On 07/27/2017 08:29 PM, Mark Haney via FreeIPA-users wrote:

Heh. That's the EXACT SAME error I kept getting whether I ran the install-ca from an existing replica, or when adding a CA while installing a new replica. Glad I'm not the only one seeing such weird errors.

On Thu, Jul 27, 2017 at 12:28 PM, Petros Triantafyllidis via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 07/27/2017 06:06 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 07/27/2017 04:03 PM, Petros Triantafyllidis wrote:
On 07/27/2017 04:17 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 07/27/2017 11:34 AM, Petros Triantafyllidis via FreeIPA-users wrote:
On 07/27/2017 11:13 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote:

Hi all,

I would appreciate any help on my attempt to promote an existing client to a replica. After client installation, I added the replica-to-be to the ipaservers hostgroup and then ran "replica-install --setup-ca", but unfortunately I end up with the errors below. Both master and client have ipa-server-4.4.0-14.el7.centos.7.x86_64.

Thanks in advance,
Petros

_____________________________________________________________________________________________________________

On replica-to-be:

[...]
  Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/26]: creating certificate server user
  [2/26]: creating certificate server db
  [3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
  [4/26]: creating installation admin user
  [5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________

/var/log/ipareplica-install.log

[...]
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca           u,u,u
subsystemCert cert-pki-ca             u,u,u
caSigningCert cert-pki-ca             CTu,Cu,Cu
auditSigningCert cert-pki-ca          u,u,Pu

Installation failed: Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2017-07-27T06:57:54Z DEBUG stderr=
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
2017-07-27T06:57:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-07-27T06:57:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1519, in promote
    ca_cert_bundle=ca_data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1392, in configure_replica
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2017-07-27T06:57:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z ERROR CA configuration failed.
2017-07-27T06:57:54Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________

On master server:

[27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:53:21.525459152 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:53:26.923911503 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)". Sent 719 entries.
[27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:32.746503539 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:53:51.238616755 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:54:30.937398919 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:56:03.537114454 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin - agmt="cn=caTomedea.geo.auth.gr" (medea:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[27/Jul/2017:09:56:06.236968406 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:56:10.494727689 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)". Sent 159 entries.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi Petros,

there is no need to add the replica-to-be to the ipaservers hostgroup, as it will be done automatically during ipa-replica-install.

To diagnose the install issue, can you post the logs relevant to the CA installation? They are:

/var/log/pki/pki-ca-spawn.$TIME_OF_INSTALLATION.log
/var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log
/var/log/pki/pki-tomcat/ca/system
/var/log/pki/pki-tomcat/ca/debug

Flo

Hi Flo,

Thanks for responding. I attach the files as requested. /var/log/pki/pki-tomcat/catalina.$TIME_OF_INSTALLATION.log was empty and therefore excluded.

Regards,
Petros

Hi,

the /var/log/pki-tomcat/ca/debug log shows that the replica Dogtag instance failed to POST https://fidias.geo.auth.gr:443/ca/admin/ca/updateNumberRange

You may find more info on the master's Dogtag log (same file but on the host fidias.geo.auth.gr). The relevant logs would start with
UpdateNumberRange: initializing...
or
CMSServlet:service() uri = /ca/admin/ca/updateNumberRange

HTH,
Flo

I am not sure I understand this and how I am supposed to resolve it.

Indeed, master's apache reports:
"POST /ca/admin/ca/updateNumberRange HTTP/1.1" 500 5478

while the /var/log/pki-tomcat/ca/debug shows the following:

[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='xmlOutput' value='true'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='sessionID' value='1129328291888586443'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet::service() param name='type' value='request'
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: caUpdateNumberRange start to service.
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: processing...
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange process: authentication starts
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: IP: 155.207.61.84
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: AuthMgrName: TokenAuth
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet: no client certificate found
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: start
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: TokenAuthentication: content={hostname=[155.207.61.84], sessionID=[1129328291888586443]}
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: ConfigurationUtils: POST https://fidias.geo.auth.gr:443/ca/admin/ca/tokenAuthenticate

What is so obvious that I can't see? Any hint?

Petros

Hi,

I was looking for any error message between
UpdateNumberRange: processing...
and
UpdateNumberRange: Sending response
or
UpdateNumberRange: Failed to update number range

If I recall well, this is related to assigning ranges of serial IDs for certificates delivered by the replica (each CA instance uses its own range to avoid delivering certificates with the same serial ID on a master or replica).

Flo

Hi again,

Sorry, but I am not sure that I can follow. I can't recognize anything erroneous related to UpdateNumberRange apart from the entries I listed before. From a previous attempt, though, there is also an extra line which might be helpful:

[26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]: UpdateNumberRange: initializing...
[26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]: according to ccMode, authorization for servlet: caUpdateNumberRange is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Jul/2017:12:48:04][ajp-bio-127.0.0.1-8009-exec-11]: UpdateNumberRange: done initializing...

Petros

--
Mark Haney
Network Engineer at NeoNova
919-460-3330 (opt 1) • mark.ha...@neonova.net
www.neonova.net
Hi,

An update to the issue above: Flo's latest reply gave me an idea, and after I disenrolled the replica-to-be, I also revoked all of its certificates that had been created during my previous replica-install attempts. I have no clue whether this action changed anything, but the next replica-install --ca-setup completed without errors.

Thanks anyway,
Petros
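Flo's hint above is to look, on the master's Dogtag debug log, for what happens between "UpdateNumberRange: processing..." and either "Sending response" or "Failed to update number range". The script below is an added example (not from the thread or from FreeIPA/Dogtag) that groups those lines per Tomcat worker thread and reports each updateNumberRange request as ok, failed, or incomplete; the sample log lines and the host master.example.test are constructed, and the failure detail text is a placeholder.

```python
import re
from typing import Any, Dict, List

# One Dogtag debug line: [timestamp][worker thread]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")

START = "UpdateNumberRange: processing..."
OK = "UpdateNumberRange: Sending response"
FAIL = "UpdateNumberRange: Failed to update number range"

# Constructed sample of /var/log/pki/pki-tomcat/ca/debug on the master (not copied
# from the thread): one request that fails, one that succeeds, and one that never
# reaches either end marker before the log ends.
SAMPLE_DEBUG_LOG = """\
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: CMSServlet:service() uri = /ca/admin/ca/updateNumberRange
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: processing...
[27/Jul/2017:09:56:34][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange process: authentication starts
[27/Jul/2017:09:56:35][ajp-bio-127.0.0.1-8009-exec-5]: UpdateNumberRange: Failed to update number range (constructed detail)
[27/Jul/2017:10:02:11][ajp-bio-127.0.0.1-8009-exec-7]: UpdateNumberRange: processing...
[27/Jul/2017:10:02:11][ajp-bio-127.0.0.1-8009-exec-7]: UpdateNumberRange: Sending response
[27/Jul/2017:10:05:40][ajp-bio-127.0.0.1-8009-exec-9]: UpdateNumberRange: processing...
[27/Jul/2017:10:05:40][ajp-bio-127.0.0.1-8009-exec-9]: ConfigurationUtils: POST https://master.example.test:443/ca/admin/ca/tokenAuthenticate
"""


def scan_update_number_range(log_text: str) -> List[Dict[str, Any]]:
    """Group lines per worker thread from 'processing...' to the success or
    failure marker and report each request as ok / failed / incomplete."""
    open_reqs: Dict[str, Dict[str, Any]] = {}
    results: List[Dict[str, Any]] = []

    def close(thread: str, outcome: str) -> None:
        req = open_reqs.pop(thread)
        req["outcome"] = outcome
        results.append(req)

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a line in the debug-log shape
        ts, thread, msg = m.group("ts", "thread", "msg")
        if msg.startswith(START):
            if thread in open_reqs:  # worker reused: its previous request never finished
                close(thread, "incomplete")
            open_reqs[thread] = {"thread": thread, "started": ts, "lines": [msg], "outcome": None}
        elif thread in open_reqs:
            open_reqs[thread]["lines"].append(msg)
            if msg.startswith(OK):
                close(thread, "ok")
            elif msg.startswith(FAIL):
                close(thread, "failed")
    for thread in list(open_reqs):  # log ended mid-request, as in Petros's excerpt
        close(thread, "incomplete")
    return results


if __name__ == "__main__":
    for r in scan_update_number_range(SAMPLE_DEBUG_LOG):
        print(r["started"], r["thread"], r["outcome"], "| last:", r["lines"][-1])
```

An "incomplete" request whose last line is the tokenAuthenticate POST, as in the excerpt above, points at the master's authentication round-trip rather than at the range assignment itself.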