<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 09/21/2016 02:13 AM, Korey Chapman wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:CAOLtOX23k+6dVHG=rX_0W+gdydRA6R+P9YR3xh=PVT8EsmbTdQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><tt>Hello list,</tt></div>
<div><tt><br>
</tt></div>
<div><tt>I'm currently attempting to add a second CA server to
our IPA cluster (all servers Centos 7.2 with IPA 4.2.0).
However, it is failing no matter how I try to setup the CA
(ipa-replica-install with --setup-ca or ipa-replica-install
followed by ipa-ca-install). The only useful thing in the
logs is an error about a missing key for "trust_flags" in
the pki setup. Our infrastructure uses FreeIPA with an
external CA.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Any ideas/help would be greatly appreciated. Here are
the logs snips from my most recent attempt:</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Command output snip from "ipa-replica-install
/root/replica-info-auth-002.XXX.gpg --setup-ca"</tt></div>
<div><tt>Configuring certificate server (pki-tomcatd). Estimated
time: 3 minutes 30 seconds</tt></div>
<div><tt> [1/24]: creating certificate server user</tt></div>
<div><tt> [2/24]: configuring certificate server instance</tt></div>
<div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
returned non-zero exit status 1</tt></div>
<div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
See the installation logs and the following
files/directories for more information:</tt></div>
<div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log</tt></div>
<div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat</tt></div>
<div><tt> [error] RuntimeError: CA configuration failed.</tt></div>
<div><tt>Your system may be partly configured.</tt></div>
<div><tt>Run /usr/sbin/ipa-server-install --uninstall to clean
up.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>ipa.ipapython.install.cli.install_tool(Replica): ERROR
CA configuration failed</tt></div>
<div><tt><br>
</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Log snip from ipareplica-install.log:</tt></div>
<div><tt><br>
</tt></div>
<div><tt>2016-09-20T23:42:27Z DEBUG Starting external process</tt></div>
<div><tt>2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn'
'-s' 'CA' '-f' '/tmp/tmpYofMPt'</tt></div>
<div><tt>2016-09-20T23:42:31Z DEBUG Process finished, return
code=1</tt></div>
<div><tt>2016-09-20T23:42:31Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160920234227.log</tt></div>
<div><tt>Loading deployment configuration from /tmp/tmpYofMPt.</tt></div>
<div><tt>Installing CA into /var/lib/pki/pki-tomcat.</tt></div>
<div><tt>Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Installation failed.</tt></div>
<div><tt><br>
</tt></div>
<div><tt><br>
</tt></div>
<div><tt>2016-09-20T23:42:31Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being
made. Adding certificate verification is strongly advised.
See: </tt><tt><a moz-do-not-send="true"
href="https://urllib3.readthedocs.org/en/latest/security.html">https://urllib3.readthedocs.org/en/latest/security.html</a></tt></div>
<div><tt> InsecureRequestWarning)</tt></div>
<div><tt>Traceback (most recent call last):</tt></div>
<div><tt> File "/bin/pki", line 254, in <module></tt></div>
<div><tt> cli.execute(sys.argv)</tt></div>
<div><tt> File "/bin/pki", line 240, in execute</tt></div>
<div><tt> module.execute(module_args)</tt></div>
<div><tt> File
"/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line
195, in execute</tt></div>
<div><tt> module.execute(module_args)</tt></div>
<div><tt> File
"/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line
222, in execute</tt></div>
<div><tt> trust_flags = cert_info['trust_flags']</tt></div>
<div><tt>KeyError: 'trust_flags'</tt></div>
<div><tt><br>
</tt></div>
<div><tt><br>
</tt></div>
<div><tt>-- </tt><tt><br>
</tt></div>
<div class="gmail_signature"><tt>Korey</tt></div>
</div>
<tt><br>
</tt>
<tt><br>
</tt>
</blockquote>
<tt>Hi Korey,<br>
<br>
could you check if there is any more info in
/var/log/pki/pki-ca-spawn log? <br>
<br>
It might also be helpful to verify if correct trust flags are set in
nssdb: certutil -d /etc/pki/pki-tomcat/alias/ -L<br>
<br>
Finally, can you check that LDAPS is running on port 636 on the
replica where you're trying to install the CA (i.e. by nmap
localhost)?<br>
</tt>
<pre class="moz-signature" cols="72">--
Tomas Krizek</pre>
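<p><tt>The two checks suggested in the reply above (trust flags in the NSS database, LDAPS reachable on 636) can be scripted. The following is an added example written for this page, not code from the thread or from FreeIPA/Dogtag; the certutil listing embedded in it is constructed, and the expected trust string for the CA signing certificate is an assumption to adjust for your own deployment.</tt></p>

```python
import re
import socket
import subprocess
from typing import Dict, List

# Constructed sample of `certutil -d /etc/pki/pki-tomcat/alias/ -L` output
# (not taken from the original post). The last entry has no trust flags
# at all, which certutil prints as ",,".
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
External CA cert                                             CT,C,C
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
orphanCert                                                   ,,
"""

# Assumed expectation for an IPA CA signing certificate; treat it as a
# starting point, not as the documented FreeIPA value.
EXPECTED_TRUST = {"caSigningCert cert-pki-ca": "CTu,Cu,Cu"}

# One certificate line: a nickname that may contain single spaces, then at
# least two spaces, then the three comma-separated trust fields
# (SSL, S/MIME, JAR/XPI). Header lines have no commas and do not match.
_CERT_LINE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map certificate nickname -> trust attribute string."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _CERT_LINE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def find_trust_problems(certs: Dict[str, str],
                        expected: Dict[str, str]) -> List[str]:
    """Report certs with empty trust and certs whose trust differs from expected."""
    problems: List[str] = []
    for nick, trust in certs.items():
        if trust == ",,":
            problems.append(f"{nick}: no trust flags set")
    for nick, want in expected.items():
        got = certs.get(nick)
        if got is None:
            problems.append(f"{nick}: missing from NSS database")
        elif got != want:
            problems.append(f"{nick}: trust is {got!r}, expected {want!r}")
    return problems


def list_nssdb(db_dir: str) -> Dict[str, str]:
    """Run certutil against a real NSS database and parse its listing."""
    out = subprocess.run(["certutil", "-d", db_dir, "-L"],
                         capture_output=True, text=True, check=True).stdout
    return parse_certutil_listing(out)


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds (e.g. LDAPS on 636)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Offline run over the constructed listing.
    certs = parse_certutil_listing(SAMPLE_CERTUTIL_OUTPUT)
    for nick, trust in certs.items():
        print(f"{nick:45s} {trust}")
    for problem in find_trust_problems(certs, EXPECTED_TRUST):
        print("PROBLEM:", problem)
    # On a replica you would instead call list_nssdb("/etc/pki/pki-tomcat/alias/")
    # and port_is_open("localhost", 636).
```

<p><tt>A certificate that parses with trust ",," is the kind of entry a PKCS#12 export/import step can fail on, so listing them is a quick first check; the port probe only tells you the LDAPS listener answers, not that its certificate is correct.</tt></p>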
</body>
</html>