[Freeipa-users] ipa-replica-install: Certificate operation cannot be completed: Unable to communicate with CMS (503)

Carlos Silva r3pek at r3pek.org
Tue Feb 14 14:11:02 UTC 2017


It should be this problem: https://fedorahosted.org/freeipa/ticket/6613

On Tue, Feb 14, 2017 at 1:32 PM, Jens Timmerman <jens.timmerman at ugent.be>
wrote:

> Hi all,
>
>
> I'm trying to set up a FreeIPA master server and a replica, on a fresh
> install of CentOS 7.3.
>
> After running ipa-server-install on the master and running
> ipa-client-install on the replica, the ipa-replica-install command fails
> to restart the directory server.
>
> Turns out this is because the DS Certificate was never received. It
> fails with status: CA_UNREACHABLE and I can't figure out why this is
> failing.
>
> Could someone give me some pointers?
>
> on the replica:
>
>
> /var/log/ipareplica-install.log
> 2017-02-14T12:21:20Z DEBUG certmonger request is in state
> dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
> 2017-02-14T12:21:25Z DEBUG certmonger request is in state
> dbus.String(u'CA_UNREACHABLE', variant_level=1)
> 2017-02-14T12:21:25Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-MY-REALM.socket from SchemaCache
> 2017-02-14T12:21:25Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-MY-REALM.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x73101b8>
> 2017-02-14T12:21:25Z DEBUG   duration: 5 seconds
> 2017-02-14T12:21:25Z DEBUG   [28/44]: restarting directory server
>
> <fails>
>
>
> # getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20170214122119':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://<ipa-server>/ipa/xml failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: Unable to communicate with CMS (503)).
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-MY_REALM',
> nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-MY_REALM//pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-MY_REALM',nickname='Server-Cert'
>     CA: IPA
>     issuer:
>     subject:
>     expires: unknown
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
>
>
> # certutil -L -d /etc/dirsrv/slapd-MY_REALM/
>
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> MY_REALM IPA CA                                          CT,C,C
>
>
> # certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> cacert                                                       CTu,Cu,Cu
> beta                                                         u,pu,u
> alpha                                                        u,pu,u
> Server-Cert                                                  u,u,u
>
>
>
>
> # curl --negotiate -u : https://ipa-server/ipa/xml --referer
> https://ipa-server/ipa/xml -I
> HTTP/1.1 401 Unauthorized
> Date: Tue, 14 Feb 2017 12:07:02 GMT
> Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14
> NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
> WWW-Authenticate: Negotiate
> X-Frame-Options: DENY
> Content-Security-Policy: frame-ancestors 'none'
> Last-Modified: Tue, 17 Jan 2017 17:34:23 GMT
> Accept-Ranges: bytes
> Content-Length: 1474
> Content-Type: text/html; charset=UTF-8
>
> HTTP/1.1 200 Success
> Date: Tue, 14 Feb 2017 12:07:02 GMT
> Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14
> NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
> Set-Cookie: ipa_session=<snip>
> WWW-Authenticate: Negotiate <snip>
> X-Frame-Options: DENY
> Content-Security-Policy: frame-ancestors 'none'
> Vary: Accept-Encoding
> Content-Type: text/xml; charset=utf-8
>
>
> On the ipa-server:
>
> /var/log/pki/pki-tomcat/ca/debug
>
>
> [14/Feb/2017:13:20:15][Timer-0]: SessionTimer: run()
> [14/Feb/2017:13:20:15][Timer-0]: LDAPSecurityDomainSessionTable:
> getSessionIds()
> [14/Feb/2017:13:20:15][Timer-0]: LDAPSecurityDomainSessionTable:
> searching ou=sessions,ou=Security Domain,o=ipaca
> [14/Feb/2017:13:20:15][Timer-0]: In LdapBoundConnFactory::getConn()
> [14/Feb/2017:13:20:15][Timer-0]: masterConn is connected: true
> [14/Feb/2017:13:20:15][Timer-0]: getConn: conn is connected true
> [14/Feb/2017:13:20:15][Timer-0]: getConn: mNumConns now 2
> [14/Feb/2017:13:20:15][Timer-0]: SecurityDomainSessionTable: No active
> sessions.
> [14/Feb/2017:13:20:15][Timer-0]: returnConn: mNumConns now 3
> [14/Feb/2017:13:25:15][Timer-0]: SessionTimer: run()
> [14/Feb/2017:13:25:15][Timer-0]: LDAPSecurityDomainSessionTable:
> getSessionIds()
> [14/Feb/2017:13:25:15][Timer-0]: LDAPSecurityDomainSessionTable:
> searching ou=sessions,ou=Security Domain,o=ipaca
> [14/Feb/2017:13:25:15][Timer-0]: In LdapBoundConnFactory::getConn()
> [14/Feb/2017:13:25:15][Timer-0]: masterConn is connected: true
> [14/Feb/2017:13:25:15][Timer-0]: getConn: conn is connected true
> [14/Feb/2017:13:25:15][Timer-0]: getConn: mNumConns now 2
> [14/Feb/2017:13:25:15][Timer-0]: SecurityDomainSessionTable: No active
> sessions.
> [14/Feb/2017:13:25:15][Timer-0]: returnConn: mNumConns now 3
>
>
> (so nothing at 13:21:14)
>
>
>
> ==> /var/log/pki/pki-tomcat/ca/selftests.log <==
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
> SelfTestSubsystem:  loading all self test plugin logger parameters
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
> SelfTestSubsystem:  loading all self test plugin instances
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
> SelfTestSubsystem:  loading all self test plugin instance parameters
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
> SelfTestSubsystem:  loading self test plugins in on-demand order
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
> SelfTestSubsystem:  loading self test plugins in startup order
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
> SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
> SelfTestSubsystem: Running self test plugins specified to be executed at
> startup:
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
> CAPresence:  CA is present
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
> SystemCertsVerification: system certs verification success
> 0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
> SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
> startup!
>
>
> And /var/log/pki/pki-tomcat/localhost.2017-02-14.log is filled with
> these exceptions, which aren't pointing me anywhere.
>
> SEVERE: Servlet.service() for servlet [Resteasy] in context with path
> [/ca] threw exception
> org.jboss.resteasy.spi.UnhandledException:
> org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find
> MessageBodyWriter for response object of type:
> com.netscape.certsrv.base.PKIException$Data of media type:
> application/x-www-form-urlencoded
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(
> SynchronousDispatcher.java:157)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:372)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:179)
>         at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
> service(ServletContainerDispatcher.java:220)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:56)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>         at sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>         at
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>         at java.security.AccessController.doPrivileged(Native Method)
>
>         ...
>
>
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20170214084423':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=CA Audit,O=MY-REALM
>     expires: 2019-02-04 08:42:52 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20170214084425':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=OCSP Subsystem,O=MY-REALM
>     expires: 2019-02-04 08:42:48 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20170214084428':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=CA Subsystem,O=MY-REALM
>     expires: 2019-02-04 08:42:51 UTC
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20170214084431':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=Certificate Authority,O=MY-REALM
>     expires: 2037-02-14 08:42:43 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20170214084434':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=IPA RA,O=MY-REALM
>     expires: 2019-02-04 08:44:09 UTC
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20170214084436':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=ipa-server,O=MY-REALM
>     expires: 2019-02-04 08:42:49 UTC
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20170214084646':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',
> nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-MY-REALM/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',
> nickname='Server-Cert',token='NSS
> Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=ipa-server,O=MY-REALM
>     expires: 2019-02-15 08:46:45 UTC
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MY-REALM
>     track: yes
>     auto-renew: yes
> Request ID '20170214085151':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MY-REALM
>     subject: CN=ipa-server,O=MY-REALM
>     expires: 2019-02-15 08:51:50 UTC
>     key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
>
> # systemctl status pki-tomcatd@pki-tomcat.service
> pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
>    Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
> vendor preset: disabled)
>    Active: active (running) since Tue 2017-02-14 10:19:32 CET; 3h 40min ago
>  Main PID: 1300 (java)
>    CGroup:
> /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
>            └─1300 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
> -DRESTEASY_LIB=/usr/share/java/resteasy-base
> -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/...
>
> Feb 14 10:19:57 ipa-server server[1300]: SSLAuthenticatorWithFallback:
> Creating SSL authenticator with fallback
> Feb 14 10:19:57 ipa-server server[1300]: SSLAuthenticatorWithFallback:
> Setting container
> Feb 14 10:20:07 ipa-server server[1300]: SSLAuthenticatorWithFallback:
> Initializing authenticators
> Feb 14 10:20:07 ipa-server server[1300]: SSLAuthenticatorWithFallback:
> Starting authenticators
> Feb 14 10:20:10 ipa-server server[1300]:
> CMSEngine.initializePasswordStore() begins
> Feb 14 10:20:10 ipa-server server[1300]:
> CMSEngine.initializePasswordStore(): tag=internaldb
> Feb 14 10:20:10 ipa-server server[1300]:
> CMSEngine.initializePasswordStore(): tag=replicationdb
> Feb 14 10:20:15 ipa-server server[1300]: CA is started.
> Feb 14 10:20:26 ipa-server server[1300]: PKIListener:
> org.apache.catalina.core.StandardServer[after_start]
> Feb 14 10:20:26 ipa-server server[1300]: PKIListener: Subsystem CA is
> running.
>
>
>
> Regards,
> Jens Timmerman
>
>
>
>
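A small parser for the `getcert list` output quoted above that flags requests outside a steady state and pulls the CMS HTTP code out of the ca-error, as in the replica's CA_UNREACHABLE request. This is an added example, not certmonger or FreeIPA code; the sample listing is constructed from the thread, reusing the request IDs and the ca-error text quoted there.

```python
"""Parse `getcert list` output and flag certmonger requests that are not in
a steady state. Added example, not certmonger or FreeIPA code."""
import re

# Constructed sample in the `getcert list` format quoted in the thread
# (the ca-error text is the one from the replica's failing request).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170214122119':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa-server/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
    stuck: no
    CA: IPA
    expires: unknown
Request ID '20170214085151':
    status: MONITORING
    stuck: no
    CA: IPA
    expires: 2019-02-15 08:51:50 UTC
"""

STEADY_STATES = {"MONITORING"}  # anything else deserves a look

def parse_getcert_list(text):
    """Return {request_id: {field: value}} for each 'Request ID' block.
    Indented 'key: value' lines are split at the first colon only, so
    values containing colons (URLs, timestamps) stay intact."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def cms_http_code(ca_error):
    """HTTP status the IPA RA reported from the CA, e.g. 503 from
    '... Unable to communicate with CMS (503)'; None if absent."""
    m = re.search(r"CMS \((\d{3})\)", ca_error)
    return int(m.group(1)) if m else None

def unhealthy_requests(requests):
    """(request_id, status, cms_http_code) for requests that are stuck or
    not in a steady state; these are the ones to chase in the CA logs."""
    return [(rid, f.get("status", "?"), cms_http_code(f.get("ca-error", "")))
            for rid, f in requests.items()
            if f.get("status") not in STEADY_STATES or f.get("stuck") == "yes"]
```

Feed it the real listing with `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))`; a 503 from CMS points at the CA (pki-tomcat) rather than at certmonger or the IPA web server.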