[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
lejeczek
peljasz at yahoo.co.uk
Wed May 25 14:37:49 UTC 2016
On 25/05/16 14:19, Rob Crittenden wrote:
> lejeczek wrote:
>> hi there,
>>
>> I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca
>>
>> installer fails at:
>>
>> [10/23]: importing CA chain to RA certificate database
>> [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> more from log:
>>
>> 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database
>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
>>     chain = self.__get_ca_chain()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
>>     raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>
>> 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>> 2016-05-25T12:38:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>
>> what might be the problem?
>
> It is failing getting the CA chain from dogtag. It uses
> port 8080 by default. I'd check your firewall and that the
> remote CA is up.
>
thanks Rob,
I opened 8080/tcp (it was closed) but I still get a failure,
different error though:
[2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn : ERROR ....... server failed to restart
2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:
can I ask a question? - my nss.conf is pretty plain-vanilla,
uses :443 - why does installer complain about it being used
and I have to change the port for installer to start?
> I'm surprised the port checker didn't discover this if it
> is a firewall issue and that would be a bug (either the
> port not being checked or not using the proxy).
>
> rob
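
Added example, not part of the original thread or of FreeIPA's code: a small probe for the check suggested in the reply above (firewall versus the remote CA being up), run from the replica against the master's dogtag port 8080. The function names and hint texts are hypothetical; the host name is supplied on the command line.

```python
import errno
import socket
import sys

DOGTAG_PORT = 8080  # port named in the reply above

HINTS = {  # wording is this example's own, not installer output
    "open": "something is listening; a TCP connect alone does not prove the CA is healthy",
    "refused": "host answered but nothing accepted: service not listening, or firewall sending a TCP reset",
    "unreachable": "ICMP unreachable: routing problem or a firewall REJECT rule",
    "filtered": "no answer before the timeout: packets dropped by a firewall, or host down",
    "dns": "host name did not resolve",
    "error": "other socket error",
}


def classify(exc):
    """Map a failed connect() to the likely cause."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, OSError):
        if exc.errno == errno.ECONNREFUSED:  # Errno 111 on Linux, as in the traceback
            return "refused"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
    return "error"


def probe(host, port=DOGTAG_PORT, timeout=3.0):
    """Attempt one TCP connection and return a state key from HINTS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def report(host, port=DOGTAG_PORT, timeout=3.0):
    state = probe(host, port, timeout)
    return "%s:%d %s - %s" % (host, port, state, HINTS[state])


if __name__ == "__main__":
    for name in sys.argv[1:]:  # e.g. the master's host name
        print(report(name))
```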