[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

Rob Crittenden rcritten at redhat.com
Tue Jun 7 18:44:26 UTC 2016


lejeczek wrote:
>
>
> On 25/05/16 14:19, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi there,
>>>
>>> I'm trying to set up a replica with: --setup-dns --no-forwarders
>>> --setup-ca
>>>
>>> installer fails at:
>>>
>>>   [10/23]: importing CA chain to RA certificate database
>>>    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
>>> Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> more from log:
>>>
>>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
>>> certificate database
>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 418, in start_creation
>>>      run_step(full_msg, method)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 408, in run_step
>>>      method()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 1015, in __import_ca_chain
>>>      chain = self.__get_ca_chain()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 997, in __get_ca_chain
>>>      raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection
>>> refused
>>>
>>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
>>> chain: [Errno 111] Connection refused
>>> 2016-05-25T12:38:31Z DEBUG   File
>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>> execute
>>>
>>> what might be the problem?
>>
>> It is failing getting the CA chain from dogtag. It uses port 8080 by
>> default. I'd check your firewall and that the remote CA is up.
>>
> is 8080 needed only @installation time or all the time?
> many thanks,

I think it's just needed during install but I didn't pore over the code.
Once up the data replicates, depending on version, on 389 or 7389 and 
all other access should be proxied through 443.

rob
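
A reachability check for the ports named in this thread, as an added example that is not part of the original messages or of FreeIPA's code. Run from the replica, it probes each port on the master and separates "refused" (the installer's Errno 111) from a timeout; the function names and the hostname passed on the command line are assumptions.

```python
import errno
import socket
import sys

# Ports named in the thread: 8080 (CA chain fetch from dogtag at install time),
# 389 or 7389 (replication, depending on version), 443 (proxied access).
PORTS = {8080: "dogtag CA chain (install)", 389: "replication",
         7389: "replication (depending on version)", 443: "proxied access"}

HINTS = {
    "open": "reachable",
    "refused": "host answered but nothing accepted the connection: "
               "service not listening, or a firewall actively rejecting",
    "timeout": "no answer: packets probably dropped by a firewall, or host down",
    "unresolved": "hostname did not resolve: check DNS on the replica",
}

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout', 'unresolved' or 'error:<name>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"  # same condition as the installer's [Errno 111]
    except socket.gaierror:
        return "unresolved"
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))

def check(host, ports=PORTS):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port) for port in ports}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_ports.py <master-hostname>")
    results = check(sys.argv[1])
    for port, state in sorted(results.items()):
        print("%5d %-36s %-10s %s" % (port, PORTS[port], state,
                                      HINTS.get(state, "see errno")))
    # Non-zero exit if the install-time CA port is not reachable.
    sys.exit(0 if results[8080] == "open" else 1)
```

A "refused" result on 8080 with the other ports open points at the CA service on the master rather than at the network path.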



