Re: [Freeipa-users] CA Fails to build Replica (w/External CA)
On Thu, Sep 22, 2016 at 1:52 AM, Florence Blanc-Renaud wrote:
> Hi Korey,
>
> I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12
> probably doesn't contain the trust flags for some certificates.
> You can check by running
>
>     pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password
>
> and see if the output displays "Trust Flags: xxx" for all the certs.
>
> Flo.
>
> [1] https://fedorahosted.org/pki/ticket/2255
>
> On 09/21/2016 05:38 PM, Korey Chapman wrote:
>> On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek wrote:
>>> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>>> [...]
>> [...]
Re: [Freeipa-users] CA Fails to build Replica (w/External CA)
Hi Korey,

I believe that you are hitting Dogtag issue #2255 [1]. The file /tmp/ca.p12 probably doesn't contain the trust flags for some certificates.
You can check by running

    pki pkcs12-cert-find --pkcs12-file /tmp/ca.p12 --pkcs12-password password

and see if the output displays "Trust Flags: xxx" for all the certs.

Flo.

[1] https://fedorahosted.org/pki/ticket/2255

On 09/21/2016 05:38 PM, Korey Chapman wrote:
> On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek wrote:
>> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>> [...]
> [...]
Re: [Freeipa-users] CA Fails to build Replica (w/External CA)
On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek wrote:
> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>> [...]
>
> Hi Korey,
>
> could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

Nothing really useful I see in the spawn log:

    2016-09-20 23:42:31 pkispawn: DEBUG... Error Type: CalledProcessError
    2016-09-20 23:42:31 pkispawn: DEBUG... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/ca.p12', '--pkcs12-password-file', '/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero exit status 1
    2016-09-20 23:42:31 pkispawn: DEBUG... File "/usr/sbin/pkispawn", line 597, in main
        rv = scriptlet.spawn(deployer)
      File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 104, in spawn
        no_user_certs=True)
      File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
        subprocess.check_call(cmd)
      File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
        raise CalledProcessError(retcode, cmd)

> It might also be helpful to verify if correct trust flags are set in nssdb:
>
>     certutil -d /etc/pki/pki-tomcat/alias/ -L

Run on the source ipa server (current CA server):

    $ certutil -d /etc/pki/pki-tomcat/alias/ -L

    Certificate Nickname                            Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

    XXX Certificate Authority                       CT,c,
    Server-Cert cert-pki-ca                         u,u,u
    auditSigningCert cert-pki-ca                    u,u,Pu
    caSigningCert cert-pki-ca                       CTu,Cu,Cu
    ocspSigningCert cert-pki-ca                     u,u,u
    subsystemCert cert-pki-ca                       u,u,u

Run on the destination ipa server:

    $ certutil -d /etc/pki/pki-tomcat/alias/ -L

    Certificate Nickname
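The comparison being done by eye above (source CA trust attributes versus what ended up on the replica) is easy to script. The block below is an added example for this thread, not code from the thread or from FreeIPA/Dogtag: it parses `certutil -d <dir> -L` output, then reports certificates that are missing on the destination or whose NSS trust triple differs, flagging separately the case where a cert that is a trust anchor on the source ('C' or 'T' in any usage) has lost that trust. The source listing is the one posted above; the destination listing is constructed for illustration, since the one in the thread is cut off.

```python
"""Compare NSS trust flags between two `certutil -L` listings.

Added example for this thread; it is not code from the thread or from
FreeIPA/Dogtag.  It parses the text that `certutil -d <dir> -L` prints and
reports certificates that are missing on the replica or whose trust
attributes differ from the source CA.
"""
import re
from typing import Dict, List, Tuple

TrustTriple = Tuple[str, str, str]  # (SSL, S/MIME, JAR/XPI) trust strings

# One listing row: a nickname (may contain spaces) followed by the trust
# triple.  Each field is a run of NSS trust letters and may be empty, so
# "CT,c," and ",," are both valid triples.  Header rows do not match.
_ROW_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$"
)

# Source listing as posted in the thread (the current CA server).
SOURCE_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

XXX Certificate Authority                       CT,c,
Server-Cert cert-pki-ca                         u,u,u
auditSigningCert cert-pki-ca                    u,u,Pu
caSigningCert cert-pki-ca                       CTu,Cu,Cu
ocspSigningCert cert-pki-ca                     u,u,u
subsystemCert cert-pki-ca                       u,u,u
"""

# Constructed destination listing (the one in the thread is cut off): the
# external CA and the CA signing cert were imported without their trust
# flags, and the remaining subsystem certs never arrived.
DEST_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

XXX Certificate Authority                       ,,
Server-Cert cert-pki-ca                         u,u,u
caSigningCert cert-pki-ca                       u,u,u
"""


def parse_certutil_listing(text: str) -> Dict[str, TrustTriple]:
    """Map nickname -> (ssl, smime, jar) from `certutil -L` output."""
    certs: Dict[str, TrustTriple] = {}
    for raw in text.splitlines():
        m = _ROW_RE.match(raw.strip())
        if not m:
            continue  # header lines and blanks
        ssl, smime, jar = m.group("flags").split(",")
        certs[m.group("nick")] = (ssl, smime, jar)
    return certs


def is_trust_anchor(flags: TrustTriple) -> bool:
    """True when any usage carries 'C' (trusted CA) or 'T' (trusted to
    issue client certs); 'u' alone only says we hold the private key."""
    return any("C" in f or "T" in f for f in flags)


def diff_trust(source: Dict[str, TrustTriple],
               dest: Dict[str, TrustTriple]) -> List[str]:
    """One finding per cert that is missing on dest or whose trust differs.
    Lost CA trust is called out separately: without 'C' NSS will not use
    the cert as a trust anchor when validating chains on the replica."""
    findings: List[str] = []
    for nick, src in sorted(source.items()):
        dst = dest.get(nick)
        if dst is None:
            findings.append(f"MISSING {nick}: not present on destination")
        elif dst != src:
            lost = is_trust_anchor(src) and not is_trust_anchor(dst)
            kind = "TRUST LOST" if lost else "DIFFERS"
            findings.append(
                f"{kind} {nick}: source {','.join(src)} dest {','.join(dst)}"
            )
    return findings


def check_replica(source_text: str = SOURCE_LISTING,
                  dest_text: str = DEST_LISTING) -> List[str]:
    """Parse both listings and return the findings (empty list = in sync)."""
    return diff_trust(parse_certutil_listing(source_text),
                      parse_certutil_listing(dest_text))


if __name__ == "__main__":
    # On real hosts, feed in the output of
    #   certutil -d /etc/pki/pki-tomcat/alias/ -L
    # captured on each server instead of the embedded samples.
    for line in check_replica():
        print(line)
```

Because the regex requires the trust triple to be the last token on the row, header lines and the blank separator are skipped without special-casing, and an empty triple such as ",," (a cert imported with no trust at all) is still parsed rather than dropped.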
Re: [Freeipa-users] CA Fails to build Replica (w/External CA)
On 09/21/2016 02:13 AM, Korey Chapman wrote:
> [...]

Hi Korey,

could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

It might also be helpful to verify if correct trust flags are set in nssdb:

    certutil -d /etc/pki/pki-tomcat/alias/ -L

Finally, can you check that LDAPS is running on port 636 on the replica where you're trying to install the CA (i.e. by nmap localhost)?

-- 
Tomas Krizek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] CA Fails to build Replica (w/External CA)
Hello list,

I'm currently attempting to add a second CA server to our IPA cluster (all servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I try to set up the CA (ipa-replica-install with --setup-ca or ipa-replica-install followed by ipa-ca-install). The only useful thing in the logs is an error about a missing key for "trust_flags" in the pki setup. Our infrastructure uses FreeIPA with an external CA.

Any ideas/help would be greatly appreciated. Here are the log snips from my most recent attempt:

Command output snip from "ipa-replica-install /root/replica-info-auth-002.XXX.gpg --setup-ca":

    Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
      [1/24]: creating certificate server user
      [2/24]: configuring certificate server instance
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'' returned non-zero exit status 1
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed

Log snip from ipareplica-install.log:

    2016-09-20T23:42:27Z DEBUG Starting external process
    2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt'
    2016-09-20T23:42:31Z DEBUG Process finished, return code=1
    2016-09-20T23:42:31Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160920234227.log
    Loading deployment configuration from /tmp/tmpYofMPt.
    Installing CA into /var/lib/pki/pki-tomcat.
    Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

    Installation failed.

    2016-09-20T23:42:31Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    Traceback (most recent call last):
      File "/bin/pki", line 254, in <module>
        cli.execute(sys.argv)
      File "/bin/pki", line 240, in execute
        module.execute(module_args)
      File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in execute
        module.execute(module_args)
      File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in execute
        trust_flags = cert_info['trust_flags']
    KeyError: 'trust_flags'

-- 
Korey