[Freeipa-users] CA Fails to build Replica (w/External CA)

Tomas Krizek tkrizek at redhat.com
Wed Sep 21 13:47:15 UTC 2016


On 09/21/2016 02:13 AM, Korey Chapman wrote:
> Hello list,
>
> I'm currently attempting to add a second CA server to our IPA cluster 
> (all servers CentOS 7.2 with IPA 4.2.0). However, it is failing no 
> matter how I try to set up the CA (ipa-replica-install with --setup-ca 
> or ipa-replica-install followed by ipa-ca-install). The only useful 
> thing in the logs is an error about a missing key for "trust_flags" in 
> the pki setup. Our infrastructure uses FreeIPA with an external CA.
>
> Any ideas/help would be greatly appreciated. Here are the log snips 
> from my most recent attempt:
>
> Command output snip from "ipa-replica-install 
> /root/replica-info-auth-002.XXX.gpg --setup-ca"
> Configuring certificate server (pki-tomcatd). Estimated time: 3 
> minutes 30 seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
> '/tmp/tmpYofMPt'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
> installation logs and the following files/directories for more 
> information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA 
> configuration failed
>
>
> Log snip from ipareplica-install.log:
>
> 2016-09-20T23:42:27Z DEBUG Starting external process
> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
> '/tmp/tmpYofMPt'
> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
> 2016-09-20T23:42:31Z DEBUG stdout=Log file: 
> /var/log/pki/pki-ca-spawn.20160920234227.log
> Loading deployment configuration from /tmp/tmpYofMPt.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into 
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-09-20T23:42:31Z DEBUG 
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
> certificate verification is strongly advised. See: 
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> Traceback (most recent call last):
>   File "/bin/pki", line 254, in <module>
>     cli.execute(sys.argv)
>   File "/bin/pki", line 240, in execute
>     module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 
> 195, in execute
>     module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, 
> in execute
>     trust_flags = cert_info['trust_flags']
> KeyError: 'trust_flags'
>
>
> -- 
> Korey
>
>
Hi Korey,

could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

It might also be helpful to verify that the correct trust flags are set in the nssdb: 
certutil -d /etc/pki/pki-tomcat/alias/ -L

Finally, can you check that LDAPS is running on port 636 on the replica 
where you're trying to install the CA (i.e. by nmap localhost)?

-- 
Tomas Krizek

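The certutil listing Tomas asks for is easier to review when it is parsed rather than eyeballed, so here is an added example (not code from this thread, FreeIPA or Dogtag) that reads `certutil -L` output and reports entries whose trust column is empty or which lack the C (trusted CA) flag. The sample listing is constructed for the example: the nicknames are the ones Dogtag uses, but the flag values are assumed and not taken from Korey's system.

```python
import re
import subprocess
from collections import OrderedDict

# Constructed sample of `certutil -d /etc/pki/pki-tomcat/alias/ -L` output.
# Nicknames are the ones Dogtag uses; the trust values are made up for the
# example, including an external root that was imported with no flags.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
External Root CA                                             ,,
"""

# One NSS trust column: SSL, S/MIME and JAR/XPI flags separated by commas.
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")

def parse_certutil_list(text):
    """Parse certutil -L output into {nickname: (ssl, smime, jar)} in listing order."""
    certs = OrderedDict()
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") or line.lstrip().startswith("SSL,"):
            continue  # blank line or the two-line header
        # Nicknames may contain spaces: the trust column is the last token.
        nickname, flags = line.rsplit(None, 1)
        if not TRUST_RE.match(flags):
            raise ValueError("unexpected trust column %r in %r" % (flags, line))
        certs[nickname] = tuple(flags.split(","))
    return certs

def certs_without_trust(certs):
    """Nicknames whose trust attributes are completely empty (listed as ',,')."""
    return [nick for nick, flags in certs.items() if not any(flags)]

def is_trusted_ca(certs, nickname):
    """True if the entry carries the C (trusted CA) flag in the SSL column."""
    flags = certs.get(nickname)
    return flags is not None and "C" in flags[0]

def list_nssdb(path="/etc/pki/pki-tomcat/alias/"):
    """Run certutil against a real nssdb (needs nss-tools; not used by the test)."""
    out = subprocess.check_output(["certutil", "-d", path, "-L"], universal_newlines=True)
    return parse_certutil_list(out)
```

Entries reported by certs_without_trust are the ones to look at first on a replica whose pkispawn run stops on the trust_flags key, since they are the certificates for which the nssdb holds no trust information at all.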