Guys, thanks for your help. You pointed me in the right direction (checking the Apache logs).
In the end, it was missing modules in httpd.conf on the Master. I saw this error in /var/log/httpd/error_log:

[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getStatus. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getCertChain. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

These modules were not being loaded...

LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

Now it works. (Well, I have a different issue now with setting up a second replica CA, but that's another story and better in a new thread.)

Thanks,

Les

> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Thursday, 5 February 2015 2:24 AM
> To: Les Stott; freeipa-users@redhat.com
> Cc: Ade Lee
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>
> Les Stott wrote:
> > Has anyone got any ideas on this?
> >
> > I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project.
> >
> > Help please...
> >
> > Regards,
>
> What is the version of IPA on the master you are connecting to?
>
> Can you confirm on the existing master that /etc/httpd/conf.d/ipa-pki-proxy.conf has /ca/ee/ca/profileSubmit in it:
>
> # matches for ee port
> <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>
> rob
>
> >
> > Les
> >
> >> -----Original Message-----
> >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> >> Sent: Friday, 30 January 2015 4:48 PM
> >> To: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>
> >>> -----Original Message-----
> >>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> >>> Sent: Wednesday, 10 December 2014 6:22 PM
> >>> To: freeipa-users@redhat.com
> >>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>
> >>>> -----Original Message-----
> >>>> From: Ade Lee [mailto:a...@redhat.com]
> >>>> Sent: Wednesday, 10 December 2014 5:05 AM
> >>>> To: Les Stott
> >>>> Cc: freeipa-users@redhat.com
> >>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>>
> >>>> On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> >>>>> ______________________________________________________________________
> >>>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> >>>>> Sent: Tuesday, December 09, 2014 3:49 PM
> >>>>> To: freeipa-users@redhat.com
> >>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>>>
> >>>>> On 12/08/2014 11:04 PM, Les Stott wrote:
> >>>>>
> >>>>>> Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?
> >>>>>>
> >>>>>> People who might be able to help are on PTO right now.
> >>>>>>
> >>>>>> Is your installation older than 2 years?
> >>>>>
> >>>>> No, December 2013 was when it was originally built.
> >>>>>
> >>>>>> Did you generate a new replica package or use the original one?
> >>>>>
> >>>>> I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file.
> >>>>>
> >>>>> Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required.
> >>>>>
> >>>>> I will try this.
> >>>>>
> >>>> I think that this is a safe bet to be the problem.
> >>>>
> >>>> The error in the log snippet you posted says:
> >>>>
> >>>> <errorString>The pkcs12 file is not correct.</errorString>
> >>>>
> >>>> This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?
> >>>>
> >>>> Ade
> >>>
> >>> I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error.
> >>>
> >>> I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb.
> >>>
> >>> I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013.
> >>>
> >>> I will try that in a couple of days as I have to schedule this work in as it's in production.
> >>>
> >>> Regards,
> >>>
> >>> Les
> >>>
> >>>>>> Maybe the problem is that the cert that is in that package already expired?
> >>>>>
> >>>>> Original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.
> >>>>>
> >>>>>> Just a thought...
> >>>>>>
> >>>>>> The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B.
> >>>>>> Do not forget to clean replication agreements on master.
> >>>>>>
> >>>>>> But that would be a workaround, would not solve this specific problem, it will kill it.
> >>>>>
> >>>>> I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb.
> >>>>>
> >>>>> I'll report back what I find after regenerating the replica file and re-trying to set up CA replication.
> >>>>>
> >>
> >> After a bit of a hiatus I have revisited this issue and I still have it.
> >>
> >> Just to re-iterate the problem...
> >>
> >> Trying to set up a CA replica on an already installed replica fails in RHEL 6.6, ipa-3.0.0.42, pki 9.0.3-38.
> >>
> >> /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg
> >>
> >> It fails showing.... "CRITICAL failed to configure ca instance"
> >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> >> [1/16]: creating certificate server user
> >> [2/16]: creating pki-ca instance
> >> [3/16]: configuring certificate server instance
> >>
> >> Your system may be partly configured.
> >> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>
> >> It doesn't matter if I run it interactively or unattended.
> >>
> >> I have done this on similar servers that were RHEL 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.
> >>
> >> The /var/log/ipareplica-ca-install.log shows the following error about White Spaces:
> >>
> >> #############################################
> >> Attempting to connect to: mymaster.mydomain.com:9445
> >> Connected.
> >> Posting Query = https://mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
> >> RESPONSE STATUS: HTTP/1.1 200 OK
> >> RESPONSE HEADER: Server: Apache-Coyote/1.1
> >> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> >> RESPONSE HEADER: Date: Fri, 30 Jan 2015 05:05:04 GMT
> >> RESPONSE HEADER: Connection: close
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <response>
> >> <panel>admin/console/config/securitydomainpanel.vm</panel>
> >> <https_agent_port>443</https_agent_port>
> >> <machineName>mymaster.mydomain.com</machineName>
> >> <res/>
> >> <cstype>CA</cstype>
> >> <initCommand>/sbin/service pki-cad</initCommand>
> >> <instanceId><security_domain_instance_name></instanceId>
> >> <sdomainURL>https://myhost.mydomain.com:9445</sdomainURL>
> >> <sdomainName/>
> >> <http_ee_port>80</http_ee_port>
> >> <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.</errorString>
> >>
> >> The /var/log/pki-ca/debug also shows....
> >>
> >> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> >> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
> >> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> >> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
> >> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
> >> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> >> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> >>
> >> When I compare those logs to the logs from the server I installed a CA replica on successfully, the above is the point where the logs differ and it must be the source of the error.
> >>
> >> In the log of the server that was successful it shows what should have happened...
> >>
> >> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
> >> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
> >> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=<certstring>
> >>
> >> I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
> >>
> >> Note, also, I am trying this on new servers, not the same ones used in December.
> >>
> >> I have searched high and low on Google to try and find a resolution for the White Space issue but haven't found anything that worked.
> >>
> >> This seems like a bug to me.
> >>
> >> Can anyone help with this please?
> >>
> >> Thanks in advance,
> >>
> >> Regards,
> >>
> >> Les
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go To http://freeipa.org for more info on the project
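The root cause in this thread, mod_proxy loaded as a DSO without the submodule that handles the proxied URL scheme, can be checked on the master before a CA replica install instead of being discovered in error_log afterwards. The script below is an added example, not code from the thread or from FreeIPA: it scans constructed httpd.conf and ipa-pki-proxy.conf fragments (the file contents, LocationMatch patterns and ports are assumptions, not the real IPA files) for LoadModule and ProxyPass* directives, reports every proxied scheme whose handler module is not loaded, and pulls the affected URLs out of "No protocol handler was valid" warnings like the ones quoted above.

```python
import re

# Proxy URL scheme -> the mod_proxy DSO submodule that provides its protocol handler
SCHEME_MODULES = {"http": "proxy_http_module", "https": "proxy_http_module",
                  "ajp": "proxy_ajp_module", "ftp": "proxy_ftp_module"}
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\w+)", re.M | re.I)
PROXY_TARGET_RE = re.compile(r"^\s*ProxyPass(?:Match|Reverse)?\b.*?\b([a-z]+)://", re.M | re.I)
NO_HANDLER_RE = re.compile(r"proxy: No protocol handler was valid for the URL (\S+)\.")

def strip_comments(text):
    """Drop '#' comment lines so a commented-out LoadModule is not counted as loaded."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def missing_proxy_modules(*config_texts):
    """Return {scheme: module} for every proxied scheme whose handler module is never loaded."""
    text = strip_comments("\n".join(config_texts))
    loaded = {m.lower() for m in LOADMODULE_RE.findall(text)}
    missing = {}
    if "proxy_module" not in loaded:
        missing["*"] = "proxy_module"  # core mod_proxy itself is absent
    for scheme in PROXY_TARGET_RE.findall(text):
        module = SCHEME_MODULES.get(scheme.lower())
        if module and module not in loaded:
            missing[scheme.lower()] = module
    return missing

def unhandled_proxy_urls(error_log):
    """URLs Apache refused to proxy because no protocol handler matched (the symptom in the thread)."""
    return sorted(set(NO_HANDLER_RE.findall(error_log)))

# Constructed sample input (not the real IPA files): proxy_http_module is commented out and
# proxy_ajp_module is never loaded, yet both schemes are proxied.
SAMPLE_HTTPD_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
"""
SAMPLE_PKI_PROXY_CONF = """\
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/profileSubmit">
    ProxyPassMatch ajp://localhost:9447
</LocationMatch>
<LocationMatch "^/ca/admin/ca/getStatus|^/ca/admin/ca/getCertChain">
    ProxyPassMatch https://localhost:9445
</LocationMatch>
"""
SAMPLE_ERROR_LOG = """\
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getStatus. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getCertChain. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
"""
```

On a real host, pass the contents of httpd.conf and every conf.d/*.conf file to missing_proxy_modules together, since LoadModule lines and ProxyPass directives usually live in different files.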