[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

Rob Crittenden rcritten at redhat.com
Wed May 25 19:27:35 UTC 2016


lejeczek wrote:
>
>
> On 25/05/16 16:46, Rob Crittenden wrote:
>> lejeczek wrote:
>>>
>>>
>>> On 25/05/16 14:19, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> hi there,
>>>>>
>>>>> I'm trying to set up a replica with: --setup-dns --no-forwarders
>>>>> --setup-ca
>>>>>
>>>>> installer fails at:
>>>>>
>>>>>   [10/23]: importing CA chain to RA certificate database
>>>>>    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
>>>>> Connection refused
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> more from log:
>>>>>
>>>>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
>>>>> certificate database
>>>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>> line 418, in start_creation
>>>>>      run_step(full_msg, method)
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>> line 408, in run_step
>>>>>      method()
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>> line 1015, in __import_ca_chain
>>>>>      chain = self.__get_ca_chain()
>>>>>    File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>> line 997, in __get_ca_chain
>>>>>      raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>>>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection
>>>>> refused
>>>>>
>>>>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to
>>>>> retrieve CA
>>>>> chain: [Errno 111] Connection refused
>>>>> 2016-05-25T12:38:31Z DEBUG   File
>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>>>> execute
>>>>>
>>>>> what might be the problem?
>>>>
>>>> It is failing getting the CA chain from dogtag. It uses port 8080 by
>>>> default. I'd check your firewall and that the remote CA is up.
>>>>
>>> thanks Rob,
>>> I opened 8080/tcp (it was closed) but I still get a failure, a different
>>> error though:
>>>
>>>    [2/23]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
>>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>> '/tmp/tmpY2oGh1'' returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
>>> installation logs and the following files/directories for more
>>> information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki/pki-tomcat
>>>    [error] RuntimeError: CA configuration failed.
>>>
>>> I noticed - /var/log/pki-ca-install.log does NOT exist
>>> and log file:
>>>
>>> Storing deployment configuration into
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>> Installation failed.
>>> 2016-05-25T14:12:21Z DEBUG
>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>>> certificate verification is strongly advised. See:
>>> https://urllib3.readthedocs.org/en/latest/security.html
>>>    InsecureRequestWarning)
>>> pkispawn    : ERROR    ....... server failed to restart
>>>
>>> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command
>>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero
>>> exit status 1
>>> 2016-05-25T14:12:21Z CRITICAL See the installation logs and the
>>> following files/directories for more information:
>>
>> You need to look in those files/directories for more details. Dogtag
>> doesn't return much on failures and we display what we have but all
>> the real meat is in those logs.
>>
>>> can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 -
>>> why does the installer complain about it being used, and why do I have to
>>> change the port for the installer to start?
>>
>> Because there is no easy way to determine what is using that port. If
>> it is mod_ssl or some other web server instead then things go sideways
>> pretty fast.
>>
> but will it all not break precisely because I have to change the port? I
> then take a glance and see https:/// only and the installer does not take
> that port into account, so how will the whole of IPA work if nss listens on
> a non-standard port?

I'm not sure I follow. The installer will (or should) change nss.conf to 
listen on 443. The default is 8443.

If you take a vanilla instance and install mod_ssl and mod_nss on it 
then Apache will listen on ports 443 and 8443. IPA requires mod_nss to 
listen on 443 so the install will fail. This is what we are trying to 
prevent. It isn't a mod_nss or mod_ssl issue but only one thing can 
listen on any given port.

The installer looks at things just enough to detect that something might 
be wrong and it blows up so it can be manually addressed because 
whatever we did automatically would be wrong and potentially 
catastrophic for somebody's use case.


rob
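Rob's two diagnostic pointers in this thread, whether the master's dogtag CA is reachable on TCP 8080 and what already holds port 443 locally before the installer tries to put mod_nss there, can be scripted as a pre-flight check before re-running the replica install. The script below is an added example written for this page; it is not FreeIPA code and not from either poster. It assumes the `ss -tlnp` output format, a stock mod_nss nss.conf with a `Listen <port>` line, bash being available for the `/dev/tcp` probe, and coreutils `timeout`; the sample `ss` output and nss.conf fragment are constructed.

```shell
#!/bin/sh
# Added pre-flight check for a FreeIPA replica install with --setup-ca.
# Example code, not FreeIPA's own: it automates the two checks from the
# thread (can this host reach the master's dogtag CA on TCP 8080, and who
# already owns local 443/8443 before mod_nss is moved onto 443).
# Assumptions (not from the thread): `ss -tlnp` output format, a stock
# nss.conf "Listen <port>" line, bash present for /dev/tcp, coreutils timeout.

# Port the replica installer fetches the CA chain from (per the thread: 8080).
CA_CHAIN_PORT=8080

# Constructed sample of `ss -tlnp` output, used when no master host is given.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 *:443 *:* users:(("httpd",pid=1420,fd=6))
LISTEN 0 100 *:8443 *:* users:(("httpd",pid=1420,fd=7))'

# Constructed sample of a stock (pre-IPA) mod_nss nss.conf fragment.
SAMPLE_NSS_CONF='LoadModule nss_module modules/libmodnss.so
Listen 8443
<VirtualHost _default_:8443>'

# listener_for_port PORT   (stdin: `ss -tlnp` output)
# Prints the process name listening on PORT, "unknown" when ss could not
# show the owner (e.g. not run as root), or "none" if nothing listens there.
listener_for_port() {
    awk -v want="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")           # last element is the port
            if (a[n] == want) {
                found = 1
                if (match($NF, /"[^"]+"/))  # users:(("httpd",pid=...))
                    print substr($NF, RSTART + 1, RLENGTH - 2)
                else
                    print "unknown"
                exit
            }
        }
        END { if (!found) print "none" }'
}

# nss_listen_port   (stdin: nss.conf contents)
# Prints the port of the first Listen directive ("Listen 8443" or
# "Listen 0.0.0.0:443"), or "none" if there is no Listen line.
nss_listen_port() {
    awk '$1 == "Listen" { n = split($2, a, ":"); print a[n]; found = 1; exit }
         END { if (!found) print "none" }'
}

# ca_port_reachable HOST PORT
# Returns 0 if a TCP connection to HOST:PORT succeeds within 5 seconds.
# Uses bash /dev/tcp so no nc/telnet is needed (assumption: bash installed).
ca_port_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

if [ -n "${1:-}" ]; then
    master="$1"
    if ca_port_reachable "$master" "$CA_CHAIN_PORT"; then
        echo "ok: $master:$CA_CHAIN_PORT reachable, CA chain fetch should work"
    else
        echo "FAIL: cannot connect to $master:$CA_CHAIN_PORT (firewall closed or CA down?)"
    fi
    for p in 443 8443; do
        echo "local :$p owner: $(ss -tlnp | listener_for_port "$p")"
    done
    if [ -r /etc/httpd/conf.d/nss.conf ]; then
        echo "nss.conf Listen: $(nss_listen_port < /etc/httpd/conf.d/nss.conf)"
    fi
else
    echo "demo on constructed samples (pass the master FQDN for a live check):"
    for p in 443 8443; do
        echo "local :$p owner: $(printf '%s\n' "$SAMPLE_SS" | listener_for_port "$p")"
    done
    echo "nss.conf Listen: $(printf '%s\n' "$SAMPLE_NSS_CONF" | nss_listen_port)"
fi
```

Anything other than "none" for port 443 is the situation Rob describes: the installer will refuse to proceed rather than guess what to evict, so resolve the conflict (typically a stock mod_ssl listening on 443) by hand before running the replica install again. Run the script as root if you want `ss` to report the owning process name rather than "unknown".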
