[Freeipa-users] Replica install fails when using --setup-ca

Martin Kosek mkosek at redhat.com
Tue Jan 13 11:32:01 UTC 2015


On 01/12/2015 03:53 PM, dbischof at hrz.uni-kassel.de wrote:
> Hi,
> 
> no ideas about this one?
> 
> I'm unsure if I did something wrong, but since I installed both systems the
> same way, I really don't know what could be wrong.
> 
> One thing that may be related: The working system (the one that doesn't fail to
> create a replica with "--setup-ca") went into production in April 2014, the one
> that fails in September 2014. In between were several updates to the ipa-server
> package, including one related to Dogtag ("Proxy calls to
> /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with Dogtag
> 10 PKI (#1083878)"). Can this cause errors like the one I observe?

That's a good guess. Installing a RHEL/CentOS 7.0 replica against a master that
does not have this update would indeed cause a failure. Did you try updating it?

> Something else I may want to look into? My installations are pretty much
> standard, except that I use an external DNS and have SELinux disabled.

If the referred update does not help, we would need to see the full
ipareplica-install.log and the PKI logs (/var/log/pki/) on the replica to
continue debugging.

> 
> 
> Best regards,
> 
> --Daniel.
> 
> On Tue, 6 Jan 2015, dbischof at hrz.uni-kassel.de wrote:
> 
>> I have two small FreeIPA installations (for two different realms), both with
>> CentOS 6/FreeIPA 3.0.0-42. After running them both with only one master
>> server each for a while, I attempted to extend both installations with one
>> replica each.
>>
>> Doing a
>>
>> ipa-replica-install --setup-ca /var/lib/ipa/replica-info-...
>>
>> worked fine for one of the installations, but failed for the other:
>>
>> ---
>> [...]
>>
>>  [3/17]: configuring certificate server instance ipa : CRITICAL failed to
>> configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA
>> -cs_hostname xxx -cs_port 9445 -client_certdb_dir /tmp/tmp-YsXvhP
>> -client_certdb_pwd XXXXXXXX -preop_pin vJl0m3xc9Oz7b1fIgttD -domain_name IPA
>> -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX
>> -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> -agent_cert_subject CN=ipa-ca-agent,O=YYY -ldap_host xxx -ldap_port 7389
>> -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
>> -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
>> internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=YYY
>> -ca_server_cert_subject_name CN=xxx,O=YYY -ca_audit_signing_cert_subject_name
>> CN=CA Audit,O=YYY -ca_sign_cert_subject_name CN=Certificate Authority,O=YYY
>> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
>> XXXXXXXX -sd_hostname mmm -sd_admin_port 443 -sd_admin_name admin
>> -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://mmm:443'
>> returned non-zero exit status 255
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> ---
>>
>> /var/log/ipareplica-install.log:
>>
>> ---
>> [...]
>> Error in DomainPanel(): updateStatus value is null
>> ERROR: ConfigureCA: DomainPanel() failure
>> ERROR: unable to create CA
>>
>> #######################################################################
>>
>> 2015-01-06T13:36:25Z DEBUG stderr=
>> 2015-01-06T13:36:25Z CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> 2015-01-06T13:36:25Z INFO   File
>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
>> 614, in run_script
>>    return_value = main_function()
>>
>>  File "/usr/sbin/ipa-replica-install", line 476, in main
>>    (CA, cs) = cainstance.install_replica_ca(config)
>>
>>  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 1626, in install_replica_ca
>>    subject_base=config.subject_base)
>>
>>  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 626, in configure_instance
>>    self.start_creation(runtime=210)
>>
>>  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
>> 358, in start_creation
>>    method()
>>
>>  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 888, in __configure_instance
>>    raise RuntimeError('Configuration of CA failed')
>>
>> 2015-01-06T13:36:25Z INFO The ipa-replica-install command failed, exception:
>> RuntimeError: Configuration of CA failed
>> ---
>>
>> Omitting "--setup-ca" lets me successfully install a working replica server.
>>
>> The problem appears to be my installation (since the other one works) -
>> however: Both (intended) replica servers are nearly identical (operating
>> system version, installed packages, etc.).
>>
>> My understanding is that a replica without a CA is not a 100% clone of an IPA
>> master, right? What are the downsides of having a replica without a CA?
> 