[Freeipa-users] backing up and starting over...

Robert Story rstory at tislabs.com
Thu Dec 22 21:48:10 UTC 2016


On Thu, 22 Dec 2016 09:25:52 +0100 Florence wrote:
FBR> you can find more information about backup and restore procedure in this 
FBR> guide [1]. But, as stated in the documentation, the safest method would 
FBR> rather be to install a replica [2].
FBR> [...]
FBR> [2] 
FBR> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-replica.html

I tried to create a replica. It went well for the directory server, but
then:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

from ipa-replica-install.log:

2016-12-22T21:00:53Z DEBUG Starting external process
2016-12-22T21:00:53Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ
2016-12-22T21:10:08Z DEBUG Process finished, return code=1
2016-12-22T21:10:08Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20161222160055.log
Loading deployment configuration from /tmp/tmpqYyqJJ.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
...
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

Installation failed:


Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2016-12-22T21:10:08Z DEBUG stderr=
2016-12-22T21:10:08Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned non-zero exit status 1
2016-12-22T21:10:08Z CRITICAL See the installation logs and the following files/directories for more information:
2016-12-22T21:10:08Z CRITICAL   /var/log/pki/pki-tomcat
2016-12-22T21:10:08Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-12-22T21:10:08Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-12-22T21:10:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1718, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 822, in install
    ca.install_step_0(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 140, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1562, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 437, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-12-22T21:10:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2016-12-22T21:10:08Z ERROR CA configuration failed.
2016-12-22T21:10:08Z ERROR The ipa-replica-install command failed.
See /var/log/ipareplica-install.log for more information

/var/log/pki/pki-tomcat/ca/system:
0.localhost-startStop-1 - [22/Dec/2016:16:02:38 EST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

/var/log/pki/pki-tomcat/ca/debug:
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: === Subsystem Configuration ===
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://auth-1.example:443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: SystemConfigService: import certificate chain from master
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: Searching for SecureAdminPort in CA hosts
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: host: auth-1.example
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: SecurePort port: 443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: SecureAdminPort port found: 443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: GET https://auth-1.example:443/ca/admin/ca/getCertChain
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: SystemConfigService: get configuration entries from master
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: updateNumberRange start host=auth-1.example adminPort=443 eePort=443
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: ConfigurationUtils: POST https://auth-1.example:443/ca/admin/ca/updateNumberRange
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Attempting to contact master using EE port
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: ConfigurationUtils: POST https://auth-1.example:443/ca/ee/ca/updateNumberRange
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
javax.ws.rs.NotFoundException: HTTP 404 Not Found
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:181)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:154)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:444)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post(ClientInvocationBuilder.java:201)
        at com.netscape.certsrv.client.PKIConnection.post(PKIConnection.java:476)
...


So this looks like the culprit:

[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error


Any suggestions on how to fix this? Or do I need to switch to the
backup/restore method?


Robert

-- 
Senior Software Engineer @ Parsons
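Added example (not code from the post, nor from FreeIPA or Dogtag): a small triage script for the clone's /var/log/pki/pki-tomcat/ca/debug. It pairs every request the new CA made to the master during configuration with the failure that followed it, and converts Dogtag's zone-less local timestamps to UTC so they can be matched against ipareplica-install.log (written in UTC) and against the master's own ca/debug. The embedded log is the excerpt from the post above; the EST (UTC-5) offset is an assumption taken from the "EST" stamp in the ca/system line, and the exception-name and peer-certificate fields are read straight from the lines shown.

```python
"""Triage a failed Dogtag CA clone from the clone's own ca/debug log.

Added example, not code from the post or from FreeIPA/Dogtag. Each request the
clone sent to the master is paired with the failure logged after it, and all
timestamps are rendered in UTC for correlation with the master's logs.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the CA host runs in EST (UTC-5); the only zone visible on the page
# is the "[22/Dec/2016:16:02:38 EST]" stamp in ca/system. Set this to your zone.
LOCAL_TZ = timezone(timedelta(hours=-5), "EST")
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# The leading "[" is optional because one line in the post lost it when pasted.
LINE_RE = re.compile(r"^\[?(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\]"
                     r"\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
REQ_RE = re.compile(r"ConfigurationUtils: (?P<method>GET|POST) (?P<url>https?://\S+)")
PEER_RE = re.compile(r"^\s*- (?P<key>subject|issuer): (?P<val>.+)$")
# Dogtag glues message and exception together: "...using admin portjavax.ws.rs..."
FAIL_RE = re.compile(r"Failed to contact master using \w+ port"
                     r"(?P<exc>\S+Exception): (?P<status>HTTP \d{3}.*)$")
# Stack-trace header with no timestamp: "javax.ws.rs.NotFoundException: HTTP 404 Not Found"
BARE_EXC_RE = re.compile(r"^(?P<exc>[\w.]+Exception): (?P<status>HTTP \d{3}.*)$")


def to_utc(local_ts):
    """Interpret '22/Dec/2016:16:06:48' as LOCAL_TZ and return an aware UTC datetime."""
    return datetime.strptime(local_ts, TS_FMT).replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)


def utc_iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def triage(log_text):
    """Return one dict per request to the master, in log order."""
    events, cur = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = LINE_RE.match(line)
        if m:
            ts, msg = to_utc(m.group("ts")), m.group("msg")
            r = REQ_RE.search(msg)
            if r:
                cur = {"method": r.group("method"), "url": r.group("url"),
                       "interface": "admin" if "/admin/" in r.group("url") else "ee",
                       "started_utc": utc_iso(ts), "_t0": ts, "peer": {},
                       "exception": None, "status": None, "elapsed_s": None}
                events.append(cur)
                continue
            p = PEER_RE.match(msg)          # TLS peer the clone actually talked to
            if p and cur is not None:
                cur["peer"][p.group("key")] = p.group("val")
                continue
            f = FAIL_RE.search(msg)         # timestamped failure: we know how long it took
            if f and cur is not None and cur["status"] is None:
                cur.update(exception=f.group("exc"), status=f.group("status"),
                           elapsed_s=int((ts - cur["_t0"]).total_seconds()))
            continue
        b = BARE_EXC_RE.match(line)         # untimestamped stack-trace header
        if b and cur is not None and cur["status"] is None:
            cur.update(exception=b.group("exc"), status=b.group("status"))
    for e in events:
        del e["_t0"]
    return events


def report(events):
    """One line per request; the UTC stamp is what to grep for on the master."""
    out = []
    for e in events:
        verdict = e["status"] or "no error logged"
        if e["elapsed_s"] is not None:
            verdict += " after %ds" % e["elapsed_s"]
        out.append("%s %s %s -> %s (peer %s)" % (e["started_utc"], e["method"], e["url"],
                                                  verdict, e["peer"].get("subject", "?")))
    return out


# Excerpt of the clone's ca/debug as pasted in the post above (stack frames omitted).
SAMPLE_DEBUG_LOG = """\
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://auth-1.example:443
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: ConfigurationUtils: GET https://auth-1.example:443/ca/admin/ca/getCertChain
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:05:47][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: SystemConfigService: get configuration entries from master
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: updateNumberRange start host=auth-1.example adminPort=443 eePort=443
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: ConfigurationUtils: POST https://auth-1.example:443/ca/admin/ca/updateNumberRange
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:06:48][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Attempting to contact master using EE port
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: ConfigurationUtils: POST https://auth-1.example:443/ca/ee/ca/updateNumberRange
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]: Server certificate:
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]:  - subject: CN=auth-1.example,O=EXAMPLE
[22/Dec/2016:16:07:48][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=EXAMPLE
javax.ws.rs.NotFoundException: HTTP 404 Not Found
"""

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_DEBUG_LOG))))
```

Run against the excerpt, the timeline shows the getCertChain fetch completing without error, the admin-interface POST to updateNumberRange answered with HTTP 500 a full 60 seconds later, and the EE-interface retry answered 404. The 500 is the first real failure; the 404 is only the fallback path Dogtag tries afterwards, so the master's ca/debug around 21:06:48Z to 21:07:48Z (in the master's own local time) is where the explanation has to be looked for. The report also prints the subject of the certificate the clone was presented, which is worth a glance whenever a clone talks to a master through a proxy on port 443, as both interfaces do here (adminPort=443 eePort=443).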