[Freeipa-users] CA Replication Installation Failing
Ade Lee
alee at redhat.com
Tue Dec 9 18:04:51 UTC 2014
On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
>
>
> ______________________________________________________________________
> From: freeipa-users-bounces at redhat.com
> [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
> [dpal at redhat.com]
> Sent: Tuesday, December 09, 2014 3:49 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>
>
>
> On 12/08/2014 11:04 PM, Les Stott wrote:
>
> > Does anyone have any ideas on the below errors when trying to add CA
> > replication to an existing replica?
> >
> > People who might be able to help are on PTO right now.
> >
> > Is your installation older than 2 years?
>
> No, December 2013 was when it was originally built.
>
> > Did you generate a new replica package or use the original one?
>
> I used the original replica file for serverb, based on instructions I
> came across. I can try regenerating the replica file.
>
> Interestingly, now that you mention it, servera had to be restored a
> couple of months back. Perhaps this is an issue and regenerating the
> replica file for serverb will be required.
>
> I will try this.
>
I think that this is a safe bet to be the problem.
The error in the log snippet you posted says:
<errorString>The pkcs12 file is not correct.</errorString>
This indicates that the clone CA was unable to decode the pkcs12 file in
the replica. Perhaps the certs changed -- or the DM password changed?
Ade
> > Maybe the problem is that the cert that is in that package already
> > expired?
>
> Original replica file was created on Dec 16 2013. Cert is not set to
> expire until 2015-12-17.
>
> > Just a thought...
> >
> > The simplest workaround IMO would be to prepare Server C, install it
> > with CA and then decommission replica B.
> > Do not forget to clean replication agreements on master.
> >
> > But that would be a workaround; it would not solve this specific
> > problem, it would kill it.
>
> I actually do have serverc and serverd. I planned to have CA
> replication on at least 2 other servers, but held off on trying on
> serverc due to issues with serverb.
>
> I'll report back what I find after regenerating the replica file and
> re-trying to set up CA replication.
>
> Thanks,
>
> Les
>
> >
> > Thanks in advance,
> >
> > Les
> >
> > From: freeipa-users-bounces at redhat.com
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Les Stott
> > Sent: Tuesday, 2 December 2014 6:17 PM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] CA Replication Installation Failing
> >
> > Hi All,
> >
> > I have RHEL6 with ipa servers running standard ipa server 3.0.0-42.
> > Pki components are also standard version 9.0.3-38.
> >
> > Servera is the master
> >
> > Serverb is the replica
> >
> > Both have been running for many, many months. Serverb was initially
> > set up as a replica, but not a CA replica.
> >
> > I am now trying to add CA Replication to serverb but it is failing
> > midway through and I cannot figure out why.
> >
> > Annoyingly, I used the same method/command to set up a CA replica on
> > test servers and it completed without issue.
> >
> > Here is what I get... (for the sake of brevity, I am excluding the
> > lines for the connection check, which were all OK)
> >
> > =================
> >
> > /usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
> > Directory Manager (existing master) password:
> > Get credentials to log in to remote master
> > admin at MYDOMAIN.COM password:
> > Execute check on remote master
> > Connection check OK
> > Configuring directory server for the CA (pkids): Estimated time 30 seconds
> >   [1/3]: creating directory server user
> >   [2/3]: creating directory server instance
> >   [3/3]: restarting directory server
> > Done configuring directory server for the CA (pkids).
> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> >   [1/16]: creating certificate server user
> >   [2/16]: creating pki-ca instance
> >   [3/16]: configuring certificate server instance
> > ipa : CRITICAL failed to configure ca instance Command
> > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > serverb.mydomain.com -cs_port 9445
> > -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd XXXXXXXX
> > -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin
> > -admin_email root at localhost -admin_password XXXXXXXX -agent_name
> > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host
> > serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager
> > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
> > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM
> > -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM
> > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM
> > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM
> > -external false -clone true -clone_p12_file ca.p12
> > -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com
> > -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX
> > -clone_start_tls true -clone_uri https://servera.mydomain.com:443'
> > returned non-zero exit status 255
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > Configuration of CA failed
> >
> > =================
> >
> > Additional excerpt from the log file /var/log/ipareplica-ca-install.log
> > at the point of failure...
> >
> > =================
> >
> > #############################################
> > Attempting to connect to: serverb.mydomain.com:9445
> > Connected.
> > Posting Query =
> > https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
> > RESPONSE STATUS: HTTP/1.1 200 OK
> > RESPONSE HEADER: Server: Apache-Coyote/1.1
> > RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> > RESPONSE HEADER: Date: Tue, 02 Dec 2014 05:44:19 GMT
> > RESPONSE HEADER: Connection: close
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!-- BEGIN COPYRIGHT BLOCK
> > This program is free software; you can redistribute it and/or modify
> > it under the terms of the GNU General Public License as published by
> > the Free Software Foundation; version 2 of the License.
> >
> > This program is distributed in the hope that it will be useful,
> > but WITHOUT ANY WARRANTY; without even the implied warranty of
> > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > GNU General Public License for more details.
> >
> > You should have received a copy of the GNU General Public License along
> > with this program; if not, write to the Free Software Foundation, Inc.,
> > 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> >
> > Copyright (C) 2007 Red Hat, Inc.
> > All rights reserved.
> > END COPYRIGHT BLOCK -->
> > <response>
> > <panel>admin/console/config/restorekeycertpanel.vm</panel>
> > <res/>
> > <updateStatus>failure</updateStatus>
> > <password/>
> > <errorString>The pkcs12 file is not correct.</errorString>
> > <size>19</size>
> > <title>Import Keys and Certificates</title>
> > <panels>
> > <Vector>
> > <Panel>
> > <Id>welcome</Id>
> > <Name>Welcome</Name>
> > </Panel>
> > <Panel>
> > <Id>module</Id>
> > <Name>Key Store</Name>
> > </Panel>
> > <Panel>
> > <Id>confighsmlogin</Id>
> > <Name>ConfigHSMLogin</Name>
> > </Panel>
> > <Panel>
> > <Id>securitydomain</Id>
> > <Name>Security Domain</Name>
> > </Panel>
> > <Panel>
> > <Id>securitydomain</Id>
> > <Name>Display Certificate Chain</Name>
> > </Panel>
> > <Panel>
> > <Id>subsystem</Id>
> > <Name>Subsystem Type</Name>
> > </Panel>
> > <Panel>
> > <Id>clone</Id>
> > <Name>Display Certificate Chain</Name>
> > </Panel>
> > <Panel>
> > <Id>restorekeys</Id>
> > <Name>Import Keys and Certificates</Name>
> > </Panel>
> > <Panel>
> > <Id>cahierarchy</Id>
> > <Name>PKI Hierarchy</Name>
> > </Panel>
> > <Panel>
> > <Id>database</Id>
> > <Name>Internal Database</Name>
> > </Panel>
> > <Panel>
> > <Id>size</Id>
> > <Name>Key Pairs</Name>
> > </Panel>
> > <Panel>
> > <Id>subjectname</Id>
> > <Name>Subject Names</Name>
> > </Panel>
> > <Panel>
> > <Id>certrequest</Id>
> > <Name>Requests and Certificates</Name>
> > </Panel>
> > <Panel>
> > <Id>backupkeys</Id>
> > <Name>Export Keys and Certificates</Name>
> > </Panel>
> > <Panel>
> > <Id>savepk12</Id>
> > <Name>Save Keys and Certificates</Name>
> > </Panel>
> > <Panel>
> > <Id>importcachain</Id>
> > <Name>Import CA's Certificate Chain</Name>
> > </Panel>
> > <Panel>
> > <Id>admin</Id>
> > <Name>Administrator</Name>
> > </Panel>
> > <Panel>
> > <Id>importadmincert</Id>
> > <Name>Import Administrator's Certificate</Name>
> > </Panel>
> > <Panel>
> > <Id>done</Id>
> > <Name>Done</Name>
> > </Panel>
> > </Vector>
> > </panels>
> > <name>CA Setup Wizard</name>
> > <p>7</p>
> > <path/>
> > <req/>
> > <panelname>restorekeys</panelname>
> > </response>
> > Error in RestoreKeyCertPanel(): updateStatus returns failure
> > ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> > ERROR: unable to create CA
> >
> > #######################################################################
> >
> > 2014-12-02T05:44:19Z DEBUG stderr=
> > 2014-12-02T05:44:19Z CRITICAL failed to configure ca instance
> > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > serverb.mydomain.com -cs_port 9445
> > -client_certdb_dir /tmp/tmp-1Tqws5 -client_certdb_pwd XXXXXXXX
> > -preop_pin rdkE0y2CiGMKNcRRPKKc -domain_name IPA -admin_user admin
> > -admin_email root at localhost -admin_password XXXXXXXX -agent_name
> > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host
> > serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager
> > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
> > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM
> > -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM
> > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM
> > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM
> > -external false -clone true -clone_p12_file ca.p12
> > -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com
> > -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX
> > -clone_start_tls true -clone_uri https://servera.mydomain.com:443'
> > returned non-zero exit status 255
> > 2014-12-02T05:44:19Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
> >     return_value = main_function()
> >   File "/usr/sbin/ipa-ca-install", line 149, in main
> >     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1626, in install_replica_ca
> >     subject_base=config.subject_base)
> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
> >     self.start_creation(runtime=210)
> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
> >     method()
> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
> >     raise RuntimeError('Configuration of CA failed')
> >
> > 2014-12-02T05:44:19Z INFO The ipa-ca-install command failed,
> > exception: RuntimeError: Configuration of CA failed
> >
> > =================
> >
> > I am not sure why this is happening.
> >
> > Certutil shows that the setup isn't complete on serverb when
> > comparing against the CA replica in my test servers which were
> > successful.
> >
> > # certutil -L -d /var/lib/pki-ca/alias
> >
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > Certificate Authority - MYDOMAIN.COM                         CT,c,
> > Server-Cert cert-pki-ca                                      CTu,Cu,Cu
> >
> > # certutil -K -d /var/lib/pki-ca/alias
> >
> > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> > Enter Password or Pin for "NSS Certificate DB":
> > < 0> rsa      ef25de4fb656a27e297899509bc3dad582bcd643   NSS Certificate DB:Server-Cert cert-pki-ca
> >
> > As yet, I have not tried "/usr/sbin/ipa-server-install --uninstall"
> > in an attempt to clean up as this is a production server and apart
> > from CA replication, it is running fine. I have tried multiple times
> > manually removing pki instances and reinstalling but it still won't
> > get past the above error.
> >
> > Can anyone shed any light on this?
> >
> > Thanks in advance,
> >
> > Les
> >
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
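Ade's diagnosis rests on one line of the log: the Dogtag clone wizard's "Import Keys and Certificates" panel (restorekeys) could not open the ca.p12 carried in the replica package, which is what a stale bundle looks like when the master's CA certificates or the Directory Manager password changed after ipa-replica-prepare produced the file (as far as I know the 3.x installer protects that bundle with the DM password given at prepare time, which is why the DM password is the second thing Ade asks about). The script below is an added example, not code from this thread or from FreeIPA/Dogtag. It is a POSIX shell pre-flight check: given a PKCS#12 file and the password you intend to hand the installer, it verifies the integrity MAC and lists the certificates inside, returning a distinct status for "present but will not decode" versus "file missing", so a bad bundle is caught before the CA instance is left half-configured. It assumes only the openssl command-line tool; the self-signed certificate and bundle it creates are constructed test data so that it runs offline. Against a real replica you would point check_p12 at the ca.p12 extracted from the replica package instead.

```shell
#!/bin/sh
# Added example; not code from the thread, FreeIPA or Dogtag.
# Pre-flight check for a CA clone: does the PKCS#12 bundle decode with the
# password we are about to give the installer, and what is inside it?
# Assumes only the openssl command-line tool.

# check_p12 FILE PASSWORD
#   returns 0 if the integrity MAC verifies and the bundle parses
#             (certificate subject/issuer lines are printed),
#           2 if the file is readable but does not decode with this password
#             (wrong password, or a bundle rebuilt with different keys),
#           3 if the file is missing or unreadable.
check_p12() {
    p12="$1"
    pass="$2"
    [ -r "$p12" ] || { echo "check_p12: cannot read $p12" >&2; return 3; }
    # -noout verifies the MAC and parses every bag without writing out any
    # key material.  On a real host prefer -passin file:... over pass:... so
    # the password never appears in the process list.
    if ! err=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -noout 2>&1); then
        echo "check_p12: $p12 does not decode with the supplied password" >&2
        echo "           openssl: $err" >&2
        return 2
    fi
    # It decodes: openssl prints subject=/issuer= lines ahead of each cert.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -E '^(subject|issuer)='
    return 0
}

# p12_cert_count FILE PASSWORD: how many certificates a decodable bundle holds.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_bundle: constructed test data.  Builds a throwaway self-signed
# "CA" certificate and wraps it in a PKCS#12 protected by DEMO_PASS so the
# check can be exercised offline.  Sets DEMO_DIR, DEMO_P12 and DEMO_PASS.
make_demo_bundle() {
    DEMO_DIR=$(mktemp -d)
    DEMO_PASS='correct-horse-battery'
    DEMO_P12="$DEMO_DIR/ca.p12"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$DEMO_DIR/ca.key" -in "$DEMO_DIR/ca.crt" \
        -name 'caSigningCert cert-pki-ca' -out "$DEMO_P12" \
        -passout "pass:$DEMO_PASS" 2>/dev/null
}

# Demo: the same bundle with the right password and with a stale one.  The
# second case is the symptom from the thread: the file is present and
# intact, but nothing can open it.
make_demo_bundle
echo "--- correct password:"
check_p12 "$DEMO_P12" "$DEMO_PASS"
echo "--- certificates in bundle: $(p12_cert_count "$DEMO_P12" "$DEMO_PASS")"
echo "--- stale password:"
if check_p12 "$DEMO_P12" 'stale-dm-password' 2>/dev/null; then
    echo "unexpected: bundle decoded"
else
    echo "refused as expected (exit status $?)"
fi
rm -rf "$DEMO_DIR"
```

A bundle that decodes is only half the story: if the master was restored from a backup, as Les mentions for servera, the old package may still open yet carry certificates the master no longer uses. Comparing the subject/issuer lines check_p12 prints against `certutil -L -d /var/lib/pki-ca/alias` on the master catches that second case before the clone wizard does.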