[Freeipa-users] CA Fails to build Replica (w/External CA)

Florence Blanc-Renaud flo at redhat.com
Thu Sep 22 08:52:57 UTC 2016


Hi Korey,

I believe that you are hitting Dogtag issue #2255 [1]. The file 
/tmp/ca.p12 probably doesn't contain the trust flags for some certificates.
You can check by running
pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
and seeing whether the output displays "Trust Flags: xxx" for all the certs.

Flo.

[1] https://fedorahosted.org/pki/ticket/2255

On 09/21/2016 05:38 PM, Korey Chapman wrote:
> On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
>> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>>
>> Hello list,
>>
>> I'm currently attempting to add a second CA server to our IPA cluster (all
>> servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I
>> try to setup the CA (ipa-replica-install with --setup-ca or
>> ipa-replica-install followed by ipa-ca-install). The only useful thing in
>> the logs is an error about a missing key for "trust_flags" in the pki setup.
>> Our infrastructure uses FreeIPA with an external CA.
>>
>> Any ideas/help would be greatly appreciated. Here are the logs snips from my
>> most recent attempt:
>>
>> Command output snip from "ipa-replica-install
>> /root/replica-info-auth-002.XXX.gpg --setup-ca"
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
>> seconds
>>   [1/24]: creating certificate server user
>>   [2/24]: configuring certificate server instance
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
>> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
>> returned non-zero exit status 1
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
>> logs and the following files/directories for more information:
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>> /var/log/pki-ca-install.log
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>> /var/log/pki/pki-tomcat
>>   [error] RuntimeError: CA configuration failed.
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration
>> failed
>>
>>
>> Log snip from ipareplica-install.log:
>>
>> 2016-09-20T23:42:27Z DEBUG Starting external process
>> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>> '/tmp/tmpYofMPt'
>> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
>> 2016-09-20T23:42:31Z DEBUG stdout=Log file:
>> /var/log/pki/pki-ca-spawn.20160920234227.log
>> Loading deployment configuration from /tmp/tmpYofMPt.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>
>> Installation failed.
>>
>>
>> 2016-09-20T23:42:31Z DEBUG
>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>> certificate verification is strongly advised. See:
>> https://urllib3.readthedocs.org/en/latest/security.html
>>   InsecureRequestWarning)
>> Traceback (most recent call last):
>>   File "/bin/pki", line 254, in <module>
>>     cli.execute(sys.argv)
>>   File "/bin/pki", line 240, in execute
>>     module.execute(module_args)
>>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
>> execute
>>     module.execute(module_args)
>>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
>> execute
>>     trust_flags = cert_info['trust_flags']
>> KeyError: 'trust_flags'
>>
>>
>> --
>> Korey
>>
>>
>> Hi Korey,
>>
>> could you check if there is any more info in /var/log/pki/pki-ca-spawn log?
>
> Nothing really useful I see in the spawn log:
> 2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Type:
> CalledProcessError
> 2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Message:
> Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
> '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
> '/tmp/ca.p12', '--pkcs12-password-file',
> '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
> exit status 1
> 2016-09-20 23:42:31 pkispawn    : DEBUG    .......   File
> "/usr/sbin/pkispawn", line 597, in main
>     rv = scriptlet.spawn(deployer)
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py",
> line 104, in spawn
>     no_user_certs=True)
>   File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in
> import_pkcs12
>     subprocess.check_call(cmd)
>   File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
>     raise CalledProcessError(retcode, cmd)
>
>>
>> It might also be helpful to verify that the correct trust flags are set in the nssdb:
>> certutil -d /etc/pki/pki-tomcat/alias/ -L
>>
>
> Run on the source ipa server (current CA server):
> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> XXX Certificate Authority                                     CT,c,
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
>
>
> Run on the destination ipa server:
> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
>> Finally, can you check that LDAPS is running on port 636 on the replica
>> where you're trying to install the CA (i.e. by nmap localhost)?
>
> Run on the new replica:
> $ nmap localhost
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.0000040s latency).
> Other addresses for localhost (not scanned): 127.0.0.1
> Not shown: 995 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 53/tcp  open  domain
> 389/tcp open  ldap
> 636/tcp open  ldapssl
>
>>
>> --
>> Tomas Krizek
>
>
>
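The check Flo describes (every certificate in /tmp/ca.p12 must carry trust flags, otherwise `pki pkcs12-import` dies with `KeyError: 'trust_flags'`) can be scripted as a pre-flight test before re-running ipa-replica-install. The example below is added here and is not code from the thread, FreeIPA or Dogtag. It parses the `certutil -L` listing in the format Korey posted and the `pki pkcs12-cert-find` output; the "Nickname:" / "Trust Flags:" record layout assumed for the latter, and both sample listings embedded in the script, are constructed for illustration. It reports certificates exported without any trust flags (the KeyError trigger) and certificates whose flags differ from the source NSS database.

```python
"""Pre-flight check for the PKCS#12 trust-flag problem discussed in the thread.

Added example, not part of the original mail or of the Dogtag/FreeIPA code.
Input 1: `certutil -d /etc/pki/pki-tomcat/alias/ -L` on the source CA.
Input 2: `pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password ...`
         (record layout with "Nickname:" and "Trust Flags:" lines is assumed).
"""
import re

# Constructed sample of `certutil -L` output, modelled on the listing in the thread.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                     CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""

# Constructed sample of `pki pkcs12-cert-find` output (layout assumed); the
# external CA certificate has been exported without its trust flags.
PKCS12_LISTING = """\
-----------------
3 entries found
-----------------
  Certificate ID: 0000000000000000000000000000000000000001
  Nickname: XXX Certificate Authority
  Subject DN: CN=XXX Certificate Authority,O=XXX
  Has Key: false

  Certificate ID: 0000000000000000000000000000000000000002
  Nickname: caSigningCert cert-pki-ca
  Subject DN: CN=Certificate Authority,O=XXX
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 0000000000000000000000000000000000000003
  Nickname: subsystemCert cert-pki-ca
  Subject DN: CN=CA Subsystem,O=XXX
  Trust Flags: u,u,u
  Has Key: true
"""

# An NSS trust triple: SSL,S/MIME,JAR/XPI, each part possibly empty.
TRUST_COLUMN = re.compile(r"^[CTcPpu]*,[CTcPpu]*,[CTcPpu]*$")


def parse_certutil(text):
    """Map nickname -> trust attributes from `certutil -L` output.

    Nicknames may contain spaces, so each line is split at its last
    whitespace run and the tail must look like a trust triple; header and
    blank lines fail that test and are skipped.
    """
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_COLUMN.match(parts[1]):
            certs[parts[0]] = parts[1]
    return certs


def parse_pkcs12_find(text):
    """Map nickname -> trust flags (None when absent) from `pki pkcs12-cert-find` output."""
    certs = {}
    current = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key == "Nickname":
            current = value.strip()
            certs[current] = None          # stays None unless a Trust Flags line follows
        elif key == "Trust Flags" and current is not None:
            certs[current] = value.strip()
    return certs


def check_export(certutil_text, pkcs12_text):
    """Return (missing_flags, mismatched).

    missing_flags: nicknames in the PKCS#12 with no Trust Flags line at all
                   (exactly what raises KeyError: 'trust_flags' on import).
    mismatched:    nicknames whose flags differ from the source NSS database.
    """
    source = parse_certutil(certutil_text)
    exported = parse_pkcs12_find(pkcs12_text)
    missing = sorted(n for n, f in exported.items() if f is None)
    mismatched = sorted(n for n, f in exported.items()
                        if f is not None and n in source and source[n] != f)
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = check_export(CERTUTIL_LISTING, PKCS12_LISTING)
    for n in missing:
        print("no trust flags in PKCS#12 (pkcs12-import would fail): %r" % n)
    for n in mismatched:
        print("trust flags differ from source NSS DB: %r" % n)
    if not missing and not mismatched:
        print("PKCS#12 trust flags are consistent with the source NSS DB")
```

In practice you would replace the two embedded samples with the captured output of the two commands on the source CA; a non-empty `missing` list means the export needs to be regenerated (or the Dogtag fix from ticket 2255 applied) before the replica install will get past the `pkcs12-import` step.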