[Freeipa-users] CA Fails to build Replica (w/External CA)

Korey Chapman koreyc at gmail.com
Thu Sep 22 14:44:02 UTC 2016


On Thu, Sep 22, 2016 at 1:52 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
> Hi Korey,
>
> I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12
> probably doesn't contain the trust flags for some certificates.
> You can check by running
> pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
> and see if the output displays "Trust Flags: xxx" for all the certs.
>
> Flo.
>
> [1] https://fedorahosted.org/pki/ticket/2255
>
>
> On 09/21/2016 05:38 PM, Korey Chapman wrote:
>>
>> On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
>>>
>>> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>>>
>>> Hello list,
>>>
>>> I'm currently attempting to add a second CA server to our IPA cluster (all
>>> servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter how I
>>> try to set up the CA (ipa-replica-install with --setup-ca or
>>> ipa-replica-install followed by ipa-ca-install). The only useful thing in
>>> the logs is an error about a missing key for "trust_flags" in the pki setup.
>>> Our infrastructure uses FreeIPA with an external CA.
>>>
>>> Any ideas/help would be greatly appreciated. Here are the log snips from my
>>> most recent attempt:
>>>
>>> Command output snip from "ipa-replica-install /root/replica-info-auth-002.XXX.gpg --setup-ca":
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>>   [1/24]: creating certificate server user
>>>   [2/24]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'' returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>>>   [error] RuntimeError: CA configuration failed.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed
>>>
>>>
>>> Log snip from ipareplica-install.log:
>>>
>>> 2016-09-20T23:42:27Z DEBUG Starting external process
>>> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'
>>> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
>>> 2016-09-20T23:42:31Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160920234227.log
>>> Loading deployment configuration from /tmp/tmpYofMPt.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>
>>> Installation failed.
>>>
>>>
>>> 2016-09-20T23:42:31Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>>>   InsecureRequestWarning)
>>> Traceback (most recent call last):
>>>   File "/bin/pki", line 254, in <module>
>>>     cli.execute(sys.argv)
>>>   File "/bin/pki", line 240, in execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in execute
>>>     trust_flags = cert_info['trust_flags']
>>> KeyError: 'trust_flags'
>>>
>>>
>>> --
>>> Korey
>>>
>>>
>>> Hi Korey,
>>>
>>> could you check if there is any more info in /var/log/pki/pki-ca-spawn
>>> log?
>>
>>
>> Nothing really useful I see in the spawn log:
>> 2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
>> 2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/ca.p12', '--pkcs12-password-file', '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero exit status 1
>> 2016-09-20 23:42:31 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
>>     rv = scriptlet.spawn(deployer)
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 104, in spawn
>>     no_user_certs=True)
>>   File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
>>     subprocess.check_call(cmd)
>>   File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
>>     raise CalledProcessError(retcode, cmd)
>>
>>>
>>> It might also be helpful to verify that the correct trust flags are set in the nssdb:
>>> certutil -d /etc/pki/pki-tomcat/alias/ -L
>>>
>>
>> Run on the source ipa server (current CA server):
>> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> XXX Certificate Authority                                    CT,c,
>> Server-Cert cert-pki-ca                                      u,u,u
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>>
>>
>> Run on the destination ipa server:
>> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>>
>>> Finally, can you check that LDAPS is running on port 636 on the replica
>>> where you're trying to install the CA (i.e. by nmap localhost)?
>>
>>
>> Run on the new replica:
>> $ nmap localhost
>>
>> Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
>> Nmap scan report for localhost (127.0.0.1)
>> Host is up (0.0000040s latency).
>> Other addresses for localhost (not scanned): 127.0.0.1
>> Not shown: 995 closed ports
>> PORT    STATE SERVICE
>> 22/tcp  open  ssh
>> 25/tcp  open  smtp
>> 53/tcp  open  domain
>> 389/tcp open  ldap
>> 636/tcp open  ldapssl
>>
>>>
>>> --
>>> Tomas Krizek
>>
>>
>>
>>
>

Looks like that was it. I updated the pki-* components on the master
server and it imported fine after a fresh ipa-replica-prepare. I
didn't think to look at the master server for the source of the
problem.

Thanks Florence and Tomas!


-- 
Korey
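As an added example (not code from this thread, from FreeIPA or from Dogtag), here is a small Python pre-flight check for the failure Florence diagnosed: it parses the output of `pki pkcs12-cert-find` and of `certutil -L`, lists the PKCS#12 entries that carry no "Trust Flags:" line (the ones that make `pkcs12-import` on the replica die with KeyError: 'trust_flags'), and confirms that the external CA carries the "C" trust flag on the master. The "Key: value" layout of the `pkcs12-cert-find` output, the `--pkcs12-password-file` option on that subcommand (the log shows it only for `pkcs12-import`), and both sample listings are assumptions and constructed data, not captured output.

```python
# Added example (not FreeIPA/Dogtag code): pre-flight check for the failure in
# this thread. `pki pkcs12-import` on the replica raised KeyError: 'trust_flags'
# because entries in /tmp/ca.p12 carried no "Trust Flags:" line. The output
# layout of `pki pkcs12-cert-find` is assumed from the thread, and both sample
# listings below are constructed, not captured from a real system.
import re
import subprocess

# Constructed `pki pkcs12-cert-find` output: the external CA cert lacks trust flags.
SAMPLE_PKCS12_FIND = """\
-----------------
3 entries found
-----------------
  Certificate ID: 0123456789abcdef
  Nickname: caSigningCert cert-pki-ca
  Subject DN: CN=Certificate Authority,O=EXAMPLE.TEST
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: fedcba9876543210
  Nickname: XXX Certificate Authority
  Subject DN: CN=XXX Certificate Authority
  Has Key: false

  Certificate ID: 1111222233334444
  Nickname: ocspSigningCert cert-pki-ca
  Subject DN: CN=OCSP Subsystem,O=EXAMPLE.TEST
  Trust Flags: u,u,u
  Has Key: true
"""

# Constructed `certutil -L` listing in the shape of the master's output in the thread.
SAMPLE_CERTUTIL_LIST = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                    CT,c,
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
"""

_KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_pkcs12_cert_find(text):
    """One dict per entry; entries are 'Key: value' blocks separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        m = _KV_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif not line.strip() and current:
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return [e for e in entries if "Nickname" in e]


def missing_trust_flags(entries):
    """Nicknames pkcs12-import would choke on: no 'Trust Flags' key, or an empty one."""
    return [e["Nickname"] for e in entries if not e.get("Trust Flags")]


# Nickname (may contain single spaces), 2+ spaces, then SSL,S/MIME,JAR/XPI flags.
_CERTUTIL_ROW = re.compile(r"^(\S.*?)\s{2,}([CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*)\s*$")


def parse_certutil_list(text):
    """Map nickname -> trust string from `certutil -d <nssdb> -L` output."""
    rows = {}
    for line in text.splitlines():
        m = _CERTUTIL_ROW.match(line)
        if m:
            rows[m.group(1)] = m.group(2)
    return rows


def ca_is_trusted(rows, nickname):
    """True when the named cert carries the 'C' (trusted CA) flag in the SSL column."""
    flags = rows.get(nickname)
    return bool(flags) and "C" in flags.split(",")[0]


def check_pkcs12_file(p12_path, password_file):
    """Run the real command against a PKCS#12 file and return offending nicknames.
    Uses --pkcs12-password-file (as pkispawn does in the log) so the password
    stays out of `ps`; that this subcommand accepts the option is assumed."""
    result = subprocess.run(
        ["pki", "pkcs12-cert-find", "--pkcs12-file", p12_path,
         "--pkcs12-password-file", password_file],
        check=True, capture_output=True, text=True)
    return missing_trust_flags(parse_pkcs12_cert_find(result.stdout))


if __name__ == "__main__":
    print("entries without trust flags:",
          missing_trust_flags(parse_pkcs12_cert_find(SAMPLE_PKCS12_FIND)))
    rows = parse_certutil_list(SAMPLE_CERTUTIL_LIST)
    print("external CA trusted on master:",
          ca_is_trusted(rows, "XXX Certificate Authority"))
```

Run `check_pkcs12_file("/tmp/ca.p12", "/path/to/password.txt")` on the replica before `ipa-replica-install --setup-ca`: a non-empty list means the file was produced by a pki version affected by the trust-flags issue, and, as in the thread, the fix is on the master (update the pki-* packages there and re-run `ipa-replica-prepare`), not on the replica.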



