<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>On 09/21/2016 02:13 AM, Korey Chapman wrote:</tt><tt><br>
    </tt>
    <blockquote
cite="mid:CAOLtOX23k+6dVHG=rX_0W+gdydRA6R+P9YR3xh=PVT8EsmbTdQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><tt>Hello list,</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>I'm currently attempting to add a second CA server to
            our IPA cluster (all servers CentOS 7.2 with IPA 4.2.0).
            However, it is failing no matter how I try to set up the CA
            (ipa-replica-install with --setup-ca or ipa-replica-install
            followed by ipa-ca-install). The only useful thing in the
            logs is an error about a missing key for "trust_flags" in
            the pki setup. Our infrastructure uses FreeIPA with an
            external CA.</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>Any ideas/help would be greatly appreciated. Here are
            the log snips from my most recent attempt:</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>Command output snip from "ipa-replica-install
            /root/replica-info-auth-002.XXX.gpg --setup-ca"</tt></div>
        <div><tt>Configuring certificate server (pki-tomcatd). Estimated
            time: 3 minutes 30 seconds</tt></div>
        <div><tt>  [1/24]: creating certificate server user</tt></div>
        <div><tt>  [2/24]: configuring certificate server instance</tt></div>
        <div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
            Failed to configure CA instance: Command
            ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
            returned non-zero exit status 1</tt></div>
        <div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
            See the installation logs and the following
            files/directories for more information:</tt></div>
        <div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
            /var/log/pki-ca-install.log</tt></div>
        <div><tt>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
            /var/log/pki/pki-tomcat</tt></div>
        <div><tt>  [error] RuntimeError: CA configuration failed.</tt></div>
        <div><tt>Your system may be partly configured.</tt></div>
        <div><tt>Run /usr/sbin/ipa-server-install --uninstall to clean
            up.</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>ipa.ipapython.install.cli.install_tool(Replica): ERROR
               CA configuration failed</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>Log snip from ipareplica-install.log:</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>2016-09-20T23:42:27Z DEBUG Starting external process</tt></div>
        <div><tt>2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn'
            '-s' 'CA' '-f' '/tmp/tmpYofMPt'</tt></div>
        <div><tt>2016-09-20T23:42:31Z DEBUG Process finished, return
            code=1</tt></div>
        <div><tt>2016-09-20T23:42:31Z DEBUG stdout=Log file:
            /var/log/pki/pki-ca-spawn.20160920234227.log</tt></div>
        <div><tt>Loading deployment configuration from /tmp/tmpYofMPt.</tt></div>
        <div><tt>Installing CA into /var/lib/pki/pki-tomcat.</tt></div>
        <div><tt>Storing deployment configuration into
            /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>Installation failed.</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>2016-09-20T23:42:31Z DEBUG
            stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
            InsecureRequestWarning: Unverified HTTPS request is being
            made. Adding certificate verification is strongly advised.
            See: </tt><tt><a moz-do-not-send="true"
              href="https://urllib3.readthedocs.org/en/latest/security.html">https://urllib3.readthedocs.org/en/latest/security.html</a></tt></div>
        <div><tt>  InsecureRequestWarning)</tt></div>
        <div><tt>Traceback (most recent call last):</tt></div>
        <div><tt>  File "/bin/pki", line 254, in <module></tt></div>
        <div><tt>    cli.execute(sys.argv)</tt></div>
        <div><tt>  File "/bin/pki", line 240, in execute</tt></div>
        <div><tt>    module.execute(module_args)</tt></div>
        <div><tt>  File
            "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line
            195, in execute</tt></div>
        <div><tt>    module.execute(module_args)</tt></div>
        <div><tt>  File
            "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line
            222, in execute</tt></div>
        <div><tt>    trust_flags = cert_info['trust_flags']</tt></div>
        <div><tt>KeyError: 'trust_flags'</tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt><br>
          </tt></div>
        <div><tt>-- </tt><tt><br>
          </tt></div>
        <div class="gmail_signature"><tt>Korey</tt></div>
      </div>
      <tt><br>
      </tt>
      <tt><br>
      </tt>
    </blockquote>
    <tt>Hi Korey,<br>
      <br>
      could you check if there is any more info in the
      /var/log/pki/pki-ca-spawn log? <br>
      <br>
      It might also be helpful to verify whether the correct trust flags are set in
      the nssdb: certutil -d /etc/pki/pki-tomcat/alias/ -L<br>
      <br>
      Finally, can you check that LDAPS is running on port 636 on the
      replica where you're trying to install the CA (e.g. with nmap
      localhost)?<br>
    </tt>
    <pre class="moz-signature" cols="72">-- 
Tomas Krizek</pre>
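    <tt>A small diagnostic, added here as an example and not part of either message, that covers the two checks Tomas suggests: it parses the text that certutil -L prints for the pki-tomcat nssdb (a constructed sample is embedded; the regex, function names and the "External CA" nickname are my own) to list each certificate's trust flags and report any with an empty trust column, and it tests whether a TCP listener answers on port 636.<br>
    </tt>

```python
import re
import socket
from typing import Dict, List

# Constructed sample of `certutil -d /etc/pki/pki-tomcat/alias/ -L` output
# (not from the original message); the last row has an empty trust column.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
External CA                                                  ,,
"""

# One data row: nickname, two or more spaces, then the three comma-separated
# trust fields (SSL, S/MIME, code signing); any field may be empty.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_trust_flags(output: str) -> Dict[str, str]:
    """Map certificate nickname -> trust-flag string from `certutil -L` text."""
    flags: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ROW.match(line.rstrip())
        if m:
            flags[m.group("nick")] = m.group("flags")
    return flags


def certs_lacking_trust(flags: Dict[str, str]) -> List[str]:
    """Nicknames whose three trust fields are all empty (shown by certutil as ',,')."""
    return sorted(n for n, f in flags.items() if f.replace(",", "") == "")


def ca_is_trusted(flags: Dict[str, str], nickname: str) -> bool:
    """True when the named certificate carries the 'C' (trusted CA) flag for SSL."""
    f = flags.get(nickname)
    return f is not None and "C" in f.split(",")[0]


def ldaps_port_open(host: str = "localhost", port: int = 636, timeout: float = 2.0) -> bool:
    """True when a TCP connection to host:port succeeds, i.e. something listens on LDAPS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

    <tt>Run parse_trust_flags on the real certutil output and ldaps_port_open() on the replica itself; an entry in certs_lacking_trust is the kind of thing worth comparing against the first CA's nssdb.<br>
    </tt>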
  </body>
</html>