Jack Eidsness
2017-05-09 20:45:06 UTC
I'm hoping to get a lead on this issue from a few months back - I work
with John. Maybe a more narrow question will get us somewhere. When
ipa-ca-install is comparing the URI in the .gpg file to the "available
subsystems", what does that mean? How do I know what the correct URLs for
my "available subsystems" actually are? I reviewed the logs, and the site &
port seem like they're probably right to me, unless they need a more
specific path or something. Maybe it could be having trouble
authenticating? I don't know why that would be.
Is it safe to decrypt the .gpg file, re-encrypt it, and try running it
again, if I knew what edits to make, to the URI?
-Jack Eidsness
------------------------------
- *From*: John Bowman <john bowman zayo com>
- *To*: freeipa-users redhat com
- *Subject*: [Freeipa-users] Clone URI does not match available
subsystems ?
- *Date*: Wed, 17 Aug 2016 10:41:38 -0500
------------------------------
Howdy!
Trying to figure out how to get past the error: Clone URI does not match
available subsystems when running ipa-ca-install on new ipa server.
A little background. We have 3 FreeIPA 3.0.0 servers running on RHEL
6.7. We just recently (within the last month) added a new FreeIPA 4.2
server replica running on RHEL 7.2 at a new location which will hopefully
be the start of replacing all the 3.0.0 instances.
Unfortunately during the 4.2 install the --setup-ca was failing so we
decided to install without it to make sure everything else worked. And it
did everything seems to be replicating properly and all is good.
Now its time to add the ca replication to the new server but its failing
with that error.
# ipa-ca-install --skip-conncheck /var/lib/ipa/replica-info-new-server.example.com.gpg
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
[1/22]: creating certificate server user
[2/22]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
2016-08-17T15:25:52Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160817092533.log
Loading deployment configuration from /tmp/tmp7cBK9P.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-08-17T15:25:52Z DEBUG stderr=/usr/lib/python2.7/site
Unverified HTTPS request is being made. Adding certificate verification is
strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain
user/password through REST interface. Interface not available
400 Client Error: Bad Request
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443 <https://master.idm.example.com/>"}
2016-08-17T15:25:52Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned non-zero exit status 1
2016-08-17T15:25:52Z CRITICAL See the installation logs and the following
2016-08-17T15:25:52Z CRITICAL /var/log/pki-ca-install.log
2016-08-17T15:25:52Z CRITICAL /var/log/pki/pki-tomcat
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 622, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-08-17T15:25:52Z DEBUG [error] RuntimeError: CA configuration failed.
2016-08-17T15:25:52Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
return_value = main_function()
File "/sbin/ipa-ca-install", line 202, in main
install_replica(safe_options, options, filename)
File "/sbin/ipa-ca-install", line 150, in install_replica
ca.install(True, config, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
114, in install
install_step_0(standalone, replica_config, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
138, in install_step_0
ra_p12=getattr(options, 'ra_p12', None))
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1545, in install_replica_ca
subject_base=config.subject_base)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 488, in configure_instance
self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 622, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
****
I've tried running the pkispawn command manually by using the
# pkidestroy -s CA -i pki-tomcat
Log file: /var/log/pki/pki-ca-destroy.20160817093402.log
Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ....... this 'CA' entry will NOT be deleted from
security domain 'unknown'!
pkidestroy : ERROR ....... No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.
Uninstallation complete.
# /usr/sbin/pkispawn -s CA -f /tmp/replica_file
Log file: /var/log/pki/pki-ca-spawn.20160817093444.log
Loading deployment configuration from /tmp/replica_file.
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain
user/password through REST interface. Interface not available
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
400 Client Error: Bad Request
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443 <https://master.idm.example.com/>"}
Installation failed.
Any ideas on how to proceed would be much appreciated!
Thanks!
-John
--
*Jack Eidsness*
*Developer, NOPSS | Zayo Group*
13861 Sunrise Valley Dr, Herndon, VA 20171
Cell: 301.706.3912 | ***@zayo.com