Since taking over our FreeIPA environment I've been unable to create a new CA replica.
A bunch of failed attempts and upgrades over the last year and I keep running into
issues. After my latest attempt I noticed something that I had not seen before (likely a
result of a recent upgrade) and I was wondering if this would cause a CA install to
fail.
Our env:
3 x ipa-server-3.0.0-51.el6.x86_64
3 x ipa-server-4.4.0-14.el7_3.7.x86_64
2 of the 3.x IPA servers are currently acting as CAs and I've been trying to create a
new 4.x CA replica in order to start removing the 3.x IPA servers. I've been able to
do a simple test with vanilla CentOS 6.9 and 7.3 and it seems to work fine as far as I can
tell but when I try it in our environment it fails. I noticed this error in one of the
logs and something jumped out at me that I had never seen before:
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: === Finalization ===
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Updating existing security domain
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipa-master.domain.tld:443/ca/admin/ca/getDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: domain info:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DomainInfo>
  <Name>IPA</Name>
  <CAList>
    <CA>
      <Host>ipa-master.domain.tld</Host>
      <SecurePort>443</SecurePort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureAdminPort>443</SecureAdminPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <DomainManager>TRUE</DomainManager>
      <Clone>TRUE</Clone>
      <SubsystemName>pki-cad</SubsystemName>
    </CA>
    <CA>
      <Host>ipa-replica1.domain.tld</Host>
      <SecurePort>443</SecurePort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureAdminPort>443</SecureAdminPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <DomainManager>TRUE</DomainManager>
      <Clone>TRUE</Clone>
      <SubsystemName>pki-cad</SubsystemName>
    </CA>
    <CA>
      <Host>ipa-replica2.domain.tld</Host>
      <SecurePort>443</SecurePort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureAdminPort>443</SecureAdminPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <DomainManager>TRUE</DomainManager>
      <Clone>TRUE</Clone>
      <SubsystemName>pki-cad</SubsystemName>
    </CA>
    <SubsystemCount>3</SubsystemCount>
  </CAList>
  <OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>
  <KRAList><SubsystemCount>0</SubsystemCount></KRAList>
  <RAList><SubsystemCount>0</SubsystemCount></RAList>
  <TKSList><SubsystemCount>0</SubsystemCount></TKSList>
  <TPSList><SubsystemCount>0</SubsystemCount></TPSList>
</DomainInfo>
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Cloning a domain master
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using admin interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/admin/ca/updateDomainXML
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Unable to access admin interface: javax.ws.rs.NotFoundException: HTTP 404 Not Found
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: Update security domain using agent interface
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=ipa-master.domain.tld port=443
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[14/Jun/2017:06:49:44][http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master.domain.tld:443/ca/agent/ca/updateDomainXML
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Server certificate:
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: - subject: CN=ipa-master.domain.tld,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: - issuer: CN=Certificate Authority,O=DOMAIN.US
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML: status=1
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security domain: 2
java.io.IOException: Unable to update security domain: 2
The ipa-master.domain.tld is one of the current RHEL 6.9 FreeIPA 3.x servers, but of the other
two listed in that domain.xml file, one does not exist (it may at some point have been
renamed) and the other server is not a CA replica, though it is a replica.
Is it possible this bad info would cause a failure when trying to create a new CA replica?
If so is it something I can try cleaning up?
Any info would be appreciated. Thanks!
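An added example, not part of the original post and not code from the FreeIPA or Dogtag projects: a Python script that parses the DomainInfo document the CA clone setup fetches from /ca/admin/ca/getDomainXML (the same document quoted above, embedded here as sample input) and flags CA entries whose host no longer resolves or whose host is not in the operator-supplied set of servers actually running a CA. The cafile default (/etc/ipa/ca.crt) and the assumption that the operator knows which hosts really serve a CA are mine; the resolver is injectable so the audit can run offline.

```python
"""Audit the Dogtag security-domain CA list that FreeIPA's CA clone setup reads.

Added example (not from the post or the FreeIPA/Dogtag projects). It parses the
DomainInfo XML served at https://<ca-host>:<port>/ca/admin/ca/getDomainXML and
reports CA entries that look stale: a Host that does not resolve, or a Host that
is not in the set of servers the operator knows to run a CA.
"""
import socket
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Sample input constructed from the DomainInfo document quoted in the post.
CA_ENTRY = (
    "<CA><Host>{host}</Host><SecurePort>443</SecurePort>"
    "<SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort>"
    "<UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort>"
    "<DomainManager>TRUE</DomainManager><Clone>TRUE</Clone>"
    "<SubsystemName>pki-cad</SubsystemName></CA>"
)
DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<DomainInfo><Name>IPA</Name><CAList>"
    + CA_ENTRY.format(host="ipa-master.domain.tld")
    + CA_ENTRY.format(host="ipa-replica1.domain.tld")
    + CA_ENTRY.format(host="ipa-replica2.domain.tld")
    + "<SubsystemCount>3</SubsystemCount></CAList>"
    "<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>"
    "<KRAList><SubsystemCount>0</SubsystemCount></KRAList>"
    "<RAList><SubsystemCount>0</SubsystemCount></RAList>"
    "<TKSList><SubsystemCount>0</SubsystemCount></TKSList>"
    "<TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>"
)


def fetch_domain_xml(host, port=443, cafile="/etc/ipa/ca.crt", timeout=10):
    """GET the security domain document over TLS, the way the clone setup does.

    Assumption: the IPA CA chain lives in cafile. The server certificate in the
    post is issued by the IPA CA, so the system trust bundle would not validate it.
    """
    url = "https://%s:%d/ca/admin/ca/getDomainXML" % (host, port)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def parse_ca_list(xml_doc):
    """Return ([ca entry dicts], declared SubsystemCount) from a DomainInfo document."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    root = ET.fromstring(xml_doc)
    if root.tag != "DomainInfo":
        raise ValueError("not a DomainInfo document: <%s>" % root.tag)
    entries = []
    for ca in root.findall("./CAList/CA"):
        entries.append({
            "host": ca.findtext("Host"),
            "secure_port": int(ca.findtext("SecurePort", "0")),
            "domain_manager": ca.findtext("DomainManager") == "TRUE",
            "clone": ca.findtext("Clone") == "TRUE",
            "subsystem": ca.findtext("SubsystemName"),
        })
    declared = int(root.findtext("./CAList/SubsystemCount", "0"))
    return entries, declared


def host_resolves(host):
    """True if the host has any DNS record; the clone will have to reach it."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_ca_list(xml_doc, actual_cas, resolver=host_resolves):
    """Return [(subject, problem)] for entries that do not match reality.

    actual_cas: set of hostnames the operator knows to run a CA (assumption:
    this list is maintained by hand, e.g. from ipa-csreplica-manage output).
    """
    entries, declared = parse_ca_list(xml_doc)
    findings = []
    if declared != len(entries):
        findings.append(("CAList", "SubsystemCount %d but %d CA entries"
                         % (declared, len(entries))))
    for entry in entries:
        host = entry["host"]
        if not host:
            findings.append(("CAList", "CA entry without a Host"))
        elif not resolver(host):
            findings.append((host, "does not resolve in DNS"))
        elif host not in actual_cas:
            findings.append((host, "is not a CA replica"))
    return findings


if __name__ == "__main__":
    # Offline run against the sample document; only ipa-master is a real CA here.
    for subject, problem in audit_ca_list(DOMAIN_XML, {"ipa-master.domain.tld"}):
        print("%s: %s" % (subject, problem))
```

For a live check, replace DOMAIN_XML with fetch_domain_xml("ipa-master.domain.tld") and pass the set of hosts you know to be CA replicas; any entry reported here is one the clone's updateDomainXML step will try to reconcile against a host that is either gone or never served a CA.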