[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

Rob Crittenden rcritten at redhat.com
Tue Feb 24 22:27:07 UTC 2015


Jani West wrote:
> On the old master, the Apache logs look like this:
> 
> ---------------
> [Tue Feb 24 23:37:40 2015] [error] [client 192.168.177.8] File does not
> exist: /var/www/html/ca
> [Tue Feb 24 23:37:41 2015] [error] [client 192.168.177.8] File does not
> exist: /var/www/html/ca
> [Tue Feb 24 23:38:22 2015] [error] [client 192.168.177.8] File does not
> exist: /var/www/html/ca
> 192.168.177.8 - - [24/Feb/2015:10:35:47 +0200] "POST
> /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
> 192.168.177.8 - - [24/Feb/2015:23:37:40 +0200] "GET
> /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 325
> 192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] "GET
> /ca/admin/ca/getDomainXML HTTP/1.1" 200 1158
> 192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] "GET
> /ca/rest/account/login HTTP/1.1" 404 313
> 192.168.177.8 - - [24/Feb/2015:23:38:19 +0200] "POST
> /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
> 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] "GET
> /ca/rest/account/login HTTP/1.1" 404 313
> 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] "POST
> /ca/admin/ca/getCookie HTTP/1.1" 200 4088
> 192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] "POST
> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
> 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] "POST
> /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
> 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] "POST
> /ca/admin/ca/updateNumberRange HTTP/1.0" 404 -
> 192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] "POST
> /ca/admin/ca/updateNumberRange HTTP/1.0" 404 -
> 192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] "POST
> /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
> 192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] "POST
> /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
> 192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] "POST
> /ca/admin/ca/updateNumberRange HTTP/1.0" 404 -
> 192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] "POST
> /ca/ee/ca/updateNumberRange HTTP/1.0" 200 153
> 192.168.177.8 - - [24/Feb/2015:23:38:30 +0200] "POST
> /ca/admin/ca/getConfigEntries HTTP/1.0" 200 13714
> 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] "POST
> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
> 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] "POST
> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
> 192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] "POST
> /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
> ---------------------
> 
> and /var/log/ipareplica-install.log on the new replica looks like this:
> --------------------
> pkispawn    : ERROR    ....... Exception from Java Configuration
> Servlet: Error while updating security domain: java.io.IOException: 2
> 
> 2015-02-24T21:40:54Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpR56_Ck' returned non-zero exit
> status 1
> 2015-02-24T21:40:54Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 638, in run_script
>     return_value = main_function()
> 
>   File "/usr/sbin/ipa-replica-install", line 667, in main
>     CA = cainstance.install_replica_ca(config)
> 
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1689, in install_replica_ca
>     subject_base=config.subject_base)
> 
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 478, in configure_instance
>     self.start_creation(runtime=210)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 364, in start_creation
>     method()
> 
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 615, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
> 
> 2015-02-24T21:40:54Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: Configuration of CA failed
> --------------------
> 
> Just give me a shout if you want me to run replication again and if you
> need any extra logs.

The full ipaserver-install.log and /var/log/pki/pki-tomcat/ca/debug
would be handy. Feel free to send them to me directly as they are
probably rather large.

rob

> 
> 
> On 02/25/2015 12:00 AM, Rob Crittenden wrote:
>> Jani West wrote:
>>> Re-created the replication file and ran ipa-replica-install on a fresh
>>> CentOS 7 server.
>>>
>>> It is still giving the same error:
>>>
>>> ---------------------
>>> 2015-02-24T21:40:54Z DEBUG Process finished, return code=1
>>> 2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from
>>> /tmp/tmpR56_Ck.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>> Installation failed.
>>>
>>>
>>> 2015-02-24T21:40:54Z DEBUG stderr=pkispawn    : WARNING  ....... unable
>>> to validate security domain user/password through REST interface.
>>> Interface not available
>>
>> That is expected.
>>
>>> pkispawn    : ERROR    ....... Exception from Java Configuration
>>> Servlet: Error while updating security domain: java.io.IOException: 2
>>
>> I think a fresh set of logs is needed.
>>
>> rob
>>
>>> --------------------.
>>>
>>> On 02/24/2015 06:06 PM, Rob Crittenden wrote:
>>>> West, Jani wrote:
>>>>> Thank you for the tip,
>>>>>
>>>>> Just created new /root/cacerts.p12. Should I import it to the CA
>>>>> somehow
>>>>> or just restart the ipa server?
>>>>>
>>>>> Will reset the new replica VM to a clean CentOS 7 installation without
>>>>> any leftovers from ipa-replica-install.
>>>>>
>>>>
>>>> Re-run ipa-replica-prepare and it will pick up the new file. Use that
>>>> newly prepared file on your replica and hopefully that will do the
>>>> trick.
>>>>
>>>> rob
>>>>
>>>
>>>
> 
> 



