Rob & Flo, How can I send you some of the install, debug, and spawn logs?
On Mon, Mar 18, 2024 at 2:27 PM Omar <[email protected]> wrote:
> Sorry for the late reply. I'm sure the CA Certs are the correct ones. I
> will attempt to do the replicas again and this time I'll trace the logs to
> make sure I catch the errors and update the ticket.
>
> When I say "hang" I mean that it takes forever to come back from step 5
> ([5/28]: configuring certificate server instance) and then if I hit "enter"
> it will just drop to an error.
>
> I'll post the error when I see it again. Thanks
>
> On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden <[email protected]> wrote:
>> Omar via FreeIPA-users wrote:
>>> Here is some more info:
>>>
>>> WARNING: The CA service is only installed on one server (<master hostname here>).
>>> It is strongly recommended to install it on another server.
>>> Run ipa-ca-install(1) on another master to accomplish this.
>>>
>>> The ipa-replica-install command was successful
>>>
>>> That was from the replica install, here is me installing the ca-cert on
>>> the replica:
>>>
>>> $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
>>> Installing CA certificate, please wait
>>> Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
>>> Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
>>> CA certificate successfully installed
>>> The ipa-cacert-manage command was successful
>>
>> What I don't understand is why you didn't have to install this chain in
>> order to install the servers at all. Are you sure this is the right chain?
>>
>> This data is replicated so it doesn't matter which server it is added on.
>>
>>> and the cacert update:
>>>
>>> $ ipa-certupdate
>>> Systemwide CA database updated.
>>> Systemwide CA database updated.
>>> The ipa-certupdate command was successful
>>
>> This has to be run everywhere after updating a chain.
>>>
>>> but when I try to run ipa-ca-install, it fails and it hangs here:
>>>
>>> $ ipa-ca-install
>>> Directory Manager (existing master) password:
>>>
>>> Run connection check to master
>>> Connection check OK
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>>>   [1/28]: creating certificate server db
>>>   [2/28]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 21 seconds elapsed
>>> Update succeeded
>>>
>>>   [3/28]: creating ACIs for admin
>>>   [4/28]: creating installation admin user
>>>   [5/28]: configuring certificate server instance
>>>
>>> Thoughts?
>>
>> IPA treats PKI as a black box. Occasionally it will spit out an error
>> that is useful in the install log but usually you have to pair it with
>> the pki-ca-spawn log and sometimes also the ca debug log to determine
>> what is going on.
>>
>> It also depends on the definition of fail and hang. You can monitor the
>> pki-ca-spawn log for activity, for example, during installation.
>>
>> rob
>>
>>> On Fri, Mar 15, 2024 at 12:12 PM Omar <[email protected]> wrote:
>>>
>>>> for the context:
>>>> I fixed my master IPA server, with all new and valid certs (server &
>>>> CA chain). I installed two replicas, both installed successfully,
>>>> but when I try to run the ipa-ca-install they both fail. Thoughts?
>>>>
>>>> On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <[email protected]> wrote:
>>>>>
>>>>>> Found this in the logs:
>>>>>>
>>>>>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>>>>>> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>>>>>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>>>>>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>>>>>>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>>>>>>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>>>>>>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>>>>>>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>>>>>         at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>>>>>>         at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>>>>>>         at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>>>>>>         at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>>>>>>         at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>>>>>>         at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>>>>>>         at com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>>>>>>         at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>>>>>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>>>>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>>>>>         at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>>>>>>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>>>>>         at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>>>>>>         at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>>>>>> Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>>>>>>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>>>>>>         at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>>>>>>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>>>>>>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>>>>>>         at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>>>>>>         at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>>>>>>         at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>>>>>>         at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>>>>>>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>>>>>>         at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>>>>>>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>>>>>>         at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>>>>>>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>>>>>>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>>>>>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>>>>>>         ... 17 more
>>>>>> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>>>>>>         at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>>>>>>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>>>>>>         ... 31 more
>>>>>> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', '--debug']' returned non-zero exit status 255.
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
>>>>>>     scriptlet.spawn(deployer)
>>>>>>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 586, in spawn
>>>>>>     subsystem.request_ranges(master_url, session_id=deployer.install_token.token)
>>>>>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1119, in request_ranges
>>>>>>     master_url, 'request', session_id=session_id, install_token=install_token)
>>>>>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1107, in request_range
>>>>>>     output = subprocess.check_output(cmd)
>>>>>>   File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
>>>>>>     **kwargs).stdout
>>>>>>   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>>>>>>     output=stdout, stderr=stderr)
>>>>>>
>>>>>> 2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
>>>>>> 2024-03-14T00:38:53Z CRITICAL See the installation logs and the following files/directories for more information:
>>>>>> 2024-03-14T00:38:53Z CRITICAL /var/log/pki/pki-tomcat
>>>>>> 2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>>>>>     method()
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>>>>>>     nolog_list=nolog_list
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>>>>>>     self.handle_setup_error(e)
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>>>>>>     ) from None
>>>>>> RuntimeError: CA configuration failed.
>>>>>>
>>>>>> 2024-03-14T00:38:53Z DEBUG [error] RuntimeError: CA configuration failed.
>>>>>> 2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>>>>>> 2024-03-14T00:38:53Z DEBUG File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 781, in run_script
>>>>>>     return_value = main_function()
>>>>>>
>>>>>>   File "/sbin/ipa-ca-install", line 307, in main
>>>>>>     install(safe_options, options)
>>>>>>
>>>>>>   File "/sbin/ipa-ca-install", line 273, in install
>>>>>>     install_replica(safe_options, options)
>>>>>>
>>>>>>   File "/sbin/ipa-ca-install", line 210, in install_replica
>>>>>>     ca.install(True, config, options, custodia=custodia)
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 270, in install
>>>>>>     install_step_0(standalone, replica_config, options, custodia=custodia)
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
>>>>>>     pki_config_override=options.pki_config_override,
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 501, in configure_instance
>>>>>>     self.start_creation(runtime=runtime)
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>>>>>     method()
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>>>>>>     nolog_list=nolog_list
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>>>>>>     self.handle_setup_error(e)
>>>>>>
>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>>>>>>     ) from None
>>>>>>
>>>>>> 2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
>>>>>>
>>>>>> Is the installation failing because the:
>>>>>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>>>>>> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>>>>>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>>>>>>
>>>>>> ?? how do I pass a "Y" to this script?
>>>>>
>>>>> Not really easy to read the logs as I'm lacking the context, but
>>>>> it looks like the CA fails to communicate with the LDAP server.
>>>>> Did you install the first server with an externally signed LDAP
>>>>> server certificate? If that's the case, you are probably just
>>>>> missing the external CA cert.
>>>>> Use "ipa-cacert-manage install -t CT,C,C extca.pem" on one of the
>>>>> servers if not already done, then execute ipa-certupdate on all
>>>>> the hosts enrolled in the domain (all servers and clients,
>>>>> including the server where you run ipa-cacert-manage).
>>>>>
>>>>> flo
>>>>>
>>>>>> //omar
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
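As an added example (not code from this thread, FreeIPA or Dogtag), a small Python triage helper for the pkispawn output posted above: it pulls out the server certificate subject, the issuer flagged as UNTRUSTED ISSUER, and the host in the failing `pki -U` URL, then separates the two TLS failures the log contains: the untrusted external issuer that Flo's reply addresses (fixed with ipa-cacert-manage plus ipa-certupdate) and NSS/JSS error -12276, a mismatch between the requested host name and the certificate. The sample log is the thread's own excerpt reflowed onto single lines, and the CN-versus-host comparison is a heuristic the thread itself does not perform.

```python
"""Triage a failed ipa-ca-install TLS step from pkispawn/pki output (added example, not FreeIPA or Dogtag code)."""
import re
from urllib.parse import urlparse

# Sample input: lines quoted earlier in this thread, reflowed onto one line each.
SAMPLE_LOG = """\
INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request']' returned non-zero exit status 255.
"""

SUBJECT_RE = re.compile(r"^INFO: Server certificate: (?P<dn>.+)$", re.M)
UNTRUSTED_RE = re.compile(r"indicates a non-trusted CA cert '(?P<issuer>[^']+)'")
URL_RE = re.compile(r"'-U', '(?P<url>https?://[^']+)'")
# NSS/JSS -12276 is SSL_ERROR_BAD_CERT_DOMAIN: the name connected to is not on the cert.
BAD_DOMAIN_RE = re.compile(r"\(-12276\)|requested domain name does not match")


def rdn_values(dn: str, attr: str) -> list:
    """Values of one attribute (e.g. CN) in an RFC 4514 DN; splits only on unescaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    prefix = attr.upper() + "="
    return [p.split("=", 1)[1].strip() for p in parts if p.strip().upper().startswith(prefix)]


def triage(log: str) -> dict:
    """Extract certificate facts from the log and name the TLS failure(s) they show."""
    r = {"subject_cn": None, "untrusted_issuer": None, "requested_host": None,
         "untrusted_chain": False, "hostname_mismatch": False, "actions": []}
    if m := SUBJECT_RE.search(log):
        cns = rdn_values(m.group("dn"), "CN")
        r["subject_cn"] = cns[0] if cns else None
    if m := URL_RE.search(log):
        r["requested_host"] = urlparse(m.group("url")).hostname
    if m := UNTRUSTED_RE.search(log):
        # Issuer of the server cert is not in IPA's trust store: the fix given in the thread.
        r["untrusted_chain"] = True
        r["untrusted_issuer"] = m.group("issuer")
        r["actions"].append("ipa-cacert-manage install -t CT,C,C <external-chain.pem> on one "
                            "server, then ipa-certupdate on every server and client")
    # Only the subject DN is logged, not the SANs, so CN != host is a hint; -12276 is authoritative.
    cn, host = r["subject_cn"], r["requested_host"]
    if BAD_DOMAIN_RE.search(log) or (cn and host and cn.lower() != host.lower()):
        r["hostname_mismatch"] = True
        r["actions"].append(f"server certificate (CN={cn}) does not cover requested host {host}; "
                            "check its SAN list against the -U URL")
    return r
```

Running `triage(SAMPLE_LOG)` reports both conditions for the posted excerpt, so installing the chain alone would not be expected to clear the -12276 error.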
