Hi Korey,

I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12 probably doesn't contain the trust flags for some certificates.
You can check by running
pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
and seeing whether the output displays "Trust Flags: xxx" for all the certs.


[1] https://fedorahosted.org/pki/ticket/2255
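An added example (not from this thread or the pki project) of the check suggested above: it parses the text that `pki pkcs12-cert-find` prints and lists the certificates that carry no "Trust Flags" line, i.e. the ones that would trip the `KeyError: 'trust_flags'` seen in the traceback. The record layout and field names (`Certificate ID`, `Nickname`, `Trust Flags`, `Has Key`) are assumptions modelled on the "Trust Flags: xxx" wording in the reply; the sample output is constructed.

```python
import re

# Constructed sample output: two certs carry trust flags, one does not.
SAMPLE_OUTPUT = """\
3 entries found

  Certificate ID: 1a2b
  Nickname: caSigningCert cert-pki-ca
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 3c4d
  Nickname: ocspSigningCert cert-pki-ca
  Has Key: true

  Certificate ID: 5e6f
  Nickname: Server-Cert cert-pki-ca
  Trust Flags: u,u,u
  Has Key: true
"""

# "Field Name: value" lines; the field names are an assumption (see lead-in).
FIELD_RE = re.compile(r'^\s*([A-Za-z ]+?):\s*(.*)$')

def parse_cert_find(text):
    """Split the output into one dict per certificate, keyed by the lowercased
    field name with spaces replaced by underscores (e.g. 'trust_flags')."""
    certs = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None            # a blank line ends the current record
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                  # e.g. the "3 entries found" summary line
        key = m.group(1).strip().lower().replace(' ', '_')
        if key == 'certificate_id':   # first field of every record
            current = {}
            certs.append(current)
        if current is not None:
            current[key] = m.group(2).strip()
    return certs

def certs_missing_trust_flags(text):
    """Nicknames of certs without a trust_flags entry: these are the entries
    pkcs12-import cannot handle when it does cert_info['trust_flags']."""
    return [c.get('nickname', c.get('certificate_id', '?'))
            for c in parse_cert_find(text) if 'trust_flags' not in c]

if __name__ == '__main__':
    for nick in certs_missing_trust_flags(SAMPLE_OUTPUT):
        print('missing trust flags:', nick)
```

To run it against a real file, pipe the output of `pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password ...` into `certs_missing_trust_flags()`.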

On 09/21/2016 05:38 PM, Korey Chapman wrote:
On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <tkri...@redhat.com> wrote:
On 09/21/2016 02:13 AM, Korey Chapman wrote:

Hello list,

I'm currently attempting to add a second CA server to our IPA cluster (all
servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I
try to set up the CA (ipa-replica-install with --setup-ca or
ipa-replica-install followed by ipa-ca-install). The only useful thing in
the logs is an error about a missing key for "trust_flags" in the pki setup.
Our infrastructure uses FreeIPA with an external CA.

Any ideas/help would be greatly appreciated. Here are the log snippets from my
most recent attempt:

Command output snip from "ipa-replica-install
/root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration

Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file:
Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into

Installation failed.

2016-09-20T23:42:31Z DEBUG
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
Traceback (most recent call last):
  File "/bin/pki", line 254, in <module>
  File "/bin/pki", line 240, in execute
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
    trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


Could you check whether there is any more info in the /var/log/pki/pki-ca-spawn log?

Nothing really useful I see in the spawn log:
2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Type:
2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Message:
Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
'/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
'/tmp/ca.p12', '--pkcs12-password-file',
'/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
exit status 1
2016-09-20 23:42:31 pkispawn    : DEBUG    .......   File
"/usr/sbin/pkispawn", line 597, in main
    rv = scriptlet.spawn(deployer)
line 104, in spawn
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)

It might also be helpful to verify whether the correct trust flags are set in the NSS DB:
certutil -d /etc/pki/pki-tomcat/alias/ -L

Run on the source ipa server (current CA server):
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes

XXX Certificate Authority                                     CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Run on the destination ipa server:
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes

Finally, can you check that LDAPS is running on port 636 on the replica
where you're trying to install the CA (i.e. by nmap localhost)?

Run on the new replica:
$ nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
Nmap scan report for localhost (
Host is up (0.0000040s latency).
Other addresses for localhost (not scanned):
Not shown: 995 closed ports
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
389/tcp open  ldap
636/tcp open  ldapssl

Tomas Krizek