On 04/24/2017 09:37 AM, Bjarne Blichfeldt wrote:
We had problems with one idm replica complaining about different ldap
database versions and at the same time errors on starting pki-tomcat. I
decided to delete the ipa server and reinstall.

The ipa server delete went without problems, but the reinstall….

ipa-replica-install --setup-ca --setup-dns --forwarder
--forwarder --principal admin --admin-password  “secret”

This fails on ca install, but without set-up ca the install was successful.

I tried both with the server enrolled as client and with the server not
enrolled – no difference.

The installation was successful in a different environment but same
software versions.

server is rhel 7.3, ipa: VERSION: 4.4.0, API_VERSION: 2.213

When ipa-replica-install fails with --setup-ca, ipareplica-install.log
shows:

2017-04-23T19:44:45Z DEBUG Starting external process

2017-04-23T19:44:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X

2017-04-23T19:44:46Z DEBUG Process finished, return code=1

2017-04-23T19:44:46Z DEBUG stdout=Log file:

Loading deployment configuration from /tmp/tmpBLQe1X.

2017-04-23T19:44:46Z DEBUG stderr=Traceback (most recent call last):

  File "/usr/sbin/pkispawn", line 817, in <module>


  File "/usr/sbin/pkispawn", line 501, in main


  File "/usr/sbin/pkispawn", line 641, in create_master_dictionary


line 614, in compose_pki_master_dictionary


  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line
595, in load


  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line
129, in load

    lines = open(self.cs_conf).read().splitlines()

IOError: [Errno 2] No such file or directory:

2017-04-23T19:44:46Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpBLQe1X' returned non-zero exit status 1

2017-04-23T19:44:46Z CRITICAL See the installation logs and the
following files/directories for more information:

2017-04-23T19:44:46Z CRITICAL   /var/log/pki/pki-tomcat

2017-04-23T19:44:46Z DEBUG Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 449, in start_creation

    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 439, in run_step


"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
586, in __spawn_instance

    DogtagInstance.spawn_instance(self, cfg_file)

line 181, in spawn_instance


line 420, in handle_setup_error

    raise RuntimeError("%s configuration failed." % self.subsystem)

RuntimeError: CA configuration failed.

2017-04-23T19:44:46Z DEBUG   [error] RuntimeError: CA configuration failed.

2017-04-23T19:44:46Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in

    return_value = self.run()

  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
318, in run


  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 310, in run


  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 332, in execute

    for nothing in self._executor():

Nothing in /var/log/pki/pki-tomcat.

Further observations:

During changing the certificate to thirdparty ssl, I got the following
error in /var/log/httpd/error_log :

[Mon Apr 24 09:03:14.267871 2017] [:error] [pid 11004] Unable to verify
certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so
the server can start until the problem can be resolved.

p11-kit: couldn't open and map file:
/etc/pki/ca-trust/source/ipa.p11-kit: Permission denied

I changed the permission on /etc/pki/ca-trust/source/ipa.p11-kit from
600 to 644 and added "NSSEnforceValidCerts off" to

After that ipa-certupdate succeeded.

Is there any way to install the ca without reinstalling the whole
ipa-server again?


Bjarne Blichfeldt.


1/ you may find more information about the CA installation failure in /var/log/pki/pki-ca-spawn.$date.log

To enable debug logs, you can create the file /etc/ipa/server.conf:
$ cat /etc/ipa/server.conf
debug = True

2/ the error in httpd/error_log may indicate that your certificate expired, could you check if all the certificates are still valid?
$ sudo certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep  Not
            Not Before: Thu Apr 20 15:03:40 2017
            Not After : Sun Apr 21 15:03:40 2019

3/ I recall CA install issues when an old /root/cacert.p12 was left on a replica between uninstall and install. Can you try to delete this file and re-try the ipa-replica-install?
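Point 2/ above checks one certificate by eye. The following script, added here as an example and not part of the thread or of FreeIPA's own tooling, parses the "Not Before"/"Not After" lines from `certutil -L -d <nssdb> -n <nickname>` output and classifies the certificate as valid, expired, not yet valid, or expiring soon at a given point in time. The sample output is constructed for the example (only the validity lines matter); the threshold of 30 days is an assumption.

```python
import re
from datetime import datetime

# Constructed sample of `certutil -L -d /etc/httpd/alias/ -n Server-Cert` output.
# Only the Validity block is reproduced; the dates are made up for this example.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity:
            Not Before: Thu Apr 20 15:03:40 2017
            Not After : Sun Apr 21 15:03:40 2019
"""

# certutil prints "Not Before:" and "Not After :" (note the stray space),
# so allow optional whitespace before the colon.
_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
# certutil's timestamp format, e.g. "Sun Apr 21 15:03:40 2019".
_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_validity(certutil_text):
    """Return (not_before, not_after) as datetimes from certutil -L output."""
    found = {}
    for which, stamp in _VALIDITY_RE.findall(certutil_text):
        found[which] = datetime.strptime(stamp, _DATE_FMT)
    if "Before" not in found or "After" not in found:
        raise ValueError("no validity period found in certutil output")
    return found["Before"], found["After"]


def cert_status(certutil_text, now_iso, warn_days=30):
    """Classify a certificate relative to an ISO-8601 timestamp.

    Returns one of: "not_yet_valid", "expired", "expiring_soon", "valid".
    warn_days (assumed 30 here) is how close to expiry counts as a warning.
    """
    now = datetime.fromisoformat(now_iso)
    not_before, not_after = parse_validity(certutil_text)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if (not_after - now).days < warn_days:
        return "expiring_soon"
    return "valid"


def report(certs_by_nickname, now_iso):
    """Map each nickname to its status; certs_by_nickname holds certutil output."""
    return {nick: cert_status(text, now_iso) for nick, text in certs_by_nickname.items()}


if __name__ == "__main__":
    # Stand-alone run on the constructed sample at the time of the httpd error.
    for nick, status in report({"Server-Cert": SAMPLE_CERTUTIL_OUTPUT},
                               "2017-04-24T09:03:14").items():
        print(nick, status)
```

In practice you would feed it the real output, e.g. `certutil -L -d /etc/httpd/alias/ -n Server-Cert` piped into the script, and run it over every nickname in the database (`certutil -L -d /etc/httpd/alias/` lists them) so an expired CA or subsystem certificate is caught alongside the server certificate. A "valid" result rules out expiry as the cause of the "Unable to verify certificate" error and points at trust or permission problems like the ipa.p11-kit one instead.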


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project