[Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

Quasar quasar7 at gmail.com
Thu Feb 11 11:51:04 UTC 2016


Martin,

I've re-tested the replica with a freshly-installed CentOS 7 (1511).
Installation still fails (damn!) and the log is a bit more verbose. I
suppose it has something to do with the certificate in my master server,
probably due to incremental updates done in the past.

2016-02-11T11:09:21Z DEBUG Starting external process
2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpRHosRn'
2016-02-11T11:10:58Z DEBUG Process finished, return code=1
2016-02-11T11:10:58Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160211120921.log
Loading deployment configuration from /tmp/tmpRHosRn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2016-02-11T11:10:58Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet:
500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token):
line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}

2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'' returned non-zero
exit status 1
2016-02-11T11:10:58Z CRITICAL See the installation logs and the following
files/directories for more information:
2016-02-11T11:10:58Z CRITICAL   /var/log/pki-ca-install.log
2016-02-11T11:10:58Z CRITICAL   /var/log/pki/pki-tomcat
2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
    self.handle_setup_error(e)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I'm attaching the 3 log files, as usual:



On Thu, Feb 11, 2016 at 11:28 AM, Quasar <quasar7 at gmail.com> wrote:

> Hi Martin,
>
> first of all thanks for taking some time to read and provide feedback,
> much appreciated.
>
> I first tried with CentOS 7.x (build 1511) but got the same error
> during CA configuration. Then I supposed I had to upgrade step-by-step,
> from 3.0 to 3.3 (instead of 3.0 to 4.x) and used Fedora 23, 20, 19 and 18
> but with no luck.
> If you need the exact log from CentOS 7.x migration I can provide them to
> you.
>
> About the debug log file, it was attached and these are the final lines
> containing the error:
>
> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
> domainInfo=<?xml version="1.0" encoding="UTF-8"
> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
> updateDomainXML start hostname=ipaserver.it.fx.lan port=443
> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: failed
> to update security domain using admin port 443:
> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
> spaces are required between publicId and systemId.
> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: now
> trying agent port with client auth
> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
> updateDomainXML start hostname=ipaserver.it.fx.lan port=443
> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML()
> nickname=subsystemCert cert-pki-ca
> [09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
> updateDomainXML: status=1
>
>
>
> --
> Giuseppe Calignano
>



-- 
Giuseppe Calignano
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug
Type: application/octet-stream
Size: 88289 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160211/2a513e60/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: text/x-log
Size: 191748 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160211/2a513e60/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-ca-spawn.20160211120921.log
Type: text/x-log
Size: 156026 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160211/2a513e60/attachment-0001.bin>

