Jhon Torres wrote:
> Thanks!, I attached the file log

What does this command give you:

# pki securitydomain-show
WARNING: UNKNOWN_ISSUER encountered on 'CN=ipa.example.test,O=EXAMPLE.TEST' indicates an unknown CA cert 'CN=Certificate Authority,O=EXAMPLE.TEST'
Trust this certificate (y/N)? y
  Domain: IPA

  CA Subsystem:

    Host ID: CA ipa.example.test 443
    Hostname: ipa.example.test
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

  KRA Subsystem:

    Host ID: KRA ipa.example.test 443
    Hostname: ipa.example.test
    Port: 80
    Secure Port: 443
    Domain Manager: FALSE

It looks to me like no CA is registered within the securitydomain.

rob

>
> On Wed, 28 May 2025 at 12:40, Rob Crittenden (<rcrit...@redhat.com <mailto:rcrit...@redhat.com>>) wrote:
>
> > John Tor via FreeIPA-users wrote:
> > > Hi,
> > >
> > > I had tried many times to install free-ipa-replica, but I always have the same error at this step:
> > >
> > > DEBUG: NSSDatabase.get_cert(Server-Cert cert-pki-ca) begins
> > > DEBUG: Command: certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -f /tmp/tmpxotjk756/password.txt -n Server-Cert cert-pki-ca -a
> > > DEBUG: stdout: -1
> > > DEBUG: NSSDatabase: stderr:
> > > certutil: Could not find cert: Server-Cert cert-pki-ca
> > > : PR_FILE_NOT_FOUND_ERROR: File not found
> > >
> > > DEBUG: Cert not found: Server-Cert cert-pki-ca
> >
> > ^^ is fine and not causing any issues.
> >
> > > INFO: Updating /var/lib/pki/pki-tomcat/conf/serverCertNick.conf
> > > INFO: Updating serverCertNickFile in server.xml
> > > INFO: Joining security domain at https://master.example.com:443
> > > ERROR: KeyError: 'CA'
> >
> > For ^^ we'd need to see the full /var/log/ipareplica-install.log to try to determine what is going on.
> >
> > rob
> >
> > >   File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 594, in main
> > >     deployer.spawn()
> > >   File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 5986, in spawn
> > >     scriptlet.spawn(self)
> > >   File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 76, in spawn
> > >     deployer.setup_security_domain(subsystem)
> > >   File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2854, in setup_security_domain
> > >     self.join_security_domain()
> > >   File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2795, in join_security_domain
> > >     sd_subsystem = self.domain_info.subsystems['CA']
> > >
> > >
> > > Failed to configure CA instance
> > > See the installation logs and the following files/directories for more information:
> > > /var/log/pki/pki-tomcat
> > > Traceback (most recent call last):
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 688, in start_creation
> > >     run_step(full_msg, method)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 674, in run_step
> > >     method()
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 685, in __spawn_instance
> > >     DogtagInstance.spawn_instance(
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
> > >     self.handle_setup_error(e)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 643, in handle_setup_error
> > >     raise RuntimeError(
> > > RuntimeError: CA configuration failed.
> > >
> > > [error] RuntimeError: CA configuration failed.
> > > [error] RuntimeError: CA configuration failed.
> > > Removing /root/.dogtag/pki-tomcat/ca
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > >   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in execute
> > >     return_value = self.run()
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 343, in run
> > >     return cfgr.run()
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
> > >     return self.execute()
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
> > >     for rval in self._executor():
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
> > >     exc_handler(exc_info)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
> > >     self._handle_exception(exc_info)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> > >     raise value
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
> > >     step()
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
> > >     return next(self.__gen)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> > >     raise value
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > >     value = gen.send(prev_value)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
> > >     next(executor)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
> > >     exc_handler(exc_info)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
> > >     self._handle_exception(exc_info)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
> > >     self.__parent._handle_exception(exc_info)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> > >     raise value
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
> > >     super(ComponentBase, self)._handle_exception(exc_info)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> > >     raise value
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
> > >     step()
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
> > >     return next(self.__gen)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> > >     raise value
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > >     value = gen.send(prev_value)
> > >   File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
> > >     for unused in self._installer(self.parent):
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 687, in main
> > >     replica_install(self)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 387, in decorated
> > >     func(installer)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1446, in install
> > >     ca.install(False, config, options, custodia=custodia)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 546, in install
> > >     install_step_0(standalone, replica_config, options, custodia=custodia)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 621, in install_step_0
> > >     ca.configure_instance(
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 522, in configure_instance
> > >     self.start_creation(runtime=runtime)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 688, in start_creation
> > >     run_step(full_msg, method)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 674, in run_step
> > >     method()
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 685, in __spawn_instance
> > >     DogtagInstance.spawn_instance(
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
> > >     self.handle_setup_error(e)
> > >   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 643, in handle_setup_error
> > >     raise RuntimeError(
> > >
> > > The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
> > > CA configuration failed.
> > > The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> > >
> > > I am stuck in a loop, I tried with a new server but it didn't work. I am using AlmaLinux 9.6 fully updated and the command I used was:
> > >
> > > ipa-replica-install --setup-dns --forwarder 1.1.1.1 --setup-ca --verbose
> > >
> > > The command ipa-client-install worked perfectly.
> > >
> > > certutil -L -d sql:/var/lib/pki/pki-tomcat/conf/alias
> > >
> > > Certificate Nickname                                         Trust Attributes
> > >                                                              SSL,S/MIME,JAR/XPI
> > >
> > > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> > > ocspSigningCert cert-pki-ca                                  u,u,u
> > > auditSigningCert cert-pki-ca                                 u,u,u
> > > subsystemCert cert-pki-ca                                    u,u,u
> > >
> > > I don't know what else to do :/
> > >
> > > Regards
>
> --
> Jhon Albert Torres H.
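
The check suggested in the reply at the top of this message, as an added example (not part of the original thread and not FreeIPA or Dogtag code): it parses the text printed by `pki securitydomain-show` and reports required subsystem types that have no registered host, which is the state in which `self.domain_info.subsystems['CA']` raises `KeyError: 'CA'`. The function names are hypothetical, both samples are constructed, and the `NO_CA` layout is an assumption.

```python
import re

# Constructed sample in the layout of the command output quoted above.
HEALTHY = """\
  Domain: IPA

  CA Subsystem:
    Host ID: CA ipa.example.test 443
    Hostname: ipa.example.test
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

  KRA Subsystem:
    Host ID: KRA ipa.example.test 443
    Hostname: ipa.example.test
    Port: 80
    Secure Port: 443
    Domain Manager: FALSE
"""
# Constructed: same output with the CA section cut out (assumed layout).
NO_CA = HEALTHY[:HEALTHY.index("  CA ")] + HEALTHY[HEALTHY.index("  KRA "):]

def parse_security_domain(text):
    """Return (domain name, {subsystem type: [host records]})."""
    name, subsystems, hosts, host = None, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"(\w+) Subsystem:", line)
        if header:
            hosts, host = subsystems.setdefault(header.group(1), []), None
            continue
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue  # blank lines, the "Trust this certificate" prompt
        if key == "Domain":
            name = value
        elif hosts is not None:
            if key == "Host ID":  # each host record starts with its ID
                host = {}
                hosts.append(host)
            if host is not None:
                host[key] = value
    return name, subsystems

def missing_subsystems(text, required=("CA",)):
    """Required subsystem types that have no host in the security domain."""
    _, subsystems = parse_security_domain(text)
    return [kind for kind in required if not subsystems.get(kind)]
```

Running `missing_subsystems()` on output captured from the existing server before `ipa-replica-install --setup-ca` shows whether the replica has a CA entry to join.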