[Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

Giorgos Kafataridis g.kafataridis at nelios.com
Fri Sep 9 10:13:48 UTC 2016


Yes, I have followed 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html 
to the letter.
The only reason I had to recreate the cacert.p12 file is that it is 
not renewed automatically in v3, so the cacert.p12 was outdated and the 
CA was throwing a "p12 invalid digest" error.

  * I opened all necessary ports
  * I checked all certs and they are valid for another year


Run connection check to master
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2-server2.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK

Even with a fresh install of CentOS 7 with a different hostname and IP, 
I still get the error below:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
30 seconds
   [1/24]: creating certificate server user
   [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpbMwmp_'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA 
configuration failed.

With debug enabled I get:

ipa         : DEBUG    Starting external process
ipa         : DEBUG    args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpwY8XjR'
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=Log file: 
/var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa         : DEBUG 
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
certificate verification is strongly advised. See: 
https://urllib3.readthedocs.org/en/latest/security.html
   InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain 
user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration 
Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid 
token): line 1, column 0: 
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed 
to obtain installation token from security domain"}


Is there a way to validate the replica .gpg file from a v3 installation 
against a v4.2 FreeIPA installation to check for any errors before going 
through ipa-replica-install?
ipa-replica-install completes if I don't include the --setup-ca flag, 
but I don't want that.
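The pkispawn stderr quoted above buries the CA's actual answer: pkispawn expects XML from the configuration servlet, gets a JSON PKIException instead, and reports only "ParseError: not well-formed", with the real message ("Failed to obtain installation token from security domain") left at the tail of a wrapped line. The script below is an added example, not code from the original post or from FreeIPA/Dogtag; it re-joins the wrapped log records and pulls the JSON body out so the security-domain message and the REST-interface warning can be read directly. The sample stderr embedded in it is constructed to match the lines quoted in the post.

```python
import json
import re
from typing import List, Optional

# Constructed sample input: the pkispawn stderr that ipa-replica-install prints
# with debug enabled, line-wrapped the way the mail archive renders it.
SAMPLE_STDERR = """\
pkispawn    : WARNING  ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
to obtain installation token from security domain"}
"""

# A line that starts a new log record looks like "<logger>   : <LEVEL> ...".
RECORD_START = re.compile(r"^\S+\s*: (DEBUG|INFO|WARNING|ERROR|CRITICAL)\b")


def unwrap_records(text: str) -> List[str]:
    """Re-join log records that were wrapped across several lines.

    Any line that does not start with a logger/level prefix is treated as a
    continuation of the previous record and glued back on with a single space.
    """
    records: List[str] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line.lstrip()
    return records


def extract_pki_exception(text: str) -> Optional[dict]:
    """Return the JSON PKIException body hidden inside pkispawn's ParseError record.

    raw_decode() parses the object starting at the first '{' and ignores
    whatever trailing text follows it, so partial or wrapped lines still work.
    """
    decoder = json.JSONDecoder()
    for rec in unwrap_records(text):
        if "ParseError" not in rec:
            continue
        start = rec.find("{")
        if start < 0:
            continue
        try:
            obj, _ = decoder.raw_decode(rec[start:])
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "Message" in obj:
            return obj
    return None


def security_domain_rest_unavailable(text: str) -> bool:
    """True when pkispawn could not reach the security domain's REST interface."""
    return any(
        "unable to validate security domain" in rec and "Interface not available" in rec
        for rec in unwrap_records(text)
    )


def summarize(text: str) -> List[str]:
    """Reduce the raw stderr to the findings worth reporting."""
    findings: List[str] = []
    if security_domain_rest_unavailable(text):
        findings.append("security domain REST interface unreachable")
    exc = extract_pki_exception(text)
    if exc is not None:
        findings.append(
            f"{exc.get('ClassName')} (HTTP {exc.get('Code')}): {exc.get('Message')}"
        )
    return findings


if __name__ == "__main__":
    # Feed it the stderr block from /var/log/ipareplica-install.log or a
    # pki-ca-spawn log instead of the constructed sample to use it for real.
    for finding in summarize(SAMPLE_STDERR):
        print(finding)
```

Run it against the stderr section of the replica install log; the two findings it prints are the ones to take to the master side (the CA's security domain and its REST interface), rather than the XML ParseError, which is only a symptom of the JSON error body.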