Dear Rob,
> Well, all IPA masters are equals more or less. It would be sort of a
> stigma to mark one as a replica forever, for the only reason that it
> wasn't installed first. This would be particularly confusing if the
> first master was removed.
A good point, thanks. In which case, may I suggest for clarity simply
revising my suggested name from
ipa-ca-install-replica
to
ipa-ca-install-additional-master
to help indicate exactly what this will do, i.e. any other CA servers
will be safe and not at risk from this.
> It looks for the existence of /etc/pki/pki-tomcat/ca/CS.cfg.
Which is indeed present on our second server.
> My guess is someone tried to install a CA at some point in the past and
> it failed and they just left it. The installer is not idempotent and
> there is no CA-specific uninstall so the only way around it is to fully
> uninstall the master and try again.
Having had a look around, I found the initial install from Sep 2016
(probably the F24 release, as I have the upgrade to F26 in there), and indeed I
did miss out the --setup-ca option at the very start.
Meanwhile, returning to the CA on this, our second server, it does indeed appear
to be partially installed; the URL server:8080/ca/admin/ca/getStatus
reports
This XML file does not appear to have any style information
associated with it. The document tree is shown below.
<XMLResponse>
<State>1</State>
<Type>CA</Type>
<Status>running</Status>
<Version>10.3.5-12.fc26</Version>
</XMLResponse>
The install log file is also there, starting with:
2018-09-28T06:40:20Z DEBUG /usr/sbin/ipa-ca-install was invoked with
options: {'external_cert_files': None, 'skip_schema_check': False,
'external_ca_type': None, 'unattended': False, 'no_host_dns': False,
'ca_signing_algorithm': None, 'debug': False, 'external_ca': False,
'skip_conncheck': False},None
With highlights including
Connection from master to replica is OK.
Still goes well
Loading deployment configuration from /tmp/tmpIR6kRz.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
2018-09-28T06:42:47Z DEBUG stderr=
2018-09-28T06:42:47Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2018-09-28T06:42:49Z DEBUG Waiting until the CA is running
which seems to be the problem:
2018-09-28T06:42:54Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2018-09-28T06:42:54Z DEBUG Waiting for CA to start...
2018-09-28T06:42:55Z DEBUG request POST URL left out
2018-09-28T06:42:55Z DEBUG request body ''
2018-09-28T06:42:55Z DEBUG response status 500
and ending after five minutes of trying this with:
2018-09-28T06:47:48Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2018-09-28T06:47:48Z DEBUG Waiting for CA to start...
2018-09-28T06:47:49Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 194, in start_instance
self.start('pki-tomcat')
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 346, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 218, in start
self.wait_until_running()
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 212, in wait_until_running
raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s
2018-09-28T06:47:49Z CRITICAL Failed to restart the Dogtag instance.See the installation log for details.
2018-09-28T06:47:49Z DEBUG duration: 302 seconds
2018-09-28T06:47:49Z DEBUG [16/26]: importing CA chain to RA certificate database
2018-09-28T06:47:49Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-09-28T06:47:49Z DEBUG Starting external process
2018-09-28T06:47:49Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L
2018-09-28T06:47:49Z DEBUG Process finished, return code=0
2018-09-28T06:47:49Z DEBUG stdout=
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
.................. IPA CA CT,C,C
ipaCert u,u,u
Server-Cert u,u,u
2018-09-28T06:47:49Z DEBUG stderr=
2018-09-28T06:47:49Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 836, in __import_ca_chain
chain = self.__get_ca_chain()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 829, in __get_ca_chain
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
2018-09-28T06:47:49Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
2018-09-28T06:47:49Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 808, in run_script
return_value = main_function()
File "/usr/sbin/ipa-ca-install", line 300, in main
promote(safe_options, options, filename)
File "/usr/sbin/ipa-ca-install", line 272, in promote
install_replica(safe_options, options, filename)
File "/usr/sbin/ipa-ca-install", line 197, in install_replica
ca_cert_bundle=ca_data)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1393, in configure_replica
self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 836, in __import_ca_chain
chain = self.__get_ca_chain()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 829, in __get_ca_chain
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
2018-09-28T06:47:49Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
A couple of questions:
+ Is there any way now to recover from this setback on our second server
without risking the single CA server and get it fully operational?
+ The third server, also F26, does not appear to have ever had a CA
installed:
ls -la /etc/pki/pki-tomcat/
ls: cannot access '/etc/pki/pki-tomcat/': No such file or directory
But as the second server failed to install, would it be safe to try here
on the third, again without risking the single CA server?
+ Or is there a better way forward to getting more CA servers operational
before going on to attempt an upgrade, say to F28 then to F30 across all
the servers?
Thanks
Best wishes
Stuart
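An added example, not part of this thread or of FreeIPA's own code: a small Python pre-flight script that checks the two facts discussed above before attempting ipa-ca-install on another server, namely whether the /etc/pki/pki-tomcat/ca/CS.cfg the installer tests for is already present, and what the existing CA's getStatus endpoint reports. The hostname in STATUS_URL is a placeholder, and the embedded XML is the response quoted in the message.

```python
"""Pre-flight checks before retrying ipa-ca-install (added example)."""
import os
import xml.etree.ElementTree as ET
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# File the installer tests for (from Rob's reply); hostname is a placeholder.
CS_CFG = "/etc/pki/pki-tomcat/ca/CS.cfg"
STATUS_URL = "http://server.example.test:8080/ca/admin/ca/getStatus"

# The getStatus document quoted in the message, embedded as sample input.
SAMPLE_STATUS_XML = """<XMLResponse>
<State>1</State>
<Type>CA</Type>
<Status>running</Status>
<Version>10.3.5-12.fc26</Version>
</XMLResponse>"""


def leftover_ca_config(path=CS_CFG):
    """True when an earlier, possibly failed, CA install left CS.cfg behind;
    that is the condition that makes ipa-ca-install refuse to run again."""
    return os.path.exists(path)


def parse_ca_status(xml_text):
    """Turn Dogtag's <XMLResponse> into {tag: text}; reject other documents."""
    root = ET.fromstring(xml_text)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def ca_is_healthy(status):
    """A configured, started CA reports State 1 and Status 'running'."""
    return status.get("State") == "1" and status.get("Status") == "running"


def fetch_ca_status(url=STATUS_URL, timeout=10):
    """Return (http_code, parsed dict or None).  An HTTP 500 here is what
    the installer's wait_until_running loop kept seeing for 300 s."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, parse_ca_status(resp.read())
    except HTTPError as e:
        return e.code, None
    except URLError:
        return None, None


if __name__ == "__main__":
    print("leftover CS.cfg:", leftover_ca_config(), "status:", fetch_ca_status())
```

Run it on the server you intend to add a CA to: a present CS.cfg means the installer will find a previous attempt, and anything other than State 1 / Status running (or an HTTP 500) from the existing CA is worth resolving before touching it.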