Reinstall IPA replica - INFO: Joining existing domain; ERROR: KeyError: 'CA'
Environment
- Red Hat Enterprise Linux 7, 8, and 9
- IPA server
Issue
When attempting to reinstall an IPA replica, the following error message keeps appearing:
2024-02-01 14:59:23 INFO: Storing subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg
2024-02-01 14:59:23 INFO: Storing registry config: /etc/pki/pki-tomcat/ca/registry.cfg
2024-02-01 14:59:23 INFO: Joining existing domain
...output omitted...
INFO: Joining existing domain
ERROR: KeyError: 'CA'
File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 588, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 125, in spawn
deployer.setup_security_domain(instance, subsystem)
File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1474, in setup_security_domain
self.join_security_domain()
File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1420, in join_security_domain
sd_subsystem = self.domain_info.subsystems['CA']
Resolution
1. Add the CA subsystem entry back to the security domain.
NOTE: These steps should be run on a working system (the master whose CA entry is missing), and the hostname in the LDIF must be that master's FQDN. The dn, cn and host values all refer to the same master:
# cat <<EOF > /tmp/securitydomain_rebuild.ldif
# Replace ipamaster.idm.com with the FQDN of the IPA master CA throughout
dn: cn=ipamaster.idm.com:443,cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
host: ipamaster.idm.com
SecurePort: 443
SecureAgentPort: 443
SecureAdminPort: 443
SecureEEClientAuthPort: 443
UnSecurePort: 80
Clone: FALSE
SubsystemName: CA ipamaster.idm.com 8443
cn: ipamaster.idm.com:443
DomainManager: TRUE
EOF
2. Then load the entry (-a puts ldapmodify in add mode; -W prompts for the Directory Manager password):
# ldapmodify -D "cn=directory manager" -W -a -f /tmp/securitydomain_rebuild.ldif
3. Double-check it:
# pki securitydomain-show
4. If step 3 now lists the CA subsystem for the master, try to reinstall the replica.
Root Cause
When configuring a PKI clone, the replica installer must obtain the security domain data from the master, but the CA subsystem entry is missing from the master's security domain (the CAList under o=ipaca), so the lookup of the 'CA' key fails.
Diagnostic Steps
- Check IPA replica install logs:
# less /var/log/ipareplica-install.log
INFO: Joining existing domain
ERROR: KeyError: 'CA'
File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 588, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 125, in spawn
deployer.setup_security_domain(instance, subsystem)
File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1474, in setup_security_domain
self.join_security_domain()
File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1420, in join_security_domain
sd_subsystem = self.domain_info.subsystems['CA']
2024-02-01T12:54:29Z CRITICAL Failed to configure CA instance
2024-02-01T12:54:29Z CRITICAL See the installation logs and the following files/directories for more information:
2024-02-01T12:54:29Z CRITICAL /var/log/pki/pki-tomcat
2024-02-01T12:54:29Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
- Check the securitydomain and CA subsystem.
a) Unexpected output, meaning the CA subsystem entry is absent:
[root@ipamaster ~]# pki securitydomain-show
Domain: IPA
b) Expected output:
[root@ipamaster ~]# pki securitydomain-show
Domain: IPA
CA Subsystem:
Host ID: CA ipamaster.idm.com 443
Hostname: rhel79.idm.dnsintegration.local
Port: 80
Secure Port: 443
Domain Manager: TRUE
Host ID: CA ipamaster.idm.com 443
Hostname: ipareplica3.idm.com
Port: 80
Secure Port: 443
Domain Manager: TRUE
[root@ipamaster ~]# pki-server subsystem-find
-----------------
1 entries matched
-----------------
Subsystem ID: ca
Instance ID: pki-tomcat
Enabled: True
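As an added example (not part of the Red Hat solution), a small Python helper that parses `pki securitydomain-show` output to detect the missing CA entry from the diagnostic step and generates the CAList LDIF from the master's FQDN instead of hand-editing hostnames; the function names and the sample CLI output are assumptions constructed for this example.

```python
import re

# Constructed sample `pki securitydomain-show` output (not captured from a real system).
SAMPLE_HEALTHY = """Domain: IPA
  CA Subsystem:
    Host ID: CA ipamaster.idm.com 443
    Hostname: ipamaster.idm.com
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE
"""
SAMPLE_BROKEN = "Domain: IPA\n"  # the state that produces KeyError: 'CA' on the replica

def parse_securitydomain_show(text: str) -> list[dict[str, str]]:
    """Return one dict per 'Host ID:' block, keyed by the labels the CLI prints."""
    hosts: list[dict[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Host ID":
            hosts.append({})
        if hosts and key in ("Host ID", "Hostname", "Port", "Secure Port", "Domain Manager"):
            hosts[-1][key] = value
    return hosts

def ca_host_missing(text: str, fqdn: str) -> bool:
    """True when the domain lists no CA entry for fqdn (what the replica installer trips over)."""
    return not any(h.get("Hostname") == fqdn and h.get("Host ID", "").startswith("CA ")
                   for h in parse_securitydomain_show(text))

def build_calist_ldif(fqdn: str, secure_port: int = 443, unsecure_port: int = 80,
                      subsystem_port: int = 8443, domain_manager: bool = True) -> str:
    """LDIF for the CAList entry with the same attributes as the Resolution above."""
    flag = "TRUE" if domain_manager else "FALSE"
    lines = [
        f"dn: cn={fqdn}:{secure_port},cn=CAList,ou=Security Domain,o=ipaca",
        "objectClass: top",
        "objectClass: pkiSubsystem",
        f"cn: {fqdn}:{secure_port}",  # RDN value must match the cn attribute
        f"host: {fqdn}",
        f"SecurePort: {secure_port}",
        f"SecureAgentPort: {secure_port}",
        f"SecureAdminPort: {secure_port}",
        f"SecureEEClientAuthPort: {secure_port}",
        f"UnSecurePort: {unsecure_port}",
        "Clone: FALSE",
        f"SubsystemName: CA {fqdn} {subsystem_port}",  # port as used in the solution's LDIF
        f"DomainManager: {flag}",  # only the master that manages the domain should carry TRUE
    ]
    return "\n".join(lines) + "\n"
```

Feed the real `pki securitydomain-show` output to `ca_host_missing()` with the master's FQDN before and after the ldapmodify step to confirm the entry is actually back.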
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.