Hi all,
I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 4.4.0.
What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could replace the original FreeIPA 3.0 infrastrcuture with. The way I'm doing this is:
1) prepare replica file on production ipa01 and copy to ipasync 2) install replica with CA on ipasync and then remove all connections to ipa01, ipa02 and ipa03 (which is the entire production infrastructure) 3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7) 4) Prepare replica file on ipasync and copy to ipa01 (a new clean installation in test that should later replace ipa01 in prod) 5) install replica with CA on ipa01 and then remove all connections to ipasync
* Right now I'm failing at the create CA phase in step 5 with:
[2/27]: configuring certificate server instance ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned non-zero exit status 1
* I can see that it fails on the subsystem Clone URI in /var/log/ipareplica-install.log
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://ipasync.xxx.com:443 Please check the CA logs in /var/log/pki/pki-tomcat/ca. 2017-07-11T15:24:52Z DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
* To get more details I check the debug log for tomcat and find that it still tries to match against the old infrastructure and not the ipasync server:
# cat /var/log/pki/pki-tomcat/ca/debug ... [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration === [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://ipasync.xxx.com:443 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://ipasync.xxx.com:443
* I validate this by checking the calist in getDomainXML:
# wget --no-check-certificate https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML # cat getDomainXML | xmllint --format - ... <CAList> <CA> <DomainManager>TRUE</DomainManager> <SubsystemName>pki-cad</SubsystemName> <Clone>FALSE</Clone> <UnSecurePort>80</UnSecurePort> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa01.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa02.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa03.xxx.com</Host> </CA> <SubsystemCount>3</SubsystemCount> </CAList> ...
Why does it still have the old ipa servers and why is not ipasync included? Am I doing something wrong here, for example do I need to manually add ipasync to the pki-cad list of CAs?
Best regards,
-David
-- David Hendén ITF +46736330916 david.henden@itf.se
David Hendén via FreeIPA-users wrote:
Hi all,
I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 4.4.0.
What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could replace the original FreeIPA 3.0 infrastrcuture with. The way I'm doing this is:
- prepare replica file on production ipa01 and copy to ipasync
- install replica with CA on ipasync and then remove all connections to ipa01, ipa02 and ipa03 (which is the entire production infrastructure)
- Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7)
- Prepare replica file on ipasync and copy to ipa01 (a new clean installation in test that should later replace ipa01 in prod)
- install replica with CA on ipa01 and then remove all connections to ipasync
Right now I'm failing at the create CA phase in step 5 with:
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned non-zero exit status 1
- I can see that it fails on the subsystem Clone URI in /var/log/ipareplica-install.log
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://ipasync.xxx.com:443 Please check the CA logs in /var/log/pki/pki-tomcat/ca. 2017-07-11T15:24:52Z DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
- To get more details I check the debug log for tomcat and find that it still tries to match against the old infrastructure and not the ipasync server:
# cat /var/log/pki/pki-tomcat/ca/debug ... [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration === [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://ipasync.xxx.com:443 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://ipasync.xxx.com:443
- I validate this by checking the calist in getDomainXML:
# wget --no-check-certificate https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML # cat getDomainXML | xmllint --format - ...
<CAList> <CA> <DomainManager>TRUE</DomainManager> <SubsystemName>pki-cad</SubsystemName> <Clone>FALSE</Clone> <UnSecurePort>80</UnSecurePort> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa01.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa02.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa03.xxx.com</Host> </CA> <SubsystemCount>3</SubsystemCount> </CAList> ...
Why does it still have the old ipa servers and why is not ipasync included? Am I doing something wrong here, for example do I need to manually add ipasync to the pki-cad list of CAs?
I don't believe uninstalling an IPA master will update this list as it is maintained by dogtag and other than removing the replication agreements I'm not aware of any other notification that a server is going away.
Endi, do you know what needs to happen here?
rob
----- Original Message -----
David Hendén via FreeIPA-users wrote:
Hi all,
I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 4.4.0.
What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could replace the original FreeIPA 3.0 infrastrcuture with. The way I'm doing this is:
- prepare replica file on production ipa01 and copy to ipasync
- install replica with CA on ipasync and then remove all connections to
ipa01, ipa02 and ipa03 (which is the entire production infrastructure) 3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7) 4) Prepare replica file on ipasync and copy to ipa01 (a new clean installation in test that should later replace ipa01 in prod) 5) install replica with CA on ipa01 and then remove all connections to ipasync
Right now I'm failing at the create CA phase in step 5 with:
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned non-zero exit status 1
- I can see that it fails on the subsystem Clone URI in
/var/log/ipareplica-install.log
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://ipasync.xxx.com:443 Please check the CA logs in /var/log/pki/pki-tomcat/ca. 2017-07-11T15:24:52Z DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
- To get more details I check the debug log for tomcat and find that it
still tries to match against the old infrastructure and not the ipasync server:
# cat /var/log/pki/pki-tomcat/ca/debug ... [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration === [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://ipasync.xxx.com:443 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://ipasync.xxx.com:443
- I validate this by checking the calist in getDomainXML:
# wget --no-check-certificate https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML # cat getDomainXML | xmllint --format - ...
<CAList> <CA> <DomainManager>TRUE</DomainManager> <SubsystemName>pki-cad</SubsystemName> <Clone>FALSE</Clone> <UnSecurePort>80</UnSecurePort> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa01.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa02.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa03.xxx.com</Host> </CA> <SubsystemCount>3</SubsystemCount> </CAList> ...
Why does it still have the old ipa servers and why is not ipasync included? Am I doing something wrong here, for example do I need to manually add ipasync to the pki-cad list of CAs?
I don't believe uninstalling an IPA master will update this list as it is maintained by dogtag and other than removing the replication agreements I'm not aware of any other notification that a server is going away.
Endi, do you know what needs to happen here?
rob
Sorry, I'm not that familiar with this area.
Ade, could you take a look? Thanks.
-- Endi S. Dewata
On Thu, 2017-07-20 at 01:11 -0400, Endi Sukma Dewata wrote:
----- Original Message -----
David Hendén via FreeIPA-users wrote:
Hi all,
I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 4.4.0.
What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could replace the original FreeIPA 3.0 infrastrcuture with. The way I'm doing this is:
1) prepare replica file on production ipa01 and copy to ipasync 2) install replica with CA on ipasync and then remove all connections to ipa01, ipa02 and ipa03 (which is the entire production infrastructure) 3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7) 4) Prepare replica file on ipasync and copy to ipa01 (a new clean installation in test that should later replace ipa01 in prod) 5) install replica with CA on ipa01 and then remove all connections to ipasync
- Right now I'm failing at the create CA phase in step 5 with:
[2/27]: configuring certificate server instance ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned non-zero exit status 1
- I can see that it fails on the subsystem Clone URI in
/var/log/ipareplica-install.log
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://ipasync.xxx.com:443 Please check the CA logs in /var/log/pki/pki-tomcat/ca. 2017-07-11T15:24:52Z DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
- To get more details I check the debug log for tomcat and find
that it still tries to match against the old infrastructure and not the ipasync server:
# cat /var/log/pki/pki-tomcat/ca/debug ... [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration === [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://ipasync.xxx.com:443 [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://ipasync.xxx.com:443
- I validate this by checking the calist in getDomainXML:
# wget --no-check-certificate https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML # cat getDomainXML | xmllint --format - ... <CAList> <CA> <DomainManager>TRUE</DomainManager> <SubsystemName>pki-cad</SubsystemName> <Clone>FALSE</Clone> <UnSecurePort>80</UnSecurePort> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa01.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa02.xxx.com</Host> </CA> <CA> <SubsystemName>pki-cad</SubsystemName> <Clone>TRUE</Clone> <DomainManager>TRUE</DomainManager> <SecureEEClientAuthPort>443</SecureEEClientAuthPort> <UnSecurePort>80</UnSecurePort> <SecureAdminPort>443</SecureAdminPort> <SecureAgentPort>443</SecureAgentPort> <SecurePort>443</SecurePort> <Host>ipa03.xxx.com</Host> </CA> <SubsystemCount>3</SubsystemCount> </CAList> ...
Why does it still have the old ipa servers and why is not ipasync included? Am I doing something wrong here, for example do I need to manually add ipasync to the pki-cad list of CAs?
I don't believe uninstalling an IPA master will update this list as it is maintained by dogtag and other than removing the replication agreements I'm not aware of any other notification that a server is going away.
Nice detective work!
It seems that the problem here is that ipasync should have been added to the security domain during the replication in step 2, just as ipa02 and ipa03 were also added during previous replications.
I'm not sure why that did not happen - but it would be useful to get Dogtag logs for step 2 to try to figure that out. I recall that in the past, there was a bug where the Dogtag replication installation code silently swallowed an exception at the end of the setup, resulting in the security domain not being updated. Maybe this is what is happening here.
To proceed further, you need to manually add the entry for ipasync into the security domain. It will look the same as the other entries. Make sure also to update SubsystemCount.
Endi, do you know what needs to happen here?
rob
Sorry, I'm not that familiar with this area.
Ade, could you take a look? Thanks.
-- Endi S. Dewata
freeipa-users@lists.fedorahosted.org