[Freeipa-users] CA Replication Installation Failing

Les Stott Less at imagine-sw.com
Wed Dec 10 07:22:08 UTC 2014



> -----Original Message-----
> From: Ade Lee [mailto:alee at redhat.com]
> Sent: Wednesday, 10 December 2014 5:05 AM
> To: Les Stott
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> >
> >
> >
> > ________________________________________
> > From: freeipa-users-bounces at redhat.com
> > [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
> > [dpal at redhat.com]
> > Sent: Tuesday, December 09, 2014 3:49 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> >
> >
> > On 12/08/2014 11:04 PM, Les Stott wrote:
> >
> > > Does anyone have any ideas on the below errors when trying to add CA
> > > replication to an existing replica?
> > >
> > >
> >
> > > People who might be able to help are on PTO right now.
> > >
> > > Is your installation older than 2 years?
> >
> > No, December 2013 was when it was originally built.
> >
> > > Did you generate a new replica package or use the original one?
> >
> > I used the original replica file for serverb, based on instructions I
> > came across. I can try regenerating the replica file.
> >
> > Interestingly, now that you mention it, servera had to be restored a
> > couple of months back. Perhaps this is an issue and regenerating the
> > replica file for serverb will be required.
> >
> > I will try this.
> >
> 
> I think that this is a safe bet to be the problem.
> 
> The error in the log snippet you posted says:
> 
>  <errorString>The pkcs12 file is not correct.</errorString>
> 
> This indicates that the clone CA was unable to decode the pkcs12 file in the
> replica.  Perhaps the certs changed -- or the DM password changed?
> 
> Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error.

I am thinking that the next step is to uninstall the ipa replica to cleanup, remove all traces and re-add as a replica on serverb.

I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013.

I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,

Les


> > > Maybe the problem is that the cert that is in that package already
> > > expired?
> >
> > Original replica file was created on Dec 16 2013. Cert is not set to
> > expire until 2015-12-17.
> >
> > > Just a thought...
> > >
> > > The simplest workaround IMO would be to prepare Server C, install it
> > > with CA and then decommission replica B.
> > > Do not forget to clean replication agreements on master.
> > >
> > > But that would be a workaround, would not solve this specific
> > > problem, it will kill it.
> >
> > I actually do have serverc and serverd. I planned to have CA
> > replication on at least 2 other servers, but held off on trying on
> > serverc due to issues with serverb.
> >
> > I'll report back what I find after regenerating the replica file and
> > re-trying to setup CA replication.
> >
> > Thanks,
> >
> > Les
> >
> > >
> > >
> > > Thanks in advance,
> > >
> > >
> > >
> > > Les
> > >
> > >
> > >
> > > From:freeipa-users-bounces at redhat.com
> > > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Les Stott
> > > Sent: Tuesday, 2 December 2014 6:17 PM
> > > To: freeipa-users at redhat.com
> > > Subject: [Freeipa-users] CA Replication Installation Failing
> > >
> > >
> > >
> > >
> > > Hi All,
> > >
> > >
> > >
> > > I have RHEL6 with ipa servers running standard ipa server 3.0.0-42.
> > > Pki components are also standard version 9.0.3-38.
> > >
> > >
> > >
> > > Servera is the master
> > >
> > > Serverb is the replica
> > >
> > >
> > >
> > > Both have been running for many, many months. Serverb was initially
> > > setup as a replica, but not a CA replica.
> > >
> > >
> > >
> > > I am now trying to add CA Replication to serverb but it is failing
> > > midway through and I cannot figure out why.
> > >
> > >
> > >
> > > Annoyingly, I used the same method/command to setup a CA replica on
> > > test servers and it completed without issue.
> > >
> > >
> > >
> > > Here is what I get….(for the sake of brevity, I am excluding the
> > > lines for connection check which were all OK)
> > >
> > >
> > >
> > > =================
> > >
> > > /usr/sbin/ipa-ca-install
> > > /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
> > >
> > > Directory Manager (existing master) password:
> > >
> > > Get credentials to log in to remote master
> > >
> > > admin at MYDOMAIN.COM password:
> > >
> > > Execute check on remote master
> > >
> > > Connection check OK
> > >
> > > Configuring directory server for the CA (pkids): Estimated time 30
> > > seconds
> > >
> > >   [1/3]: creating directory server user
> > >
> > >   [2/3]: creating directory server instance
> > >
> > >   [3/3]: restarting directory server
> > >
> > > Done configuring directory server for the CA (pkids).
> > >
> > > Configuring certificate server (pki-cad): Estimated time 3 minutes
> > > 30 seconds
> > >
> > >   [1/16]: creating certificate server user
> > >
> > >   [2/16]: creating pki-ca instance
> > >
> > >   [3/16]: configuring certificate server instance
> > >
> > > ipa         : CRITICAL failed to configure ca instance Command
> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > > serverb.mydomain.com -cs_port 9445 -client_certdb_dir
> > > /tmp/tmp-t3aHM7 -client_certdb_pwd XXXXXXXX -preop_pin
> > > exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email
> > > root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
> > > -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
> > > CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com
> > > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
> > > XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
> > > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> > > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM
> > > -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM
> > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM
> > > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM
> > > -external false -clone true -clone_p12_file ca.p12
> > > -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com
> > > -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX
> > > -clone_start_tls true -clone_uri https://servera.mydomain.com:443'
> > > returned non-zero exit status 255
> > >
> > >
> > >
> > > Your system may be partly configured.
> > >
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > >
> > >
> > > Configuration of CA failed
> > >
> > > =================
> > >
> > >
> > >
> > > Additional excerpt from the log
> > > file /var/log/ipareplica-ca-install.log at the point of failure….
> > >
> > >
> > >
> > > =================
> > >
> > >
> > >
> > > #############################################
> > >
> > > Attempting to connect to: serverb.mydomain.com:9445
> > >
> > > Connected.
> > >
> > > Posting Query =
> > >
> > > https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
> > >
> > > RESPONSE STATUS:  HTTP/1.1 200 OK
> > >
> > > RESPONSE HEADER:  Server: Apache-Coyote/1.1
> > >
> > > RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> > >
> > > RESPONSE HEADER:  Date: Tue, 02 Dec 2014 05:44:19 GMT
> > >
> > > RESPONSE HEADER:  Connection: close
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > >
> > > <!-- BEGIN COPYRIGHT BLOCK
> > >
> > >      This program is free software; you can redistribute it and/or
> > > modify
> > >
> > >      it under the terms of the GNU General Public License as
> > > published by
> > >
> > >      the Free Software Foundation; version 2 of the License.
> > >
> > >
> > >
> > >      This program is distributed in the hope that it will be useful,
> > >
> > >      but WITHOUT ANY WARRANTY; without even the implied warranty of
> > >
> > >      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > >
> > >      GNU General Public License for more details.
> > >
> > >
> > >
> > >      You should have received a copy of the GNU General Public
> > > License along
> > >
> > >      with this program; if not, write to the Free Software
> > > Foundation, Inc.,
> > >
> > >      51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> > >
> > >
> > >
> > >      Copyright (C) 2007 Red Hat, Inc.
> > >
> > >      All rights reserved.
> > >
> > >      END COPYRIGHT BLOCK -->
> > >
> > > <response>
> > >
> > >   <panel>admin/console/config/restorekeycertpanel.vm</panel>
> > >
> > >   <res/>
> > >
> > >   <updateStatus>failure</updateStatus>
> > >
> > >   <password/>
> > >
> > >   <errorString>The pkcs12 file is not correct.</errorString>
> > >
> > >   <size>19</size>
> > >
> > >   <title>Import Keys and Certificates</title>
> > >
> > >   <panels>
> > >
> > >     <Vector>
> > >
> > >       <Panel>
> > >
> > >         <Id>welcome</Id>
> > >
> > >         <Name>Welcome</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>module</Id>
> > >
> > >         <Name>Key Store</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>confighsmlogin</Id>
> > >
> > >         <Name>ConfigHSMLogin</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>securitydomain</Id>
> > >
> > >         <Name>Security Domain</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>securitydomain</Id>
> > >
> > >         <Name>Display Certificate Chain</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>subsystem</Id>
> > >
> > >         <Name>Subsystem Type</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>clone</Id>
> > >
> > >         <Name>Display Certificate Chain</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>restorekeys</Id>
> > >
> > >         <Name>Import Keys and Certificates</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>cahierarchy</Id>
> > >
> > >         <Name>PKI Hierarchy</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>database</Id>
> > >
> > >         <Name>Internal Database</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>size</Id>
> > >
> > >         <Name>Key Pairs</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>subjectname</Id>
> > >
> > >         <Name>Subject Names</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>certrequest</Id>
> > >
> > >         <Name>Requests and Certificates</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>backupkeys</Id>
> > >
> > >         <Name>Export Keys and Certificates</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>savepk12</Id>
> > >
> > >         <Name>Save Keys and Certificates</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>importcachain</Id>
> > >
> > >         <Name>Import CA's Certificate Chain</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>admin</Id>
> > >
> > >         <Name>Administrator</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>importadmincert</Id>
> > >
> > >         <Name>Import Administrator's Certificate</Name>
> > >
> > >       </Panel>
> > >
> > >       <Panel>
> > >
> > >         <Id>done</Id>
> > >
> > >         <Name>Done</Name>
> > >
> > >       </Panel>
> > >
> > >     </Vector>
> > >
> > >   </panels>
> > >
> > >   <name>CA Setup Wizard</name>
> > >
> > >   <p>7</p>
> > >
> > >   <path/>
> > >
> > >   <req/>
> > >
> > >   <panelname>restorekeys</panelname>
> > >
> > > </response>
> > >
> > > Error in RestoreKeyCertPanel(): updateStatus returns failure
> > >
> > > ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> > >
> > > ERROR: unable to create CA
> > >
> > >
> > >
> > >
> > > #############################################
> > >
> > > 2014-12-02T05:44:19Z DEBUG stderr=
> > >
> > > 2014-12-02T05:44:19Z CRITICAL failed to configure ca instance
> > > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > > serverb.mydomain.com -cs_port 9445 -client_certdb_dir
> > > /tmp/tmp-1Tqws5 -client_certdb_pwd XXXXXXXX -preop_pin
> > > rdkE0y2CiGMKNcRRPKKc -domain_name IPA -admin_user admin -admin_email
> > > root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
> > > -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
> > > CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com
> > > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
> > > XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
> > > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> > > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM
> > > -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM
> > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM
> > > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM
> > > -external false -clone true -clone_p12_file ca.p12
> > > -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com
> > > -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX
> > > -clone_start_tls true -clone_uri https://servera.mydomain.com:443'
> > > returned non-zero exit status 255
> > >
> > > 2014-12-02T05:44:19Z INFO   File
> > > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py"
> > > , line 614, in run_script
> > >
> > >     return_value = main_function()
> > >
> > >
> > >
> > >   File "/usr/sbin/ipa-ca-install", line 149, in main
> > >
> > >     (CA, cs) = cainstance.install_replica_ca(config,
> > > postinstall=True)
> > >
> > >
> > >
> > >   File
> > > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> > > line 1626, in install_replica_ca
> > >
> > >     subject_base=config.subject_base)
> > >
> > >
> > >
> > >   File
> > > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> > > line 626, in configure_instance
> > >
> > >     self.start_creation(runtime=210)
> > >
> > >
> > >
> > >   File
> > > "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> > > line 358, in start_creation
> > >
> > >     method()
> > >
> > >
> > >
> > >   File
> > > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> > > line 888, in __configure_instance
> > >
> > >     raise RuntimeError('Configuration of CA failed')
> > >
> > >
> > >
> > > 2014-12-02T05:44:19Z INFO The ipa-ca-install command failed,
> > > exception: RuntimeError: Configuration of CA failed
> > >
> > >
> > >
> > > =================
> > >
> > >
> > >
> > > I am not sure why this is happening.
> > >
> > >
> > >
> > > Certutil shows that the setup isn’t complete on serverb when
> > > comparing against the CA replica in my test servers which were
> > > successful.
> > >
> > >
> > >
> > > # certutil -L -d /var/lib/pki-ca/alias
> > >
> > >
> > >
> > > Certificate Nickname                                         Trust Attributes
> > >                                                              SSL,S/MIME,JAR/XPI
> > >
> > > Certificate Authority - MYDOMAIN.COM                         CT,c,
> > > Server-Cert cert-pki-ca                                      CTu,Cu,Cu
> > >
> > >
> > >
> > > # certutil -K -d /var/lib/pki-ca/alias
> > >
> > > certutil: Checking token "NSS Certificate DB" in slot "NSS User
> > > Private Key and Certificate Services"
> > >
> > > Enter Password or Pin for "NSS Certificate DB":
> > >
> > > < 0> rsa      ef25de4fb656a27e297899509bc3dad582bcd643   NSS Certificate DB:Server-Cert cert-pki-ca
> > >
> > >
> > >
> > >
> > >
> > > As yet, I have not tried "/usr/sbin/ipa-server-install --uninstall"
> > > in an attempt to cleanup as this is a production server and apart
> > > from CA replication, it is running fine. I have tried multiple times
> > > manually removing pki instances and reinstalling but it still won’t
> > > get past the above error.
> > >
> > >
> > >
> > > Can anyone shed any light on this?
> > >
> > >
> > >
> > > Thanks in advance,
> > >
> > >
> > >
> > > Les
> > >
> >
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> 
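An added example, not from this thread and not FreeIPA or Dogtag code: a small POSIX shell check for the CA PKCS#12 bundle that a replica package carries, i.e. the file ipa-ca-install hands to pkisilent as -clone_p12_file. It assumes, from my reading of the 3.0-era ipa-replica-prepare, that the replica file is a gpg symmetric-encrypted tar whose member cacert.p12 is protected with the Directory Manager password (the same value that ends up as -clone_p12_password); the unpack_replica helper, the throwaway sample CA and all file names below are mine. If check_p12 fails with the DM password you intend to type into ipa-ca-install, "The pkcs12 file is not correct." is the expected outcome and the replica file (or the password it was prepared with) is the thing to fix, not the pki-ca instance on the replica. The check also flags an already-expired signing cert, which was the other possibility raised in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the CA PKCS#12 bundle that a
# FreeIPA replica package carries before running ipa-ca-install on the replica.
# Assumptions (mine, not stated in the thread): the replica file is a gpg
# symmetric-encrypted tar whose member cacert.p12 is protected with the
# Directory Manager password, the same value pkisilent gets as -clone_p12_password.
# Requires openssl; gpg and tar only for unpack_replica against a real package.

# Return 0 if $1 is a PKCS#12 file that opens with password $2, carries a
# certificate whose subject contains $3, and that certificate is not expired.
# Return 1 otherwise.  A MAC/decrypt failure here is the condition Dogtag's
# RestoreKeyCertPanel reports as "The pkcs12 file is not correct."
check_p12() {
    p12=$1; pw=$2; want=$3
    # -nokeys: dump only the certificate bags; a wrong password fails before any output
    certs=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys 2>/dev/null) || return 1
    subj=$(printf '%s\n' "$certs" | openssl x509 -noout -subject 2>/dev/null) || return 1
    printf '%s\n' "$subj" | grep -q "$want" || return 1
    # -checkend 0 exits non-zero once the cert's notAfter has passed
    printf '%s\n' "$certs" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Build a throwaway self-signed "CA" and bundle it with the nickname the IPA CA
# uses, so the check can be exercised offline.  Constructed test data, not a real CA.
make_sample_p12() {
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=MYDOMAIN.COM/CN=Certificate Authority" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
        -name "caSigningCert cert-pki-ca" \
        -out "$dir/cacert.p12" -passout "pass:$pw" 2>/dev/null
}

# Decrypt a real replica-info file into directory $2 (hypothetical helper; reads
# the DM password on stdin).  Not exercised by the self-test below.
unpack_replica() {
    gpgfile=$1; dir=$2
    gpg --batch --yes --passphrase-fd 0 -o "$dir/replica.tar" -d "$gpgfile" &&
        tar -C "$dir" -xf "$dir/replica.tar"
}

if [ "${1:-}" = "--self-test" ]; then
    tmp=$(mktemp -d)
    make_sample_p12 "$tmp" secret
    check_p12 "$tmp/cacert.p12" secret "Certificate Authority" && echo "good bundle: OK"
    check_p12 "$tmp/cacert.p12" wrongpw "Certificate Authority" || echo "wrong password: rejected"
    rm -rf "$tmp"
fi
```

Run it with --self-test to see the check accept a good bundle and reject a wrong password. Against a real package, run unpack_replica first (feeding the DM password on stdin), then point check_p12 at the extracted cacert.p12 with that same password and the subject of your CA signing cert (CN=Certificate Authority,O=MYDOMAIN.COM in this thread). On the NSS side, pk12util -l cacert.p12 answers the same question and additionally lists the key bags, which the openssl -nokeys call skips.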