[Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

Giorgos Kafataridis g.kafataridis at nelios.com
Fri Sep 9 12:33:51 UTC 2016


>> Yes, I have followed
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>> to the letter.
>> The only reason I had to recreate the cacert.p12 file is because it is not
>> renewed automatically in v3, so the cacert.p12 was outdated and the CA was
>> throwing an "p12 invalid digest" error.
>>
>>    * I opened all necessary ports
>>    * I checked all certs and they are valid for another year
>>
>>
>> Run connection check to master
>> Check connection from replica to remote master 'ipa-server.nelios':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>    PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>    Kerberos KDC: UDP (88): SKIPPED
>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> Check SSH connection to remote master
>> Execute check on remote master
>> Check connection from master to remote replica 'ipa2-server2.nelios':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos KDC: UDP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    Kerberos Kpasswd: UDP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>
>> Connection from master to replica is OK.
>>
>> Connection check OK
>>
>> Even with a fresh install of CentOS 7 with a different hostname and IP, I
>> still get the error below:
>>
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>     [1/24]: creating certificate server user
>>     [2/24]: configuring certificate server instance
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
>> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
>> returned non-zero exit status 1
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
>> and the following files/directories for more information:
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>>     [error] RuntimeError: CA configuration failed.
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.
>>
>> With debug enabled I get:
>>
>> pa         : DEBUG    Starting external process
>> ipa         : DEBUG    args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
>> ipa         : DEBUG    Process finished, return code=1
>> ipa         : DEBUG    stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
>> Loading deployment configuration from /tmp/tmpwY8XjR.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>
>> Installation failed.
>>
>>
>> ipa         : DEBUG
>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>> certificate verification is strongly advised. See:
>> https://urllib3.readthedocs.org/en/latest/security.html
>>     InsecureRequestWarning)
>> pkispawn    : WARNING  ....... unable to validate security domain user/password
>> through REST interface. Interface not available
>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
>> Server Error: Internal Server Error
>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line
>> 1, column 0:
>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
>> to obtain installation token from security domain"}
>>
>>
>> Is there a way to validate the replica .gpg file from a v3 installation against
>> a v4.2 FreeIPA installation to check for any errors before going through
>> ipa-replica-install?
>> ipa-replica-install completes if I don't include the --setup-ca flag, but I
>> don't want that.
>>
> There is no automatic method to verify the replica file.
>
> Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
> couple lines before and after?
>
>

Contents  of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
accept: [application/json]
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
request format: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
response format: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: SystemConfigService: 
configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: SystemConfigService: 
request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage 
Token, tokenPassword=XXXX, securityDomainType=existingdomain, 
securityDomainUri=https://ipa-server.nelios:443, 
securityDomainName=null, securityDomainUser=admin, 
securityDomainPassword=XXXX, isClone=true, 
cloneUri=https://ipa-server.nelios:443, subsystemName=CA 
ipa2-server2.nelios 8443, p12File=/tmp/ca.p12, p12Password=XXXX, 
hierarchy=root, dsHost=ipa2-server2.nelios, dsPort=389, baseDN=o=ipaca, 
bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, 
secureConn=false, removeData=true, replicateSchema=false, 
masterReplicationPort=7389, cloneReplicationPort=389, 
replicationSecurity=TLS, 
systemCerts=[com.netscape.certsrv.system.SystemCertData at 434a841], 
issuingCA=https://ipa-server.nelios:443, backupKeys=true, 
backupPassword=XXXX, 
backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, 
adminPassword=XXXX, adminEmail=null, adminCertRequest=null, 
adminCertRequestType=null, adminSubjectDN=null, adminName=null, 
adminProfileID=null, adminCert=null, importAdminCert=false, 
generateServerCert=true, external=false, standAlone=false, 
stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, 
authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, 
enableServerSideKeyGen=null, importSharedSecret=null, 
generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, 
createNewDB=true, setupReplication=True, subordinateSecurityDomainNamenull]
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: === Token Panel ===
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: === Security Domain Panel ===
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Joining existing security 
domain
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Resolving security domain 
URLhttps://ipa-server.nelios:443
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: Getting security domain 
cert chain
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Getting old cookie
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Token: null
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Install token is null
[09/Sep/2016:08:22:52][http-bio-8443-exec-3]: Failed to obtain 
installation token from security domain

I assume the null token is the perpetrator? If yes, what should I fix
on the master?



