On 08/01/18 09:36, Florence Blanc-Renaud wrote:
On 01/06/2018 08:54 PM, lejeczek via FreeIPA-users wrote:
hi
I'm trying to install replica, process fails:
..
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
..
-- end
and in the install log file:
..
2018-01-06T13:50:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -A -n PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
2018-01-06T13:50:29Z DEBUG Process finished, return code=0
2018-01-06T13:50:29Z DEBUG stdout=
2018-01-06T13:50:29Z DEBUG stderr=
2018-01-06T13:50:30Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-01-06T13:50:35Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2018-01-06T13:50:35Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-
...
-- end
Would this be that new candidate's problem or some
communication issues with the existing server? Client
installed (kind of) okay though.
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Hi,
the replica installer is communicating with the local
certmonger daemon to request SSL certificates. Then
certmonger connects to the IPA master (httpd process), and
in turn IPA master server communicates with Dogtag to
request the certificate.
As you can see, there are a lot of processes involved, and
the issue could come from communication issues between all
of them. We need to identify which step is failing.
Can you check:
- the output of getcert list on the client? It may contain
a more detailed message for the certificate issuance failure
After a successful client installation, on the client:
# getcert list
Number of certificates and requests being tracked: 0.
The same on the server shows a long list of:
Number of certificates and requests being tracked: 9.
...
- if tomcat is running on the master? systemctl status
pki-tomcatd@pki-tomcat
Is running
- if the client managed to contact IPA master? Look for a
line with cert_request on the master's log
/var/log/httpd/error_log, and for possible error messages
related. If the line is present, the client successfully
sent its cert request, meaning that the communication was
properly established.
Just after a client installation, now
--uninstall (successful), on the server in httpd/error_log:
...
[Tue Jan 09 12:03:45.109806 2018] [auth_gssapi:error] [pid
34824] [client 10.5.10.37:46016] NO AUTH DATA Client did not
send any authentication headers, referer:
https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:03:45.771504 2018] [:error] [pid 8044] ipa:
INFO: [xmlserver]
host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
host_disable(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x',
version=u'2.51'): ACIError
And when I re-install a client, on the server in
httpd/error_log:
...
[Tue Jan 09 12:05:37.515855 2018] [auth_gssapi:error] [pid
8048] [client 10.5.10.37:46108] NO AUTH DATA Client did not
send any authentication headers, referer:
https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:05:37.579441 2018] [:error] [pid 8043] ipa:
INFO: Host entry for lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x
already exists, joining may fail on the client side if not
forced
[Tue Jan 09 12:05:37.628158 2018] [:error] [pid 8043] ipa:
INFO: [xmlserver] ad...@private.xx.xx.private.xx.xx.x:
join(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x',
nshardwareplatform=u'x86_64',
nsosversion=u'3.10.0-693.11.6.el7.x86_64', version=u'2.51'):
SUCCESS
And a client's end:
...
Joining realm failed: Host is already joined.
Use --force-join option to override the host entry on the
server and force client enrollment.
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command
'ipa-client-automount --uninstall --debug' returned non-zero
exit status 1
...
So, --force-join now:
...
The ipa-client-install command was successful
...
Server's end in httpd/error_log:
...
[Tue Jan 09 12:09:36.546759 2018] [auth_gssapi:error] [pid
8046] [client 10.5.10.37:46266] NO AUTH DATA Client did not
send any authentication headers, referer:
https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:09:36.602576 2018] [:error] [pid 8044] ipa:
INFO: Host entry for lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x
already exists, joining may fail on the client side if not
forced
[Tue Jan 09 12:09:36.656072 2018] [:error] [pid 8044] ipa:
INFO: [xmlserver] ad...@private.xx.xx.private.xx.xx.x:
join(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x',
nshardwareplatform=u'x86_64',
nsosversion=u'3.10.0-693.11.6.el7.x86_64', version=u'2.51'):
SUCCESS
[Tue Jan 09 12:09:39.203290 2018] [:error] [pid 8043] ipa:
INFO: [jsonserver_kerb]
host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
ping(): SUCCESS
[Tue Jan 09 12:09:39.244366 2018] [:error] [pid 8044] ipa:
INFO: [jsonserver_kerb]
host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
ca_is_enabled(version=u'2.107'): SUCCESS
[Tue Jan 09 12:09:40.430598 2018] [:error] [pid 8043] ipa:
INFO: [jsonserver_kerb]
host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
host_mod(u'lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x',
ipasshpubkey=(u'ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDTFpZYnI+r+wM4wYPQgEIu21k6UKpkiPhgYhTlCn29GcyXNoIipnxyrV4LRVw5VULWMsuZQcxK7DB897VNkR/wm0aeOtyWYDGEqwVclhVy2yWPwnD4scltCCS2ehv20yeO0V0Uj95EMGdFOfUM3FGpFG9L/xEXlSVdC6BP/oi3DxCcGydGas6SCwmzy8av10hB+jwQXgnLeHGIo2bPZZuWwxjH2rifaoZjsOH4I/EfRkYq3Q2JsBBGAWhNhuOgxBeUIVQOvBvrMf4JeRGFHNQNsvhElxijy0Bxi2uGADisKKWzeW5vnslTNtOtFu9AwoJg52kV2HM5Wuo+crp4+zF/',
u'ecdsa-sha2-nistp256
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFN0Gfh8oGhmjnhOqhEdK7xNPlWkoimaWdtiBwJo2+QBEQ0s6Qvjc4WPA+zCF8ELA/Lg3RHbsSjRTQc3N3jRxDA=',
u'ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIPs2DCmihX985GR3k/Q4cHyeBVqmM72pB5zNo5fHehfG'),
updatedns=False, version=u'2.26'): EmptyModlist
On a client again:
# getcert list
Number of certificates and requests being tracked: 0.
So there is something not right, right? Client --uninstall
leaves stuff behind?
--- Now replica:
# ipa-replica-install
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR A replication agreement for this host already
exists. It needs to be removed.
Run this command:
%% ipa-replica-manage del
lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x --force
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR
...
But there is no such agreement, the server says, only one
agreement to itself. And no matter what I do I cannot get
past this, -replica insists and fails, unless I do on the
client:
# ipa-server-install --uninstall
# yum remove -y `rpm -qa ipa* 389*` pki-base krb5-pkinit
krb5-server krb5-workstation ipa-python certmonger
# yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns
Then a new client-install, then replica-install:
# ipa-replica-install
ipa : ERROR Reverse DNS resolution of address
10.5.10.37 (lxc-ipa1-swir.priv.xx.xx.priv.xx.xx.x) failed.
Clients may not function properly. Please check your DNS
setup. (Note that this check queries IPA DNS directly and
ignores /etc/hosts.)
...
Finally, the moment -replica fails, on the server in
httpd/error_log:
...
[Tue Jan 09 12:39:15.256308 2018] [auth_gssapi:error] [pid
8050] [client 10.5.10.37:48282] NO AUTH DATA Client did not
send any authentication headers, referer:
https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Tue Jan 09 12:39:15.329299 2018] [:error] [pid 8044] ipa:
INFO: [xmlserver]
host/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
cert_request(u'...',
profile_id=u'caIPAserviceCert',
principal=u'ldap/lxc-ipa1-swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x',
add=True, version=u'2.51'): NetworkError
Nothing happens in that moment in
/var/log/pki/pki-tomcat/ca/debug
Before I thought... maybe network, but now, all the above I do
is in an lxc container on that IPA server locally.
Is this IPA server somehow functional but not,
mis-configured? (Installation of the server seemingly went okay)
I've done a few IPA setups, most of the time problem-free,
sometimes minor problems, this is first time I'm at a loss.
- if dogtag received the certificate request? IPA master
is using /etc/ipa/ca.crt and
/var/lib/ipa/ra-agent.{key|pem} to authenticate to Dogtag.
The authentication logs in
/var/log/pki/pki-tomcat/ca/debug should display something
like:
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm:
Authenticating certificate chain:
[date][ajp-bio-127.0.0.1-8009-exec-1]:
PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA,
O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: PKIRealm: CN=IPA
RA, O=DOMAIN.IPA.COM
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth:
started
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth:
Retrieving client certificate
[date][ajp-bio-127.0.0.1-8009-exec-1]: CertUserDBAuth: Got
client certificate
and the cert request:
[date][ajp-bio-127.0.0.1-8009-exec-4]: EnrollProfile:
createRequests: begins
[date][ajp-bio-127.0.0.1-8009-exec-4]: Start
parsePKCS10(): -----BEGIN CERTIFICATE REQUEST-----
The most common issues are pki-tomcatd not started because
of the certificate 'subsystemCert cert-pki-ca' that
expired, or communication issues between IPA server and
Dogtag (the cert in /var/lib/ipa/ra-agent.{key|pem} is
expired).
HTH,
Flo
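As an added example, not from this thread or from FreeIPA itself, here is a small shell helper that applies the checks Flo lists: it triages the cert_request outcomes in the master's httpd error_log (here fed with constructed sample lines modelled on the ones quoted above) and maps each outcome onto the certmonger -> httpd -> Dogtag hop it points at, plus an openssl wrapper for the expired-RA-agent-cert case in the closing paragraph. The function names and hint texts are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): triage the
# cert_request calls that the reply says to look for in the IPA master's
# /var/log/httpd/error_log, and map each outcome onto the hop of the
# certmonger -> httpd (IPA master) -> Dogtag chain that it points at.
#
# Usage: triage_cert_requests < /var/log/httpd/error_log
# Reads log lines on stdin and prints one "principal|outcome|hint" line per
# cert_request call, or a single "none|-|hint" line when none was logged.
# The hint texts are this example's own mapping, not IPA output.
triage_cert_requests() {
  awk '
    /cert_request\(/ {
      principal = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "[xmlserver]" || $i == "[jsonserver_kerb]") {
          principal = $(i + 1)
          sub(/:$/, "", principal)
        }
      }
      outcome = $NF
      if (outcome == "SUCCESS")
        hint = "certificate issued: client, httpd and Dogtag all reachable"
      else if (outcome == "NetworkError")
        hint = "httpd reached but its call to Dogtag failed: check pki-tomcatd@pki-tomcat and the RA agent cert"
      else
        hint = "request reached httpd but IPA rejected it: check the host entry and principal"
      print principal "|" outcome "|" hint
      seen = 1
    }
    END {
      if (!seen)
        print "none|-|no cert_request logged: certmonger never reached httpd, check getcert list on the client"
    }'
}

# Companion check for the closing paragraph of the reply: report whether a
# PEM certificate such as /var/lib/ipa/ra-agent.pem is still valid for N
# more days (default 0, i.e. not yet expired). Exit status 0 = valid.
cert_valid_for_days() {
  days=${2:-0}
  openssl x509 -noout -checkend $((days * 86400)) -in "$1" >/dev/null 2>&1
}
```

Run `triage_cert_requests < /var/log/httpd/error_log` on the master and `cert_valid_for_days /var/lib/ipa/ra-agent.pem 30` to see whether the RA agent certificate is within a month of expiry.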