[Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

Petr Vobornik pvoborni at redhat.com
Fri Sep 9 12:06:55 UTC 2016


On 09/09/2016 12:13 PM, Giorgos Kafataridis wrote:
> Yes, I have followed 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html 
> to the letter.
> The only reason I had to recreate the cacert.p12 file is because it is not 
> renewed automatically in v3, so the cacert.p12 was outdated and the CA was 
> throwing an "p12 invalid digest" error.
> 
>   * I opened all necessary ports
>   * I checked all certs and they are valid for another year
> 
> 
> Run connection check to master
> Check connection from replica to remote master 'ipa-server.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
> 
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
> 
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipa2-server2.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
> 
> Connection from master to replica is OK.
> 
> Connection check OK
> 
> Even with a fresh install of centos 7 with different hostname and ip I 
> still get the error below:
> 
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>    [1/24]: creating certificate server user
>    [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' 
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs 
> and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>    [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.
> 
> With debug enabled I get:
> 
> pa         : DEBUG    Starting external process
> ipa         : DEBUG    args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
> ipa         : DEBUG    Process finished, return code=1
> ipa         : DEBUG    stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
> Loading deployment configuration from /tmp/tmpwY8XjR.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into 
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> 
> Installation failed.
> 
> 
> ipa         : DEBUG 
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
> certificate verification is strongly advised. See: 
> https://urllib3.readthedocs.org/en/latest/security.html
>    InsecureRequestWarning)
> pkispawn    : WARNING  ....... unable to validate security domain user/password 
> through REST interface. Interface not available
> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 
> Server Error: Internal Server Error
> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 
> 1, column 0: 
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed 
> to obtain installation token from security domain"}
> 
> 
> Is there a way to validate the replica .gpg file from a v3 installation against 
> a v4.2 freeipa installation to check for any errors before going through the 
> ipa-replica-install?
> The ipa-replica-install completes if I don't include the --setup-ca flag, but I 
> don't want that.
> 

There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug plus a
couple of lines before and after?

-- 
Petr Vobornik
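The debug output quoted above hides the useful part of the failure: pkispawn tried to parse the CA's response as XML (hence "ParseError: not well-formed"), but the server answered with a JSON PKIException whose Message ("Failed to obtain installation token from security domain") is the actual cause. The following triage helper is an added example and is not code from this thread, FreeIPA or Dogtag. It scans captured installer stderr for pkispawn WARNING/ERROR lines, pulls out an embedded exception body, and decodes it as JSON (the field names Code, Message and ClassName are the ones shown in the thread) or, as an assumption about the XML form pkispawn expected, as an XML element with children of the same names. The sample input is constructed from the lines quoted above.

```python
"""Triage an ipa-replica-install debug log where pkispawn failed.

Added example, not part of the original thread or of FreeIPA/Dogtag.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the pkispawn stderr lines quoted in the thread.
SAMPLE_STDERR = """\
pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
"""

# pkispawn log line: "pkispawn    : LEVEL    ....... message"
PKISPAWN_LINE = re.compile(r"^pkispawn\s*:\s*(?P<level>[A-Z]+)\s+\.*\s*(?P<msg>.*)$")


def decode_pki_error(body):
    """Decode a PKIException body into (code, message, class_name).

    JSON is tried first (that is what the server in the thread returned);
    the XML fallback assumes a root element with Code/Message/ClassName
    children, which is an assumption, not a documented schema.
    Returns None when the body is neither.
    """
    body = body.strip()
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return (data.get("Code"), data.get("Message"), data.get("ClassName"))
    except ValueError:
        pass
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    code = root.findtext("Code")
    return (int(code) if code else None, root.findtext("Message"), root.findtext("ClassName"))


def triage(stderr_text):
    """Return one dict per pkispawn WARNING/ERROR line.

    If the line embeds an exception body (first '{' or '<' onwards), the
    decoded (code, message, class_name) tuple is attached under 'decoded'.
    """
    findings = []
    for line in stderr_text.splitlines():
        m = PKISPAWN_LINE.match(line)
        if not m or m.group("level") not in ("WARNING", "ERROR"):
            continue
        entry = {"level": m.group("level"), "msg": m.group("msg"), "decoded": None}
        idx = min((i for i in (line.find("{"), line.find("<")) if i >= 0), default=-1)
        if idx >= 0:
            entry["decoded"] = decode_pki_error(line[idx:])
        findings.append(entry)
    return findings


def root_cause(stderr_text):
    """Return the server-side Message behind the failure, or None if none was embedded."""
    for finding in triage(stderr_text):
        if finding["decoded"] and finding["decoded"][1]:
            return finding["decoded"][1]
    return None


if __name__ == "__main__":
    for finding in triage(SAMPLE_STDERR):
        print(finding["level"], "|", finding["msg"][:70], "|", finding["decoded"])
    print("root cause:", root_cause(SAMPLE_STDERR))
```

Run it against the stderr captured from a failed `ipa-replica-install --setup-ca` (for example the text after `stderr=` in the debug output) and the last line printed is the security-domain message to chase in /var/log/pki/pki-tomcat/ca/debug, rather than the misleading ParseError.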



