[Freeipa-users] CA Fails to build Replica (w/External CA)
Tomas Krizek
tkrizek at redhat.com
Wed Sep 21 13:47:15 UTC 2016
On 09/21/2016 02:13 AM, Korey Chapman wrote:
> Hello list,
>
> I'm currently attempting to add a second CA server to our IPA cluster
> (all servers Centos 7.2 with IPA 4.2.0). However, it is failing no
> matter how I try to setup the CA (ipa-replica-install with --setup-ca
> or ipa-replica-install followed by ipa-ca-install). The only useful
> thing in the logs is an error about a missing key for "trust_flags" in
> the pki setup. Our infrastructure uses FreeIPA with an external CA.
>
> Any ideas/help would be greatly appreciated. Here are the logs snips
> from my most recent attempt:
>
> Command output snip from "ipa-replica-install
> /root/replica-info-auth-002.XXX.gpg --setup-ca"
> Configuring certificate server (pki-tomcatd). Estimated time: 3
> minutes 30 seconds
> [1/24]: creating certificate server user
> [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpYofMPt'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more
> information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA
> configuration failed
>
>
> Log snip from ipareplica-install.log:
>
> 2016-09-20T23:42:27Z DEBUG Starting external process
> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpYofMPt'
> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
> 2016-09-20T23:42:31Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160920234227.log
> Loading deployment configuration from /tmp/tmpYofMPt.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-09-20T23:42:31Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
> InsecureRequestWarning)
> Traceback (most recent call last):
> File "/bin/pki", line 254, in <module>
> cli.execute(sys.argv)
> File "/bin/pki", line 240, in execute
> module.execute(module_args)
> File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line
> 195, in execute
> module.execute(module_args)
> File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222,
> in execute
> trust_flags = cert_info['trust_flags']
> KeyError: 'trust_flags'
>
>
> --
> Korey
>
>
Hi Korey,
could you check if there is any more info in /var/log/pki/pki-ca-spawn log?
It might also be helpful verify if correct trust flags are set in nssdb:
certutil -d /etc/pki/pki-tomcat/alias/ -L
Finally, can you check that LDAPS is running on port 636 on the replica
where you're trying to install the CA (i.e. by nmap localhost)?
--
Tomas Krizek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160921/dea664b3/attachment.htm>
More information about the Freeipa-users
mailing list