On 01/11/2018 06:37 PM, lejeczek via FreeIPA-users wrote:
On 11/01/18 17:02, Florence Blanc-Renaud wrote:
On 01/11/2018 05:16 PM, lejeczek via FreeIPA-users wrote:
On 11/01/18 15:02, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
hi
not an python nor ipa expert here, looking at certmonger.py
what does such an error indicate? :
ipa : DEBUG certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
ipa : DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)
ipa : DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line
824, in __enable_ssl
post_command=cmd)
File
"/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py",
line 317, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed
({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
ipa : DEBUG [error] RuntimeError: Certificate issuance
failed (CA_UNREACHABLE)
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
-- end
Is this about local replica candidate or remote ipa server?
getcert list may provide the host it was trying to contact.
rob
When replica candidate installation fails I get the above on that
candidate.
When after a failure, on that would-be replica I do:
$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180111154743':
status: CA_UNREACHABLE
ca-error: Server at
It points at itself, own FQDN.
Should I be rather watching server's end?
How to troubleshoot it?
thanks,L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Hi,
thanks Flo, I tried my best to follow clues you gave and find some more,
I replied in that other topic CA_UNREACHABLE.
certmonger tries first to connect to the IPA server defined
/etc/ipa/default.conf, but if this one fails then it will try to
locate another IPA master (see the man page for ipa-submit(8),
especially the section about -h option).
During a replica installation, certmonger will send a cert_request
call to the IPA master. You should be able to find a trace in
/var/log/httpd/error_log on the master, with a line containing the
string cert_request and the call parameters.
in httpd/error_log I see:
[Thu Jan 11 17:20:53.475973 2018] [:error] [pid 2701892] ipa: INFO:
[jsonserver_kerb] host/dzien.priv.
xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: ping(): SUCCESS
[Thu Jan 11 17:20:53.527232 2018] [:error] [pid 2701893] ipa: INFO:
[jsonserver_kerb] host/dzien.priv.
xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: env((u'version',)):
SUCCESS
[Thu Jan 11 17:20:53.573580 2018] [:error] [pid 2701892] ipa: INFO:
[jsonserver_kerb] host/dzien.priv.
xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: env((u'fips_mode',)):
SUCCESS
[Thu Jan 11 17:21:04.406246 2018] [:error] [pid 2701893] ipa: INFO:
[jsonserver_kerb] ad...@private.xx.
xx.PRIVATE.xx.xx.x: ping(): SUCCESS
[Thu Jan 11 17:21:04.444042 2018] [:error] [pid 2701892] ipa: INFO:
[jsonserver_kerb] ad...@private.xx.
xx.PRIVATE.xx.xx.x: ping/1(version=u'2.228'): SUCCESS
[Thu Jan 11 17:21:04.900349 2018] [:error] [pid 2701893] ipa: INFO:
[jsonserver_kerb] ad...@private.xx.
xx.PRIVATE.xx.xx.x: server_conncheck(u'swir.priv.xx.xx.priv.xx.xx.x',
u'dzien.priv.xx.
xx.priv.xx.xx.x', version=u'2.162'): SUCCESS
[Thu Jan 11 17:21:40.832678 2018] [auth_gssapi:error] [pid 2702831]
[client 10.5.6.17:47072] NO AUTH DATA
Client did not send any authentication headers, referer:
https://swir.priv.xx.xx.priv.xx.xx.x
/ipa/xml
[Thu Jan 11 17:21:40.913393 2018] [:error] [pid 2701892] ipa: INFO:
[xmlserver]
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
cert_request(u'MIIEWTCCA0ECAQAwYDErMCkGA1UEChMiUFJJVkFURS5DQ05SLkNFQi5QUklWQVRFLkNBTS5BQy5VSzExMC8GA1UEAxMoZHppZW4ucHJpdmF0ZS5jY25yLmNlYi5wcml2YXRlLmNhbS5hYy51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK81UM4J4041W+ujikOQrplTcUjjmMHOWkE8YbVwjZvH2AYhP7tn+jZ7GYWZuv//j4tfFEEiIyV94hL85xjhXCwkLdR1R6CaswD1SpwOkQGOOICol1aV2tX1+o9Q3Q4gDLMBvxX3+s+l39l7dgDqj6ZaueH8E7H+W9Oj+w3+E8mR5Zy/kG6X6WNtwbqyf6fZwshRO26O4aUNlxMDpeLN5mDoRWBeeHiWoFBXwYXqysHoVLFN4urpH7wHKSEkdW7Vaj/1HXGutOV5HsaBqeGzdCiwlrBFDE9maU7HhyBxxGEit11ejGxoP2hjxyO0l0tfBuqJjBkGZDvgB3501jGgHQ8CAwEAAaCCAbIwJQYJKoZIhvcNAQkUMRgeFgBTAGUAcgB2AGUAcgAtAEMAZQByAHQwggGHBgkqhkiG9w0BCQ4xggF4MIIBdDCCAQwGA1UdEQEBAASCAQAwgf2CKGR6aWVuLnByaXZhdGUuY2Nuci5jZWIucHJpdmF0ZS5jYW0uYWMudWugYAYKKwYBBAGCNxQCA6BSDFBsZGFwL2R6aWVuLnByaXZhdGUuY2Nuci5jZWIucHJpdmF0ZS5jYW0uYWMudWtAUFJJVkFURS5DQ05SLkNFQi5QUklWQVRFLkNBTS5BQy5VS6BvBgYrBgEFAgKgZTBjoCQbIlBSSVZBVEUuQ0NOUi5DRUIuUFJJVkFURS5DQU0uQUMuVUuhOzA5oAMCAQGhMjAwGwRsZGFwGyhkemllbi5wcml2YXRlLmNjbnIuY2ViLnByaXZhdGUuY2FtLmFjLnVrMAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFA1WfK69+iWx/R7b8kWpd/4M3QtrMDIGCSsGAQQBgjcUAgEBAAQiHiAAYwBhAEkAUABBAHMAZQByAHYAaQBjAGUAQwBlAHIAdDANBgkqhkiG9w0BAQsFAAOCAQEAXBhrwG29M+UEWZsWjIJWRHEQ6bAdpTWJVP7P9eXu11Krd/VrCb/qgz7/68GWkKCDpINLB8P7SGWoUwI4zjn1YJNn9jyVELryLn4MHfQ/3W3mVZcK6FPtRqmpwZ6q0TEG/ZpBftWlpI8AkhruGrx8bJ/pGo3UJgY/5QajMjsuuysvoukVxeYmQJDCH36Hdfw6+hYg3XQfmJ2WgLjnVaA0v3e9gKYf0gObwSbKF1ZqF6pVw9D9h8BgTITB8PO6aQvYCeWY6H9w/Dc3V77pPubTrScN6JJFZEyTWPK2GijpO7E+4nV5bnHNlJ4LpAZRYH0lzcVok/YNsRv8bupoFoChNQ==',
profile_id=u'caIPAserviceCert',
principal=u'ldap/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x',
add=True, version=u'2.51'): NetworkError
To have more information, you can start the master in debug mode:
- edit (or create if it does not exist) /etc/ipa/server.conf and add the
following:
[global]
debug = True
- restart httpd with
$ systemctl restart httpd
If the replica installation triggers this type of log in
/var/log/httpd/error_log:
[...date...] [:error] [pid 9337] ipa: INFO: [xmlserver]
host/vm-replica.ipadomain....@ipadomain.com:
cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert',
principal=u'ldap/replica.ipadomain....@ipadomain.com', add=True,
version=u'2.51'): NetworkError
[...date...] [:error] [pid 9337] ipa: DEBUG: response: NetworkError:
cannot connect to
'https://master.ipadomain.com:443/ca/rest/account/login': [Errno 13]
Permission denied
then the problem you are seeing is probably BZ 14852017 [RFE] If the
umask is too restrictive the installation won't work [1]
Did you install the master with a umask different from 022? In this
case, some configuration files are probably not accessible by non-root
user, and the httpd server - running as apache - cannot read files
needed to establish the secure connection to dogtag.
You can try to change the permissions for /etc/ipa/ca.crt and
/var/lib/ipa/ra-agent.{key|pem} on the master:
$ chmod 444 /etc/ipa/ca.crt
$ chmod 440 /var/lib/ipa/ra-agent.*
and re-try the replica installation.
HTH,
Flo
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1485217
dzien is a replica candidate, swir is the server.
Before I'll go after other logs, does this one above is more revealing?
Pokes eyes is that last line "NetworkError" - but does it actually say?
many thanks, L.
In turn, IPA master contacts Dogtag in order to generate the
certificate for the replica. The logs are in
/var/log/pki/pi-tomcat/ca/debug.
Can you see any cert_request log in the master? If not, then
certmonger (from the would-be replica) was not able to contact the
master. In this case I would check the output of:
$ dig -t srv _ldap._tcp.<ipa domain>
to make sure which servers certmonger tried to contact.
HTH,
Flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
