I need some information from you. Which versions of the PKI packages are you using on the CentOS 6.6 and 7.0 machines? Could you email me the PKI CA debug logs (/var/log/pki-ca/debug or /var/log/pki/pki-tomcat/ca/debug) from both machines?

There's a possibility it may be related to this ticket:


Endi S. Dewata

On 1/13/2015 7:59 PM, Jim Richard wrote:
Carefully following the instructions here:


I have split one of my CentOS 6.6 based replicas from the main cluster
of 4 IDM servers, fully disconnected it from current IDM infrastructure,
converted it to a master CA, double checked that I have no
dangling/tombstone entries pointing back to other cluster members,
ipa-replica-manage list and ipa-replica-manage list-ruv both show no
other masters, in short, made absolutely sure that this replica is now a

I then applied the schema updates via the python script per the above
referenced instructions, did “ipa-replica-prepare”, deployed a new
Centos 7 vm, yum install ipa-server there, scp’d over the replica file.

Next up, “ipa-replica-install --setup-ca”.

And that’s where the story ends…..

Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
   [1/19]: creating certificate server user
   [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

I tried the workaround mentioned here:


updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install

But no luck.

Anybody have a clue where I should look?

From pki-ca-spawn.20150114014019.log:
2015-01-14 01:40:32 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: Failed to obtain installation token from security

and in /var/log/pki/pki-tomcat/ca/server I have:

2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot
build CA chain. Error java.security.cert.CertificateException:
Certificate is not a PKCS #11 certificate
2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz
instance DirAclAuthz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value

more info that might help…….

[root@sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust


Server-Cert cert-pki-ca                                      CTu,Cu,Cu
Certificate Authority - PLACEIQ.NET

My CS.cfg is attached.

Maybe the fact that my new server is looking at the same DNS and can see
the SRV records for the current Centos 6.6/IDM 3.0 cluster is causing a
problem ??

Of course I have uninstalled and done this a zillion times:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat

I’m at a loss, no idea even where to look at this point.

Thanks in advance for any clues you can provide.

Jim Richard  | PlaceIQ
  Systems Administrator  |  jrich...@placeiq.com
<mailto:n...@placeiq.com>  | +1 (646) 338-8905
