[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Rob Crittenden rcritten at redhat.com
Thu Jun 2 21:29:35 UTC 2016


Dan.Finkelstein at high5games.com wrote:
> Hi Sebastian,
>
> Unfortunately, that doesn't seem to be it and reinstalling the replica
> with --setup-ca failed again with the same errors. I've included relevant
> sections of the logs.
>
> /var/log/ipareplica-install.log:
>
> 2016-06-02T10:43:16Z DEBUG Starting external process
>
> 2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpl8RqSM'
>
> 2016-06-02T10:43:16Z DEBUG Process finished, return code=1
>
> 2016-06-02T10:43:16Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160602064316.log
>
> Loading deployment configuration from /tmp/tmpl8RqSM.
>
> 2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
>
>    File "/usr/sbin/pkispawn", line 717, in <module>
>
>      main(sys.argv)
>
>    File "/usr/sbin/pkispawn", line 523, in main
>
>      parser.compose_pki_master_dictionary()
>
>    File
> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
> line 573, in compose_pki_master_dictionary
>
>      instance.load()
>
>    File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line
> 454, in load
>
>      subsystem.load()
>
>    File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line
> 118, in load
>
>      lines = open(self.cs_conf).read().splitlines()
>
> IOError: [Errno 2] No such file or directory:
> '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
>
> 2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero
> exit status 1
>
> 2016-06-02T10:43:16Z CRITICAL See the installation logs and the
> following files/directories for more information:
>
> 2016-06-02T10:43:16Z CRITICAL   /var/log/pki-ca-install.log
>
> 2016-06-02T10:43:16Z CRITICAL   /var/log/pki/pki-tomcat
>
> 2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>
>      run_step(full_msg, method)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>
>      method()
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 620, in __spawn_instance
>
>      DogtagInstance.spawn_instance(self, cfg_file)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
>
>      self.handle_setup_error(e)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
>
>      raise RuntimeError("%s configuration failed." % self.subsystem)
>
> RuntimeError: CA configuration failed.
>
> 2016-06-02T10:43:16Z DEBUG   [error] RuntimeError: CA configuration failed.
>
> 2016-06-02T10:43:16Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
>
>      return_value = self.run()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
> line 311, in run
>
>      cfgr.run()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 281, in run
>
>      self.execute()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 303, in execute
>
>      for nothing in self._executor():
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 343, in __runner
>
>      self._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
>
>      util.raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 333, in __runner
>
>      step()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 87, in run_generator_with_yield_from
>
>      raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 65, in run_generator_with_yield_from
>
>      value = gen.send(prev_value)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 524, in _configure
>
>      executor.next()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 343, in __runner
>
>      self._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in _handle_exception
>
>      self.__parent._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
>
>      util.raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 418, in _handle_exception
>
>      super(ComponentBase, self)._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
>
>      util.raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 333, in __runner
>
>      step()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 87, in run_generator_with_yield_from
>
>      raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 65, in run_generator_with_yield_from
>
>      value = gen.send(prev_value)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
> line 63, in _install
>
>      for nothing in self._installer(self.parent):
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 879, in main
>
>      install(self)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 295, in decorated
>
>      func(installer)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 584, in install
>
>      ca.install(False, config, options)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 106, in install
>
>      install_step_0(standalone, replica_config, options)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 130, in install_step_0
>
>      ra_p12=getattr(options, 'ra_p12', None))
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1543, in install_replica_ca
>
>      subject_base=config.subject_base)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 486, in configure_instance
>
>      self.start_creation(runtime=210)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>
>      run_step(full_msg, method)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>
>      method()
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 620, in __spawn_instance
>
>      DogtagInstance.spawn_instance(self, cfg_file)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
>
>      self.handle_setup_error(e)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
>
>      raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: CA configuration failed.
>
> 2016-06-02T10:43:16Z ERROR CA configuration failed.
>
> Of note, there is no /var/log/pki-ca-install.log file nor (as the error
> above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
>
> Best regards,
>
> Dan
>
> *Daniel Alex Finkelstein*| Senior Dev Ops Engineer
>
> Dan.Finkelstein at h5g.com <mailto:Dan.Finkelstein at h5g.com>| 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
> www.high5games.com <http://www.high5games.com/>
>
> *From: *Sebastian Schäfer <sebastian.schaefer at dlr.de>
> *Date: *Thursday, June 2, 2016 at 02:59
> *To: *"freeipa-users at redhat.com" <freeipa-users at redhat.com>, Daniel
> Finkestein <Dan.Finkelstein at high5games.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> Hi Dan,
>
> I had a similar problem when updating my FreeIPA. In my case it turned
> out that the certificates that get bundled with the replica preparation
> file were expired. This is due to the /root/cacert.p12 file not being
> updated during the preparation process until FreeIPA 3.2.2.
>
> The file can be recreated with the commands from step 2 of
> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> If that does not solve the problem, it would be good to see (part of)
> the actual logfiles of your replica installation attempt.
>
> Best regards
>
> --
>
> Sebastian Schäfer, M. A.
>
> -------------------------------
>
> Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
>
> Institute of Space Operations and Astronaut Training
>
> Microgravity User Support Center (MUSC)
>
> Linder Höhe | 51147 Köln
>
> Telefon 02203 601-30 01 | Telefax: 02203 61471 |
> sebastian.schaefer at dlr.de <mailto:sebastian.schaefer at dlr.de>
>
> www.DLR.de
>
> On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com
> <mailto:Dan.Finkelstein at high5games.com> wrote:
>
>     Hi folks,
>
>     As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
>     to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
>     replicas in CentOS 7 and then hope to promote one of them to the CA
>     master. I'm running into two problems:
>
>     The first is that when we create a replica in FreeIPA 4.2.0 with the
>     --setup-ca option, that portion fails. Here's a snippet of the output:
>
>     Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>
>     30 seconds
>
>         [1/23]: creating certificate server user
>
>         [2/23]: configuring certificate server instance
>
>     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
>
>     configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
>
>     '/tmp/tmpqPeYOW'' returned non-zero exit status 1
>
>     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
>
>     installation logs and the following files/directories for more
>     information:
>
>     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>
>     /var/log/pki-ca-install.log
>
>     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>
>     /var/log/pki/pki-tomcat
>
>         [error] RuntimeError: CA configuration failed.
>
>     Your system may be partly configured.
>
>     Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
>


You need to find the CA logs. All IPA gets is "the install failed" and 
no details why. Look in /var/log/pki/pki-tomcat for the relevant logs.

rob
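
Added example, not part of the original thread or of FreeIPA's own code: a small triage script that reads an installer log shaped like the ipareplica-install.log excerpt quoted above and reports, for each external command that exited non-zero, its arguments, the pkispawn log file it named, and the last exception in its stderr traceback. The function name `failed_commands` and the sample log are constructed for illustration, and the parser assumes unwrapped log lines (the e-mail quoting above wraps them).

```python
import re

# Constructed sample, shaped like the ipareplica-install.log excerpt quoted in the thread.
SAMPLE_LOG = """\
2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.
2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
2016-06-02T10:43:16Z ERROR CA configuration failed.
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z (\w+) (.*)$")
EXC = re.compile(r"^(\w+(?:\.\w+)*(?:Error|Exception)): (.*)$")

def failed_commands(text):
    """Return one dict per external command that exited non-zero."""
    results, cur, in_stderr = [], None, False
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            in_stderr = False
            msg = m.group(2)
            if msg.startswith("args="):
                cur = {"args": re.findall(r"'([^']*)'", msg), "rc": None,
                       "spawn_log": None, "exception": None}
            elif cur and msg.startswith("Process finished, return code="):
                cur["rc"] = int(msg.rsplit("=", 1)[1])
                if cur["rc"] != 0:
                    results.append(cur)
            elif cur and msg.startswith("stdout="):
                found = re.search(r"Log file:\s*(\S+)", msg)
                cur["spawn_log"] = found.group(1) if found else None
            elif cur and msg.startswith("stderr="):
                in_stderr = True
        elif cur and in_stderr:
            # Untimestamped lines after stderr= are the child's traceback;
            # the last "SomeError: ..." line is the underlying exception.
            e = EXC.match(line)
            if e:
                cur["exception"] = (e.group(1), e.group(2))
    return results

if __name__ == "__main__":
    print(failed_commands(SAMPLE_LOG))
```

The `spawn_log` path it reports is the per-run pkispawn log, which sits alongside the /var/log/pki/pki-tomcat directory mentioned in the reply.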



