> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 10 December 2014 6:22 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> 
> 
> > -----Original Message-----
> > From: Ade Lee [mailto:a...@redhat.com]
> > Sent: Wednesday, 10 December 2014 5:05 AM
> > To: Les Stott
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> > On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> > >
> > >
> > >
> >
> > > ______________________________________________________________________
> > > From: freeipa-users-boun...@redhat.com
> > > [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> > > [d...@redhat.com]
> > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > To: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > >
> > >
> > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > >
> > > > Does anyone have any ideas on the below errors when trying to add
> > > > CA replication to an existing replica?
> > > >
> > > >
> > >
> > > > People who might be able to help are on PTO right now.
> > > >
> > > > Is your installation older than 2 years?
> > >
> > > No, December 2013 was when it was originally built.
> > >
> > > > Did you generate a new replica package or use the original one?
> > >
> > > I used the original replica file for serverb, based on instructions
> > > I came across. I can try regenerating the replica file.
> > >
> > > Interestingly, now that you mention it, servera had to be restored a
> > > couple of months back. Perhaps this is an issue and regenerating the
> > > replica file for serverb will be required.
> > >
> > > I will try this.
> > >
> >
> > I think that this is a safe bet to be the problem.
> >
> > The error in the log snippet you posted says:
> >
> >  <errorString>The pkcs12 file is not correct.</errorString>
> >
> > This indicates that the clone CA was unable to decode the pkcs12 file
> > in the replica.  Perhaps the certs changed -- or the DM password changed?
> >
> > Ade
> 
> I regenerated the replica file and retried the CA replica setup, but it failed
> at the same point with the same error.
> 
> I am thinking that the next step is to uninstall the ipa replica to clean up,
> remove all traces and re-add it as a replica on serverb.
> 
> I wonder if the cert that it's having an issue with is the one on serverb under
> /etc/ipa/ca.crt which is from Dec 2013.
> 
> I will try that in a couple of days as I have to schedule this work in as it's
> in production.
> 
> Regards,
> 
> Les
> 
> 
> > > > Maybe the problem is that the cert that is in that package
> > > > already expired?
> > >
> > > The original replica file was created on Dec 16 2013. Cert is not set to
> > > expire until 2015-12-17.
> > >
> > > > Just a thought...
> > > >
> > > > The simplest workaround IMO would be to prepare Server C, install
> > > > it with CA and then decommission replica B.
> > > > Do not forget to clean replication agreements on master.
> > > >
> > > > But that would be a workaround, it would not solve this specific
> > > > problem, it will kill it.
> > >
> > > I actually do have serverc and serverd. I planned to have CA
> > > replication on at least 2 other servers, but held off on trying on
> > > serverc due to issues with serverb.
> > >
> > > I'll report back what I find after regenerating the replica file and
> > > re-trying to set up CA replication.
> > >

After a bit of a hiatus I have revisited this issue and I still have it.

Just to reiterate the problem...

Trying to set up a CA replica on an already installed replica fails in RHEL 6.6,
ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing.... "CRITICAL failed to configure ca instance"
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

It doesn't matter if I run it interactively or unattended.

I have done this on similar servers that were RHEL 6.5, pki-9.0.3-32, ipa
3.0.0-37 without any issue.

The /var/log/ipareplica-ca-install.log shows the following error about white
spaces:

#############################################
Attempting to connect to: mymaster.mydomain.com:9445
Connected.
Posting Query = https:// 
mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 30 Jan 2015 05:05:04 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <panel>admin/console/config/securitydomainpanel.vm</panel>
  <https_agent_port>443</https_agent_port>
  <machineName>mymaster.mydomain.com</machineName>
  <res/>
  <cstype>CA</cstype>
  <initCommand>/sbin/service pki-cad</initCommand>
  <instanceId>&lt;security_domain_instance_name&gt;</instanceId>
  <sdomainURL>https:// myhost.mydomain.com:9445</sdomainURL>
  <sdomainName/>
  <http_ee_port>80</http_ee_port>
  <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.</errorString>

The /var/log/pki-ca/debug also shows....

[30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.

When I compare those logs to the logs from the server I installed a ca-replica 
on successfully, the above is the point where the logs differ and it must be 
the source of the error.

In the log of the server that was successful it shows what should have 
happened...

[25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
[25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=<certstring>

I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.

Note, also, I am trying this on new servers, not the same ones used in December.

I have searched high and low on Google to try and find a resolution for the
white space issue but haven't found anything that worked.

This seems like a bug to me.

Can anyone help with this please?

Thanks in advance,

Regards,

Les
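An added diagnostic for the SAXParseException above (not code from the thread, from FreeIPA or from Dogtag): a Xerces parser reports "White spaces are required between publicId and systemId" when it is handed a <!DOCTYPE ... PUBLIC "..."> with no system identifier, which well-formed XML forbids but which is exactly how Apache's default HTML error pages begin, and the closing quote of Apache's "-//IETF//DTD HTML 2.0//EN" public id sits at column 49, so the assumption behind this script is that the wizard's ping of the sdomainURL got an HTML page back instead of the CA's XML. The function classifies a captured response body and reports the column where the publicId ends; both sample bodies are constructed.

```python
# Added diagnostic, not from the thread or from FreeIPA/Dogtag.  Assumption: the
# wizard's ping of the security-domain admin URL received an HTML page rather
# than the CA's XML reply.  Xerces raises "White spaces are required between
# publicId and systemId" when <!DOCTYPE ... PUBLIC "..."> lacks a systemId, the
# form used by Apache's default error pages.
import re
import xml.etree.ElementTree as ET

# Constructed samples: the shape of a CS XML reply and of an Apache error page.
SAMPLE_CS_XML = '<?xml version="1.0" encoding="UTF-8"?><response><state>1</state></response>'
SAMPLE_APACHE_HTML = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    '<html><head><title>404 Not Found</title></head>'
    '<body><h1>Not Found</h1></body></html>\n'
)

DOCTYPE_RE = re.compile(r'<!DOCTYPE\s+\S+\s+PUBLIC\s+"[^"]*"', re.IGNORECASE)


def publicid_end_column(body):
    """1-based column on line 1 right after the publicId literal, or None.

    A strict XML parser expects whitespace and a systemId there; when the next
    thing is '>' it raises the SAX error quoted in the thread (column 50 for
    Apache's HTML 2.0 doctype).
    """
    first_line = body.split("\n", 1)[0]
    m = DOCTYPE_RE.search(first_line)
    if m is None:
        return None
    rest = first_line[m.end():]
    if rest.lstrip().startswith(('"', "'")):
        return None  # a systemId follows, so the doctype is well-formed XML
    return m.end() + 1


def classify_ping_response(body):
    """Return ('html', column) for an Apache-style HTML page, ('xml', state) for
    a CS <response> reply, or ('other', None) when it is neither."""
    col = publicid_end_column(body)
    if col is not None:
        return ("html", col)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("other", None)
    if root.tag != "response":
        return ("other", None)
    return ("xml", root.findtext("state"))


if __name__ == "__main__":
    for name, body in (("cs", SAMPLE_CS_XML), ("apache", SAMPLE_APACHE_HTML)):
        print(name, classify_ping_response(body))
```

Capturing the body that the master's port 443 actually returns for the URL the wizard pings, and feeding it to classify_ping_response, shows whether the failure belongs to the CA or to whatever answered in its place.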

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project