Omar via FreeIPA-users wrote:
> Here is some more info:
> 
>     WARNING: The CA service is only installed on one server (<master
>     hostname here>).
>     It is strongly recommended to install it on another server.
>     Run ipa-ca-install(1) on another master to accomplish this.
> 
> 
>     The ipa-replica-install command was successful
> 
> 
> That was from the replica install, here is me installing the ca-cert on
> the replica:
> 
>     $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
>     Installing CA certificate, please wait
>     Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
>     Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
>     CA certificate successfully installed
>     The ipa-cacert-manage command was successful

What I don't understand is why you didn't have to install this chain in
order to install the servers at all. Are you sure this is the right chain?

This data is replicated so it doesn't matter which server it is added on.

> 
> and the cacert update:
> 
>     $ ipa-certupdate
>     Systemwide CA database updated.
>     Systemwide CA database updated.
>     The ipa-certupdate command was successful

This has to be run everywhere after updating a chain.

> 
> 
> but when I try to run ipa-ca-install, it fails and it hangs here:
> 
>     $ ipa-ca-install
>     Directory Manager (existing master) password:
> 
> 
>     Run connection check to master
>     Connection check OK
>     Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>       [1/28]: creating certificate server db
>       [2/28]: setting up initial replication
>     Starting replication, please wait until this has completed.
>     Update in progress, 21 seconds elapsed
>     Update succeeded
> 
> 
>       [3/28]: creating ACIs for admin
>       [4/28]: creating installation admin user
>       [5/28]: configuring certificate server instance
> 
> 
> Thoughts?

IPA treats PKI as a black box. Occasionally it will spit out an error
that is useful in the install log but usually you have to pair it with
the pki-ca-spawn log and sometimes also the ca debug log to determine
what is going on.

It also depends on the definition of fail and hang. You can monitor the
pki-ca-spawn log for activity, for example, during installation.

rob

> 
> 
> 
> On Fri, Mar 15, 2024 at 12:12 PM Omar <[email protected]> wrote:
> 
>     for the context:
>     I fixed my master IPA server, with all new and valid certs (server &
>     CA chain).  I installed two replicas, both installed successfully,
>     but when I try to run the ipa-ca-install they both fail.  Thoughts?
> 
>     On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud <[email protected]> wrote:
> 
>         Hi,
> 
>         On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <[email protected]> wrote:
> 
>             Found this in the logs:
> 
>             INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>             WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>             Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>             javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>                     at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>                     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>                     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>                     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>                     at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>                     at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>                     at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>                     at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>                     at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>                     at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>                     at com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>                     at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>                     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>                     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>                     at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>                     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>                     at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>                     at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>             Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>                     at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>                     at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>                     at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>                     at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>                     at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>                     at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>                     at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>                     at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>                     at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>                     at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>                     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>                     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>                     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>                     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>                     at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>                     ... 17 more
>             Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>                     at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>                     at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>                     ... 31 more
>             CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', '--debug']' returned non-zero exit status 255.
>               File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
>                 scriptlet.spawn(deployer)
>               File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 586, in spawn
>                 subsystem.request_ranges(master_url, session_id=deployer.install_token.token)
>               File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1119, in request_ranges
>                 master_url, 'request', session_id=session_id, install_token=install_token)
>               File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1107, in request_range
>                 output = subprocess.check_output(cmd)
>               File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
>                 **kwargs).stdout
>               File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>                 output=stdout, stderr=stderr)
> 
>             2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
>             2024-03-14T00:38:53Z CRITICAL See the installation logs and the following files/directories for more information:
>             2024-03-14T00:38:53Z CRITICAL   /var/log/pki/pki-tomcat
>             2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>                 run_step(full_msg, method)
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>                 method()
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>                 nolog_list=nolog_list
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>                 self.handle_setup_error(e)
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>                 ) from None
>             RuntimeError: CA configuration failed.
> 
>             2024-03-14T00:38:53Z DEBUG   [error] RuntimeError: CA configuration failed.
>             2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>             2024-03-14T00:38:53Z DEBUG   File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 781, in run_script
>                 return_value = main_function()
>               File "/sbin/ipa-ca-install", line 307, in main
>                 install(safe_options, options)
>               File "/sbin/ipa-ca-install", line 273, in install
>                 install_replica(safe_options, options)
>               File "/sbin/ipa-ca-install", line 210, in install_replica
>                 ca.install(True, config, options, custodia=custodia)
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 270, in install
>                 install_step_0(standalone, replica_config, options, custodia=custodia)
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
>                 pki_config_override=options.pki_config_override,
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 501, in configure_instance
>                 self.start_creation(runtime=runtime)
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>                 run_step(full_msg, method)
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>                 method()
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>                 nolog_list=nolog_list
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>                 self.handle_setup_error(e)
>               File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>                 ) from None
> 
>             2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
> 
>             Is the installation failing because the:
>             INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>             WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>             Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
> 
>             ??  how do I pass a "Y" to this script?
> 
> 
>         Not really easy to read the logs as I'm lacking the context, but
>         it looks like the CA fails to communicate with the LDAP server.
>         Did you install the first server with an externally signed LDAP
>         server certificate? If that's the case, you are probably just
>         missing the external CA cert.
>         Use ipa-cacert-manage install -t CT,C,C extca.pem on one of the
>         servers if not already done, then execute ipa-certupdate on all
>         the hosts enrolled in the domain (all servers and clients,
>         including the server where you run ipa-cacert-manage).
> 
>         flo
> 
>             //omar
>             --
>             _______________________________________________
>             FreeIPA-users mailing list -- [email protected]
>             To unsubscribe send an email to [email protected]
>             Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>             List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>             List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>             Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> 
> 
> 
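Rob's point above is that the ipa-ca-install output alone rarely says why the CA spawn failed and has to be read together with the pki log. As an added triage helper (not code from the thread or from FreeIPA/Dogtag), this script pulls the three facts that matter out of the quoted pki output: the untrusted issuer DN, the NSS error code (-12276, "requested domain name does not match"), and the host in the -U URL the pki CLI was pointed at, and maps them to the fixes discussed in the thread (install the chain once with ipa-cacert-manage, then ipa-certupdate on every host; make sure the master is reached by a name its certificate actually covers). The embedded sample log is constructed from lines quoted above; the issue names and recommendation wording are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the TLS-relevant lines quoted in this thread, unwrapped.
SAMPLE_LOG = """\
INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request']' returned non-zero exit status 255.
"""

CN_RE = re.compile(r"CN=([^,']+)")                        # first RDN of the server cert subject
UNTRUSTED_RE = re.compile(r"UNTRUSTED ISSUER .* non-trusted CA cert '([^']+)'")
NSS_RE = re.compile(r"\((-\d+)\) Unable to communicate")   # NSS/JSS error code, e.g. -12276
MASTER_URL_RE = re.compile(r"'-U', '([^']+)'")            # URL the pki CLI was told to contact


def triage(log_text):
    """Extract cert CN, untrusted issuer, NSS codes and master host; name the failure modes."""
    f = {"server_cn": None, "untrusted_ca": None, "nss_errors": set(),
         "master_host": None, "issues": []}
    for line in log_text.splitlines():
        if line.startswith("INFO: Server certificate:"):
            m = CN_RE.search(line)
            f["server_cn"] = m.group(1) if m else None
        if m := UNTRUSTED_RE.search(line):
            f["untrusted_ca"] = m.group(1)
        f["nss_errors"].update(NSS_RE.findall(line))
        if m := MASTER_URL_RE.search(line):
            f["master_host"] = urlparse(m.group(1)).hostname
    if f["untrusted_ca"]:
        f["issues"].append("untrusted_issuer")
    # -12276 is the "domain name does not match" error in the log; also flag a plain CN/-U host difference.
    name_differs = (f["server_cn"] and f["master_host"]
                    and f["server_cn"].lower() != f["master_host"].lower())
    if "-12276" in f["nss_errors"] or name_differs:
        f["issues"].append("hostname_mismatch")
    return f


def recommend(findings):
    """Map each issue to the remediation described in the thread."""
    steps = []
    if "untrusted_issuer" in findings["issues"]:
        steps.append(f"Import the chain for '{findings['untrusted_ca']}' on one server with "
                     "'ipa-cacert-manage install -t CT,C,C <chain.pem>', then run 'ipa-certupdate' on every host.")
    if "hostname_mismatch" in findings["issues"]:
        steps.append(f"Master is contacted as '{findings['master_host']}' but presents a certificate for "
                     f"'{findings['server_cn']}'; the requested name must be covered by the certificate (CN or SAN).")
    return steps
```

Run it against a real pki-ca-spawn log with `triage(open(path).read())`; an empty `issues` list means the TLS checks passed and the failure lies elsewhere in the spawn.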
