[Freeipa-users] ipa-replica-prepare Certificate issuance failed

Martin Babinsky mbabinsk at redhat.com
Mon Jul 4 14:12:04 UTC 2016


On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
> Hi
>
> I installed my first master ipa server (server1) many months ago (Redhat
> 7.1 IIRC) and made a replica server2 without problems.
>
> Now I'd like to bring online another replica (server3).
>
> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
> but I get the following error when I run this on server1:
>
> server1> ipa-replica-prepare server3.example.com
>
> Directory Manager (existing master) password:
>
> Preparing replica for server3.example.com from server1.example.com
> Creating SSL certificate for the Directory Server
> Certificate issuance failed
>
>
> If I repeat this on server2, my first replica, it succeeds.
>
> Running in debug mode on server1:
> server1> ipa-replica-prepare --debug server3.example.com
> gives a lot of output of which the following seems relevant (some info
> has been anonymised):
>
> Generating key.  This may take a few moments...
>
>
> ipa: DEBUG: request POST
> https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
> ipa: DEBUG: request body
> 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
>
> ipa: DEBUG: NSSConnection init server1.example.com
> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> ipa: DEBUG: response status 200
> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT',
> 'content-length': '161', 'content-type': 'application/xml', 'server':
> 'Apache-Coyote/1.1'}
> ipa: DEBUG: response body '<?xml version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>1</Status><Error>Server Internal
> Error</Error><RequestId>  3</RequestId></XMLResponse>'
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 337, in run
>     self.copy_ds_certificate()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 382, in copy_ds_certificate
>     self.export_certdb("dscert", passwd_fname)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 589, in export_certdb
>     db.create_server_cert(nickname, hostname, ca_db)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 337, in create_server_cert
>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 418, in issue_server_cert
>     raise RuntimeError("Certificate issuance failed")
>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
> ipa-replica-prepare command failed, exception: RuntimeError: Certificate
> issuance failed
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
> Certificate issuance failed
>
> If it's of relevance I did change the directory manager password on both
> server1 and server2 a couple of weeks ago.
>
> I'd appreciate some pointers to resolving this.
>
> Thanks
>
> Roderick Johnstone
>
Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be located 
in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and 
"debug" logs mainly.

-- 
Martin^3 Babinsky
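The debug output quoted above shows the CA answering the profileSubmitSSLClient request with HTTP 200 but an XMLResponse whose Status is 1 and whose Error is "Server Internal Error"; that non-zero Status is what ipa-replica-prepare turns into "Certificate issuance failed". As an added example (not part of this thread and not FreeIPA's own code), the script below scans `ipa-replica-prepare --debug` output for such responses and extracts the Status, Error and RequestId so they can be matched against the CA's "system" and "debug" logs under /var/log/pki/pki-tomcat/ca/. The sample debug output is constructed from the lines in the thread, and the script assumes each response body sits on a single line (mail wrapping, as in the quoted post, would have to be undone first).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `ipa-replica-prepare --debug` output, modelled on the
# thread's lines; request id and error text are the values quoted there.
SAMPLE_DEBUG_OUTPUT = """\
ipa: DEBUG: request POST https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: response status 200
ipa: DEBUG: response body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Server Internal Error</Error><RequestId>  3</RequestId></XMLResponse>'
"""


def parse_xml_response(body):
    """Parse a Dogtag profileSubmit XMLResponse body.

    Returns the integer Status (0 is success), the Error text (None when
    absent) and the RequestId with surrounding whitespace stripped.
    """
    # Parse as bytes so the encoding declaration in the prolog is honoured.
    root = ET.fromstring(body.encode("utf-8"))
    if root.tag != "XMLResponse":
        raise ValueError("not a Dogtag XMLResponse: <%s>" % root.tag)
    status = int(root.findtext("Status", default="-1").strip())
    error = root.findtext("Error")
    request_id = root.findtext("RequestId")
    return {
        "status": status,
        "error": error.strip() if error is not None else None,
        "request_id": request_id.strip() if request_id is not None else None,
    }


# Matches the quoted body in a "response body '...'" debug line.
_BODY_RE = re.compile(r"response body '(.*)'\s*$")


def find_ca_failures(debug_output):
    """Return every CA response in the debug output whose Status is non-zero.

    The HTTP status is 200 even when issuance fails, so the XML Status field
    is what has to be checked; the RequestId of each hit is the key to look
    for in the CA's own logs.
    """
    failures = []
    for line in debug_output.splitlines():
        m = _BODY_RE.search(line)
        if not m or "<XMLResponse>" not in m.group(1):
            continue
        parsed = parse_xml_response(m.group(1))
        if parsed["status"] != 0:
            failures.append(parsed)
    return failures
```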