1188)
>         at ConfigureCA.main(ConfigureCA.java:1672)
>
> 2013-09-17T17:49:17Z CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa04.testdomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-krRAM2
> -client_certdb_pwd XXXXXXXX -preop_pin 2e3Wsf8VDR8lEXLi3HyX
> -domain_name IPA -admin_user admin -admin_email root@localhost
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=VANCPOWER.COM -ldap_host ipa04.testdomain.com
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=VANCPOWER.COM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=VANCPOWER.COM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=VANCPOWER.COM
> -ca_server_cert_subject_name CN=ipa04.testdomain.com,O=VANCPOWER.COM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=VANCPOWER.COM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=VANCPOWER.COM
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
> XXXXXXXX -sd_hostname ipa00.testdomain.com -sd_admin_port 443
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
> -clone_uri https://ipa00.testdomain.com:443' returned non-zero exit
> status 255
> 2013-09-17T17:49:17Z INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-replica-install", line 467, in main
>     (CA, cs) = cainstance.install_replica_ca(config)
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 1604, in install_replica_ca
>     subject_base=config.subject_base)
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 617, in configure_instance
>     self.start_creation(runtime=210)
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
> 358, in start_creation
>     method()
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-09-17T17:49:17Z INFO The ipa-replica-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> ___
>
> In the event that there is no recovery from this short of rebuilding
> the master, is there a way for me to repopulate it with existing data
> from the name server and user store? As always, your help is greatly
> appreciated.

Nathan, do you think it is a problem with IPA replica management or Dogtag?

>
>
> Thanks.
>
>
>
> Trevor T. Kates
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





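An added diagnostic for narrowing down the "Invalid clone_uri" failure quoted above. It is not part of this thread and not FreeIPA or Dogtag tooling, and it rests on an assumption the thread does not establish: my reading of Dogtag 9's pkisilent is that the clone panel accepts a clone_uri only when it matches a URL built from the Host and SecurePort of an entry in the security domain's CAList, kept under ou=Security Domain,o=ipaca in the PKI directory instance (port 7389 in this deployment). A reimaged master whose CAList entry is missing, or registered with a different port, would be rejected at exactly this step even though the connection check passes. The script pulls that list from a master, offers the matching query for IPA's own cn=masters record of which servers run a CA, and decides whether the clone_uri pkisilent was given would match. Hostnames, the password-file argument and the sample LDIF are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Dogtag. Assumption:
# pkisilent only accepts a clone_uri that matches https://Host:SecurePort
# of some entry in cn=CAList,ou=Security Domain,o=ipaca on the PKI DS.

# Live query: dump the CAList from a master's PKI directory instance.
# $1 = master hostname, $2 = file holding the Directory Manager password
# (-y keeps it out of the process list). Not used by the self-test below.
fetch_calist() {
    ldapsearch -LLL -x -H "ldap://$1:7389" -D "cn=Directory Manager" -y "$2" \
        -b "cn=CAList,ou=Security Domain,o=ipaca" -s one \
        '(objectClass=pkiSubsystem)' Host SecurePort Clone
}

# Live query: IPA's own view of which masters carry the CA role.
# $1 = master hostname, $2 = password file, $3 = suffix (dc=testdomain,dc=com).
# A host present here but absent from the CAList means the two disagree.
fetch_ipa_ca_masters() {
    ldapsearch -LLL -x -H "ldap://$1:389" -D "cn=Directory Manager" -y "$2" \
        -b "cn=masters,cn=ipa,cn=etc,$3" '(cn=CA)' dn
}

# Read CAList LDIF on stdin, print one host:port line per entry.
# Folded LDIF continuation lines (leading space) are joined first.
calist_urls() {
    awk '
        function flush() {
            lc = tolower(buf)
            if (lc ~ /^host: /)            host = substr(buf, 7)
            else if (lc ~ /^secureport: /) port = substr(buf, 13)
            else if (buf == "")            emit()
            buf = ""
        }
        function emit() {
            if (host != "") print host ":" port
            host = ""; port = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush(); emit() }
    '
}

# $1 = clone_uri as passed to pkisilent (https://ipa00.testdomain.com:443),
# stdin = CAList LDIF. Returns 0 if host:port is registered, 1 otherwise.
clone_uri_registered() {
    cu_hostport=${1#*://}
    cu_hostport=${cu_hostport%%/*}
    cu_host=${cu_hostport%%:*}
    cu_port=${cu_hostport##*:}
    [ "$cu_port" = "$cu_host" ] && cu_port=443   # no explicit port in the URI
    calist_urls | grep -qxF "$cu_host:$cu_port"
}

# Constructed sample of fetch_calist output: the first master (ipa00) and
# one replica (ipa01) registered a CA; ipa04 has not.
SAMPLE_CALIST='dn: cn=ipa00.testdomain.com:443,cn=CAList,ou=Security Domain,o=ipaca
Host: ipa00.testdomain.com
SecurePort: 443
Clone: FALSE

dn: cn=ipa01.testdomain.com:443,cn=CAList,ou=Security Domain,o=ipaca
Host: ipa01.testdomain.com
SecurePort: 443
Clone: TRUE'

# Check a clone_uri against the constructed sample (0 = registered).
sample_has_clone_uri() {
    printf '%s\n' "$SAMPLE_CALIST" | clone_uri_registered "$1"
}

# Stand-alone run: the URI from the thread and one that is not registered.
for uri in https://ipa00.testdomain.com:443 https://ipa04.testdomain.com:443; do
    if sample_has_clone_uri "$uri"; then
        echo "$uri: registered in CAList"
    else
        echo "$uri: not in CAList; pkisilent would reject it as clone_uri"
    fi
done
```

Against the live domain the check is `fetch_calist ipa00.testdomain.com /root/dm.pw | clone_uri_registered https://ipa00.testdomain.com:443`, run from a host that can reach the PKI DS port; compare the CAList hosts with `fetch_ipa_ca_masters` and with `ipa-csreplica-manage list`. If the CAList lacks the reimaged master, or lists it with a port other than the one in clone_uri, the security domain has not been brought back in line with the rebuilt host; if it matches, the cause lies elsewhere and the assumption above does not apply.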