On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Tuesday, December 09, 2014 3:49 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>
> > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > Does anyone have any ideas on the below errors when trying to add CA
> > > replication to an existing replica?
> >
> > People who might be able to help are on PTO right now.
> >
> > Is your installation older than 2 years?
>
> No, December 2013 was when it was originally built.
>
> > Did you generate a new replica package or use the original one?
>
> I used the original replica file for serverb, based on instructions I
> came across. I can try regenerating the replica file.
>
> Interestingly, now that you mention it, servera had to be restored a
> couple of months back. Perhaps this is an issue and regenerating the
> replica file for serverb will be required.
>
> I will try this.
I think that this is a safe bet to be the problem.

The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in
the replica. Perhaps the certs changed -- or the DM password changed?

Ade

> > Maybe the problem is that the cert that is in that package already
> > expired?
>
> Original replica file was created on Dec 16 2013. Cert is not set to
> expire until 2015-12-17.
>
> > Just a thought...
> >
> > The simplest workaround IMO would be to prepare Server C, install it
> > with CA and then decommission replica B.
> >
> > Do not forget to clean replication agreements on master.
> >
> > But that would be a workaround; it would not solve this specific
> > problem, it will kill it.
>
> I actually do have serverc and serverd. I planned to have CA
> replication on at least 2 other servers, but held off on trying on
> serverc due to issues with serverb.
>
> I'll report back what I find after regenerating the replica file and
> re-trying to set up CA replication.
>
> Thanks,
>
> Les
>
> > > Thanks in advance,
> > >
> > > Les
> > >
> > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> > > Sent: Tuesday, 2 December 2014 6:17 PM
> > > To: freeipa-users@redhat.com
> > > Subject: [Freeipa-users] CA Replication Installation Failing
> > >
> > > Hi All,
> > >
> > > I have RHEL6 with ipa servers running standard ipa server 3.0.0-42.
> > > Pki components are also standard version 9.0.3-38.
> > >
> > > Servera is the master
> > > Serverb is the replica
> > >
> > > Both have been running for many, many months. Serverb was initially
> > > set up as a replica, but not a CA replica.
> > >
> > > I am now trying to add CA Replication to serverb but it is failing
> > > midway through and I cannot figure out why.
> > > Annoyingly, I used the same method/command to set up a CA replica on
> > > test servers and it completed without issue.
> > >
> > > Here is what I get... (for the sake of brevity, I am excluding the
> > > lines for connection check which were all OK)
> > >
> > > =================
> > > /usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
> > > Directory Manager (existing master) password:
> > >
> > > Get credentials to log in to remote master
> > > ad...@mydomain.com password:
> > >
> > > Execute check on remote master
> > > Connection check OK
> > > Configuring directory server for the CA (pkids): Estimated time 30 seconds
> > >   [1/3]: creating directory server user
> > >   [2/3]: creating directory server instance
> > >   [3/3]: restarting directory server
> > > Done configuring directory server for the CA (pkids).
> > > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> > >   [1/16]: creating certificate server user
> > >   [2/16]: creating pki-ca instance
> > >   [3/16]: configuring certificate server instance
> > > ipa : CRITICAL failed to configure ca instance Command
> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > > serverb.mydomain.com -cs_port 9445
> > > -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd XXXXXXXX
> > > -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin
> > > -admin_email root@localhost -admin_password XXXXXXXX -agent_name
> > > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > > -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host
> > > serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager
> > > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
> > > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> > > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM
> > > -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM
> > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM
> > > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM
> > > -external false -clone true -clone_p12_file ca.p12
> > > -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com
> > > -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX
> > > -clone_start_tls true -clone_uri https://servera.mydomain.com:443'
> > > returned non-zero exit status 255
> > >
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > Configuration of CA failed
> > > =================
> > >
> > > Additional excerpt from the log file /var/log/ipareplica-ca-install.log
> > > at the point of failure...
> > >
> > > =================
> > >
> > > #############################################
> > > Attempting to connect to: serverb.mydomain.com:9445
> > > Connected.
> > > Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
> > > RESPONSE STATUS: HTTP/1.1 200 OK
> > > RESPONSE HEADER: Server: Apache-Coyote/1.1
> > > RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> > > RESPONSE HEADER: Date: Tue, 02 Dec 2014 05:44:19 GMT
> > > RESPONSE HEADER: Connection: close
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!-- BEGIN COPYRIGHT BLOCK
> > >      This program is free software; you can redistribute it and/or modify
> > >      it under the terms of the GNU General Public License as published by
> > >      the Free Software Foundation; version 2 of the License.
> > >
> > >      This program is distributed in the hope that it will be useful,
> > >      but WITHOUT ANY WARRANTY; without even the implied warranty of
> > >      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > >      GNU General Public License for more details.
> > >
> > >      You should have received a copy of the GNU General Public License along
> > >      with this program; if not, write to the Free Software Foundation, Inc.,
> > >      51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> > >
> > >      Copyright (C) 2007 Red Hat, Inc.
> > >      All rights reserved.
> > >      END COPYRIGHT BLOCK -->
> > > <response>
> > > <panel>admin/console/config/restorekeycertpanel.vm</panel>
> > > <res/>
> > > <updateStatus>failure</updateStatus>
> > > <password/>
> > > <errorString>The pkcs12 file is not correct.</errorString>
> > > <size>19</size>
> > > <title>Import Keys and Certificates</title>
> > > <panels>
> > > <Vector>
> > > <Panel>
> > > <Id>welcome</Id>
> > > <Name>Welcome</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>module</Id>
> > > <Name>Key Store</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>confighsmlogin</Id>
> > > <Name>ConfigHSMLogin</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>securitydomain</Id>
> > > <Name>Security Domain</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>securitydomain</Id>
> > > <Name>Display Certificate Chain</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>subsystem</Id>
> > > <Name>Subsystem Type</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>clone</Id>
> > > <Name>Display Certificate Chain</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>restorekeys</Id>
> > > <Name>Import Keys and Certificates</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>cahierarchy</Id>
> > > <Name>PKI Hierarchy</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>database</Id>
> > > <Name>Internal Database</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>size</Id>
> > > <Name>Key Pairs</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>subjectname</Id>
> > > <Name>Subject Names</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>certrequest</Id>
> > > <Name>Requests and Certificates</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>backupkeys</Id>
> > > <Name>Export Keys and Certificates</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>savepk12</Id>
> > > <Name>Save Keys and Certificates</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>importcachain</Id>
> > > <Name>Import CA's Certificate Chain</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>admin</Id>
> > > <Name>Administrator</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>importadmincert</Id>
> > > <Name>Import Administrator's Certificate</Name>
> > > </Panel>
> > > <Panel>
> > > <Id>done</Id>
> > > <Name>Done</Name>
> > > </Panel>
> > > </Vector>
> > > </panels>
> > > <name>CA Setup Wizard</name>
> > > <p>7</p>
> > > <path/>
> > > <req/>
> > > <panelname>restorekeys</panelname>
> > > </response>
> > > Error in RestoreKeyCertPanel(): updateStatus returns failure
> > > ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> > > ERROR: unable to create CA
> > >
> > > #######################################################################
> > > 2014-12-02T05:44:19Z DEBUG stderr=
> > > 2014-12-02T05:44:19Z CRITICAL failed to configure ca instance
> > > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > > serverb.mydomain.com -cs_port 9445
> > > -client_certdb_dir /tmp/tmp-1Tqws5 -client_certdb_pwd XXXXXXXX
> > > -preop_pin rdkE0y2CiGMKNcRRPKKc -domain_name IPA -admin_user admin
> > > -admin_email root@localhost -admin_password XXXXXXXX -agent_name
> > > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > > -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host
> > > serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager
> > > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
> > > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> > > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM
> > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM
> > > -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM
> > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM
> > > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM
> > > -external false -clone true -clone_p12_file ca.p12
> > > -clone_p12_password XXXXXXXX -sd_hostname servera.mydomain.com
> > > -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX
> > > -clone_start_tls true -clone_uri https://servera.mydomain.com:443'
> > > returned non-zero exit status 255
> > >
> > > 2014-12-02T05:44:19Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
> > >     return_value = main_function()
> > >
> > >   File "/usr/sbin/ipa-ca-install", line 149, in main
> > >     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
> > >
> > >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1626, in install_replica_ca
> > >     subject_base=config.subject_base)
> > >
> > >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
> > >     self.start_creation(runtime=210)
> > >
> > >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
> > >     method()
> > >
> > >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
> > >     raise RuntimeError('Configuration of CA failed')
> > >
> > > 2014-12-02T05:44:19Z INFO The ipa-ca-install command failed, exception: RuntimeError: Configuration of CA failed
> > > =================
> > >
> > > I am not sure why this is happening.
> > >
> > > Certutil shows that the setup isn't complete on serverb when
> > > comparing against the CA replica in my test servers which were
> > > successful.
> > >
> > > # certutil -L -d /var/lib/pki-ca/alias
> > >
> > > Certificate Nickname                                         Trust Attributes
> > >                                                              SSL,S/MIME,JAR/XPI
> > >
> > > Certificate Authority - MYDOMAIN.COM                         CT,c,
> > > Server-Cert cert-pki-ca                                      CTu,Cu,Cu
> > >
> > > # certutil -K -d /var/lib/pki-ca/alias
> > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> > > Enter Password or Pin for "NSS Certificate DB":
> > > < 0> rsa      ef25de4fb656a27e297899509bc3dad582bcd643   NSS Certificate DB:Server-Cert cert-pki-ca
> > >
> > > As yet, I have not tried "/usr/sbin/ipa-server-install --uninstall"
> > > in an attempt to clean up as this is a production server and apart
> > > from CA replication, it is running fine. I have tried multiple times
> > > manually removing pki instances and reinstalling but it still won't
> > > get past the above error.
> > >
> > > Can anyone shed any light on this?
> > >
> > > Thanks in advance,
> > >
> > > Les
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
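The pre-flight check that Ade's diagnosis suggests, as an added example that is not from this thread or from the FreeIPA/Dogtag projects: before re-running ipa-ca-install, confirm that the PKCS#12 carried in the replica file still decodes with the password the clone tool will be given and still holds the CA certificate the master currently uses, so that "The pkcs12 file is not correct" is caught before the installer is half-way through. It assumes the openssl CLI; the key, certificate and ca.p12 are constructed throwaway sample input, the password "secret" and the EXPECTED fingerprint are placeholders standing in for the real password and for the master's current CA certificate, and the check_p12 function is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA/Dogtag). Requires the
# openssl CLI. Constructed sample input: a throwaway self-signed "CA"
# exported to PKCS#12 with the placeholder password "secret".
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/ca.key" \
  -name "caSigningCert cert-pki-ca" -passout pass:secret -out "$WORK/ca.p12"
# Fingerprint of the CA certificate the master trusts today. Placeholder:
# on a real master this comes from the CA's own certificate store, never
# from the replica file that is being checked.
EXPECTED=$(openssl x509 -in "$WORK/ca.crt" -noout -fingerprint -sha256 | cut -d= -f2)

# check_p12 FILE PASSWORD EXPECTED_SHA256_FINGERPRINT
# Prints one verdict (undecodable | expired | mismatch | ok); returns 0 only for ok.
check_p12() {
  # Wrong password, truncated or corrupt file: the same failure the clone
  # wizard reports as "The pkcs12 file is not correct".
  cert=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null) \
    || { echo undecodable; return 1; }
  # A bundled certificate that has already expired cannot seed a clone either.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
    || { echo expired; return 1; }
  # A master restored from backup may now run a different CA certificate
  # than the one packaged months ago; then the replica file must be regenerated.
  actual=$(printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
  [ "$actual" = "$3" ] || { echo mismatch; return 1; }
  echo ok
}

for pw in secret wrong-password; do
  printf '%-16s -> ' "$pw"; check_p12 "$WORK/ca.p12" "$pw" "$EXPECTED" || :
done
```

On a real replica file the ca.p12 is extracted from the GPG-encrypted tarball that ipa-replica-prepare produced; the verdicts are the same.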