On 25/05/16 20:27, Rob Crittenden wrote:
lejeczek wrote:
On 25/05/16 16:46, Rob Crittenden wrote:
lejeczek wrote:
On 25/05/16 14:19, Rob Crittenden wrote:
lejeczek wrote:
hi there,
I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca
the installer fails at:
[10/23]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
more from log:
2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
    chain = self.__get_ca_chain()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
    raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
what might be the problem?
It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up.
thanks Rob,
I opened 8080/tcp (it was closed) but I still get a failure, a different error though:
[2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
I noticed that /var/log/pki-ca-install.log does NOT exist, and the log file:
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : ERROR ....... server failed to restart
2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:
You need to look in those files/directories for more details. Dogtag doesn't return much on failures and we display what we have but all the real meat is in those logs.
can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 - why does the installer complain about it being used, and why do I have to change the port for the installer to start?
Because there is no easy way to determine what is using that port. If it is mod_ssl or some other web server instead then things go sideways pretty fast.
but will it all not break precisely because I have to change the port? I then take a glance and see https:/// only, and the installer does not take that port into account, so how will the whole IPA work if nss listens on a non-standard port?
I'm not sure I follow. The installer will (or should) change nss.conf to listen on 443. The default is 8443.

If you take a vanilla instance and install mod_ssl and mod_nss on it then Apache will listen on ports 443 and 8443. IPA requires mod_nss to listen on 443 so the install will fail. This is what we are trying to prevent. It isn't a mod_nss or mod_ssl issue but only one thing can listen on any given port.

The installer looks at things just enough to detect that something might be wrong and it blows up so it can be manually addressed because whatever we did automatically would be wrong and potentially catastrophic for somebody's use case.
rob
when it fails with:
[1/24]: creating certificate server user
[2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpNF7gTf'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
first - this: /var/log/pki-ca-install.log never gets created, might be a bug?
second is the install log:
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-26T15:07:25Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : ERROR ....... server failed to restart
2016-05-26T15:07:25Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpNF7gTf'' returned non-zero exit status 1
2016-05-26T15:07:25Z CRITICAL See the installation logs and the following files/directories for more information:
2016-05-26T15:07:25Z CRITICAL /var/log/pki-ca-install.log
2016-05-26T15:07:25Z CRITICAL /var/log/pki/pki-tomcat
third is: pki-ca-spawn.%%%.log
2016-05-26 16:06:24 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-05-26 16:06:24 pkispawn : DEBUG ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-05-26 16:06:24 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-LqkPbX -f /root/.dogtag/pki-tomcat/ca/password.conf'
2016-05-26 16:06:24 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2016-05-26 16:06:24 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2016-05-26 16:06:24 pkispawn : DEBUG ........... No connection - server may still be down
2016-05-26 16:06:24 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
...
...
Error: Not Found
2016-05-26 16:07:25 pkispawn : ERROR ....... server failed to restart
2016-05-26 16:07:25 pkispawn : DEBUG ....... Error Type: Exception
2016-05-26 16:07:25 pkispawn : DEBUG ....... Error Message: server failed to restart
2016-05-26 16:07:25 pkispawn : DEBUG .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 234, in spawn
    raise Exception("server failed to restart")
Is it the replica's own pki-tomcatd@pki-tomcat.service that fails? If so then this makes it all strange:
systemctl status -l pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-05-26 16:06:24 BST; 6min ago
  Process: 14276 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 14415 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─14415 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
May 26 16:06:33 work5 server[14415]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 2,589 ms
May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.coyote.AbstractProtocol start
May 26 16:06:33 work5 server[14415]: INFO: Starting ProtocolHandler ["http-bio-8080"]
May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.coyote.AbstractProtocol start
May 26 16:06:33 work5 server[14415]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
May 26 16:06:33 work5 server[14415]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
May 26 16:06:33 work5 server[14415]: PKIListener: Subsystem CA is running.
May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.catalina.startup.Catalina start
May 26 16:06:33 work5 server[14415]: INFO: Server startup in 6805 ms
I really cannot find anything blatantly obvious in those logs.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
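As an added pre-flight check (example code written for this page, not FreeIPA's or Dogtag's own), the script below covers the two things raised in the thread: whether the replica can reach the CA master's Dogtag port 8080, which the installer pulls the CA chain over and which surfaced here as "[Errno 111] Connection refused", and whether a second httpd config file claims port 443 alongside nss.conf, the mod_ssl-versus-mod_nss conflict Rob describes. The conf.d path, the file names checked and the placeholder CA host name are assumptions.

```python
# Added pre-flight check for the two failure modes in the thread; not FreeIPA code.
import errno
import os
import re
import socket
import sys

DOGTAG_CA_PORT = 8080                  # unsecured Dogtag port the installer fetches the CA chain over
HTTPD_CONF_DIR = "/etc/httpd/conf.d"   # assumed location of nss.conf / ssl.conf
_LISTEN = re.compile(r"^\s*Listen\s+(?:\S*?:)?(\d+)", re.IGNORECASE)

def listen_ports(conf_text):
    """Ports claimed by uncommented Listen directives in one httpd config file."""
    return [int(m.group(1)) for m in map(_LISTEN.match, conf_text.splitlines()) if m]

def https_listen_conflicts(conf_files):
    """conf_files maps file name -> contents.  Returns {port: [files]} for ports
    that make the installer bail: 443 held by anything other than nss.conf
    (mod_nss), or any port claimed by more than one file (mod_ssl next to mod_nss)."""
    claims = {}
    for name, text in conf_files.items():
        for port in listen_ports(text):
            claims.setdefault(port, []).append(name)
    return {p: f for p, f in claims.items()
            if (p == 443 and any(n != "nss.conf" for n in f)) or len(f) > 1}

def explain_connect_error(exc):
    """Turn the socket error the installer surfaces into an actionable hint."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: packets dropped, check firewalls between replica and CA master"
    if isinstance(exc, ConnectionRefusedError) or getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "refused (Errno 111): port blocked or pki-tomcatd not listening on the CA master"
    return "error: %s" % exc

def ca_port_reachable(ca_host, port=DOGTAG_CA_PORT, timeout=5.0):
    """TCP connect to the CA master's Dogtag port; returns (ok, hint)."""
    try:
        with socket.create_connection((ca_host, port), timeout=timeout):
            return True, "open"
    except OSError as exc:
        return False, explain_connect_error(exc)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ca-master.example.test"  # placeholder host
    print("%s:%d %s" % (host, DOGTAG_CA_PORT, ca_port_reachable(host)[1]))
    confs = {n: open(os.path.join(HTTPD_CONF_DIR, n)).read()
             for n in ("nss.conf", "ssl.conf") if os.path.exists(os.path.join(HTTPD_CONF_DIR, n))}
    for port, files in https_listen_conflicts(confs).items():
        print("port %d claimed by %s: only mod_nss may Listen 443" % (port, ", ".join(files)))
```

Run it on the replica before ipa-replica-install with the CA master's host name as the argument; a "refused" result with 8080/tcp open on the master points at pki-tomcatd itself, which is where the thread's second failure lives.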