On 07/31/2017 08:44 PM, Mark Haney via FreeIPA-users wrote:
On 07/24/2017 10:25 PM, Fraser Tweedale wrote:

Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log
file (ideally the whole thing)?

Also to clarify: ``ipa-replica-install --setup-ca'' installs a new
replica including the CA role.  To install the CA role on an
existing replica use the ``ipa-ca-install'' command.

Cheers,
Fraser

Okay, I've given this another shot. I rebuilt the ipa1 server (that's the replica), built a new replica-prepare file and ran:

ipa-ca-install /var/lib/ipa/ipa1.replica.gpg (this is supposed to be correct according to the documentation).

It failed. But, now I'm getting better information. It seems that the GoDaddy SSL cert bundles are being imported, but not actually imported:

Importing certificates from /tmp/ca.p12:
---------------
7 entries found
---------------
---------------
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

gdroot-g2                                    C,,
Server-Cert cert-pki-ca                      u,u,u
caSigningCert cert-pki-ca                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                 u,u,Pu
gdbundle-g2                                  C,,
ocspSigningCert cert-pki-ca                  u,u,u
subsystemCert cert-pki-ca                    u,u,u

Installation failed:


Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2017-07-31T18:26:05Z DEBUG stderr=certutil: Could not find cert: gdroot-g2
: PR_FILE_NOT_FOUND_ERROR: File not found
certutil: Could not find cert: gdbundle-g2
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-07-31T18:26:05Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsfcdDm' returned non-zero exit status 1


And it blows up there. How on earth could it find, give details, import and then NOT FIND THE FILES?

I've attached the full log if anyone is interested, but this is getting annoying. I have those certificates already on the server and set up for the web interface (they are just to verify a good HTTPS connection and not really connected to anything IPA related).

Got any ideas on how to fix this/make it work like it's supposed to?




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
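As an added diagnostic (not from the thread, and not FreeIPA's or Dogtag's own tooling): a POSIX shell script that parses a `certutil -L` listing like the one pkispawn printed above, decodes the NSS trust attributes, and, on a host that has certutil, checks whether each listed nickname can actually be resolved with `certutil -L -d <db> -n <nickname>`, which is the lookup that fails in the log. The sample listing is constructed from the nicknames in the post; the database path and the `sql:` prefix in the usage comment are assumptions (a legacy cert8.db database is addressed without the prefix).

```shell
#!/bin/sh
# Added example: parse a `certutil -L` listing, decode trust flags, and verify
# that every nickname it shows can be looked up by name in the NSS database.

# Constructed sample listing modelled on the one in the post (not a real DB).
SAMPLE_LISTING='
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

gdroot-g2                                    C,,
Server-Cert cert-pki-ca                      u,u,u
caSigningCert cert-pki-ca                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                 u,u,Pu
gdbundle-g2                                  C,,
ocspSigningCert cert-pki-ca                  u,u,u
subsystemCert cert-pki-ca                    u,u,u
'

# Print "nickname<TAB>trust" for each certificate line. Nicknames can contain
# spaces ("Server-Cert cert-pki-ca"), so the trust triple is taken from the
# LAST field and the nickname is everything before it. Header and blank lines
# do not match the flag pattern and are skipped.
parse_nss_listing() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            trust = $NF
            $NF = ""
            sub(/[ \t]+$/, "")
            print $0 "\t" trust
        }'
}

# Expand one trust triple (SSL,S/MIME,JAR/XPI) into words, following the flag
# meanings in certutil(1): c valid CA, C trusted CA, T trusted CA for client
# auth, p valid peer, P trusted peer, u certificate has a private key.
decode_trust() {
    printf '%s\n' "$1" | awk -F, '
        function words(f,   out) {
            out = ""
            if (f ~ /C/) out = out " trusted-CA"
            else if (f ~ /c/) out = out " valid-CA"
            if (f ~ /T/) out = out " client-auth-CA"
            if (f ~ /P/) out = out " trusted-peer"
            else if (f ~ /p/) out = out " valid-peer"
            if (f ~ /u/) out = out " user(private-key)"
            if (out == "") out = " none"
            return substr(out, 2)
        }
        { printf "SSL=%s S/MIME=%s JAR/XPI=%s\n", words($1), words($2), words($3) }'
}

# Look up every nickname from the listing in the database with certutil.
# Prints OK/MISSING per nickname; the exit status is the number of nicknames
# certutil could not find (the "Could not find cert" symptom in the post).
# Requires certutil; not run automatically below.
check_nicknames() {
    db="$1"; listing="$2"; missing=0
    tab="$(printf '\t')"
    while IFS="$tab" read -r nick trust; do
        [ -n "$nick" ] || continue
        if certutil -L -d "$db" -n "$nick" >/dev/null 2>&1; then
            printf 'ok       %s  [%s]\n' "$nick" "$(decode_trust "$trust")"
        else
            printf 'MISSING  %s  (listed as %s but certutil -n cannot find it)\n' "$nick" "$trust"
            missing=$((missing + 1))
        fi
    done <<EOF
$(parse_nss_listing "$listing")
EOF
    return "$missing"
}

# Stand-alone demo on the constructed sample (no certutil needed): each
# nickname with its decoded trust flags.
parse_nss_listing "$SAMPLE_LISTING" | while IFS="$(printf '\t')" read -r nick trust; do
    printf '%-32s %s\n' "$nick" "$(decode_trust "$trust")"
done

# On a real host (assumed path and database format):
#   db=sql:/etc/pki/pki-tomcat/alias
#   check_nicknames "$db" "$(certutil -L -d "$db")"; echo "missing: $?"
```

If `check_nicknames` reports a nickname as MISSING even though it appears in the listing, the listing and the lookup are not talking to the same database (different `-d` path, or dbm versus sql format), or the entry is a trust record without a certificate body; that distinction is what narrows the failure down before re-running pkispawn.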

Hi,

another user hit the same problem as you (ipa-replica-install --setup-ca fails during pkispawn and the PKI debug log shows an error related to updateNumberRange). He managed to work around the issue by un-enrolling the failing replica and revoking all the certificates that were created during replica setup attempts (you can find the mail thread here [1]).

I still don't know what the root cause of the issue is or why the workaround succeeded, but it's worth giving it a try.

Flo

[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/TJGJZANRCIYTGXCUEAZ3XLISNEO7QOIN/#A54XHWAG4Z6BVX62YRUQXYO5QKW4OXAZ