On 09/21/2016 02:13 AM, Korey Chapman wrote:
Hello list,
I'm currently attempting to add a second CA server to our IPA cluster
(all servers Centos 7.2 with IPA 4.2.0). However, it is failing no
matter how I try to set up the CA (ipa-replica-install with --setup-ca
or ipa-replica-install followed by ipa-ca-install). The only useful
thing in the logs is an error about a missing key for "trust_flags" in
the pki setup. Our infrastructure uses FreeIPA with an external CA.
Any ideas/help would be greatly appreciated. Here are the log snips
from my most recent attempt:
Command output snip from "ipa-replica-install
/root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3
minutes 30 seconds
[1/24]: creating certificate server user
[2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpYofMPt'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more
information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR CA
configuration failed
Log snip from ipareplica-install.log:
2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpYofMPt'
2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160920234227.log
Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-09-20T23:42:31Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
Traceback (most recent call last):
File "/bin/pki", line 254, in <module>
cli.execute(sys.argv)
File "/bin/pki", line 240, in execute
module.execute(module_args)
File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line
195, in execute
module.execute(module_args)
File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222,
in execute
trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'
--
Korey
Hi Korey,
could you check if there is any more info in /var/log/pki/pki-ca-spawn log?
It might also be helpful to verify if correct trust flags are set in nssdb:
certutil -d /etc/pki/pki-tomcat/alias/ -L
Finally, can you check that LDAPS is running on port 636 on the replica
where you're trying to install the CA (i.e. by nmap localhost)?
--
Tomas Krizek
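The trust-flag check Tomas suggests can be scripted so the same comparison is repeatable across replicas. The following is an added example, not code from the thread, FreeIPA or Dogtag: it parses the output of `certutil -d <nssdb> -L` and compares each CA certificate's trust attributes against the layout that is typical for an IPA-managed pki-tomcat NSS database (the nicknames and expected flags in EXPECTED_FLAGS are an assumption about a default install, not something the thread states). The sample listing is constructed so the script runs offline; on a real replica, pass the output of the certutil command Tomas quotes instead.

```python
import re
import shutil
import subprocess

# Constructed sample of `certutil -d /etc/pki/pki-tomcat/alias/ -L` output.
# The last entry deliberately has empty trust attributes (",,") so the
# check has something to report.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    ,,
"""

# Assumed typical trust flags for the certificates pki-tomcat keeps in its
# NSS database on an IPA CA replica (SSL,S/MIME,JAR/XPI columns).
EXPECTED_FLAGS = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
}

# A certutil listing line is "<nickname>   <flags,flags,flags>"; the nickname
# may contain single spaces, so require two or more spaces before the flags.
# Valid NSS trust letters are p, P, c, C, T, u and w; empty fields are allowed.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$"
)


def parse_certutil_list(text):
    """Map certificate nickname -> trust attribute string from `certutil -L` output."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TRUST_RE.match(line)
        if not m:
            # Header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") and blanks.
            continue
        entries[m.group("nick")] = m.group("flags")
    return entries


def check_trust_flags(entries, expected=EXPECTED_FLAGS):
    """Return a list of human-readable problems; an empty list means all good."""
    problems = []
    for nick, want in expected.items():
        got = entries.get(nick)
        if got is None:
            problems.append("%s: missing from database" % nick)
        elif got != want:
            problems.append("%s: trust flags %r (expected %r)" % (nick, got, want))
    return problems


def run_certutil(dbdir="/etc/pki/pki-tomcat/alias/"):
    """Run the real certutil listing when the tool is installed (root needed)."""
    if shutil.which("certutil") is None:
        raise RuntimeError("certutil not found; install nss-tools")
    return subprocess.check_output(
        ["certutil", "-d", dbdir, "-L"], universal_newlines=True
    )


if __name__ == "__main__":
    try:
        listing = run_certutil()
    except Exception as exc:  # no certutil or no database: fall back to the sample
        print("using constructed sample listing (%s)" % exc)
        listing = SAMPLE_CERTUTIL_OUTPUT
    for problem in check_trust_flags(parse_certutil_list(listing)) or ["all trust flags as expected"]:
        print(problem)
```

A nickname that shows up with empty or unexpected flags is worth comparing against the same listing on the existing CA server before going further, since an external CA deployment may legitimately carry a different set of nicknames than the assumed defaults above.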
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project