On 01/06/2018 08:54 PM, lejeczek via FreeIPA-users wrote:


hi

I'm trying to install replica, process fails:
..
   [3/5]: creating anonymous principal
   [4/5]: starting the KDC
   [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
   [1/2]: starting kadmin
   [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
   [1/3]: configuring TLS for DS instance
   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
..
-- end

and in install log file:
..
2018-01-06T13:50:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -A -n PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
2018-01-06T13:50:29Z DEBUG Process finished, return code=0
2018-01-06T13:50:29Z DEBUG stdout=
2018-01-06T13:50:29Z DEBUG stderr=
2018-01-06T13:50:30Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-01-06T13:50:35Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2018-01-06T13:50:35Z DEBUG Traxx.ck (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
     run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
     method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
     post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
     raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

2018-01-06T13:50:35Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
     return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
     cfgr.run()
   File "/usr/lib/python2.7/site-
...
-- end

Would this be that new candidate's problem or some communication issues with existing server? Client installed (kind of) okay though.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

the replica installer is communicating with the local certmonger daemon to request SSL certificates. Then certmonger connects to the IPA master (httpd process), and in turn IPA master server communicates with Dogtag to request the certificate.

As you can see, there are a lot of processes involved, and the issue could come from communication issues between all of them. We need to identify which step is failing.

Can you check:
- the output of getcert list on the client? It may contain a more detailed message for the certificate issuance failure
- if tomcat is running on the master? systemctl status pki-tomcatd@pki-tomcat
- if the client managed to contact IPA master? Look for a line with cert_request in the master's log /var/log/httpd/error_log, and for possible related error messages. If the line is present, the client successfully sent its cert request, meaning that the communication was properly established.
- if dogtag received the certificate request? IPA master is using /etc/ipa/ca.crt and /var/lib/ipa/ra-agent.{key|pem} to authenticate to Dogtag. The authentication logs in /var/log/pki/pki-tomcat/ca/debug should display something like:

[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: Authenticating certificate chain:
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: CN=IPA RA, O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: started
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Retrieving client certificate
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Got client certificate

and the cert request:
[date][ajp-bio-127.0.0.1-8009-exec-4]: EnrollProfile: createRequests: begins
[date][ajp-bio-127.0.0.1-8009-exec-4]: Start parsePKCS10(): -----BEGIN CERTIFICATE REQUEST-----

The most common issues are pki-tomcatd not started because of the certificate 'subsystemCert cert-pki-ca' that expired, or communication issues between IPA server and Dogtag (the cert in /var/lib/ipa/ra-agent.{key|pem} is expired).

HTH,
Flo
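The hop-by-hop check Flo describes above, as an added example that is not part of the thread or of FreeIPA itself: each function looks at one hop (certmonger state on the replica, cert_request in the master's httpd error_log, PKIRealm/EnrollProfile lines in the Dogtag debug log) and triage names the first hop that shows no trace of the request. The SAMPLE_* strings are constructed stand-ins for the real command output and log files named in the comments; hostnames, request ID and the ca-error text are made up.

```shell
#!/bin/sh
# Added example, not FreeIPA project code.  Walks the certificate-request path
# replica certmonger -> master httpd -> Dogtag and reports where it stops.

# Hop 0: certmonger on the replica.  Real source: `getcert list`.
certmonger_status() {      # prints the status word of the first request
    printf '%s\n' "$1" | awk '/^[ \t]*status:/ { print $2; exit }'
}
certmonger_ca_error() {    # prints the ca-error line, the more detailed message
    printf '%s\n' "$1" | awk '/^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error: /, ""); print; exit }'
}

# Hop 1: did the request reach the master?  Real source: /var/log/httpd/error_log
master_saw_request() {
    printf '%s\n' "$1" | grep -q 'cert_request'
}

# Hops 2/3: what did Dogtag log?  Real source: /var/log/pki/pki-tomcat/ca/debug
# The master authenticates to Dogtag with /var/lib/ipa/ra-agent.{key,pem}, so
# the PKIRealm lines prove TLS client auth worked; EnrollProfile proves the
# PKCS#10 request itself was handed to the CA.
dogtag_stage() {
    if   printf '%s\n' "$1" | grep -qF 'EnrollProfile: createRequests: begins'; then echo enroll
    elif printf '%s\n' "$1" | grep -qF 'PKIRealm: Authenticating certificate chain'; then echo auth_only
    else echo none
    fi
}

# triage GETCERT_OUTPUT HTTPD_LOG DOGTAG_LOG: prints a verdict, returns the hop number
triage() {
    status=$(certmonger_status "$1")
    if [ "$status" != "CA_UNREACHABLE" ]; then
        echo "certmonger reports '$status', not CA_UNREACHABLE; this is a different failure"
        return 0
    fi
    if ! master_saw_request "$2"; then
        echo "hop 1: no cert_request on the master; the replica never reached httpd"
        return 1
    fi
    case $(dogtag_stage "$3") in
        none)      echo "hop 2: master took the request but Dogtag logged no RA auth; check pki-tomcatd and whether ra-agent.pem is expired"; return 2 ;;
        auth_only) echo "hop 3: Dogtag authenticated the RA but never parsed the request; read on in the CA debug log"; return 3 ;;
        *)         echo "request reached Dogtag enrollment; the failure is later in the CA log"; return 4 ;;
    esac
}

# --- constructed samples (not real output) --------------------------------
SAMPLE_GETCERT="Request ID '20180106135029':
    status: CA_UNREACHABLE
    ca-error: Server at https://master.example.test/ipa/xml failed request, will retry (constructed sample)
    stuck: no"

SAMPLE_HTTPD="[Sat Jan 06 13:50:30 2018] [:error] [pid 1234] ipa: INFO: [jsonserver_session] host/replica.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'ldap/replica.example.test@EXAMPLE.TEST', add=True): CertificateOperationError"

SAMPLE_DOGTAG="[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: Authenticating certificate chain:
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=EXAMPLE.TEST
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Got client certificate"

# On a real replica, feed the real files instead of the samples, e.g.
#   triage "$(getcert list)" "$(cat /var/log/httpd/error_log)" "$(cat /var/log/pki/pki-tomcat/ca/debug)"
# and check the RA cert separately with: openssl x509 -checkend 0 -noout -in /var/lib/ipa/ra-agent.pem
echo "certmonger detail: $(certmonger_ca_error "$SAMPLE_GETCERT")"
triage "$SAMPLE_GETCERT" "$SAMPLE_HTTPD" "$SAMPLE_DOGTAG"
echo "stopped at hop $?"
```

The return code doubles as the hop number so the function can drive further automation; the samples above stop at hop 3 (Dogtag authenticated the RA but logged no EnrollProfile line), which is the Dogtag-side case Flo describes rather than the expired subsystemCert or ra-agent cases.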
