On 09/21/2016 02:13 AM, Korey Chapman wrote:
Hello list,

I'm currently attempting to add a second CA server to our IPA cluster (all servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter how I try to set up the CA (ipa-replica-install with --setup-ca or ipa-replica-install followed by ipa-ca-install). The only useful thing in the logs is an error about a missing key for "trust_flags" in the pki setup. Our infrastructure uses FreeIPA with an external CA.

Any ideas/help would be greatly appreciated. Here are the logs snips from my most recent attempt:

Command output snip from "ipa-replica-install /root/replica-info-auth-002.XXX.gpg --setup-ca":

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed

Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'
2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160920234227.log
Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

2016-09-20T23:42:31Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
Traceback (most recent call last):
  File "/bin/pki", line 254, in <module>
  File "/bin/pki", line 240, in execute
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in execute
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in execute
    trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


Hi Korey,

could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

It might also be helpful to verify if the correct trust flags are set in the nssdb: certutil -d /etc/pki/pki-tomcat/alias/ -L

Finally, can you check that LDAPS is running on port 636 on the replica where you're trying to install the CA (i.e. by nmap localhost)?

Tomas Krizek
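The three checks above, collected into one script you can drop on the failing replica. This is an added example for this page, not something from the thread or shipped by FreeIPA or Dogtag. It assumes the standard pki-tomcat nicknames (caSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, subsystemCert cert-pki-ca, auditSigningCert cert-pki-ca, Server-Cert cert-pki-ca), that IPA installs the CA signing certificate with trust flags CTu,Cu,Cu, and it uses ss rather than nmap for the port check; every function name is mine. The parsers read tool output on stdin so they can be tried on pasted certutil/ss output from a mail like this one without touching the real nssdb.

```sh
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): run the three checks
# suggested in the reply on a replica where ipa-ca-install / ipa-replica-install
# --setup-ca failed. Parsing is separated from the live commands so the parsers
# can be exercised on sample output. Assumptions: standard pki-tomcat nicknames,
# caSigningCert installed by IPA with trust flags CTu,Cu,Cu, and `ss` instead of
# nmap for the port check. All function names here are mine.

NSSDB=/etc/pki/pki-tomcat/alias
SPAWN_LOG_DIR=/var/log/pki

# Turn `certutil -d $NSSDB -L` output (stdin) into "nickname<TAB>trust-flags" lines.
# Nicknames may contain spaces, so the trust column is taken as the last field.
parse_certutil_list() {
  awk '
    NF == 0 { next }                                            # blank line after the header
    $NF == "Attributes" || $NF == "SSL,S/MIME,JAR/XPI" { next } # the two header lines
    {
      flags = $NF
      sub(/[ \t]+[^ \t]+[ \t]*$/, "")                           # drop the trust column, keep the nickname
      printf "%s\t%s\n", $0, flags
    }'
}

# Print the trust flags of one nickname from parse_certutil_list output (stdin); nothing if absent.
trust_flags_of() {
  awk -v nick="$1" 'BEGIN { FS = "\t" } $1 == nick { print $2; exit }'
}

# Read certutil -L output on stdin. Exit 0 when every expected pki-tomcat certificate is present
# with a non-empty trust column (certutil prints ",," for none) and the CA signing certificate
# carries C in its SSL field; otherwise report each problem and exit 1.
check_trust_flags() {
  parsed=$(parse_certutil_list)
  rc=0
  for nick in "caSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
              "subsystemCert cert-pki-ca" "auditSigningCert cert-pki-ca" \
              "Server-Cert cert-pki-ca"; do
    flags=$(printf '%s\n' "$parsed" | trust_flags_of "$nick")
    case "$flags" in
      "")   echo "MISSING  $nick"; rc=1 ;;
      ",,") echo "NOTRUST  $nick (empty trust flags)"; rc=1 ;;
      *)    echo "ok       $nick  $flags" ;;
    esac
  done
  ca=$(printf '%s\n' "$parsed" | trust_flags_of "caSigningCert cert-pki-ca")
  if [ -n "$ca" ] && [ "$ca" != ",," ]; then
    case "${ca%%,*}" in
      *C*) ;;
      *)   echo "BADTRUST caSigningCert cert-pki-ca has '$ca', expected CTu,Cu,Cu"; rc=1 ;;
    esac
  fi
  return $rc
}

# Read `ss -ltn` output on stdin; exit 0 if some socket listens on the given port (IPv4 or IPv6).
listening_on() {
  awk -v port="$1" '$4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# The live checks, in the order the reply suggests them.
run_checks() {
  status=0
  echo "== trust flags in $NSSDB"
  certutil -d "$NSSDB" -L | check_trust_flags || status=1
  echo "== LDAPS listener on 636"
  if ss -ltn | listening_on 636; then
    echo "ok       something listens on 636"
  else
    echo "NOLDAPS  nothing listens on 636"; status=1
  fi
  echo "== errors in the newest pkispawn log"
  latest=$(ls -t "$SPAWN_LOG_DIR"/pki-ca-spawn.*.log 2>/dev/null | head -n 1)
  if [ -n "$latest" ]; then
    echo "$latest"
    grep -n -i -E 'error|exception|traceback' "$latest" | tail -n 20
  else
    echo "no pki-ca-spawn log under $SPAWN_LOG_DIR"
  fi
  return $status
}

# Only run the live checks where the nssdb and certutil exist (i.e. on the replica itself);
# the parsers above can still be sourced and fed sample output anywhere.
if [ -d "$NSSDB" ] && command -v certutil >/dev/null 2>&1; then
  run_checks
fi
```

Run it as root on the replica where the CA install failed; the script exits non-zero if a certificate is missing or has no trust flags, if the CA signing certificate lacks the C flag, or if nothing listens on 636. A ",," trust column on any of the pki-tomcat certificates is the kind of state that would leave pkispawn without a trust_flags value to read.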

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project