Bug 1403943

Summary: Replica install fails with failed to configure ca on "White spaces are required between publicId and systemId"
Product: Red Hat Enterprise Linux 6
Component: pki-core
Version: 6.9
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Keywords: Regression, TestBlocker
Whiteboard:
Fixed In Version: pki-core-9.0.3-53.el6

Reporter: Xiyang Dong <xdong>
Assignee: RHCS Maintainers <rhcs-maint>
QA Contact: Asha Akkiangady <aakkiang>
Docs Contact: Petr Bokoc <pbokoc>
CC: alee, edewata, jcholast, ksiddiqu, mharmsen, mkosek, nsoman, pbokoc, pvoborni, sumenon, tlavigne, xdong

Doc Type: Bug Fix
Doc Text:
IPA replica installation no longer fails due to malformed HTTP requests

A bug in _pki-core_ previously caused PKI to generate HTTP requests missing a *Host* header and using incorrect line delimiters during IPA replica installation. At the same time, an update to *httpd* caused these malformed requests to be rejected, even though they were accepted in previous versions, and as a result, IPA replica installations failed. This update to _pki-core_ fixes the problem in HTTP request generation, and replica installations now work as expected.

Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-21 11:59:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (description, flags):
  pki_ca_debug.log                      none
  pki-core-9.0.3-bz1403943.patch        none
  pki_ca_debug_master                   none
  http_access_log                       none
  http_error_log                        none
  pki_ca_debug_replica_patched          none
  master_logs                           none
  replica_logs                          none
  pki-core-9.0.3-bz1403943.patch        mharmsen: review+
  Replica-Install Console Output        none
  Replica install log                   none
  httpd access log                      none
  httpd error log                       none
  pki master log                        none
  pki replica log                       none
  Replica catalina.out                  none
  Master catalina.out                   none
  pki_ca_debug.log                      none
  http_access_log                       none
  http_error_log                        none
  catalina.out                          none
  pki_ca_debug.log_replica              none
  catalina.out_replica                  none
  replica-install.log                   none
  pki-core-9.0.3-bz1403943-2.patch      none

Description Xiyang Dong 2016-12-12 16:49:21 UTC
Created attachment 1230853 [details]
pki_ca_debug.log

Description of problem:
When trying replica install on rhel6.9 , I see the below error:
.
.
.
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname qe-blade-05.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-9tBIwD -client_certdb_pwd XXXXXXXX -preop_pin 5hB67ebteWoKCrn9T5iH -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host qe-blade-05.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=qe-blade-05.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname cloud-qe-17.testrelm.test -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://cloud-qe-17.testrelm.test:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

In pki-ca debug log I see something like :
 
java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.

Version-Release number of selected component (if applicable):
pki-ca-9.0.3-51.el6.noarch
ipa-server-3.0.0-51.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1.Install rhel6.9 master
2.Install rhel6.9 replica

Actual results:
Replica install failed


Expected results:
Install succeeds

Additional info:

Comment 4 Endi Sukma Dewata 2016-12-13 23:23:56 UTC
The SAXParseException indicates that the replica cannot parse master's response, possibly due to another error on the master, but it doesn't show the actual response (which would have helped troubleshooting). Could you attach the following files from the master?
* /var/log/pki-ca/debug
* /var/log/httpd/access_log-<YYYYMMDD>
* /var/log/httpd/error_log-<YYYYMMDD>

There's a possibility it's related to this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1400421

I suppose this scenario has been well tested in RHEL 6.8. Is it possible to retest this scenario using PKI packages from RHEL 6.8 but everything else from RHEL 6.9? Thanks.

Comment 5 Endi Sukma Dewata 2016-12-14 10:36:55 UTC
Created attachment 1231593 [details]
pki-core-9.0.3-bz1403943.patch

Assuming the problem is the same as in bug #1400421, I created a patch to add the missing server hostname in the HTTP request header.

A test build is available here:
https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/6652/

Please retest with this build on RHEL 6.9. Thanks!

Comment 6 Kaleem 2016-12-14 11:35:44 UTC
(In reply to Endi Sukma Dewata from comment #5)
> Created attachment 1231593 [details]
> pki-core-9.0.3-bz1403943.patch
> 
> Assuming the problem is the same as in bug #1400421, I created a patch to
> add the missing server hostname in the HTTP request header.
> 
> A test build is available here:
> https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/6652/
> 
> Please retest with this build on RHEL 6.9. Thanks!

Retested and i still see the same failure.

Comment 7 Endi Sukma Dewata 2016-12-14 11:53:43 UTC
Thanks Kaleem.

Did you install the test build on both master and replica? Could you post the master's and replica's debug logs? You might need to set debug.level=0 in the CS.cfg as well. Thanks.

Comment 8 Xiyang Dong 2016-12-14 13:39:01 UTC
(In reply to Endi Sukma Dewata from comment #4)
> The SAXParseException indicates that the replica cannot parse master's
> response, possibly due to another error on the master, but it doesn't show
> the actual response (which would have helped troubleshooting). Could you
> attach the following files from the master?
> * /var/log/pki-ca/debug
> * /var/log/httpd/access_log-<YYYYMMDD>
> * /var/log/httpd/error_log-<YYYYMMDD>
> 
> There's a possibility it's related to this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1400421
> 
> I suppose this scenario has been well tested in RHEL 6.8. Is it possible to
> retest this scenario using PKI packages from RHEL 6.8 but everything else
> from RHEL 6.9? Thanks.

Attached logs from master

Comment 9 Xiyang Dong 2016-12-14 13:43:01 UTC
Created attachment 1231726 [details]
pki_ca_debug_master

Comment 10 Xiyang Dong 2016-12-14 13:44:04 UTC
Created attachment 1231734 [details]
http_access_log

Comment 11 Xiyang Dong 2016-12-14 13:45:12 UTC
Created attachment 1231742 [details]
http_error_log

Comment 12 Endi Sukma Dewata 2016-12-14 21:08:11 UTC
Thanks Xiyang.

According to the HTTP logs the following operations are rejected due to missing hostnames, just like in bug #1400421:

10.16.96.30 - - [13/Dec/2016:09:54:28 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 400 313
10.16.96.30 - - [13/Dec/2016:09:54:28 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 400 313

[Tue Dec 13 09:54:28 2016] [error] Hostname mgmt3.testrelm.test provided via SNI, but no hostname provided in HTTP request
[Tue Dec 13 09:54:28 2016] [error] Hostname mgmt3.testrelm.test provided via SNI, but no hostname provided in HTTP request

The test build in comment #5 was supposed to fix these issues already. Are you and Kaleem testing on the same machines? Could you confirm that the build is installed on the replica? If you're installing the replica again, please before that set debug.level=0 in /usr/share/pki/ca/conf/CS.cfg on the replica so we can get more debugging info. Thanks.
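A small triage script for the log pattern quoted in this comment, added here as an example and not part of pki-core, IPA or httpd: it pairs the 400 responses in httpd's access_log with the SNI/Host errors in error_log that land in the same second, which is how the two rejected PKI calls above show up on the master. The log text inside the script is constructed to match the format of the lines quoted in this comment (same client address, hostname and paths), plus one unrelated successful request; the function name `find_sni_rejections` is chosen here.

```python
"""Pair httpd access_log 400s with the SNI/Host error_log entries quoted in
this bug. Added example, not IPA or pki-core code. The log text below is
constructed to match the format of the lines quoted in comment 12 (same
client, hostname and paths), plus one unrelated successful request."""
import re
from collections import defaultdict
from datetime import datetime

ACCESS_LOG = """\
10.16.96.30 - - [13/Dec/2016:09:54:28 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 400 313
10.16.96.30 - - [13/Dec/2016:09:54:28 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 400 313
10.16.96.30 - - [13/Dec/2016:09:54:29 -0500] "GET /ipa/ui/ HTTP/1.1" 200 1534
"""
ERROR_LOG = """\
[Tue Dec 13 09:54:28 2016] [error] Hostname mgmt3.testrelm.test provided via SNI, but no hostname provided in HTTP request
[Tue Dec 13 09:54:28 2016] [error] Hostname mgmt3.testrelm.test provided via SNI, but no hostname provided in HTTP request
"""

# Common Log Format as written by httpd 2.2; the UTC offset after the
# timestamp is ignored because error_log carries none and both are local time.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) ')
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] Hostname (?P<sni>\S+) provided via SNI, '
    r'but no hostname provided in HTTP request$')

def _access_ts(s):   # "13/Dec/2016:09:54:28"
    return datetime.strptime(s, '%d/%b/%Y:%H:%M:%S')

def _error_ts(s):    # "Tue Dec 13 09:54:28 2016" (day may be space padded)
    return datetime.strptime(s, '%a %b %d %H:%M:%S %Y')

def find_sni_rejections(access_log, error_log):
    """Return (uri, proto, sni_name, client) for each 400 in access_log that
    falls in the same second as a not-yet-paired SNI/Host error in error_log.
    httpd 2.2 logs no request id, so same-second pairing is a heuristic; on a
    busy proxy narrow it further by client address or URI prefix."""
    pending = defaultdict(list)
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            pending[_error_ts(m['ts'])].append(m['sni'])
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m['status'] != '400':
            continue
        queue = pending.get(_access_ts(m['ts']))
        if queue:
            hits.append((m['uri'], m['proto'], queue.pop(0), m['client']))
    return hits

if __name__ == '__main__':
    for uri, proto, sni, client in find_sni_rejections(ACCESS_LOG, ERROR_LOG):
        print(f'{client} -> {uri} ({proto}): rejected, SNI={sni} but no Host header')
```

Run against real files with `find_sni_rejections(open(access).read(), open(error).read())`; any `/ca/admin/ca/...` hit with `HTTP/1.0` points at the PKI client on the replica rather than at the master's CA.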

Comment 13 Xiyang Dong 2016-12-15 15:10:11 UTC
Hi Endi, I applied the patch to both server and replica but I am still seeing the same failure, with a different pki-ca debug log on the replica, which I attached below.
And I changed debug.level=10.

Comment 14 Xiyang Dong 2016-12-15 15:11:00 UTC
Created attachment 1232212 [details]
pki_ca_debug_replica_patched

Comment 15 Endi Sukma Dewata 2016-12-15 16:48:21 UTC
Thanks. Before the patch the execution failed in SecurityDomainPanel. After the patch it went further and failed in RestoreKeyCertPanel. The patch should have added the missing hostname for this panel too, so I think we're looking at a different issue. 

The problem is we're still not seeing the debug logs needed to investigate the problem. The logs should have shown the HTTP response that causes the SAXParseException.

Could you make sure the debug.level=0 is set in /usr/share/pki/ca/conf/CS.cfg instead of /etc/pki-ca/CS.cfg on the replica? And that has to be done before running the replica installation because it will use whatever is defined in /usr/share/pki/ca/conf/CS.cfg for the whole installation. On the master it can be set in /etc/pki-ca/CS.cfg after the master installation is done (since we're not investigating master installation).

Please attach both master and replica logs. Thanks.

Comment 16 Xiyang Dong 2016-12-15 17:58:05 UTC
Thanks, I attached the logs below, please check.

Comment 17 Xiyang Dong 2016-12-15 17:58:47 UTC
Created attachment 1232292 [details]
master_logs

Comment 18 Xiyang Dong 2016-12-15 18:00:12 UTC
Created attachment 1232293 [details]
replica_logs

Comment 19 Endi Sukma Dewata 2016-12-16 15:44:23 UTC
Thanks for the logs. Apparently there are more locations with the same problem (missing hostname). I've created a new test build to fix that:
https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/6690/

Please retest as follows:
1. Install the test build on master and replica.
2. On the master please make sure the debug.level in /etc/pki-ca/CS.cfg (not /usr/share/pki/ca/conf/CS.cfg) is set to 0 and restart the server. The debug logs in comment #17 did not show much information.
3. On the replica there's no need to change the debug.level since I've changed the default to 0 in this test build.
4. Rerun the replica installation.

If it's still failing, please attach the new logs from master and replica. Thanks!

Comment 20 Xiyang Dong 2016-12-16 18:44:09 UTC
This patch fixes the issue:
[root@auto-hv-01-guest02 ~]# rpm -q pki-ca
pki-ca-9.0.3-51.2.el6_8.noarch

[root@auto-hv-01-guest02 ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=$DNSFORWARD -w $ADMINPW -p $ADMINPW /opt/rhqa_ipa/replica-info-auto-hv-01-guest02.testrelm.test.gpg
Run connection check to master
Check connection from replica to remote master 'mgmt3.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica 'auto-hv-01-guest02.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating RA agent certificate database
  [6/17]: importing CA chain to RA certificate database
  [7/17]: fixing RA database permissions
  [8/17]: setting up signing cert profile
  [9/17]: set up CRL publishing
  [10/17]: set certificate subject base
  [11/17]: enabling Subject Key Identifier
  [12/17]: setting audit signing renewal to 2 years
  [13/17]: configuring certificate server to start on boot
  [14/17]: configure certmonger for renewals
  [15/17]: configure clone certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Restarting the directory and certificate servers
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: disabling betxn plugins
  [10/31]: configuring uniqueness plugin
  [11/31]: configuring uuid plugin
  [12/31]: configuring modrdn plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation
  [29/31]: enabling compatibility plugin
  [30/31]: tuning directory server
  [31/31]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone 96.16.10.in-addr.arpa.
Configuring DNS (named)
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server

Comment 21 Endi Sukma Dewata 2016-12-16 23:18:35 UTC
Created attachment 1232783 [details]
pki-core-9.0.3-bz1403943.patch

Thanks Xiyang!

Here is the final patch (replacing the old one). Matt, could you please take a look? Thanks!

Comment 23 Xiyang Dong 2016-12-18 16:49:19 UTC
Verified on pki-ca-9.0.3-52.el6:

[root@auto-hv-01-guest02 ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=$DNSFORWARD -w $ADMINPW -p $ADMINPW /opt/rhqa_ipa/replica-info-auto-hv-01-guest02.testrelm.test.gpg
Run connection check to master
Check connection from replica to remote master 'mgmt3.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica 'auto-hv-01-guest02.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating RA agent certificate database
  [6/17]: importing CA chain to RA certificate database
  [7/17]: fixing RA database permissions
  [8/17]: setting up signing cert profile
  [9/17]: set up CRL publishing
  [10/17]: set certificate subject base
  [11/17]: enabling Subject Key Identifier
  [12/17]: setting audit signing renewal to 2 years
  [13/17]: configuring certificate server to start on boot
  [14/17]: configure certmonger for renewals
  [15/17]: configure clone certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Restarting the directory and certificate servers
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: disabling betxn plugins
  [10/31]: configuring uniqueness plugin
  [11/31]: configuring uuid plugin
  [12/31]: configuring modrdn plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation
  [29/31]: enabling compatibility plugin
  [30/31]: tuning directory server
  [31/31]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone 96.16.10.in-addr.arpa.
Configuring DNS (named)
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
[root@auto-hv-01-guest02 ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

Comment 25 Sudhir Menon 2017-02-01 12:15:07 UTC
Observations:

I found that the replica installation on a RHEL 6.9 server fails at the step below, i.e.

[3/17] "configuring certificate server instanceipa: CRITICAL failed to configure ca instance Command"

Attaching the console log for reference and reopening the bug.

Comment 26 Sudhir Menon 2017-02-01 12:16:48 UTC
Tested using the rpms below on RHEL 6.9:

[root@replica ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-51.el6.x86_64
ipa-server-3.0.0-51.el6.x86_64
sssd-krb5-common-1.13.3-52.el6.x86_64
sssd-krb5-1.13.3-52.el6.x86_64
sssd-client-1.13.3-52.el6.x86_64
sssd-ad-1.13.3-52.el6.x86_64
sssd-proxy-1.13.3-52.el6.x86_64
sssd-1.13.3-52.el6.x86_64
sssd-common-1.13.3-52.el6.x86_64
sssd-ipa-1.13.3-52.el6.x86_64
python-sssdconfig-1.13.3-52.el6.noarch
sssd-ldap-1.13.3-52.el6.x86_64
sssd-common-pac-1.13.3-52.el6.x86_64
pki-ca-9.0.3-52.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
389-ds-base-libs-1.2.11.15-88.el6.x86_64
389-ds-base-1.2.11.15-88.el6.x86_64
389-ds-base-debuginfo-1.2.11.15-85.el6.x86_64

Comment 27 Sudhir Menon 2017-02-01 12:18:50 UTC
Created attachment 1246627 [details]
Replica-Install Console Output

Comment 28 Sudhir Menon 2017-02-01 12:24:36 UTC
Created attachment 1246633 [details]
Replica install log

Comment 29 Endi Sukma Dewata 2017-02-01 15:17:05 UTC
Sudhir, we need to see some additional logs. Could you do the following?

1. Clean up the failed replica installation or use a new machine.
2. On master set debug.level=0 in /etc/pki-ca/CS.cfg then restart the server.
3. On replica set debug.level=0 in /usr/share/pki/ca/conf/CS.cfg then start the installation.
4. Attach these log files from master:
 - /var/log/pki-ca/debug
 - /var/log/httpd/access_log-<YYYYMMDD>
 - /var/log/httpd/error_log-<YYYYMMDD>
5. Attach this log file from replica:
 - /var/log/pki-ca/debug

Thanks.

Comment 30 Sudhir Menon 2017-02-02 06:34:05 UTC
I have cleaned up the replica installation and tried the steps above.
Please find the attached debug logs for your reference.

Comment 31 Sudhir Menon 2017-02-02 06:34:41 UTC
Created attachment 1246997 [details]
httpd access log

Comment 32 Sudhir Menon 2017-02-02 06:35:22 UTC
Created attachment 1246998 [details]
httpd error log

Comment 33 Sudhir Menon 2017-02-02 06:36:25 UTC
Created attachment 1246999 [details]
pki master log

Comment 34 Sudhir Menon 2017-02-02 06:37:18 UTC
Created attachment 1247000 [details]
pki replica log

Comment 35 Endi Sukma Dewata 2017-02-02 23:47:54 UTC
Thanks Sudhir. Could you attach /var/log/pki-ca/catalina.out from both master and replica as well? Thanks.

Comment 36 Sudhir Menon 2017-02-03 05:59:38 UTC
Created attachment 1247365 [details]
Replica catalina.out

Comment 37 Sudhir Menon 2017-02-03 06:01:10 UTC
Created attachment 1247367 [details]
Master catalina.out

Comment 38 Endi Sukma Dewata 2017-02-03 18:34:22 UTC
Thanks for the logs. Unfortunately it's still not very clear what is causing the latest problem.

I have created a new test build that contains additional debugging logs and some possible fixes:
https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/7687/

Please rerun the test with this build on both master and replica. If it's still failing please provide the same log files like above, or provide me the access to both test machines. Thanks.

Comment 41 Xiyang Dong 2017-02-06 17:44:21 UTC
Hi Endi,
I tried with the new build pki-ca-9.0.3-52.1.el6_8.noarch and attached the logs.

Comment 42 Xiyang Dong 2017-02-06 17:46:59 UTC
Created attachment 1248098 [details]
pki_ca_debug.log

Comment 43 Xiyang Dong 2017-02-06 17:49:30 UTC
Created attachment 1248100 [details]
http_access_log

Comment 44 Xiyang Dong 2017-02-06 17:51:29 UTC
Created attachment 1248101 [details]
http_error_log

Comment 45 Xiyang Dong 2017-02-06 17:53:27 UTC
Created attachment 1248103 [details]
catalina.out

Comment 46 Xiyang Dong 2017-02-06 17:55:05 UTC
Created attachment 1248105 [details]
pki_ca_debug.log_replica

Comment 47 Xiyang Dong 2017-02-06 17:56:13 UTC
Created attachment 1248108 [details]
catalina.out_replica

Comment 48 Xiyang Dong 2017-02-06 18:30:34 UTC
Created attachment 1248111 [details]
replica-install.log

Comment 49 Endi Sukma Dewata 2017-02-07 22:27:34 UTC
The problem seems to be triggered by the new HTTPD package in RHEL 6.9 which imposes more strict requirements for incoming HTTP requests (see bug #1412974). During IPA replica installation the PKI replica talks to PKI master via HTTPD proxy set up by IPA on the master. In RHEL 6.9 PKI is still using a custom (and outdated) HTTP client which sends out non-conforming HTTP requests, so the installation failed.

To fix this problem the HTTP client in PKI needs to be replaced or fixed to send the proper HTTP requests.

In the meantime the failure could be avoided by downgrading the HTTPD package on the master to version 2.2.15-56.el6_8.3 (confirmed by Xiyang).
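To make the root cause described in this comment concrete, here is an added example (not pki-core, IPA or httpd code) that serializes the request two ways, checks a raw request against the rules the stricter httpd enforces, and shows why an HTML 400 page ends up as a parser exception when a client hands whatever came back straight to an XML parser. The defective request shape (HTTP/1.0, no Host header, bare LF delimiters) is reconstructed from the doc text and the error_log lines in this bug rather than copied from pki-core's client; `MASTER` and `PATH` come from the log lines quoted in comment 12; `HTML_400` is a constructed Apache-2.2-style error body, not the exact page the master returned; `build_request`, `check_request`, `xml_parse_error` and `parse_xml_response` are names chosen here.

```python
"""Request construction and a strict-proxy check for the failure mode in this
bug. Added example, not pki-core, IPA or httpd code. MASTER and PATH are taken
from the log lines quoted earlier in this bug; HTML_400 is a constructed
Apache-2.2-style error body, not the exact page the master returned."""
import xml.dom.minidom
from xml.parsers.expat import ExpatError

MASTER = 'mgmt3.testrelm.test'
PATH = '/ca/admin/ca/getStatus'

def build_request(method, path, host, body=b'', version='1.1', crlf=True, send_host=True):
    """Serialize an HTTP request. Defaults give a conforming request; the
    keyword flags reproduce the defects described above (assumed shape of
    the pre-fix request, reconstructed from the bug's error messages)."""
    eol = '\r\n' if crlf else '\n'
    lines = [f'{method} {path} HTTP/{version}']
    if send_host:
        lines.append(f'Host: {host}')
    lines += [f'Content-Length: {len(body)}', 'Connection: close']
    return (eol.join(lines) + eol + eol).encode('ascii') + body

def check_request(raw, sni_hostname=None):
    """Reasons a strict front end would reject `raw`; an empty list means it
    passes. The CRLF and Host rules are RFC 7230 sections 3 and 5.4; the
    SNI/Host rule reproduces the error text from this bug's error_log."""
    problems = []
    if b'\r\n\r\n' in raw:
        raw_lines = raw.split(b'\r\n\r\n', 1)[0].split(b'\n')
        if any(not l.endswith(b'\r') for l in raw_lines[:-1]):
            problems.append('mixed CRLF and bare LF line delimiters')
    else:
        problems.append('bare LF line delimiters; RFC 7230 requires CRLF')
        raw_lines = raw.split(b'\n\n', 1)[0].split(b'\n')
    lines = [l.rstrip(b'\r') for l in raw_lines]
    parts = lines[0].split(b' ')
    if len(parts) != 3 or not parts[2].startswith(b'HTTP/'):
        problems.append('malformed request line')
        return problems
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b':')
        headers[name.strip().lower()] = value.strip().decode('ascii', 'replace')
    host = headers.get(b'host')
    if host is None:
        if parts[2] == b'HTTP/1.1':
            problems.append('HTTP/1.1 request without a Host header')
        if sni_hostname:
            problems.append(f'Hostname {sni_hostname} provided via SNI, '
                            'but no hostname provided in HTTP request')
    elif sni_hostname and host.split(':')[0].lower() != sni_hostname.lower():
        problems.append(f'Host header {host} does not match SNI name {sni_hostname}')
    return problems

# Constructed stand-in for httpd's HTML 400 page: an HTML 2.0 DOCTYPE with a
# PUBLIC id but no system literal, and unclosed <hr>, neither of which is XML.
HTML_400 = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
            b'<html><head><title>400 Bad Request</title></head><body>\n'
            b'<h1>Bad Request</h1><p>Your browser sent a request that this '
            b'server could not understand.<br />\n</p><hr>\n</body></html>\n')

def xml_parse_error(body):
    """What a client that parses unconditionally sees: the parser's message
    for `body`, or None if it is well-formed XML."""
    try:
        xml.dom.minidom.parseString(body)
    except ExpatError as e:
        return str(e)
    return None

def parse_xml_response(status, content_type, body):
    """Parse only when the master actually answered with XML; otherwise raise
    with the status and the start of the body so the proxy's rejection is
    visible in the installer log instead of a bare parser error."""
    ctype = content_type.split(';')[0].strip().lower()
    if status != 200 or ctype not in ('text/xml', 'application/xml'):
        raise RuntimeError(f'HTTP {status} {content_type}: {body[:80]!r}')
    return xml.dom.minidom.parseString(body)

if __name__ == '__main__':
    bad = build_request('POST', PATH, MASTER, version='1.0', crlf=False, send_host=False)
    good = build_request('POST', PATH, MASTER)
    print('pre-fix request :', check_request(bad, sni_hostname=MASTER))
    print('fixed request   :', check_request(good, sni_hostname=MASTER))
    print('XML parse of 400:', xml_parse_error(HTML_400))
```

The two halves map onto the two symptoms in the thread: `check_request` on the pre-fix shape yields the same "provided via SNI, but no hostname provided in HTTP request" complaint the master's error_log showed, and `xml_parse_error(HTML_400)` is the replica-side view, a parser error on an HTML body with no hint of the 400 behind it. Checking status and Content-Type before parsing, and including the body in the error, is what would have made the master's rejection visible in the replica's debug log on the first attempt.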

Comment 50 Endi Sukma Dewata 2017-02-08 00:07:50 UTC
Xiyang, could you try the following test build with the latest HTTPD package on both master and replica?
https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/7777/

Thanks.

Comment 51 Xiyang Dong 2017-02-08 04:47:40 UTC
Endi, replica install was successful with the latest httpd and pki-core build:

On master&replica:
# rpm -qa|egrep "pki-|httpd"
pki-util-9.0.3-52.2.el6_8.noarch
pki-setup-9.0.3-52.2.el6_8.noarch
pki-selinux-9.0.3-52.2.el6_8.noarch
pki-symkey-9.0.3-52.2.el6_8.x86_64
pki-java-tools-9.0.3-52.2.el6_8.noarch
pki-common-9.0.3-52.2.el6_8.noarch
pki-ca-9.0.3-52.2.el6_8.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
httpd-tools-2.2.15-60.el6.x86_64
pki-native-tools-9.0.3-52.2.el6_8.x86_64
pki-silent-9.0.3-52.2.el6_8.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
httpd-2.2.15-60.el6.x86_64

On replica
# ipa-replica-install --setup-ca --setup-dns --forwarder=10.11.5.19 replica-info-dhcp207-171.testrelm.test.gpg
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'dhcp207-4.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin password: 

Execute check on remote master
Check connection from master to remote replica 'dhcp207-171.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating RA agent certificate database
  [6/17]: importing CA chain to RA certificate database
  [7/17]: fixing RA database permissions
  [8/17]: setting up signing cert profile
  [9/17]: set up CRL publishing
  [10/17]: set certificate subject base
  [11/17]: enabling Subject Key Identifier
  [12/17]: setting audit signing renewal to 2 years
  [13/17]: configuring certificate server to start on boot
  [14/17]: configure certmonger for renewals
  [15/17]: configure clone certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Restarting the directory and certificate servers
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: disabling betxn plugins
  [10/31]: configuring uniqueness plugin
  [11/31]: configuring uuid plugin
  [12/31]: configuring modrdn plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation
  [29/31]: enabling compatibility plugin
  [30/31]: tuning directory server
  [31/31]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone 207.65.10.in-addr.arpa.
Configuring DNS (named)
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server

Comment 52 Endi Sukma Dewata 2017-02-08 15:54:40 UTC
Created attachment 1248634 [details]
pki-core-9.0.3-bz1403943-2.patch

Thanks, Xiyang!

The pki-core-9.0.3-bz1403943-2.patch contains the additional changes required to work with the latest HTTPD. It should be applied on top of the previous pki-core-9.0.3-bz1403943.patch which fixed the missing Host headers. Alternatively, the patches can be merged into a single file.

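As an added illustration (not pki-core's own code, which is Java), the following Python checker flags the two request defects this bug is about, a missing Host header and bare-LF line delimiters, which the updated httpd rejects; the request path is a constructed sample value and the host name is the master from this report.

```python
"""Added example, not part of pki-core: detect the malformed-request shape
described in this bug (no Host header, LF instead of CRLF) and build a
well-formed HTTP/1.1 request for comparison."""

CRLF = b"\r\n"

def build_request(method, path, host, headers=None, body=b""):
    """Build a well-formed HTTP/1.1 request: Host header first, CRLF delimiters."""
    lines = [f"{method} {path} HTTP/1.1".encode(), f"Host: {host}".encode()]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}".encode())
    if body:
        lines.append(f"Content-Length: {len(body)}".encode())
    return CRLF.join(lines) + CRLF + CRLF + body

def check_request(raw):
    """Return the list of problems found in a raw request (empty when well-formed)."""
    problems = []
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        # No CRLFCRLF terminator: either bare-LF delimiters or a truncated request.
        if b"\n\n" in raw:
            problems.append("bare LF line delimiters (expected CRLF)")
            head = raw.split(b"\n\n", 1)[0]
        else:
            problems.append("header block not terminated")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        problems.append("malformed request line")
    elif request_line[2] == b"HTTP/1.1":
        # HTTP/1.1 requires a Host header; header names are case-insensitive.
        names = {l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l}
        if b"host" not in names:
            problems.append("missing Host header (required by HTTP/1.1)")
    return problems

# Constructed samples: the pre-fix request shape and a correctly built request.
BAD_REQUEST = b"POST /ca/example HTTP/1.1\nContent-Length: 0\n\n"
GOOD_REQUEST = build_request("POST", "/ca/example", "dhcp207-4.testrelm.test")

if __name__ == "__main__":
    print("bad: ", check_request(BAD_REQUEST))
    print("good:", check_request(GOOD_REQUEST))
```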
Comment 54 Xiyang Dong 2017-02-09 14:33:50 UTC
Verified on pki-ca-9.0.3-53.el6:
# rpm -qa|egrep "pki-|httpd|ipa-server"
pki-symkey-9.0.3-53.el6.x86_64
pki-java-tools-9.0.3-53.el6.noarch
pki-util-9.0.3-53.el6.noarch
pki-native-tools-9.0.3-53.el6.x86_64
pki-common-9.0.3-53.el6.noarch
pki-silent-9.0.3-53.el6.noarch
ipa-server-3.0.0-51.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
httpd-tools-2.2.15-60.el6.x86_64
pki-selinux-9.0.3-53.el6.noarch
pki-setup-9.0.3-53.el6.noarch
pki-ca-9.0.3-53.el6.noarch
ipa-server-selinux-3.0.0-51.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
httpd-2.2.15-60.el6.x86_64

# ipa-replica-install --setup-ca --setup-dns --forwarder=10.11.5.19 replica-info-dhcp207-171.testrelm.test.gpg
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'dhcp207-4.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin password: 

Execute check on remote master
Check connection from master to remote replica 'dhcp207-171.testrelm.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating RA agent certificate database
  [6/17]: importing CA chain to RA certificate database
  [7/17]: fixing RA database permissions
  [8/17]: setting up signing cert profile
  [9/17]: set up CRL publishing
  [10/17]: set certificate subject base
  [11/17]: enabling Subject Key Identifier
  [12/17]: setting audit signing renewal to 2 years
  [13/17]: configuring certificate server to start on boot
  [14/17]: configure certmonger for renewals
  [15/17]: configure clone certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Restarting the directory and certificate servers
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: disabling betxn plugins
  [10/31]: configuring uniqueness plugin
  [11/31]: configuring uuid plugin
  [12/31]: configuring modrdn plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation
  [29/31]: enabling compatibility plugin
  [30/31]: tuning directory server
  [31/31]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone 207.65.10.in-addr.arpa.
Configuring DNS (named)
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
#

Comment 56 errata-xmlrpc 2017-03-21 11:59:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0802.html