[Freeipa-users] CA Replication Installation Failing
Les Stott
Less at imagine-sw.com
Tue Dec 9 04:04:41 UTC 2014
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?
Thanks in advance,
Les
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Les Stott
Sent: Tuesday, 2 December 2014 6:17 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] CA Replication Installation Failing
Hi All,
I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. PKI components are also standard version 9.0.3-38.
Servera is the master
Serverb is the replica
Both have been running for many, many months. Serverb was initially set up as a replica, but not a CA replica.
I am now trying to add CA Replication to serverb but it is failing midway through and I cannot figure out why.
Annoyingly, I used the same method/command to setup a CA replica on test servers and it completed without issue.
Here is what I get... (for the sake of brevity, I am excluding the lines for the connection check, which were all OK)
=================
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
admin at MYDOMAIN.COM password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
[1/16]: creating certificate server user
[2/16]: creating pki-ca instance
[3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd XXXXXXXX -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
=================
Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the point of failure....
=================
#############################################
Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
<title>Import Keys and Certificates</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<name>CA Setup Wizard</name>
<p>7</p>
<path/>
<req/>
<panelname>restorekeys</panelname>
</response>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA
#######################################################################
2014-12-02T05:44:19Z DEBUG stderr=
2014-12-02T05:44:19Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1Tqws5 -client_certdb_pwd XXXXXXXX -preop_pin rdkE0y2CiGMKNcRRPKKc -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
2014-12-02T05:44:19Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
return_value = main_function()
File "/usr/sbin/ipa-ca-install", line 149, in main
(CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1626, in install_replica_ca
subject_base=config.subject_base)
File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
self.start_creation(runtime=210)
File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
method()
File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
raise RuntimeError('Configuration of CA failed')
2014-12-02T05:44:19Z INFO The ipa-ca-install command failed, exception: RuntimeError: Configuration of CA failed
=================
I am not sure why this is happening.
Certutil shows that the setup isn't complete on serverb when comparing against the CA replica in my test servers which were successful.
# certutil -L -d /var/lib/pki-ca/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Certificate Authority - MYDOMAIN.COM CT,c,
Server-Cert cert-pki-ca CTu,Cu,Cu
# certutil -K -d /var/lib/pki-ca/alias
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa ef25de4fb656a27e297899509bc3dad582bcd643 NSS Certificate DB:Server-Cert cert-pki-ca
As yet, I have not tried "/usr/sbin/ipa-server-install --uninstall" in an attempt to clean up, as this is a production server and, apart from CA replication, it is running fine. I have tried multiple times manually removing pki instances and reinstalling, but it still won't get past the above error.
Can anyone shed any light on this?
Thanks in advance,
Les
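As an added example (not code from this thread, from FreeIPA or from Dogtag), a small Python check for the comparison Les describes: it parses `certutil -L` and `certutil -K` output for /var/lib/pki-ca/alias and reports which of the certificates a completed CA clone should carry are missing or have no private key. The expected nicknames are an assumption based on a standard Dogtag 9 CA instance, and the sample input is constructed from the serverb output quoted above.

```python
import re

# Added example, not code from the thread or from FreeIPA/Dogtag: audit the
# pki-ca NSS database after a failed clone. The expected nicknames are an
# assumption based on a standard Dogtag 9 CA instance; replace them with the
# nicknames that a known-good CA replica shows in `certutil -L`.
EXPECTED_NICKNAMES = (
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
)

# A `certutil -L` row is "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>" trust flags.
CERT_ROW = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")
# A `certutil -K` row is "< n> rsa <key id>   <token>:<nickname>".
KEY_ROW = re.compile(r"^<\s*\d+>\s+\S+\s+[0-9a-f]+\s+(?:[^:]+:)?(?P<nick>.+)$")

def parse_cert_list(text):
    """Map nickname -> trust flags from `certutil -L` output."""
    rows = (CERT_ROW.match(line.strip()) for line in text.splitlines())
    return {m.group("nick"): m.group("trust") for m in rows if m}

def parse_key_list(text):
    """Set of nicknames that own a private key, from `certutil -K` output."""
    rows = (KEY_ROW.match(line.strip()) for line in text.splitlines())
    return {m.group("nick").strip() for m in rows if m}

def audit_ca_db(cert_list_text, key_list_text, expected=EXPECTED_NICKNAMES):
    """Return (missing certificates, certificates present but without a key)."""
    certs = parse_cert_list(cert_list_text)
    keys = parse_key_list(key_list_text)
    missing = [n for n in expected if n not in certs]
    no_key = [n for n in expected if n in certs and n not in keys]
    return missing, no_key

# Constructed sample input, taken from the serverb output quoted in the thread.
CERTUTIL_L = """\
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

Certificate Authority - MYDOMAIN.COM                 CT,c,
Server-Cert cert-pki-ca                              CTu,Cu,Cu
"""
CERTUTIL_K = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ef25de4fb656a27e297899509bc3dad582bcd643   NSS Certificate DB:Server-Cert cert-pki-ca
"""
```

For the serverb output, `audit_ca_db(CERTUTIL_L, CERTUTIL_K)` lists the four CA signing, OCSP, subsystem and audit certificates as missing and nothing as key-less, which matches the wizard stopping at the "Import Keys and Certificates" panel before any of those keys were restored.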