[Freeipa-users] replica install failing with : "Clone does not have all the required certificates"

James Kinney jkinney at emory.edu
Wed Jan 13 23:10:40 UTC 2016


I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and
the replica process is failing to install on the new system:

2016-01-13T17:27:46Z DEBUG Starting external process
2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpjklK4o'
2016-01-13T17:28:19Z DEBUG Process finished, return code=1
2016-01-13T17:28:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-
spawn.20160113122746.log
Loading deployment configuration from /tmp/tmpjklK4o.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-
tomcat/ca/deployment.cfg.

Installation failed.


2016-01-13T17:28:19Z DEBUG stderr=/usr/lib/python2.7/site-
packages/urllib3/connectionpool.py:769: InsecureRequestWarning:
Unverified HTTPS request is being made. Adding certifi
cate verification is strongly advised. See: https://urllib3.readthedocs
.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.P
KIException
","Code":500,"Message":"Clone does not have all the required
certificates"} 

2016-01-13T17:28:19Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'' returned non-
zero exit status 1
2016-01-13T17:28:19Z CRITICAL See the installation logs and the
following files/directories for more information:
2016-01-13T17:28:19Z CRITICAL   /var/log/pki-ca-install.log
2016-01-13T17:28:19Z CRITICAL   /var/log/pki/pki-tomcat
2016-01-13T17:28:19Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/cainstance.py", line 620, in
__spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/dogtaginstance.py", line 201, in
spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/dogtaginstance.py", line 465, in
handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-01-13T17:28:19Z DEBUG   [error] RuntimeError: CA configuration
failed.
2016-01-13T17:28:19Z DEBUG   File "/usr/lib/python2.7/site-
packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run

It looks to me that the original, first install version 3.0 system is generating a bad gpg file. Will a reinstall of the original cert file solve this? If so, where and what is the best procedure? Is there a way to add CA capability to an existing master replicant by reusing its original replica.gpg file?


Background: the old v3.0 system runs on a virtual machine (ovirt). The physical host had a series of "bad days" that involved multiple crashes and lock-ups that were ultimately attributed to insufficient cooling of the RAID card. It is suspected that the data was scrambled on the drive. The original cert is backed up but the remaining machine backups are of dubious quality (long story - bad week at the datacenter).


This is the last system on old hardware that was hit when the datacenter cooling totally failed and erased all the backups. Some days you're the pigeon, some days you're the statue.

-- 
Jim Kinney
Senior System Administrator
36 Eagle Row Suite 588
Department of Biomedical Informatics
Emory University School of Medicine
jkinney at emory.edu
404-712-0300

