Hello team,
I have been trying to create a Docker container using Debian 10 for the FreeIPA server
installation and I am getting the following error almost at the end of the installation
after running:
ipa-server-install --no-ntp
The IPA Master Server will be configured with:
Hostname:       freeipa.test.com
IP address(es): x.x.x.x
Domain name:    test.com
Realm name:     TEST.COM
The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=TEST.COM
Subject base: O=TEST.COM
Chaining:     self-signed
The interesting part is that it almost finishes the installation, but fails at the end with
this. I really think it is nothing related to the cert, as I selected a self-signed certificate
during the installation of FreeIPA.
[11/30]: starting certificate server instance
[12/30]: configure certmonger for renewals
[13/30]: requesting RA certificate from CA
[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.******.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.*****.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I am not sure if there is any relation with my host file configuration, though it is
talking about the certificate in the following message.
Checking the freeipa logs I have got the following log in
/var/log/ipaserver-install.log:
  File "/usr/lib/python3/dist-packages/ipaserver/install/dogtaginstance.py", line 520, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2021-04-10T17:00:51Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2021-04-10T17:00:51Z ERROR CA configuration failed.
*************
Some more information: I can see the following services related to this already
running:
pki-tomcatd@pki-tomcat.service loaded active running PKI Tomcat Server pki-tomcat
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysusers.service loaded active exited Create System Users
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
-.slice loaded active active Root Slice
system-dirsrv.slice loaded active active system-dirsrv.slice
system-getty.slice loaded active active system-getty.slice
system-modprobe.slice loaded active active system-modprobe.slice
system-pki\x2dtomcatd.slice loaded active active system-pki\x2dtomcatd.slice
system.slice loaded active active System Slice
dbus.socket loaded active running D-Bus System Message Bus Socket
systemd-initctl.socket loaded active listening initctl Compatibility Named Pipe
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
Not sure what the issue is. The /var/log/pki/pki-tomcat doesn't show much. :/
There is not much help with the logs, just trying to confirm if someone has seen
something similar.
Thank you for your help,

I'm not sure that IPA server works in Debian right now. I'd suggest
trying on a VM first, then add the complications that a container brings.
rob