On Thu, Sep 22, 2016 at 1:52 AM, Florence Blanc-Renaud <[email protected]> wrote:
> Hi Korey,
>
> I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12
> probably doesn't contain the trust flags for some certificates.
> You can check by running
> pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
> and see if the output displays "Trust Flags: xxx" for all the certs.
>
> Flo.
>
> [1] https://fedorahosted.org/pki/ticket/2255
>
>
> On 09/21/2016 05:38 PM, Korey Chapman wrote:
>>
>> On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek <[email protected]> wrote:
>>>
>>> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>>>
>>> Hello list,
>>>
>>> I'm currently attempting to add a second CA server to our IPA cluster (all
>>> servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I
>>> try to set up the CA (ipa-replica-install with --setup-ca or
>>> ipa-replica-install followed by ipa-ca-install). The only useful thing in
>>> the logs is an error about a missing key for "trust_flags" in the pki setup.
>>> Our infrastructure uses FreeIPA with an external CA.
>>>
>>> Any ideas/help would be greatly appreciated. Here are the log snips from my
>>> most recent attempt:
>>>
>>> Command output snip from "ipa-replica-install
>>> /root/replica-info-auth-002.XXX.gpg --setup-ca"
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
>>> seconds
>>>   [1/24]: creating certificate server user
>>>   [2/24]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
>>> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
>>> returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
>>> logs and the following files/directories for more information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki/pki-tomcat
>>> [error] RuntimeError: CA configuration failed.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration
>>> failed
>>>
>>>
>>> Log snip from ipareplica-install.log:
>>>
>>> 2016-09-20T23:42:27Z DEBUG Starting external process
>>> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>> '/tmp/tmpYofMPt'
>>> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
>>> 2016-09-20T23:42:31Z DEBUG stdout=Log file:
>>> /var/log/pki/pki-ca-spawn.20160920234227.log
>>> Loading deployment configuration from /tmp/tmpYofMPt.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>
>>> Installation failed.
>>>
>>>
>>> 2016-09-20T23:42:31Z DEBUG
>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>>> certificate verification is strongly advised. See:
>>> https://urllib3.readthedocs.org/en/latest/security.html
>>>   InsecureRequestWarning)
>>> Traceback (most recent call last):
>>>   File "/bin/pki", line 254, in <module>
>>>     cli.execute(sys.argv)
>>>   File "/bin/pki", line 240, in execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
>>> execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
>>> execute
>>>     trust_flags = cert_info['trust_flags']
>>> KeyError: 'trust_flags'
>>>
>>>
>>> --
>>> Korey
>>>
>>>
>>> Hi Korey,
>>>
>>> could you check if there is any more info in /var/log/pki/pki-ca-spawn log?
>>
>>
>> Nothing really useful I see in the spawn log:
>> 2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
>> 2016-09-20 23:42:31 pkispawn    : DEBUG    ....... Error Message:
>> Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
>> '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
>> '/tmp/ca.p12', '--pkcs12-password-file',
>> '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
>> exit status 1
>> 2016-09-20 23:42:31 pkispawn    : DEBUG    .......   File
>> "/usr/sbin/pkispawn", line 597, in main
>>     rv = scriptlet.spawn(deployer)
>>   File
>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py",
>> line 104, in spawn
>>     no_user_certs=True)
>>   File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in
>> import_pkcs12
>>     subprocess.check_call(cmd)
>>   File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
>>     raise CalledProcessError(retcode, cmd)
>>
>>> It might also be helpful to verify if correct trust flags are set in nssdb:
>>> certutil -d /etc/pki/pki-tomcat/alias/ -L
>>>
>>
>> Run on the source ipa server (current CA server):
>> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> XXX Certificate Authority                                    CT,c,
>> Server-Cert cert-pki-ca                                      u,u,u
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>>
>>
>> Run on the destination ipa server:
>> $ certutil -d /etc/pki/pki-tomcat/alias/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>>> Finally, can you check that LDAPS is running on port 636 on the replica
>>> where you're trying to install the CA (i.e. by nmap localhost)?
>>
>>
>> Run on the new replica:
>> $ nmap localhost
>>
>> Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 15:29 UTC
>> Nmap scan report for localhost (127.0.0.1)
>> Host is up (0.0000040s latency).
>> Other addresses for localhost (not scanned): 127.0.0.1
>> Not shown: 995 closed ports
>> PORT    STATE SERVICE
>> 22/tcp  open  ssh
>> 25/tcp  open  smtp
>> 53/tcp  open  domain
>> 389/tcp open  ldap
>> 636/tcp open  ldapssl
>>
>>>
>>> --
>>> Tomas Krizek
>>
>>
>>
>
Looks like that was it. I updated the pki-* components on the master server and it imported fine after a fresh ipa-replica-prepare. I didn't think to look at the master server for the source of the problem. Thanks Florence and Tomas!

--
Korey

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
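One way to automate the check Flo suggests above (run `pki pkcs12-cert-find` on the exported /tmp/ca.p12 and look for a "Trust Flags:" line on every certificate), as an added example that is not part of the thread or of the pki project: a small Python script that parses the listing and names the entries whose trust flags are missing, which is exactly what makes `pkcs12-import` fail with `KeyError: 'trust_flags'`. The record layout used for the constructed sample is an assumption about the CLI's output format.

```python
"""Find PKCS#12 entries that carry no NSS trust flags (added example).

Not code from the thread or the pki project; the record layout assumed in
SAMPLE_OUTPUT mirrors `pki pkcs12-cert-find` output as far as known.
"""
import re
import sys

# Constructed sample output; the external CA entry deliberately lacks
# its "Trust Flags" line, as in the thread's failing /tmp/ca.p12.
SAMPLE_OUTPUT = """\
Certificate ID: 0a1b2c3d
  Nickname: XXX Certificate Authority
  Subject DN: CN=XXX Certificate Authority,O=XXX
  Has Key: false

Certificate ID: 4e5f6071
  Nickname: caSigningCert cert-pki-ca
  Trust Flags: CTu,Cu,Cu
  Has Key: true

Certificate ID: 8293a4b5
  Nickname: Server-Cert cert-pki-ca
  Trust Flags: u,u,u
"""


def parse_cert_records(text):
    """Map each record's nickname to its trust flags (None when absent)."""
    records = {}
    for block in re.split(r"\n(?=Certificate ID:)", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        nickname = fields.get("Nickname") or fields.get("Certificate ID", "?")
        records[nickname] = fields.get("Trust Flags") or None  # "" counts as missing
    return records


def missing_trust_flags(text):
    """Nicknames that pkcs12-import would choke on, sorted for stable output."""
    return sorted(n for n, f in parse_cert_records(text).items() if f is None)


if __name__ == "__main__":
    # Pipe the real listing in: pki pkcs12-cert-find ... | python3 check_p12.py
    out = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("certs without trust flags:", missing_trust_flags(out) or "none")
```

Any nickname the script reports is a certificate to re-export from a fixed master, as Korey did after updating the pki-* packages, before rerunning ipa-replica-prepare.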
