#2424 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
Closed: Fixed None Opened 7 years ago by edewata.

https://bugzilla.redhat.com/show_bug.cgi?id=1358752

Description of problem:
After promoting IPA server from CA-less to CA-full, ipa-ca-install fails to install CA on replica server.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install IPA server

[root@ipamaster1 ca1]# ipa-server-install --ip-address $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r testrelm.test -p 'Secret123' -a 'Secret123' --setup-dns --forwarder 10.65.201.89 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin Secret123 --http-pin Secret123

2. Install CA-less replica

[root@ipareplica1 ca1]# ipa-replica-install -U --dirsrv-cert-file=./replica.p12 --http-cert-file=./replica.p12 --dirsrv-pin Secret123 --http-pin Secret123 -P admin -w Secret123

3. Promote IPA server from CA-less to CA-full

[root@ipamaster1 ca1]# ipa-ca-install

4. Try to promote IPA replica from CA-less to CA-full

[root@ipareplica1 ca1]# ipa-ca-install
Directory Manager (existing master) password: 

Run connection check to master
Connection check OK
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: creating certificate server db
  [3/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [4/25]: creating installation admin user
  [5/25]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpzHP3HH' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

Actual results:
IPA replica promotion from CA-less to CA-full fails with stack trace

Expected results:
IPA replica should be converted from CA-less to CA-full.

Additional info:

Excerpt from /var/log/pki/pki-tomcat/ca/debug on replica:
[21/Jul/2016:07:36:45][http-bio-8443-exec-3]: Getting install token
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: Getting domain XML
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipamaster1.testrelm.test:443/ca/admin/ca/getDomainXML
javax.ws.rs.ProcessingException: Unable to invoke request
<snip>
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
        ... 73 more
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: Failed to obtain security domain decriptor from security domain master: javax.ws.rs.ProcessingException: Unable to invoke request

Fixed in master:

  • f726f9a668b523c4e5a9438d8ea301f4b556efd4
  • da66600e8ae07fa4169d24909c7d04ed69d2906c
  • b7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56

PKI has been fixed to import the PKCS #12 generated by Custodia properly. However, to fix IPA cloning properly it looks like Custodia needs to include the 3rd-party DS/HTTP certificates into the PKCS #12 file.
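The ticket traces the clone failure to the replica not having the third-party DS/HTTP certificates that should travel inside the Custodia-generated PKCS #12 bundle. The script below is an added example, not code from Dogtag PKI, FreeIPA or Custodia: it inventories the certificates in a PKCS #12 file by subject CN and reports which expected certificates are missing, which is the check a practitioner would run against the bundle before retrying ipa-ca-install on the replica. It assumes the third-party `cryptography` package; the bundle, the password and the CNs "Certificate Authority" and "Example External CA" are constructed here for the demonstration and are not values from the ticket.

```python
"""Inventory the certificates in a PKCS #12 bundle and report missing ones.

Added example (not Dogtag/IPA/Custodia code). Requires the `cryptography`
package. The sample bundle, password and certificate names are constructed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"Secret123"  # constructed; mirrors the pin used in the ticket's commands
# Constructed expectation: the instance's own CA certificate plus the
# third-party CA that issued the DS/HTTP certificates in a CA-less install.
EXPECTED_CNS = ["Certificate Authority", "Example External CA"]


def list_subject_cns(p12_bytes, password):
    """Return the subject CN of every certificate in the bundle, sorted.

    PKCS #12 carries one certificate paired with the private key plus any
    number of additional certificates; both groups are inspected.
    """
    _key, cert, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    certs = ([cert] if cert is not None else []) + list(extra or [])
    cns = []
    for c in certs:
        attrs = c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        # Fall back to the full DN if a certificate has no CN attribute.
        cns.append(attrs[0].value if attrs else c.subject.rfc4514_string())
    return sorted(cns)


def missing_certs(p12_bytes, password, expected_cns):
    """Return the expected CNs that are absent from the bundle, sorted."""
    present = set(list_subject_cns(p12_bytes, password))
    return sorted(set(expected_cns) - present)


def _self_signed(cn, key):
    """Build a self-signed certificate for the constructed sample bundle."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2016, 7, 21)  # fixed so the sample is deterministic
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )


def make_sample_bundle(include_external_ca):
    """Constructed sample bundle: the CA cert with its key, optionally
    accompanied by the third-party CA cert as an additional certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _self_signed("Certificate Authority", ca_key)
    extra = None
    if include_external_ca:
        ext_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        extra = [_self_signed("Example External CA", ext_key)]
    return pkcs12.serialize_key_and_certificates(
        b"sample", ca_key, ca_cert, extra,
        serialization.BestAvailableEncryption(PASSWORD),
    )


if __name__ == "__main__":
    for complete in (False, True):
        bundle = make_sample_bundle(complete)
        print("bundle contains:", list_subject_cns(bundle, PASSWORD))
        print("missing:", missing_certs(bundle, PASSWORD, EXPECTED_CNS))
```

On a real system, read the bundle from disk and pass the real pin instead of calling make_sample_bundle; an empty "missing" list means the bundle at least carries the certificates the replica needs before it tries to reach the master over HTTPS.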

Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.5

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2544

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
