New pki-ca (pki-ca-10.0.2-2) replica install tries to access /ca/rest/securityDomain/domainInfo on master. When it cannot access it, pkispawn called by ipa-ca-install or ipa-replica-install --setup-ca crashes:
2013-05-03T10:17:14Z DEBUG Starting external process
2013-05-03T10:17:14Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpWKzhTa
2013-05-03T10:17:15Z DEBUG Process finished, return code=1
2013-05-03T10:17:15Z DEBUG stdout=Loading deployment configuration from /tmp/tmpWKzhTa.
ERROR: Unable to access security domain: 404 Client Error: Not Found
2013-05-03T10:17:15Z DEBUG stderr=
Access log on master server with failed request:
10.16.78.24 - - [03/May/2013:10:31:44 -0400] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 231
We need to make this REST URI accessible in /etc/httpd/conf.d/ipa-pki-proxy.conf to make FreeIPA replica CA installation work again. As Ade advised, the URI should be added to the following stanza:

...
# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
...
This is a regression in new f18/f19 dogtag. pki-ca team plans to add some fallback when the URL is not available to address old installations, but we need to add this URI at least for new installs. Moving to appropriate milestone.
Some of the URLs have changed/been updated in dogtag 10. I am pasting a modified proxy config with the new URLs added.
This is only needed on new servers. We are adding fallback code, so that old servers will still work as expected. The dogtag build with that code will be pki-core-10.0.2-3.

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
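An added check (not from the ticket or the FreeIPA/dogtag code) that parses LocationMatch stanzas like the ones above and answers two questions a reviewer of this change wants settled: does a given request path reach Tomcat at all, or does httpd answer 404 itself as in the failure above, and which matched paths are proxied without a client certificate. The config embedded below is a constructed, trimmed excerpt of the corrected stanzas.

```python
import re

# Constructed sample: two stanzas from the corrected proxy config, trimmed to
# a few patterns each (not the full ipa-pki-proxy.conf).
SAMPLE_CONF = """
# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getStatus|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/doRevoke|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
"""

STANZA_RE = re.compile(
    r'<LocationMatch\s+"(?P<pattern>[^"]+)">(?P<body>.*?)</LocationMatch>', re.S)


def parse_stanzas(conf):
    """Return [(compiled LocationMatch regex, NSSVerifyClient value)] in file order."""
    stanzas = []
    for m in STANZA_RE.finditer(conf):
        verify = re.search(r"^\s*NSSVerifyClient\s+(\S+)", m.group("body"), re.M)
        stanzas.append((re.compile(m.group("pattern")),
                        verify.group(1) if verify else "(inherited)"))
    return stanzas


def route_for(conf, path):
    """NSSVerifyClient setting applied to `path`, or None when no stanza matches
    (httpd then never proxies to AJP and serves its own 404, the ticket's symptom).
    As in httpd, every matching LocationMatch applies and the last one wins."""
    result = None
    for pattern, verify in parse_stanzas(conf):
        if pattern.search(path):  # patterns are anchored at the start only
            result = verify
    return result


def unauthenticated_patterns(conf):
    """Patterns proxied with NSSVerifyClient none, i.e. reachable without a
    client certificate; the list to re-check whenever a stanza is widened."""
    return [p.pattern for p, v in parse_stanzas(conf) if v == "none"]
```

Because the patterns are only anchored with `^`, a path such as `/ca/admin/ca/getStatusExtra` is proxied too; keep that in mind when adding entries.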
attachment freeipa-mkosek-403-update-pki-proxy-configuration.patch
Patch freeipa-mkosek-403-update-pki-proxy-configuration.patch sent for review
master: 77e4f44
ipa-3-1: 1b1218f
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/04-05 (GA)