[Freeipa-users] CA installation failed on server

Christian Heimes cheimes at redhat.com
Mon Nov 30 12:49:31 UTC 2015


On 2015-11-30 12:51, Martin Basti wrote:
> 
> 
> On 28.11.2015 00:14, Rob Crittenden wrote:
>> Martin Štefany wrote:
>>> Hello,
>>>
>>> I remember experiencing this, but I'm not sure of the solution. I think it's
>>> related to apache (httpd) and its group.
>>>
>>> My notes for IPA installation on CentOS 7.x say:
>>>
>>> # groupadd -g 48 apache
>>> # yum -y install ipa-server bind bind-dyndb-ldap
>>> # usermod -g apache apache
>>> # ipa-server-install...
>>>
>>> CentOS is somehow not creating group apache for apache user and then
>>> assuming root which is then causing problems with apache later. Pre-
>>> creating such group before installing httpd and then usermod-ing user
>>> apache might solve it.
>>>
>>> Did you get any warnings while running:
>>> # yum install -y ipa-server bind bind-dyndb-ldap ?
>>>
>>>
>>> If possible, try installation from scratch with my notes on fresh
>>> system. If not:
>>>
>>> # systemctl stop apache   # if it runs
>>> # groupadd -g 48 apache   # I use 48 as apache's UID tends to be also
>>> 48, or use 'groupadd -r apache' instead
>>> # usermod -g apache apache
>>> # ipa-server-install...
>>>
>> Sounds unlikely to me. If indeed it did happen you'd need to file a bug
>> against Apache to create its own uid/gid, which I'm pretty certain it
>> already does.
>>
>> In any case, dogtag doesn't run in Apache so it would be unlikely to
>> blow up in the CA installer.
>>
>> cating the contents of a directory into one log is not at all helpful,
>> especially given that you missed all the important bits in the
>> subdirectories beneath it. This is just a mishmash of stuff. We need to
>> see /var/log/pki/pki-tomcat/ca/debug.
>>
>> /var/log/ipaserver-install.log might also be useful to see though it
>> probably just records in a more verbose way the fact that pkispawn
>> failed.
>>
>> rob
>>
> Hello,
> 
> I see in log this error message:
> 
> 2015-11-26 08:41:53 pkidestroy  : ERROR    .......
> subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n',
> 'subsystemCert cert-pki-ca', '-p', '272326334956', '-d',
> '/etc/pki/pki-tomcat/alias', '-e',
> 'name="/var/lib/pki/pki-tomcat"&type=CA&list=caList&host=ipa.home&sport=443&ncsport=8443&adminsport=8443&agentsport=8443&operation=remove',
> '-v', '-r', '/ca/agent/ca/updateDomainXML', 'ipa.home:443']' returned
> non-zero exit status 6!
> 
> It means that the CA has not been successfully uninstalled, and it can
> cause issues during installation
> PKI bug:
> https://fedorahosted.org/pki/ticket/1704
> 
> Christian may have workaround (CCed)

Hi Martin and Martin,

Last week I identified an incompatibility between Dogtag's sslget
command and Apache HTTP. sslget sends a server name indication during
the TLS/SSL handshake but doesn't send an HTTP Host header. Newer
versions of Apache HTTP don't accept requests with SNI and without an HTTP
Host header. You should see an HTTP/400 Bad Request in /var/log/httpd/error_log.

The simplest workaround is to bypass Apache and talk to Dogtag directly.
In order to bypass the Apache proxy you have to log onto the server.
You also have to become root so you can access the NSS database that
contains the private key for authentication. Simply copy and paste the
sslget command from the log (everything between "Command '[" and "]'
returned non-zero exit status 6!"), remove the commas, replace
'ipa.home:443' with 'ipa.home:8443' and run the command. The command
should look like:

'/usr/bin/sslget' '-n' 'subsystemCert cert-pki-ca' ...
'/ca/agent/ca/updateDomainXML' 'ipa.home:8443'

Christian
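The copy-and-edit step above can be automated. The following script is an added example, not part of the thread or of FreeIPA/Dogtag: it parses the CalledProcessError line out of a pkidestroy log, recovers the sslget argument list, and rewrites only the final target from port 443 (Apache proxy) to 8443 (Dogtag directly), leaving the -e parameter untouched. The embedded log excerpt is constructed from the text quoted in the thread; the function names, the regex and the default ports are assumptions.

```python
import ast
import re
import shlex

# Constructed sample: the pkidestroy error as quoted in the thread, wrapped
# across lines the way the mail archive shows it. ipa.home and the -p token
# are copied from that excerpt, not from a real deployment.
SAMPLE_LOG = """\
2015-11-26 08:41:53 pkidestroy  : ERROR    .......
subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n',
'subsystemCert cert-pki-ca', '-p', '272326334956', '-d',
'/etc/pki/pki-tomcat/alias', '-e',
'name="/var/lib/pki/pki-tomcat"&type=CA&list=caList&host=ipa.home&sport=443&ncsport=8443&adminsports=8443&agentsport=8443&operation=remove',
'-v', '-r', '/ca/agent/ca/updateDomainXML', 'ipa.home:443']' returned
non-zero exit status 6!
"""

# Matches the Python list repr inside "Command '[...]' returned non-zero exit
# status N"; re.S lets the lazy match span the wrapped lines.
_CMD_RE = re.compile(r"Command '(\[.*?\])' returned\s+non-zero exit status (\d+)", re.S)


def extract_sslget_command(log_text):
    """Return (argv, exit_status) for the failed sslget call, or None."""
    m = _CMD_RE.search(log_text)
    if not m:
        return None
    # The log prints subprocess's argument list as a Python literal, so
    # literal_eval recovers the exact argv (and drops the commas for us).
    argv = ast.literal_eval(m.group(1))
    if not argv or not argv[0].endswith("/sslget"):
        return None
    return argv, int(m.group(2))


def direct_dogtag_command(argv, proxy_port=443, dogtag_port=8443):
    """Rewrite the trailing host:port so sslget talks to Dogtag, not Apache."""
    host, sep, port = argv[-1].rpartition(":")
    if not sep or port != str(proxy_port):
        raise ValueError(f"unexpected sslget target {argv[-1]!r}")
    new_argv = argv[:-1] + [f"{host}:{dogtag_port}"]
    # shlex.quote keeps the space in 'subsystemCert cert-pki-ca' and the
    # '&'/'"' characters of the -e parameter safe for a shell.
    return " ".join(shlex.quote(a) for a in new_argv)


def workaround_from_log(log_text):
    """Full pipeline: log text in, ready-to-run sslget command line out."""
    found = extract_sslget_command(log_text)
    if found is None:
        raise ValueError("no failed sslget command found in log")
    return direct_dogtag_command(found[0])
```

Run the printed command as root on the IPA server, since it needs the NSS database under /etc/pki/pki-tomcat/alias.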
