[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

lejeczek peljasz at yahoo.co.uk
Wed May 25 18:49:09 UTC 2016



On 25/05/16 16:46, Rob Crittenden wrote:
> lejeczek wrote:
>>
>>
>> On 25/05/16 14:19, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> hi there,
>>>>
>>>> I'm trying to set up a replica with: --setup-dns 
>>>> --no-forwarders
>>>> --setup-ca
>>>>
>>>> installer fails at:
>>>>
>>>>   [10/23]: importing CA chain to RA certificate database
>>>>    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> more from log:
>>>>
>>>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
>>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>>      run_step(full_msg, method)
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>>      method()
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
>>>>      chain = self.__get_ca_chain()
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
>>>>      raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>>>
>>>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>>> 2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>
>>>> what might be the problem?
>>>
>>> It is failing getting the CA chain from dogtag. It uses 
>>> port 8080 by
>>> default. I'd check your firewall and that the remote CA 
>>> is up.
>>>
>> thanks Rob,
>> I opened 8080/tcp (it was closed) but still a failure I 
>> get, different
>> error though:
>>
>>    [2/23]: configuring certificate server instance
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>>    [error] RuntimeError: CA configuration failed.
>>
>> I noticed - /var/log/pki-ca-install.log does NOT exist
>> and log file:
>>
>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>> 2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>>    InsecureRequestWarning)
>> pkispawn    : ERROR    ....... server failed to restart
>>
>> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
>> 2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:
>
> You need to look in those files/directories for more 
> details. Dogtag doesn't return much on failures and we 
> display what we have but all the real meat is in those logs.
>
>> can I ask a question? - my nss.conf is pretty 
>> plain-vanilla, uses :443 -
>> why does installer complain about it being used and I 
>> have to change the
>> port for installer to start?
>
> Because there is no easy way to determine what is using 
> that port. If it is mod_ssl or some other web server 
> instead then things go sideways pretty fast.
>
but will it all not break precisely because I have to change the 
port? I then take a glance and see https:/// only and the 
installer does not take that port into account, so how will the 
whole IPA work if nss listens on a non-standard port?
regards
> rob
>
>>
>>> I'm surprised the port checker didn't discover this if 
>>> it is a
>>> firewall issue and that would be a bug (either the port 
>>> not being
>>> checked or not using the proxy).
>>>
>>> rob
>>
>
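A small triage helper, added here as an example and not part of the thread or of FreeIPA itself: it pulls the failing step and errno out of installer log lines like the ones quoted above (the sample below is constructed from those quoted lines), maps the errno to the check Rob suggests (firewall, remote CA up on tcp/8080), and makes the same plain TCP connect the installer's HTTP client would against the master's 8080 and 443. It is Python 3; the master hostname is a placeholder, the log-line format is taken from the quoted excerpts, and the errno-to-hint mapping is this example's own assumption.

```python
import errno
import re
import socket
import sys

# Constructed sample built from the log excerpts quoted in this thread
# (the two failing steps, one per installer run).
SAMPLE_LOG = """\
2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T14:12:21Z DEBUG   [2/23]: configuring certificate server instance
2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
"""

STEP_RE = re.compile(r"\[(\d+)/(\d+)\]: (.+)$")      # "[10/23]: importing CA chain ..."
ERRNO_RE = re.compile(r"\[Errno (\d+)\]")            # "[Errno 111]"
MSG_RE = re.compile(r"\b(?:DEBUG|CRITICAL)\s+(.*)$")  # text after the log level

# What to check next for each connection failure shape.  The 8080/dogtag and
# pki-tomcat hints restate the thread; the errno mapping is an assumption.
HINTS = {
    errno.ECONNREFUSED: "nothing listening or a firewall rejecting: check the master's dogtag on tcp/8080 is up and reachable",
    errno.ETIMEDOUT: "no answer at all: usually a firewall silently dropping packets",
    errno.EHOSTUNREACH: "no route to the master: check DNS and routing first",
}


def parse_failures(log_text):
    """Return [(step_label, message, errno_or_None)] for each [error]/CRITICAL line."""
    failures = []
    current_step = None
    for line in log_text.splitlines():
        m = STEP_RE.search(line)
        if m:
            # Remember the most recent "[n/N]: ..." step so a later error can be attributed to it.
            current_step = "[%s/%s] %s" % (m.group(1), m.group(2), m.group(3).strip())
            continue
        if "[error]" in line or " CRITICAL " in line:
            mm = MSG_RE.search(line)
            msg = mm.group(1).strip() if mm else line.strip()
            em = ERRNO_RE.search(line)
            code = int(em.group(1)) if em else None
            failures.append((current_step, msg, code))
    return failures


def hint_for(code):
    """Map an errno found in the installer log to what to check next."""
    if code is None:
        return "no errno in the message: read the logs the installer names (/var/log/pki/pki-tomcat)"
    return HINTS.get(code, "errno %d (%s): see errno(3)" % (code, errno.errorcode.get(code, "?")))


def probe_port(host, port, timeout=3.0):
    """TCP-connect to host:port as the installer's HTTP client would; return (ok, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, HINTS[errno.ETIMEDOUT]
    except OSError as e:
        if e.errno in HINTS:
            return False, HINTS[e.errno]
        return False, "%s (%s)" % (e, errno.errorcode.get(e.errno, "no errno"))


def free_loopback_port():
    """Bind and release a loopback port so it is known to be closed (for a self-check)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Placeholder master name; pass the real one as the first argument.
    master = sys.argv[1] if len(sys.argv) > 1 else "ipa-master.example.test"
    for step, msg, code in parse_failures(SAMPLE_LOG):
        print("%s\n    %s\n    -> %s" % (step, msg, hint_for(code)))
    # Ports the thread mentions: 8080 (dogtag, where the CA chain is fetched) and 443 (httpd/nss).
    for port in (8080, 443):
        print("%s:%d -> %s" % ((master, port) + probe_port(master, port)))
```

Run it on the replica with the master's hostname as the argument; a refused connect on 8080 reproduces the first failure in the thread, while a clean connect points the search at the pkispawn logs instead, as the second failure shows.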



