For the context: I fixed my master IPA server, with all new and valid certs (server & CA chain). I installed two replicas, both installed successfully, but when I try to run ipa-ca-install they both fail. Thoughts?
On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud <f...@redhat.com> wrote:

> Hi,
>
> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>> Found this in the logs:
>>
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>         at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>>         at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>>         at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>>         at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>>         at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>>         at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>>         at com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>>         at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>         at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>         at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>>         at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>> Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>>         at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>>         at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>>         at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>>         at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>>         at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>>         at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>>         at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>>         ... 17 more
>> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>>         at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>>         ... 31 more
>> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', '--debug']' returned non-zero exit status 255.
>>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
>>     scriptlet.spawn(deployer)
>>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 586, in spawn
>>     subsystem.request_ranges(master_url, session_id=deployer.install_token.token)
>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1119, in request_ranges
>>     master_url, 'request', session_id=session_id, install_token=install_token)
>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1107, in request_range
>>     output = subprocess.check_output(cmd)
>>   File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
>>     **kwargs).stdout
>>   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>>     output=stdout, stderr=stderr)
>>
>>
>> 2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
>> 2024-03-14T00:38:53Z CRITICAL See the installation logs and the following files/directories for more information:
>> 2024-03-14T00:38:53Z CRITICAL   /var/log/pki/pki-tomcat
>> 2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>     method()
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>>     nolog_list=nolog_list
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>>     ) from None
>> RuntimeError: CA configuration failed.
>>
>> 2024-03-14T00:38:53Z DEBUG   [error] RuntimeError: CA configuration failed.
>> 2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>> 2024-03-14T00:38:53Z DEBUG   File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 781, in run_script
>>     return_value = main_function()
>>
>>   File "/sbin/ipa-ca-install", line 307, in main
>>     install(safe_options, options)
>>
>>   File "/sbin/ipa-ca-install", line 273, in install
>>     install_replica(safe_options, options)
>>
>>   File "/sbin/ipa-ca-install", line 210, in install_replica
>>     ca.install(True, config, options, custodia=custodia)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 270, in install
>>     install_step_0(standalone, replica_config, options, custodia=custodia)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
>>     pki_config_override=options.pki_config_override,
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 501, in configure_instance
>>     self.start_creation(runtime=runtime)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>     run_step(full_msg, method)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>     method()
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>>     nolog_list=nolog_list
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>>     self.handle_setup_error(e)
>>
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>>     ) from None
>>
>> 2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
>>
>> Is the installation failing because the:
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>>
>> ?? how do I pass a "Y" to this script?
>>
>
> Not really easy to read the logs as I'm lacking the context, but it looks like the CA fails to communicate with the LDAP server.
> Did you install the first server with an externally signed LDAP server certificate? If that's the case, you are probably just missing the external CA cert.
> Use ipa-cacert-manage install -t CT,C,C extca.pem on one of the servers if not already done, then execute ipa-certupdate on all the hosts enrolled in the domain (all servers and clients, including the server where you run ipa-cacert-manage).
>
> flo
>
>> //omar
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>
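The quoted log records two separate TLS checks failing when the pki CLI on the replica contacts the master: the issuer check (the WARNING: UNTRUSTED ISSUER line naming CN=Maxar DS Issuing CA East) and, in the exception, NSS error -12276, a hostname check in which the name the CLI was given (-U https://ldap01.app.uaap.maxar.com:443) is not found in the certificate it was presented (CN=ldap.app.uaap.maxar.com). The script below is an added example, not code from this thread, FreeIPA or Dogtag. It reproduces both checks with openssl against a constructed CA and server certificate so that each can be run on its own before re-running ipa-ca-install. It assumes openssl 1.1.1 or later on PATH; the CA is a throwaway stand-in for the external issuing CA, and since the log does not show whether the real certificate carries a SAN for ldap01, the constructed certificate deliberately has only the name the log prints.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Reproduces the two checks seen in the log (issuer trust and hostname
# match) with openssl against a constructed CA and server certificate.
# Assumes: openssl >= 1.1.1 on PATH. The CA is a throwaway stand-in for
# the external issuing CA; the server cert carries only the name shown
# in the log, because the log does not reveal whether the real one has
# a SAN for ldap01.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the throwaway CA certs really are CA certs
# (basicConstraints CA:TRUE) regardless of the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME OUTBASE : self-signed throwaway CA (constructed test data).
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}
make_ca "Throwaway Issuing CA"   issuing    # stands in for the external CA
make_ca "Unrelated Throwaway CA" unrelated  # a trust store that lacks it

# Server cert signed by the issuing CA; CN and SAN are the name in the log.
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=ldap.app.uaap.maxar.com" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:ldap.app.uaap.maxar.com' > "$WORK/srv.ext"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/issuing.pem" \
  -CAkey "$WORK/issuing.key" -CAcreateserial -days 1 \
  -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" >/dev/null 2>&1

# chain_trusted TRUSTBASE : 0 if srv.pem chains to a CA in TRUSTBASE.pem,
# ignoring the system trust store. This is the "UNTRUSTED ISSUER" check;
# on a FreeIPA host it passes only once the external CA has been added
# (ipa-cacert-manage install, then ipa-certupdate on every host).
chain_trusted() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/$1.pem" \
    "$WORK/srv.pem" >/dev/null 2>&1
}

# name_matches HOST : 0 if srv.pem is valid for HOST with the issuer trusted.
# This is the hostname check behind NSS error -12276 in the log: trusting
# the CA does not help if the URL names a host the certificate does not.
name_matches() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/issuing.pem" \
    -verify_hostname "$1" "$WORK/srv.pem" >/dev/null 2>&1
}

# Stand-alone run: report the four outcomes.
for c in "chain_trusted issuing" "chain_trusted unrelated" \
         "name_matches ldap.app.uaap.maxar.com" \
         "name_matches ldap01.app.uaap.maxar.com"; do
  if $c; then echo "OK   $c"; else echo "FAIL $c"; fi
done
```

To run the same two checks against the real master from a replica, fetch the certificate the master presents with openssl s_client -connect ldap01.app.uaap.maxar.com:443 -showcerts, save the leaf certificate in place of srv.pem, and use the external CA file in place of the throwaway issuing CA; the chain check corresponds to the trust-store step in the reply above, while the hostname check needs the certificate to name every host the replica is told to contact.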