On 01/06/2018 08:54 PM, lejeczek via FreeIPA-users wrote:
hi
I'm trying to install replica, process fails:
..
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
..
-- end
and in install log file:
..
2018-01-06T13:50:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -A -n PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
2018-01-06T13:50:29Z DEBUG Process finished, return code=0
2018-01-06T13:50:29Z DEBUG stdout=
2018-01-06T13:50:29Z DEBUG stderr=
2018-01-06T13:50:30Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-01-06T13:50:35Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2018-01-06T13:50:35Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site- ...
-- end
Would this be that new candidate's problem or some communication issues with existing server? Client installed (kind of) okay though.
Hi,
the replica installer is communicating with the local certmonger daemon to request SSL certificates. Then certmonger connects to the IPA master (httpd process), and in turn IPA master server communicates with Dogtag to request the certificate.
As you can see, there are a lot of processes involved, and the issue could come from communication issues between all of them. We need to identify which step is failing.
Can you check:
- the output of getcert list on the client? It may contain a more detailed message for the certificate issuance failure
- if tomcat is running on the master? systemctl status pki-tomcatd@pki-tomcat
- if the client managed to contact IPA master? Look for a line with cert_request in the master's log /var/log/httpd/error_log, and for possible error messages related. If the line is present, the client successfully sent its cert request, meaning that the communication was properly established.
- if dogtag received the certificate request? IPA master is using /etc/ipa/ca.crt and /var/lib/ipa/ra-agent.{key|pem} to authenticate to Dogtag. The authentication logs in /var/log/pki/pki-tomcat/ca/debug should display something like:

[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: Authenticating certificate chain:
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: CN=IPA RA, O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: started
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Retrieving client certificate
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Got client certificate

and the cert request:

[date][ajp-bio-127.0.0.1-8009-exec-4]: EnrollProfile: createRequests: begins
[date][ajp-bio-127.0.0.1-8009-exec-4]: Start parsePKCS10(): -----BEGIN CERTIFICATE REQUEST-----
The most common issues are pki-tomcatd not starting because the certificate 'subsystemCert cert-pki-ca' has expired, or communication issues between the IPA server and Dogtag (the cert in /var/lib/ipa/ra-agent.{key|pem} has expired).
HTH, Flo
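The reply above describes a chain of hops (replica certmonger, then the master's httpd, then Dogtag) and one log source per hop. The following script is an added example, not part of the thread and not FreeIPA's or certmonger's own tooling: it reads the text of `getcert list`, the master's /var/log/httpd/error_log and /var/log/pki/pki-tomcat/ca/debug, and reports the first hop with no evidence of success, using the same markers Flo lists (a non-MONITORING request, a `cert_request` line, the `PKIRealm` authentication of `CN=IPA RA`, and `EnrollProfile: createRequests`). The sample inputs are constructed to follow those line formats, the hop names and the assumption that MONITORING is the only healthy certmonger state are mine, and the hostnames use an example domain.

```python
"""Triage helper for a FreeIPA replica install failing with CA_UNREACHABLE.

Added example (not FreeIPA code). Each check works on the text of one
diagnostic source so it can run offline against the constructed samples
below; on a real system pass the three files on the command line.
"""
import re
import sys

# Assumption: any tracked request not in MONITORING needs attention.
HEALTHY_STATES = {"MONITORING"}

# --- constructed samples (layouts follow the thread, values are invented) ---
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 1.
Request ID '20180106135030':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa-master.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\ttrack: yes
"""
SAMPLE_HTTPD_NO_REQUEST = """\
[Sat Jan 06 13:50:29.000000 2018] [:error] [pid 2210] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: ping(): SUCCESS
"""
SAMPLE_HTTPD_WITH_REQUEST = SAMPLE_HTTPD_NO_REQUEST + """\
[Sat Jan 06 13:50:30.000000 2018] [:error] [pid 2210] ipa: INFO: [xmlserver] host/replica.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'ldap/replica.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
"""
SAMPLE_DOGTAG_AUTH_ONLY = """\
[06/Jan/2018:13:50:30][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: Authenticating certificate chain:
[06/Jan/2018:13:50:30][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=EXAMPLE.TEST
[06/Jan/2018:13:50:30][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: CN=IPA RA, O=EXAMPLE.TEST
[06/Jan/2018:13:50:30][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Got client certificate
"""
SAMPLE_DOGTAG_FULL = SAMPLE_DOGTAG_AUTH_ONLY + """\
[06/Jan/2018:13:50:30][ajp-bio-127.0.0.1-8009-exec-4]: EnrollProfile: createRequests: begins
[06/Jan/2018:13:50:30][ajp-bio-127.0.0.1-8009-exec-4]: Start parsePKCS10(): -----BEGIN CERTIFICATE REQUEST-----
"""


def parse_getcert_list(text):
    """Parse `getcert list` output into dicts with id, status and ca_error."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1), "status": None, "ca_error": None}
            requests.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*status:\s*(\S+)", line)
        if m:
            current["status"] = m.group(1)
        m = re.match(r"\s*ca-error:\s*(.*)", line)
        if m:
            current["ca_error"] = m.group(1).strip()
    return requests


def unhealthy_requests(text):
    return [r for r in parse_getcert_list(text) if r["status"] not in HEALTHY_STATES]


def httpd_saw_cert_request(error_log):
    """The master's error_log logs the replica's cert_request call if it arrived."""
    return any("cert_request" in line for line in error_log.splitlines())


def dogtag_authenticated_ra(debug_log):
    """PKIRealm lines naming CN=IPA RA show httpd authenticated to Dogtag."""
    return any("PKIRealm" in line and "CN=IPA RA" in line for line in debug_log.splitlines())


def dogtag_received_request(debug_log):
    return any("EnrollProfile: createRequests: begins" in line for line in debug_log.splitlines())


def diagnose(getcert_text, httpd_log, dogtag_log):
    """Return (failing_hop, detail), checking hops in the order the request travels."""
    bad = unhealthy_requests(getcert_text)
    if not bad:
        return ("none", "all tracked certmonger requests are MONITORING")
    req = bad[0]
    detail = "request %s is %s: %s" % (req["id"], req["status"], req["ca_error"] or "no ca-error")
    if not httpd_saw_cert_request(httpd_log):
        return ("replica->httpd", "no cert_request call in master error_log; " + detail)
    if not dogtag_authenticated_ra(dogtag_log):
        return ("httpd->dogtag", "no PKIRealm auth of CN=IPA RA in CA debug log; "
                "check pki-tomcatd and /var/lib/ipa/ra-agent.pem; " + detail)
    if not dogtag_received_request(dogtag_log):
        return ("dogtag-auth->enroll", "RA authenticated but no EnrollProfile createRequests; " + detail)
    return ("dogtag-enroll", "Dogtag parsed the request; inspect the CA's response in the debug log; " + detail)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # getcert-list.txt error_log ca-debug.log
        srcs = [open(p).read() for p in sys.argv[1:4]]
    else:
        srcs = [SAMPLE_GETCERT, SAMPLE_HTTPD_WITH_REQUEST, SAMPLE_DOGTAG_AUTH_ONLY]
    hop, why = diagnose(*srcs)
    print("failing hop: %s\n%s" % (hop, why))
```

Run it with `getcert list > getcert-list.txt` on the replica and copies of the master's two logs as the three arguments; with no arguments it runs on the samples. The order of checks matters: a missing `cert_request` line means the replica never reached the master, so there is no point reading Dogtag's log yet, and a PKIRealm authentication without a following `createRequests` points at Dogtag itself rather than at the ra-agent credentials.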