[Freeipa-users] CA Replication Installation Failing - SOLVED!

Les Stott Less at imagine-sw.com
Thu Feb 5 06:59:55 UTC 2015


Guys,

Thanks for your help. You pointed me in the right direction (checking the apache logs).

In the end, it was missing modules in httpd.conf on the Master.

I saw this error in /var/log/httpd/error_log

[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getStatus. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getCertChain. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

These modules were not being loaded...

LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

Now it works.

(well I have a different issue now with setting up a second replica ca, but that's another story and better in a new thread)

Thanks,

Les

> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, 5 February 2015 2:24 AM
> To: Les Stott; freeipa-users at redhat.com
> Cc: Ade Lee
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> Les Stott wrote:
> > Has anyone got any ideas on this?
> >
> > I am stuck with not being able to deploy a CA Replica and this is halting
> rollout of the project.
> >
> > Help please...
> >
> > Regards,
> 
> What is the version of IPA on the master you are connecting to?
> 
> Can you confirm on the existing master that /etc/httpd/conf.d/ipa-pki-proxy.conf
> has /ca/ee/ca/profileSubmit in it:
> 
>  # matches for ee port
> <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
> 
> rob
> 
> >
> > Les
> >
> >> -----Original Message-----
> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> >> bounces at redhat.com] On Behalf Of Les Stott
> >> Sent: Friday, 30 January 2015 4:48 PM
> >> To: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>
> >>
> >>
> >>> -----Original Message-----
> >>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> >>> bounces at redhat.com] On Behalf Of Les Stott
> >>> Sent: Wednesday, 10 December 2014 6:22 PM
> >>> To: freeipa-users at redhat.com
> >>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Ade Lee [mailto:alee at redhat.com]
> >>>> Sent: Wednesday, 10 December 2014 5:05 AM
> >>>> To: Les Stott
> >>>> Cc: freeipa-users at redhat.com
> >>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>>
> >>>> On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>> ______________________________________________________________________
> >>>>> From: freeipa-users-bounces at redhat.com
> >>>>> [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
> >>>>> [dpal at redhat.com]
> >>>>> Sent: Tuesday, December 09, 2014 3:49 PM
> >>>>> To: freeipa-users at redhat.com
> >>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 12/08/2014 11:04 PM, Les Stott wrote:
> >>>>>
> >>>>>> Does anyone have any ideas on the below errors when trying to add
> >>>>>> CA replication to an existing replica?
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>> People who might be able to help are on PTO right now.
> >>>>>>
> >>>>>> Is your installation older than 2 years?
> >>>>>
> >>>>> No, December 2013 was when it was originally built.
> >>>>>
> >>>>>> Did you generate a new replica package or use the original one?
> >>>>>
> >>>>> I used the original replica file for serverb, based on
> >>>>> instructions I came across. I can try regenerating the replica file.
> >>>>>
> >>>>> Interestingly, now that you mention it, servera had to be restored
> >>>>> a couple of months back. Perhaps this is an issue and regenerating
> >>>>> the replica file for serverb will be required.
> >>>>>
> >>>>> I will try this.
> >>>>>
> >>>>
> >>>> I think that this is a safe bet to be the problem.
> >>>>
> >>>> The error in the log snippet you posted says:
> >>>>
> >>>>  <errorString>The pkcs12 file is not correct.</errorString>
> >>>>
> >>>> This indicates that the clone CA was unable to decode the pkcs12
> >>>> file in the replica.  Perhaps the certs changed -- or the DM
> >>>> password changed?
> >>>>
> >>>> Ade
> >>>
> >>> I regenerated the replica file and retried the CA replica setup, but
> >>> it failed at the same point with the same error.
> >>>
> >>> I am thinking that the next step is to uninstall the ipa replica to
> >>> cleanup, remove all traces and re-add as a replica on serverb.
> >>>
> >>> I wonder if the cert that it's having an issue with is the one on
> >>> serverB under /etc/ipa/ca.crt which is from Dec 2013.
> >>>
> >>> I will try that in a couple of days as I have to schedule this work
> >>> in as it's in production.
> >>>
> >>> Regards,
> >>>
> >>> Les
> >>>
> >>>
> >>>>>> May be the problem is that the cert that is in that package
> >>>>>> already expired?
> >>>>>
> >>>>> original replica file was created on Dec 16 2013. Cert is not set
> >>>>> to expire until 2015-12-17.
> >>>>>
> >>>>>> Just a thought...
> >>>>>>
> >>>>>> The simplest workaround IMO would be to prepare Server C, install
> >>>>>> it with CA and then decommission replica B.
> >>>>>> Do not forget to clean replication agreements on master.
> >>>>>>
> >>>>>> But that would be a workaround; it would not solve this specific
> >>>>>> problem, it would kill it.
> >>>>>
> >>>>> I actually do have serverc and serverd. I planned to have CA
> >>>>> replication on at least 2 other servers, but held off on trying on
> >>>>> serverc due to issues with serverb.
> >>>>>
> >>>>> I'll report back what I find after regenerating the replica file
> >>>>> and re-trying to setup CA replication.
> >>>>>
> >>
> >> After a bit of a hiatus I have revisited this issue and I still have it.
> >>
> >> Just to re-iterate the problem...
> >>
> >> Trying to setup a ca replica on an already installed replica fails in
> >> rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.
> >>
> >> /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg
> >>
> >> It fails showing.... "CRITICAL failed to configure ca instance"
> >>
> >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> >>   [1/16]: creating certificate server user
> >>   [2/16]: creating pki-ca instance
> >>   [3/16]: configuring certificate server instance
> >>
> >> Your system may be partly configured.
> >> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>
> >> It doesn't matter if I run it interactively or unattended.
> >>
> >> I have done this on similar servers that were rhel 6.5, pki-9.0.3-32,
> >> ipa 3.0.0-37 without any issue.
> >>
> >> The /var/log/ipareplica-ca-install.log shows the following error
> >> about White Spaces:
> >>
> >> #############################################
> >> Attempting to connect to: mymaster.mydomain.com:9445 Connected.
> >> Posting Query = https://mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
> >> RESPONSE STATUS:  HTTP/1.1 200 OK
> >> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> >> RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> >> RESPONSE HEADER:  Date: Fri, 30 Jan 2015 05:05:04 GMT
> >> RESPONSE HEADER:  Connection: close
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <response>
> >>   <panel>admin/console/config/securitydomainpanel.vm</panel>
> >>   <https_agent_port>443</https_agent_port>
> >>   <machineName>mymaster.mydomain.com</machineName>
> >>   <res/>
> >>   <cstype>CA</cstype>
> >>   <initCommand>/sbin/service pki-cad</initCommand>
> >>   <instanceId><security_domain_instance_name></instanceId>
> >>   <sdomainURL>https:// myhost.mydomain.com:9445</sdomainURL>
> >>   <sdomainName/>
> >>   <http_ee_port>80</http_ee_port>
> >>   <errorString>org.xml.sax.SAXParseException; lineNumber: 1;
> >> columnNumber: 50; White spaces are required between publicId and
> >> systemId.</errorString>
> >>
> >> The /var/log/pki-ca/debug also shows....
> >>
> >> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating
> >> SSL Admin HTTPS . . .
> >> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
> >> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser
> >> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
> >> White spaces are required between publicId and systemId.
> >> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS
> >> no successful response for SSL Admin HTTPS
> >> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
> >> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> >> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> >>
> >> When I compare those logs to the logs from the server I installed a
> >> ca-replica on successfully, the above is the point where the logs
> >> differ and it must be the source of the error.
> >>
> >> In the log of the server that was successful it shows what should
> >> have happened...
> >>
> >> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating
> >> SSL Admin HTTPS . . .
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML
> >> parsed
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
> >> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS
> >> returns: 1
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase
> >> getCertChainUsingSecureAdminPort start
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase
> >> getCertChainUsingSecureAdminPort: status=0
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase
> >> getCertChainUsingSecureAdminPort: certchain=<certstring>
> >>
> >> I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
> >>
> >> Note, also, I am trying this on new servers, not the same ones used
> >> in December.
> >>
> >> I have searched high and low on google to try and find a resolution
> >> for the White Space issue but haven't found anything that worked.
> >>
> >> This seems like a bug to me.
> >>
> >> Can anyone help with this please?
> >>
> >> Thanks in advance,
> >>
> >> Regards,
> >>
> >> Les
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go To http://freeipa.org for more info on the project
> >
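The fix Les describes above is that the mod_proxy submodules were not loaded on the master, so Apache had no handler for the scheme the CA paths are proxied to. The check below is an added example, not code from the thread or from the FreeIPA/Dogtag projects: it reads `LoadModule` and `ProxyPass`/`ProxyPassMatch` directives from a set of httpd config files and reports every proxied URL scheme whose handler submodule is missing. It generalizes the case in the thread by deriving the required module from each directive's target scheme rather than checking only the four modules Les lists. The sample config contents, the AJP scheme and port 9447 in the stand-in `ipa-pki-proxy.conf` are constructed placeholders, not taken from a real server.

```shell
#!/bin/sh
# Added example (not IPA or Dogtag code): verify that every scheme a ProxyPass /
# ProxyPassMatch directive forwards to has its mod_proxy submodule loaded.
# "No protocol handler was valid for the URL" in error_log is what mod_proxy
# reports when the submodule for the target scheme is not loaded.

# Map a ProxyPass target scheme to the mod_proxy submodule that handles it.
scheme_to_module() {
    case "$1" in
        http|https) echo proxy_http_module ;;
        ajp)        echo proxy_ajp_module ;;
        ftp)        echo proxy_ftp_module ;;
        *)          echo "" ;;            # unknown scheme: nothing to check
    esac
}

# Print the module names from active (uncommented) LoadModule lines.
loaded_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$@" | sort -u
}

# Print each URL scheme that a ProxyPass/ProxyPassMatch directive forwards to.
proxy_schemes() {
    awk '$1 == "ProxyPass" || $1 == "ProxyPassMatch" {
             for (i = 2; i <= NF; i++)
                 if (index($i, "://") > 0) { split($i, p, "://"); print p[1]; break }
         }' "$@" | sort -u
}

# Exit status 0 when every proxied scheme has its handler module loaded,
# 1 otherwise (each missing module is reported on stderr).
check_proxy_modules() {
    _loaded=$(loaded_modules "$@")
    _schemes=$(proxy_schemes "$@")
    _missing=0
    if [ -n "$_schemes" ] && ! printf '%s\n' "$_loaded" | grep -qx proxy_module; then
        echo "MISSING: proxy_module (mod_proxy) is not loaded" >&2
        _missing=1
    fi
    for _scheme in $_schemes; do
        _mod=$(scheme_to_module "$_scheme")
        [ -n "$_mod" ] || continue
        if ! printf '%s\n' "$_loaded" | grep -qx "$_mod"; then
            echo "MISSING: '$_scheme://' targets are proxied but $_mod is not loaded" >&2
            _missing=1
        fi
    done
    return $_missing
}

# --- constructed sample configs (placeholders, not copied from a real server) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Stand-in for the IPA proxy config; the AJP scheme and port 9447 are assumed.
cat > "$tmp/ipa-pki-proxy.conf" <<'EOF'
ProxyRequests Off
<LocationMatch "^/ca/admin/ca/getStatus|^/ca/admin/ca/getCertChain">
    ProxyPassMatch ajp://localhost:9447
</LocationMatch>
EOF

# Master before the fix: the submodule lines are present but commented out.
cat > "$tmp/broken-httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
EOF

# Master after the fix: the submodules are loaded.
cat > "$tmp/fixed-httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
EOF

for conf in broken fixed; do
    if check_proxy_modules "$tmp/$conf-httpd.conf" "$tmp/ipa-pki-proxy.conf"; then
        echo "$conf: every proxied scheme has a handler module loaded"
    else
        echo "$conf: proxy submodule missing; mod_proxy would log 'No protocol handler was valid'"
    fi
done
```

On a real master the same functions would be run over the live files, e.g. `check_proxy_modules /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf`; `httpd -M` lists the modules the running binary has actually loaded and is the quickest cross-check after editing httpd.conf.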