Chris Evich wrote:
Hi,

I've got a FreeIPA setup at home I just built the other week on Fedora
16. It's a very small/basic setup I'm mainly using for secure
NFS+Kerberos and automount. Today, I updated everything and rebooted,
and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm
now running:

freeipa-python-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-admintools-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
freeipa-server-selinux-2.1.4-7.fc16.x86_64
dogtag-pki-common-theme-9.0.11-1.fc16.noarch
dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
pki-symkey-9.0.19-1.fc16.x86_64
pki-java-tools-9.0.19-1.fc16.noarch
pki-setup-9.0.19-1.fc16.noarch
pki-common-9.0.19-1.fc16.noarch
pki-silent-9.0.19-1.fc16.noarch
pki-util-9.0.19-1.fc16.noarch
pki-selinux-9.0.19-1.fc16.noarch
pki-ca-9.0.19-1.fc16.noarch

I went to try and set up a replica following the docs at
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html
and ran into a problem I can't figure out (after checking logs, list,
Google, and BZ searches):

[root@<master> log]# ipa-replica-prepare <replica fqdn>
Directory Manager (existing master) password:

Preparing replica for <replica fqdn> from <master fqdn>
Creating SSL certificate for the Directory Server
Certificate issuance failed

I just ran it again, with a tail on /var/log/pki-ca/debug and this is
what it spat out:

[04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri =
/ca/ee/ca/profileSubmitSSLClient
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='cert_request_type' value='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='cert_request'
value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='requestor_name' value='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='xmlOutput' value='true'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
name='profileId' value='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet:
caProfileSubmitSSLClient start to service.
[04/May/2012:14:44:09][http-9444-1]: xmlOutput true
[04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input
Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter cert_request_type='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter
cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n

...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter requestor_name='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter xmlOutput='true'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
Parameter profileId='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input
Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId
caIPAserviceCert
[04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04
14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11

Which also looks normal (to me). Though I've done nothing intentional
with anything certificate-related, again this is mainly a setup for
Kerberos. Where else can I look, or what can I run to get more clues why
ipa-replica-prepare is failing?

I think we'll need to get more info out of dogtag. If you edit /etc/ipa/default.conf and add debug=True, restart httpd, and re-run the replica-prepare, there should be more information on the failure in /var/log/httpd/error_log.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
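
One way to script the config step from the reply above, as an added example that is not part of the original thread or FreeIPA's own tooling. The helper name `set_ipa_debug` is hypothetical, and it assumes the setting belongs in the file's `[global]` section, as in a stock /etc/ipa/default.conf.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently set debug=True in the
# [global] section of an IPA config file.
# Assumption: the file has a [global] section header; if not, the helper
# fails and leaves the file untouched.
set_ipa_debug() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^\[/ {                          # any section header
            # Leaving [global] without having seen a debug line: add it.
            if (in_global && !done) { print "debug=True"; done = 1 }
            in_global = ($0 ~ /^\[global\]/)
        }
        in_global && /^[ \t]*debug[ \t]*=/ {
            # Replace an existing setting; drop duplicates in [global].
            if (!done) { print "debug=True"; done = 1 }
            next
        }
        { print }
        END {
            # [global] was the last section and had no debug line.
            if (in_global && !done) { print "debug=True"; done = 1 }
            exit(done ? 0 : 1)           # non-zero: no [global] section found
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner, mode and SELinux
    # context are kept (mv would replace them with the temp file's).
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Remaining steps from the reply, run as root on the master:
#   set_ipa_debug /etc/ipa/default.conf
#   systemctl restart httpd.service
#   ipa-replica-prepare <replica fqdn>
#   tail -n 200 /var/log/httpd/error_log
```

Settings in other sections are left alone, and running the helper twice does not add a second `debug=True` line.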
