[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

lejeczek peljasz at yahoo.co.uk
Fri Jun 3 09:38:30 UTC 2016



On 25/05/16 14:19, Rob Crittenden wrote:
> lejeczek wrote:
>> hi there,
>>
>> I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca
>>
>> installer fails at:
>>
>>   [10/23]: importing CA chain to RA certificate database
>>    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> more from log:
>>
>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>      run_step(full_msg, method)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>      method()
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
>>      chain = self.__get_ca_chain()
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
>>      raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>
>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>> 2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>
>> what might be the problem?
>
> It is failing getting the CA chain from dogtag. It uses port 8080 by default.
> I'd check your firewall and that the remote CA is up.
>
Is 8080 needed only at installation time or all the time?
many thanks,
L
> I'm surprised the port checker didn't discover this if it is a firewall issue
> and that would be a bug (either the port not being checked or not using the proxy).
>
> rob
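
The check suggested in the reply (firewall versus remote CA not running), as an added example that is not part of the original thread or of FreeIPA's code: a TCP probe of port 8080 that separates "refused" (the Errno 111 seen in the log) from a silent timeout. The function name `probe_tcp`, the `HINTS` table and the sample hostname are assumptions made for illustration.

```python
import errno
import socket
import sys

CA_PORT = 8080  # port named in the reply above as the dogtag default

# What each outcome usually points to when run from the replica host.
HINTS = {
    "open": "a listener answered; the port is reachable from here",
    "refused": "host replied with a reset: nothing listening on the port "
               "(CA not running) or a firewall REJECT rule",
    "timeout": "no reply at all: typical of a firewall DROP rule",
    "unreachable": "no route to the host or network",
}


def probe_tcp(host, port=CA_PORT, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        # ECONNREFUSED is errno 111 on Linux, as in the installer log.
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        # Anything else (e.g. name resolution failure) is reported by name.
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


if __name__ == "__main__":
    # Hypothetical hostname; pass the existing CA master as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa-master.example.test"
    result = probe_tcp(target)
    print("%s:%d -> %s (%s)" % (target, CA_PORT, result,
                                HINTS.get(result, "see errno name")))
```

A "refused" result against a host where the CA service is confirmed running points at a REJECT rule in between rather than at the CA itself.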



