[Freeipa-users] Replica Setup Issue

Matt Chesler mchesler at chesent.com
Fri Dec 12 20:59:55 UTC 2014


1. Create replica ipa-1 from old-ipa-1
2. Followed procedure documented at
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master to
make ipa-1 the node responsible for CRL generation and CA renewal
3. Prepare ipa-2 to be a replica by running 'ipa-replica-prepare
ipa-2.example.com' on ipa-1 and copying over the resulting gpg
4. Ran ipa-replica-install on ipa-2 and received the following
output/failure:

===================

[root@ipa-2 ~]# ipa-replica-install --setup-ca
/var/lib/ipa/replica-info-ipa-2.example.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa-1.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@EXAMPLE.COM password:

Execute check on remote master
Check connection from master to remote replica 'ipa-2.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30
seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-2.example.com
-cs_port 9445 -client_certdb_dir /tmp/tmp-ATedaS -client_certdb_pwd
XXXXXXXX -preop_pin SAW89xQS4ICFy5zYWv0m -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password XXXXXXXX -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host ipa-2.example.com -ldap_port 7389
-bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM
-ca_server_cert_subject_name CN=ipa-2.example.com,O=EXAMPLE.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX
-sd_hostname ipa-1.example.com -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri
https://ipa-1.example.com:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

===================

Found the following in /var/log/ipareplica-install.log:

--snip--
#############################################
Attempting to connect to: ipa-2.example.com:9445
Connected.
Posting Query =
https://ipa-2.example.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=4306304501997072616&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 12 Dec 2014 20:47:08 GMT
RESPONSE HEADER:  Connection: close
Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid
clone_uri
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA

#######################################################################

2014-12-12T20:47:08Z DEBUG stderr=java.lang.Exception: Invalid clone_uri
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:392)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1188)
at ConfigureCA.main(ConfigureCA.java:1672)

2014-12-12T20:47:08Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-2.example.com
-cs_port 9445 -client_certdb_dir /tmp/tmp-ATedaS -client_certdb_pwd
XXXXXXXX -preop_pin SAW89xQS4ICFy5zYWv0m -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password XXXXXXXX -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host ipa-2.example.com -ldap_port 7389
-bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM
-ca_server_cert_subject_name CN=ipa-2.example.com,O=EXAMPLE.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX
-sd_hostname ipa-1.example.com -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri
https://ipa-1.example.com:443' returned non-zero exit status 255
2014-12-12T20:47:08Z INFO   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 476, in main
    (CA, cs) = cainstance.install_replica_ca(config)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
line 1626, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2014-12-12T20:47:08Z INFO The ipa-replica-install command failed,
exception: RuntimeError: Configuration of CA failed
--snip--

===================

I've searched high and low for a solution and the closest I've found is
this exchange from Sept 2013 -
http://www.redhat.com/archives/freeipa-users/2013-September/msg00203.html -
which doesn't have a resolution.  My issue is almost identical with the
exception of newer revisions:

Linux ipa-2.example.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11
17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
ipa-server-3.0.0-42.el6.x86_64
pki-selinux-9.0.3-38.el6_6.noarch
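The pasted pkisilent command is the most useful artifact in this report: it shows the clone settings (`-clone_uri`, `-sd_hostname`, `-sd_admin_port`) that the "Invalid clone_uri" exception complains about, and it also shows that ipa's log masking covers passwords but not `-preop_pin`. The helper below is an added example, not code from the post, from FreeIPA or from Dogtag. It parses a logged ConfigureCA command line into flags and values (values such as `cn=Directory Manager` contain spaces and are not quoted in the log), redacts every flag ending in `password`, `pwd` or `pin`, and runs a few consistency checks before posting such output anywhere. The checks assume that `-clone_uri` should name the same host and port as `-sd_hostname`/`-sd_admin_port` (true for the command above) and that a duplicated flag is worth flagging; both are this example's assumptions, not documented pkisilent rules. The command string is constructed from the post, with a made-up preop PIN.

```python
"""Parse, redact and sanity-check a pkisilent ConfigureCA command line as
logged by ipa-replica-install. Added example; assumptions are marked."""
from urllib.parse import urlparse

# Constructed from the command line quoted in the post (passwords already
# masked there; the preop PIN value is made up for this example).
LOGGED_COMMAND = (
    "/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-2.example.com "
    "-cs_port 9445 -client_certdb_dir /tmp/tmp-ATedaS -client_certdb_pwd XXXXXXXX "
    "-preop_pin SAW89xQS4ICFy5zYWv0m -domain_name IPA -admin_user admin "
    "-admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent "
    "-agent_key_size 2048 -agent_key_type rsa "
    "-bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca "
    "-ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM "
    "-ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM "
    "-external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX "
    "-sd_hostname ipa-1.example.com -sd_admin_port 443 -sd_admin_name admin "
    "-sd_admin_password XXXXXXXX -clone_start_tls true "
    "-clone_uri https://ipa-1.example.com:443"
)

# Flag-name suffixes treated as secrets (assumption: covers the flags ipa uses).
SECRET_SUFFIXES = ("password", "pwd", "pin")


def parse_pkisilent_args(cmd):
    """Return (program, {flag: [value, ...]}) for a logged pkisilent command.

    Values are not shell-quoted in the log, so a value runs until the next
    token that looks like a flag ("-name"). Repeated flags keep every value.
    """
    program, args, current = [], {}, None
    for tok in cmd.split():
        if tok.startswith("-") and len(tok) > 1 and not tok[1].isdigit():
            current = tok.lstrip("-")
            args.setdefault(current, []).append("")
        elif current is None:
            program.append(tok)          # tokens before the first flag
        else:
            values = args[current]
            values[-1] = (values[-1] + " " + tok).strip()
    return " ".join(program), args


def is_secret(flag):
    return flag.lower().endswith(SECRET_SUFFIXES)


def redact_command(cmd, mask="XXXXXXXX"):
    """Rebuild the command with every secret-valued flag masked."""
    program, args = parse_pkisilent_args(cmd)
    parts = [program]
    for flag, values in args.items():
        for value in values:
            parts.append("-" + flag)
            parts.append(mask if is_secret(flag) else value)
    return " ".join(parts)


def check_clone_settings(args):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    for flag, values in args.items():
        if len(values) > 1:
            findings.append("flag -%s given %d times" % (flag, len(values)))
    first = lambda name: args.get(name, [""])[0]
    uri = urlparse(first("clone_uri"))
    if uri.scheme != "https":
        findings.append("clone_uri is not https: %r" % first("clone_uri"))
    # Assumption: the clone URI must point at the security-domain master
    # given by -sd_hostname/-sd_admin_port.
    if (uri.hostname or "").lower() != first("sd_hostname").lower() \
            or str(uri.port) != first("sd_admin_port"):
        findings.append("clone_uri %s does not match sd_hostname %s:%s"
                        % (first("clone_uri"), first("sd_hostname"),
                           first("sd_admin_port")))
    if first("clone") == "true" and not first("clone_p12_file"):
        findings.append("clone=true but no clone_p12_file given")
    return findings


if __name__ == "__main__":
    prog, parsed = parse_pkisilent_args(LOGGED_COMMAND)
    print(redact_command(LOGGED_COMMAND))
    for finding in check_clone_settings(parsed):
        print("finding:", finding)
```

Run on the command from the post, the only finding is the repeated `-ca_subsystem_cert_subject_name` flag; the clone URI and security-domain settings are mutually consistent, which narrows the "Invalid clone_uri" error to the master's view of its security domain rather than to a typo on the replica side.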