[Freeipa-users] error while installing ipa-replica with ca

Fraser Tweedale ftweedal at redhat.com
Tue Jan 12 01:05:41 UTC 2016


On Mon, Jan 11, 2016 at 12:55:52PM +0100, Martin Kosek wrote:
> On 01/11/2016 12:51 PM, Arthur Fayzullin wrote:
> > Bingo!!!
> > that it is!!!
> > dm password contains % - symbol!
> > 
> > I am not sure, but with previous versions that did not cause any problem.
> 
> Good :-)
> 
> Still, it would be nice to fix Dogtag installation procedures to not parse
> passwords that way. Endi, please just make sure there is a Dogtag Bugzilla
> filed and in some realistic milestone as this bug's root cause is not so obvious.
> 
There is an existing BZ and upstream ticket:

https://bugzilla.redhat.com/show_bug.cgi?id=1283631
https://fedorahosted.org/pki/ticket/1703

> > 
> > Thanks a lot!
> > 
> > 11.01.2016 16:48, Martin Kosek wrote:
> >> On 01/11/2016 12:01 PM, Arthur Fayzullin wrote:
> >>> Good day, Colleagues!
> >>>
> >>> And Happy New Year!
> >>>
> >>> I have tried to install a test stand with ipa v4.2 and 2 master-master
> >>> servers.
> >>>
> >>> files /etc/hosts on both servers contain:
> >>> 127.0.0.1   localhost localhost.localdomain localhost4
> >>> localhost4.localdomain4
> >>> ::1         localhost localhost.localdomain localhost6
> >>> localhost6.localdomain6
> >>>
> >>> 10.254.1.114 radipa00.test.ckt radipa00
> >>> 10.254.1.154 radipa01.test.ckt radipa01
> >>>
> >>> prepare key for replica server:
> >>> [root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
> >>> radipa01.test.ckt
> >>>
> >>> copy it to replica:
> >>> [root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
> >>> root@radipa01.test.ckt:/var/lib/ipa/
> >>>
> >>> then on replica start installation:
> >>> [root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
> >>> --mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
> >>> --forwarder=77.88.8.7 --forwarder=77.88.8.3
> >>> /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
> >>>
> >>> and!!! I have got such error:
> >>>   [2/23]: configuring certificate server instance
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> >>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> >>> '/tmp/tmpvgc4S6'' returned non-zero exit status 1
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> >>> installation logs and the following files/directories for more information:
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> >>> /var/log/pki-ca-install.log
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> >>> /var/log/pki/pki-tomcat
> >>>   [error] RuntimeError: CA configuration failed.
> >>> Your system may be partly configured.
> >>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>
> >>> log file contains this error:
> >>> [root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.20160111150634.log
> >>>     'application_version': '[APPLICATION_VERSION]'}
> >>> 2016-01-11 15:06:34 pkispawn    : ERROR    ....... Deployment file could
> >>> not be parsed correctly.  This might be because of unescaped '%%'
> >>> characters.  You must escape '%%' characters in deployment files
> >>> (example - 'setting=foo%%%%bar').
> >>> 2016-01-11 15:06:34 pkispawn    : ERROR    ....... Interpolation error
> >>> ('%' must be followed by '%' or '(', found: '%')
> >>>
> >>> I have reproduced that error several times with CentOS 7 and Fedora 23
> >>> installations.
> >>>
> >>> I am really confused if I am doing something wrong or maybe it is
> >>> something else...
> >>> what can it be?
> >>> ____________
> >>> Best wishes!
> >> CCing Endi. There used to be an error, when DM password (used also for Dogtag)
> >> contained special characters, PKI installer choked on it. I could not find the
> >> bug number right now.
> > 
> 
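
The interpolation failure quoted in the log above, reproduced as an added example (not part of the original thread and not Dogtag's own code). It assumes Python 3's standard `configparser`, whose `BasicInterpolation` enforces the same rule the pkispawn log reports; the section name `CA`, the key `setting` and the sample password are constructed.

```python
import configparser

# Constructed sample: section "CA" and key "setting" are made-up names,
# not real pkispawn parameters.
SAMPLE_PASSWORD = "Secret%123"


def escape_percent(value):
    """Double every '%' so BasicInterpolation reads it as a literal."""
    return value.replace("%", "%%")


def render_deployment(password, escape):
    """Build a deployment-style INI fragment, optionally escaping '%'."""
    value = escape_percent(password) if escape else password
    return "[CA]\nsetting = " + value + "\n"


def read_setting(ini_text, interpolate=True):
    """Return (value, error_name); error_name is None when parsing works."""
    interpolation = configparser.BasicInterpolation() if interpolate else None
    parser = configparser.ConfigParser(interpolation=interpolation)
    parser.read_string(ini_text)
    try:
        return parser.get("CA", "setting"), None
    except configparser.InterpolationError as exc:
        return None, type(exc).__name__


def results(password=SAMPLE_PASSWORD):
    """Parse the same password three ways."""
    return {
        "raw value, interpolating parser": read_setting(
            render_deployment(password, escape=False)),
        "escaped value, interpolating parser": read_setting(
            render_deployment(password, escape=True)),
        "raw value, interpolation disabled": read_setting(
            render_deployment(password, escape=False), interpolate=False),
    }


if __name__ == "__main__":
    for case, outcome in results().items():
        print(case, "->", outcome)
```

The error surfaces only when the value is read, not when the file is loaded, which is why the root cause is easy to miss: a secret written verbatim into an interpolating config file must either be escaped by the writer or read with interpolation turned off.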



