[Freeipa-users] CA Replication Installation Failing

Les Stott Less at imagine-sw.com
Tue Feb 3 21:33:55 UTC 2015


Has anyone got any ideas on this?

I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project. 

Help please...

Regards,

Les

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Les Stott
> Sent: Friday, 30 January 2015 4:48 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> 
> 
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Les Stott
> > Sent: Wednesday, 10 December 2014 6:22 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> >
> >
> > > -----Original Message-----
> > > From: Ade Lee [mailto:alee at redhat.com]
> > > Sent: Wednesday, 10 December 2014 5:05 AM
> > > To: Les Stott
> > > Cc: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > > On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> > > >
> > > >
> > > >
> > > >
> > > > ________________________________________
> > > > From: freeipa-users-bounces at redhat.com
> > > > [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
> > > > [dpal at redhat.com]
> > > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > > To: freeipa-users at redhat.com
> > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > >
> > > >
> > > >
> > > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > >
> > > > > Does anyone have any ideas on the below errors when trying to
> > > > > add CA replication to an existing replica?
> > > > >
> > > > >
> > > >
> > > > > People who might be able to help are on PTO right now.
> > > > >
> > > > > Is your installation older than 2 years?
> > > >
> > > > No, December 2013 was when it was originally built.
> > > >
> > > > > Did you generate a new replica package or use the original one?
> > > >
> > > > I used the original replica file for serverb, based on
> > > > instructions I came across. I can try regenerating the replica file.
> > > >
> > > > Interestingly, now that you mention it, servera had to be restored
> > > > a couple of months back. Perhaps this is an issue and regenerating
> > > > the replica file for serverb will be required.
> > > >
> > > > I will try this.
> > > >
> > >
> > > I think that this is a safe bet to be the problem.
> > >
> > > The error in the log snippet you posted says:
> > >
> > >  <errorString>The pkcs12 file is not correct.</errorString>
> > >
> > > This indicates that the clone CA was unable to decode the pkcs12
> > > file in the replica.  Perhaps the certs changed -- or the DM password
> changed?
> > >
> > > Ade
> >
> > I regenerated the replica file and retried the CA replica setup, but
> > it failed at the same point with the same error.
> >
> > I am thinking that the next step is to uninstall the ipa replica to
> > cleanup, remove all traces and re-add as a replica on serverb.
> >
> > I wonder if the cert that it's having an issue with is the one on
> > serverB under /etc/ipa/ca.crt which is from Dec 2013.
> >
> > I will try that in a couple of days as I have to schedule this work in
> > as it's in production.
> >
> > Regards,
> >
> > Les
> >
> >
> > > > > Maybe the problem is that the cert that is in that package
> > > > > already expired?
> > > >
> > > > The original replica file was created on Dec 16 2013. Cert is not set
> > > > to expire until 2015-12-17.
> > > >
> > > > > Just a thought...
> > > > >
> > > > > The simplest workaround IMO would be to prepare Server C,
> > > > > install it with CA and then decommission replica B.
> > > > > Do not forget to clean replication agreements on master.
> > > > >
> > > > > But that would be a workaround; it would not solve this specific
> > > > > problem, it would kill it.
> > > >
> > > > I actually do have serverc and serverd. I planned to have CA
> > > > replication on at least 2 other servers, but held off on trying on
> > > > serverc due to issues with serverb.
> > > >
> > > > I'll report back what I find after regenerating the replica file
> > > > and re-trying to set up CA replication.
> > > >
> 
> After a bit of a hiatus I have revisited this issue and I still have it.
> 
> Just to re-iterate the problem...
> 
> Trying to set up a CA replica on an already installed replica fails in RHEL 6.6,
> ipa-3.0.0.42, pki 9.0.3-38.
> 
> /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg
> 
> It fails showing.... "CRITICAL failed to configure ca instance"
> 
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/16]: creating certificate server user
>   [2/16]: creating pki-ca instance
>   [3/16]: configuring certificate server instance
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> It doesn't matter if I run it interactively or unattended.
> 
> I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.
> 
> The /var/log/ipareplica-ca-install.log shows the following error about White
> Spaces:
> 
> #############################################
> Attempting to connect to: mymaster.mydomain.com:9445
> Connected.
> Posting Query = https://mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
> RESPONSE STATUS:  HTTP/1.1 200 OK
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER:  Date: Fri, 30 Jan 2015 05:05:04 GMT
> RESPONSE HEADER:  Connection: close
> <?xml version="1.0" encoding="UTF-8"?>
> <response>
>   <panel>admin/console/config/securitydomainpanel.vm</panel>
>   <https_agent_port>443</https_agent_port>
>   <machineName>mymaster.mydomain.com</machineName>
>   <res/>
>   <cstype>CA</cstype>
>   <initCommand>/sbin/service pki-cad</initCommand>
>   <instanceId><security_domain_instance_name></instanceId>
>   <sdomainURL>https:// myhost.mydomain.com:9445</sdomainURL>
>   <sdomainName/>
>   <http_ee_port>80</http_ee_port>
>   <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.</errorString>
> 
> The /var/log/pki-ca/debug also shows....
> 
> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> 
> When I compare those logs to the logs from the server I installed a ca-replica on
> successfully, the above is the point where the logs differ and it must be the
> source of the error.
> 
> In the log of the server that was successful it shows what should have
> happened...
> 
> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=<certstring>
> 
> I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
> 
> Note, also, I am trying this on new servers, not the same ones used in
> December.
> 
> I have searched high and low on Google to try and find a resolution for the
> White Space issue but haven't found anything that worked.
> 
> This seems like a bug to me.
> 
> Can anyone help with this please?
> 
> Thanks in advance,
> 
> Regards,
> 
> Les
> 
> 
> 
> 
> 
> 
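The failing install logs `WizardPanelBase: pingCS: parser failed ... White spaces are required between publicId and systemId` at the point where the working install logs `pingCS: got XML parsed` and `state=1`, so the clone's wizard is getting something back from the master's secure admin port (9445 in the logs above) that is not the XML status document it expects. The helper below is an added example, not code from this thread and not part of FreeIPA or Dogtag. It classifies a captured response body the way a strict XML parser would: well-formed XML is reported with its root and child element names, anything else is reported with the parser error and the first bytes, plus a flag for HTML-looking content such as an application-server error page. It also sanity-checks a security-domain URL value for embedded whitespace, because the quoted `<sdomainURL>` line above appears to contain a space after `https://` (possibly only a mail line-wrap artifact; compare it against the real log file). The element names in the sample status document and the Tomcat-style error page are constructed for the example and are not Dogtag's actual format.

```python
"""Added diagnostic helper (not from the thread, FreeIPA or Dogtag).

Given a response body captured from the master's secure admin port, tell
whether a strict XML parser would accept it, and if not, what came back.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def classify_admin_response(body: bytes) -> dict:
    """Parse `body` as XML the way a pingCS-style check would.

    Returns {"ok": True, "root": ..., "children": [...]} for well-formed XML,
    or {"ok": False, "error": ..., "looks_like_html": ..., "snippet": ...}
    when the parser rejects it, so the operator can see what actually arrived.
    """
    head = body[:200].upper()
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {
            "ok": False,
            "error": str(exc),
            # An HTML error page on the admin port is the common non-XML case.
            "looks_like_html": b"<!DOCTYPE" in head or b"<HTML" in head,
            "snippet": body[:80].decode("utf-8", "replace"),
        }
    return {"ok": True, "root": root.tag, "children": [c.tag for c in root]}


def check_sdomain_url(url: str) -> list:
    """Sanity-check a security-domain URL value; returns a list of problems."""
    problems = []
    if any(ch.isspace() for ch in url):
        problems.append("URL contains whitespace")
    # Strip the whitespace before splitting so the remaining checks still run.
    parts = urlsplit("".join(url.split()))
    if parts.scheme != "https":
        problems.append("scheme is %r, expected 'https'" % parts.scheme)
    if parts.port is None:
        problems.append("no explicit port in URL")
    return problems


# Constructed sample bodies (element names and page text are made up).
GOOD_STATUS = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<XMLResponse><State>1</State><Type>CA</Type></XMLResponse>"
)
TOMCAT_ERROR_PAGE = (
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" '
    b'"http://www.w3.org/TR/html4/strict.dtd">'
    b"<html><head><title>Apache Tomcat - Error report</title></head>"
    b'<body><h1>HTTP Status 404 - </h1><HR size="1" noshade="noshade">'
    b"<p><b>description</b> <u>The requested resource is not available.</u></p>"
    b"</body></html>"
)

if __name__ == "__main__":
    for name, body in (("good", GOOD_STATUS), ("html", TOMCAT_ERROR_PAGE)):
        print(name, classify_admin_response(body))
    print(check_sdomain_url("https:// myhost.mydomain.com:9445"))
```

To use it against a real installation, save the raw body the clone would receive from the master's admin port (with the same trust settings the clone uses) and pass those bytes to `classify_admin_response`; a result with `looks_like_html` set means the port answered with a web page rather than the status XML, which is where to look next.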



