[Freeipa-users] Clone URI does not match available subsystems ?

Jack Eidsness jack.eidsness at zayo.com
Tue May 9 20:45:06 UTC 2017


I'm hoping to get a lead on this issue from a few months back - I work
with John. Maybe a more narrow question will get us somewhere. When
ipa-ca-install is comparing the URI in the .gpg file to the "available
subsystems", what does that mean? How do I know what the correct URLs for
my "available subsystems" actually are? I reviewed the logs, and the site &
port seem like they're probably right to me, unless they need a more
specific path or something. Maybe it could be having trouble
authenticating? I don't know why that would be.

Is it safe to decrypt the .gpg file, re-encrypt it, and try running it
again, if I knew what edits to make to the URI?

-Jack Eidsness




> ------------------------------
>
>    - *From*: John Bowman <john bowman zayo com>
>    - *To*: freeipa-users redhat com
>    - *Subject*: [Freeipa-users] Clone URI does not match available
>    subsystems ?
>    - *Date*: Wed, 17 Aug 2016 10:41:38 -0500
>
> ------------------------------
> Howdy!
>
> Trying to figure out how to get past the error:  Clone URI does not match
> available subsystems when running ipa-ca-install on new ipa server.
>
> A little background.  We have 3 FreeIPA 3.0.0 servers running on RHEL
> 6.7.  We just recently (within the last month) added a new FreeIPA 4.2
> server replica running on RHEL 7.2 at a new location which will hopefully
> be the start of replacing all the 3.0.0 instances.
>
> Unfortunately during the 4.2 install the --setup-ca was failing so we
> decided to install without it to make sure everything else worked.  And it
> did; everything seems to be replicating properly and all is good.
>
> Now it's time to add the ca replication to the new server but it's failing
> with that error.
>
> Command output:
> # ipa-ca-install --skip-conncheck /var/lib/ipa/replica-info-new-server.example.com.gpg
> Directory Manager (existing master) password:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/22]: creating certificate server user
>   [2/22]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
>
>
> ipareplica-ca-install.log output:
> 2016-08-17T15:25:52Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160817092533.log
> Loading deployment configuration from /tmp/tmp7cBK9P.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-08-17T15:25:52Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning:
> Unverified HTTPS request is being made. Adding certificate verification is
> strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn    : WARNING  ....... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet:
> 400 Client Error: Bad Request
> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443"}
>
> 2016-08-17T15:25:52Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned non-zero exit status 1
> 2016-08-17T15:25:52Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2016-08-17T15:25:52Z CRITICAL   /var/log/pki-ca-install.log
> 2016-08-17T15:25:52Z CRITICAL   /var/log/pki/pki-tomcat
> 2016-08-17T15:25:52Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 622, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2016-08-17T15:25:52Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2016-08-17T15:25:52Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-ca-install", line 202, in main
>     install_replica(safe_options, options, filename)
>
>   File "/sbin/ipa-ca-install", line 150, in install_replica
>     ca.install(True, config, options)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 114, in install
>     install_step_0(standalone, replica_config, options)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 138, in install_step_0
>     ra_p12=getattr(options, 'ra_p12', None))
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1545, in install_replica_ca
>     subject_base=config.subject_base)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 488, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>     run_step(full_msg, method)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 622, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
>     self.handle_setup_error(e)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2016-08-17T15:25:52Z DEBUG The ipa-ca-install command failed, exception:
> RuntimeError: CA configuration failed.
>
>
> ****
>
> I've tried running the pkispawn command manually by using the
> deployment.cfg file but it gives the same error:
>
> # pkidestroy -s CA -i pki-tomcat
> Log file: /var/log/pki/pki-ca-destroy.20160817093402.log
> Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
> Uninstalling CA from /var/lib/pki/pki-tomcat.
> pkidestroy  : WARNING  ....... this 'CA' entry will NOT be deleted from
> security domain 'unknown'!
> pkidestroy  : ERROR    ....... No security domain defined.
> If this is an unconfigured instance, then that is OK.
> Otherwise, manually delete the entry from the security domain master.
>
> Uninstallation complete.
>
> # /usr/sbin/pkispawn -s CA -f /tmp/replica_file
> Log file: /var/log/pki/pki-ca-spawn.20160817093444.log
> Loading deployment configuration from /tmp/replica_file.
> /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn    : WARNING  ....... unable to validate security domain
> user/password through REST interface. Interface not available
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet:
> 400 Client Error: Bad Request
> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443"}
>
> Installation failed.
>
>
> Any ideas on how to proceed would be much appreciated!
>
> Thanks!
> -John
>

-- 
*Jack Eidsness*
*Developer, NOPSS | Zayo Group*
13861 Sunrise Valley Dr, Herndon, VA 20171
Cell: 301.706.3912 | jack.eidsness at zayo.com
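
Added example (not part of the original post, and not FreeIPA or Dogtag code): in the quoted pkispawn output, the "ParseError: not well-formed" line carries the server's JSON error body, which holds the actual rejection message and the clone URI that was refused. The Python below recovers both from log text that a mail client has quoted and hard-wrapped; the function names and the embedded sample are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: pkispawn error lines in the form they take after a mail
# client has quoted them with "> " and hard-wrapped them mid-token.
SAMPLE = """\
> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet:
> 400 Client Error: Bad Request
> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid
> token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName"
> :"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone
> URI does not match available subsystems: https://master.idm
> .example.com:443 <https://master.idm.example.com/>"}
"""


def extract_server_error(text):
    """Return the JSON error object embedded after a pkispawn ParseError, or None."""
    # Drop quote markers, then undo the hard wraps by joining with spaces.
    lines = [re.sub(r"^\s*>\s?", "", ln) for ln in text.splitlines()]
    joined = " ".join(lines)
    marker = joined.find("ParseError")
    start = joined.find("{", marker) if marker >= 0 else -1
    if start < 0:
        return None
    try:
        # raw_decode stops at the end of the first JSON value and ignores
        # whatever log text follows it.
        obj, _ = json.JSONDecoder().raw_decode(joined[start:])
    except ValueError:
        return None
    return obj


def clone_uri(message):
    """Split the rejected clone URI out of the server's Message field."""
    _, _, tail = message.partition("subsystems:")
    tail = re.sub(r"<[^>]*>", "", tail)   # mail-client autolink residue
    uri = re.sub(r"\s+", "", tail)        # wraps that fell inside the URI
    parts = urlsplit(uri)
    return {"uri": uri, "scheme": parts.scheme,
            "host": parts.hostname, "port": parts.port}


if __name__ == "__main__":
    err = extract_server_error(SAMPLE)
    print(err["Code"], err["ClassName"])
    print(clone_uri(err["Message"]))
```

The scheme, host and port it returns are the values to compare against the entries the master actually has registered.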