[Freeipa-users] CA Replication Installation Failing

Ade Lee alee at redhat.com
Wed Feb 4 14:19:43 UTC 2015


From the snippet of log below, it looks like the replica CA is trying to
contact the master CA to obtain the security domain information and is
failing to get a valid response.

The message about "spaces and parsing" is basically the replica saying
that it cannot understand the response -- or lack of one from the master
CA.  As this is an old version of IPA and Dogtag, it is trying to
contact the master CA on port 9443.

Things to look into:
1) Is the CA on the master up?  Is port 9443 open on the master 
   (firewalls on master or replica)?  You could test this by using a 
   browser/curl on the replica to go to
   https://<master_host>:9443/ca/admin/ca/getDomainXML

2) Is selinux preventing the access?  You might want to set it in 
   permissive mode on either master or replica.

3) Do you see activity in the master's debug log?

This looks to me like a different error from what was described before.
It's failing much earlier now.

Ade

On Fri, 2015-01-30 at 05:48 +0000, Les Stott wrote:
> 
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Les Stott
> > Sent: Wednesday, 10 December 2014 6:22 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Ade Lee [mailto:alee at redhat.com]
> > > Sent: Wednesday, 10 December 2014 5:05 AM
> > > To: Les Stott
> > > Cc: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > > On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> > > >
> > > >
> > > >
> > >
> > > ______________________________________________________________________
> > > > From: freeipa-users-bounces at redhat.com
> > > > [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
> > > > [dpal at redhat.com]
> > > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > > To: freeipa-users at redhat.com
> > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > >
> > > >
> > > >
> > > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > >
> > > > > Does anyone have any ideas on the below errors when trying to add
> > > > > CA replication to an existing replica?
> > > > >
> > > > >
> > > >
> > > > > People who might be able to help are on PTO right now.
> > > > >
> > > > > Is your installation older than 2 years?
> > > >
> > > > No, December 2013 was when it was originally built.
> > > >
> > > > > Did you generate a new replica package or use the original one?
> > > >
> > > > I used the original replica file for serverb, based on instructions
> > > > I came across. I can try regenerating the replica file.
> > > >
> > > > Interestingly, now that you mention it, servera had to be restored a
> > > > couple of months back. Perhaps this is an issue and regenerating the
> > > > replica file for serverb will be required.
> > > >
> > > > I will try this.
> > > >
> > >
> > > I think that this is a safe bet to be the problem.
> > >
> > > The error in the log snippet you posted says:
> > >
> > >  <errorString>The pkcs12 file is not correct.</errorString>
> > >
> > > This indicates that the clone CA was unable to decode the pkcs12 file
> > > in the replica.  Perhaps the certs changed -- or the DM password changed?
> > >
> > > Ade
> > 
> > I regenerated the replica file and retried the CA replica setup, but it failed at
> > the same point with the same error.
> > 
> > I am thinking that the next step is to uninstall the ipa replica to cleanup,
> > remove all traces and re-add as a replica on serverb.
> > 
> > I wonder if the cert that it's having an issue with is the one on serverB under
> > /etc/ipa/ca.crt which is from Dec 2013.
> > 
> > I will try that in a couple of days as I have to schedule this work in as it's in
> > production.
> > 
> > Regards,
> > 
> > Les
> > 
> > 
> > > > > Maybe the problem is that the cert that is in that package already
> > > > > expired?
> > > >
> > > > original replica file was created on Dec 16 2013. Cert is not set to
> > > > expire until 2015-12-17.
> > > >
> > > > > Just a thought...
> > > > >
> > > > > The simplest workaround IMO would be to prepare Server C, install it
> > > > > with CA and then decommission replica B.
> > > > > Do not forget to clean replication agreements on master.
> > > > >
> > > > > But that would be a workaround; it would not solve this specific
> > > > > problem, it will kill it.
> > > >
> > > > I actually do have serverc and serverd. I planned to have CA
> > > > replication on at least 2 other servers, but held off on trying on
> > > > serverc due to issues with serverb.
> > > >
> > > > I'll report back what I find after regenerating the replica file and
> > > > re-trying to setup CA replication.
> > > >
> 
> After a bit of a hiatus I have revisited this issue and I still have it.
> 
> Just to re-iterate the problem...
> 
> Trying to set up a CA replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.
> 
> /usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg
> 
> It fails showing.... "CRITICAL failed to configure ca instance"
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/16]: creating certificate server user
>   [2/16]: creating pki-ca instance
>   [3/16]: configuring certificate server instance
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> It doesn't matter if I run it interactively or unattended.
> 
> I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.
> 
> The /var/log/ipareplica-ca-install.log shows the following error about White Spaces:
> 
> #############################################
> Attempting to connect to: mymaster.mydomain.com:9445
> Connected.
> Posting Query = https:// mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
> RESPONSE STATUS:  HTTP/1.1 200 OK
> RESPONSE HEADER:  Server: Apache-Coyote/1.1
> RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER:  Date: Fri, 30 Jan 2015 05:05:04 GMT
> RESPONSE HEADER:  Connection: close
> <?xml version="1.0" encoding="UTF-8"?>
> <response>
>   <panel>admin/console/config/securitydomainpanel.vm</panel>
>   <https_agent_port>443</https_agent_port>
>   <machineName>mymaster.mydomain.com</machineName>
>   <res/>
>   <cstype>CA</cstype>
>   <initCommand>/sbin/service pki-cad</initCommand>
>   <instanceId><security_domain_instance_name></instanceId>
>   <sdomainURL>https:// myhost.mydomain.com:9445</sdomainURL>
>   <sdomainName/>
>   <http_ee_port>80</http_ee_port>
>   <errorString>org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.</errorString>
> 
> The /var/log/pki-ca/debug also shows....
> 
> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
> [30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> [30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> [30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> 
> When I compare those logs to the logs from the server I installed a ca-replica on successfully, the above is the point where the logs differ and it must be the source of the error.
> 
> In the log of the server that was successful it shows what should have happened...
> 
> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
> [25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
> [25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=<certstring>
> 
> I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.
> 
> Note, also, I am trying this on new servers, not the same ones used in December.
> 
> I have searched high and low on google to try and find a resolution for the White Space issue but haven't found anything that worked.
> 
> This seems like a bug to me.
> 
> Can anyone help with this please?
> 
> Thanks in advance,
> 
> Regards,
> 
> Les
> 
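Ade's first check above, fetching getDomainXML from the master with curl on the replica, leaves you with a response body to interpret. The following is an added example, not code from this thread or from FreeIPA/Dogtag: it takes a saved body and says whether it is well-formed XML, an HTML page (a proxy, login or error page returned in place of the CA's answer), or empty. The sample bodies, the `XMLResponse` root tag and the file-name convention are constructed for the example. The HTML DOCTYPE check is there because the JDK's Xerces-based parser reports a DOCTYPE that has a PUBLIC identifier but no SYSTEM identifier, which is what an HTML 4.01 doctype looks like, with exactly the message "White spaces are required between publicId and systemId"; that doctype is 49 characters long, so a strict XML parser objects at column 50, consistent with the columnNumber in the posted log.

```python
"""Classify what a Dogtag CA admin endpoint actually returned.

Added example (not code from the thread or from IPA/Dogtag). Usage:
    curl -k -s https://<master_host>:9443/ca/admin/ca/getDomainXML -o body.out
    python3 classify_ca_response.py body.out
With no argument it runs over the constructed samples below.
"""
import re
import sys
import xml.etree.ElementTree as ET

# A DOCTYPE with a PUBLIC identifier but no SYSTEM identifier is legal HTML
# (e.g. HTML 4.01) but not well-formed XML. Xerces, used by the Java CA
# wizard, rejects it with "White spaces are required between publicId and
# systemId", the message quoted in the thread's ipareplica-ca-install.log.
_PUBLIC_NO_SYSTEM = re.compile(
    rb"<!DOCTYPE\s+\S+\s+PUBLIC\s+(\"[^\"]*\"|'[^']*')\s*>", re.IGNORECASE)

# Anything that opens as an HTML document rather than an XML one.
_LOOKS_LIKE_HTML = re.compile(rb"<(!DOCTYPE\s+html|html)\b", re.IGNORECASE)


def classify_response(body: bytes) -> dict:
    """Return a verdict for one HTTP response body.

    kind is one of "empty", "xml", "html" or "not-xml"; for "xml" the
    root element name is included so it can be compared with what a
    working install returns.
    """
    stripped = body.strip()
    if not stripped:
        return {"kind": "empty", "detail": "no body at all (blocked port, "
                                           "proxy or TLS failure upstream?)"}
    try:
        root = ET.fromstring(stripped)
    except ET.ParseError as exc:
        if _PUBLIC_NO_SYSTEM.search(stripped):
            return {"kind": "html",
                    "detail": "HTML DOCTYPE with PUBLIC id but no SYSTEM id; "
                              "Xerces reports this as 'White spaces are "
                              "required between publicId and systemId'"}
        if _LOOKS_LIKE_HTML.match(stripped):
            return {"kind": "html", "detail": "HTML document, not XML"}
        return {"kind": "not-xml", "detail": f"XML parse error: {exc}"}

    if root.tag.lower() == "html":
        return {"kind": "html", "detail": "well-formed XHTML, not the CA's XML"}
    return {"kind": "xml", "root": root.tag, "detail": "well-formed XML"}


# Constructed sample bodies (not real captures from the thread). The
# XMLResponse element is a stand-in for whatever the real endpoint returns.
SAMPLES = {
    "expected_xml": (b'<?xml version="1.0" encoding="UTF-8"?>'
                     b"<XMLResponse><Status>0</Status></XMLResponse>"),
    "html_error_page": (b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">'
                        b"<html><head><title>Error</title></head>"
                        b"<body>Service unavailable</body></html>"),
    "xhtml_login_page": b"<html><body><form>login</form></body></html>",
    "truncated": b'<?xml version="1.0"?><XMLResponse><Status>0',
    "empty": b"",
}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            print(classify_response(fh.read()))
    else:
        for name, body in SAMPLES.items():
            print(f"{name:17s} -> {classify_response(body)}")
```

Run it against the body saved on the replica, then against the same URL fetched from the master itself; if the replica sees HTML or nothing while the master sees XML, the problem sits between the two hosts (firewall, SELinux, an intercepting proxy) rather than in the CA, which is the distinction Ade's three checks are drawing.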