[Freeipa-users] ipa-replica-prepare Certificate issuance failed
Chris Evich
cevich at redhat.com
Fri May 4 19:12:24 UTC 2012

Hi,

I've got a FreeIPA setup at home I just built the other week on Fedora
16. It's a very small/basic setup I'm mainly using for secure
NFS+Kerberos and automount. Today, I updated everything and rebooted,
and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm
now running:

freeipa-python-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-admintools-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
freeipa-server-selinux-2.1.4-7.fc16.x86_64
dogtag-pki-common-theme-9.0.11-1.fc16.noarch
dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
pki-symkey-9.0.19-1.fc16.x86_64
pki-java-tools-9.0.19-1.fc16.noarch
pki-setup-9.0.19-1.fc16.noarch
pki-common-9.0.19-1.fc16.noarch
pki-silent-9.0.19-1.fc16.noarch
pki-util-9.0.19-1.fc16.noarch
pki-selinux-9.0.19-1.fc16.noarch
pki-ca-9.0.19-1.fc16.noarch

I went to try and set up a replica following the docs at
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html
and ran into a problem I can't figure out (after checking logs, list,
Google, and BZ searches):

[root@<master> log]# ipa-replica-prepare <replica fqdn>
Directory Manager (existing master) password:
Preparing replica for <replica fqdn> from <master fqdn>
Creating SSL certificate for the Directory Server
Certificate issuance failed

I just ran it again, with a tail on /var/log/pki-ca/debug and this is
what it spat out:

[04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri =
/ca/ee/ca/profileSubmitSSLClient
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='cert_request_type' value='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='cert_request'
value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='requestor_name' value='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='xmlOutput' value='true'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='profileId' value='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet:
caProfileSubmitSSLClient start to service.
[04/May/2012:14:44:09][http-9444-1]: xmlOutput true
[04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input
Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter cert_request_type='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter
cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter requestor_name='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter xmlOutput='true'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter profileId='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input
Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId
caIPAserviceCert
[04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04
14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11

Which also looks normal (to me). Though I've done nothing intentional
with anything certificate-related, again this is mainly a setup for
Kerberos. Where else can I look, or what can I run to get more clues
as to why ipa-replica-prepare is failing?

Thanks.