Hi,

On Fri, Dec 9, 2011 at 09:24, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> On Thu, Dec 8, 2011 at 13:29, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> I just tried to add a CA replica to my IPA replica (Both Fedora 15)
>>>> using:
>>>>
>>>> ipa-ca-install replica-info-ohm.gpg
>>>>
>>>> It proceeds to configure the directory server for the CA, but fails
>>>> when 'configuring certificate server':
>>>>
>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>> [1/11]: creating certificate server user
>>>> [2/11]: creating pki-ca instance
>>>> [3/11]: configuring certificate server instance
>>>> root : CRITICAL failed to configure ca instance Command
>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>>>> 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
>>>> '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>>>> 'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>>>> 'root@localhost' '-admin_password' XXXXXXXX '-agent_name'
>>>> 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
>>>> '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
>>>> 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
>>>> Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
>>>> 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
>>>> 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
>>>> '-subsystem_name' 'pki-cad' '-token_name' 'internal'
>>>> '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
>>>> '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
>>>> '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
>>>> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
>>>> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
>>>> 'https://curie.example.com:443'' returned non-zero exit status 255
>>>> creation of replica failed: Configuration of CA failed
>>>>
>>>> Some errors from /var/log/ipareplica-ca-install.log
>>>>
>>>> Error in DomainPanel(): updateStatus value is null
>>>> ERROR: ConfigureCA: DomainPanel() failure
>>>> ERROR: unable to create CA
>>>>
>>>> File "/usr/sbin/ipa-ca-install", line 156, in <module>
>>>> main()
>>>>
>>>> File "/usr/sbin/ipa-ca-install", line 141, in main
>>>> (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca
>>>> subject_base=config.subject_base)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>>>> self.start_creation("Configuring certificate server", 210)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>>>> method()
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance
>>>> raise RuntimeError('Configuration of CA failed')
>>>>
>>>> Anyone have any ideas?
>>>
>>> /var/log/pki-ca/debug probably has more details.
>>
>> This file contains the following errors:
>>
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08 12:24:40 EST 2011 id=caGetStatus time=32
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
>> [08/Dec/2011:12:24:40][http-9445-2]: panel no=3
>> [08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
>> [08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
>> [08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type org.apache.catalina.connector.ResponseFacade
>> [08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type org.apache.catalina.connector.RequestFacade
>
> I'll point the dogtag guys at this to see if they notice anything.
>
>>> This might also be ticket https://fedorahosted.org/freeipa/ticket/2148
>>
>> The script passes the port-check, so it doesn't look like it's the
>> issue mentioned. Is there a workaround for this issue?
>
> This is different from port-check. Dogtag stores the security domain
> information in its LDAP database. When creating a replica (or clone, in
> dogtag lingo) it compares the ports being requested with what is stored in
> the security domain and will reject if they don't match. Look for invalid
> clone_uri in the debug log to see if this is the problem.

There's no mention of clone_uri anywhere in the debug log.

Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
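The two checks the thread walks through by hand (grepping /var/log/pki-ca/debug for the SAXParseException around pingCS, and Rob's suggestion to look for "invalid clone_uri" as the sign of a security-domain port mismatch) can be scripted. The Python below is an added example for this thread; it is not FreeIPA or Dogtag code. It assumes the debug-log line shape exactly as Dan quoted it (`[timestamp][thread]: message`), the sample log lines and the trimmed `pkisilent` command are constructed from the quoted text, and `check_clone_args` is only a local sanity check of the `-clone_uri` / `-sd_hostname` / `-sd_admin_port` arguments passed to `pkisilent`, not a query of the security domain stored in Dogtag's LDAP database (which is where the real comparison Rob describes happens).

```python
import re
import shlex
from urllib.parse import urlsplit

# pki-ca debug log line shape, taken from the lines quoted in the thread:
#   [08/Dec/2011:12:24:40][http-9445-2]: <message>
DEBUG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
SAX_DETAIL = re.compile(r"SAXParseException; lineNumber: (\d+); columnNumber: (\d+); (.*)$")

# Constructed sample, modelled on Dan's /var/log/pki-ca/debug excerpt.
SAMPLE_DEBUG_LOG = """\
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
"""

# Constructed pkisilent invocation, trimmed to the clone/security-domain flags
# from the thread (passwords and the certificate subject flags omitted).
SAMPLE_PKISILENT_CMD = (
    "/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ohm.example.com -cs_port 9445 "
    "-clone true -clone_p12_file ca.p12 -sd_hostname curie.example.com -sd_admin_port 443 "
    "-sd_admin_name admin -clone_start_tls true -clone_uri https://curie.example.com:443"
)


def parse_debug_log(text):
    """Split a pki-ca debug log into (timestamp, thread, message) records."""
    return [m.groupdict() for m in map(DEBUG_LINE.match, text.splitlines()) if m]


def triage_debug_log(text):
    """Flag the three things the thread looks for in the debug log."""
    report = {"xml_parse_errors": [], "admin_ping_failures": [], "invalid_clone_uri": []}
    for entry in parse_debug_log(text):
        msg = entry["msg"]
        sax = SAX_DETAIL.search(msg)
        if sax:
            # A SAX error at line 1 means the security-domain admin port
            # answered with something that is not the XML the wizard expects.
            report["xml_parse_errors"].append({
                "thread": entry["thread"],
                "line": int(sax.group(1)),
                "column": int(sax.group(2)),
                "reason": sax.group(3).strip(),
            })
        if "no successful response" in msg:
            report["admin_ping_failures"].append(msg)
        if "invalid clone_uri" in msg:  # the marker Rob asks to look for
            report["invalid_clone_uri"].append(msg)
    return report


def parse_pkisilent_args(cmd):
    """Turn '-flag value' pairs of a pkisilent command line into a dict."""
    argv = shlex.split(cmd)
    args, i = {}, 0
    while i < len(argv):
        if argv[i].startswith("-") and i + 1 < len(argv):
            args[argv[i][1:]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return args


def check_clone_args(args):
    """Local pre-check: clone_uri must agree with sd_hostname/sd_admin_port."""
    problems = []
    if args.get("clone") != "true":
        return problems
    uri = urlsplit(args.get("clone_uri", ""))
    if uri.scheme != "https":
        problems.append("clone_uri %r is not https" % args.get("clone_uri"))
    if uri.hostname != args.get("sd_hostname"):
        problems.append("clone_uri host %r != sd_hostname %r"
                        % (uri.hostname, args.get("sd_hostname")))
    port = str(uri.port if uri.port is not None else 443)
    if port != args.get("sd_admin_port"):
        problems.append("clone_uri port %s != sd_admin_port %r"
                        % (port, args.get("sd_admin_port")))
    return problems


if __name__ == "__main__":
    for key, hits in triage_debug_log(SAMPLE_DEBUG_LOG).items():
        print("%-20s %d" % (key, len(hits)))
    print("clone arg problems:", check_clone_args(parse_pkisilent_args(SAMPLE_PKISILENT_CMD)))
```

Run against the constructed sample it reports two XML parse errors, one failed admin-port ping and no "invalid clone_uri" line, which matches Dan's reply: the parse failures are there, the clone_uri marker is not, and the command line's `clone_uri` is consistent with `sd_hostname` and `sd_admin_port`. Point `triage_debug_log` at the real file contents to repeat the check on another install.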