Hi all,

I'm trying to setup a freeipa masterserver and a replica, on a fresh
install of CentOS 7.3

after running ipa-server-install on the master and running
ipa-client-install on the replica the ipa-replica-install command fails
to restart the directory server.

Turns out this is because the DS Certificate was never received. It
fails with status: CA_UNREACHABLE and I can't figure out why this is
failing.

Could someone give me some pointers?

on the replica:


/var/log/ipareplica-install.log
2017-02-14T12:21:20Z DEBUG certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
2017-02-14T12:21:25Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)
2017-02-14T12:21:25Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-MY-REALM.socket from SchemaCache
2017-02-14T12:21:25Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-MY-REALM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x73101b8>
2017-02-14T12:21:25Z DEBUG   duration: 5 seconds
2017-02-14T12:21:25Z DEBUG   [28/44]: restarting directory server

<fails>


# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170214122119':
    status: CA_UNREACHABLE
    ca-error: Server at https://<ipa-server>/ipa/xml failed request,
will retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (503)).
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MY_REALM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MY_REALM//pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MY_REALM',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes



# certutil -L -d /etc/dirsrv/slapd-MY_REALM/

Certificate Nickname                                         Trust
Attributes
                                                            
SSL,S/MIME,JAR/XPI

MY_REALM IPA CA                                          CT,C,C


# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust
Attributes
                                                            
SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
beta                                                         u,pu,u
alpha                                                        u,pu,u
Server-Cert                                                  u,u,u




# curl --negotiate -u : https://ipa-server/ipa/xml --referer
https://ipa-server/ipa/xml -I
HTTP/1.1 401 Unauthorized
Date: Tue, 14 Feb 2017 12:07:02 GMT
Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Last-Modified: Tue, 17 Jan 2017 17:34:23 GMT
Accept-Ranges: bytes
Content-Length: 1474
Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 Success
Date: Tue, 14 Feb 2017 12:07:02 GMT
Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
Set-Cookie: ipa_session=<snip>
WWW-Authenticate: Negotiate <snip>
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Vary: Accept-Encoding
Content-Type: text/xml; charset=utf-8


On the ipa-server:

/var/log/pki/pki-tomcat/ca/debug


[14/Feb/2017:13:20:15][Timer-0]: SessionTimer: run()
[14/Feb/2017:13:20:15][Timer-0]: LDAPSecurityDomainSessionTable:
getSessionIds()
[14/Feb/2017:13:20:15][Timer-0]: LDAPSecurityDomainSessionTable:
searching ou=sessions,ou=Security Domain,o=ipaca
[14/Feb/2017:13:20:15][Timer-0]: In LdapBoundConnFactory::getConn()
[14/Feb/2017:13:20:15][Timer-0]: masterConn is connected: true
[14/Feb/2017:13:20:15][Timer-0]: getConn: conn is connected true
[14/Feb/2017:13:20:15][Timer-0]: getConn: mNumConns now 2
[14/Feb/2017:13:20:15][Timer-0]: SecurityDomainSessionTable: No active
sessions.
[14/Feb/2017:13:20:15][Timer-0]: returnConn: mNumConns now 3
[14/Feb/2017:13:25:15][Timer-0]: SessionTimer: run()
[14/Feb/2017:13:25:15][Timer-0]: LDAPSecurityDomainSessionTable:
getSessionIds()
[14/Feb/2017:13:25:15][Timer-0]: LDAPSecurityDomainSessionTable:
searching ou=sessions,ou=Security Domain,o=ipaca
[14/Feb/2017:13:25:15][Timer-0]: In LdapBoundConnFactory::getConn()
[14/Feb/2017:13:25:15][Timer-0]: masterConn is connected: true
[14/Feb/2017:13:25:15][Timer-0]: getConn: conn is connected true
[14/Feb/2017:13:25:15][Timer-0]: getConn: mNumConns now 2
[14/Feb/2017:13:25:15][Timer-0]: SecurityDomainSessionTable: No active
sessions.
[14/Feb/2017:13:25:15][Timer-0]: returnConn: mNumConns now 3


(so nothing at 13:21:14)



==> /var/log/pki/pki-tomcat/ca/selftests.log <==
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
SelfTestSubsystem:  loading all self test plugin logger parameters
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
SelfTestSubsystem:  loading all self test plugin instances
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
SelfTestSubsystem:  loading all self test plugin instance parameters
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
SelfTestSubsystem:  loading self test plugins in on-demand order
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
SelfTestSubsystem:  loading self test plugins in startup order
0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1]
SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
SelfTestSubsystem: Running self test plugins specified to be executed at
startup:
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [14/Feb/2017:10:20:15 CET] [20] [1]
SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
startup!


and /var/log/pki/pki-tomcat/localhost.2017-02-14.log is filled with
these exceptions that aren't pointing me to anywhere.

SEVERE: Servlet.service() for servlet [Resteasy] in context with path
[/ca] threw exception
org.jboss.resteasy.spi.UnhandledException:
org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find
MessageBodyWriter for response object of type:
com.netscape.certsrv.base.PKIException$Data of media type:
application/x-www-form-urlencoded
        at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)

        ...


# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170214084423':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=CA Audit,O=MY-REALM
    expires: 2019-02-04 08:42:52 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170214084425':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=OCSP Subsystem,O=MY-REALM
    expires: 2019-02-04 08:42:48 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170214084428':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=CA Subsystem,O=MY-REALM
    expires: 2019-02-04 08:42:51 UTC
    key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170214084431':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=Certificate Authority,O=MY-REALM
    expires: 2037-02-14 08:42:43 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170214084434':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=IPA RA,O=MY-REALM
    expires: 2019-02-04 08:44:09 UTC
    key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20170214084436':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=ipa-server,O=MY-REALM
    expires: 2019-02-04 08:42:49 UTC
    key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170214084646':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MY-REALM/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=ipa-server,O=MY-REALM
    expires: 2019-02-15 08:46:45 UTC
    key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MY-REALM
    track: yes
    auto-renew: yes
Request ID '20170214085151':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MY-REALM
    subject: CN=ipa-server,O=MY-REALM
    expires: 2019-02-15 08:51:50 UTC
    key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

# systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
vendor preset: disabled)
   Active: active (running) since Tue 2017-02-14 10:19:32 CET; 3h 40min ago
 Main PID: 1300 (java)
   CGroup:
/system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─1300 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
-DRESTEASY_LIB=/usr/share/java/resteasy-base
-Djava.library.path=/usr/lib64/nuxwdog-jni -classpath
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/...

Feb 14 10:19:57ipa-server server[1300]: SSLAuthenticatorWithFallback:
Creating SSL authenticator with fallback
Feb 14 10:19:57ipa-server server[1300]: SSLAuthenticatorWithFallback:
Setting container
Feb 14 10:20:07ipa-server server[1300]: SSLAuthenticatorWithFallback:
Initializing authenticators
Feb 14 10:20:07ipa-server server[1300]: SSLAuthenticatorWithFallback:
Starting authenticators
Feb 14 10:20:10ipa-server server[1300]:
CMSEngine.initializePasswordStore() begins
Feb 14 10:20:10ipa-server server[1300]:
CMSEngine.initializePasswordStore(): tag=internaldb
Feb 14 10:20:10ipa-server server[1300]:
CMSEngine.initializePasswordStore(): tag=replicationdb
Feb 14 10:20:15ipa-server server[1300]: CA is started.
Feb 14 10:20:26ipa-server server[1300]: PKIListener:
org.apache.catalina.core.StandardServer[after_start]
Feb 14 10:20:26ipa-server server[1300]: PKIListener: Subsystem CA is
running.



Regards,
Jens Timmerman



Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to