[Freeipa-users] bug in pki during install of CA replica and workaround/solution
Les Stott
Less at imagine-sw.com
Wed Feb 18 07:26:40 UTC 2015
Has anyone got any ideas on the below errors I am now receiving?
Thanks in advance,
Les
> >
> > I will test this out (update to 3.7.19-260) next week as I've got a
> > few more CA replicas to setup.
> >
>
> I'm still having issues. Different one this time.
>
> As I have previously worked around the install of CA replicas in my
> production environment as above, I went to set up CA replication
> in DR (both environments are completely separate).
>
> Having made sure I did a yum update for all packages, including selinux-policy, and
> also that all needed modules were loaded in httpd.conf, I proceeded
> to retry the installation of CA replication. However, it failed with the following:
>
> Note: sb2sys01.domain.com is the replica I am trying to install....
>
> (abbreviated below)
>
> #############################################
> Attempting to connect to: sb2sys01.domain.com:9445 Connected.
> Posting Query =
> https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=XXXXXXXX&path=ca.p12
> RESPONSE STATUS: HTTP/1.1 200 OK
> RESPONSE HEADER: Server: Apache-Coyote/1.1
> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER: Date: Fri, 13 Feb 2015 08:09:35 GMT
> RESPONSE HEADER: Connection: close
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- BEGIN COPYRIGHT BLOCK
>
> END COPYRIGHT BLOCK -->
> <response>
> <panel>admin/console/config/restorekeycertpanel.vm</panel>
> <res/>
> <updateStatus>failure</updateStatus>
> <password/>
> <errorString>The pkcs12 file is not correct.</errorString>
> <size>19</size>
> Error in RestoreKeyCertPanel(): updateStatus returns failure
> ERROR: ConfigureCA: RestoreKeyCertPanel() failure
> ERROR: unable to create CA
>
> ############################################
>
> In /var/log/pki-ca/catalina.out I see...
>
> CMS Warning: FAILURE: Cannot build CA chain. Error
> java.security.cert.CertificateException: Certificate is not a PKCS #11
> certificate|FAILURE: authz instance DirAclAuthz initialization failed and
> skipped, error=Property internaldb.ldapconn.port missing value| Server is
> started.
>
> Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a
> working system).
>
> grep DirAclAuthz /etc/pki-ca/CS.cfg
> authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> authz.instance.DirAclAuthz.ldap=internaldb
> authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> authz.instance.DirAclAuthz.ldap._000=##
> authz.instance.DirAclAuthz.ldap._001=## Internal Database
> authz.instance.DirAclAuthz.ldap._002=##
> authz.instance.DirAclAuthz.ldap.basedn=
> authz.instance.DirAclAuthz.ldap.maxConns=15
> authz.instance.DirAclAuthz.ldap.minConns=3
> authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
> authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
> authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
> authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
> authz.instance.DirAclAuthz.ldap.ldapconn.host=
> authz.instance.DirAclAuthz.ldap.ldapconn.port=
> authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
> authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
>
> The CA cert looks ok to me on the master. It does get copied to the replica in
> /usr/share/ipa/html/ca.crt
>
> I don't see any errors in httpd error or access logs on the master or the
> intended replica.
>
> The ipa-pki-proxy.conf config has the profilesubmit section.
>
> # matches for ee port
> <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>
> I can confirm that pki-cad does start (but is unconfigured) and that it does
> listen on port 9445.
>
> # netstat -apn |grep 9445
> tcp 0 0 :::9445 :::* LISTEN 31264/java
> # service pki-cad status
> pki-ca (pid 31264) is running... [ OK ]
> 'pki-ca' must still be CONFIGURED!
> (see /var/log/pki-ca-install.log)
>
> I am not sure what to try next.
>
> Appreciate any help to get over this error.
>
> Thanks,
>
> Les
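A small diagnostic, added here and not from the thread or the Dogtag project, that parses a CS.cfg and lists the LDAP properties whose values are empty, the condition behind the "Property internaldb.ldapconn.port missing value" line in catalina.out above. It follows the `authz.instance.<name>.ldap=internaldb` reference to the `internaldb.*` section; the `internaldb.ldapconn.host` and `internaldb.basedn` names and the sample contents are assumptions modelled on the quoted grep output.

```python
"""Report empty LDAP settings in a Dogtag pki-ca CS.cfg (added example, not Dogtag code)."""

# Constructed sample modelled on the unpopulated replica CS.cfg quoted above.
SAMPLE_CS_CFG = """\
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._001=## Internal Database
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.basedn=
"""

# Properties the authz plugin needs under the referenced section. Only the
# port is named in the log; host and basedn are assumed to be required too.
REQUIRED_SUFFIXES = ("ldapconn.host", "ldapconn.port", "basedn")


def parse_cs_cfg(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def ldap_sections(cfg):
    """Map each authz instance to the config section its '.ldap' key points at."""
    sections = {}
    for key, value in cfg.items():
        parts = key.split(".")
        if len(parts) == 4 and parts[:2] == ["authz", "instance"] and parts[3] == "ldap":
            sections[parts[2]] = value
    return sections


def missing_ldap_settings(cfg):
    """Return one 'Property X missing value' line per empty required setting."""
    problems = []
    for instance, section in sorted(ldap_sections(cfg).items()):
        for suffix in REQUIRED_SUFFIXES:
            prop = f"{section}.{suffix}"
            if not cfg.get(prop):  # absent or empty value both count as missing
                problems.append(f"{instance}: Property {prop} missing value")
    return problems
```

Run it against a real `/etc/pki-ca/CS.cfg` by passing `open(path).read()` to `parse_cs_cfg`; an empty list means every referenced LDAP setting is populated.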