Hi,
I have successfully configured one IPA replica; now I'm trying to
configure a second replica, but I'm not having much success. I've
attached the output of ipa-replica-install -d. I get as far as "[4/11]:
configuring certificate server instance". The machine is configured in
the same way as the first 2 machines. They are all F15, updated with all
available packages from the official repos.
The installation fails when it's trying to connect to the dogtag server
on the ipa replica it's just configured, with an "Invalid clone_uri"
message. (See the attached file for details.)
I'm not sure where to start looking. The only difference from the first 2
IPA servers is that this server is located on another subnet,
over a site-to-site VPN connection.
Any suggestions as to what might be wrong?
Rgds,
Siggi
root : DEBUG [4/11]: configuring certificate server instance
[4/11]: configuring certificate server instance
root : DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA
-cs_hostname ipa03.ix.test.com -cs_port 9445 -client_certdb_dir /tmp/tmp-wAosPS
-client_certdb_pwd 'XXXXXXXX' -preop_pin AuVgVftQywtXPkiYKppu -domain_name IPA
-admin_user admin -admin_email root@localhost -admin_password 'XXXXXXXX'
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject "CN=ipa-ca-agent,O=IX.test.COM" -ldap_host
ipa03.ix.test.com -ldap_port 7389 -bind_dn "cn=Directory Manager"
-bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048
-key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
'XXXXXXXX' -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IX.test.COM"
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IX.test.COM"
-ca_server_cert_subject_name "CN=ipa03.ix.test.com,O=IX.test.COM"
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=IX.test.COM"
-ca_sign_cert_subject_name "CN=Certificate Authority,O=IX.test.COM" -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX'
-sd_hostname ipa01.ix.test.com -sd_admin_port 9445 -sd_admin_name admin
-sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri
https://ipa01.ix.test.com:9444
root : DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-wAosPS
tokenpwd:XXXXXXXX
#############################################
Attempting to connect to: ipa03.ix.test.com:9445
in TestCertApprovalCallback.approve()
Peer cert details:
subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
issuer: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
serial: 0
item 1 reason=-8156 depth=1
cert details:
subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
issuer: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
serial: 0
item 2 reason=-8172 depth=1
cert details:
subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
issuer: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
serial: 0
importing certificate.
Connected.
Posting Query =
https://ipa03.ix.test.com:9445//ca/admin/console/config/login?pin=AuVgVftQywtXPkiYKppu&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Set-Cookie: JSESSIONID=5437708C678FDD32C9ED6B488D9236CC;
Path=/ca; Secure
RESPONSE HEADER: Location:
https://ipa03.ix.test.com:9445/ca/admin/console/config/wizard
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:22 GMT
RESPONSE HEADER: Connection: keep-alive
xml returned:
cookie list: JSESSIONID=5437708C678FDD32C9ED6B488D9236CC; Path=/ca; Secure
#############################################
Attempting to connect to: ipa03.ix.test.com:9445
Connected.
Posting Query =
https://ipa03.ix.test.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:22 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/modulepanel.vm</panel>
<res/>
<showApplyButton/>
<status>display</status>
<subpanelno>2</subpanelno>
<sms>
<Vector>
<Module>
<CommonName>NSS Internal PKCS #11 Module</CommonName>
<UserFriendlyName>NSS Internal PKCS #11 Module</UserFriendlyName>
<ImagePath>../img/clearpixel.gif</ImagePath>
</Module>
<Module>
<CommonName>nfast</CommonName>
<UserFriendlyName>nCipher's nFast Token Hardware
Module</UserFriendlyName>
<ImagePath>../img/clearpixel.gif</ImagePath>
</Module>
<Module>
<CommonName>lunasa</CommonName>
<UserFriendlyName>SafeNet's LunaSA Token Hardware
Module</UserFriendlyName>
<ImagePath>../img/clearpixel.gif</ImagePath>
</Module>
</Vector>
</sms>
<errorString/>
<size>19</size>
<title>Key Store</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<p>1</p>
<name>CA Setup Wizard</name>
<oms>
<Vector/>
</oms>
<defTok>Internal Key Storage Token</defTok>
<req/>
<panelname>module</panelname>
</response>
Sleeping for 5 secs..
#############################################
Attempting to connect to: ipa03.ix.test.com:9445
Connected.
Posting Query =
https://ipa03.ix.test.com:9445//ca/admin/console/config/wizard?p=1&op=next&xml=true&choice=Internal+Key+Storage+Token
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:28 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<response>
<machineName>ipa03.ix.test.com</machineName>
<panel>admin/console/config/securitydomainpanel.vm</panel>
<res/>
<showApplyButton/>
<initCommand>/sbin/service pki-cad</initCommand>
<sdomainName>Ixtest Domain</sdomainName>
<sdomainURL>https://ipa03.ix.test.com:9445</sdomainURL>
<http_ee_port>9180</http_ee_port>
<systemname>CA</systemname>
<title>Security Domain</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<sdomainAdminURL>https://ipa03.ix.test.com:9445</sdomainAdminURL>
<check_existingdomain/>
<name>CA Setup Wizard</name>
<https_ee_port>9444</https_ee_port>
<https_admin_port>9445</https_admin_port>
<panelname>securitydomain</panelname>
<https_agent_port>9443</https_agent_port>
<cstype>CA</cstype>
<instanceId><security_domain_instance_name></instanceId>
<errorString/>
<size>19</size>
<p>3</p>
<check_newdomain>checked</check_newdomain>
<req/>
<wizardname>CA Setup Wizard</wizardname>
</response>
Sleeping for 5 secs..
#############################################
Attempting to connect to: ipa03.ix.test.com:9445
Connected.
Posting Query =
https://ipa03.ix.test.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fipa01.ix.test.com%3A9445&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:33 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<response>
<panel>admin/console/config/securitydomainpanel.vm</panel>
<https_agent_port>9443</https_agent_port>
<machineName>ipa03.ix.test.com</machineName>
<res/>
<cstype>CA</cstype>
<initCommand>/sbin/service pki-cad</initCommand>
<instanceId><security_domain_instance_name></instanceId>
<sdomainURL>https://ipa03.ix.test.com:9445</sdomainURL>
<sdomainName/>
<http_ee_port>9180</http_ee_port>
<errorString>Error: Failed to get certificate chain.</errorString>
<size>19</size>
<title>Security Domain</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<sdomainAdminURL>https://ipa03.ix.test.com:9445</sdomainAdminURL>
<p>3</p>
<name>CA Setup Wizard</name>
<check_existingdomain>checked</check_existingdomain>
<https_ee_port>9444</https_ee_port>
<check_newdomain/>
<https_admin_port>9445</https_admin_port>
<req/>
<panelname>securitydomain</panelname>
</response>
ERROR: Tag=sdomainNamehas no values
sdomainname=null
Sleeping for 5 secs..
#############################################
Attempting to connect to: ipa03.ix.test.com:9445
Connected.
Posting Query =
https://ipa03.ix.test.com:9445//ca/admin/console/config/wizard?p=4&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Location:
https://ipa01.ix.test.com:9445/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Fipa03.ix.test.com%3A9445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:38 GMT
RESPONSE HEADER: Connection: keep-alive
#############################################
Attempting to connect to: ipa01.ix.test.com:9445
in TestCertApprovalCallback.approve()
Peer cert details:
subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
issuer: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
serial: 0
item 1 reason=-12276 depth=0
cert details:
subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
issuer: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
serial: 0
Connected.
Posting Query =
https://ipa01.ix.test.com:9445//ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Fipa03.ix.test.com%3A9445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:38 GMT
RESPONSE HEADER: Connection: close
#############################################
Attempting to connect to: ipa01.ix.test.com:9445
Connected.
Posting Query =
https://ipa01.ix.test.com:9445//ca/admin/ca/getCookie?uid=admin&pwd=XXXXXXXX&url=https%3A%2F%2Fipa03.ix.test.com%3A9445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: text/html
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:38 GMT
RESPONSE HEADER: Connection: close
SUBCA_SESSION_ID=null
SUBCA_URL=https://ipa03.ix.test.com:9445/ca/admin/console/config/wizard?p=5&subsystem=CA
#############################################
Attempting to connect to: ipa03.ix.test.com:9445
Connected.
Posting Query =
https://ipa03.ix.test.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=null&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Date: Mon, 13 Jun 2011 12:27:38 GMT
RESPONSE HEADER: Connection: close
Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA
#######################################################################
root : DEBUG stderr=java.lang.Exception: Invalid clone_uri
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:384)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)
root : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname ipa03.ix.test.com -cs_port 9445
-client_certdb_dir /tmp/tmp-wAosPS -client_certdb_pwd 'XXXXXXXX' -preop_pin
AuVgVftQywtXPkiYKppu -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
"CN=ipa-ca-agent,O=IX.test.COM" -ldap_host ipa03.ix.test.com -ldap_port 7389
-bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IX.test.COM"
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IX.test.COM"
-ca_server_cert_subject_name "CN=ipa03.ix.test.com,O=IX.test.COM"
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=IX.test.COM"
-ca_sign_cert_subject_name "CN=Certificate Authority,O=IX.test.COM" -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX'
-sd_hostname ipa01.ix.test.com -sd_admin_port 9445 -sd_admin_name admin
-sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri
https://ipa01.ix.test.com:9444' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed
root : DEBUG Configuration of CA failed
File "/usr/sbin/ipa-replica-install", line 543, in <module>
main()
File "/usr/sbin/ipa-replica-install", line 486, in main
(CA, cs) = install_ca(config)
File "/usr/sbin/ipa-replica-install", line 186, in install_ca
subject_base=config.subject_base)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
557, in configure_instance
self.start_creation("Configuring certificate server", 360)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
289, in start_creation
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
696, in __configure_instance
raise RuntimeError('Configuration of CA failed')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@ipa03 ~]#
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
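Added triage example; this is editorial code, not part of the post above and not FreeIPA or Dogtag code. The three "reason=" codes in the pasted pkisilent output are NSS error numbers: -8156 is SEC_ERROR_CA_CERT_INVALID and -8172 is SEC_ERROR_UNTRUSTED_ISSUER, both expected when the installer first meets the replica's fresh self-signed certificate on ipa03.ix.test.com:9445; -12276 is SSL_ERROR_BAD_CERT_DOMAIN, and it is raised on the connection to ipa01.ix.test.com:9445, where the peer certificate shown in the output has subject CN=ipa03.ix.test.com rather than the security-domain CA's name. Before going deeper into the configuration wizard, a practitioner would want to confirm which host actually answers on that name and port from the new replica, since the clone install trusts whatever answers there as its security domain. The script below parses the "Attempting to connect to" / approval-callback lines from an ipa-replica-install -d log, flags every connection whose certificate CN differs from the name dialled, and maps the codes to their NSS names. The embedded sample log is a constructed condensation of the output above (same hostnames, ports and codes); `resolve_all` is a network helper for the follow-up check and is not exercised offline.

```python
"""Triage helper for pkisilent/ConfigureCA debug output (example, not FreeIPA code)."""
import re
import socket

# NSS error codes that TestCertApprovalCallback prints as "reason=<code>".
# Names are the standard NSS constants for these values.
NSS_ERRORS = {
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8156: "SEC_ERROR_CA_CERT_INVALID",
    -12276: "SSL_ERROR_BAD_CERT_DOMAIN",
}

CONNECT_RE = re.compile(r"Attempting to connect to:\s*(?P<host>[^:\s]+):(?P<port>\d+)")
SUBJECT_RE = re.compile(r"^\s*subject:\s*CN=(?P<cn>[^,]+)")
REASON_RE = re.compile(r"reason=(?P<code>-?\d+)\s+depth=(?P<depth>\d+)")


def parse_connections(log_text):
    """One record per 'Attempting to connect to' block: the host:port dialled,
    the CN of the first certificate the peer presented (None when pkisilent
    reused an already-approved cert and printed none), and the NSS reason codes
    the approval callback raised for it."""
    records = []
    current = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = {"host": m.group("host"), "port": int(m.group("port")),
                       "peer_cn": None, "reasons": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = SUBJECT_RE.match(line)
        if m and current["peer_cn"] is None:
            current["peer_cn"] = m.group("cn").strip()
            continue
        m = REASON_RE.search(line)
        if m:
            current["reasons"].append(int(m.group("code")))
    return records


def name_mismatches(records):
    """Connections where the certificate CN is not the name we dialled. A clone
    install that talks to the security-domain CA must see that CA's server cert
    here; seeing the new replica's own self-signed cert instead means the name
    or the route did not lead where the installer assumed."""
    return [r for r in records
            if r["peer_cn"] and r["peer_cn"].lower() != r["host"].lower()]


def explain(record):
    """Human-readable one-liner with the NSS names for the reason codes."""
    reasons = ", ".join(NSS_ERRORS.get(c, str(c)) for c in record["reasons"]) or "none"
    return "%s:%d presented CN=%s (NSS reasons: %s)" % (
        record["host"], record["port"], record["peer_cn"], reasons)


def resolve_all(hostnames):
    """Resolve each name from the machine running the install. Two names that
    map to one address is the first thing to rule out over a VPN with split DNS
    or /etc/hosts overrides. Needs network; not used by the offline checks."""
    return {h: socket.gethostbyname(h) for h in hostnames}


# Constructed sample: a condensed copy of the shape of the pasted -d output.
SAMPLE_LOG = """\
Attempting to connect to: ipa03.ix.test.com:9445
in TestCertApprovalCallback.approve()
Peer cert details:
subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
issuer: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
serial: 0
item 1 reason=-8156 depth=1
item 2 reason=-8172 depth=1
Connected.
Attempting to connect to: ipa03.ix.test.com:9445
Connected.
Attempting to connect to: ipa01.ix.test.com:9445
in TestCertApprovalCallback.approve()
Peer cert details:
subject: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
issuer: CN=ipa03.ix.test.com,O=2011-06-13 14:26:29
serial: 0
item 1 reason=-12276 depth=0
Connected.
"""

if __name__ == "__main__":
    for rec in name_mismatches(parse_connections(SAMPLE_LOG)):
        print("MISMATCH:", explain(rec))
    # Live follow-up on the replica being installed (needs network):
    # print(resolve_all(["ipa01.ix.test.com", "ipa03.ix.test.com"]))
```

Run it against the saved output of `ipa-replica-install -d` by replacing SAMPLE_LOG with the file contents; any line it prints names a host whose TLS endpoint is not the one the installer thinks it is talking to, which is worth settling (DNS, /etc/hosts, VPN routing or NAT between the subnets) before retrying the CA clone.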