Has anyone got any ideas on this? I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project.
Help please...

Regards,

Les

> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Friday, 30 January 2015 4:48 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>
> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> > Sent: Wednesday, 10 December 2014 6:22 PM
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> > > -----Original Message-----
> > > From: Ade Lee [mailto:a...@redhat.com]
> > > Sent: Wednesday, 10 December 2014 5:05 AM
> > > To: Les Stott
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > > On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> > > > ________________________________________
> > > > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> > > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > > To: freeipa-users@redhat.com
> > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > >
> > > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > > > > Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?
> > > > >
> > > > > People who might be able to help are on PTO right now.
> > > > >
> > > > > Is your installation older than 2 years?
> > > >
> > > > No, December 2013 was when it was originally built.
> > > >
> > > > > Did you generate a new replica package or use the original one?
> > > >
> > > > I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file.
> > > >
> > > > Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required.
> > > >
> > > > I will try this.
> > >
> > > I think that this is a safe bet to be the problem.
> > >
> > > The error in the log snippet you posted says:
> > >
> > > <errorString>The pkcs12 file is not correct.</errorString>
> > >
> > > This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?
> > >
> > > Ade
> >
> > I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error.
> >
> > I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb.
> >
> > I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013.
> >
> > I will try that in a couple of days as I have to schedule this work in as it's in production.
> >
> > Regards,
> >
> > Les
> >
> > > > > May be the problem is that the cert that is in that package already expired?
> > > >
> > > > original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.
> > > >
> > > > > Just a thought...
> > > > >
> > > > > The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B.
> > > > > Do not forget to clean replication agreements on master.
> > > > >
> > > > > But that would be a work around, would not solve this specific problem, it will kill it.
> > > >
> > > > I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb.
> > > >
> > > > I'll report back what I find after regenerating the replica file and re-trying to setup CA replication.
>
> After a bit of a hiatus I have revisited this issue and I still have it.
>
> Just to re-iterate the problem...
>
> Trying to setup a ca replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.
>
> /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg
>
> It fails showing.... "CRITICAL failed to configure ca instance"
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> [1/16]: creating certificate server user
> [2/16]: creating pki-ca instance
> [3/16]: configuring certificate server instance
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> It doesn't matter if I run it interactively or unattended.
>
> I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.
>
> The /var/log/ipareplica-ca-install.log shows the following error about White Spaces:
>
> #############################################
> Attempting to connect to: mymaster.mydomain.com:9445
> Connected.
> Posting Query = https://mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
> RESPONSE STATUS: HTTP/1.1 200 OK
> RESPONSE HEADER: Server: Apache-Coyote/1.1
> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER: Date: Fri, 30 Jan 2015 05:05:04 GMT
> RESPONSE HEADER: Connection: close
> <?xml version="1.0" encoding="UTF-8"?>
> <response>
> <panel>admin/console/config/securitydomainpanel.vm</panel>
> <https_agent_port>443</https_agent_port>
> <machineName>mymaster.mydomain.com</machineName>
> <res/>
> <cstype>CA</cstype>
> <initCommand>/sbin/service pki-cad</initCommand>
> <instanceId><security_domain_instance_name></instanceId>
> <sdomainURL>https://myhost.mydomain.com:9445</sdomainURL>
> <sdomainName/>
> <http_ee_port>80</http_ee_port>
> <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.</errorString>
>
> The /var/log/pki-ca/debug also shows....
>
> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>
> When I compare those logs to the logs from the server I installed a ca-replica on successfully, the above is the point where the logs differ and it must be the source of the error.
>
> In the log of the server that was successful it shows what should have happened...
>
> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=<certstring>
>
> I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
>
> Note, also, I am trying this on new servers, not the same ones used in December.
>
> I have searched high and low on google to try and find a resolution for the White Space issue but haven't found anything that worked.
>
> This seems like a bug to me.
>
> Can anyone help with this please?
>
> Thanks in advance,
>
> Regards,
>
> Les
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
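An added example, not from this thread or from the FreeIPA/Dogtag projects: a small Python triage helper that classifies the pingCS step in a /var/log/pki-ca/debug excerpt (XML parsed with state=1 versus parser failed, pulling the SAXParseException position and reason) and extracts the <errorString> from the configuration-wizard XML response as recorded by ipa-ca-install. The log excerpts and wizard response are constructed samples modelled on the ones quoted in the thread, and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpts modelled on the two /var/log/pki-ca/debug snippets in the thread.
FAILED_DEBUG = """\
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
"""
OK_DEBUG = """\
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
[25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
"""
# Constructed wizard response in the shape ipa-ca-install logs (placeholder host name).
WIZARD_RESPONSE = """<response>
<panel>admin/console/config/securitydomainpanel.vm</panel>
<machineName>mymaster.mydomain.com</machineName>
<errorString>The pkcs12 file is not correct.</errorString></response>"""

DEBUG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
SAX_ERROR = re.compile(r"SAXParseException; lineNumber: (\d+); columnNumber: (\d+); (.+)$")

def triage_pingcs(debug_text):
    """Summarise the security-domain ping step (pingCS) from a pki-ca debug excerpt."""
    summary = {"started": False, "xml_parsed": False, "state": None, "sax_error": None}
    for line in debug_text.splitlines():
        m = DEBUG_LINE.match(line)
        if not m:
            continue  # not a timestamped debug line; ignore
        msg = m.group("msg")
        if "pingCS: started" in msg:
            summary["started"] = True
        elif "pingCS: got XML parsed" in msg:
            summary["xml_parsed"] = True
        elif "pingCS: state=" in msg:
            summary["state"] = int(msg.rsplit("=", 1)[1])
        elif "pingCS: parser failed" in msg:
            s = SAX_ERROR.search(msg)  # position and reason reported by the XML parser
            summary["sax_error"] = {"line": int(s.group(1)), "column": int(s.group(2)), "reason": s.group(3)} if s else msg
    if summary["sax_error"]:
        summary["verdict"] = "master admin port returned a body the clone could not parse as XML"
    elif summary["xml_parsed"] and summary["state"] == 1:
        summary["verdict"] = "security domain ping succeeded"
    else:
        summary["verdict"] = "ping step incomplete in this excerpt"
    return summary

def wizard_error_string(xml_text):
    """Return the <errorString> of a configuration-wizard response, or None when absent."""
    node = ET.fromstring(xml_text).find("errorString")
    return node.text if node is not None and node.text else None
```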