[Freeipa-users] Replica of a Replica and Master Recovery

Rob Crittenden rcritten at redhat.com
Fri Sep 20 15:38:13 UTC 2013


Trevor T Kates (Services - 6) wrote:
> I apologize for the weird subject. The problem I'm facing feels a little
> weird and I could use some help.
>
> I'm running IPA in a test environment and trying to find different ways
> in which I can break it and then repair it. My IPA is running on CentOS 6.4:
>
> Linux ipa00.testdomain.com 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug 28
> 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> bind-9.8.2-0.17.rc1.el6_4.6.x86_64
> bind-dyndb-ldap-2.3-2.el6_4.1.x86_64
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> I seem to have created a problem for myself involving the original
> master server. At the beginning, I created a master IPA server with the
> dogtag CA and several replicas with replica dogtag CAs. I stored the
> /root/cacert.p12 file in a backup, reimaged the original master and
> turned it into a replica. In doing so, I seem to have eliminated my
> ability to create additional replicas due to not completely backing up
> everything related to the CA on the master. After preparing a replica on
> my reimaged master and attempting to install it on a different test
> server, I ran into the following error:

I think some clarification is needed. Every server in IPA is a master, 
on equal footing with the exception of some optional services like the 
CA and DNS. The initial CA is also responsible for CRL generation and 
distributing renewed certificates, but those can be moved.

I think we need to know what state the machine is in and how it got 
there. What does reimaging mean in this case?

rob


>
> [root at ipa04 ~]# ipa-replica-install --setup-ca -N --setup-dns
> /var/lib/ipa/replica-info-ipa04.testdomain.com.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipa00.testdomain.com':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos KDC: TCP (88): OK
>     Kerberos Kpasswd: TCP (464): OK
>     HTTP Server: Unsecure port (80): OK
>     HTTP Server: Secure port (443): OK
>     PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>     Kerberos KDC: UDP (88): SKIPPED
>     Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at TESTDOMAIN.COM password:
>
> Execute check on remote master
> admin at ipa00.testdomain.com's password:
> Check connection from master to remote replica 'ipa04.testdomain.com':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos KDC: TCP (88): OK
>     Kerberos KDC: UDP (88): OK
>     Kerberos Kpasswd: TCP (464): OK
>     Kerberos Kpasswd: UDP (464): OK
>     HTTP Server: Unsecure port (80): OK
>     HTTP Server: Secure port (443): OK
>     PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>    [1/3]: creating directory server user
>    [2/3]: creating directory server instance
>    [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30
> seconds
>    [1/17]: creating certificate server user
>    [2/17]: creating pki-ca instance
>    [3/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa04.testdomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-krRAM2
> -client_certdb_pwd XXXXXXXX -preop_pin 2e3Wsf8VDR8lEXLi3HyX -domain_name
> IPA -admin_user admin -admin_email root at localhost -admin_password
> XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type
> rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTDOMAIN.COM -ldap_host
> ipa04.testdomain.com -ldap_port 7389 -bind_dn cn=Directory Manager
> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
> -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
> XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTDOMAIN.COM
> -ca_server_cert_subject_name CN=ipa04.testdomain.com,O=TESTDOMAIN.COM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTDOMAIN.COM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTDOMAIN.COM
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
> XXXXXXXX -sd_hostname ipa00.testdomain.com -sd_admin_port 443
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
> -clone_uri https://ipa00.testdomain.com:443' returned non-zero exit
> status 255
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
> ___
> /var/log/ipareplica-install.log:
>
> #############################################
> Attempting to connect to: ipa04.testdomain.com:9445
> Connected.
> Posting Query =
> https://ipa04.testdomain.com:9445//ca/admin/console/config/wi
> zard?p=5&subsystem=CA&session_id=-4262354986382644304&xml=true
> RESPONSE STATUS:  HTTP/1.1 200 OK
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
> RESPONSE HEADER:  Date: Tue, 17 Sep 2013 17:49:16 GMT
> RESPONSE HEADER:  Connection: close
> Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid
> clone_uri
> ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
> ERROR: unable to create CA
>
> #######################################################################
>
> 2013-09-17T17:49:17Z DEBUG stderr=java.lang.Exception: Invalid clone_uri
>          at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:392)
>          at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1188)
>          at ConfigureCA.main(ConfigureCA.java:1672)
>
> 2013-09-17T17:49:17Z CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa04.testdomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-krRAM2
> -client_certdb_pwd XXXXXXXX -preop_pin 2e3Wsf8VDR8lEXLi3HyX -domain_name
> IPA -admin_user admin -admin_email root at localhost -admin_password
> XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type
> rsa -agent_cert_subject CN=ipa-ca-agent,O=VANCPOWER.COM -ldap_host
> ipa04.testdomain.com -ldap_port 7389 -bind_dn cn=Directory Manager
> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
> -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
> XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=VANCPOWER.COM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=VANCPOWER.COM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=VANCPOWER.COM
> -ca_server_cert_subject_name CN=ipa04.testdomain.com,O=VANCPOWER.COM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=VANCPOWER.COM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=VANCPOWER.COM
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
> XXXXXXXX -sd_hostname ipa00.testdomain.com -sd_admin_port 443
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
> -clone_uri https://ipa00.testdomain.com:443' returned non-zero exit
> status 255
> 2013-09-17T17:49:17Z INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
>      return_value = main_function()
>
>    File "/usr/sbin/ipa-replica-install", line 467, in main
>      (CA, cs) = cainstance.install_replica_ca(config)
>
>    File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> 1604, in install_replica_ca
>      subject_base=config.subject_base)
>
>    File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> 617, in configure_instance
>      self.start_creation(runtime=210)
>
>    File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
>      method()
>
>    File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> 879, in __configure_instance
>      raise RuntimeError('Configuration of CA failed')
>
> 2013-09-17T17:49:17Z INFO The ipa-replica-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> ___
>
> In the event that there is no recovery from this short of rebuilding the
> master, is there a way for me to repopulate it with existing data from
> the name server and user store? As always, your help is greatly appreciated.
>
>
> Thanks.
>
>
>
> Trevor T. Kates
>
> *CONFIDENTIALITY NOTICE:* This electronic message contains information
> which may be legally confidential and/or privileged and does not in any
> case represent a firm ENERGY COMMODITY bid or offer relating thereto
> which binds the sender without an additional express written
> confirmation to that effect. The information is intended solely for the
> individual or entity named above and access by anyone else is
> unauthorized. If you are not the intended recipient, any disclosure,
> copying, distribution, or use of the contents of this information is
> prohibited and may be unlawful. If you have received this electronic
> transmission in error, please reply immediately to the sender that you
> have received the message in error, and delete it. Thank you.
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
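The quoted ipa-replica-install output runs a connection check from the replica to the master over the listed TCP ports and explicitly skips the UDP ports (Kerberos KDC and kpasswd on 88/464), which have to be verified by hand. The following is an added example, not code from the original mail or from the FreeIPA project: a small Python script that reproduces the TCP half of that check against any master hostname so an administrator can confirm reachability before starting a replica install, and that reports the UDP entries as SKIPPED in the same way the installer does. The `demo_local_check` helper is an assumption of this example; it runs the same logic against a throwaway listener on 127.0.0.1 so the script can be exercised offline.

```python
"""Added example: replica-to-master port check in the spirit of the
conncheck output quoted above.  Not part of FreeIPA."""
import socket
import threading

# Service list and ports exactly as printed by the quoted conncheck output.
IPA_PORTS = [
    ("Directory Service: Unsecure port", 389, "tcp"),
    ("Directory Service: Secure port", 636, "tcp"),
    ("Kerberos KDC", 88, "tcp"),
    ("Kerberos KDC", 88, "udp"),
    ("Kerberos Kpasswd", 464, "tcp"),
    ("Kerberos Kpasswd", 464, "udp"),
    ("HTTP Server: Unsecure port", 80, "tcp"),
    ("HTTP Server: Secure port", 443, "tcp"),
    ("PKI-CA: Directory Service port", 7389, "tcp"),
]


def check_tcp(host, port, timeout=3.0):
    """Return 'OK' if a TCP connection to host:port succeeds, else a
    FAILED status naming the error class (refused, timeout, DNS...)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "OK"
    except OSError as exc:
        return "FAILED (%s)" % exc.__class__.__name__


def check_ports(host, ports=IPA_PORTS, timeout=3.0):
    """Check every (name, port, proto) entry; UDP ports cannot be verified
    with a plain connect, so they are reported SKIPPED as the installer does.
    Returns a list of (name, PROTO, port, status) tuples."""
    results = []
    for name, port, proto in ports:
        if proto == "udp":
            status = "SKIPPED"
        else:
            status = check_tcp(host, port, timeout)
        results.append((name, proto.upper(), port, status))
    return results


def format_report(host, results):
    """Render results in the layout used by the quoted conncheck output."""
    lines = ["Check connection from replica to remote master '%s':" % host]
    for name, proto, port, status in results:
        lines.append("    %s: %s (%d): %s" % (name, proto, port, status))
    return "\n".join(lines)


def demo_local_check():
    """Offline demonstration (assumed helper): one listening TCP port, one
    closed TCP port and one UDP entry on 127.0.0.1.  Returns the statuses."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    open_port = srv.getsockname()[1]

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()

    # Grab an ephemeral port and release it again so nothing listens there.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    table = [
        ("Listening service", open_port, "tcp"),
        ("Closed service", closed_port, "tcp"),
        ("UDP-only service", open_port, "udp"),
    ]
    results = check_ports("127.0.0.1", table, timeout=2.0)
    print(format_report("127.0.0.1", results))
    return [status for _, _, _, status in results]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python3 conncheck.py ipa00.testdomain.com
        print(format_report(sys.argv[1], check_ports(sys.argv[1])))
    else:
        demo_local_check()
```

Run it with the master's hostname as the only argument to get a report in the installer's layout; without arguments it runs the local demonstration. A FAILED line on 7389 or 636 before starting ipa-replica-install points at firewalling or a missing service, which is a cheaper thing to find than a half-configured CA that has to be cleaned up with ipa-server-install --uninstall.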



