Dan Scott wrote:
Hi,
On Thu, Dec 8, 2011 at 13:29, Rob Crittenden<rcrit...@redhat.com> wrote:
Dan Scott wrote:
Hi,
I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:
ipa-ca-install replica-info-ohm.gpg
It proceeds to configure the directory server for the CA, but fails
when 'configuring certificate server':
Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/11]: creating certificate server user
[2/11]: creating pki-ca instance
[3/11]: configuring certificate server instance
root : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_password' XXXXXXXX '-agent_name'
'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
'-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
'-subsystem_name' 'pki-cad' '-token_name' 'internal'
'-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
'-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
'-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed
Some errors from /var/log/ipareplica-ca-install.log
Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA
File "/usr/sbin/ipa-ca-install", line 156, in<module>
main()
File "/usr/sbin/ipa-ca-install", line 141, in main
(CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1136, in install_replica_ca
subject_base=config.subject_base)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 537, in configure_instance
self.start_creation("Configuring certificate server", 210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 248, in start_creation
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 680, in __configure_instance
raise RuntimeError('Configuration of CA failed')
Anyone have any ideas?
/var/log/pki-ca/debug probably has more details.
This file contains the following errors:
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]:
WizardPanelBase::getCertChainUsingSecureAdminPort() -
Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
getCertChainUsingSecureAdminPort: java.io.IOException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
/ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apache.catalina.connector.ResponseFacade
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apache.catalina.connector.RequestFacade
I'll point the dogtag guys at this to see if they notice anything.
This might also be ticket https://fedorahosted.org/freeipa/ticket/2148
The script passes the port-check, so it doesn't look like it's the
issue mentioned. Is there a workaround for this issue?
This is different from port-check. Dogtag stores the security domain
information in its LDAP database. When creating a replica (or clone, in
dogtag lingo) it compares the ports being requested with what is stored
in the security domain and will reject if they don't match. Look for
invalid clone_uri in the debug log to see if this is the problem.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
