[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
Rob Crittenden
rcritten at redhat.com
Fri Jun 3 21:21:17 UTC 2016
Dan.Finkelstein at high5games.com wrote:
> A further update: when I try to install the CA component, it erroneously
> says that the CA is installed:
>
> [root at ipa ~]# ipa-ca-install --skip-conncheck --debug
[ snip ]
> ipa : DEBUG The ipa-ca-install command failed, exception:
> SystemExit: CA is already installed.
>
> CA is already installed.
Try:
# pkidestroy -i pki-tomcat -s CA
> Yet:
>
> [root at ipa ~]# ipa-csreplica-manage list
>
> Directory Manager password:
>
> ipa.example.com: CA not configured
Two different methods are used to determine whether a CA is installed.
I'll open a ticket to look into that.
rob
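Rob's point above (the installer and ipa-csreplica-manage disagree about whether a CA exists) shows up on the Dogtag side too, in the /var/log/pki/pki-tomcat/ca/system excerpt Dan quotes further down. As an added example, not code from this thread, FreeIPA or Dogtag, here is a small classifier for that log's lines; the sample lines are constructed after the thread's excerpts and the hints are this example's own interpretation:

```python
"""Classify Dogtag ``ca/system`` log lines like those quoted in this thread."""
import re
from collections import OrderedDict

# Line layout as seen in the thread's excerpts:
#   <thread> - [<timestamp>] [<n>] [<n>] <message>
# The two bracketed integers are captured but their meaning is not relied on.
LINE_RE = re.compile(
    r"^(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] \[(?P<src>\d+)\] \[(?P<lvl>\d+)\] (?P<msg>.*)$"
)

# Message fragments from the thread -> (fragment, operator hint).
# The hints are this example's interpretation, not statements from the
# FreeIPA or Dogtag developers.
SIGNATURES = OrderedDict([
    ("internaldb_config_missing", (
        "Property internaldb.ldapconn.port missing value",
        "internal DB settings absent from CS.cfg: the instance was never fully configured")),
    ("ca_chain_not_built", (
        "Cannot build CA chain",
        "CA certificate chain could not be loaded from the instance's NSS database")),
    ("ldap_tls_connect_failed", (
        "IO Error creating JSS SSL Socket",
        "TLS connection to the directory server on port 636 failed")),
    ("publishing_no_rules", (
        "Failed to publish using rule: No rules enabled",
        "certificate publishing has no rules enabled; usually harmless")),
])

# Constructed sample, modelled on the excerpts quoted further down in the thread.
SAMPLE_LINES = [
    "0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot build CA chain. "
    "Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate",
    "0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz instance DirAclAuthz "
    "initialization failed and skipped, error=Property internaldb.ldapconn.port missing value",
    "0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build CA chain. "
    "Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate",
    "0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not publish certificate "
    "serial number 0x7. Error Failed to publish using rule: No rules enabled",
    "0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not publish certificate "
    "serial number 0x8. Error Failed to publish using rule: No rules enabled",
    "0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap (bound) connection pool "
    "to host ipa.example.com port 636, Cannot connect to LDAP server. Error: "
    "netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)",
    "0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection "
    "pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: "
    "netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)",
    "0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed to get a connection "
    "to the LDAP server. Error Could not connect to LDAP server host ipa.example.com port 636 "
    "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)",
    "this line does not match the layout and is skipped",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = int(rec["src"])
    rec["lvl"] = int(rec["lvl"])
    return rec


def classify(msg):
    """Map a message to the first matching signature name, else 'other'."""
    for name, (needle, _hint) in SIGNATURES.items():
        if needle in msg:
            return name
    return "other"


def summarize(lines):
    """Count each known signature (first timestamp and hint kept); also count
    lines that do not match the layout. Returns (summary, unparsed_count)."""
    out = OrderedDict()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        sig = classify(rec["msg"])
        if sig == "other":
            continue
        entry = out.setdefault(sig, {"count": 0, "first": rec["ts"],
                                     "hint": SIGNATURES[sig][1]})
        entry["count"] += 1
    return out, unparsed


def looks_partially_configured(summary):
    """Heuristic used by this example: missing internaldb settings means the
    pki-tomcat instance exists on disk but its CA was never configured."""
    return "internaldb_config_missing" in summary


if __name__ == "__main__":
    summary, unparsed = summarize(SAMPLE_LINES)
    for sig, entry in summary.items():
        print("%-26s x%d first=%s  %s" % (sig, entry["count"], entry["first"], entry["hint"]))
    print("unparsed lines:", unparsed)
    print("partially configured instance:", looks_partially_configured(summary))
```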
>
> <http://www.high5games.com/>
>
> *Daniel Alex Finkelstein*| Senior Dev Ops Engineer
>
> _Dan.Finkelstein at h5g.com <mailto:Dan.Finkelstein at h5g.com>_| 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
> www.high5games.com <http://www.high5games.com/>
>
> Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake
> the Sky <https://apps.facebook.com/shakethesky/>
>
> Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
> <https://twitter.com/High5Games>, YouTube
> <http://www.youtube.com/High5Games>, Linkedin
> <http://www.linkedin.com/company/1072533?trk=tyah>
>
> //
>
> /This message and any attachments may contain confidential or privileged
> information and are only for the use of the intended recipient of this
> message. If you are not the intended recipient, please notify the sender
> by return email, and delete or destroy this and all copies of this
> message and all attachments. Any unauthorized disclosure, use,
> distribution, or reproduction of this message or any attachments is
> prohibited and may be unlawful./
>
> *From: *<freeipa-users-bounces at redhat.com> on behalf of Daniel
> Finkestein <Dan.Finkelstein at high5games.com>
> *Date: *Thursday, June 2, 2016 at 17:42
> *To: *"freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> Hi Rob,
>
> There are a few logs in there; I'm not sure which is most informative.
> Here are some sections from what I think are relevant logs:
>
> /var/log/pki/pki-tomcat/localhost.log:
>
> Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [Resteasy] in context with path
> [/ca] threw exception
> org.jboss.resteasy.spi.UnhandledException:
> org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find
> MessageBodyWriter for response object of type:
> com.netscape.certsrv.base.PKIException$Data of media type:
> application/x-www-form-urlencoded
> Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure:
> Could not find MessageBodyWriter for response object of type:
> com.netscape.certsrv.base.PKIException$Data of media type:
> application/x-www-form-urlencoded
> at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153)
> ... 52 more
>
> /var/log/pki/pki-tomcat/catalina.out:
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'ssl2Ciphers' to
> '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5'
> did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'ssl3Ciphers' to
> '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
> did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'tlsCiphers' to
> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
> did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a
> matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a
> matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'sslRangeCiphers' to
> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256'
> did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'serverCertNickFile' to
> '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf'
> did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'passwordClass' to
> 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a
> matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a
> matching property.
>
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting
> property 'xmlValidation' to 'false' did not find a matching property.
>
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting
> property 'xmlNamespaceAware' to 'false' did not find a matching property.
>
> /var/log/pki/pki-tomcat/ca/system:
>
> 0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot
> build CA chain. Error java.security.cert.CertificateException:
> Certificate is not a PKCS #11 certificate
>
> 0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz
> instance DirAclAuthz initialization failed and skipped, error=Property
> internaldb.ldapconn.port missing value
>
> 0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build
> CA chain. Error java.security.cert.CertificateException: Certificate is
> not a PKCS #11 certificate
>
> 0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not
> publish certificate serial number 0x7. Error Failed to publish using
> rule: No rules enabled
>
> 0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not
> publish certificate serial number 0x8. Error Failed to publish using
> rule: No rules enabled
>
> 0.Thread-13 - [01/Jun/2016:12:20:22 EDT] [8] [3] Publishing: Could not
> publish certificate serial number 0x9. Error Failed to publish using
> rule: No rules enabled
>
> 0.Thread-14 - [01/Jun/2016:12:20:23 EDT] [8] [3] Publishing: Could not
> publish certificate serial number 0xa. Error Failed to publish using
> rule: No rules enabled
>
> 0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap
> (bound) connection pool to host ipa.example.com port 636, Cannot connect
> to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating
> JSS SSL Socket (-1)
>
> (repeats)
>
> 0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap
> (bound) connection pool to host ipa.h5c.local port 636, Cannot connect
> to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating
> JSS SSL Socket (-1)
>
> 0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed
> to get a connection to the LDAP server. Error Could not connect to LDAP
> server host ipa.example.com port 636 Error netscape.ldap.LDAPException:
> IO Error creating JSS SSL Socket (-1)
>
> 0.profileChangeMonitor - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap
> (bound) connection pool to host ipa.example.com port 636, Cannot connect
> to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating
> JSS SSL Socket (-1)
>
> Thanks,
>
> Dan
>
> *From: *Rob Crittenden <rcritten at redhat.com>
> *Date: *Thursday, June 2, 2016 at 17:29
> *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>,
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> Dan.Finkelstein at high5games.com <mailto:Dan.Finkelstein at high5games.com>
> wrote:
>
> Hi Sebastian,
>
> Unfortunately, that doesn't seem to be it and reinstalling the replica
> with setup-ca failed again with the same errors. I've included relevant
> sections of the logs.
>
> /var/log/ipareplica-install.log:
>
> 2016-06-02T10:43:16Z DEBUG Starting external process
> 2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
> 2016-06-02T10:43:16Z DEBUG Process finished, return code=1
> 2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
> Loading deployment configuration from /tmp/tmpl8RqSM.
> 2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 717, in <module>
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 523, in main
>     parser.compose_pki_master_dictionary()
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
>     instance.load()
>   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
>     subsystem.load()
>   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
>     lines = open(self.cs_conf).read().splitlines()
> IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
> 2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
> 2016-06-02T10:43:16Z CRITICAL See the installation logs and the
> following files/directories for more information:
> 2016-06-02T10:43:16Z CRITICAL /var/log/pki-ca-install.log
> 2016-06-02T10:43:16Z CRITICAL /var/log/pki/pki-tomcat
>
> 2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: CA configuration failed.
> 2016-06-02T10:43:16Z ERROR CA configuration failed.
>
> Of note, there is no /var/log/pki-ca-install.log file nor (as the error
> above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
>
> Best regards,
>
> Dan
>
> *From: *Sebastian Schäfer <sebastian.schaefer at dlr.de>
> *Date: *Thursday, June 2, 2016 at 02:59
> *To: *"freeipa-users at redhat.com" <freeipa-users at redhat.com>, Daniel
> Finkestein <Dan.Finkelstein at high5games.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> Hi Dan,
>
> I had a similar problem when updating my FreeIPA. In my case it turned
> out that the certificates that get bundled with the replica preparation
> file were expired. This is due to the /root/cacert.p12 file not being
> updated during the preparation process until FreeIPA 3.2.2.
>
> The file can be recreated with the commands from step 2 of
> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> If that does not solve the problem, it would be good to see (part of)
> the actual logfiles of your replica installation attempt.
>
> Best regards
>
> --
> Sebastian Schäfer, M. A.
> -------------------------------
> Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
> Institute of Space Operations and Astronaut Training
> Microgravity User Support Center (MUSC)
> Linder Höhe | 51147 Köln
> Phone 02203 601-30 01 | Fax: 02203 61471 |
> sebastian.schaefer at dlr.de <mailto:sebastian.schaefer at dlr.de>
> www.DLR.de
>
> On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:
>
> Hi folks,
>
> As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
> to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
> replicas in CentOS 7 and then hope to promote one of them to the CA
> master. I'm running into two problems:
>
> The first is that when we create a replica in FreeIPA 4.2.0 with the
> setup-ca option, that portion fails. Here's a snippet of the output:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
> [1/23]: creating certificate server user
> [2/23]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpqPeYOW'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more
> information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> You need to find the CA logs. All IPA gets is "the install failed" and
> no details why. Look in /var/log/pki/pki-tomcat for the relevant logs.
>
> rob
>