[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
lejeczek
peljasz at yahoo.co.uk
Thu May 26 15:15:06 UTC 2016
On 25/05/16 20:27, Rob Crittenden wrote:
> lejeczek wrote:
>>
>>
>> On 25/05/16 16:46, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>>
>>>>
>>>> On 25/05/16 14:19, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> hi there,
>>>>>>
>>>>>> I'm trying to set up a replica with: --setup-dns
>>>>>> --no-forwarders
>>>>>> --setup-ca
>>>>>>
>>>>>> installer fails at:
>>>>>>
>>>>>> [10/23]: importing CA chain to RA certificate database
>>>>>> [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>>>>> Your system may be partly configured.
>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>
>>>>>> more from log:
>>>>>>
>>>>>> 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database
>>>>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>>>>     method()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
>>>>>>     chain = self.__get_ca_chain()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
>>>>>>     raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>>>>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>>>>>
>>>>>> 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>>>>> 2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>
>>>>>> what might be the problem?
>>>>>
>>>>> It is failing getting the CA chain from dogtag. It
>>>>> uses port 8080 by
>>>>> default. I'd check your firewall and that the remote
>>>>> CA is up.
>>>>>
>>>> thanks Rob,
>>>> I opened 8080/tcp (it was closed) but I still get a failure, with a
>>>> different error though:
>>>>
>>>> [2/23]: configuring certificate server instance
>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
>>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>>>> [error] RuntimeError: CA configuration failed.
>>>>
>>>> I noticed that /var/log/pki-ca-install.log does NOT exist, and the
>>>> log file shows:
>>>>
>>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>> Installation failed.
>>>> 2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>>>>   InsecureRequestWarning)
>>>> pkispawn : ERROR ....... server failed to restart
>>>>
>>>> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
>>>> 2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:
>>>
>>> You need to look in those files/directories for more
>>> details. Dogtag
>>> doesn't return much on failures and we display what we
>>> have but all
>>> the real meat is in those logs.
>>>
>>>> can I ask a question? - my nss.conf is pretty plain-vanilla, it uses :443 -
>>>> why does the installer complain about that port being in use, and why do I
>>>> have to change the port for the installer to start?
>>>
>>> Because there is no easy way to determine what is using
>>> that port. If
>>> it is mod_ssl or some other web server instead then
>>> things go sideways
>>> pretty fast.
>>>
>> but will it all not break precisely because I have to change the
>> port? I then take a glance and see https:/// only, and the installer
>> does not take that port into account, so how will the whole IPA work
>> if nss listens on a non-standard port?
>
> I'm not sure I follow. The installer will (or should)
> change nss.conf to listen on 443. The default is 8443.
>
> If you take a vanilla instance and install mod_ssl and
> mod_nss on it then Apache will listen on ports 443 and
> 8443. IPA requires mod_nss to listen on 443 so the install
> will fail. This is what we are trying to prevent. It isn't
> a mod_nss or mod_ssl issue but only one thing can listen
> on any given port.
>
> The installer looks at things just enough to detect that
> something might be wrong and it blows up so it can be
> manually addressed because whatever we did automatically
> would be wrong and potentially catastrophic for somebody's
> use case.
>
>
> rob
>
when it fails with:
[1/24]: creating certificate server user
[2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpNF7gTf'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
first - this: /var/log/pki-ca-install.log never gets created, might it be a bug?
second is the install log:
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-26T15:07:25Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : ERROR ....... server failed to restart
2016-05-26T15:07:25Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpNF7gTf'' returned non-zero exit status 1
2016-05-26T15:07:25Z CRITICAL See the installation logs and the following files/directories for more information:
2016-05-26T15:07:25Z CRITICAL /var/log/pki-ca-install.log
2016-05-26T15:07:25Z CRITICAL /var/log/pki/pki-tomcat
third is: pki-ca-spawn.%%%.log
2016-05-26 16:06:24 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-05-26 16:06:24 pkispawn : DEBUG ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-05-26 16:06:24 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-LqkPbX -f /root/.dogtag/pki-tomcat/ca/password.conf'
2016-05-26 16:06:24 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2016-05-26 16:06:24 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2016-05-26 16:06:24 pkispawn : DEBUG ........... No connection - server may still be down
2016-05-26 16:06:24 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
...
...
Error: Not Found
2016-05-26 16:07:25 pkispawn : ERROR ....... server failed to restart
2016-05-26 16:07:25 pkispawn : DEBUG ....... Error Type: Exception
2016-05-26 16:07:25 pkispawn : DEBUG ....... Error Message: server failed to restart
2016-05-26 16:07:25 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
    rv = scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 234, in spawn
    raise Exception("server failed to restart")
Is it the replica's own pki-tomcatd@pki-tomcat.service that fails? If
so, then this makes it all strange:
systemctl status -l pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-05-26 16:06:24 BST; 6min ago
  Process: 14276 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 14415 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─14415 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
May 26 16:06:33 work5 server[14415]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 2,589 ms
May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.coyote.AbstractProtocol start
May 26 16:06:33 work5 server[14415]: INFO: Starting ProtocolHandler ["http-bio-8080"]
May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.coyote.AbstractProtocol start
May 26 16:06:33 work5 server[14415]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
May 26 16:06:33 work5 server[14415]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
May 26 16:06:33 work5 server[14415]: PKIListener: Subsystem CA is running.
May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.catalina.startup.Catalina start
May 26 16:06:33 work5 server[14415]: INFO: Server startup in 6805 ms
I really cannot find anything blatantly obvious in those logs.
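As an added pre-flight check illustrating the port question Rob answers above (my own helper, not FreeIPA's or this thread's code; the /etc/httpd/conf.d path and the ssl.conf file name for mod_ssl are assumptions), this reports which Apache config files claim port 443 and which process already holds 8080 before the replica install is attempted:

```shell
#!/bin/sh
# Added pre-flight helper (hypothetical, not part of FreeIPA): before running
# ipa-replica-install --setup-ca, report who owns the ports it depends on.
#   443  must be mod_nss only; the installer rewrites nss.conf from 8443 to 443
#        and refuses to guess if another Listen (e.g. mod_ssl) is on 443
#   8080 must be free for dogtag (pki-tomcat), which serves the CA chain
# Inputs are passed as arguments so the checks run on captured data too.

# listen_owners CONF_DIR PORT
#   Print each *.conf under CONF_DIR with an uncommented Apache "Listen" for PORT.
listen_owners() {
    dir=$1; port=$2
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # matches "Listen 443", "Listen 10.0.0.5:443", "Listen [::]:443 https"
        if grep -Eq "^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?${port}([[:space:]]|\$)" "$f"; then
            basename "$f"
        fi
    done
}

# https_conflict CONF_DIR
#   Return 1 when a file other than nss.conf also claims 443: the mod_ssl
#   versus mod_nss clash the installer detects and aborts on.
https_conflict() {
    others=$(listen_owners "$1" 443 | grep -v '^nss\.conf$' || true)
    [ -z "$others" ] || { echo "port 443 also claimed by: $others"; return 1; }
}

# socket_owners SS_OUTPUT PORT
#   Given the text of `ss -ltnp`, print the process bound to PORT, one per
#   listening socket. No output means the port is free (e.g. 8080 for dogtag).
socket_owners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 {                                   # skip the header row
            addr = $4; sub(/.*:/, "", addr)        # Local Address:Port -> port
            if (addr != port) next
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/))    # users:(("httpd",pid=...
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print proc
        }'
}

# Stand-alone use on a live host: audit the Apache configs and the sockets.
if [ "${1:-}" = "--live" ]; then
    https_conflict /etc/httpd/conf.d && echo "443: only nss.conf listens"
    socket_owners "$(ss -ltnp)" 8080 | sed 's/^/8080 owned by: /'
fi
```

Run it with `--live` as root on the replica-to-be; a non-empty "8080 owned by" line or a second file on 443 is what makes pkispawn or the installer abort as shown in the logs above.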