[Freeipa-users] CA Fails to build Replica (w/External CA)

Korey Chapman koreyc at gmail.com
Wed Sep 21 15:38:37 UTC 2016 

On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>
> Hello list,
>
> I'm currently attempting to add a second CA server to our IPA cluster (all
> servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I
> try to setup the CA (ipa-replica-install with --setup-ca or
> ipa-replica-install followed by ipa-ca-install). The only useful thing in
> the logs is an error about a missing key for "trust_flags" in the pki setup.
> Our infrastructure uses FreeIPA with an external CA.
>
> Any ideas/help would be greatly appreciated. Here are the logs snips from my
> most recent attempt:
>
> Command output snip from "ipa-replica-install
> /root/replica-info-auth-002.XXX.gpg --setup-ca"
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
> logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration
> failed
>
>
> Log snip from ipareplica-install.log:
>
> 2016-09-20T23:42:27Z DEBUG Starting external process
> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpYofMPt'
> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
> 2016-09-20T23:42:31Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160920234227.log
> Loading deployment configuration from /tmp/tmpYofMPt.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-09-20T23:42:31Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> Traceback (most recent call last):
>   File "/bin/pki", line 254, in <module>
>     cli.execute(sys.argv)
>   File "/bin/pki", line 240, in execute
>     module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
> execute
>     module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
> execute
>     trust_flags = cert_info['trust_flags']
> KeyError: 'trust_flags'
>
>
> --
> Korey
>
>
> Hi Korey,
>
> could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

Nothing really useful I see in the spawn log:
2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Type:
CalledProcessError
2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Message:
Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
'/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
'/tmp/ca.p12', '--pkcs12-password-file',
'/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
exit status 1
2016-09-20 23:42:31 pkispawn    : DEBUG    .......   File
"/usr/sbin/pkispawn", line 597, in main
    rv = scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py",
line 104, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in
import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)

>
> It might also be helpful verify if correct trust flags are set in nssdb:
> certutil -d /etc/pki/pki-tomcat/alias/ -L
>

Run on the source ipa server (current CA server):
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                     CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u


Run on the destination ipa server:
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

> Finally, can you check that LDAPS is running on port 636 on the replica
> where you're trying to install the CA (i.e. by nmap localhost)?

Run on the new replica:
$ nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
389/tcp open  ldap
636/tcp open  ldapssl

>
> --
> Tomas Krizek



-- 
Korey

More information about the Freeipa-users mailing list