<div dir="ltr">It should be this problem: <a href="https://fedorahosted.org/freeipa/ticket/6613">https://fedorahosted.org/freeipa/ticket/6613</a></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 14, 2017 at 1:32 PM, Jens Timmerman <span dir="ltr"><<a href="mailto:jens.timmerman@ugent.be" target="_blank">jens.timmerman@ugent.be</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
<br>
I'm trying to setup a freeipa masterserver and a replica, on a fresh<br>
install of CentOS 7.3<br>
<br>
after running ipa-server-install on the master and running<br>
ipa-client-install on the replica the ipa-replica-install command fails<br>
to restart the directory server.<br>
<br>
Turns out this is because the DS Certificate was never received. It<br>
fails with status: CA_UNREACHABLE and I can't figure out why this is<br>
failing.<br>
<br>
Could someone give me some pointers?<br>
<br>
on the replica:<br>
<br>
<br>
/var/log/ipareplica-install.<wbr>log<br>
2017-02-14T12:21:20Z DEBUG certmonger request is in state<br>
dbus.String(u'NEWLY_ADDED_<wbr>READING_KEYINFO', variant_level=1)<br>
2017-02-14T12:21:25Z DEBUG certmonger request is in state<br>
dbus.String(u'CA_UNREACHABLE', variant_level=1)<br>
2017-02-14T12:21:25Z DEBUG flushing<br>
ldapi://%2fvar%2frun%2fslapd-<wbr>MY-REALM.socket from SchemaCache<br>
2017-02-14T12:21:25Z DEBUG retrieving schema for SchemaCache<br>
url=ldapi://%2fvar%2frun%<wbr>2fslapd-MY-REALM.socket<br>
conn=<ldap.ldapobject.<wbr>SimpleLDAPObject instance at 0x73101b8><br>
2017-02-14T12:21:25Z DEBUG duration: 5 seconds<br>
2017-02-14T12:21:25Z DEBUG [28/44]: restarting directory server<br>
<br>
<fails><br>
<br>
<br>
# getcert list<br>
Number of certificates and requests being tracked: 1.<br>
Request ID '20170214122119':<br>
status: CA_UNREACHABLE<br>
ca-error: Server at https://<ipa-server>/ipa/xml failed request,<br>
will retry: 4301 (RPC failed at server. Certificate operation cannot be<br>
completed: Unable to communicate with CMS (503)).<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MY_REALM',<wbr>nickname='Server-Cert',token='<wbr>NSS<br>
Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-MY_REALM//pwdfile.txt'<br>
certificate:<br>
type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MY_REALM',<wbr>nickname='Server-Cert'<br>
CA: IPA<br>
issuer:<br>
subject:<br>
expires: unknown<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
<br>
<br>
<br>
# certutil -L -d /etc/dirsrv/slapd-MY_REALM/<br>
<br>
Certificate Nickname Trust<br>
Attributes<br>
<br>
SSL,S/MIME,JAR/XPI<br>
<br>
MY_REALM IPA CA CT,C,C<br>
<br>
<br>
# certutil -L -d /etc/httpd/alias/<br>
<br>
Certificate Nickname Trust<br>
Attributes<br>
<br>
SSL,S/MIME,JAR/XPI<br>
<br>
cacert CTu,Cu,Cu<br>
beta u,pu,u<br>
alpha u,pu,u<br>
Server-Cert u,u,u<br>
<br>
<br>
<br>
<br>
# curl --negotiate -u : <a href="https://ipa-server/ipa/xml" rel="noreferrer" target="_blank">https://ipa-server/ipa/xml</a> --referer<br>
<a href="https://ipa-server/ipa/xml" rel="noreferrer" target="_blank">https://ipa-server/ipa/xml</a> -I<br>
HTTP/1.1 401 Unauthorized<br>
Date: Tue, 14 Feb 2017 12:07:02 GMT<br>
Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14<br>
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5<br>
WWW-Authenticate: Negotiate<br>
X-Frame-Options: DENY<br>
Content-Security-Policy: frame-ancestors 'none'<br>
Last-Modified: Tue, 17 Jan 2017 17:34:23 GMT<br>
Accept-Ranges: bytes<br>
Content-Length: 1474<br>
Content-Type: text/html; charset=UTF-8<br>
<br>
HTTP/1.1 200 Success<br>
Date: Tue, 14 Feb 2017 12:07:02 GMT<br>
Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14<br>
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5<br>
Set-Cookie: ipa_session=<snip><br>
WWW-Authenticate: Negotiate <snip><br>
X-Frame-Options: DENY<br>
Content-Security-Policy: frame-ancestors 'none'<br>
Vary: Accept-Encoding<br>
Content-Type: text/xml; charset=utf-8<br>
<br>
<br>
On the ipa-server:<br>
<br>
/var/log/pki/pki-tomcat/ca/<wbr>debug<br>
<br>
<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: SessionTimer: run()<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: LDAPSecurityDomainSessionTable<wbr>:<br>
getSessionIds()<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: LDAPSecurityDomainSessionTable<wbr>:<br>
searching ou=sessions,ou=Security Domain,o=ipaca<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: In LdapBoundConnFactory::getConn(<wbr>)<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: masterConn is connected: true<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: getConn: conn is connected true<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: getConn: mNumConns now 2<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: SecurityDomainSessionTable: No active<br>
sessions.<br>
[14/Feb/2017:13:20:15][Timer-<wbr>0]: returnConn: mNumConns now 3<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: SessionTimer: run()<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: LDAPSecurityDomainSessionTable<wbr>:<br>
getSessionIds()<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: LDAPSecurityDomainSessionTable<wbr>:<br>
searching ou=sessions,ou=Security Domain,o=ipaca<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: In LdapBoundConnFactory::getConn(<wbr>)<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: masterConn is connected: true<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: getConn: conn is connected true<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: getConn: mNumConns now 2<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: SecurityDomainSessionTable: No active<br>
sessions.<br>
[14/Feb/2017:13:25:15][Timer-<wbr>0]: returnConn: mNumConns now 3<br>
<br>
<br>
(so nothing at 13:21:14)<br>
<br>
<br>
<br>
==> /var/log/pki/pki-tomcat/ca/<wbr>selftests.log <==<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]<br>
SelfTestSubsystem: loading all self test plugin logger parameters<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]<br>
SelfTestSubsystem: loading all self test plugin instances<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]<br>
SelfTestSubsystem: loading all self test plugin instance parameters<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]<br>
SelfTestSubsystem: loading self test plugins in on-demand order<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]<br>
SelfTestSubsystem: loading self test plugins in startup order<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]<br>
SelfTestSubsystem: Self test plugins have been successfully loaded!<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]<br>
SelfTestSubsystem: Running self test plugins specified to be executed at<br>
startup:<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]<br>
CAPresence: CA is present<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]<br>
SystemCertsVerification: system certs verification success<br>
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]<br>
SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at<br>
startup!<br>
<br>
<br>
and /var/log/pki/pki-tomcat/<wbr>localhost.2017-02-14.log is filled with<br>
these exceptions that aren't pointing me to anywhere.<br>
<br>
SEVERE: Servlet.service() for servlet [Resteasy] in context with path<br>
[/ca] threw exception<br>
org.jboss.resteasy.spi.<wbr>UnhandledException:<br>
org.jboss.resteasy.core.<wbr>NoMessageBodyWriterFoundFailur<wbr>e: Could not find<br>
MessageBodyWriter for response object of type:<br>
com.netscape.certsrv.base.<wbr>PKIException$Data of media type:<br>
application/x-www-form-<wbr>urlencoded<br>
at<br>
org.jboss.resteasy.core.<wbr>SynchronousDispatcher.<wbr>writeException(<wbr>SynchronousDispatcher.java:<wbr>157)<br>
at<br>
org.jboss.resteasy.core.<wbr>SynchronousDispatcher.invoke(<wbr>SynchronousDispatcher.java:<wbr>372)<br>
at<br>
org.jboss.resteasy.core.<wbr>SynchronousDispatcher.invoke(<wbr>SynchronousDispatcher.java:<wbr>179)<br>
at<br>
org.jboss.resteasy.plugins.<wbr>server.servlet.<wbr>ServletContainerDispatcher.<wbr>service(<wbr>ServletContainerDispatcher.<wbr>java:220)<br>
at<br>
org.jboss.resteasy.plugins.<wbr>server.servlet.<wbr>HttpServletDispatcher.service(<wbr>HttpServletDispatcher.java:56)<br>
at<br>
org.jboss.resteasy.plugins.<wbr>server.servlet.<wbr>HttpServletDispatcher.service(<wbr>HttpServletDispatcher.java:51)<br>
at javax.servlet.http.<wbr>HttpServlet.service(<wbr>HttpServlet.java:731)<br>
at sun.reflect.<wbr>GeneratedMethodAccessor42.<wbr>invoke(Unknown Source)<br>
at<br>
sun.reflect.<wbr>DelegatingMethodAccessorImpl.<wbr>invoke(<wbr>DelegatingMethodAccessorImpl.<wbr>java:43)<br>
at java.lang.reflect.Method.<wbr>invoke(Method.java:498)<br>
at<br>
org.apache.catalina.security.<wbr>SecurityUtil$1.run(<wbr>SecurityUtil.java:288)<br>
at<br>
org.apache.catalina.security.<wbr>SecurityUtil$1.run(<wbr>SecurityUtil.java:285)<br>
at java.security.<wbr>AccessController.doPrivileged(<wbr>Native Method)<br>
<br>
...<br>
<br>
<br>
# getcert list<br>
Number of certificates and requests being tracked: 8.<br>
Request ID '20170214084423':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
cert-pki-ca',token='NSS Certificate DB',pin set<br>
certificate:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-ca-renew-agent<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=CA Audit,O=MY-REALM<br>
expires: 2019-02-04 08:42:52 UTC<br>
key usage: digitalSignature,<wbr>nonRepudiation<br>
pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
"auditSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20170214084425':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
cert-pki-ca',token='NSS Certificate DB',pin set<br>
certificate:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-ca-renew-agent<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=OCSP Subsystem,O=MY-REALM<br>
expires: 2019-02-04 08:42:48 UTC<br>
key usage: digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign<br>
eku: id-kp-OCSPSigning<br>
pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
"ocspSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20170214084428':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
cert-pki-ca',token='NSS Certificate DB',pin set<br>
certificate:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-ca-renew-agent<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=CA Subsystem,O=MY-REALM<br>
expires: 2019-02-04 08:42:51 UTC<br>
key usage:<br>
digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
"subsystemCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20170214084431':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
cert-pki-ca',token='NSS Certificate DB',pin set<br>
certificate:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-ca-renew-agent<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=Certificate Authority,O=MY-REALM<br>
expires: 2037-02-14 08:42:43 UTC<br>
key usage: digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign<br>
pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
"caSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20170214084434':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate:<br>
type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
Certificate DB'<br>
CA: dogtag-ipa-ca-renew-agent<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=IPA RA,O=MY-REALM<br>
expires: 2019-02-04 08:44:09 UTC<br>
key usage:<br>
digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command: /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert_pre<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20170214084436':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
cert-pki-ca',token='NSS Certificate DB',pin set<br>
certificate:<br>
type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=ipa-server,O=MY-REALM<br>
expires: 2019-02-04 08:42:49 UTC<br>
key usage:<br>
digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
eku: id-kp-serverAuth<br>
pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
"Server-Cert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20170214084646':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MY-REALM',<wbr>nickname='Server-Cert',token='<wbr>NSS<br>
Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-MY-REALM/pwdfile.txt'<br>
certificate:<br>
type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MY-REALM',<wbr>nickname='Server-Cert',token='<wbr>NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=ipa-server,O=MY-REALM<br>
expires: 2019-02-15 08:46:45 UTC<br>
key usage:<br>
digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>restart_dirsrv MY-REALM<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20170214085151':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate:<br>
type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=MY-REALM<br>
subject: CN=ipa-server,O=MY-REALM<br>
expires: 2019-02-15 08:51:50 UTC<br>
key usage:<br>
digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command: /usr/libexec/ipa/certmonger/<wbr>restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
<br>
# systemctl status pki-tomcatd@pki-tomcat.service<br>
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat<br>
Loaded: loaded (/lib/systemd/system/pki-<wbr>tomcatd@.service; enabled;<br>
vendor preset: disabled)<br>
Active: active (running) since Tue 2017-02-14 10:19:32 CET; 3h 40min ago<br>
Main PID: 1300 (java)<br>
CGroup:<br>
/system.slice/system-pki\<wbr>x2dtomcatd.slice/pki-tomcatd@<wbr>pki-tomcat.service<br>
└─1300 /usr/lib/jvm/jre-1.8.0-<wbr>openjdk/bin/java<br>
-DRESTEASY_LIB=/usr/share/<wbr>java/resteasy-base<br>
-Djava.library.path=/usr/<wbr>lib64/nuxwdog-jni -classpath<br>
/usr/share/tomcat/bin/<wbr>bootstrap.jar:/usr/share/<wbr>tomcat/bin/...<br>
<br>
Feb 14 10:19:57ipa-server server[1300]: SSLAuthenticatorWithFallback:<br>
Creating SSL authenticator with fallback<br>
Feb 14 10:19:57ipa-server server[1300]: SSLAuthenticatorWithFallback:<br>
Setting container<br>
Feb 14 10:20:07ipa-server server[1300]: SSLAuthenticatorWithFallback:<br>
Initializing authenticators<br>
Feb 14 10:20:07ipa-server server[1300]: SSLAuthenticatorWithFallback:<br>
Starting authenticators<br>
Feb 14 10:20:10ipa-server server[1300]:<br>
CMSEngine.<wbr>initializePasswordStore() begins<br>
Feb 14 10:20:10ipa-server server[1300]:<br>
CMSEngine.<wbr>initializePasswordStore(): tag=internaldb<br>
Feb 14 10:20:10ipa-server server[1300]:<br>
CMSEngine.<wbr>initializePasswordStore(): tag=replicationdb<br>
Feb 14 10:20:15ipa-server server[1300]: CA is started.<br>
Feb 14 10:20:26ipa-server server[1300]: PKIListener:<br>
org.apache.catalina.core.<wbr>StandardServer[after_start]<br>
Feb 14 10:20:26ipa-server server[1300]: PKIListener: Subsystem CA is<br>
running.<br>
<br>
<br>
<br>
Regards,<br>
Jens Timmerman<br>
<br>
<br>
<br>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>