[Freeipa-users] CA: Failing to add Centos7 replica to Centos6.7 ipa server

Martin Basti mbasti at redhat.com
Thu Feb 11 13:04:31 UTC 2016



On 11.02.2016 13:33, Quasar wrote:
>
> Thank you!
> Dodging the dogtag guys, then ;-)
>
Do you have CA configured as external CA?

It could be:
https://bugzilla.redhat.com/show_bug.cgi?id=1291747

I don't think that it is already in CentOS.

>
> On Thu 11 Feb 2016 at 13:26, Martin Basti <mbasti at redhat.com> wrote:
>
>
>
>     On 11.02.2016 12:51, Quasar wrote:
>>     Martin,
>>
>>     I've re-tested the replica with a freshly-installed CentOS 7 (1511).
>>     Installation still fails (damn!) and the log is a bit more
>>     verbose. I suppose it has something to do with certificate in my
>>     master server probably due to incremental updates done in the past.
>>
>>     2016-02-11T11:09:21Z DEBUG Starting external process
>>     2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA'
>>     '-f' '/tmp/tmpRHosRn'
>>     2016-02-11T11:10:58Z DEBUG Process finished, return code=1
>>     2016-02-11T11:10:58Z DEBUG stdout=Log file:
>>     /var/log/pki/pki-ca-spawn.20160211120921.log
>>     Loading deployment configuration from /tmp/tmpRHosRn.
>>     Installing CA into /var/lib/pki/pki-tomcat.
>>     Storing deployment configuration into
>>     /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>
>>     Installation failed.
>>
>>
>>     2016-02-11T11:10:58Z DEBUG
>>     stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>>     InsecureRequestWarning: Unverified HTTPS request is being made.
>>     Adding certificate verification is strongly advised. See:
>>     https://urllib3.readthedocs.org/en/latest/security.html
>>       InsecureRequestWarning)
>>     pkispawn    : WARNING  ....... unable to validate security domain
>>     user/password through REST interface. Interface not available
>>     pkispawn    : ERROR    ....... Exception from Java Configuration
>>     Servlet: 500 Server Error: Internal Server Error
>>     pkispawn    : ERROR    ....... ParseError: not well-formed
>>     (invalid token): line 1, column 0:
>>     {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
>>     while updating security domain: java.io.IOException: 2"}
>>
>>     2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance:
>>     Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn''
>>     returned non-zero exit status 1
>>     2016-02-11T11:10:58Z CRITICAL See the installation logs and the
>>     following files/directories for more information:
>>     2016-02-11T11:10:58Z CRITICAL /var/log/pki-ca-install.log
>>     2016-02-11T11:10:58Z CRITICAL /var/log/pki/pki-tomcat
>>     2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>     line 418, in start_creation
>>         run_step(full_msg, method)
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>     line 408, in run_step
>>         method()
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>     line 620, in __spawn_instance
>>         DogtagInstance.spawn_instance(self, cfg_file)
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
>>     line 201, in spawn_instance
>>         self.handle_setup_error(e)
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
>>     line 465, in handle_setup_error
>>         raise RuntimeError("%s configuration failed." % self.subsystem)
>>     RuntimeError: CA configuration failed.
>>
>>     I'm attaching the 3 log files, as usual:
>>
>>
>>
>>     On Thu, Feb 11, 2016 at 11:28 AM, Quasar <quasar7 at gmail.com> wrote:
>>
>>         Hi Martin,
>>
>>         first of all thanks for taking some time to read and provide
>>         feedback, much appreciated.
>>
>>         I firstly tried with CentOS 7.x (build 1511) but got the same
>>         error during CA configuration. Then I supposed I had to
>>         upgrade step-by-step, from 3.0 to 3.3 (instead of 3.0 to 4.x)
>>         and used Fedora 23, 20, 19 and 18 but with no luck.
>>         If you need the exact log from CentOS 7.x migration I can
>>         provide them to you.
>>
>>         About the debug log file, it was attached and these are the
>>         final lines containing the error:
>>
>>         [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
>>         domainInfo=<?xml version="1.0" encoding="UTF-8"
>>         standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>>         [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a
>>         domain master
>>         [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
>>         updateDomainXML start hostname=ipaserver.it.fx.lan port=443
>>         [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
>>         updateSecurityDomain: failed to update security domain using
>>         admin port 443: org.xml.sax.SAXParseException; lineNumber: 1;
>>         columnNumber: 50; White spaces are required between publicId
>>         and systemId.
>>         [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
>>         updateSecurityDomain: now trying agent port with client auth
>>         [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
>>         updateDomainXML start hostname=ipaserver.it.fx.lan port=443
>>         [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
>>         updateDomainXML() nickname=subsystemCert cert-pki-ca
>>         [09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
>>         updateDomainXML: status=1
>>
>>
>>
>>         -- 
>>         Giuseppe Calignano
>>
>>
>>
>>
>>     -- 
>>     Giuseppe Calignano
>
>     I'm not sure but it looks like the known bug in dogtag 9 and 10
>     compatibility (I will try to find related bugzillas).
>     This should be already fixed in RHEL, so I do not know when it
>     will hit CentOS or if it is already there.
>
>     pkispawn    : WARNING  ....... unable to validate security domain
>     user/password through REST interface. Interface not available
>     pkispawn    : ERROR    ....... Exception from Java Configuration
>     Servlet: 500 Server Error: Internal Server Error
>     pkispawn    : ERROR    ....... ParseError: not well-formed
>     (invalid token): line 1, column 0:
>     {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
>     while updating security domain: java.io.IOException: 2"}
>
>     But I might be wrong, Dogtag guys can you look at it please? :-)
>
>
>     Martin
>
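
Added example, not part of the original thread and not pkispawn's own code: the `ParseError: not well-formed (invalid token): line 1, column 0` line in the log is what Python's XML parser raises when handed a JSON body, so the error that matters is the `Message` field inside that body. The decoder below accepts either format; the `<PKIException>` XML layout and the function names are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the error body from the pkispawn log above, rejoined
# onto one line (the mail client wrapped it).
SAMPLE_BODY = (
    '{"Attributes":{"Attribute":[]},'
    '"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
    '"Message":"Error while updating security domain: java.io.IOException: 2"}'
)


def _result(fmt, cls, code, message, xml_error):
    """Build a uniform result record; a missing or non-numeric code becomes None."""
    try:
        code = int(code)
    except (TypeError, ValueError):
        code = None
    return {"format": fmt, "class": cls, "code": code,
            "message": message, "xml_error": xml_error}


def decode_pki_error(body):
    """Decode a Dogtag error body that may be XML, JSON, or neither.

    Assumption: the XML form is a <PKIException> element with ClassName,
    Code and Message children, mirroring the JSON keys seen in the log.
    """
    text = body.strip()
    xml_error = None
    try:
        root = ET.fromstring(text)
        return _result("xml", root.findtext("ClassName"),
                       root.findtext("Code"), root.findtext("Message"), None)
    except ET.ParseError as exc:
        # For a JSON body this is the secondary error pkispawn printed.
        xml_error = str(exc)
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        return _result("json", doc.get("ClassName"), doc.get("Code"),
                       doc.get("Message"), xml_error)
    # Neither format: keep a bounded excerpt so the caller still sees something.
    return _result("unknown", None, None, text[:200], xml_error)


if __name__ == "__main__":
    print(decode_pki_error(SAMPLE_BODY))
```
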
