[Freeipa-users] CA Replication Installation Failing

Les Stott Less at imagine-sw.com
Fri Jan 30 05:48:18 UTC 2015
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 10 December 2014 6:22 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> 
> 
> > -----Original Message-----
> > From: Ade Lee [mailto:alee at redhat.com]
> > Sent: Wednesday, 10 December 2014 5:05 AM
> > To: Les Stott
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> > On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > From: freeipa-users-bounces at redhat.com
> > > [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
> > > [dpal at redhat.com]
> > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > To: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > >
> > >
> > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > >
> > > > Does anyone have any ideas on the below errors when trying to add
> > > > CA replication to an existing replica?
> > > >
> > > >
> > >
> > > > People who might be able to help are on PTO right now.
> > > >
> > > > Is your installation older than 2 years?
> > >
> > > No, December 2013 was when it was originally built.
> > >
> > > > Did you generate a new replica package or use the original one?
> > >
> > > I used the original replica file for serverb, based on instructions
> > > I came across. I can try regenerating the replica file.
> > >
> > > Interestingly, now that you mention it, servera had to be restored a
> > > couple of months back. Perhaps this is an issue and regenerating the
> > > replica file for serverb will be required.
> > >
> > > I will try this.
> > >
> >
> > I think that this is a safe bet to be the problem.
> >
> > The error in the log snippet you posted says:
> >
> >  <errorString>The pkcs12 file is not correct.</errorString>
> >
> > This indicates that the clone CA was unable to decode the pkcs12 file
> > in the replica.  Perhaps the certs changed -- or the DM password changed?
> >
> > Ade
> 
> I regenerated the replica file and retried the CA replica setup, but it failed at
> the same point with the same error.
> 
> I am thinking that the next step is to uninstall the ipa replica to cleanup,
> remove all traces and re-add as a replica on serverb.
> 
> I wonder if the cert that it's having an issue with is the one on serverB under
> /etc/ipa/ca.crt which is from Dec 2013.
> 
> I will try that in a couple of days as I have to schedule this work in as it's in
> production.
> 
> Regards,
> 
> Les
> 
> 
> > > > Maybe the problem is that the cert that is in that package already
> > > > expired?
> > >
> > > original replica file was created on Dec 16 2013. Cert is not set to
> > > expire until 2015-12-17.
> > >
> > > > Just a thought...
> > > >
> > > > The simplest workaround IMO would be to prepare Server C, install
> > > > it with CA and then decommission replica B.
> > > > Do not forget to clean replication agreements on master.
> > > >
> > > > But that would be a workaround, it would not solve this specific
> > > > problem, it would kill it.
> > >
> > > I actually do have serverc and serverd. I planned to have CA
> > > replication on at least 2 other servers, but held off on trying on
> > > serverc due to issues with serverb.
> > >
> > > I'll report back what I find after regenerating the replica file and
> > > re-trying to setup CA replication.
> > >

After a bit of a hiatus I have revisited this issue and I still have it.

Just to re-iterate the problem...

Trying to set up a CA replica on an already installed replica fails on RHEL 6.6, ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing "CRITICAL failed to configure ca instance":
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

It doesn't matter if I run it interactively or unattended.

I have done this on similar servers that were RHEL 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.

The /var/log/ipareplica-ca-install.log shows the following error about white spaces:

#############################################
Attempting to connect to: mymaster.mydomain.com:9445
Connected.
Posting Query = https:// mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 30 Jan 2015 05:05:04 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <panel>admin/console/config/securitydomainpanel.vm</panel>
  <https_agent_port>443</https_agent_port>
  <machineName>mymaster.mydomain.com</machineName>
  <res/>
  <cstype>CA</cstype>
  <initCommand>/sbin/service pki-cad</initCommand>
  <instanceId><security_domain_instance_name></instanceId>
  <sdomainURL>https:// myhost.mydomain.com:9445</sdomainURL>
  <sdomainName/>
  <http_ee_port>80</http_ee_port>
  <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.</errorString>

The /var/log/pki-ca/debug also shows....

[30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.

When I compare those logs to the logs from the server I installed a ca-replica on successfully, the above is the point where the logs differ and it must be the source of the error.

In the log of the server that was successful it shows what should have happened...

[25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
[25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=<certstring>

I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.

Note, also, I am trying this on new servers, not the same ones used in December.

I have searched high and low on Google to try and find a resolution for the white space issue but haven't found anything that worked.

This seems like a bug to me.

Can anyone help with this please?

Thanks in advance,

Regards,

Les
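The master's pingCS step in the pki-ca debug log above fails because it feeds whatever the admin port returned into an XML parser, and "White spaces are required between publicId and systemId" is the XML well-formedness error for a DOCTYPE whose PUBLIC and SYSTEM identifiers are run together. In other words, the body that came back from port 9445 was not the status XML the wizard expects. The following diagnostic is an added example for this thread, not FreeIPA or Dogtag code: it fetches the admin port body over TLS, verified against the IPA CA certificate the replica already holds (/etc/ipa/ca.crt by default), and classifies it the way pingCS would. The status path /ca/admin/ca/getStatus and the XMLResponse/State element names are assumptions about what pingCS requests, the script name ping_admin_port.py is hypothetical, and both sample bodies are constructed so the classification runs offline.

```python
"""Classify what a pki-ca admin port (9445) hands back, the way the master's
pingCS does: parse the body as XML and read the State element.

Added diagnostic for this thread, not FreeIPA/Dogtag code. The status path
and XML element names are assumptions; the sample bodies are constructed.
"""
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the kind of status XML a healthy admin port is assumed
# to return (element names are an assumption, not taken from the thread).
GOOD_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<XMLResponse><State>1</State><Type>CA</Type>'
    b'<Status>running</Status></XMLResponse>'
)

# Constructed sample: a non-XML page whose DOCTYPE glues the public and
# system identifiers together. XML requires whitespace between them, which
# is precisely the SAX well-formedness error quoted in the thread.
BAD_HTML = (
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0//EN"'
    b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">'
    b'<html><body>not a CA status response</body></html>'
)


def classify_response(body: bytes) -> dict:
    """Parse `body` as XML like pingCS would and report what it found.

    Returns {"kind": "xml", "root": ..., "state": ...} for well-formed XML,
    or {"kind": "not-xml", "error": ..., "head": ...} with the first bytes
    of the body so the operator can see what actually answered on 9445.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {
            "kind": "not-xml",
            "error": str(exc),
            "head": body[:80].decode("latin-1", "replace"),
        }
    return {"kind": "xml", "root": root.tag, "state": root.findtext("State")}


def fetch_admin_status(host, port=9445, path="/ca/admin/ca/getStatus",
                       cafile="/etc/ipa/ca.crt", timeout=10.0) -> bytes:
    """Fetch the raw body from the CA admin port over TLS.

    The server certificate is verified against the IPA CA certificate the
    replica already has (default /etc/ipa/ca.crt), so a stale or mismatched
    CA chain shows up as a TLS error instead of being silently ignored.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}{path}"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies.
    for label, body in (("good", GOOD_XML), ("bad", BAD_HTML)):
        print(label, classify_response(body))
    # Live check against a master: python3 ping_admin_port.py mymaster.mydomain.com
    if len(sys.argv) > 1:
        print(classify_response(fetch_admin_status(sys.argv[1])))
```

Run it from the replica being promoted against the master named in the wizard's sdomainURL. A "not-xml" result prints the first 80 bytes of whatever answered, which tells you whether the admin port is serving an HTML page or something else in place of the status XML; a TLS verification failure against /etc/ipa/ca.crt is itself a useful finding given the question above about that file's age.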