Hi Korey,

I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12 probably doesn't contain the trust flags for some certificates.
You can check by running
pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
and seeing whether the output displays "Trust Flags: xxx" for all the certs.

Flo.

[1] https://fedorahosted.org/pki/ticket/2255

On 09/21/2016 05:38 PM, Korey Chapman wrote:
On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <tkri...@redhat.com> wrote:
On 09/21/2016 02:13 AM, Korey Chapman wrote:

Hello list,

I'm currently attempting to add a second CA server to our IPA cluster (all
servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter how I
try to setup the CA (ipa-replica-install with --setup-ca or
ipa-replica-install followed by ipa-ca-install). The only useful thing in
the logs is an error about a missing key for "trust_flags" in the pki setup.
Our infrastructure uses FreeIPA with an external CA.

Any ideas/help would be greatly appreciated. Here are the logs snips from my
most recent attempt:

Command output snip from "ipa-replica-install /root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed


Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'
2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160920234227.log
Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2016-09-20T23:42:31Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/bin/pki", line 254, in <module>
    cli.execute(sys.argv)
  File "/bin/pki", line 240, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in execute
    trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


--
Korey


Hi Korey,

Could you check if there is any more info in the /var/log/pki/pki-ca-spawn log?

I see nothing really useful in the spawn log:
2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/ca.p12', '--pkcs12-password-file', '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero exit status 1
2016-09-20 23:42:31 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 104, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)


It might also be helpful to verify whether the correct trust flags are set in the nssdb:
certutil -d /etc/pki/pki-tomcat/alias/ -L


Run on the source ipa server (current CA server):
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                     CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u


Run on the destination ipa server:
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Finally, can you check that LDAPS is running on port 636 on the replica
where you're trying to install the CA (i.e. by nmap localhost)?

Run on the new replica:
$ nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
389/tcp open  ldap
636/tcp open  ldapssl


--
Tomas Krizek
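As an added example, not part of this thread and not code from FreeIPA or Dogtag: a small Python 3 script that automates both checks suggested in the thread, Flo's pass over /tmp/ca.p12 with pki pkcs12-cert-find (every entry should show a "Trust Flags" line, or pkcs12-import dies with the KeyError seen above) and Tomas's comparison of the certutil -L trust attributes between the source server and the replica. The sample outputs embedded in it are constructed; the field layout of pkcs12-cert-find output, its acceptance of the --pkcs12-password-file flag (the flag pkispawn's own pkcs12-import call uses in the spawn log) and the "EXAMPLE" nickname for the external CA are assumptions.

```python
"""Added example (not from the thread, FreeIPA or Dogtag): find PKCS#12 entries
without trust flags and NSS DB CA certs whose trust does not match a working CA.
All sample outputs are constructed; their field layout is assumed."""
import re
import subprocess
import sys

# Constructed sample shaped like `pki pkcs12-cert-find` output (layout assumed).
# subsystemCert has no "Trust Flags" line: the condition Dogtag ticket #2255 describes.
SAMPLE_PKCS12_FIND = """\
-----------------
3 entries found
-----------------
  Nickname: caSigningCert cert-pki-ca
  Trust Flags: CTu,Cu,Cu

  Nickname: subsystemCert cert-pki-ca
  Has Key: true

  Nickname: EXAMPLE Certificate Authority
  Trust Flags: CT,c,
"""

# Constructed sample shaped like the `certutil -d <alias dir> -L` listing in the thread.
SAMPLE_CERTUTIL_LIST = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE Certificate Authority                                CT,c,
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
"""

# Trust the CA certs must carry, copied from the source server's listing in the thread
# (external root nickname adapted to the sample; an assumption for your own CA).
EXPECTED_TRUST = {
    'EXAMPLE Certificate Authority': ('CT', 'c', ''),
    'caSigningCert cert-pki-ca': ('CTu', 'Cu', 'Cu'),
}

FIELD_RE = re.compile(r'^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$')
TRUST_RE = re.compile(r'^(.*?)\s{2,}([CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*)\s*$')


def parse_pkcs12_cert_find(text):
    """Turn the blank-line-separated 'Field: value' blocks into one dict per cert."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)          # rulers and "N entries found" do not match
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def certs_missing_trust_flags(entries):
    """Nicknames whose entry has no 'Trust Flags' field (these break pkcs12-import)."""
    return [e.get('Nickname', '?') for e in entries if 'Trust Flags' not in e]


def parse_certutil_list(text):
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings from `certutil -L` output."""
    trust = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)          # header lines carry no flag triple, so skip
        if m:
            trust[m.group(1).strip()] = tuple(m.group(2).split(','))
    return trust


def check_trust(actual, expected=EXPECTED_TRUST):
    """List CA certs absent from the NSS DB or missing a required trust letter."""
    problems = []
    for nick, want in expected.items():
        have = actual.get(nick)
        if have is None:
            problems.append((nick, 'missing from NSS DB'))
            continue
        for col, (w, h) in enumerate(zip(want, have)):
            if not set(w) <= set(h):      # every required letter must be present
                problems.append((nick, 'column %d has %r, want %r' % (col, h, w)))
    return problems


def run_pkcs12_cert_find(p12_path, password_file):
    """Run the real CLI; the password-file flag is assumed to match pkcs12-import's."""
    out = subprocess.run(['pki', 'pkcs12-cert-find', '--pkcs12-file', p12_path,
                          '--pkcs12-password-file', password_file],
                         check=True, capture_output=True, text=True).stdout
    return parse_pkcs12_cert_find(out)


if __name__ == '__main__':
    if len(sys.argv) == 3:                # check.py /tmp/ca.p12 /path/to/password.txt
        entries = run_pkcs12_cert_find(sys.argv[1], sys.argv[2])
    else:                                 # offline: use the constructed samples
        entries = parse_pkcs12_cert_find(SAMPLE_PKCS12_FIND)
    print('certs without trust flags:', certs_missing_trust_flags(entries))
    print('NSS DB trust problems:', check_trust(parse_certutil_list(SAMPLE_CERTUTIL_LIST)))
```

With no arguments it runs against the embedded samples and reports subsystemCert as the entry without trust flags; with a bundle path and a password file it runs the real CLI. The password goes in a file rather than on the command line so it does not show up in ps output or shell history, which is also why pkispawn's own pkcs12-import call in the spawn log uses --pkcs12-password-file. To compare the replica's NSS DB, feed the output of certutil -d /etc/pki/pki-tomcat/alias/ -L on that host to parse_certutil_list and then to check_trust; an empty listing, as on Korey's destination server, reports both CA certs as missing.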




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
