[Freeipa-users] CA Fails to build Replica (w/External CA)
Korey Chapman
koreyc at gmail.com
Thu Sep 22 14:44:02 UTC 2016
On Thu, Sep 22, 2016 at 1:52 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
> Hi Korey,
>
> I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12
> probably doesn't contain the trust flags for some certificates.
> You can check by running
> pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
> and see if the output displays "Trust Flags: xxx" for all the certs.
>
> Flo.
>
> [1] https://fedorahosted.org/pki/ticket/2255
>
>
> On 09/21/2016 05:38 PM, Korey Chapman wrote:
>>
>> On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
>>>
>>> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>>>
>>> Hello list,
>>>
>>> I'm currently attempting to add a second CA server to our IPA cluster (all
>>> servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter how I
>>> try to set up the CA (ipa-replica-install with --setup-ca or
>>> ipa-replica-install followed by ipa-ca-install). The only useful thing in
>>> the logs is an error about a missing key for "trust_flags" in the pki setup.
>>> Our infrastructure uses FreeIPA with an external CA.
>>>
>>> Any ideas/help would be greatly appreciated. Here are the log snippets from
>>> my most recent attempt:
>>>
>>> Command output snip from "ipa-replica-install
>>> /root/replica-info-auth-002.XXX.gpg --setup-ca":
>>>
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>>   [1/24]: creating certificate server user
>>>   [2/24]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'' returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
>>>   [error] RuntimeError: CA configuration failed.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed
>>>
>>>
>>> Log snip from ipareplica-install.log:
>>>
>>> 2016-09-20T23:42:27Z DEBUG Starting external process
>>> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'
>>> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
>>> 2016-09-20T23:42:31Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160920234227.log
>>> Loading deployment configuration from /tmp/tmpYofMPt.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>
>>> Installation failed.
>>>
>>>
>>> 2016-09-20T23:42:31Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>>>   InsecureRequestWarning)
>>> Traceback (most recent call last):
>>>   File "/bin/pki", line 254, in <module>
>>>     cli.execute(sys.argv)
>>>   File "/bin/pki", line 240, in execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in execute
>>>     trust_flags = cert_info['trust_flags']
>>> KeyError: 'trust_flags'
>>>
>>>
>>> --
>>> Korey
>>>
>>>
>>> Hi Korey,
>>>
>>> could you check if there is any more info in the /var/log/pki/pki-ca-spawn log?
>>
>>
>> Nothing really useful I see in the spawn log:
>> 2016-09-20 23:42:31 pkispawn : DEBUG ....... Error Type: CalledProcessError
>> 2016-09-20 23:42:31 pkispawn : DEBUG ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/ca.p12', '--pkcs12-password-file', '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero exit status 1
>> 2016-09-20 23:42:31 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
>>     rv = scriptlet.spawn(deployer)
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 104, in spawn
>>     no_user_certs=True)
>>   File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
>>     subprocess.check_call(cmd)
>>   File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
>>     raise CalledProcessError(retcode, cmd)
>>
>>>
>>> It might also be helpful to verify that the correct trust flags are set in the nssdb:
>>> certutil -d /etc/pki/pki-tomcat/alias/ -L
>>>
>>
>> Run on the source ipa server (current CA server):
>> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> XXX Certificate Authority                                    CT,c,
>> Server-Cert cert-pki-ca                                      u,u,u
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>>
>>
>> Run on the destination ipa server:
>> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>>
>>> Finally, can you check that LDAPS is running on port 636 on the replica
>>> where you're trying to install the CA (i.e. by nmap localhost)?
>>
>>
>> Run on the new replica:
>> $ nmap localhost
>>
>> Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
>> Nmap scan report for localhost (127.0.0.1)
>> Host is up (0.0000040s latency).
>> Other addresses for localhost (not scanned): 127.0.0.1
>> Not shown: 995 closed ports
>> PORT STATE SERVICE
>> 22/tcp open ssh
>> 25/tcp open smtp
>> 53/tcp open domain
>> 389/tcp open ldap
>> 636/tcp open ldapssl
>>
>>>
>>> --
>>> Tomas Krizek
>>
>>
>>
>>
>
Looks like that was it. I updated the pki-* components on the master
server and it imported fine after a fresh ipa-replica-prepare. I
didn't think to look at the master server for the source of the
problem.
Thanks Florence and Tomas!
--
Korey
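The two checks suggested in the thread (running `pki pkcs12-cert-find` on the exported /tmp/ca.p12 to see whether every certificate carries a "Trust Flags:" line, and comparing `certutil -L` output from the source and destination NSS databases) can be scripted so that a missing trust flag is reported before pkispawn fails with the KeyError above. The following is an added example written for this page, not code from the thread, FreeIPA or Dogtag. The sample outputs embedded in it are constructed: the certificate nicknames and trust attributes are the ones quoted in the thread, but the exact entry layout of `pki pkcs12-cert-find` (blank-line separated blocks of "Key: value" lines) is an assumption and should be checked against the output of your own pki version before relying on the parser.

```python
import re

# Constructed sample of `pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 ...`
# output. Layout is assumed (one blank-line separated block per certificate).
# The third entry deliberately lacks "Trust Flags:", which is the condition
# that makes `pkcs12-import` raise KeyError: 'trust_flags' in the thread.
SAMPLE_PKCS12_FIND = """\
-----------------
3 entries found
-----------------
  Certificate ID: 0123456789abcdef
  Serial Number: 1
  Nickname: XXX Certificate Authority
  Subject DN: CN=XXX Certificate Authority
  Issuer DN: CN=XXX Certificate Authority
  Trust Flags: CT,c,
  Has Key: false

  Certificate ID: fedcba9876543210
  Serial Number: 7
  Nickname: caSigningCert cert-pki-ca
  Subject DN: CN=Certificate Authority,O=EXAMPLE.TEST
  Issuer DN: CN=XXX Certificate Authority
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 0011223344556677
  Serial Number: 8
  Nickname: subsystemCert cert-pki-ca
  Subject DN: CN=CA Subsystem,O=EXAMPLE.TEST
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.TEST
  Has Key: true
"""

# Constructed `certutil -d /etc/pki/pki-tomcat/alias/ -L` output, using the
# nicknames and trust attributes the thread shows for the source CA server.
SAMPLE_CERTUTIL_L = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                    CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""


def parse_pkcs12_cert_find(text):
    """Map nickname -> trust flags string, or None when the entry has none."""
    entries, current = {}, {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:                      # blank line ends an entry
            if "Nickname" in current:
                entries[current["Nickname"]] = current.get("Trust Flags")
            current = {}
            continue
        if ":" in stripped:                   # "Key: value"; DNs keep their commas
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip()
    if "Nickname" in current:                 # flush the last entry
        entries[current["Nickname"]] = current.get("Trust Flags")
    return entries


def certs_missing_trust_flags(text):
    """Nicknames in pkcs12-cert-find output that carry no 'Trust Flags:' line."""
    return sorted(n for n, f in parse_pkcs12_cert_find(text).items() if f is None)


# A certutil -L data row: nickname (may contain spaces), whitespace, then a
# three-field trust attribute such as "CTu,Cu,Cu" or "CT,c," at end of line.
_CERTUTIL_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_list(text):
    """Map nickname -> trust attributes from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _CERTUTIL_ROW.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def compare_trust(source_text, destination_text):
    """Certs whose trust attributes on the destination differ from (or are
    absent compared to) the source; value is (source_flags, dest_flags)."""
    source = parse_certutil_list(source_text)
    dest = parse_certutil_list(destination_text)
    return {n: (f, dest.get(n)) for n, f in source.items() if dest.get(n) != f}


if __name__ == "__main__":
    print("PKCS#12 certs without Trust Flags:", certs_missing_trust_flags(SAMPLE_PKCS12_FIND))
    # The thread's destination nssdb listed no certificates at all.
    print("Missing/different on destination:", compare_trust(SAMPLE_CERTUTIL_L, ""))
```

To use it against a real system, capture the command output into the two strings (for example with `subprocess.run([...], capture_output=True, text=True).stdout`) in place of the constructed samples; a non-empty result from `certs_missing_trust_flags` on the PKCS#12 that `ipa-replica-prepare` produced is the condition the thread traces back to Dogtag ticket 2255 on the source server.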