Has anyone got any ideas on the below errors I am now receiving? Thanks in advance,
Les

> > > > I will test this out (update to 3.7.19-260) next week as I've got a
> > > > few more CA replicas to set up.
> >
> > I'm still having issues. Different one this time.
>
> As I have previously worked around the install of CA replicas in my
> Production environment as above, I went to set up CA replication
> in DR (both environments are completely separate).
>
> Making sure I did a yum update for all packages, including selinux-policy, and
> also making sure all needed modules were loaded in httpd.conf, I proceeded
> to retry installation of CA replication. However, it failed with the
> following:
>
> Note: sb2sys01.domain.com is the replica I am trying to install....
>
> (abbreviated below)
>
> #############################################
> Attempting to connect to: sb2sys01.domain.com:9445
> Connected.
> Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
> RESPONSE STATUS: HTTP/1.1 200 OK
> RESPONSE HEADER: Server: Apache-Coyote/1.1
> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
> RESPONSE HEADER: Connection: close
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- BEGIN COPYRIGHT BLOCK
>
> END COPYRIGHT BLOCK -->
> <response>
> <panel>admin/console/config/restorekeycertpanel.vm</panel>
> <res/>
> <updateStatus>failure</updateStatus>
> <password/>
> <errorString>The pkcs12 file is not correct.</errorString>
> <size>19</size>
> Error in RestoreKeyCertPanel(): updateStatus returns failure
> ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> ERROR: unable to create CA
>
> ############################################
>
> In /var/log/pki-ca/catalina.out I see...
>
> CMS Warning: FAILURE: Cannot build CA chain. Error
> java.security.cert.CertificateException: Certificate is not a PKCS #11
> certificate|FAILURE: authz instance DirAclAuthz initialization failed and
> skipped, error=Property internaldb.ldapconn.port missing value|
> Server is started.
>
> Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a
> working system).
>
> grep DirAclAuthz /etc/pki-ca/CS.cfg
> authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> authz.instance.DirAclAuthz.ldap=internaldb
> authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> authz.instance.DirAclAuthz.ldap._000=##
> authz.instance.DirAclAuthz.ldap._001=## Internal Database
> authz.instance.DirAclAuthz.ldap._002=##
> authz.instance.DirAclAuthz.ldap.basedn=
> authz.instance.DirAclAuthz.ldap.maxConns=15
> authz.instance.DirAclAuthz.ldap.minConns=3
> authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> authz.instance.DirAclAuthz.ldap.ldapconn.host=
> authz.instance.DirAclAuthz.ldap.ldapconn.port=
> authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
> authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
>
> The CA cert looks OK to me on the master. It does get copied to the replica in
> /usr/share/ipa/html/ca.crt
>
> I don't see any errors in httpd error or access logs on the master or the
> intended replica.
>
> The ipa-pki-proxy.conf config has the profileSubmit section.
>
> # matches for ee port
> <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>
> I can confirm that pki-cad does start (but is unconfigured) and that it does
> listen on port 9445.
>
> # netstat -apn | grep 9445
> tcp        0      0 :::9445        :::*        LISTEN      31264/java
> # service pki-cad status
> pki-ca (pid 31264) is running...                           [  OK  ]
> 'pki-ca' must still be CONFIGURED!
> (see /var/log/pki-ca-install.log)
>
> I am not sure what to try next.
>
> Appreciate any help to get over this error.
>
> Thanks,
>
> Les

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
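The RestoreKeyCertPanel step quoted above posts `path=ca.p12` together with a password and comes back with "The pkcs12 file is not correct." The script below is an added example, not part of Les's message and not FreeIPA or Dogtag code: it builds a constructed, throwaway `ca.p12` with openssl and then runs the checks a practitioner would apply to the real bundle before retrying the replica install, namely that the file opens with the given password, that it holds a private key, and that at least one bundled certificate is marked `CA:TRUE`. The file names, the subject names and the password `secret` are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread): sanity-check a PKCS#12
# bundle such as the ca.p12 that the CA replica installer is pointed at.
# Requires only the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_p12 FILE PASSWORD
# Build a constructed throwaway CA key + self-signed CA certificate and wrap
# them in a PKCS#12 file. This stands in for a real ca.p12 (assumption).
make_test_p12() {
    p12="$1"; pass="$2"
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Example Org
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
        -name "caSigningCert" -out "$p12" -passout "pass:$pass"
}

# check_p12 FILE PASSWORD
# Returns 0 when FILE opens with PASSWORD, carries at least one private key,
# and carries at least one certificate whose Basic Constraints say CA:TRUE.
# On failure it prints the reason and returns 1.
check_p12() {
    p12="$1"; pass="$2"
    # 1. Does the bundle parse at all, and does the MAC verify with this password?
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes \
            -out "$WORK/dump.pem" 2>/dev/null; then
        echo "cannot open $p12: wrong password or not a PKCS#12 file"
        return 1
    fi
    # 2. Count the private keys and certificates that were unpacked.
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$WORK/dump.pem" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$WORK/dump.pem" || true)
    if [ "$keys" -lt 1 ]; then echo "no private key in $p12"; return 1; fi
    if [ "$certs" -lt 1 ]; then echo "no certificate in $p12"; return 1; fi
    # 3. Is any bundled certificate a CA certificate? Wrap all certs in a
    #    PKCS#7 so openssl prints the extensions of every cert, not just the first.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null \
            | openssl crl2pkcs7 -nocrl -certfile /dev/stdin 2>/dev/null \
            | openssl pkcs7 -print_certs -text -noout 2>/dev/null \
            | grep -q 'CA:TRUE'; then
        echo "no CA certificate (CA:TRUE) in $p12"
        return 1
    fi
    echo "$p12: $keys private key(s), $certs certificate(s), CA certificate present"
    return 0
}

# Demonstration on the constructed bundle. To check a real file, call
# check_p12 with the path to ca.p12 and the password given to the installer.
make_test_p12 "$WORK/test.p12" "secret"
check_p12 "$WORK/test.p12" "secret"
```

A bundle that passes these checks can still be rejected by the installer for other reasons (for instance if the certificate nicknames inside the bundle are not the ones it expects), so treat a pass as ruling out the file itself rather than as a full diagnosis.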