Hi Ross,
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica?
Thanks, Fraser
On Thu, Apr 26, 2018 at 05:33:32PM +0000, Ross Infinger via FreeIPA-users wrote:
I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
Version of both CA master and replica is 4.5.0, API version 2.228; domain level is 1.
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks, Ross
2018-04-26T17:04:39Z DEBUG /usr/sbin/ipa-ca-install was invoked with options: {'external_cert_files': None, 'subject_base': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_subject': None, 'ca_signing_algorithm': None, 'debug': True, 'external_ca': False, 'skip_conncheck': False},None
2018-04-26T17:04:39Z DEBUG IPA version 4.5.0-22.el7.centos
2018-04-26T17:04:39Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:04:40Z DEBUG Created connection context.ldap2_75479632
2018-04-26T17:04:40Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x65e1518>
2018-04-26T17:04:40Z DEBUG Initializing principal host/ipa-nyc-pci01.pci.xxxxxx.com@PCI.XXXXXX.COM using keytab /etc/krb5.keytab
2018-04-26T17:04:40Z DEBUG using ccache /tmp/krbccsV9vse/ccache
2018-04-26T17:04:40Z DEBUG Attempt 1/1: success
2018-04-26T17:05:01Z DEBUG Starting external process
2018-04-26T17:05:01Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master pci-mgmt-ipa01.pci.xxxxxx.com --auto-master-check --realm PCI.XXXXXX.COM --hostname ipa-nyc-pci01.pci.xxxxxx.com --ca-cert-file /etc/ipa/ca.crt
2018-04-26T17:05:16Z DEBUG Process finished, return code=0
2018-04-26T17:05:16Z DEBUG stdout=
2018-04-26T17:05:16Z DEBUG stderr=Check connection from replica to remote master 'pci-mgmt-ipa01.pci.xxxxxx.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocoland would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/json'
trying https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/session/json
[try 1]: Forwarding 'ping/1' to json server 'https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/session/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/session/json'
Check connection from master to remote replica 'ipa-nyc-pci01.pci.xxxxxx.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
Failed to connect to port 88 udp on 192.168.100.154
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
Failed to connect to port 464 udp on 192.168.100.154
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
2018-04-26T17:05:16Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:16Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:16Z INFO Waiting up to 300 seconds to see our keys appear on host: pci-mgmt-ipa01.pci.xxxxxx.com
2018-04-26T17:05:17Z DEBUG Starting external process
2018-04-26T17:05:17Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -N -f /tmp/tmpuXiBUA/pwdfile.txt -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:17Z DEBUG Process finished, return code=0
2018-04-26T17:05:17Z DEBUG stdout=
2018-04-26T17:05:17Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:18Z DEBUG Process finished, return code=0
2018-04-26T17:05:18Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:18Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n ocspSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:19Z DEBUG Starting external process
2018-04-26T17:05:19Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n auditSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n subsystemCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -A -n PCI.XXXXXX.COM IPA CA -t CT,C,C -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpuXiBUA -p /tmp/tmpuXiBUA/pwdfile.txt -w /tmp/tmpuXiBUA/crtpwfile -o /tmp/tmpp2RSQHipa/cacert.p12
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=Export complete.
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:20Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:20Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
2018-04-26T17:05:20Z DEBUG [1/25]: creating certificate server db
2018-04-26T17:05:20Z DEBUG duration: 0 seconds
2018-04-26T17:05:20Z DEBUG [2/25]: setting up initial replication
2018-04-26T17:05:20Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-04-26T17:05:20Z DEBUG retrieving schema for SchemaCache url=ldap://pci-mgmt-ipa01.pci.xxxxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a91290>
2018-04-26T17:05:21Z DEBUG Successfully updated nsDS5ReplicaId.
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif'
2018-04-26T17:05:31Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket from SchemaCache
2018-04-26T17:05:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a93128>
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG [(0, u'ipaReplTopoManagedSuffix', [u'o=ipaca'])]
2018-04-26T17:05:31Z DEBUG Updated 1
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG duration: 11 seconds
2018-04-26T17:05:31Z DEBUG [3/25]: creating installation admin user
2018-04-26T17:05:32Z DEBUG duration:
0 seconds
2018-04-26T17:05:32Z DEBUG [4/25]: configuring certificate server instance
2018-04-26T17:05:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Contents of pkispawn configuration file (/tmp/tmp4j_eo0):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.pci.xxxxxx.com/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-6WUlS2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_uid = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=PCI.XXXXXX.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_ds_ldaps_port = 636
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_subsystem_subject_dn = cn=CA Subsystem,O=PCI.XXXXXX.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=PCI.XXXXXX.COM
pki_ssl_server_subject_dn = cn=ipa-nyc-pci01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=PCI.XXXXXX.COM
pki_ca_signing_subject_dn = CN=Certificate Authority,O=PCI.XXXXXX.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_pin = XXXXXXXX
pki_ds_create_new_db = False
pki_clone_setup_replication = False
pki_clone_reindex_data = True
pki_security_domain_hostname = pci-mgmt-ipa01.pci.xxxxxx.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://pci-mgmt-ipa01.pci.xxxxxx.com:443
2018-04-26T17:05:32Z DEBUG Starting external process
2018-04-26T17:05:32Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0
2018-04-26T17:05:51Z DEBUG Process finished, return code=1
2018-04-26T17:05:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180426170532.log
Loading deployment configuration from /tmp/tmp4j_eo0.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
4 entries found
Certificate ID: d0117023b7661532960024635e00e4c2b3a0825d
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-pki-ca
  Subject DN: CN=OCSP Subsystem,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: u,u,u
  Has Key: true

Certificate ID: d58a46d01e65d178def787ec3cea985bed61e21d
  Serial Number: 0x1
  Nickname: caSigningCert cert-pki-ca
  Subject DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: CTu,Cu,Cu
  Has Key: true

Certificate ID: f9a212fc6707e63a027126aa1bfa43cae3d4c705
  Serial Number: 0x4
  Nickname: subsystemCert cert-pki-ca
  Subject DN: CN=CA Subsystem,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: u,u,u
  Has Key: true

Certificate ID: ca121feb0cbf83c7c18b34e4d7e127157e64580b
  Serial Number: 0x5
  Nickname: auditSigningCert cert-pki-ca
  Subject DN: CN=CA Audit,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: u,u,u
  Has Key: true
Import complete
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
caSigningCert cert-pki-ca            CTu,Cu,Cu
auditSigningCert cert-pki-ca         u,u,Pu
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-04-26T17:05:51Z DEBUG stderr=
2018-04-26T17:05:51Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0' returned non-zero exit status 1
2018-04-26T17:05:51Z CRITICAL See the installation logs and the following files/directories for more information:
2018-04-26T17:05:51Z CRITICAL /var/log/pki/pki-tomcat
2018-04-26T17:05:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG [error] RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 907, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 300, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 268, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 202, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2018-04-26T17:05:51Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.