Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
> Anyone faced this issue during replica installation?
>
> I have a third-party SSL certificate installed on the master server.
>
> *IPA Version:*
>
> [root@dir02-mex ~]# ipa --version
> *VERSION: 4.10.2, API_VERSION: 2.252*
>
> *Certificate Expiry:*
>
> [root@dir02-mex ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | egrep -i 'befor|after'
> *    Not Before: Mon Apr 01 09:41:49 2024*
> *    Not After : Sun Mar 22 09:41:49 2026*

The time reported by certutil is in UTC. The time in the error is reported in local time, CST.

Central Standard Time? The US has been in DST for a few weeks. In CDT the cert would have been issued at 04:41:49 and with a 5hr offset to UTC would be 09:41:49 so valid.

So I'd check your system clock and timezone.

rob

>   [1/4]: Generating ipa-custodia config file
>   [2/4]: Generating ipa-custodia keys
>   [3/4]: starting ipa-custodia
>   [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>   [1/30]: creating certificate server db
>   [2/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 12 seconds elapsed
> Update succeeded
>
>   [3/30]: creating ACIs for admin
>   [4/30]: creating installation admin user
>   [5/30]: configuring certificate server instance
> Failed to configure CA instance
> See the installation logs and the following files/directories for more information:
>   /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> *Cat /var/log/ipareplica-install.log:*
>
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET / HTTP/1.1" 302 0
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki HTTP/1.1" 302 None
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki/ HTTP/1.1" 200 3500
> INFO: PKI server started
> INFO: Waiting for CA subsystem
> DEBUG: Starting new HTTPS connection (1): dir02-mexommx.ipa.com:8443
> DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784
>
> 2024-04-01T09:41:34Z CRITICAL Failed to configure CA instance
> 2024-04-01T09:41:34Z CRITICAL See the installation logs and the following files/directories for more information:
> 2024-04-01T09:41:34Z CRITICAL   /var/log/pki/pki-tomcat
> 2024-04-01T09:41:34Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
>     DogtagInstance.spawn_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
>     raise RuntimeError(
> RuntimeError: CA configuration failed.
>
> 2024-04-01T09:41:34Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2024-04-01T09:41:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> 2024-04-01T09:41:34Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
>     return cfgr.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
>     return self.execute()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
>     for rval in self._executor():
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
>     return next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
>     next(executor)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
>     return next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
>     for unused in self._installer(self.parent):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 599, in main
>     replica_install(self)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
>     func(installer)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1345, in install
>     ca.install(False, config, options, custodia=custodia)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 354, in install
>     install_step_0(standalone, replica_config, options, custodia=custodia)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 422, in install_step_0
>     ca.configure_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 506, in configure_instance
>     self.start_creation(runtime=runtime)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
>     DogtagInstance.spawn_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
>     raise RuntimeError(
>
> 2024-04-01T09:41:34Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
> 2024-04-01T09:41:34Z ERROR CA configuration failed.
> 2024-04-01T09:41:34Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> *Cat /var/log/pki/pki-tomcat/ca/debug.2024-04-01.log*
>
> 2024-04-01 03:41:32 [main] INFO: CMSEngine: Disabling CA subsystem
> 2024-04-01 03:41:32 [main] SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
>     at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1759)
>     at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
>     at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
>
> 2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
>     at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:844)
>     at com.netscape.cmscore.apps.CMSEngine.verifySystemCertByTag(CMSEngine.java:1895)
>     at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1823)
>     at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:211)
>     at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:818)
>     at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1722)
>     at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
>     at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
>     at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1223)
>     at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:43)
>     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:149)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:139)
>     at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:696)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690)
>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889)
>     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>     at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>     at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
>     at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:583)
>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
>     at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>     at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>     at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
>     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
>     at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
> Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Mon Apr 01 03:41:49 CST 2024
>     at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:302)
>     at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:494)
>     at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:466)
>     at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
>     ... 54 more
>
> 2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: Disabling subsystem due to selftest failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
>
> *cat /var/log/pki/pki-tomcat/ca/selftests.log:*
>
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence: CA is present
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
> 0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] CAPresence: CA is present
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
> 0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] CAPresence: CA is present
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
> 0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
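
Added example (not part of the thread and not FreeIPA or Dogtag code): a way to act on the advice to check the clock, by measuring how far each NotBefore reported in selftests.log lies ahead of the timestamp of the log line that reports it. It assumes NotBefore is printed in the same zone as the line's GMT offset; the function names and the classify() thresholds are hypothetical, and the sample lines are entries from the log quoted above, rejoined onto single lines.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Log-line stamp, e.g. [01/Apr/2024:03:41:32 GMT-06:00]
STAMP = re.compile(r"\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) "
                   r"GMT([+-])(\d{2}):(\d{2})\]")
# Reported validity start, e.g. NotBefore: Mon Apr 01 03:41:49 CST 2024
NOT_BEFORE = re.compile(r"Invalid certificate (.+?): NotBefore: \w{3} (\w{3}) "
                        r"(\d{2}) (\d{2}):(\d{2}):(\d{2}) \S+ (\d{4})")

# Constructed sample: selftests.log entries from the thread, one per line.
SAMPLE_LOG = """\
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
"""

def not_before_margins(log_text):
    """Return (nickname, logged_utc, not_before_utc, margin_seconds) per failure.

    Assumption: NotBefore is printed in the same zone as the log stamp, so the
    stamp's numeric offset is applied to both; the ambiguous "CST" is ignored.
    """
    results = []
    for line in log_text.splitlines():
        s, n = STAMP.search(line), NOT_BEFORE.search(line)
        if not (s and n):
            continue  # not a validity failure line
        day, mon, year, hh, mm, ss, sign, oh, om = s.groups()
        offset = timedelta(hours=int(oh), minutes=int(om))
        tz = timezone(-offset if sign == "-" else offset)
        logged = datetime(int(year), MONTHS[mon], int(day),
                          int(hh), int(mm), int(ss), tzinfo=tz)
        nick, nmon, nday, nhh, nmm, nss, nyear = n.groups()
        not_before = datetime(int(nyear), MONTHS[nmon], int(nday),
                              int(nhh), int(nmm), int(nss), tzinfo=tz)
        margin = int((not_before - logged).total_seconds())
        results.append((nick, logged.astimezone(timezone.utc),
                        not_before.astimezone(timezone.utc), margin))
    return results

def classify(margin_seconds):
    """Heuristic (assumption of this example): the gap size hints at what to check."""
    if margin_seconds <= 0:
        return "valid-at-log-time"
    if margin_seconds < 300:
        return "check-clock-sync"  # seconds to minutes: compare clocks on both hosts
    rem = margin_seconds % 1800
    near_half_hour = min(rem, 1800 - rem) < 300
    return "check-timezone" if near_half_hour else "check-system-date"

if __name__ == "__main__":
    for nick, logged, nb, margin in not_before_margins(SAMPLE_LOG):
        print(f"{nick}: logged {logged:%Y-%m-%d %H:%M:%S}Z, NotBefore "
              f"{nb:%Y-%m-%d %H:%M:%S}Z, {margin:+d}s -> {classify(margin)}")
```

For the 01 Apr entry the converted NotBefore is 09:41:49 UTC, the same value certutil printed, and the log line that rejects it is stamped 17 seconds earlier.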
