[Freeipa-users] ipa-replica-install fails on setup-ca

Florence Blanc-Renaud flo at redhat.com
Tue Apr 25 08:30:14 UTC 2017


On 04/24/2017 09:37 AM, Bjarne Blichfeldt wrote:
> We had problems with one idm replica complaining about different ldap
> database versions and at the same time errors on starting pki-tomcat. I
> decided to delete the ipa server and reinstall.
>
> The ipa server delete went without problems, but the reinstall….
>
> ipa-replica-install --setup-ca --setup-dns --forwarder 10.200.207.11
> --forwarder 10.200.206.11 --principal admin --admin-password "secret"
>
> This fails on CA install, but without --setup-ca the install was successful.
>
> I tried both with the server enrolled as client and with the server not
> enrolled – no difference.
>
> The installation was successful in a different environment but same
> software versions.
>
> Server is RHEL 7.3, ipa: VERSION: 4.4.0, API_VERSION: 2.213
>
>
>
> When ipa-replica-install fails with --setup-ca, ipareplica-install.log
> shows:
>
> 2017-04-23T19:44:45Z DEBUG Starting external process
> 2017-04-23T19:44:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X
> 2017-04-23T19:44:46Z DEBUG Process finished, return code=1
> 2017-04-23T19:44:46Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20170423214445.log
> Loading deployment configuration from /tmp/tmpBLQe1X.
>
> 2017-04-23T19:44:46Z DEBUG stderr=Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 817, in <module>
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 501, in main
>     create_master_dictionary(parser)
>   File "/usr/sbin/pkispawn", line 641, in create_master_dictionary
>     parser.compose_pki_master_dictionary()
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 614, in compose_pki_master_dictionary
>     instance.load()
>   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 595, in load
>     subsystem.load()
>   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 129, in load
>     lines = open(self.cs_conf).read().splitlines()
> IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
>
> 2017-04-23T19:44:46Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X' returned non-zero exit status 1
> 2017-04-23T19:44:46Z CRITICAL See the installation logs and the following files/directories for more information:
> 2017-04-23T19:44:46Z CRITICAL   /var/log/pki/pki-tomcat
> 2017-04-23T19:44:46Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2017-04-23T19:44:46Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2017-04-23T19:44:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
>     cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
>     self.execute()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
>     for nothing in self._executor():
>
> Nothing in /var/log/pki/pki-tomcat.
>
>
>
> Further observations:
>
> During changing the certificate to third-party SSL, I got the following
> error in /var/log/httpd/error_log:
>
> [Mon Apr 24 09:03:14.267871 2017] [:error] [pid 11004] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
> p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
>
> I changed the permission on /etc/pki/ca-trust/source/ipa.p11-kit from
> 600 to 644 and added "NSSEnforceValidCerts off" to
> /etc/httpd/conf.d/nss.conf
>
> After that ipa-certupdate succeeded.
>
>
>
> Is there any way to install the CA without reinstalling the whole
> ipa-server again?
>
> Regards
>
> Bjarne Blichfeldt.
>
Hi,

1/ you may find more information about the CA installation failure in 
/var/log/pki/pki-ca-spawn.$date.log

To enable debug logs, you can create the file /etc/ipa/server.conf:
$ cat /etc/ipa/server.conf
[global]
debug = True


2/ the error in httpd/error_log may indicate that your certificate 
expired; could you check if all the certificates are still valid?
$ sudo certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep  Not
             Not Before: Thu Apr 20 15:03:40 2017
             Not After : Sun Apr 21 15:03:40 2019

3/ I recall CA install issues when an old /root/cacert.p12 was left on a 
replica between uninstall and install. Can you try to delete this file 
and re-try the ipa-replica-install?

Flo
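Added example (my own, not code from the thread, from Flo, or from FreeIPA/Dogtag): a POSIX shell pre-flight script that turns the reply's three suggestions, plus the reporter's p11-kit permission finding, into repeatable checks to run on the replica before retrying ipa-replica-install --setup-ca. The sample log and certutil output embedded below are constructed from lines quoted in the thread; the "Log file:" path is assumed to be on one line in the real log (the mail wrapped it). Flagging a leftover /var/lib/pki/pki-tomcat directory is my assumption, drawn from the IOError in the traceback (pkispawn loading an instance whose CA CS.cfg is missing); the thread itself only names /root/cacert.p12 as a known leftover. PREFLIGHT_RUN and PREFLIGHT_ROOT are hypothetical variables introduced here.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag: pre-flight
# checks for a replica before retrying "ipa-replica-install --setup-ca".
# The samples are constructed from lines quoted in the thread. Checking
# /var/lib/pki/pki-tomcat is an assumption based on the IOError traceback;
# the thread only names /root/cacert.p12 as a known leftover.

# Constructed sample: lines of /var/log/ipareplica-install.log (unwrapped).
SAMPLE_INSTALL_LOG=$(cat <<'EOF'
2017-04-23T19:44:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X
2017-04-23T19:44:46Z DEBUG Process finished, return code=1
2017-04-23T19:44:46Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170423214445.log
2017-04-23T19:44:46Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X' returned non-zero exit status 1
2017-04-23T19:44:46Z CRITICAL See the installation logs and the following files/directories for more information:
2017-04-23T19:44:46Z CRITICAL   /var/log/pki/pki-tomcat
EOF
)

# Constructed sample: output of  certutil -L -d /etc/httpd/alias -n Server-Cert
SAMPLE_CERTUTIL=$(cat <<'EOF'
        Validity:
            Not Before: Thu Apr 20 15:03:40 2017
            Not After : Sun Apr 21 15:03:40 2019
EOF
)

# 1/ Print the pkispawn log to read first ("Log file: ..." line) and the
#    CRITICAL lines. $1: install log text. Returns 1 if no log path found.
summarize_install_log() {
  spawn_log=$(printf '%s\n' "$1" | sed -n 's/.*Log file: *//p' | head -n 1)
  printf 'spawn_log=%s\n' "$spawn_log"
  printf '%s\n' "$1" | grep ' CRITICAL ' || true
  [ -n "$spawn_log" ]
}

# Turn a certutil-style timestamp "Sun Apr 21 15:03:40 2019" into the
# sortable integer 20190421150340 (no date(1) -d, which is GNU-only).
cert_stamp() {
  printf '%s\n' "$1" | awk '{
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    mon = 0; for (i = 1; i <= 12; i++) if (m[i] == $2) mon = i
    split($4, t, ":")
    printf "%04d%02d%02d%02d%02d%02d\n", $5, mon, $3, t[1], t[2], t[3]
  }'
}

# 2/ Is the certificate valid at a given time?  $1: certutil -L output,
#    $2: time in certutil's format (default: now, UTC). Returns 0 when $2
#    lies inside [Not Before, Not After], 1 otherwise or if unparsable.
cert_valid_at() {
  when=${2:-$(date -u '+%a %b %d %H:%M:%S %Y')}
  nb=$(printf '%s\n' "$1" | sed -n 's/^ *Not Before *: *//p' | head -n 1)
  na=$(printf '%s\n' "$1" | sed -n 's/^ *Not After *: *//p' | head -n 1)
  [ -n "$nb" ] && [ -n "$na" ] || return 1
  w=$(cert_stamp "$when"); b=$(cert_stamp "$nb"); a=$(cert_stamp "$na")
  [ "$w" -ge "$b" ] && [ "$w" -le "$a" ]
}

# 3/ Leftovers from the previous install. $1: root prefix ("/" on a real
#    host, a temp dir in tests). Prints each leftover; returns 1 if any.
stale_ca_artifacts() {
  root=${1:-/}; root=${root%/}
  found=0
  for p in "$root/root/cacert.p12" "$root/var/lib/pki/pki-tomcat"; do
    if [ -e "$p" ]; then printf 'stale: %s\n' "$p"; found=1; fi
  done
  [ "$found" -eq 0 ]
}

# 4/ The p11-kit trust file must be readable by the unprivileged httpd
#    process (the reporter's fix was mode 644). Returns 0 if world-readable.
p11kit_readable() {
  f=${1:-/etc/pki/ca-trust/source/ipa.p11-kit}
  [ -e "$f" ] || return 1
  find "$f" -prune -perm -o=r | grep -q .
}

# Run all checks against a host; returns non-zero if any check failed.
run_checks() {
  root=${1:-/}; root=${root%/}
  rc=0
  if [ -r "$root/var/log/ipareplica-install.log" ]; then
    summarize_install_log "$(cat "$root/var/log/ipareplica-install.log")" || rc=1
  fi
  if [ -d "$root/etc/httpd/alias" ]; then
    cert_valid_at "$(certutil -L -d "$root/etc/httpd/alias" -n Server-Cert)" \
      || { echo "Server-Cert is not currently valid (or unreadable)"; rc=1; }
  fi
  stale_ca_artifacts "$root" || rc=1
  p11kit_readable "$root/etc/pki/ca-trust/source/ipa.p11-kit" \
    || { echo "ipa.p11-kit missing or not world-readable"; rc=1; }
  return $rc
}

# Invoke explicitly on the replica:  PREFLIGHT_RUN=1 sh preflight.sh
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then run_checks "${PREFLIGHT_ROOT:-/}"; fi
```

On a live replica the script runs as root (the install log and NSS database are not world-readable); with PREFLIGHT_ROOT pointed at a copied tree it can be run against an image offline. A non-zero exit means at least one of the four conditions the thread raises is still present, so the ipa-replica-install retry is likely to fail the same way.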



