[Freeipa-users] ipa-replica-prepare Certificate issuance failed

Roderick Johnstone rmj at ast.cam.ac.uk
Mon Jul 4 08:23:41 UTC 2016


Hi

I installed my first master ipa server (server1) many months ago (Redhat 
7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64, 
but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed


If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some info 
has been anonymised):

Generating key.  This may take a few moments...


ipa: DEBUG: request POST 
https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body 
'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 
'content-length': '161', 'content-type': 'application/xml', 'server': 
'Apache-Coyote/1.1'}
ipa: DEBUG: response body '<?xml version="1.0" encoding="UTF-8" 
standalone="no"?><XMLResponse><Status>1</Status><Error>Server Internal 
Error</Error><RequestId>  3</RequestId></XMLResponse>'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
execute
     return_value = self.run()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", 
line 337, in run
     self.copy_ds_certificate()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", 
line 382, in copy_ds_certificate
     self.export_certdb("dscert", passwd_fname)
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", 
line 589, in export_certdb
     db.create_server_cert(nickname, hostname, ca_db)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", 
line 337, in create_server_cert
     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", 
line 418, in issue_server_cert
     raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The 
ipa-replica-prepare command failed, exception: RuntimeError: Certificate 
issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: 
Certificate issuance failed

If it's of relevance, I did change the directory manager password on both 
server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone
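The debug log above shows that the installer only reports the generic "Certificate issuance failed" even though the CA's XMLResponse carries the real status, error text and request id. The following is an added example, not code from the post or from FreeIPA, that parses that response body so the useful fields can be read off directly. The meaning of the numeric status codes (0 issued, 1 error, 2 pending, 3 rejected) is an assumption about the Dogtag profileSubmit interface; check it against your CA version.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the response body quoted in the debug log above
# (the log prints it as a Python string literal; the XML is the same).
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><Status>1</Status><Error>Server Internal Error</Error>'
    '<RequestId>  3</RequestId></XMLResponse>'
)

# Assumed meaning of the Dogtag profileSubmit status codes; verify for your CA.
STATUS_NAMES = {"0": "success", "1": "error", "2": "pending", "3": "rejected"}


def parse_profile_submit_response(body):
    """Turn the CA's XMLResponse body into a dict a troubleshooter can act on.

    Returns keys: status (int), status_name, error (str or None),
    request_id (str or None, whitespace stripped) and ok (bool).
    """
    # Accept str or bytes; bytes avoids any issue with the encoding declaration.
    if isinstance(body, str):
        body = body.encode("utf-8")
    root = ET.fromstring(body)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status_text = (root.findtext("Status") or "").strip()
    if not status_text.isdigit():
        raise ValueError("missing or non-numeric <Status> in CA response")
    error = root.findtext("Error")
    request_id = root.findtext("RequestId")
    return {
        "status": int(status_text),
        "status_name": STATUS_NAMES.get(status_text, "unknown"),
        "error": error.strip() if error else None,
        "request_id": request_id.strip() if request_id else None,
        "ok": status_text == "0",
    }


def describe_failure(body):
    """One-line diagnosis naming the CA error and the request id to look up."""
    info = parse_profile_submit_response(body)
    if info["ok"]:
        return "CA issued the certificate (request %s)" % info["request_id"]
    return "CA returned %s (status %d): %s; look up request %s in the CA log" % (
        info["status_name"], info["status"], info["error"], info["request_id"])
```

With the request id in hand, the next place to look is the CA's own debug log on the master (typically /var/log/pki/pki-tomcat/ca/debug on a pki-tomcat instance), since "Server Internal Error" is all the CA tells the client.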

