[Freeipa-users] CA Replication Installation Failing

Dmitri Pal dpal at redhat.com
Tue Dec 9 04:49:21 UTC 2014


On 12/08/2014 11:04 PM, Les Stott wrote:
>
> Does anyone have any ideas on the below errors when trying to add CA 
> replication to an existing replica?
>

People who might be able to help are on PTO right now.

Is your installation older than 2 years?
Did you generate a new replica package or use the original one?
Maybe the problem is that the cert that is in that package has already expired?
Just a thought...

The simplest workaround IMO would be to prepare Server C, install it 
with CA and then decommission replica B.
Do not forget to clean replication agreements on master.

But that would be a workaround; it would not solve this specific problem, it 
would kill it.

> Thanks in advance,
>
> Les
>
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Les Stott
> Sent: Tuesday, 2 December 2014 6:17 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] CA Replication Installation Failing
>
> Hi All,
>
> I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. 
> Pki components are also standard version 9.0.3-38.
>
> Servera is the master
>
> Serverb is the replica
>
> Both have been running for many, many months. Serverb was initially 
> setup as a replica, but not a CA replica.
>
> I am now trying to add CA Replication to serverb but it is failing 
> midway through and I cannot figure out why.
>
> Annoyingly, I used the same method/command to setup a CA replica on 
> test servers and it completed without issue.
>
> Here is what I get....(for the sake of brevity, I am excluding the 
> lines for connection check which were all OK)
>
> =================
>
> /usr/sbin/ipa-ca-install 
> /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
>
> Directory Manager (existing master) password:
>
> Get credentials to log in to remote master
>
> admin at MYDOMAIN.COM password:
>
> Execute check on remote master
>
> Connection check OK
>
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>
>   [1/3]: creating directory server user
>
>   [2/3]: creating directory server instance
>
>   [3/3]: restarting directory server
>
> Done configuring directory server for the CA (pkids).
>
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 
> seconds
>
>   [1/16]: creating certificate server user
>
>   [2/16]: creating pki-ca instance
>
>   [3/16]: configuring certificate server instance
>
> ipa         : CRITICAL failed to configure ca instance Command 
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
> serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 
> -client_certdb_pwd XXXXXXXX -preop_pin exoyO2y7bawG5yjZMACM 
> -domain_name IPA -admin_user admin -admin_email root at localhost 
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 
> -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM 
> -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory 
> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca 
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 
> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM 
> -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM 
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM 
> -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM 
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 
> XXXXXXXX -sd_hostname servera.mydomain.com -sd_admin_port 443 
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true 
> -clone_uri https://servera.mydomain.com:443' returned non-zero exit 
> status 255
>
> Your system may be partly configured.
>
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
> =================
>
> Additional excerpt from the log file 
> /var/log/ipareplica-ca-install.log at the point of failure....
>
> =================
>
> #############################################
>
> Attempting to connect to: serverb.mydomain.com:9445
>
> Connected.
>
> Posting Query = 
> https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
>
> RESPONSE STATUS:  HTTP/1.1 200 OK
>
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
>
> RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
>
> RESPONSE HEADER:  Date: Tue, 02 Dec 2014 05:44:19 GMT
>
> RESPONSE HEADER:  Connection: close
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <!-- BEGIN COPYRIGHT BLOCK
>
>      This program is free software; you can redistribute it and/or modify
>
>      it under the terms of the GNU General Public License as published by
>
>      the Free Software Foundation; version 2 of the License.
>
>      This program is distributed in the hope that it will be useful,
>
>      but WITHOUT ANY WARRANTY; without even the implied warranty of
>
>      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>
>      GNU General Public License for more details.
>
>      You should have received a copy of the GNU General Public License 
> along
>
>      with this program; if not, write to the Free Software Foundation, 
> Inc.,
>
>      51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>
>      Copyright (C) 2007 Red Hat, Inc.
>
>      All rights reserved.
>
>      END COPYRIGHT BLOCK -->
>
> <response>
>
> <panel>admin/console/config/restorekeycertpanel.vm</panel>
>
>   <res/>
>
> <updateStatus>failure</updateStatus>
>
>   <password/>
>
>   <errorString>The pkcs12 file is not correct.</errorString>
>
>   <size>19</size>
>
>   <title>Import Keys and Certificates</title>
>
>   <panels>
>
>     <Vector>
>
>       <Panel>
>
>         <Id>welcome</Id>
>
>         <Name>Welcome</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>module</Id>
>
>         <Name>Key Store</Name>
>
>       </Panel>
>
>       <Panel>
>
> <Id>confighsmlogin</Id>
>
> <Name>ConfigHSMLogin</Name>
>
>       </Panel>
>
>       <Panel>
>
> <Id>securitydomain</Id>
>
>         <Name>Security Domain</Name>
>
>       </Panel>
>
>       <Panel>
>
> <Id>securitydomain</Id>
>
>         <Name>Display Certificate Chain</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>subsystem</Id>
>
>         <Name>Subsystem Type</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>clone</Id>
>
>         <Name>Display Certificate Chain</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>restorekeys</Id>
>
>         <Name>Import Keys and Certificates</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>cahierarchy</Id>
>
>         <Name>PKI Hierarchy</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>database</Id>
>
>         <Name>Internal Database</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>size</Id>
>
>         <Name>Key Pairs</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>subjectname</Id>
>
>         <Name>Subject Names</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>certrequest</Id>
>
>         <Name>Requests and Certificates</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>backupkeys</Id>
>
>         <Name>Export Keys and Certificates</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>savepk12</Id>
>
>         <Name>Save Keys and Certificates</Name>
>
>       </Panel>
>
>       <Panel>
>
> <Id>importcachain</Id>
>
>         <Name>Import CA's Certificate Chain</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>admin</Id>
>
> <Name>Administrator</Name>
>
>       </Panel>
>
>       <Panel>
>
> <Id>importadmincert</Id>
>
>         <Name>Import Administrator's Certificate</Name>
>
>       </Panel>
>
>       <Panel>
>
>         <Id>done</Id>
>
>         <Name>Done</Name>
>
>       </Panel>
>
>     </Vector>
>
>   </panels>
>
>   <name>CA Setup Wizard</name>
>
>   <p>7</p>
>
>   <path/>
>
>   <req/>
>
> <panelname>restorekeys</panelname>
>
> </response>
>
> Error in RestoreKeyCertPanel(): updateStatus returns failure
>
> ERROR: ConfigureCA: RestoreKeyCertPanel() failure
>
> ERROR: unable to create CA
>
> #######################################################################
>
> 2014-12-02T05:44:19Z DEBUG stderr=
>
> 2014-12-02T05:44:19Z CRITICAL failed to configure ca instance Command 
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
> serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1Tqws5 
> -client_certdb_pwd XXXXXXXX -preop_pin rdkE0y2CiGMKNcRRPKKc 
> -domain_name IPA -admin_user admin -admin_email root at localhost 
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 
> -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM 
> -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory 
> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca 
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 
> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM 
> -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM 
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM 
> -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM 
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 
> XXXXXXXX -sd_hostname servera.mydomain.com -sd_admin_port 443 
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true 
> -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255
>
> 2014-12-02T05:44:19Z INFO   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", 
> line 614, in run_script
>
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-ca-install", line 149, in main
>
>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", 
> line 1626, in install_replica_ca
>
>     subject_base=config.subject_base)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", 
> line 626, in configure_instance
>
>     self.start_creation(runtime=210)
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 
> 358, in start_creation
>
>     method()
>
>   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", 
> line 888, in __configure_instance
>
>     raise RuntimeError('Configuration of CA failed')
>
> 2014-12-02T05:44:19Z INFO The ipa-ca-install command failed, 
> exception: RuntimeError: Configuration of CA failed
>
> =================
>
> I am not sure why this is happening.
>
> Certutil shows that the setup isn't complete on serverb when comparing 
> against the CA replica in my test servers which were successful.
>
> # certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Certificate Authority - MYDOMAIN.COM                      CT,c,
>
> Server-Cert cert-pki-ca                                      CTu,Cu,Cu
>
> # certutil -K -d /var/lib/pki-ca/alias
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS User 
> Private Key and Certificate Services"
>
> Enter Password or Pin for "NSS Certificate DB":
>
> < 0> rsa ef25de4fb656a27e297899509bc3dad582bcd643   NSS Certificate 
> DB:Server-Cert cert-pki-ca
>
> As yet, I have not tried "/usr/sbin/ipa-server-install --uninstall" in 
> an attempt to cleanup as this is a production server and apart from CA 
> replication, it is running fine. I have tried multiple times manually 
> removing pki instances and reinstalling but it still won't get past 
> the above error.
>
> Can anyone shed any light on this?
>
> Thanks in advance,
>
> Les
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
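As an added example, not part of this thread or of FreeIPA itself: a small Python triage helper for the pkisilent output that ipa-ca-install writes to /var/log/ipareplica-ca-install.log. The configuration wizard posts one request per panel and the server answers each with an XML <response>; picking out the first panel whose updateStatus is not "success" gives the actual failure reason (in the excerpt above, the "restorekeys" panel with "The pkcs12 file is not correct.") without reading through the panel list. The sample log is constructed to mirror that excerpt with a placeholder hostname, and the redaction helper is an added convenience for masking -preop_pin values, which the installer's own XXXXXXXX masking leaves in the clear.

```python
"""Triage a pki-ca setup-wizard log for the first failing panel."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ipareplica-ca-install.log excerpt in
# the thread (not a real capture; hostname is a placeholder).  Panel p=6
# succeeds, panel p=7 (restorekeys) fails.
SAMPLE_LOG = """\
Posting Query = https://serverb.example.test:9445//ca/admin/console/config/wizard?p=6&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK ... END COPYRIGHT BLOCK -->
<response>
  <panel>admin/console/config/clonepanel.vm</panel>
  <updateStatus>success</updateStatus>
  <errorString/>
  <name>CA Setup Wizard</name>
  <p>6</p>
  <panelname>clone</panelname>
</response>
Posting Query = https://serverb.example.test:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <panel>admin/console/config/restorekeycertpanel.vm</panel>
  <updateStatus>failure</updateStatus>
  <errorString>The pkcs12 file is not correct.</errorString>
  <title>Import Keys and Certificates</title>
  <name>CA Setup Wizard</name>
  <p>7</p>
  <panelname>restorekeys</panelname>
</response>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
"""

# One <response> element per wizard panel; DOTALL because each spans lines.
RESPONSE_RE = re.compile(r"<response>.*?</response>", re.DOTALL)

# Values following these pkisilent switches are secrets; the installer masks
# most of them but not -preop_pin.  The URL form is the __password= query arg.
SWITCH_SECRET_RE = re.compile(r"(-(?:preop_pin|\w*pwd|\w*password)\s+)\S+")
URL_SECRET_RE = re.compile(r"(__password=)[^&\s]+")


def parse_wizard_responses(log_text):
    """Return one dict per <response> block, in the order the wizard ran."""
    results = []
    for match in RESPONSE_RE.finditer(log_text):
        root = ET.fromstring(match.group(0))
        results.append({
            "step": int(root.findtext("p", default="-1")),
            "panel": root.findtext("panelname", default=""),
            "title": root.findtext("title", default=""),
            "status": root.findtext("updateStatus", default=""),
            "error": (root.findtext("errorString") or "").strip(),
        })
    return results


def first_failure(log_text):
    """Return the first panel whose updateStatus is not 'success', or None."""
    for response in parse_wizard_responses(log_text):
        if response["status"] != "success":
            return response
    return None


def redact_secrets(text):
    """Mask secret values in a pkisilent command line or wizard URL
    before the log is shared (e.g. posted to a mailing list)."""
    text = SWITCH_SECRET_RE.sub(r"\1XXXXXXXX", text)
    return URL_SECRET_RE.sub(r"\1XXXXXXXX", text)


if __name__ == "__main__":
    failure = first_failure(SAMPLE_LOG)
    if failure is None:
        print("all wizard panels reported success")
    else:
        print("wizard stopped at step %d (%s, %r): %s" % (
            failure["step"], failure["panel"], failure["title"],
            failure["error"]))
    print(redact_secrets(
        "-preop_pin exoyO2y7bawG5yjZMACM -admin_password secret"))
```

Run it against the real log with `first_failure(open("/var/log/ipareplica-ca-install.log").read())`; the panel name maps to the wizard step in the CA's own log, which is where the server-side reason for rejecting the PKCS#12 file would appear.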
