[Freeipa-users] CA Fails to build Replica (w/External CA)
Korey Chapman
koreyc at gmail.com
Wed Sep 21 15:38:37 UTC 2016
On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>
> Hello list,
>
> I'm currently attempting to add a second CA server to our IPA cluster (all
> servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I
> try to setup the CA (ipa-replica-install with --setup-ca or
> ipa-replica-install followed by ipa-ca-install). The only useful thing in
> the logs is an error about a missing key for "trust_flags" in the pki setup.
> Our infrastructure uses FreeIPA with an external CA.
>
> Any ideas/help would be greatly appreciated. Here are the logs snips from my
> most recent attempt:
>
> Command output snip from "ipa-replica-install /root/replica-info-auth-002.XXX.gpg --setup-ca":
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed
>
>
> Log snip from ipareplica-install.log:
>
> 2016-09-20T23:42:27Z DEBUG Starting external process
> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'
> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
> 2016-09-20T23:42:31Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160920234227.log
> Loading deployment configuration from /tmp/tmpYofMPt.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-09-20T23:42:31Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> Traceback (most recent call last):
>   File "/bin/pki", line 254, in <module>
>     cli.execute(sys.argv)
>   File "/bin/pki", line 240, in execute
>     module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in execute
>     module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in execute
>     trust_flags = cert_info['trust_flags']
> KeyError: 'trust_flags'
>
>
> --
> Korey
>
>
> Hi Korey,
>
> could you check if there is any more info in /var/log/pki/pki-ca-spawn log?
Nothing really useful I see in the spawn log:

2016-09-20 23:42:31 pkispawn : DEBUG ....... Error Type: CalledProcessError
2016-09-20 23:42:31 pkispawn : DEBUG ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/ca.p12', '--pkcs12-password-file', '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero exit status 1
2016-09-20 23:42:31 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
    rv = scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 104, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
>
> It might also be helpful to verify if correct trust flags are set in nssdb:
> certutil -d /etc/pki/pki-tomcat/alias/ -L
>
Run on the source ipa server (current CA server):

$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                    CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Run on the destination ipa server:

$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

> Finally, can you check that LDAPS is running on port 636 on the replica
> where you're trying to install the CA (i.e. by nmap localhost)?
Run on the new replica:

$ nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
389/tcp open  ldap
636/tcp open  ldapssl
>
> --
> Tomas Krizek
--
Korey
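Added example, not code from FreeIPA, Dogtag or this thread: a small Python script that parses the "certutil -d /etc/pki/pki-tomcat/alias/ -L" listings Tomas asked for and reports what a CA clone's NSS database should contain after pkispawn has imported the PKCS#12 bundle, namely the five cert-pki-ca entries, each with its private key ('u' in the SSL column) and CA trust (C and T) on the caSigningCert. The two sample listings are constructed from the outputs posted above (the source CA and the empty replica database); the list of expected nicknames, the flag checks and the list_nssdb helper are this example's own assumptions, not something the thread states.

```python
"""Parse `certutil -d <nssdb> -L` output and sanity-check a CA clone's NSS DB.

Added example for the thread above; not FreeIPA or Dogtag code.
"""
import re
import subprocess
from typing import Dict, List, NamedTuple


class TrustFlags(NamedTuple):
    ssl: str    # trust flags for SSL
    smime: str  # trust flags for S/MIME
    jar: str    # trust flags for JAR/XPI (object signing)


# NSS trust letters: C/T (trusted CA), c (valid CA), P/p (peer), u (has key), w (warn)
_FLAGS_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")

# Constructed from the listing of the working CA server in the thread.
SOURCE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                    CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""

# Constructed from the (empty) listing of the failed replica in the thread.
REPLICA_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

"""

# Assumption of this example: the entries a CA clone's pki-tomcat/alias DB
# should hold once the PKCS#12 import has succeeded.
EXPECTED_CA_CERTS = [
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
]


def parse_certutil_listing(text: str) -> Dict[str, TrustFlags]:
    """Map nickname -> TrustFlags from `certutil -L` output.

    Nicknames may contain spaces, so only the last whitespace-separated token
    is split off, and the line is accepted only when that token looks like an
    NSS trust triple. That skips the two header lines and blank lines.
    """
    certs: Dict[str, TrustFlags] = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2 or not _FLAGS_RE.match(parts[1]):
            continue
        ssl, smime, jar = parts[1].split(",")
        certs[parts[0]] = TrustFlags(ssl, smime, jar)
    return certs


def check_ca_database(certs: Dict[str, TrustFlags]) -> List[str]:
    """Return human-readable problems; an empty list means the DB looks sane."""
    problems: List[str] = []
    for nick in EXPECTED_CA_CERTS:
        flags = certs.get(nick)
        if flags is None:
            problems.append(f"missing {nick!r}")
        elif "u" not in flags.ssl:
            problems.append(f"{nick!r} has no private key (no 'u' flag)")
    ca = certs.get("caSigningCert cert-pki-ca")
    if ca is not None and not ("C" in ca.ssl and "T" in ca.ssl):
        problems.append(f"CA signing cert lacks CA trust: SSL flags {ca.ssl!r}")
    return problems


def missing_on_replica(source: Dict[str, TrustFlags],
                       replica: Dict[str, TrustFlags]) -> List[str]:
    """Nicknames present on the source CA but absent on the replica."""
    return sorted(nick for nick in source if nick not in replica)


def list_nssdb(dbdir: str = "/etc/pki/pki-tomcat/alias/") -> Dict[str, TrustFlags]:
    """Run the certutil command from the thread against a real database."""
    out = subprocess.run(["certutil", "-d", dbdir, "-L"],
                         check=True, capture_output=True, text=True).stdout
    return parse_certutil_listing(out)


if __name__ == "__main__":
    for name, listing in (("source CA", SOURCE_LISTING), ("replica", REPLICA_LISTING)):
        certs = parse_certutil_listing(listing)
        print(f"{name}: {len(certs)} certificate(s)")
        for problem in check_ca_database(certs):
            print("  -", problem)
```

Run against the embedded samples it reports the source CA as clean and lists all five cert-pki-ca entries as missing on the replica, which matches the empty destination database above; list_nssdb(...) does the same against a live alias directory.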