[Freeipa-users] ipa-replica-prepare Certificate issuance failed

Rob Crittenden rcritten at redhat.com
Fri May 4 19:18:50 UTC 2012


Chris Evich wrote:
> Hi,
>
> I've got a FreeIPA setup at home I just built the other week on Fedora
> 16. It's a very small/basic setup I'm mainly using for secure
> NFS+Kerberos and automount. Today, I updated everything and rebooted,
> and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm
> now running:
>
> freeipa-python-2.1.4-7.fc16.x86_64
> freeipa-client-2.1.4-7.fc16.x86_64
> freeipa-admintools-2.1.4-7.fc16.x86_64
> freeipa-server-2.1.4-7.fc16.x86_64
> freeipa-server-selinux-2.1.4-7.fc16.x86_64
> dogtag-pki-common-theme-9.0.11-1.fc16.noarch
> dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
> pki-symkey-9.0.19-1.fc16.x86_64
> pki-java-tools-9.0.19-1.fc16.noarch
> pki-setup-9.0.19-1.fc16.noarch
> pki-common-9.0.19-1.fc16.noarch
> pki-silent-9.0.19-1.fc16.noarch
> pki-util-9.0.19-1.fc16.noarch
> pki-selinux-9.0.19-1.fc16.noarch
> pki-ca-9.0.19-1.fc16.noarch
>
> I went to try and set up a replica following the docs at
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html
> and ran into a problem I can't figure out (after checking logs, list,
> google, and BZ searches):
>
> [root@<master> log]# ipa-replica-prepare <replica fqdn>
> Directory Manager (existing master) password:
>
> Preparing replica for <replica fqdn> from <master fqdn>
> Creating SSL certificate for the Directory Server
> Certificate issuance failed
>
> I just ran it again, with a tail on /var/log/pki-ca/debug and this is
> what it spat out:
>
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri =
> /ca/ee/ca/profileSubmitSSLClient
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='cert_request_type' value='pkcs10'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='cert_request'
> value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
> ...cut...
> H3dNbe4A
> '
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='requestor_name' value='IPA Installer'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='xmlOutput' value='true'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='profileId' value='caIPAserviceCert'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet:
> caProfileSubmitSSLClient start to service.
> [04/May/2012:14:44:09][http-9444-1]: xmlOutput true
> [04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input
> Parameters
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter cert_request_type='pkcs10'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter
> cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
>
> ...cut...
> H3dNbe4A
> '
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter requestor_name='IPA Installer'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter xmlOutput='true'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter profileId='caIPAserviceCert'
> [04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input
> Parameters
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId
> caIPAserviceCert
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04
> 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11
>
> Which also looks normal (to me). Though I've done nothing intentional
> with anything certificate related, again this is mainly a setup for
> kerberos. Where else can I look, or what can I run to get more clues why
> ipa-replica-prepare is failing?

I think we'll need to get more info out of dogtag. If you edit 
/etc/ipa/default.conf and add debug=True, restart httpd, re-run the 
replica-prepare, there should be more information on the failure in 
/var/log/httpd/error_log.

rob
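The steps Rob describes (add `debug=True` to `/etc/ipa/default.conf`, restart httpd, re-run `ipa-replica-prepare`, read `/var/log/httpd/error_log`), as an added shell example that is not part of the original thread. The functions edit an ini-style file idempotently so repeated runs never leave duplicate `debug=` keys; the demo works on a constructed copy of `default.conf` with placeholder realm and host names, and the commands that would act on a real master are left as comments.

```shell
#!/bin/sh
# Added example (not from the FreeIPA project or this thread): switch on
# FreeIPA server-side debug logging the way the reply above suggests.
# Assumptions: the config is ini-style with a [global] section, as
# /etc/ipa/default.conf is; the sample file below is constructed.
set -eu

# enable_ipa_debug FILE
# Leave FILE's [global] section with exactly one "debug=True" line:
# an existing debug= line (any value) is rewritten, duplicates dropped,
# and the key is appended to [global] if it is missing. A .bak copy is kept.
enable_ipa_debug() {
    conf="$1"
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$conf.bak"
    awk '
        /^[ \t]*\[global\][ \t]*$/ { print; in_global = 1; seen_global = 1; next }
        /^[ \t]*\[/ {                         # another section starts
            if (in_global && !done) { print "debug=True"; done = 1 }
            in_global = 0; print; next
        }
        in_global && /^[ \t]*debug[ \t]*=/ {  # rewrite first, drop the rest
            if (!done) { print "debug=True"; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!seen_global) print "[global]"
                print "debug=True"
            }
        }
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# ipa_debug_enabled FILE
# Exit 0 when [global] contains debug=True (case-insensitive value), else 1.
ipa_debug_enabled() {
    awk '
        /^[ \t]*\[global\][ \t]*$/ { g = 1; next }
        /^[ \t]*\[/                { g = 0; next }
        g && /^[ \t]*debug[ \t]*=[ \t]*[Tt]rue[ \t]*$/ { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# --- demo on a constructed copy; never edit /etc/ipa/default.conf while testing ---
DEMO_DIR="$(mktemp -d)"
DEMO_CONF="$DEMO_DIR/default.conf"
cat > "$DEMO_CONF" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa.example.test
xmlrpc_uri = https://ipa.example.test/ipa/xml
enable_ra = True
EOF

enable_ipa_debug "$DEMO_CONF"
enable_ipa_debug "$DEMO_CONF"      # second run must not add a duplicate line
if ipa_debug_enabled "$DEMO_CONF"; then
    echo "debug=True present once in [global] of $DEMO_CONF"
fi

# On the real master (Fedora 16 uses systemd), the remaining steps would be:
#   enable_ipa_debug /etc/ipa/default.conf
#   systemctl restart httpd.service
#   ipa-replica-prepare replica.example.test        # placeholder FQDN
#   grep -i -B2 -A10 'replica-prepare\|cert' /var/log/httpd/error_log
# and, once diagnosed, restore the saved copy: mv /etc/ipa/default.conf.bak /etc/ipa/default.conf
```

Restoring the `.bak` afterwards matters because `debug=True` makes the IPA server log request details it normally would not, including the kind of certificate-request parameters seen in the dogtag debug output quoted above.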
