[Freeipa-users] Re: ipa-setup-ca

[Omar via FreeIPA-users]

for the context:
I fixed my master IPA server, with all new and valid certs (server & CA
chain).  I installed two replicas, both installed successfully, but when I
try to run the ipa-ca-install they both fail.  Thoughs?

On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud <f...@redhat.com>
wrote:

> Hi,
>
> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Found this in the logs:
>>
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on 
>> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
>> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>> BAD_CERTIFICATE
>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>>         at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>>         at
>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>>         at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>>         at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>         at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>>         at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>>         at
>> com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>>         at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>>         at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>>         at com.netscape.cmstools.ca
>> .CACLI.getSubsystemClient(CACLI.java:66)
>>         at
>> com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>>         at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>         at
>> com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>         at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>>         at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>> Caused by: java.io.IOException: SocketException cannot write on socket:
>> Failed to write to socket: (-12276) Unable to communicate securely with
>> peer: requested domain name does not match the server's certificate.
>>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>>         at
>> org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>>         at org.apache.http.impl.io
>> .AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>>         at org.apache.http.impl.io
>> .AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>>         at
>> org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>>         at
>> org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>>         at
>> org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>>         at
>> org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>>         at
>> org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>>         at
>> org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>>         at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>>         at
>> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>>         at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>>         at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>         at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>>         ... 17 more
>> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to
>> socket: (-12276) Unable to communicate securely with peer: requested domain
>> name does not match the server's certificate.
>>         at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>>         ... 31 more
>> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias',
>> '-f', '/etc/pki/pki-tomcat/password.conf', '-U', '
>> https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request',
>> '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format',
>> 'json', '--debug']' returned non-zero exit status 255.
>>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line
>> 575, in main
>>     scriptlet.spawn(deployer)
>>   File
>> "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py",
>> line 586, in spawn
>>     subsystem.request_ranges(master_url,
>> session_id=deployer.install_token.token)
>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line
>> 1119, in request_ranges
>>     master_url, 'request', session_id=session_id,
>> install_token=install_token)
>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line
>> 1107, in request_range
>>     output = subprocess.check_output(cmd)
>>   File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
>>     **kwargs).stdout
>>   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>>     output=stdout, stderr=stderr)
>>
>>
>> 2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
>> 2024-03-14T00:38:53Z CRITICAL See the installation logs and the following
>> files/directories for more information:
>> 2024-03-14T00:38:53Z CRITICAL   /var/log/pki/pki-tomcat
>> 2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 635, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 621, in run_step
>>     method()
>>   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>> 627, in __spawn_instance
>>     nolog_list=nolog_list
>>   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 227, in spawn_instance
>>     self.handle_setup_error(e)
>>   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 606, in handle_setup_error
>>     ) from None
>> RuntimeError: CA configuration failed.
>>
>> 2024-03-14T00:38:53Z DEBUG   [error] RuntimeError: CA configuration
>> failed.
>> 2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>> 2024-03-14T00:38:53Z DEBUG   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line
>> 781, in run_script
>>     return_value = main_function()
>>
>>   File "/sbin/ipa-ca-install", line 307, in main
>>     install(safe_options, options)
>>
>>   File "/sbin/ipa-ca-install", line 273, in install
>>     install_replica(safe_options, options)
>>
>>   File "/sbin/ipa-ca-install", line 210, in install_replica
>>     ca.install(True, config, options, custodia=custodia)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
>> 270, in install
>>     install_step_0(standalone, replica_config, options, custodia=custodia)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
>> 355, in install_step_0
>>     pki_config_override=options.pki_config_override,
>>
>>   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>> 501, in configure_instance
>>     self.start_creation(runtime=runtime)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 635, in start_creation
>>     run_step(full_msg, method)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 621, in run_step
>>     method()
>>
>>   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>> 627, in __spawn_instance
>>     nolog_list=nolog_list
>>
>>   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 227, in spawn_instance
>>     self.handle_setup_error(e)
>>
>>   File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
>> line 606, in handle_setup_error
>>     ) from None
>>
>> 2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception:
>> RuntimeError: CA configuration failed.
>>
>> Is the installation failing because the:
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on 
>> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
>> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>> BAD_CERTIFICATE
>>
>> ??  how do I pass a "Y" to this script?
>>
>
> Not really easy to read the logs as I'm lacking the context, but it looks
> like the CA fails to communicate with the LDAP server.
> Did you install the first server with an externally signed LDAP server
> certificate? If that's the case, you are probably just missing the external
> CA cert.
> Use *ipa-cacert-manage install-t CT,C,C extca.pem *on one of the servers
> if not already done, then execute ipa-certupdate on all the hosts enrolled
> in the domain (all servers and clients, including the server where you run
> ipa-cacert-manage).
>
> flo
>
> //omar
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue