ipa-ca-install failure with very few info
by Andrey Bondarenko
Hello,
I have an IPA cluster with several nodes and I have a problem installing
another replica with CA enabled there. If I want to add the CA role to one of the
nodes:
[root@ipa01:~] ipa-ca-install -w SECRET
Directory Manager (existing master) password:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/25]: creating certificate server db
[2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 953 seconds elapsed
Update succeeded
[3/25]: creating installation admin user
[4/25]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command '/usr/sbin/pkispawn -s CA -f /mnt/tmp/tmpXXXXXX'
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
In the log file, the only error I see is
WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use
'pki_sslserver_nickname' instead.
WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated. Use
'pki_sslserver_subject_dn' instead.
ERROR: Unable to access security domain: 503 Server Error: Service
Unavailable
Where should I dig?
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype:andrey.bondarenko
phone, Telegram, WhatsApp, etc:+420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
5 years, 7 months
Can't install CA from replica file - Failed to import EncryptedPrivateKeyInfo to token
by H. Frenzel
Hi,
I tried to install a CA on the 2nd master from a replica file which was
created on the 1st master (with self-signed CA), which fails with:
ipa : DEBUG stderr=TokenException: Failed to import
EncryptedPrivateKeyInfo to token: (-8152) The key does not support the
requested operation.
What could be wrong here? Please find the detailed debug log of
ipa-ca-install as an attachment.
Thx & b/r
H.
5 years, 7 months