Hello Flo,
I have installed the CA and also run the certupdate, but it is still not
working. Here is the log:
2024-03-15T16:06:58Z CRITICAL Failed to configure CA instance
2024-03-15T16:06:58Z CRITICAL See the installation logs and the following
files/directories for more information:
2024-03-15T16:06:58Z CRITICAL /var/log/pki/pki-tomcat
2024-03-15T16:06:58Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 627, in __spawn_instance
nolog_list=nolog_list
File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 227, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 606, in handle_setup_error
) from None
RuntimeError: CA configuration failed.
2024-03-15T16:06:58Z DEBUG [error] RuntimeError: CA configuration failed.
2024-03-15T16:06:58Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-03-15T16:06:58Z DEBUG File
"/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line
781, in run_script
return_value = main_function()
File "/sbin/ipa-ca-install", line 307, in main
install(safe_options, options)
File "/sbin/ipa-ca-install", line 273, in install
install_replica(safe_options, options)
File "/sbin/ipa-ca-install", line 210, in install_replica
ca.install(True, config, options, custodia=custodia)
File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
270, in install
install_step_0(standalone, replica_config, options, custodia=custodia)
File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
355, in install_step_0
pki_config_override=options.pki_config_override,
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 501, in configure_instance
self.start_creation(runtime=runtime)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 627, in __spawn_instance
nolog_list=nolog_list
File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 227, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 606, in handle_setup_error
) from None
2024-03-15T16:06:58Z DEBUG The ipa-ca-install command failed, exception:
RuntimeError: CA configuration failed.
On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud <[email protected]>
wrote:
> Hi,
>
> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <
> [email protected]> wrote:
>
>> Found this in the logs:
>>
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on
>> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
>> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>> BAD_CERTIFICATE
>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>> at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>> at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>> at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>> at
>> com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>> at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>> at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>> at com.netscape.cmstools.ca
>> .CACLI.getSubsystemClient(CACLI.java:66)
>> at
>> com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>> at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at
>> com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>> at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>> Caused by: java.io.IOException: SocketException cannot write on socket:
>> Failed to write to socket: (-12276) Unable to communicate securely with
>> peer: requested domain name does not match the server's certificate.
>> at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>> at
>> org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>> at org.apache.http.impl.io
>> .AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>> at org.apache.http.impl.io
>> .AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>> at
>> org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>> at
>> org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>> at
>> org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>> at
>> org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>> at
>> org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>> at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>> at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>> at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>> ... 17 more
>> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to
>> socket: (-12276) Unable to communicate securely with peer: requested domain
>> name does not match the server's certificate.
>> at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>> at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>> ... 31 more
>> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias',
>> '-f', '/etc/pki/pki-tomcat/password.conf', '-U', '
>> https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request',
>> '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format',
>> 'json', '--debug']' returned non-zero exit status 255.
>> File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line
>> 575, in main
>> scriptlet.spawn(deployer)
>> File
>> "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py",
>> line 586, in spawn
>> subsystem.request_ranges(master_url,
>> session_id=deployer.install_token.token)
>> File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line
>> 1119, in request_ranges
>> master_url, 'request', session_id=session_id,
>> install_token=install_token)
>> File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line
>> 1107, in request_range
>> output = subprocess.check_output(cmd)
>> File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
>> **kwargs).stdout
>> File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>> output=stdout, stderr=stderr)
>>
>>
>> 2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
>> 2024-03-14T00:38:53Z CRITICAL See the installation logs and the following
>> files/directories for more information:
>> 2024-03-14T00:38:53Z CRITICAL /var/log/pki/pki-tomcat
>> 2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 635, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 621, in run_step
>> method()
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>> 627, in __spawn_instance
>> nolog_list=nolog_list
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 227, in spawn_instance
>> self.handle_setup_error(e)
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 606, in handle_setup_error
>> ) from None
>> RuntimeError: CA configuration failed.
>>
>> 2024-03-14T00:38:53Z DEBUG [error] RuntimeError: CA configuration
>> failed.
>> 2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>> 2024-03-14T00:38:53Z DEBUG File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line
>> 781, in run_script
>> return_value = main_function()
>>
>> File "/sbin/ipa-ca-install", line 307, in main
>> install(safe_options, options)
>>
>> File "/sbin/ipa-ca-install", line 273, in install
>> install_replica(safe_options, options)
>>
>> File "/sbin/ipa-ca-install", line 210, in install_replica
>> ca.install(True, config, options, custodia=custodia)
>>
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
>> 270, in install
>> install_step_0(standalone, replica_config, options, custodia=custodia)
>>
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
>> 355, in install_step_0
>> pki_config_override=options.pki_config_override,
>>
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>> 501, in configure_instance
>> self.start_creation(runtime=runtime)
>>
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 635, in start_creation
>> run_step(full_msg, method)
>>
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 621, in run_step
>> method()
>>
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>> 627, in __spawn_instance
>> nolog_list=nolog_list
>>
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 227, in spawn_instance
>> self.handle_setup_error(e)
>>
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 606, in handle_setup_error
>> ) from None
>>
>> 2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception:
>> RuntimeError: CA configuration failed.
>>
>> Is the installation failing because the:
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on
>> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
>> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>> BAD_CERTIFICATE
>>
>> ?? how do I pass a "Y" to this script?
>>
>
> Not really easy to read the logs as I'm lacking the context, but it looks
> like the CA fails to communicate with the LDAP server.
> Did you install the first server with an externally signed LDAP server
> certificate? If that's the case, you are probably just missing the external
> CA cert.
> Use ipa-cacert-manage install -t CT,C,C extca.pem on one of the servers
> if not already done, then execute ipa-certupdate on all the hosts enrolled
> in the domain (all servers and clients, including the server where you run
> ipa-cacert-manage).
>
> flo
>
> //omar
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
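A check for the two failure causes visible in the quoted pki output, as an added example (not code from the thread, FreeIPA or Dogtag): it pulls the server CN, the untrusted issuer and the target host out of a constructed excerpt of the log and flags chain trust and hostname matching separately, because NSS error -12276 is a name mismatch that installing the external CA does not clear. The log line layout and the CN-only name comparison are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed, abridged excerpt of the `pki ... ca-range-request --debug` output
# quoted in the thread; sample input for this example, not a live capture.
SAMPLE_LOG = """\
INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request']' returned non-zero exit status 255.
"""

SUBJECT_RE = re.compile(r"^INFO: Server certificate: (.+)$", re.M)
ISSUER_RE = re.compile(r"non-trusted CA cert '([^']+)'")
TARGET_RE = re.compile(r"'-U',\s*'(https?://[^']+)'")
NSS_RE = re.compile(r"\((-\d+)\) Unable to communicate securely with peer:")


def cn_of(dn):
    # CN attribute of an RFC 4514 style DN, or None if absent
    m = re.search(r"(?:^|,)CN=([^,]+)", dn)
    return m.group(1) if m else None


def diagnose(log):
    f = {}
    m = SUBJECT_RE.search(log)
    f["server_cn"] = cn_of(m.group(1)) if m else None
    m = ISSUER_RE.search(log)
    f["untrusted_issuer"] = m.group(1) if m else None
    m = TARGET_RE.search(log)
    f["target_host"] = urlparse(m.group(1)).hostname if m else None
    m = NSS_RE.search(log)
    f["nss_error"] = int(m.group(1)) if m else None
    # Two independent checks fail here: chain trust and name matching. Only the CN is
    # visible in the log, so a SAN matching the URL host cannot be ruled out (assumption).
    f["issuer_untrusted"] = f["untrusted_issuer"] is not None
    f["name_mismatch"] = f["nss_error"] == -12276 or (
        None not in (f["target_host"], f["server_cn"])
        and f["target_host"].lower() != f["server_cn"].lower())
    return f


def remediation(f):
    # One action per detected cause; the trust fix alone does not clear -12276.
    steps = []
    if f["issuer_untrusted"]:
        steps.append("install '%s' with ipa-cacert-manage install -t CT,C,C extca.pem, "
                     "then run ipa-certupdate on every server and client" % f["untrusted_issuer"])
    if f["name_mismatch"]:
        steps.append("URL host %r is not the certificate CN %r: the LDAP cert needs a matching "
                     "name (or SAN), or the install must use the name on the cert"
                     % (f["target_host"], f["server_cn"]))
    return steps
```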