[Freeipa-users] CA Replication Installation Failing

Rob Crittenden rcritten at redhat.com
Wed Feb 4 15:24:06 UTC 2015


Les Stott wrote:
> Has anyone got any ideas on this?
> 
> I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project. 
> 
> Help please...
> 
> Regards,

What is the version of IPA on the master you are connecting to?

Can you confirm on the existing master that
/etc/httpd/conf.d/ipa-pki-proxy.conf has /ca/ee/ca/profileSubmit in it:

 # matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

rob
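
The check Rob asks for above, as an added script that is not part of this thread: it pulls every alternative out of the `<LocationMatch "...">` regexes in ipa-pki-proxy.conf and reports which of the required ee-port paths are absent. The config fragment embedded below is constructed for the example (it deliberately lacks profileSubmit); pass a real path on the command line to check a live master.

```python
import re
import sys

# Constructed fragment shaped like /etc/httpd/conf.d/ipa-pki-proxy.conf on an IPA 3.x
# master; the real file carries more blocks and directives. profileSubmit is left out
# on purpose so the check below has something to report.
SAMPLE_CONF = """\
# matches for the agent port and secure port
<LocationMatch "^/ca/agent/ca/|^/ca/admin/ca/updateNumberRange">
    ProxyPassMatch ajp://localhost:9447
</LocationMatch>

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
    ProxyPassMatch ajp://localhost:9447
</LocationMatch>
"""

# Paths Rob's reply expects on the ee port; getCertChain is included because the
# failing pki-ca debug log above stops at getCertChainUsingSecureAdminPort.
REQUIRED_EE_PATHS = ("^/ca/ee/ca/getCertChain", "^/ca/ee/ca/profileSubmit")

LOCATION_MATCH = re.compile(r'<LocationMatch\s+"([^"]*)"\s*>', re.IGNORECASE)


def proxied_paths(conf_text):
    """Set of every '|'-separated alternative from every LocationMatch opening tag."""
    paths = set()
    for match in LOCATION_MATCH.finditer(conf_text):
        for alternative in match.group(1).split("|"):
            if alternative.strip():
                paths.add(alternative.strip())
    return paths


def missing_paths(conf_text, required=REQUIRED_EE_PATHS):
    """Required alternatives not present anywhere in the proxy config, in order."""
    present = proxied_paths(conf_text)
    return [path for path in required if path not in present]


def check_file(path="/etc/httpd/conf.d/ipa-pki-proxy.conf"):
    """Read a real proxy config and return the required paths it does not proxy."""
    with open(path) as handle:
        return missing_paths(handle.read())


if __name__ == "__main__":
    missing = check_file(sys.argv[1]) if len(sys.argv) > 1 else missing_paths(SAMPLE_CONF)
    for path in missing:
        print("not proxied:", path)
    sys.exit(1 if missing else 0)
```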

> 
> Les
> 
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> bounces at redhat.com] On Behalf Of Les Stott
>> Sent: Friday, 30 January 2015 4:48 PM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>
>>
>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>>> bounces at redhat.com] On Behalf Of Les Stott
>>> Sent: Wednesday, 10 December 2014 6:22 PM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Ade Lee [mailto:alee at redhat.com]
>>>> Sent: Wednesday, 10 December 2014 5:05 AM
>>>> To: Les Stott
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>>
>>>> On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
>>>>>
>>>>>
>>>>>
>>>>
>>>>> From: freeipa-users-bounces at redhat.com
>>>>> [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
>>>>> [dpal at redhat.com]
>>>>> Sent: Tuesday, December 09, 2014 3:49 PM
>>>>> To: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>>>
>>>>>
>>>>>
>>>>> On 12/08/2014 11:04 PM, Les Stott wrote:
>>>>>
>>>>>> Does anyone have any ideas on the below errors when trying to
>>>>>> add CA replication to an existing replica?
>>>>>>
>>>>>>
>>>>>
>>>>>> People who might be able to help are on PTO right now.
>>>>>>
>>>>>> Is your installation older than 2 years?
>>>>>
>>>>> No, December 2013 was when it was originally built.
>>>>>
>>>>>> Did you generate a new replica package or use the original one?
>>>>>
>>>>> I used the original replica file for serverb, based on
>>>>> instructions I came across. I can try regenerating the replica file.
>>>>>
>>>>> Interestingly, now that you mention it, servera had to be restored
>>>>> a couple of months back. Perhaps this is an issue and regenerating
>>>>> the replica file for serverb will be required.
>>>>>
>>>>> I will try this.
>>>>>
>>>>
>>>> I think that this is a safe bet to be the problem.
>>>>
>>>> The error in the log snippet you posted says:
>>>>
>>>>  <errorString>The pkcs12 file is not correct.</errorString>
>>>>
>>>> This indicates that the clone CA was unable to decode the pkcs12
>>>> file in the replica.  Perhaps the certs changed -- or the DM password
>> changed?
>>>>
>>>> Ade
>>>
>>> I regenerated the replica file and retried the CA replica setup, but
>>> it failed at the same point with the same error.
>>>
>>> I am thinking that the next step is to uninstall the ipa replica to
>>> cleanup, remove all traces and re-add as a replica on serverb.
>>>
>>> I wonder if the cert that it's having an issue with is the one on
>>> serverB under /etc/ipa/ca.crt which is from Dec 2013.
>>>
>>> I will try that in a couple of days as I have to schedule this work in
>>> as it's in production.
>>>
>>> Regards,
>>>
>>> Les
>>>
>>>
>>>>>> May be the problem is that the cert that is in that package
>>>>>> already
>>>>> expired?
>>>>>
>>>>> The original replica file was created on Dec 16 2013. The cert is not set
>>>>> to expire until 2015-12-17.
>>>>>
>>>>>> Just a thought...
>>>>>>
>>>>>> The simplest workaround IMO would be to prepare Server C,
>>>>>> install it
>>>>> with CA and then decommission replica B.
>>>>>> Do not forget to clean replication agreements on master.
>>>>>>
>>>>>> But that would be a workaround; it would not solve this specific
>>>>> problem, it will kill it.
>>>>>
>>>>> I actually do have serverc and serverd. I planned to have CA
>>>>> replication on at least 2 other servers, but held off on trying on
>>>>> serverc due to issues with serverb.
>>>>>
>>>>> I'll report back what I find after regenerating the replica file
>>>>> and re-trying to setup CA replication.
>>>>>
>>
>> After a bit of a hiatus I have revisited this issue and I still have it.
>>
>> Just to reiterate the problem...
>>
>> Trying to setup a ca replica on an already installed replica fails in rhel 6.6,
>> ipa-3.0.0.42, pki 9.0.3-38.
>>
>> /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-
>> myhost.mydomain.com.gpg
>>
>> It fails showing.... "CRITICAL failed to configure ca instance"
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30
>> seconds
>>   [1/16]: creating certificate server user
>>   [2/16]: creating pki-ca instance
>>   [3/16]: configuring certificate server instance
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> It doesn't matter if I run it interactively or unattended.
>>
>> I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-
>> 37 without any issue.
>>
>> The /var/log/ipareplica-ca-install.log shows the following error about White
>> Spaces:
>>
>> #############################################
>> Attempting to connect to: mymaster.mydomain.com:9445 Connected.
>> Posting Query = https://
>> mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomain
>> URL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&
>> choice=existingdomain&p=3&op=next&xml=true
>> RESPONSE STATUS:  HTTP/1.1 200 OK
>> RESPONSE HEADER:  Server: Apache-Coyote/1.1 RESPONSE HEADER:
>> Content-Type: application/xml;charset=UTF-8 RESPONSE HEADER:  Date: Fri,
>> 30 Jan 2015 05:05:04 GMT RESPONSE HEADER:  Connection: close <?xml
>> version="1.0" encoding="UTF-8"?> <response>
>>   <panel>admin/console/config/securitydomainpanel.vm</panel>
>>   <https_agent_port>443</https_agent_port>
>>   <machineName>mymaster.mydomain.com</machineName>
>>   <res/>
>>   <cstype>CA</cstype>
>>   <initCommand>/sbin/service pki-cad</initCommand>
>>   <instanceId><security_domain_instance_name></instanceId>
>>   <sdomainURL>https:// myhost.mydomain.com:9445</sdomainURL>
>>   <sdomainName/>
>>   <http_ee_port>80</http_ee_port>
>>   <errorString>org.xml.sax.SAXParseException; lineNumber: 1;
>> columnNumber: 50; White spaces are required between publicId and
>> systemId.</errorString>
>>
>> The /var/log/pki-ca/debug also shows....
>>
>> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL
>> Admin HTTPS . . .
>> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
>> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser
>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>> White spaces are required between publicId and systemId.
>> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no
>> successful response for SSL Admin HTTPS
>> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase
>> getCertChainUsingSecureAdminPort start
>> [30/Jan/2015:00:05:05][http-9445-1]:
>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>> 50; White spaces are required between publicId and systemId.
>> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase:
>> getCertChainUsingSecureAdminPort: java.io.IOException:
>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>> spaces are required between publicId and systemId.
>>
>> When I compare those logs to the logs from the server I installed a ca-
>> replica on successfully, the above is the point where the logs differ and it
>> must be the source of the error.
>>
>> In the log of the server that was successful it shows what should have
>> happened...
>>
>> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL
>> Admin HTTPS . . .
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML
>> parsed
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
>> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS
>> returns: 1
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase
>> getCertChainUsingSecureAdminPort start
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase
>> getCertChainUsingSecureAdminPort: status=0
>> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase
>> getCertChainUsingSecureAdminPort: certchain=<certstring>
>>
>> I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
>>
>> Note, also, I am trying this on new servers, not the same ones used in
>> December.
>>
>> I have searched high and low on google to try and find a resolution for the
>> White Space issue but haven't found anything that worked.
>>
>> This seems like a bug to me.
>>
>> Can anyone help with this please?
>>
>> Thanks in advance,
>>
>> Regards,
>>
>> Les
>>
>>
>>
>>
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
> 



