[Freeipa-users] Problem installing replica CA

Rob Crittenden rcritten at redhat.com
Tue Apr 24 15:28:30 UTC 2012


Dan Scott wrote:
> On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada<ohamada at redhat.com>  wrote:
>> On 04/20/2012 09:35 PM, Dan Scott wrote:
>>>
>>> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal<dpal at redhat.com>    wrote:
>>>>
>>>> On 04/20/2012 12:15 PM, Dan Scott wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> My FreeIPA servers were in a real mess recently and I think I've
>>>>> finally got them into a reasonable state by cleaning up the tombstone
>>>>> entries and fixing some broken replication agreements.
>>>>>
>>>>> I'm trying to set up a new replica and receive the following error:
>>>>>
>>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>>    [1/12]: creating certificate server user
>>>>>    [2/12]: creating pki-ca instance
>>>>>    [3/12]: configuring certificate server instance
>>>>> root        : CRITICAL failed to configure ca instance Command
>>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>>>>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
>>>>> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>>>>> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin'
>>>>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
>>>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
>>>>> '-agent_key_type' 'rsa' '-agent_cert_subject'
>>>>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
>>>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>>>>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>>>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>>>>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>>>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>>>>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>>>>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
>>>>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
>>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
>>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
>>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname'
>>>>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
>>>>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
>>>>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
>>>>> exit status 255
>>>>> creation of replica failed: Configuration of CA failed
>>>>>
>>>>> The /var/log/pki-ca/debug file contains:
>>>>>
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to
>>>>> import user certificate.org.mozilla.jss.crypto.TokenException:
>>>>> PK11_ImportDERCertForKey Unable to import certificate to its token:
>>>>> (-8054) You are attempting to import a cert with the same
>>>>> issuer/serial as an existing cert, but that is not the same cert.
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: Updating local request...
>>>>> certTag=sslserver
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel no=13
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
>>>>> org.apache.catalina.connector.ResponseFacade
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
>>>>> java.lang.Boolean
>>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
>>>>> org.apache.catalina.connector.RequestFacade
>>>>>
>>>>> So it looks like there's some certificate confusion going on.
>>>>>
>>>>> Can someone help? Is there anything particularly sensitive in the
>>>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
>>>>> shouldn't send them to the list?
>>>>>
>>>> Are you installing it on a new machine?
>>>> What version of the OS and tomcat is there?
>>>> There have been some glitches in the tomcat package in the past.
>>>
>>> It's quite new - a VM which I installed 10 days ago. I tried to
>>> install a replica on it before I cleaned my other IPA servers.
>>
>> Are you sure that the CA was cleaned up on the replica? Run
>> 'ipa-server-install --uninstall' and then check the existence of
>> /var/lib/pki-ca. If it's still there ->
>> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html
>
> Yes, the CA was cleaned on the replica - I've also re-installed this
> system from scratch and the install still fails.
>
> Thanks,
>
> Dan

It is a very strange error message. What this means is that the same 
cert exists somewhere (same subject and serial number but has a 
different set of keys). Where that somewhere is I don't know, and 
considering you have a fresh VM the mystery only deepens.

I'm cc'ing one of the dogtag devs to see if he has any ideas.

rob
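The NSS error code in the debug log, -8054, is SEC_ERROR_REUSED_ISSUER_AND_SERIAL: NSS refuses to import a certificate into a token when the database already holds a certificate with the same issuer name and serial number whose DER bytes differ. The script below is an added example, not part of the thread or of FreeIPA/Dogtag, that reproduces that check over a set of DER certificates so the offending pair can be identified (for instance after exporting every entry from the replica's and master's CA NSS databases). It carries a minimal DER encoder and decoder so it runs offline; the three sample certificates are constructed here, carry dummy signatures, and use the assumed names "EXAMPLE.TEST", "replica.example.test" and the labels "replica-db:sslserver", "master:sslserver", "master:ocsp".

```python
"""
Reproduce NSS's "reused issuer/serial" check (SEC_ERROR_REUSED_ISSUER_AND_SERIAL,
-8054) over DER certificates. Only the structural check NSS performs is done:
signatures are neither produced nor verified. Sample certificates below are
constructed for this example and are not real CA material.
"""
from collections import defaultdict

# ---- minimal DER encoder (just enough to build the constructed samples) ----

def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(n):
    # One spare byte keeps the two's-complement value positive when the top bit is set.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_name(cn, org):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)."""
    def atv(oid, value):
        return tlv(0x31, der_seq(tlv(0x06, oid), tlv(0x0C, value.encode())))
    return der_seq(atv(b"\x55\x04\x0a", org), atv(b"\x55\x04\x03", cn))  # O=, CN=

def make_cert(issuer_cn, serial, subject_cn, pubkey_bytes):
    """Build a syntactically valid, unsigned X.509 v3 certificate (constructed sample)."""
    org = "EXAMPLE.TEST"                                           # assumed organisation
    rsa_oid = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption
    sha256_rsa = der_seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))
    def utc(s):
        return tlv(0x17, s.encode())
    spki = der_seq(der_seq(rsa_oid, tlv(0x05, b"")), tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = der_seq(
        tlv(0xA0, der_int(2)),                                     # [0] EXPLICIT version v3
        der_int(serial),
        sha256_rsa,
        der_name(issuer_cn, org),
        der_seq(utc("120101000000Z"), utc("220101000000Z")),
        der_name(subject_cn, org),
        spki,
    )
    return der_seq(tbs, sha256_rsa, tlv(0x03, b"\x00" + b"\x00" * 32))  # dummy signature

# ---- minimal DER decoder ----

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def cert_identity(cert_der):
    """Extract (issuer, serial, subjectPublicKeyInfo) as raw DER contents."""
    _, cert_body, _ = read_tlv(cert_der)
    fields = children(children(cert_body)[0][1])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # skip optional version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, spki, ...
    return fields[2][1], fields[0][1], fields[5][1]

def find_reused_issuer_serial(certs):
    """
    Group certificates by (issuer, serial). A group whose members are not
    byte-identical is exactly what NSS rejects with -8054. Each conflict
    reports the labels involved and whether the public keys also differ.
    """
    groups = defaultdict(list)
    for label, der in certs.items():
        issuer, serial, spki = cert_identity(der)
        groups[(issuer, serial)].append((label, der, spki))
    conflicts = []
    for (issuer, serial), members in groups.items():
        if len({der for _, der, _ in members}) > 1:
            conflicts.append({
                "serial": int.from_bytes(serial, "big"),
                "labels": sorted(label for label, _, _ in members),
                "same_key": len({spki for _, _, spki in members}) == 1,
            })
    return conflicts

# Constructed sample: two sslserver certs share issuer and serial 7 but carry
# different keys; the OCSP cert has its own serial and must not be reported.
SAMPLE_CERTS = {
    "replica-db:sslserver": make_cert("Certificate Authority", 7, "replica.example.test", b"\x01" * 64),
    "master:sslserver":     make_cert("Certificate Authority", 7, "replica.example.test", b"\x02" * 64),
    "master:ocsp":          make_cert("Certificate Authority", 8, "OCSP Subsystem", b"\x03" * 64),
}

if __name__ == "__main__":
    for c in find_reused_issuer_serial(SAMPLE_CERTS):
        print("reused issuer/serial %d: %s (same key: %s)" % (c["serial"], c["labels"], c["same_key"]))
```

To gather real input instead of the constructed samples, list the nicknames in a CA NSS database with `certutil -L -d <dbdir>` and export each with `certutil -L -d <dbdir> -n <nickname> -a`, then feed the DER-decoded certificates into `find_reused_issuer_serial` with a label naming the database they came from. The path of the Dogtag CA database (`/var/lib/pki-ca/alias` on the versions of the time) is an assumption and should be confirmed on the host.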
