We had problems with one idm replica complaining about different ldap database versions and at the same time errors on starting pki-tomcat. I decided to delete the ipa server and reinstall. The ipa server delete went without problems, but the reinstall....
ipa-replica-install --setup-ca --setup-dns --forwarder 10.200.207.11 --forwarder 10.200.206.11 --principal admin --admin-password "secret"

This fails on CA install, but without --setup-ca the install was successful. I tried both with the server enrolled as client and with the server not enrolled - no difference. The installation was successful in a different environment with the same software versions.

Server is RHEL 7.3, ipa: VERSION: 4.4.0, API_VERSION: 2.213

When ipa-replica-install fails with --setup-ca, ipareplica-install.log shows:

2017-04-23T19:44:45Z DEBUG Starting external process
2017-04-23T19:44:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X
2017-04-23T19:44:46Z DEBUG Process finished, return code=1
2017-04-23T19:44:46Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170423214445.log
Loading deployment configuration from /tmp/tmpBLQe1X.
2017-04-23T19:44:46Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 817, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 501, in main
    create_master_dictionary(parser)
  File "/usr/sbin/pkispawn", line 641, in create_master_dictionary
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 614, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 595, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 129, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
2017-04-23T19:44:46Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X' returned non-zero exit status 1
2017-04-23T19:44:46Z CRITICAL See the installation logs and the following files/directories for more information:
2017-04-23T19:44:46Z CRITICAL /var/log/pki/pki-tomcat
2017-04-23T19:44:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2017-04-23T19:44:46Z DEBUG [error] RuntimeError: CA configuration failed.
2017-04-23T19:44:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():

Nothing in /var/log/pki/pki-tomcat.

Further observations: while changing the certificate to a third-party SSL certificate, I got the following error in /var/log/httpd/error_log:

[Mon Apr 24 09:03:14.267871 2017] [:error] [pid 11004] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied

I changed the permission on /etc/pki/ca-trust/source/ipa.p11-kit from 600 to 644 and added "NSSEnforceValidCerts off" to /etc/httpd/conf.d/nss.conf. After that ipa-certupdate succeeded.

Is there any way to install the CA without reinstalling the whole ipa-server again?
Regards Bjarne Blichfeldt.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
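As an added example (not part of Bjarne's post, and not FreeIPA or Dogtag tooling), a pre-flight shell script that checks for the two conditions his logs point at before ipa-replica-install --setup-ca is retried: a Dogtag instance directory that exists without its ca/conf/CS.cfg (the IOError from pkispawn above), and an ipa.p11-kit trust file that the non-root httpd process cannot read (the p11-kit "Permission denied" above). The paths are the ones from the post; the function names, the constructed sample log and the mode/log checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the two
# symptoms reported above before retrying "ipa-replica-install --setup-ca".
# The paths are the ones named in the post; the function names, the
# constructed sample log and the check logic are this example's own.

# pkispawn reads <instance>/ca/conf/CS.cfg when it finds an existing Dogtag
# instance. The post's IOError means the instance directory was found but
# CS.cfg was not. Returns 0 when the instance is absent (clean for a fresh
# --setup-ca) or complete, 1 when it is present but missing CS.cfg.
check_ca_instance() {
    instance_root="$1"
    if [ ! -d "$instance_root" ]; then
        echo "no Dogtag instance at $instance_root"
        return 0
    fi
    if [ -f "$instance_root/ca/conf/CS.cfg" ]; then
        echo "Dogtag CA instance at $instance_root has ca/conf/CS.cfg"
        return 0
    fi
    echo "stale Dogtag instance: $instance_root exists but ca/conf/CS.cfg is missing"
    return 1
}

# The p11-kit "Permission denied" in the post came from a 0600 trust file
# that httpd (not running as root) must read. Returns 0 when the file is
# world-readable, 1 when it is missing or not readable by others.
check_world_readable() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    mode=$(stat -c '%a' "$f")          # octal mode, e.g. 600 or 644 (GNU stat)
    last=${mode#"${mode%?}"}           # "other" permissions are the last octal digit
    if [ $(( last & 4 )) -eq 4 ]; then # read bit for "other"
        echo "$f mode $mode is world-readable"
        return 0
    fi
    echo "$f mode $mode is not world-readable"
    return 1
}

# Print the first CRITICAL entry of an ipareplica-install.log without its
# timestamp, so the root cause is visible before the long tracebacks.
first_critical() {
    sed -n '/ CRITICAL /{s/^[^ ]* CRITICAL //;p;q;}' "$1"
}

# Constructed sample log, modelled on the excerpt quoted in the post.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2017-04-23T19:44:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X
2017-04-23T19:44:46Z DEBUG Process finished, return code=1
2017-04-23T19:44:46Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X' returned non-zero exit status 1
2017-04-23T19:44:46Z CRITICAL /var/log/pki/pki-tomcat
EOF

# Run the checks against the paths from the post; a failing check does not
# abort the script, so all findings are printed together.
echo "--- first CRITICAL entry in sample log:"
first_critical "$SAMPLE_LOG"
echo "--- Dogtag instance:"
check_ca_instance /var/lib/pki/pki-tomcat || :
echo "--- IPA trust file:"
check_world_readable /etc/pki/ca-trust/source/ipa.p11-kit || :
```

The script only reports; it deliberately does not remove a stale instance or change modes, since which of those is the right fix depends on what else is still registered on the host. Run it on the replica before retrying the install and point first_critical at the real /var/log/ipareplica-install.log to get the root-cause line without scrolling through the tracebacks.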