Since taking over our FreeIPA environment I've been unable to create a new CA 
replica. After a bunch of failed attempts and upgrades over the last year, I keep 
running into issues. After my latest attempt I noticed something that I had 
not seen before (likely a result of a recent upgrade) and I was wondering if 
this would cause a CA install to fail.

Our env:
3 x ipa-server-3.0.0-51.el6.x86_64
3 x ipa-server-4.4.0-14.el7_3.7.x86_64

2 of the 3.x IPA servers are currently acting as CAs, and I've been trying to 
create a new 4.x CA replica in order to start removing the 3.x IPA servers. 
I've been able to do a simple test with vanilla CentOS 6.9 and 7.3, and it seems 
to work fine as far as I can tell, but when I try it in our environment it 
fails. I noticed this error in one of the logs, and something jumped out at me 
that I had never seen before:

[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security domain
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain info:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DomainInfo>
  <Name>IPA</Name>
  <CAList>
    <CA>
      <Host>ipa-master.domain.tld</Host>
      <SecurePort>443</SecurePort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureAdminPort>443</SecureAdminPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <DomainManager>TRUE</DomainManager>
      <Clone>TRUE</Clone>
      <SubsystemName>pki-cad</SubsystemName>
    </CA>
    <CA>
      <Host>ipa-replica1.domain.tld</Host>
      <SecurePort>443</SecurePort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureAdminPort>443</SecureAdminPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <DomainManager>TRUE</DomainManager>
      <Clone>TRUE</Clone>
      <SubsystemName>pki-cad</SubsystemName>
    </CA>
    <CA>
      <Host>ipa-replica2.domain.tld</Host>
      <SecurePort>443</SecurePort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureAdminPort>443</SecureAdminPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <DomainManager>TRUE</DomainManager>
      <Clone>TRUE</Clone>
      <SubsystemName>pki-cad</SubsystemName>
    </CA>
    <SubsystemCount>3</SubsystemCount>
  </CAList>
  <OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>
  <KRAList><SubsystemCount>0</SubsystemCount></KRAList>
  <RAList><SubsystemCount>0</SubsystemCount></RAList>
  <TKSList><SubsystemCount>0</SubsystemCount></TKSList>
  <TPSList><SubsystemCount>0</SubsystemCount></TPSList>
</DomainInfo>
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using admin interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using agent interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - subject: CN=ipa-master.domain.tld,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML: status=1
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security domain: 2
java.io.IOException: Unable to update security domain: 2


The ipa-master.domain.tld host is one of the current RHEL 6.9 FreeIPA 3.x servers, 
but of the other two listed in that domain.xml, one does not exist (it may at 
some point have been renamed) and the other server is a replica but not a CA 
replica.

Is it possible this bad info would cause a failure when trying to create a new 
CA replica? If so, is it something I can try cleaning up?

Any info would be appreciated.  Thanks!
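One way to check a security domain for stale CA registrations before attempting another CA replica install, as an added example that is not part of the original post or of FreeIPA/Dogtag itself: parse the DomainInfo XML that the installer logs under "domain info" and compare the registered CA hosts against the hosts you know actually run a CA. The sample XML is constructed to match the shape of the domain.xml above, with the same placeholder hostnames; the list of live CA hosts is an assumption you supply.

```python
"""Audit a Dogtag security-domain DomainInfo document for stale CA entries."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the domain.xml in the post (placeholder hosts).
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DomainInfo><Name>IPA</Name><CAList>
<CA><Host>ipa-master.domain.tld</Host><SecurePort>443</SecurePort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica1.domain.tld</Host><SecurePort>443</SecurePort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<CA><Host>ipa-replica2.domain.tld</Host><SecurePort>443</SecurePort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA>
<SubsystemCount>3</SubsystemCount></CAList></DomainInfo>"""


def parse_cas(domain_xml):
    """Return one dict per <CA> entry: host, secure port, manager/clone flags."""
    root = ET.fromstring(domain_xml)
    if root.tag != "DomainInfo":
        raise ValueError("not a DomainInfo document: <%s>" % root.tag)
    cas = []
    for ca in root.iterfind("./CAList/CA"):
        cas.append({
            "host": ca.findtext("Host", "").strip(),
            "port": int(ca.findtext("SecurePort", "0")),
            "manager": ca.findtext("DomainManager", "").upper() == "TRUE",
            "clone": ca.findtext("Clone", "").upper() == "TRUE",
        })
    return cas


def audit(domain_xml, live_ca_hosts):
    """Compare registered CAs against the hosts known to run a CA.

    Returns (stale, missing, count_mismatch): registrations for hosts that no
    longer run a CA, live CAs the domain does not know about, and whether the
    declared SubsystemCount disagrees with the number of <CA> entries present.
    """
    root = ET.fromstring(domain_xml)
    cas = parse_cas(domain_xml)
    registered = {c["host"] for c in cas}
    live = set(live_ca_hosts)
    declared = int(root.findtext("./CAList/SubsystemCount", "-1"))
    return sorted(registered - live), sorted(live - registered), declared != len(cas)


if __name__ == "__main__":
    # Per the post, only ipa-master is a real CA; the other two entries are stale.
    stale, missing, mismatch = audit(SAMPLE_DOMAIN_XML, ["ipa-master.domain.tld"])
    print("stale CA entries:", stale)
    print("live CAs not registered:", missing)
    print("SubsystemCount mismatch:", mismatch)
```

Any host reported as stale is a registration the new clone will try to reconcile with during finalization, so those are the entries worth confirming and cleaning up through the supported security-domain procedure before retrying the install.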
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org