Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-22 Thread Korey Chapman
On Thu, Sep 22, 2016 at 1:52 AM, Florence Blanc-Renaud  wrote:
> Hi Korey,
>
> I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12
> probably doesn't contain the trust flags for some certificates.
> You can check by running
> pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
> and see if the output displays "Trust Flags: xxx" for all the certs.
>
> Flo.
>
> [1] https://fedorahosted.org/pki/ticket/2255
>
>
> On 09/21/2016 05:38 PM, Korey Chapman wrote:
>>
>> On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek  wrote:
>>>
>>> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>>>
>>> Hello list,
>>>
>>> I'm currently attempting to add a second CA server to our IPA cluster
>>> (all servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter
>>> how I try to set up the CA (ipa-replica-install with --setup-ca or
>>> ipa-replica-install followed by ipa-ca-install). The only useful thing in
>>> the logs is an error about a missing key for "trust_flags" in the pki
>>> setup. Our infrastructure uses FreeIPA with an external CA.
>>>
>>> Any ideas/help would be greatly appreciated. Here are the log snips from
>>> my most recent attempt:
>>>
>>> Command output snip from "ipa-replica-install
>>> /root/replica-info-auth-002.XXX.gpg --setup-ca"
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>>> 30
>>> seconds
>>>   [1/24]: creating certificate server user
>>>   [2/24]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
>>> CA
>>> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
>>> returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
>>> installation
>>> logs and the following files/directories for more information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
>>> /var/log/pki/pki-tomcat
>>>   [error] RuntimeError: CA configuration failed.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration
>>> failed
>>>
>>>
>>> Log snip from ipareplica-install.log:
>>>
>>> 2016-09-20T23:42:27Z DEBUG Starting external process
>>> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>> '/tmp/tmpYofMPt'
>>> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
>>> 2016-09-20T23:42:31Z DEBUG stdout=Log file:
>>> /var/log/pki/pki-ca-spawn.20160920234227.log
>>> Loading deployment configuration from /tmp/tmpYofMPt.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>
>>> Installation failed.
>>>
>>>
>>> 2016-09-20T23:42:31Z DEBUG
>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>>> certificate verification is strongly advised. See:
>>> https://urllib3.readthedocs.org/en/latest/security.html
>>>   InsecureRequestWarning)
>>> Traceback (most recent call last):
>>>   File "/bin/pki", line 254, in <module>
>>> cli.execute(sys.argv)
>>>   File "/bin/pki", line 240, in execute
>>> module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195,
>>> in
>>> execute
>>> module.execute(module_args)
>>>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
>>> execute
>>> trust_flags = cert_info['trust_flags']
>>> KeyError: 'trust_flags'
>>>
>>>
>>> --
>>> Korey
>>>
>>>
>>> Hi Korey,
>>>
>>> could you check if there is any more info in /var/log/pki/pki-ca-spawn
>>> log?
>>
>>
>> Nothing really useful I see in the spawn log:
>> 2016-09-20 23:42:31 pkispawn: DEBUG... Error Type:
>> CalledProcessError
>> 2016-09-20 23:42:31 pkispawn: DEBUG... Error Message:
>> Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
>> '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
>> '/tmp/ca.p12', '--pkcs12-password-file',
>> '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
>> exit status 1
>> 2016-09-20 23:42:31 pkispawn: DEBUG...   File
>> "/usr/sbin/pkispawn", line 597, in main
>> rv = scriptlet.spawn(deployer)
>>   File
>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py",
>> line 104, in spawn
>> no_user_certs=True)
>>   File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in
>> import_pkcs12
>> subprocess.check_call(cmd)
>>   File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
>> raise CalledProcessError(retcode, cmd)
>>
>>>
>>> It might also be helpful to verify if correct trust flags are set in nssdb:
>>> certutil -d 

Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-22 Thread Florence Blanc-Renaud

Hi Korey,

I believe that you are hitting Dogtag issue #2255 [1]. The file 
/tmp/ca.p12 probably doesn't contain the trust flags for some certificates.

You can check by running
pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
and see if the output displays "Trust Flags: xxx" for all the certs.

Flo.

[1] https://fedorahosted.org/pki/ticket/2255

On 09/21/2016 05:38 PM, Korey Chapman wrote:

On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek  wrote:

On 09/21/2016 02:13 AM, Korey Chapman wrote:

Hello list,

I'm currently attempting to add a second CA server to our IPA cluster (all
servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter how I
try to set up the CA (ipa-replica-install with --setup-ca or
ipa-replica-install followed by ipa-ca-install). The only useful thing in
the logs is an error about a missing key for "trust_flags" in the pki setup.
Our infrastructure uses FreeIPA with an external CA.

Any ideas/help would be greatly appreciated. Here are the log snips from my
most recent attempt:

Command output snip from "ipa-replica-install
/root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration
failed


Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpYofMPt'
2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160920234227.log
Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2016-09-20T23:42:31Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/bin/pki", line 254, in <module>
cli.execute(sys.argv)
  File "/bin/pki", line 240, in execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
execute
trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


--
Korey


Hi Korey,

could you check if there is any more info in /var/log/pki/pki-ca-spawn log?


Nothing really useful I see in the spawn log:
2016-09-20 23:42:31 pkispawn: DEBUG... Error Type:
CalledProcessError
2016-09-20 23:42:31 pkispawn: DEBUG... Error Message:
Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
'/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
'/tmp/ca.p12', '--pkcs12-password-file',
'/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
exit status 1
2016-09-20 23:42:31 pkispawn: DEBUG...   File
"/usr/sbin/pkispawn", line 597, in main
rv = scriptlet.spawn(deployer)
  File 
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py",
line 104, in spawn
no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in
import_pkcs12
subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
raise CalledProcessError(retcode, cmd)



It might also be helpful to verify if correct trust flags are set in nssdb:
certutil -d /etc/pki/pki-tomcat/alias/ -L



Run on the source ipa server (current CA server):
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

XXX Certificate Authority                CT,c,
Server-Cert cert-pki-ca                  u,u,u
auditSigningCert cert-pki-ca             u,u,Pu
caSigningCert cert-pki-ca

Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Korey Chapman
On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek  wrote:
> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>
> Hello list,
>
> I'm currently attempting to add a second CA server to our IPA cluster (all
> servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter how I
> try to set up the CA (ipa-replica-install with --setup-ca or
> ipa-replica-install followed by ipa-ca-install). The only useful thing in
> the logs is an error about a missing key for "trust_flags" in the pki setup.
> Our infrastructure uses FreeIPA with an external CA.
>
> Any ideas/help would be greatly appreciated. Here are the log snips from my
> most recent attempt:
>
> Command output snip from "ipa-replica-install
> /root/replica-info-auth-002.XXX.gpg --setup-ca"
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
> logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration
> failed
>
>
> Log snip from ipareplica-install.log:
>
> 2016-09-20T23:42:27Z DEBUG Starting external process
> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpYofMPt'
> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
> 2016-09-20T23:42:31Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160920234227.log
> Loading deployment configuration from /tmp/tmpYofMPt.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-09-20T23:42:31Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> Traceback (most recent call last):
>   File "/bin/pki", line 254, in <module>
> cli.execute(sys.argv)
>   File "/bin/pki", line 240, in execute
> module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
> execute
> module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
> execute
> trust_flags = cert_info['trust_flags']
> KeyError: 'trust_flags'
>
>
> --
> Korey
>
>
> Hi Korey,
>
> could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

Nothing really useful I see in the spawn log:
2016-09-20 23:42:31 pkispawn: DEBUG... Error Type:
CalledProcessError
2016-09-20 23:42:31 pkispawn: DEBUG... Error Message:
Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
'/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
'/tmp/ca.p12', '--pkcs12-password-file',
'/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
exit status 1
2016-09-20 23:42:31 pkispawn: DEBUG...   File
"/usr/sbin/pkispawn", line 597, in main
rv = scriptlet.spawn(deployer)
  File 
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py",
line 104, in spawn
no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in
import_pkcs12
subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
raise CalledProcessError(retcode, cmd)

>
> It might also be helpful to verify if correct trust flags are set in nssdb:
> certutil -d /etc/pki/pki-tomcat/alias/ -L
>

Run on the source ipa server (current CA server):
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

XXX Certificate Authority                CT,c,
Server-Cert cert-pki-ca                  u,u,u
auditSigningCert cert-pki-ca             u,u,Pu
caSigningCert cert-pki-ca                CTu,Cu,Cu
ocspSigningCert cert-pki-ca              u,u,u
subsystemCert cert-pki-ca                u,u,u


Run on the destination ipa server:
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname
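As an added example (not code from this thread, FreeIPA or Dogtag), the following Python script parses certutil -L listings like the ones Korey posted and compares the trust flags of the source CA server's nssdb with the destination's, which is the check Tomas suggested and the symptom Flo's diagnosis predicts: CA certificates imported from a PKCS#12 that carries no trust flags end up with empty or key-only trust on the replica. The two listings inside the script are constructed to match the shape of the output above; the destination listing is a hypothetical one, not Korey's truncated output.

```python
"""Parse `certutil -d <nssdb> -L` output and compare the trust flags of two NSS
databases. Added example; the listings below are constructed, not real output."""
import re

# Constructed sample: trust listing of the source (current CA) server.
SOURCE_LISTING = """\
Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

XXX Certificate Authority                CT,c,
Server-Cert cert-pki-ca                  u,u,u
auditSigningCert cert-pki-ca             u,u,Pu
caSigningCert cert-pki-ca                CTu,Cu,Cu
ocspSigningCert cert-pki-ca              u,u,u
subsystemCert cert-pki-ca                u,u,u
"""

# Constructed sample: a destination nssdb after a PKCS#12 import without trust flags.
DEST_LISTING = """\
Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

XXX Certificate Authority                ,,
Server-Cert cert-pki-ca                  u,u,u
caSigningCert cert-pki-ca                u,u,u
"""

# Meaning of the letters certutil prints in each trust column (SSL, S/MIME, JAR/XPI).
FLAG_MEANING = {
    "C": "trusted CA (implies c)",
    "T": "trusted CA to issue client certs",
    "c": "valid CA",
    "P": "trusted peer",
    "u": "user cert (private key present)",
}
USAGES = ("SSL", "S/MIME", "JAR/XPI")

# A data row: nickname, at least two spaces, then three comma-separated flag groups.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")


def parse_certutil_listing(text):
    """Return {nickname: 'ssl,smime,jar'} for every certificate row; headers are skipped."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("flags")
    return certs


def describe_flags(trust):
    """Expand a trust string such as 'CTu,Cu,Cu' into per-usage descriptions."""
    return {usage: [FLAG_MEANING.get(ch, f"flag {ch}") for ch in letters] or ["no trust"]
            for usage, letters in zip(USAGES, trust.split(","))}


def compare_trust(source, dest):
    """List (nickname, problem) for source certs missing or carrying different trust on dest."""
    problems = []
    for nick, src_flags in source.items():
        if nick not in dest:
            problems.append((nick, "missing on destination"))
        elif dest[nick] != src_flags:
            problems.append((nick, f"trust {dest[nick]!r} on destination, source has {src_flags!r}"))
    return problems
```

Feeding the script the real listings from both servers shows at a glance which CA entries lost their C/T flags during the import.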

Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Tomas Krizek

On 09/21/2016 02:13 AM, Korey Chapman wrote:

Hello list,

I'm currently attempting to add a second CA server to our IPA cluster 
(all servers CentOS 7.2 with IPA 4.2.0). However, it is failing no 
matter how I try to set up the CA (ipa-replica-install with --setup-ca 
or ipa-replica-install followed by ipa-ca-install). The only useful 
thing in the logs is an error about a missing key for "trust_flags" in 
the pki setup. Our infrastructure uses FreeIPA with an external CA.


Any ideas/help would be greatly appreciated. Here are the log snips 
from my most recent attempt:


Command output snip from "ipa-replica-install 
/root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3 
minutes 30 seconds

  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpYofMPt'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more 
information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki/pki-tomcat

  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA 
configuration failed



Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpYofMPt'

2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file: 
/var/log/pki/pki-ca-spawn.20160920234227.log

Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.


Installation failed.


2016-09-20T23:42:31Z DEBUG 
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
certificate verification is strongly advised. See: 
https://urllib3.readthedocs.org/en/latest/security.html

  InsecureRequestWarning)
Traceback (most recent call last):
  File "/bin/pki", line 254, in <module>
cli.execute(sys.argv)
  File "/bin/pki", line 240, in execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 
195, in execute

module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, 
in execute

trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


--
Korey



Hi Korey,

could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

It might also be helpful to verify if correct trust flags are set in nssdb: 
certutil -d /etc/pki/pki-tomcat/alias/ -L


Finally, can you check that LDAPS is running on port 636 on the replica 
where you're trying to install the CA (i.e. by nmap localhost)?


--
Tomas Krizek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Korey Chapman
Hello list,

I'm currently attempting to add a second CA server to our IPA cluster (all
servers CentOS 7.2 with IPA 4.2.0). However, it is failing no matter how I
try to set up the CA (ipa-replica-install with --setup-ca or
ipa-replica-install followed by ipa-ca-install). The only useful thing in
the logs is an error about a missing key for "trust_flags" in the pki
setup. Our infrastructure uses FreeIPA with an external CA.

Any ideas/help would be greatly appreciated. Here are the log snips from
my most recent attempt:

Command output snip from "ipa-replica-install
/root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration
failed


Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpYofMPt'
2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160920234227.log
Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2016-09-20T23:42:31Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/bin/pki", line 254, in <module>
cli.execute(sys.argv)
  File "/bin/pki", line 240, in execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
execute
trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


-- 
Korey