On 08/01/18 09:36, Florence Blanc-Renaud wrote:
On 01/06/2018 08:54 PM, lejeczek via FreeIPA-users wrote:

hi

I'm trying to install replica, process fails:
..
   [3/5]: creating anonymous principal
   [4/5]: starting the KDC
   [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
   [1/2]: starting kadmin
   [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
   [1/3]: configuring TLS for DS instance
   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
..
-- end

and in the install log file:
..
2018-01-06T13:50:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -A -n PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
2018-01-06T13:50:29Z DEBUG Process finished, return code=0
2018-01-06T13:50:29Z DEBUG stdout=
2018-01-06T13:50:29Z DEBUG stderr=
2018-01-06T13:50:30Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-01-06T13:50:35Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2018-01-06T13:50:35Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
     method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
     post_command=cmd)
   File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
     raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

2018-01-06T13:50:35Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
     return_value = self.run()
   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
     cfgr.run()
   File "/usr/lib/python2.7/site-
...
-- end

Would this be that new candidate's problem or some communication issue with the existing server? Client installed (kind of) okay though.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

the replica installer is communicating with the local certmonger daemon to request SSL certificates. Then certmonger connects to the IPA master (httpd process), and in turn IPA master server communicates with Dogtag to request the certificate.

As you can see, there are a lot of processes involved, and the issue could come from communication issues between all of them. We need to identify which step is failing.

Can you check:
- the output of getcert list on the client? It may contain a more detailed message for the certificate issuance failure

After a successful client installation, on the client:
# getcert list
Number of certificates and requests being tracked: 0.

The same on the server shows a long list of:
Number of certificates and requests being tracked: 9.
...

- if tomcat is running on the master? systemctl status pki-tomcatd@pki-tomcat

Is running
- if the client managed to contact IPA master? Look for a line with cert_request on the master's log /var/log/httpd/error_log, and for possible error messages related. If the line is present, the client successfully sent its cert request, meaning that the communication was properly established.

Just after a client installation, now --uninstall (successful), on the server in httpd/error_log:
...
[Tue Jan 09 12:03:45.109806 2018] [auth_gssapi:error] [pid 34824] [client 10.5.10.37:46016] NO AUTH DATA Client did not send any authentication headers, referer: https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:03:45.771504 2018] [:error] [pid 8044] ipa: INFO: [xmlserver] host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: host_disable(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x', version=u'2.51'): ACIError

And when I re-install a client, on the server in httpd/error_log:
...
[Tue Jan 09 12:05:37.515855 2018] [auth_gssapi:error] [pid 8048] [client 10.5.10.37:46108] NO AUTH DATA Client did not send any authentication headers, referer: https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:05:37.579441 2018] [:error] [pid 8043] ipa: INFO: Host entry for lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x already exists, joining may fail on the client side if not forced
[Tue Jan 09 12:05:37.628158 2018] [:error] [pid 8043] ipa: INFO: [xmlserver] ad...@private.xx.xx.private.xx.xx.x: join(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x', nshardwareplatform=u'x86_64', nsosversion=u'3.10.0-693.11.6.el7.x86_64', version=u'2.51'): SUCCESS

And at the client's end:
...
Joining realm failed: Host is already joined.

Use --force-join option to override the host entry on the server and force client enrollment.
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
...

So, --force-join now:
...
The ipa-client-install command was successful
...

Server's end in httpd/error_log:
...
[Tue Jan 09 12:09:36.546759 2018] [auth_gssapi:error] [pid 8046] [client 10.5.10.37:46266] NO AUTH DATA Client did not send any authentication headers, referer: https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:09:36.602576 2018] [:error] [pid 8044] ipa: INFO: Host entry for lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x already exists, joining may fail on the client side if not forced
[Tue Jan 09 12:09:36.656072 2018] [:error] [pid 8044] ipa: INFO: [xmlserver] ad...@private.xx.xx.private.xx.xx.x: join(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x', nshardwareplatform=u'x86_64', nsosversion=u'3.10.0-693.11.6.el7.x86_64', version=u'2.51'): SUCCESS
[Tue Jan 09 12:09:39.203290 2018] [:error] [pid 8043] ipa: INFO: [jsonserver_kerb] host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: ping(): SUCCESS
[Tue Jan 09 12:09:39.244366 2018] [:error] [pid 8044] ipa: INFO: [jsonserver_kerb] host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: ca_is_enabled(version=u'2.107'): SUCCESS
[Tue Jan 09 12:09:40.430598 2018] [:error] [pid 8043] ipa: INFO: [jsonserver_kerb] host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: host_mod(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x', ipasshpubkey=(u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTFpZYnI+r+wM4wYPQgEIu21k6UKpkiPhgYhTlCn29GcyXNoIipnxyrV4LRVw5VULWMsuZQcxK7DB897VNkR/wm0aeOtyWYDGEqwVclhVy2yWPwnD4scltCCS2ehv20yeO0V0Uj95EMGdFOfUM3FGpFG9L/xEXlSVdC6BP/oi3DxCcGydGas6SCwmzy8av10hB+jwQXgnLeHGIo2bPZZuWwxjH2rifaoZjsOH4I/EfRkYq3Q2JsBBGAWhNhuOgxBeUIVQOvBvrMf4JeRGFHNQNsvhElxijy0Bxi2uGADisKKWzeW5vnslTNtOtFu9AwoJg52kV2HM5Wuo+crp4+zF/', u'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFN0Gfh8oGhmjnhOqhEdK7xNPlWkoimaWdtiBwJo2+QBEQ0s6Qvjc4WPA+zCF8ELA/Lg3RHbsSjRTQc3N3jRxDA=', u'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs2DCmihX985GR3k/Q4cHyeBVqmM72pB5zNo5fHehfG'), updatedns=False, version=u'2.26'): EmptyModlist

On a client again:
# getcert list
Number of certificates and requests being tracked: 0.

So there is something not right, right? Client --uninstall leaves stuff behind?

--- Now replica:
# ipa-replica-install
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    A replication agreement for this host already exists. It needs to be removed.
Run this command:
    %% ipa-replica-manage del lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x --force
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
...

But there is no such agreement, the server says, only one agreement to itself. And no matter what I do I cannot get past this; -replica insists and fails, unless I do on the client:
# ipa-server-install --uninstall
# yum remove -y `rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server krb5-workstation ipa-python certmonger
# yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns

Then a new client-install, then replica-install:
# ipa-replica-install
ipa         : ERROR    Reverse DNS resolution of address 10.5.10.37 (lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
...

Finally the moment -replica fails on the server in httpd/error_log:
...
[Tue Jan 09 12:39:15.256308 2018] [auth_gssapi:error] [pid 8050] [client 10.5.10.37:48282] NO AUTH DATA Client did not send any authentication headers, referer: https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:39:15.329299 2018] [:error] [pid 8044] ipa: INFO: [xmlserver] host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: cert_request(u'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', profile_id=u'caIPAserviceCert', principal=u'ldap/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x', add=True, version=u'2.51'): NetworkError


Nothing happens in that moment in /var/log/pki/pki-tomcat/ca/debug

Before I thought... maybe network, but now, all of the above I do in an lxc container on that IPA server locally. Is this IPA server somehow functional but not, mis-configured? (Installation of the server seemingly went okay.) I've done a few IPA setups, most of the time problem-free, sometimes with minor problems; this is the first time I'm at a loss.


- if dogtag received the certificate request? IPA master is using /etc/ipa/ca.crt and /var/lib/ipa/ra-agent.{key|pem} to authenticate to Dogtag. The authentication logs in /var/log/pki/pki-tomcat/ca/debug should display something like:

[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: Authenticating certificate chain:
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm:   CN=IPA RA, O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: started
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Retrieving client certificate
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Got client certificate

and the cert request:
[date][ajp-bio-127.0.0.1-8009-exec-4]: EnrollProfile: createRequests: begins
[date][ajp-bio-127.0.0.1-8009-exec-4]: Start parsePKCS10(): -----BEGIN CERTIFICATE REQUEST-----

The most common issues are pki-tomcatd not started because the certificate 'subsystemCert cert-pki-ca' has expired, or communication issues between the IPA server and Dogtag (the cert in /var/lib/ipa/ra-agent.{key|pem} has expired).

HTH,
Flo

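As an added example that is not part of this thread or of FreeIPA's own tooling: a small POSIX sh triage script that follows the chain Flo lays out (installer, local certmonger, IPA master httpd, Dogtag). It reads an httpd error_log on stdin and picks out the outcome of the last cert_request call, checks whether the RA agent certificate httpd presents to Dogtag is still valid, and maps the three observations (certmonger state, pki-tomcatd status, cert_request result) to the hop that failed. The sample log line at the bottom is constructed with placeholder host names; the paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for the
# certmonger -> IPA httpd -> Dogtag certificate-issuance chain.

# Print the outcome of the last cert_request call in the httpd error_log
# read from stdin (e.g. SUCCESS or NetworkError), or NONE if no
# cert_request line is present at all.
last_cert_request_result() {
    line=$(grep 'cert_request(' | tail -n 1)
    if [ -z "$line" ]; then
        echo NONE
    else
        # the outcome is whatever follows the final "): " of the call
        printf '%s\n' "$line" | sed 's/.*): *//'
    fi
}

# Report whether the RA agent cert httpd uses towards Dogtag is still
# valid (an expired ra-agent cert is one of the common causes named in
# the thread). Prints "valid", "expired" or "missing".
ra_agent_cert_status() {
    pem="${1:-/var/lib/ipa/ra-agent.pem}"
    [ -r "$pem" ] || { echo missing; return 0; }
    # -checkend 0 exits non-zero when the certificate has already expired
    if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# Map the three observations to the hop that failed.
#   $1 certmonger request state from 'getcert list' (e.g. CA_UNREACHABLE)
#   $2 yes/no: is pki-tomcatd@pki-tomcat active on the master
#   $3 output of last_cert_request_result for the master's error_log
locate_failure() {
    state="$1"; tomcat="$2"; req="$3"
    if [ "$req" = NONE ]; then
        echo "client->master: no cert_request reached httpd; the client never established contact with the master"
    elif [ "$tomcat" != yes ]; then
        echo "master->dogtag: pki-tomcatd is down; check whether 'subsystemCert cert-pki-ca' has expired"
    elif [ "$req" = NetworkError ]; then
        echo "master->dogtag: httpd got the request but could not reach Dogtag; check /var/lib/ipa/ra-agent.pem and /var/log/pki/pki-tomcat/ca/debug"
    elif [ "$req" = SUCCESS ]; then
        echo "issued: Dogtag answered; certmonger state '$state' points at a local problem on the client"
    else
        echo "dogtag: request was answered with $req"
    fi
}

# Constructed sample log, modelled on the thread's final error_log excerpt
# (host names, realm and client address are placeholders).
SAMPLE_LOG="[Tue Jan 09 12:39:15.256308 2018] [auth_gssapi:error] [pid 8050] [client 10.0.0.1:48282] NO AUTH DATA Client did not send any authentication headers
[Tue Jan 09 12:39:15.329299 2018] [:error] [pid 8044] ipa: INFO: [xmlserver] host/replica.example.test@EXAMPLE.TEST: cert_request(u'<csr>', profile_id=u'caIPAserviceCert', add=True, version=u'2.51'): NetworkError"

# Stand-alone run against the sample; on a real master replace the
# printf with: last_cert_request_result < /var/log/httpd/error_log
result=$(printf '%s\n' "$SAMPLE_LOG" | last_cert_request_result)
echo "last cert_request result: $result"
echo "ra-agent cert: $(ra_agent_cert_status)"
locate_failure CA_UNREACHABLE yes "$result"
```

With the thread's observations (certmonger reports CA_UNREACHABLE, tomcat is running, the master logged the cert_request with NetworkError and nothing reached the Dogtag debug log) the script lands on the master-to-Dogtag hop, which is where Flo's last two checks point.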
