Jhon Torres wrote:
> Thanks! I attached the log file.
What does this command give you:
# pki securitydomain-show
WARNING: UNKNOWN_ISSUER encountered on 'CN=ipa.example.test,O=EXAMPLE.TEST' indicates an unknown CA cert 'CN=Certificate Authority,O=EXAMPLE.TEST'
Trust this certificate (y/N)? y
  Domain: IPA

  CA Subsystem:

    Host ID: CA ipa.example.test 443
    Hostname: ipa.example.test
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

  KRA Subsystem:

    Host ID: KRA ipa.example.test 443
    Hostname: ipa.example.test
    Port: 80
    Secure Port: 443
    Domain Manager: FALSE
It looks to me like no CA is registered within the securitydomain.
rob
On Wed, 28 May 2025 at 12:40, Rob Crittenden (rcritten@redhat.com) wrote:

John Tor via FreeIPA-users wrote:
> Hi,
>
> I had tried many times to install free-ipa-replica, but I always have the same error at this step:
>
> DEBUG: NSSDatabase.get_cert(Server-Cert cert-pki-ca) begins
> DEBUG: Command: certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -f /tmp/tmpxotjk756/password.txt -n Server-Cert cert-pki-ca -a
> DEBUG: stdout: -1
> DEBUG: NSSDatabase: stderr:
> certutil: Could not find cert: Server-Cert cert-pki-ca
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> DEBUG: Cert not found: Server-Cert cert-pki-ca

^^ is fine and not causing any issues.

> INFO: Updating /var/lib/pki/pki-tomcat/conf/serverCertNick.conf
> INFO: Updating serverCertNickFile in server.xml
> INFO: Joining security domain at https://master.example.com:443
> ERROR: KeyError: 'CA'

For ^^ we'd need to see the full /var/log/ipareplica-install.log to try to determine what is going on.

rob

> File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 594, in main
> deployer.spawn()
> File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 5986, in spawn
> scriptlet.spawn(self)
> File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 76, in spawn
> deployer.setup_security_domain(subsystem)
> File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2854, in setup_security_domain
> self.join_security_domain()
> File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2795, in join_security_domain
> sd_subsystem = self.domain_info.subsystems['CA']
>
>
> Failed to configure CA instance
> See the installation logs and the following files/directories for more information:
> /var/log/pki/pki-tomcat
> Traceback (most recent call last):
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 688, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 674, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 685, in __spawn_instance
> DogtagInstance.spawn_instance(
> File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
> self.handle_setup_error(e)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 643, in handle_setup_error
> raise RuntimeError(
> RuntimeError: CA configuration failed.
>
> [error] RuntimeError: CA configuration failed.
> [error] RuntimeError: CA configuration failed.
> Removing /root/.dogtag/pki-tomcat/ca
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in execute
> return_value = self.run()
> File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 343, in run
> return cfgr.run()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
> return self.execute()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
> for rval in self._executor():
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
> step()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
> return next(self.__gen)
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
> next(executor)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
> step()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
> return next(self.__gen)
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
> for unused in self._installer(self.parent):
> File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 687, in main
> replica_install(self)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 387, in decorated
> func(installer)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1446, in install
> ca.install(False, config, options, custodia=custodia)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 546, in install
> install_step_0(standalone, replica_config, options, custodia=custodia)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 621, in install_step_0
> ca.configure_instance(
> File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 522, in configure_instance
> self.start_creation(runtime=runtime)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 688, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 674, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 685, in __spawn_instance
> DogtagInstance.spawn_instance(
> File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
> self.handle_setup_error(e)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 643, in handle_setup_error
> raise RuntimeError(
>
> The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
> CA configuration failed.
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> I am stuck in a loop; I tried with a new server but it didn't work. I am using AlmaLinux 9.6, fully updated, and the command I used was:
>
> ipa-replica-install --setup-dns --forwarder 1.1.1.1 --setup-ca --verbose
>
> The command ipa-client-install worked perfectly.
>
> certutil -L -d sql:/var/lib/pki/pki-tomcat/conf/alias
>
> Certificate Nickname                Trust Attributes
>                                     SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca           CTu,Cu,Cu
> ocspSigningCert cert-pki-ca         u,u,u
> auditSigningCert cert-pki-ca        u,u,u
> subsystemCert cert-pki-ca           u,u,u
>
>
>
> I don't know what else to do :/
>
> Regards
> --
> Jhon Albert Torres H.
Sure,
[root@server ~]# pki securitydomain-show
WARNING: UNTRUSTED_ISSUER encountered on 'CN=ipa.example.test,O=EXAMPLE.TEST' indicates a non-trusted CA cert 'CN=Certificate Authority,O=EXAMPLE.TEST'
Trust this certificate (y/N)? y
  Domain: IPA

[root@server ~]# curl -k https://ipa.example.test:443/ca/rest/securityDomain/domainInfo
{"subsystemArray":[],"id":"IPA","subsystems":{}}{"subsystemArray":

[root@server ~]# pki securitydomain-show
  Domain: IPA
Am I missing something in the FreeIPA Master?
Thank you so much
John Tor via FreeIPA-users wrote:
> Am I missing something in the FreeIPA Master?
The PKI securitydomain seems to be missing entirely. You have a CA installed, right?
$ ipa server-role-find --status enabled
You can look in LDAP with:
$ ldapsearch -x -D 'cn=directory manager' -W -b "ou=Security Domain,o=ipaca"
I'm guessing you'll get something back but no entries like dn=<hostname> in cn=CAList,ou=Security Domain,o=ipaca
rob
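A way to run the check Rob describes above offline, as an added example (not from the thread, and not FreeIPA's or Dogtag's own tooling): it parses the LDIF that ldapsearch prints for ou=Security Domain,o=ipaca and reports whether cn=CAList actually contains a registered CA entry for the expected host, which is exactly what the replica's join_security_domain() needs. The empty sample is the thread's output trimmed to three entries; the healthy sample is constructed, and its attribute names (Host, SecurePort, DomainManager, Clone) are an assumption modelled on what pki-server sd-subsystem-add creates, so the check relies only on the entry's placement under cn=CAList.

```python
"""Check whether a Dogtag/FreeIPA security domain has a CA registered.

Usage:  ldapsearch -x -D 'cn=directory manager' -W \
            -b "ou=Security Domain,o=ipaca" | python3 check_sd.py ipa.example.test
"""
import base64
import sys
from typing import Dict, List

Entry = Dict[str, List[str]]
SD_BASE = "ou=security domain,o=ipaca"

# Constructed sample: the thread's (empty) security domain, trimmed to three entries.
SAMPLE_LDIF_EMPTY = """\
# extended LDIF
# base <ou=Security Domain,o=ipaca> with scope subtree
#

# Security Domain, ipaca
dn: ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityDomain
name: IPA
ou: Security Domain

# CAList, Security Domain, ipaca
dn: cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: CAList

# KRAList, Security Domain, ipaca
dn: cn=KRAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: KRAList

# search result
search: 2
result: 0 Success
"""

# Constructed healthy variant: one subsystem entry under CAList. The attribute
# names are an ASSUMPTION modelled on pki-server sd-subsystem-add; only the DN's
# placement under cn=CAList is used by the check.
SAMPLE_LDIF_HEALTHY = SAMPLE_LDIF_EMPTY.replace("# KRAList", """\
# CA ipa.example.test 443, CAList, Security Domain, ipaca
dn: cn=CA ipa.example.test 443,cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
cn: CA ipa.example.test 443
Host: ipa.example.test
SecurePort: 443
DomainManager: TRUE
Clone: FALSE

# KRAList""", 1)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: one dict (lower-cased attribute -> values) per entry.
    Handles '#' comments, blank-line separators, folded continuation lines
    (leading space) and base64 values ('attr:: ...'). Blocks without a dn
    (the trailing 'search:/result:' block) are dropped."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def members_of(entries: List[Entry], group: str) -> List[str]:
    """DNs of entries registered under cn=<group>,ou=Security Domain,o=ipaca."""
    container = f",cn={group.lower()},{SD_BASE}"
    return [e["dn"][0] for e in entries if e["dn"][0].lower().endswith(container)]


def check_security_domain(ldif_text: str, expected_ca_host: str) -> List[str]:
    """Return a list of problems; empty means a CA for expected_ca_host is registered."""
    entries = parse_ldif(ldif_text)
    problems: List[str] = []
    if not any(e["dn"][0].lower() == SD_BASE for e in entries):
        problems.append("ou=Security Domain,o=ipaca is missing entirely")
    cas = members_of(entries, "CAList")
    if not cas:
        problems.append("cn=CAList is empty: no CA is registered, so a replica's "
                        "join_security_domain() fails with KeyError: 'CA'")
    elif not any(expected_ca_host.lower() in dn.lower() for dn in cas):
        problems.append(f"no CAList entry names {expected_ca_host}; found: {cas}")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"
    text = SAMPLE_LDIF_EMPTY if sys.stdin.isatty() else sys.stdin.read()
    for problem in check_security_domain(text, host) or ["security domain OK"]:
        print(problem)
```

Run with the ldapsearch output on stdin and the CA hostname as the argument; with no input it evaluates the constructed empty sample and reports the missing CAList entry, which is the condition behind the KeyError: 'CA' in the replica install above.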
[root@server ~]# ipa server-role-find --status enabled
----------------------
2 server roles matched
----------------------
  Server name: ipa.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa.example.test
  Role name: DNS server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------
[root@server ~]# ldapsearch -x -D 'cn=directory manager' -W -b "ou=Security Domain,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Security Domain,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Security Domain, ipaca
dn: ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityDomain
name: IPA
ou: Security Domain

# CAList, Security Domain, ipaca
dn: cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: CAList

# OCSPList, Security Domain, ipaca
dn: cn=OCSPList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: OCSPList

# KRAList, Security Domain, ipaca
dn: cn=KRAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: KRAList

# RAList, Security Domain, ipaca
dn: cn=RAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: RAList

# TKSList, Security Domain, ipaca
dn: cn=TKSList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: TKSList

# TPSList, Security Domain, ipaca
dn: cn=TPSList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: TPSList

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7
[root@srvad01 ~]#
Try this:

$ pki-server sd-subsystem-find

You should get basically nothing because we know it's empty.

Populate it with your server:

$ pki-server sd-subsystem-add --subsystem CA --hostname ipa.example.test --secure-port 443 "CA ipa.example.test 443"
Be sure to replace both instances of 'ipa.example.test' with your CA hostname.
Then try your replica install again.
rob
It Works!!!
You are incredible
[root@server~]# pki-server sd-subsystem-add --subsystem CA --hostname ipa.example.test --secure-port 443 "CA ipa.example.test 443"
[root@server~]# pki-server sd-subsystem-find
  Subsystem ID: CA ipa.example.test 443
  Hostname: ipa.example.test
  Secure Port: 443
  Domain Manager: FALSE
  Clone: FALSE

# ipa-replica-install --setup-dns --forwarder 1.1.1.1 --forwarder 9.9.9.9 --setup-ca --verbose
Restart of ipa.service complete
Created connection context.ldap2_5646545465456465
flushing ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket from SchemaCache
retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f4c3860e3d0>
Destroyed connection context.ldap2_55656989899899

*The ipa-replica-install command was successful*

Thank you, I appreciate it.

Last question: was I doing something wrong?
Regards
On Thu, 29 May 2025 at 13:50, Rob Crittenden (rcritten@redhat.com) wrote:
> Try this:
>
> $ pki-server sd-subsystem-find
>
> You should get basically nothing because we know it's empty.
>
> Populate it with your server:
>
> $ pki-server sd-subsystem-add --subsystem CA --hostname ipa.example.test --secure-port 443 "CA ipa.example.test 443"
>
> Be sure to replace both instances of 'ipa.example.test' with your CA hostname.
>
> Then try your replica install again.
>
> rob
Jhon Torres wrote:
> It Works!!!
>
> *The ipa-replica-install command was successful*
>
> Thank you, I appreciate it.
>
> Last question: was I doing something wrong?
The issue was in the data: the removal of the securitydomain.
You might be able to look back into access logs to detect when it got removed.
You'd want to look for changes in cn=CAList,ou=Security Domain,o=ipaca
This could be difficult if not impossible to find on a long-running system where the 389-ds access log(s) have been rotated away.
So no, you didn't do anything wrong with the commands you were running.
rob
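Rob's suggestion to look back through the 389-ds access log for changes under cn=CAList can be scripted; the following is an added example (not part of the thread, and not a FreeIPA or 389-ds tool). It walks access-log lines, remembers the client address and BIND DN per connection, and reports each ADD/MOD/DEL/MODRDN whose target DN lies under the container, attributed to that connection. The log lines are constructed samples in the standard 389-ds access-log layout; the regexes assume that layout, and the BIND attribution is a simplification that takes the last BIND on a connection without confirming its RESULT err=0.

```python
"""Attribute writes under cn=CAList,ou=Security Domain,o=ipaca to the connection
that made them, from 389-ds access-log lines.

Usage:  python3 sd_writes.py /var/log/dirsrv/slapd-EXAMPLE-TEST/access*
"""
import re
import sys
from typing import Dict, List

SD_CALIST = "cn=CAList,ou=Security Domain,o=ipaca"

# Constructed sample in 389-ds access-log layout (not from the thread): one
# connection deletes the CA entry, a later one only searches.
SAMPLE_ACCESS_LOG = """\
[27/May/2025:22:41:03.118273201 +0000] conn=8801 fd=120 slot=120 connection from 192.0.2.10 to 192.0.2.1
[27/May/2025:22:41:03.119511002 +0000] conn=8801 op=0 BIND dn="cn=directory manager" method=128 version=3
[27/May/2025:22:41:03.120033907 +0000] conn=8801 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000620 dn="cn=directory manager"
[27/May/2025:22:41:05.301887412 +0000] conn=8801 op=1 SRCH base="cn=CAList,ou=Security Domain,o=ipaca" scope=1 filter="(objectClass=*)" attrs=ALL
[27/May/2025:22:41:05.302910004 +0000] conn=8801 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001119
[27/May/2025:22:41:09.556120330 +0000] conn=8801 op=2 DEL dn="cn=CA ipa.example.test 443,cn=CAList,ou=Security Domain,o=ipaca"
[27/May/2025:22:41:09.560441179 +0000] conn=8801 op=2 RESULT err=0 tag=107 nentries=0 etime=0.004420
[27/May/2025:22:41:10.000120330 +0000] conn=8801 op=3 UNBIND
[27/May/2025:22:41:10.000441179 +0000] conn=8801 op=3 fd=120 closed error - U1
[28/May/2025:09:12:44.771029001 +0000] conn=9120 fd=88 slot=88 connection from 192.0.2.1 to 192.0.2.1
[28/May/2025:09:12:44.772112008 +0000] conn=9120 op=0 BIND dn="uid=pkidbuser,ou=people,o=ipaca" method=128 version=3
[28/May/2025:09:12:44.772900442 +0000] conn=9120 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000870 dn="uid=pkidbuser,ou=people,o=ipaca"
[28/May/2025:09:12:45.110233019 +0000] conn=9120 op=1 SRCH base="ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=*)" attrs=ALL
[28/May/2025:09:12:45.111000000 +0000] conn=9120 op=1 RESULT err=0 tag=101 nentries=7 etime=0.000860
"""

# Layout assumed: "[timestamp] conn=N op=M <operation ...>"; connection-open lines
# carry no op=.  Internal operations (conn=Internal) are skipped on purpose.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
CONN_RE = re.compile(r'connection from (?P<src>\S+) to ')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
WRITE_RE = re.compile(r'^(?P<kind>ADD|MOD|DEL|MODRDN) dn="(?P<dn>[^"]*)"')


def find_security_domain_writes(log_text: str, container: str = SD_CALIST) -> List[Dict[str, str]]:
    """Return every write whose target DN is the container or lies under it,
    with the bind DN and client address of the issuing connection."""
    bind_dn: Dict[str, str] = {}   # conn id -> last BIND dn on that connection
    source: Dict[str, str] = {}    # conn id -> client address
    hits: List[Dict[str, str]] = []
    suffix = container.lower()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        cm = CONN_RE.search(rest)
        if cm:                              # new connection: anonymous until it binds
            source[conn] = cm["src"]
            bind_dn[conn] = "(anonymous)"
            continue
        bm = BIND_RE.match(rest)
        if bm:
            bind_dn[conn] = bm["dn"] or "(anonymous)"
            continue
        wm = WRITE_RE.match(rest)
        if wm and wm["dn"].lower().endswith(suffix):
            hits.append({"time": m["ts"], "conn": conn, "op": m["op"] or "",
                         "kind": wm["kind"], "dn": wm["dn"],
                         "bind_dn": bind_dn.get(conn, "(unknown)"),
                         "source": source.get(conn, "(unknown)")})
    return hits


if __name__ == "__main__":
    # Rotated files (access.<timestamp>) are plain text in the same layout, so pass them too.
    text = "".join(open(p, errors="replace").read() for p in sys.argv[1:]) or SAMPLE_ACCESS_LOG
    for h in find_security_domain_writes(text):
        print(f'{h["time"]} conn={h["conn"]} op={h["op"]} {h["kind"]} {h["dn"]} '
              f'by {h["bind_dn"]} from {h["source"]}')
```

Run it over the live access log and any rotated copies still on disk; Rob's caveat stands, and once those files have aged out nothing here can recover the event. Where the 389-ds audit log is enabled it records the deleted entry itself in LDIF form, which is the more useful artifact to keep for the next investigation.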
freeipa-users@lists.fedorahosted.org