[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
lejeczek
peljasz at yahoo.co.uk
Wed May 25 18:49:09 UTC 2016
On 25/05/16 16:46, Rob Crittenden wrote:
> lejeczek wrote:
>>
>>
>> On 25/05/16 14:19, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> hi there,
>>>>
>>>> I'm trying to set up a replica with: --setup-dns
>>>> --no-forwarders
>>>> --setup-ca
>>>>
>>>> installer fails at:
>>>>
>>>> [10/23]: importing CA chain to RA certificate database
>>>> [error] RuntimeError: Unable to retrieve CA chain:
>>>> [Errno 111]
>>>> Connection refused
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> more from log:
>>>>
>>>> 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA
>>>> chain to RA
>>>> certificate database
>>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call
>>>> last):
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>
>>>> line 418, in start_creation
>>>> run_step(full_msg, method)
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>
>>>> line 408, in run_step
>>>> method()
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line
>>>> 1015, in __import_ca_chain
>>>> chain = self.__get_ca_chain()
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line
>>>> 997, in __get_ca_chain
>>>> raise RuntimeError("Unable to retrieve CA chain:
>>>> %s" % str(e))
>>>> RuntimeError: Unable to retrieve CA chain: [Errno 111]
>>>> Connection
>>>> refused
>>>>
>>>> 2016-05-25T12:38:31Z DEBUG [error] RuntimeError:
>>>> Unable to retrieve CA
>>>> chain: [Errno 111] Connection refused
>>>> 2016-05-25T12:38:31Z DEBUG File
>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>>>> line 171, in
>>>> execute
>>>>
>>>> what might be the problem?
>>>
>>> It is failing getting the CA chain from dogtag. It uses
>>> port 8080 by
>>> default. I'd check your firewall and that the remote CA
>>> is up.
>>>
>> thanks Rob,
>> I opened 8080/tcp (it was closed) but still a failure I
>> get, different
>> error though:
>>
>> [2/23]: configuring certificate server instance
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>> Failed to
>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s'
>> 'CA' '-f'
>> '/tmp/tmpY2oGh1'' returned non-zero exit status 1
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See
>> the
>> installation logs and the following files/directories for
>> more information:
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>> /var/log/pki-ca-install.log
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>> /var/log/pki/pki-tomcat
>> [error] RuntimeError: CA configuration failed.
>>
>> I noticed - /var/log/pki-ca-install.log does NOT exist
>> and log file:
>>
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>> 2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>> InsecureRequestWarning)
>> pkispawn : ERROR ....... server failed to restart
>>
>> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
>> 2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:
>
> You need to look in those files/directories for more
> details. Dogtag doesn't return much on failures and we
> display what we have but all the real meat is in those logs.
>
>> can I ask a question? - my nss.conf is pretty
>> plain-vanilla, uses :443 -
>> why does installer complain about it being used and I
>> have to change the
>> port for installer to start?
>
> Because there is no easy way to determine what is using
> that port. If it is mod_ssl or some other web server
> instead then things go sideways pretty fast.
>
But will it not all break precisely because I have to change the
port? I then take a glance and see https:/// only, and the
installer does not take that port into account, so how will the
whole IPA work if nss listens on a non-standard port?
regards
> rob
>
>>
>>> I'm surprised the port checker didn't discover this if
>>> it is a
>>> firewall issue and that would be a bug (either the port
>>> not being
>>> checked or not using the proxy).
>>>
>>> rob
>>
>
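A pre-flight connectivity check for the failure discussed in this thread, added here as an example and not part of the list discussion or of FreeIPA's own installer. It probes the master's replica-relevant ports and reports whether a connection was refused (the [Errno 111] in the log: RST or ICMP reject, i.e. the service is down, not on that port, or a rejecting firewall) or silently dropped (a timeout, typical of a dropping firewall). Only 8080 and 443 come from the thread; the other ports are an assumption about a standard FreeIPA topology, and `demo_loopback` uses a constructed local listener.

```python
import errno
import socket

# Ports a new replica needs to reach on the master. 8080 (Dogtag CA) and 443
# are from the thread; the rest are assumed standard FreeIPA service ports.
REPLICA_PORTS = {
    8080: "Dogtag CA (CA chain retrieval)",
    443: "HTTPS / IPA API",
    389: "LDAP",
    636: "LDAPS",
    88: "Kerberos",
    464: "kpasswd",
    53: "DNS",
}

def classify_probe(host, port, timeout=3.0):
    """TCP connect to host:port and say why it did or did not succeed.

    'refused'  -> RST or ICMP reject: nothing listening, or a rejecting firewall
                  (this is the installer's [Errno 111] Connection refused).
    'filtered' -> no answer before the timeout: a firewall that drops packets.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except socket.gaierror:
        return "unresolved"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:%s" % e.strerror

def check_master(host, ports=REPLICA_PORTS, timeout=3.0):
    """Probe every replica-relevant port on the master; returns {port: state}."""
    return {p: classify_probe(host, p, timeout) for p in ports}

def demo_loopback():
    """Constructed check: an ephemeral loopback listener reads 'open', and the
    same port after the listener is closed reads 'refused'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    before = classify_probe("127.0.0.1", port, timeout=1.0)
    srv.close()
    after = classify_probe("127.0.0.1", port, timeout=1.0)
    return before, after
```

Run `check_master("master.example.test")` (hypothetical hostname) from the replica before `ipa-replica-install`; a "filtered" 8080 points at a firewall, a "refused" one at Dogtag not running or a reject rule.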