[Freeipa-users] CA replication

Rob Crittenden rcritten at redhat.com
Fri Dec 9 16:09:35 UTC 2011


Dan Scott wrote:
> Hi,
>
> On Fri, Dec 9, 2011 at 09:24, Rob Crittenden<rcritten at redhat.com>  wrote:
>> Dan Scott wrote:
>>>
>>> Hi,
>>>
>>> On Thu, Dec 8, 2011 at 13:29, Rob Crittenden<rcritten at redhat.com>    wrote:
>>>>
>>>> Dan Scott wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I just tried to add a CA replica to my IPA replica (Both Fedora 15)
>>>>> using:
>>>>>
>>>>> ipa-ca-install replica-info-ohm.gpg
>>>>>
>>>>> It proceeds to configure the directory server for the CA, but fails
>>>>> when 'configuring certificate server':
>>>>>
>>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>>    [1/11]: creating certificate server user
>>>>>    [2/11]: creating pki-ca instance
>>>>>    [3/11]: configuring certificate server instance
>>>>> root        : CRITICAL failed to configure ca instance Command
>>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>>>>> 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
>>>>> '/tmp/tmp-Mbw1ut' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>>>>> 'XXXXXXXXX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>>>>> 'root at localhost' '-admin_password' XXXXXXXX '-agent_name'
>>>>> 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
>>>>> '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
>>>>> 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
>>>>> Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
>>>>> 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
>>>>> 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
>>>>> '-subsystem_name' 'pki-cad' '-token_name' 'internal'
>>>>> '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
>>>>> '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
>>>>> '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
>>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'curie.example.com'
>>>>> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
>>>>> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
>>>>> 'https://curie.example.com:443'' returned non-zero exit status 255
>>>>> creation of replica failed: Configuration of CA failed
>>>>>
>>>>> Some errors from /var/log/ipareplica-ca-install.log
>>>>>
>>>>> Error in DomainPanel(): updateStatus value is null
>>>>> ERROR: ConfigureCA: DomainPanel() failure
>>>>> ERROR: unable to create CA
>>>>>
>>>>>    File "/usr/sbin/ipa-ca-install", line 156, in<module>
>>>>>      main()
>>>>>
>>>>>    File "/usr/sbin/ipa-ca-install", line 141, in main
>>>>>      (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>>>
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>> line 1136, in install_replica_ca
>>>>>      subject_base=config.subject_base)
>>>>>
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>> line 537, in configure_instance
>>>>>      self.start_creation("Configuring certificate server", 210)
>>>>>
>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>> line 248, in start_creation
>>>>>      method()
>>>>>
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>> line 680, in __configure_instance
>>>>>      raise RuntimeError('Configuration of CA failed')
>>>>>
>>>>> Anyone have any ideas?
>>>>
>>>>
>>>>
>>>> /var/log/pki-ca/debug probably has more details.
>>>
>>>
>>> This file contains the following errors:
>>>
>>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
>>> SSL Admin HTTPS . . .
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
>>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>>> White spaces are required between publicId and systemId.
>>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
>>> no successful response for SSL Admin HTTPS
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
>>> getCertChainUsingSecureAdminPort start
>>> [08/Dec/2011:12:24:40][http-9445-2]:
>>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>>> 50; White spaces are required between publicId and systemId.
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
>>> getCertChainUsingSecureAdminPort: java.io.IOException:
>>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>>> spaces are required between publicId and systemId.
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
>>> /ca/admin/ca/getStatus
>>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to
>>> service.
>>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
>>> 12:24:40 EST 2011 id=caGetStatus time=32
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML
>>> parsed
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
>>> [08/Dec/2011:12:24:40][http-9445-2]: panel no=3
>>> [08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
>>> [08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
>>> [08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
>>> [08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
>>> org.apache.catalina.connector.ResponseFacade
>>> [08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
>>> org.apache.catalina.connector.RequestFacade
>>
>>
>> I'll point the dogtag guys at this to see if they notice anything.
>>
>>
>>>> This might also be ticket https://fedorahosted.org/freeipa/ticket/2148
>>>
>>>
>>> The script passes the port-check, so it doesn't look like it's the
>>> issue mentioned. Is there a workaround for this issue?
>>
>>
>> This is different from port-check. Dogtag stores the security domain
>> information in its LDAP database. When creating a replica (or clone, in
>> dogtag lingo) it compares the ports being requested with what is stored in
>> the security domain and will reject if they don't match. Look for invalid
>> clone_uri in the debug log to see if this is the problem.
>
> There's no mention of clone_uri anywhere in the debug log.
>
> Dan

Ok, can you provide the contents of the security domain? This will be 
printed out in the debug log.

Or you can send me the debug log out of band.

rob
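A small triage helper for the pki-ca debug log excerpt above, added here as an example and not part of this thread or of the dogtag/FreeIPA code: it pairs each pingCS attempt with its outcome on the same request thread (so the SAXParseException from the security domain's SSL admin port shows up as a failed ping while the local getStatus ping succeeds) and checks for the "invalid clone_uri" message Rob asks about. The sample log lines are constructed from the excerpt quoted in this thread.

```python
import re

# Constructed sample modelled on the /var/log/pki-ca/debug lines quoted above (not the real file).
SAMPLE_DEBUG_LOG = """\
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
EXC_RE = re.compile(r"parser failed(?P<exc>\S+?);\s*(?P<detail>.*)$")

def parse_debug_log(text):
    """Yield (timestamp, thread, message) for each well-formed debug line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("thread"), m.group("msg")

def ping_outcomes(text):
    """Pair each 'pingCS: started' with its outcome on the same request thread.
    A reply that was not well-formed XML (the SAXParseException Dan saw) is
    reported as a failed ping with the parser's message; 'got XML parsed' is ok."""
    open_pings = {}  # thread -> ping awaiting an outcome
    results = []
    for _ts, thread, msg in parse_debug_log(text):
        if msg.endswith("pingCS: started"):
            open_pings[thread] = {"thread": thread, "ok": None, "detail": ""}
        elif thread in open_pings and "pingCS:" in msg:
            rec = open_pings[thread]
            exc = EXC_RE.search(msg)
            if exc:
                rec["ok"], rec["detail"] = False, "%s: %s" % exc.group("exc", "detail")
            elif msg.endswith("got XML parsed"):
                rec["ok"] = True
            if rec["ok"] is not None:
                results.append(open_pings.pop(thread))
    return results

def mentions_invalid_clone_uri(text):
    """The check asked for in the thread: did dogtag log an invalid clone_uri?"""
    return any("invalid clone_uri" in msg.lower()
               for _ts, _thread, msg in parse_debug_log(text))
```

Run against a real /var/log/pki-ca/debug, a failed first ping with no clone_uri complaint points at the admin-port response itself rather than at the security domain port check.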



