[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Dan.Finkelstein at high5games.com Dan.Finkelstein at high5games.com
Fri Jun 3 20:14:35 UTC 2016


A further update: when I try to install the CA component, it erroneously says that the CA is installed:

[root@ipa ~]# ipa-ca-install --skip-conncheck --debug
ipa         : DEBUG    /sbin/ipa-ca-install was invoked with options: {'external_cert_files': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_signing_algorithm': None, 'debug': True, 'external_ca': False, 'skip_conncheck': True}
ipa         : DEBUG    IPA version 4.2.0-15.0.1.el7.centos.6.1
ipa         : DEBUG    Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa         : DEBUG    Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa         : DEBUG    importing all plugin modules in ipalib.plugins...
ipa         : DEBUG    importing plugin module ipalib.plugins.aci
ipa         : DEBUG    importing plugin module ipalib.plugins.automember
ipa         : DEBUG    importing plugin module ipalib.plugins.automount
ipa         : DEBUG    importing plugin module ipalib.plugins.baseldap
ipa         : DEBUG    importing plugin module ipalib.plugins.baseuser
ipa         : DEBUG    importing plugin module ipalib.plugins.batch
ipa         : DEBUG    importing plugin module ipalib.plugins.caacl
ipa         : DEBUG    importing plugin module ipalib.plugins.cert
ipa         : DEBUG    importing plugin module ipalib.plugins.certprofile
ipa         : DEBUG    importing plugin module ipalib.plugins.config
ipa         : DEBUG    importing plugin module ipalib.plugins.delegation
ipa         : DEBUG    importing plugin module ipalib.plugins.dns
ipa         : DEBUG    importing plugin module ipalib.plugins.domainlevel
ipa         : DEBUG    importing plugin module ipalib.plugins.group
ipa         : DEBUG    importing plugin module ipalib.plugins.hbacrule
ipa         : DEBUG    importing plugin module ipalib.plugins.hbacsvc
ipa         : DEBUG    importing plugin module ipalib.plugins.hbacsvcgroup
ipa         : DEBUG    importing plugin module ipalib.plugins.hbactest
ipa         : DEBUG    importing plugin module ipalib.plugins.host
ipa         : DEBUG    importing plugin module ipalib.plugins.hostgroup
ipa         : DEBUG    importing plugin module ipalib.plugins.idrange
ipa         : DEBUG    importing plugin module ipalib.plugins.idviews
ipa         : DEBUG    importing plugin module ipalib.plugins.internal
ipa         : DEBUG    importing plugin module ipalib.plugins.kerberos
ipa         : DEBUG    importing plugin module ipalib.plugins.krbtpolicy
ipa         : DEBUG    importing plugin module ipalib.plugins.migration
ipa         : DEBUG    importing plugin module ipalib.plugins.misc
ipa         : DEBUG    importing plugin module ipalib.plugins.netgroup
ipa         : DEBUG    importing plugin module ipalib.plugins.otpconfig
ipa         : DEBUG    importing plugin module ipalib.plugins.otptoken
ipa         : DEBUG    importing plugin module ipalib.plugins.otptoken_yubikey
ipa         : DEBUG    importing plugin module ipalib.plugins.passwd
ipa         : DEBUG    importing plugin module ipalib.plugins.permission
ipa         : DEBUG    importing plugin module ipalib.plugins.ping
ipa         : DEBUG    importing plugin module ipalib.plugins.pkinit
ipa         : DEBUG    importing plugin module ipalib.plugins.privilege
ipa         : DEBUG    importing plugin module ipalib.plugins.pwpolicy
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args='klist' '-V'
ipa         : DEBUG    Process finished, return code=0
ipa         : DEBUG    stdout=Kerberos 5 version 1.13.2

ipa         : DEBUG    stderr=
ipa         : DEBUG    importing plugin module ipalib.plugins.radiusproxy
ipa         : DEBUG    importing plugin module ipalib.plugins.realmdomains
ipa         : DEBUG    importing plugin module ipalib.plugins.role
ipa         : DEBUG    importing plugin module ipalib.plugins.rpcclient
ipa         : DEBUG    importing plugin module ipalib.plugins.selfservice
ipa         : DEBUG    importing plugin module ipalib.plugins.selinuxusermap
ipa         : DEBUG    importing plugin module ipalib.plugins.server
ipa         : DEBUG    importing plugin module ipalib.plugins.service
ipa         : DEBUG    importing plugin module ipalib.plugins.servicedelegation
ipa         : DEBUG    importing plugin module ipalib.plugins.session
ipa         : DEBUG    importing plugin module ipalib.plugins.stageuser
ipa         : DEBUG    importing plugin module ipalib.plugins.sudocmd
ipa         : DEBUG    importing plugin module ipalib.plugins.sudocmdgroup
ipa         : DEBUG    importing plugin module ipalib.plugins.sudorule
ipa         : DEBUG    importing plugin module ipalib.plugins.topology
ipa         : DEBUG    importing plugin module ipalib.plugins.trust
ipa         : DEBUG    importing plugin module ipalib.plugins.user
ipa         : DEBUG    importing plugin module ipalib.plugins.vault
ipa         : DEBUG    importing plugin module ipalib.plugins.virtual
ipa         : DEBUG    importing all plugin modules in ipaserver.plugins...
ipa         : DEBUG    importing plugin module ipaserver.plugins.dogtag
ipa         : DEBUG    importing plugin module ipaserver.plugins.join
ipa         : DEBUG    importing plugin module ipaserver.plugins.ldap2
ipa         : DEBUG    importing plugin module ipaserver.plugins.rabase
ipa         : DEBUG    importing plugin module ipaserver.plugins.xmlserver
ipa.ipalib.session.SessionAuthManager: DEBUG    SessionAuthManager.register: name=jsonserver_session_59800912
ipa.ipalib.session.SessionAuthManager: DEBUG    SessionAuthManager.register: name=xmlserver_session_59823824
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
ipa.ipaserver.rpcserver.login_password: DEBUG    session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
ipa.ipaserver.rpcserver.jsonserver_session: DEBUG    session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
ipa.ipaserver.rpcserver.jsonserver_kerb: DEBUG    session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
ipa.ipaserver.rpcserver.xmlserver_session: DEBUG    session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.xmlserver_session: DEBUG    session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
ipa.ipaserver.rpcserver.login_kerberos: DEBUG    session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG    Mounting ipaserver.rpcserver.xmlserver() at '/xml'
ipa.ipaserver.rpcserver.xmlserver: DEBUG    session_auth_duration: 0:20:00
Directory Manager (existing master) password:

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection context.ldap2_59800272
ipa.ipalib.plugins.config.config_show: DEBUG    raw: config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG    config_show(rights=False, all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x37c9128>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG    raw: ca_is_enabled(version=u'2.156')
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG    ca_is_enabled(version=u'2.156')
ipa         : DEBUG      File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()

  File "/sbin/ipa-ca-install", line 204, in main
    install_master(safe_options, options)

  File "/sbin/ipa-ca-install", line 191, in install_master
    ca.install_check(True, None, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 49, in install_check
    sys.exit("CA is already installed.\n")

ipa         : DEBUG    The ipa-ca-install command failed, exception: SystemExit: CA is already installed.

CA is already installed.

Yet:
[root@ipa ~]# ipa-csreplica-manage list
Directory Manager password:

ipa.example.com: CA not configured


Daniel Alex Finkelstein| Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com<mailto:Dan.Finkelstein at h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>
Play High 5 Casino<https://apps.facebook.com/highfivecasino/> and Shake the Sky<https://apps.facebook.com/shakethesky/>
Follow us on: Facebook<http://www.facebook.com/high5games>, Twitter<https://twitter.com/High5Games>, YouTube<http://www.youtube.com/High5Games>, Linkedin<http://www.linkedin.com/company/1072533?trk=tyah>

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
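
The two tools quoted in the message above answer different questions, which is why they can disagree. The `ca_is_enabled` call that the debug trace shows immediately before `sys.exit("CA is already installed.\n")` is a subtree search of `cn=masters,cn=ipa,cn=etc,$SUFFIX` for `(&(objectClass=ipaConfigObject)(cn=CA))`; it returns true if any master in the domain has a CA service entry, not just the local host, and the `install_master` frame in the same trace is the branch `ipa-ca-install` takes when it is given no replica file argument. `ipa-csreplica-manage list`, by contrast, prints a status per host. The shell below is an added example, not code from this thread or from FreeIPA: it shows the live search and then runs the same two checks offline over a constructed LDIF snippet. The hostnames `ipa3.example.com` and `ipa.example.com`, the suffix `dc=example,dc=com` and the `slapd-EXAMPLE-COM` socket name are assumptions modelled on the anonymised output above.

```shell
#!/bin/sh
# Added example: the two questions behind "CA is already installed" (ipa-ca-install)
# versus "CA not configured" (ipa-csreplica-manage list). ca_is_enabled searches the
# masters container for ANY CA service entry; a per-host status looks for the CA entry
# under one specific master. Hostnames, suffix and socket name below are assumptions.

# Live query, run as root on the IPA server (root autobinds to Directory Manager over
# the ldapi socket that appears in the debug output; adjust realm and suffix):
#   ldapsearch -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket \
#     -b cn=masters,cn=ipa,cn=etc,dc=example,dc=com \
#     '(&(objectClass=ipaConfigObject)(cn=CA))' ipaConfigString

# ca_hosts: read LDIF on stdin and print the FQDN of every master that has a
# cn=CA,cn=<fqdn>,cn=masters,... entry, one per line.
ca_hosts() {
    sed -n 's/^dn: cn=CA,cn=\([^,]*\),cn=masters,.*$/\1/p'
}

# domain_has_ca: the ca_is_enabled question. Exit 0 if ANY master has a CA entry.
domain_has_ca() {
    [ -n "$(ca_hosts)" ]
}

# host_has_ca FQDN: the per-host question. Exit 0 only if that master has a CA entry.
host_has_ca() {
    ca_hosts | grep -qx -- "$1"
}

# compare_views FQDN: print both answers for the LDIF on stdin.
compare_views() {
    ldif=$(cat)
    if printf '%s\n' "$ldif" | domain_has_ca; then dom=yes; else dom=no; fi
    if printf '%s\n' "$ldif" | host_has_ca "$1"; then loc=yes; else loc=no; fi
    printf 'domain has a CA (ca_is_enabled): %s\nCA configured on %s: %s\n' "$dom" "$1" "$loc"
}

# Constructed sample of what the search above returns on a CA-less replica that has
# received the CA master's entries through replication. ipa3.example.com stands in for
# the CentOS 6 master and ipa.example.com for the new CentOS 7 replica (both invented).
SAMPLE_LDIF='dn: cn=CA,cn=ipa3.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: ipaConfigObject
cn: CA
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster
'

# Reproduces the mismatch seen in the post: the domain has a CA, this host does not.
printf '%s' "$SAMPLE_LDIF" | compare_views ipa.example.com
```

Run the live `ldapsearch` on the replica: if it returns a `cn=CA` entry under some other master, `ipa-ca-install` invoked without a replica file will exit exactly as shown above, because from its point of view the domain already has a CA, while the per-host view of the replica still shows no CA.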

From: <freeipa-users-bounces at redhat.com> on behalf of Daniel Finkestein <Dan.Finkelstein at high5games.com>
Date: Thursday, June 2, 2016 at 17:42
To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Hi Rob,
There are a few logs in there, I'm not sure which is most informative. Here are some sections from what I think are relevant logs:

/var/log/pki/pki-tomcat/localhost.log:

Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
...skipping...
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
        at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153)
        ... 52 more

/var/log/pki/pki-tomcat/catalina.out:

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.

/var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x7. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x8. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:20:22 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x9. Error Failed to publish using rule: No rules enabled
0.Thread-14 - [01/Jun/2016:12:20:23 EDT] [8] [3] Publishing: Could not publish certificate serial number 0xa. Error Failed to publish using rule: No rules enabled
0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
(repeats)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.h5c.local port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed to get a connection to the LDAP server. Error Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.profileChangeMonitor - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Thanks,
Dan



From: Rob Crittenden <rcritten at redhat.com>
Date: Thursday, June 2, 2016 at 17:29
To: Daniel Finkestein <Dan.Finkelstein at high5games.com>, "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Dan.Finkelstein at high5games.com<mailto:Dan.Finkelstein at high5games.com> wrote:
Hi Sebastian,

Unfortunately, that doesn't seem to be it and reinstalling the replica with --setup-ca failed again with the same errors. I've included relevant sections of the logs.

/var/log/ipareplica-install.log:

2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.

2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-02T10:43:16Z CRITICAL   /var/log/pki-ca-install.log
2016-06-02T10:43:16Z CRITICAL   /var/log/pki/pki-tomcat
2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z ERROR CA configuration failed.

Of note, there is no /var/log/pki-ca-install.log file nor (as the error
above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

Best regards,

Dan

*Daniel Alex Finkelstein*| Senior Dev Ops Engineer


*From: *Sebastian Schäfer <sebastian.schaefer at dlr.de>
*Date: *Thursday, June 2, 2016 at 02:59
*To: *"freeipa-users at redhat.com" <freeipa-users at redhat.com>, Daniel Finkelstein <Dan.Finkelstein at high5games.com>
*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
cannot promote to master

Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired. This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2.

The file can be recreated with the commands from step 2 of
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of) the actual logfiles of your replica installation attempt.

Best regards

--

Sebastian Schäfer, M. A.


On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:

     Hi folks,

     As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in CentOS 7 and then hope to promote one of them to the CA master. I'm running into two problems:

     The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca option, that portion fails. Here's a snippet of the output:

     Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
         [1/23]: creating certificate server user
         [2/23]: configuring certificate server instance
     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
         [error] RuntimeError: CA configuration failed.
     Your system may be partly configured.
     Run /usr/sbin/ipa-server-install --uninstall to clean up.


You need to find the CA logs. All IPA gets is "the install failed" and no details why. Look in /var/log/pki/pki-tomcat for the relevant logs.

rob
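Sebastian's point above is that the replica preparation file can carry an already-expired certificate bundle. The following is an added example, not code from this thread or from FreeIPA, that lists the certificates inside such a PKCS#12 bundle and flags expired ones before the replica install is retried; it assumes only the openssl CLI, and the bundle path and password are passed in as arguments (the demo at the bottom builds a constructed throwaway bundle rather than touching /root/cacert.p12):

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): list every certificate
# in a PKCS#12 bundle such as the /root/cacert.p12 that gets packed into
# a replica preparation file, and flag any that has expired or expires
# within an optional grace period (seconds). Needs only the openssl CLI.
# Usage: check_p12_expiry <bundle.p12> <password> [grace_seconds]
# Exit: 0 all valid, 1 at least one flagged, 2 no certificate readable.
check_p12_expiry() {
    p12="$1"; pass="$2"; grace="${3:-0}"
    tmp=$(mktemp -d) || return 2
    # Dump the certificates as PEM (no private keys) and write each
    # one to its own file so openssl x509 can examine it separately.
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" 2>/dev/null |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
            f != ""                       { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
    status=0; count=0
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        count=$((count + 1))
        subject=$(openssl x509 -in "$c" -noout -subject)
        notafter=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N succeeds only if the cert is still valid N seconds from now.
        if openssl x509 -in "$c" -noout -checkend "$grace" >/dev/null; then
            echo "OK       notAfter=$notafter  $subject"
        else
            echo "EXPIRING notAfter=$notafter  $subject"
            status=1
        fi
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || return 2
    return "$status"
}

# Stand-alone demo on a constructed throwaway bundle: one self-signed
# certificate valid for a single day, protected by a made-up password.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -out "$d/demo.p12" -passout pass:demo
    check_p12_expiry "$d/demo.p12" demo          # still valid today
    check_p12_expiry "$d/demo.p12" demo 604800   # flagged: expires within a week
    rm -rf "$d"
fi
```

A wrong password (exit 2) and an expired bundle (exit 1) are reported separately, so a failed MAC check is not mistaken for a stale certificate.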
