[Freeipa-users] Re: ipa-setup-ca

2024-05-24 Thread Vahit Tabak via FreeIPA-users
Hi,

I had a similar issue when I installed the IPA cluster. Here is my
workaround to bypass the (y/N) prompt.
Install the replica and set up the CA at the same time using the following
command.

[replica]$ kinit admin
[replica]$ echo -ne '\n' | ipa-replica-install --setup-ca
# The ipa-replica-install command was successful

--
vahit

On Mon, 25 Mar 2024 at 22:45, Omar via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Attached file here.  Thanks,
>
> //omar
>
> On Fri, Mar 22, 2024 at 4:53 AM Florence Blanc-Renaud 
> wrote:
>
>> Hi,
>>
>> you can download freeipa-healthcheck and run ipa-healthcheck command on
>> the master/replica, it would help you identify any inconsistency in the
>> configuration.
>>
>> Otherwise, we need more info to help you. It looks like the LDAP server
>> certificate on the master *ldap01*.app.uaap.maxar.com has been replaced
>> (because its subject doesn't contain ldap01 but rather CN=*ldap*.
>> app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
>> Inc,L=Herndon,ST=Virginia,C=US).
>> If you are using a custom certificate, signed by an external CA (CN=Maxar
>> DS Issuing CA East,DC=DS,DC=Maxar,DC=com), you need to add this external CA
>> to ipa by running on the master:
>> # ipa-cacert-manage install -t CT,C,C /path/to/externalCA.pem
>> and then on all the nodes enrolled into IPA:
>> # ipa-certupdate
>>
>> Those commands will download the external CA and put them in all the
>> required places.
>> flo
>>
>> On Thu, Mar 21, 2024 at 1:07 AM Omar Pagan via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> I don't get it, the cert is valid and the master seems to be working
>>> just fine.  Any ideas as to how I need to approach this issue?  I can
>>> rebuild the replicas and get the certs updates done on each of the
>>> replicas, but I have tried that a few times and it seems to still be
>>> unhappy with it.  Thoughts?
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: ipa-setup-ca

2024-03-25 Thread Omar via FreeIPA-users
Attached file here.  Thanks,

//omar

On Fri, Mar 22, 2024 at 4:53 AM Florence Blanc-Renaud 
wrote:

> Hi,
>
> you can download freeipa-healthcheck and run ipa-healthcheck command on
> the master/replica, it would help you identify any inconsistency in the
> configuration.
>
> Otherwise, we need more info to help you. It looks like the LDAP server
> certificate on the master *ldap01*.app.uaap.maxar.com has been replaced
> (because its subject doesn't contain ldap01 but rather CN=*ldap*.
> app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
> Inc,L=Herndon,ST=Virginia,C=US).
> If you are using a custom certificate, signed by an external CA (CN=Maxar
> DS Issuing CA East,DC=DS,DC=Maxar,DC=com), you need to add this external CA
> to ipa by running on the master:
> # ipa-cacert-manage install -t CT,C,C /path/to/externalCA.pem
> and then on all the nodes enrolled into IPA:
> # ipa-certupdate
>
> Those commands will download the external CA and put them in all the
> required places.
> flo
>
> On Thu, Mar 21, 2024 at 1:07 AM Omar Pagan via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> I don't get it, the cert is valid and the master seems to be working just
>> fine.  Any ideas as to how I need to approach this issue?  I can rebuild
>> the replicas and get the certs updates done on each of the replicas, but I
>> have tried that a few times and it seems to still be unhappy with it.
>> Thoughts?
>
[
  {
"source": "ipahealthcheck.ipa.certs",
"check": "IPACAChainExpirationCheck",
"result": "WARNING",
"uuid": "86135083-ca5f-4c99-8df7-bf8dceebe32d",
"when": "20240325223300Z",
"duration": "0.038849",
"kw": {
  "path": "/etc/ipa/ca.crt",
  "key": "CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com",
  "days": 16,
  "msg": "CA '{key}' in {path} is expiring in {days} days."
}
  },
  {
"source": "ipahealthcheck.ipa.certs",
"check": "IPACAChainExpirationCheck",
"result": "WARNING",
"uuid": "4d5a5480-c224-4b4e-a198-77ed3dc4bc76",
"when": "20240325223300Z",
"duration": "0.039217",
"kw": {
  "path": "/etc/ipa/ca.crt",
  "key": "CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com",
  "days": 16,
  "msg": "CA '{key}' in {path} is expiring in {days} days."
}
  },
  {
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "99a11a04-d72d-4bfb-b657-f3e8ad560814",
"when": "20240325223300Z",
"duration": "0.022304",
"kw": {
  "msg": "Expected SRV record missing",
  "key": "_ldap._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
  },
  {
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "a6a819d6-36f5-4b55-8401-f96e3dc1f81e",
"when": "20240325223300Z",
"duration": "0.023585",
"kw": {
  "msg": "Expected SRV record missing",
  "key": "_kerberos._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
  },
  {
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "f285434b-22f8-498e-9f1c-d1121a654910",
"when": "20240325223300Z",
"duration": "0.024776",
"kw": {
  "msg": "Expected SRV record missing",
  "key": "_kerberos._udp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
  },
  {
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "b3eadb58-8810-4449-91e6-38b5a5b4f41d",
"when": "20240325223300Z",
"duration": "0.025921",
"kw": {
  "msg": "Expected SRV record missing",
  "key": 
"_kerberos-master._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
  },
  {
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "30bf299a-7a7a-420f-96d0-e529fda80b97",
"when": "20240325223300Z",
"duration": "0.027155",
"kw": {
  "msg": "Expected SRV record missing",
  "key": 
"_kerberos-master._udp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
  },
  {
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "04ba70ee-0a95-4a3e-8111-bf8349145810",
"when": "20240325223300Z",
"duration": "0.028385",
"kw": {
  "msg": "Expected SRV record missing",
  "key": 

[Freeipa-users] Re: ipa-setup-ca

2024-03-25 Thread Omar Pagan via FreeIPA-users
Hello Flo,

sorry for the delay, I ran the ipa-healthcheck and all I got was warnings.  I'm 
going to try attaching the file here.  I replaced the ldap01.app.uaap.maxar.com 
with a new one with the DN= ldap.app.uaap.maxar.com and DNS aliases for 
ldap[01..03].app.uaap.maxar.com because it made sense to me, but if that's 
wrong I can request a new cert.  Please advise.


[Freeipa-users] Re: ipa-setup-ca

2024-03-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

you can download freeipa-healthcheck and run ipa-healthcheck command on the
master/replica, it would help you identify any inconsistency in the
configuration.

Otherwise, we need more info to help you. It looks like the LDAP server
certificate on the master *ldap01*.app.uaap.maxar.com has been replaced
(because its subject doesn't contain ldap01 but rather CN=*ldap*.
app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
Inc,L=Herndon,ST=Virginia,C=US).
If you are using a custom certificate, signed by an external CA (CN=Maxar
DS Issuing CA East,DC=DS,DC=Maxar,DC=com), you need to add this external CA
to ipa by running on the master:
# ipa-cacert-manage install -t CT,C,C /path/to/externalCA.pem
and then on all the nodes enrolled into IPA:
# ipa-certupdate

Those commands will download the external CA and put them in all the
required places.
flo

On Thu, Mar 21, 2024 at 1:07 AM Omar Pagan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I don't get it, the cert is valid and the master seems to be working just
> fine.  Any ideas as to how I need to approach this issue?  I can rebuild
> the replicas and get the certs updates done on each of the replicas, but I
> have tried that a few times and it seems to still be unhappy with it.
> Thoughts?

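Flo's two-step fix above (add the external CA with ipa-cacert-manage, then run ipa-certupdate on every enrolled node) and the UNTRUSTED ISSUER prompt that Rob points at later in the thread are two sides of one condition: the master's LDAP server certificate must chain to a CA that is actually present in IPA's trust store (/etc/ipa/ca.crt) and must name the host being contacted. The script below is an added example, not part of this thread and not FreeIPA or Dogtag code, that reproduces that check offline using nothing but the openssl CLI (1.1.0 or later, for -verify_hostname). It builds two demo issuing CAs plus a third, untrusted one, issues a server certificate laid out the way Omar describes his (CN=ldap.<domain> with SANs for ldap01..03), and then verifies the server certificate against the trusted bundle for a matching host, a non-matching host, and an issuer that is missing from the bundle. Every CA, hostname, path and certificate in it is constructed for the demo; the example.test names and the files under $DEMO_DIR stand in for the real hosts and for /etc/ipa/ca.crt.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): offline reproduction of the
# trust check that fails when pkispawn connects to the master and reports
# "UNTRUSTED ISSUER".  Needs only the openssl CLI (>= 1.1.0).  All names,
# CAs and certificates are constructed here; example.test is a placeholder.
set -eu

DEMO_DIR=$(mktemp -d)

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
# srv_ext mirrors the thread's layout: CN=ldap.<domain> plus SANs for ldap01..03.
cat > "$DEMO_DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test, DNS:ldap01.example.test, DNS:ldap02.example.test, DNS:ldap03.example.test
EOF

# make_ca NAME CN: self-signed issuing CA (stand-in for an enterprise issuing CA).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
    -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" -subj "/CN=$2" \
    -config "$DEMO_DIR/openssl.cnf" -extensions ca_ext 2>/dev/null
}

# make_server_cert CA NAME: key + CSR for CN=ldap.example.test, signed by CA
# with the srv_ext SAN list.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/$2.key" \
    -out "$DEMO_DIR/$2.csr" -subj "/CN=ldap.example.test" \
    -config "$DEMO_DIR/openssl.cnf" 2>/dev/null
  openssl x509 -req -in "$DEMO_DIR/$2.csr" -CA "$DEMO_DIR/$1.pem" \
    -CAkey "$DEMO_DIR/$1.key" -CAcreateserial -days 30 -sha256 \
    -out "$DEMO_DIR/$2.pem" -extfile "$DEMO_DIR/openssl.cnf" \
    -extensions srv_ext 2>/dev/null
}

# list_bundle_cas BUNDLE: print the subject of every CA in a PEM bundle such as
# /etc/ipa/ca.crt (the names "ipa-cacert-manage install" reports as Verified).
list_bundle_cas() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject=//p'
}

# check_server_cert CERT BUNDLE HOST: returns 0 if CERT chains to a CA in BUNDLE
# and HOST matches its SAN (or CN when no SAN is present), 1 otherwise.
check_server_cert() {
  cert=$1; bundle=$2; host=$3
  if out=$(openssl verify -CAfile "$bundle" -verify_hostname "$host" "$cert" 2>&1); then
    echo "OK   $host: $cert chains to a CA in $bundle"
    return 0
  fi
  echo "FAIL $host: $(printf '%s\n' "$out" | grep '^error' | head -n 1)"
  return 1
}

# --- constructed demo data ------------------------------------------------
make_ca east  "Demo Issuing CA East"
make_ca west  "Demo Issuing CA West"
make_ca rogue "Unrelated CA"                 # never added to the IPA trust store
cat "$DEMO_DIR/east.pem" "$DEMO_DIR/west.pem" > "$DEMO_DIR/ipa-ca.crt"  # stand-in for /etc/ipa/ca.crt
make_server_cert east  server         # what the master should present
make_server_cert rogue rogue-server   # issuer missing from the bundle

echo "CAs trusted by IPA (from $DEMO_DIR/ipa-ca.crt):"
list_bundle_cas "$DEMO_DIR/ipa-ca.crt"

# Passes: issuer is in the bundle and ldap01 is in the SAN list.
check_server_cert "$DEMO_DIR/server.pem" "$DEMO_DIR/ipa-ca.crt" ldap01.example.test || true
# Fails: ldap09 is neither the CN nor one of the SANs.
check_server_cert "$DEMO_DIR/server.pem" "$DEMO_DIR/ipa-ca.crt" ldap09.example.test || true
# Fails: issuer is not in the bundle; this is the UNTRUSTED ISSUER case.
check_server_cert "$DEMO_DIR/rogue-server.pem" "$DEMO_DIR/ipa-ca.crt" ldap01.example.test || true
```

Against a real deployment, replace the demo files with the chain the master actually presents (openssl s_client -connect ldap01.<domain>:636 -showcerts) and the installed bundle /etc/ipa/ca.crt. A failure reading "unable to get local issuer certificate" means the issuer is absent from the bundle, and the remedy is the ipa-cacert-manage install / ipa-certupdate sequence above, not answering "y" at the prompt; "hostname mismatch" means the certificate's SANs do not cover the name the replica is contacting. The -t CT,C,C argument is a set of NSS trust flags: in the SSL field, C marks the certificate as a trusted CA for issuing server certificates and T as a trusted CA for issuing client certificates; the second and third fields give the same C trust for e-mail and object signing.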

[Freeipa-users] Re: ipa-setup-ca

2024-03-20 Thread Omar Pagan via FreeIPA-users
I don't get it, the cert is valid and the master seems to be working just fine. 
 Any ideas as to how I need to approach this issue?  I can rebuild the replicas 
and get the certs updates done on each of the replicas, but I have tried that a 
few times and it seems to still be unhappy with it.  Thoughts?


[Freeipa-users] Re: ipa-setup-ca

2024-03-20 Thread Omar via FreeIPA-users
Yup, here is the output:

$ ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: creating certificate server db
  [2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 21 seconds elapsed
Update succeeded

  [3/28]: creating ACIs for admin
  [4/28]: creating installation admin user
  [5/28]: configuring certificate server instance
*y  <--- that's me typing a Y to see if that helps*
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

On Wed, Mar 20, 2024 at 1:33 PM Rob Crittenden  wrote:

> Omar wrote:
> > I will attach the logs today.  It's been a couple of days and the
> > installation is still at the same spot (  [5/28]: configuring
> > certificate server instance ).
> >
> > Rob, I know you mention something about waiting on a prompt (Y/N), but I
> > don't see it in any of the logs.  Thoughts?
>
> You raised this previously in the thread:
>
> > Is the installation failing because the:
> > INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> > Technologies Inc,L=Herndon,ST=Virginia,C=US
> > WARNING: UNTRUSTED ISSUER encountered on
> > 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> > Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a
> > non-trusted CA cert 'CN=Maxar DS Issuing CA
> > East,DC=DS,DC=Maxar,DC=com'
> > Trust this certificate (y/N)? SEVERE: FATAL: SSL
> > alert sent: BAD_CERTIFICATE
> >
> > ??  how do I pass a "Y" to this script?
>
> So you still have a certificate trust issue. I suppose you could try
> typing "y" and enter and see what happens. But the root cause is missing
> CA trust so this is just likely to fail later.
>
> rob
>
> >
> > //omar
> >
> > On Mon, Mar 18, 2024 at 4:40 PM Rob Crittenden wrote:
> >
> > You can tar them up, gzip them, redact as needed and reply to the
> > thread. As long as the result is < 256k it should go through ok.
> >
> > rob
> >
> > Omar wrote:
> > > Rob & Flo,
> > >
> > > How can I send you some of the install, debug, and spawn logs?
> > >
> > > On Mon, Mar 18, 2024 at 2:27 PM Omar wrote:
> > >
> > > Sorry for the late reply.  I'm sure the CA Certs are the correct
> > > ones.  I will attempt to do the replicas again and this time I'll
> > > trace the logs to make sure I catch the errors and update the ticket.
> > >
> > > When I say "hang" I mean that it takes forever to come back from
> > > step 5 ([5/28]: configuring certificate server instance) and then if
> > > I hit "enter" it will just drop to an error.
> > >
> > > I'll post the error when I see it again.  Thanks
> > >
> > > On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden wrote:
> > >
> > > Omar via FreeIPA-users wrote:
> > > > Here is some more info:
> > > >
> > > > WARNING: The CA service is only installed on one server
> > > > (<hostname here>).
> > > > It is strongly recommended to install it on another server.
> > > > Run ipa-ca-install(1) on another master to accomplish this.
> > > >
> > > >
> > > > The ipa-replica-install command was successful
> > > >
> > > >
> > > > That was from the replica install, here is me installing the
> > > > ca-cert on the replica:
> > > >
> > > > $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> > > > Installing CA certificate, please wait
> > > > Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> > > > Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> > > > CA certificate successfully 

[Freeipa-users] Re: ipa-setup-ca

2024-03-20 Thread Rob Crittenden via FreeIPA-users
Omar wrote:
> I will attach the logs today.  It's been a couple of days and the
> installation is still at the same spot (  [5/28]: configuring
> certificate server instance ).
> 
> Rob, I know you mention something about waiting on a prompt (Y/N), but I
> don't see it in any of the logs.  Thoughts?

You raised this previously in the thread:

> Is the installation failing because the:
> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> Technologies Inc,L=Herndon,ST=Virginia,C=US
> WARNING: UNTRUSTED ISSUER encountered on
> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a
> non-trusted CA cert 'CN=Maxar DS Issuing CA
> East,DC=DS,DC=Maxar,DC=com'
> Trust this certificate (y/N)? SEVERE: FATAL: SSL
> alert sent: BAD_CERTIFICATE
>
> ??  how do I pass a "Y" to this script?

So you still have a certificate trust issue. I suppose you could try
typing "y" and enter and see what happens. But the root cause is missing
CA trust so this is just likely to fail later.

rob

> 
> //omar
> 
> On Mon, Mar 18, 2024 at 4:40 PM Rob Crittenden wrote:
> 
> You can tar them up, gzip them, redact as needed and reply to the
> thread. As long as the result is < 256k it should go through ok.
> 
> rob
> 
> Omar wrote:
> > Rob & Flo,
> >
> > How can I send you some of the install, debug, and spawn logs?
> >
> > On Mon, Mar 18, 2024 at 2:27 PM Omar wrote:
> >
> >     Sorry for the late reply.  I'm sure the CA Certs are the correct
> >     ones.  I will attempt to do the replicas again and this time I'll
> >     trace the logs to make sure I catch the errors and update the ticket.
> >
> >     When I say "hang" I mean that it takes forever to come back from
> >     step 5 ([5/28]: configuring certificate server instance) and then if
> >     I hit "enter" it will just drop to an error.
> >
> >     I'll post the error when I see it again.  Thanks
> >
> >     On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden wrote:
> >
> >         Omar via FreeIPA-users wrote:
> >         > Here is some more info:
> >         >
> >         >     WARNING: The CA service is only installed on one server
> >         >     (<hostname here>).
> >         >     It is strongly recommended to install it on another server.
> >         >     Run ipa-ca-install(1) on another master to accomplish this.
> >         >
> >         >
> >         >     The ipa-replica-install command was successful
> >         >
> >         >
> >         > That was from the replica install, here is me installing the
> >         > ca-cert on the replica:
> >         >
> >         >     $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> >         >     Installing CA certificate, please wait
> >         >     Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> >         >     Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> >         >     CA certificate successfully installed
> >         >     The ipa-cacert-manage command was successful
> >
> >         What I don't understand is why you didn't have to install this
> >         chain in order to install the servers at all. Are you sure this
> >         is the right chain?
> >
> >         This data is replicated so it doesn't matter which server it is
> >         added on.
> >
> >         >
> >         > and the cacert update:
> >         >
> >         >     $ ipa-certupdate
> >         >     Systemwide CA database updated.
> >         >     Systemwide CA database updated.
> >         >     The ipa-certupdate command was successful
> >
> >         This has to be run everywhere after updating a chain.
> >
> >         >
> >         >
> >         > but when I try to run ipa-ca-install, it fails and it hangs here:
> >         >
> >         >     $ ipa-ca-install
> >         >     Directory Manager (existing master) password:
> >         >
> >         >
> >         >     Run connection check to master
> >         >     Connection check OK
> >         >     Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> >      

[Freeipa-users] Re: ipa-setup-ca

2024-03-20 Thread Omar via FreeIPA-users
I will attach the logs today.  It's been a couple of days and the
installation is still at the same spot (  [5/28]: configuring certificate
server instance ).

Rob, I know you mention something about waiting on a prompt (Y/N), but I
don't see it in any of the logs.  Thoughts?

//omar

On Mon, Mar 18, 2024 at 4:40 PM Rob Crittenden  wrote:

> You can tar them up, gzip them, redact as needed and reply to the
> thread. As long as the result is < 256k it should go through ok.
>
> rob
>
> Omar wrote:
> > Rob & Flo,
> >
> > How can I send you some of the install, debug, and spawn logs?
> >
> > On Mon, Mar 18, 2024 at 2:27 PM Omar wrote:
> >
> > Sorry for the late reply.  I'm sure the CA Certs are the correct
> > ones.  I will attempt to do the replicas again and this time I'll
> > trace the logs to make sure I catch the errors and update the ticket.
> >
> > When I say "hang" I mean that it takes forever to come back from
> > step 5 ([5/28]: configuring certificate server instance) and then if
> > I hit "enter" it will just drop to an error.
> >
> > I'll post the error when I see it again.  Thanks
> >
> > On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden wrote:
> >
> > Omar via FreeIPA-users wrote:
> > > Here is some more info:
> > >
> > > WARNING: The CA service is only installed on one server
> > > (<hostname here>).
> > > It is strongly recommended to install it on another server.
> > > Run ipa-ca-install(1) on another master to accomplish this.
> > >
> > >
> > > The ipa-replica-install command was successful
> > >
> > >
> > > That was from the replica install, here is me installing the
> > > ca-cert on the replica:
> > >
> > > $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> > > Installing CA certificate, please wait
> > > Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> > > Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> > > CA certificate successfully installed
> > > The ipa-cacert-manage command was successful
> >
> > What I don't understand is why you didn't have to install this
> > chain in order to install the servers at all. Are you sure this is the
> > right chain?
> >
> > This data is replicated so it doesn't matter which server it is
> > added on.
> >
> > >
> > > and the cacert update:
> > >
> > > $ ipa-certupdate
> > > Systemwide CA database updated.
> > > Systemwide CA database updated.
> > > The ipa-certupdate command was successful
> >
> > This has to be run everywhere after updating a chain.
> >
> > >
> > >
> > > but when I try to run ipa-ca-install, it fails and it hangs here:
> > >
> > > $ ipa-ca-install
> > > Directory Manager (existing master) password:
> > >
> > >
> > > Run connection check to master
> > > Connection check OK
> > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> > >   [1/28]: creating certificate server db
> > >   [2/28]: setting up initial replication
> > > Starting replication, please wait until this has completed.
> > > Update in progress, 21 seconds elapsed
> > > Update succeeded
> > >
> > >
> > >   [3/28]: creating ACIs for admin
> > >   [4/28]: creating installation admin user
> > >   [5/28]: configuring certificate server instance
> > >
> > >
> > > Thoughts?
> >
> > IPA treats PKI as a black box. Occasionally it will spit out an error
> > that is useful in the install log but usually you have to pair it with
> > the pki-ca-spawn log and sometimes also the ca debug log to determine
> > what is going on.
> >
> > It also depends on the definition of fail and hang. You can monitor the
> > pki-ca-spawn log for activity, for example, during installation.
> >
> > rob
> >
> > >
> > >
> > >
> > > On Fri, Mar 15, 2024 at 12:12 PM Omar wrote:
> > >
> > > for the context:
> > > I fixed my master IPA server, with all new and valid certs (server &
> > > CA chain).  I installed two replicas, both installed successfully,
> > > but when I try to run the ipa-ca-install they both fail.
> >  

[Freeipa-users] Re: ipa-setup-ca

2024-03-18 Thread Omar Pagan via FreeIPA-users
I don't see that... here is where it is at the moment, and it's been there for a
long while:

[root @ ldap02] /var/log
$ ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: creating certificate server db
  [2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 21 seconds elapsed
Update succeeded

  [3/28]: creating ACIs for admin
  [4/28]: creating installation admin user
  [5/28]: configuring certificate server instance

Here are the last two lines in the ipareplica-ca-install.log:
2024-03-18T20:16:16Z DEBUG Starting external process
2024-03-18T20:16:16Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', 
'/tmp/tmpg317si9o', '--debug']

Here are the last lines in the pki-ca-spawn.20240318201617.log:
2024-03-18 20:17:08 INFO: Getting install token
2024-03-18 20:17:13 INFO: Using CA at https://ldap02.app.uaap.maxar.com:443
2024-03-18 20:17:13 INFO: Storing subsystem config: 
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg
2024-03-18 20:17:13 INFO: Storing registry config: 
/var/lib/pki/pki-tomcat/ca/conf/registry.cfg
2024-03-18 20:17:13 INFO: Requesting ranges from CA master
2024-03-18 20:17:13 INFO: Requesting request ID range
2024-03-18 20:17:13 DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f 
/etc/pki/pki-tomcat/password.conf -U https://ldap01.app.uaap.maxar.com:443 
ca-range-request request --install-token /tmp/tmp65f4iepa/install-token 
--output-format json --debug

I don't see where it is waiting at a prompt, can you share some thoughts as to 
where to look?  Thanks again.


[Freeipa-users] Re: ipa-setup-ca

2024-03-18 Thread Rob Crittenden via FreeIPA-users
You can tar them up, gzip them, redact as needed and reply to the
thread. As long as the result is < 256k it should go through ok.

rob

Omar wrote:
> Rob & Flo,
> 
> How can I send you some of the install, debug, and spawn logs?
> 
> On Mon, Mar 18, 2024 at 2:27 PM Omar wrote:
> 
> Sorry for the late reply.  I'm sure the CA Certs are the correct
> ones.  I will attempt to do the replicas again and this time I'll
> trace the logs to make sure I catch the errors and update the ticket.
> 
> When I say "hang" I mean that it takes forever to come back from
> step 5 ([5/28]: configuring certificate server instance) and then if
> I hit "enter" it will just drop to an error.
> 
> I'll post the error when I see it again.  Thanks
> 
> On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden wrote:
> 
> Omar via FreeIPA-users wrote:
> > Here is some more info:
> >
> >     WARNING: The CA service is only installed on one server
> >     (<hostname here>).
> >     It is strongly recommended to install it on another server.
> >     Run ipa-ca-install(1) on another master to accomplish this.
> >
> >
> >     The ipa-replica-install command was successful
> >
> >
> > That was from the replica install, here is me installing the
> > ca-cert on the replica:
> >
> >     $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> >     Installing CA certificate, please wait
> >     Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> >     Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> >     CA certificate successfully installed
> >     The ipa-cacert-manage command was successful
> 
> What I don't understand is why you didn't have to install this
> chain in order to install the servers at all. Are you sure this is the
> right chain?
> 
> This data is replicated so it doesn't matter which server it is
> added on.
> 
> >
> > and the cacert update:
> >
> >     $ ipa-certupdate
> >     Systemwide CA database updated.
> >     Systemwide CA database updated.
> >     The ipa-certupdate command was successful
> 
> This has to be run everywhere after updating a chain.
> 
> >
> >
> > but when I try to run ipa-ca-install, it fails and it hangs here:
> >
> >     $ ipa-ca-install
> >     Directory Manager (existing master) password:
> >
> >
> >     Run connection check to master
> >     Connection check OK
> >     Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> >       [1/28]: creating certificate server db
> >       [2/28]: setting up initial replication
> >     Starting replication, please wait until this has completed.
> >     Update in progress, 21 seconds elapsed
> >     Update succeeded
> >
> >
> >       [3/28]: creating ACIs for admin
> >       [4/28]: creating installation admin user
> >       [5/28]: configuring certificate server instance
> >
> >
> > Thoughts?
> 
> IPA treats PKI as a black box. Occasionally it will spit out an error
> that is useful in the install log but usually you have to pair it with
> the pki-ca-spawn log and sometimes also the ca debug log to determine
> what is going on.
> 
> It also depends on the definition of fail and hang. You can monitor the
> pki-ca-spawn log for activity, for example, during installation.
> 
> rob
> 
> >
> >
> >
> > On Fri, Mar 15, 2024 at 12:12 PM Omar wrote:
> >
> >     for the context:
> >     I fixed my master IPA server, with all new and valid certs (server &
> >     CA chain).  I installed two replicas, both installed successfully,
> >     but when I try to run the ipa-ca-install they both fail. Thoughts?
> >
> >     On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud wrote:
> >
> >         Hi,
> >
> >         On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users wrote:
> >
>

[Freeipa-users] Re: ipa-setup-ca

2024-03-18 Thread Rob Crittenden via FreeIPA-users
It sounds like that is the y/N prompt you are seeing, if it waits until
enter is pressed.

rob

Omar wrote:
> Sorry for the late reply.  I'm sure the CA Certs are the correct ones. 
> I will attempt to do the replicas again and this time I'll trace the
> logs to make sure I catch the errors and update the ticket.
> 
> When I say "hang" I mean that it takes forever to come back from step 5
> ([5/28]: configuring certificate server instance) and then if I hit
> "enter" it will just drop to an error.
> 
> I'll post the error when I see it again.  Thanks
> 
> On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden wrote:
> 
> Omar via FreeIPA-users wrote:
> > Here is some more info:
> >
> >     WARNING: The CA service is only installed on one server (<hostname here>).
> >     It is strongly recommended to install it on another server.
> >     Run ipa-ca-install(1) on another master to accomplish this.
> >
> >
> >     The ipa-replica-install command was successful
> >
> >
> > That was from the replica install, here is me installing the
> ca-cert on
> > the replica:
> >
> >     $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> >     Installing CA certificate, please wait
> >     Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> >     Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> >     CA certificate successfully installed
> >     The ipa-cacert-manage command was successful
> 
> What I don't understand is why you didn't have to install this chain in
> order to install the servers at all. Are you sure this is the right
> chain?
> 
> This data is replicated so it doesn't matter which server it is
> added on.
> 
> >
> > and the cacert update:
> >
> >     $ ipa-certupdate
> >     Systemwide CA database updated.
> >     Systemwide CA database updated.
> >     The ipa-certupdate command was successful
> 
> This has to be run everywhere after updating a chain.
> 
> >
> >
> > but when I try to run ipa-ca-install, it fails and it hangs here:
> >
> >     $ ipa-ca-install
> >     Directory Manager (existing master) password:
> >
> >
> >     Run connection check to master
> >     Connection check OK
> >     Configuring certificate server (pki-tomcatd). Estimated time:
> 3 minutes
> >       [1/28]: creating certificate server db
> >       [2/28]: setting up initial replication
> >     Starting replication, please wait until this has completed.
> >     Update in progress, 21 seconds elapsed
> >     Update succeeded
> >
> >
> >       [3/28]: creating ACIs for admin
> >       [4/28]: creating installation admin user
> >       [5/28]: configuring certificate server instance
> >
> >
> > Thoughts?
> 
> IPA treats PKI as a black box. Occasionally it will spit out an error
> that is useful in the install log but usually you have to pair it with
> the pki-ca-spawn log and sometimes also the ca debug log to determine
> what is going on.
> 
> It also depends on the definition of fail and hang. You can monitor the
> pki-ca-spawn log for activity, for example, during installation.
> 
> rob
> 
> >
> >
> >
> > On Fri, Mar 15, 2024 at 12:12 PM Omar  
> > >> wrote:
> >
> >     for the context:
> >     I fixed my master IPA server, with all new and valid certs
> (server &
> >     CA chain).  I installed two replicas, both installed successfully,
> >     but when I try to run the ipa-ca-install they both fail.  Thoughts?
> >
> >     On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud
> >     mailto:f...@redhat.com>  >> wrote:
> >
> >         Hi,
> >
> >         On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users
> >          
> >          >> wrote:
> >
> >             Found this in the logs:
> >
> >             INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> >             Technologies Inc,L=Herndon,ST=Virginia,C=US
> >             WARNING: UNTRUSTED ISSUER encountered on
> >             'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> >             Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a
> >             non-trusted CA cert 'CN=Maxar DS Issuing CA
> >             East,DC=DS,DC=Maxar,DC=com'
> 

[Freeipa-users] Re: ipa-setup-ca

2024-03-18 Thread Omar via FreeIPA-users
Rob & Flo,

How can I send you some of the install, debug, and spawn logs?

On Mon, Mar 18, 2024 at 2:27 PM Omar  wrote:

> Sorry for the late reply.  I'm sure the CA Certs are the correct ones.  I
> will attempt to do the replicas again and this time I'll trace the logs to
> make sure I catch the errors and update the ticket.
>
> When I say "hang" I mean that it takes forever to come back from step 5
> ([5/28]: configuring certificate server instance) and then if I hit "enter"
> it will just drop to an error.
>
> I'll post the error when I see it again.  Thanks
>
> On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden 
> wrote:
>
>> Omar via FreeIPA-users wrote:
>> > Here is some more info:
>> >
>> > WARNING: The CA service is only installed on one server (<hostname here>).
>> > It is strongly recommended to install it on another server.
>> > Run ipa-ca-install(1) on another master to accomplish this.
>> >
>> >
>> > The ipa-replica-install command was successful
>> >
>> >
>> > That was from the replica install, here is me installing the ca-cert on
>> > the replica:
>> >
>> > $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
>> > Installing CA certificate, please wait
>> > Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
>> > Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
>> > CA certificate successfully installed
>> > The ipa-cacert-manage command was successful
>>
>> What I don't understand is why you didn't have to install this chain in
>> order to install the servers at all. Are you sure this is the right chain?
>>
>> This data is replicated so it doesn't matter which server it is added on.
>>
>> >
>> > and the cacert update:
>> >
>> > $ ipa-certupdate
>> > Systemwide CA database updated.
>> > Systemwide CA database updated.
>> > The ipa-certupdate command was successful
>>
>> This has to be run everywhere after updating a chain.
>>
>> >
>> >
>> > but when I try to run ipa-ca-install, it fails and it hangs here:
>> >
>> > $ ipa-ca-install
>> > Directory Manager (existing master) password:
>> >
>> >
>> > Run connection check to master
>> > Connection check OK
>> > Configuring certificate server (pki-tomcatd). Estimated time: 3
>> minutes
>> >   [1/28]: creating certificate server db
>> >   [2/28]: setting up initial replication
>> > Starting replication, please wait until this has completed.
>> > Update in progress, 21 seconds elapsed
>> > Update succeeded
>> >
>> >
>> >   [3/28]: creating ACIs for admin
>> >   [4/28]: creating installation admin user
>> >   [5/28]: configuring certificate server instance
>> >
>> >
>> > Thoughts?
>>
>> IPA treats PKI as a black box. Occasionally it will spit out an error
>> that is useful in the install log but usually you have to pair it with
>> the pki-ca-spawn log and sometimes also the ca debug log to determine
>> what is going on.
>>
>> It also depends on the definition of fail and hang. You can monitor the
>> pki-ca-spawn log for activity, for example, during installation.
>>
>> rob
>>
>> >
>> >
>> >
>> > On Fri, Mar 15, 2024 at 12:12 PM Omar > > > wrote:
>> >
>> > for the context:
>> > I fixed my master IPA server, with all new and valid certs (server &
>> > CA chain).  I installed two replicas, both installed successfully,
>> > but when I try to run the ipa-ca-install they both fail.  Thoughts?
>> >
>> > On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud
>> > mailto:f...@redhat.com>> wrote:
>> >
>> > Hi,
>> >
>> > On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users
>> > > > > wrote:
>> >
>> > Found this in the logs:
>> >
>> > INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> > Technologies Inc,L=Herndon,ST=Virginia,C=US
>> > WARNING: UNTRUSTED ISSUER encountered on
>> > 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> > Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a
>> > non-trusted CA cert 'CN=Maxar DS Issuing CA
>> > East,DC=DS,DC=Maxar,DC=com'
>> > Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>> > BAD_CERTIFICATE
>> > javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>> > at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>> > at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>> > at
>> >
>>  
>> 

[Freeipa-users] Re: ipa-setup-ca

2024-03-18 Thread Omar via FreeIPA-users
Sorry for the late reply.  I'm sure the CA Certs are the correct ones.  I
will attempt to do the replicas again and this time I'll trace the logs to
make sure I catch the errors and update the ticket.

When I say "hang" I mean that it takes forever to come back from step 5
([5/28]: configuring certificate server instance) and then if I hit "enter"
it will just drop to an error.

I'll post the error when I see it again.  Thanks

On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden  wrote:

> Omar via FreeIPA-users wrote:
> > Here is some more info:
> >
> > WARNING: The CA service is only installed on one server (<hostname here>).
> > It is strongly recommended to install it on another server.
> > Run ipa-ca-install(1) on another master to accomplish this.
> >
> >
> > The ipa-replica-install command was successful
> >
> >
> > That was from the replica install, here is me installing the ca-cert on
> > the replica:
> >
> > $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> > Installing CA certificate, please wait
> > Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> > Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> > CA certificate successfully installed
> > The ipa-cacert-manage command was successful
>
> What I don't understand is why you didn't have to install this chain in
> order to install the servers at all. Are you sure this is the right chain?
>
> This data is replicated so it doesn't matter which server it is added on.
>
> >
> > and the cacert update:
> >
> > $ ipa-certupdate
> > Systemwide CA database updated.
> > Systemwide CA database updated.
> > The ipa-certupdate command was successful
>
> This has to be run everywhere after updating a chain.
>
> >
> >
> > but when I try to run ipa-ca-install, it fails and it hangs here:
> >
> > $ ipa-ca-install
> > Directory Manager (existing master) password:
> >
> >
> > Run connection check to master
> > Connection check OK
> > Configuring certificate server (pki-tomcatd). Estimated time: 3
> minutes
> >   [1/28]: creating certificate server db
> >   [2/28]: setting up initial replication
> > Starting replication, please wait until this has completed.
> > Update in progress, 21 seconds elapsed
> > Update succeeded
> >
> >
> >   [3/28]: creating ACIs for admin
> >   [4/28]: creating installation admin user
> >   [5/28]: configuring certificate server instance
> >
> >
> > Thoughts?
>
> IPA treats PKI as a black box. Occasionally it will spit out an error
> that is useful in the install log but usually you have to pair it with
> the pki-ca-spawn log and sometimes also the ca debug log to determine
> what is going on.
>
> It also depends on the definition of fail and hang. You can monitor the
> pki-ca-spawn log for activity, for example, during installation.
>
> rob
>
> >
> >
> >
> > On Fri, Mar 15, 2024 at 12:12 PM Omar  > > wrote:
> >
> > for the context:
> > I fixed my master IPA server, with all new and valid certs (server &
> > CA chain).  I installed two replicas, both installed successfully,
> > but when I try to run the ipa-ca-install they both fail.  Thoughts?
> >
> > On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud
> > mailto:f...@redhat.com>> wrote:
> >
> > Hi,
> >
> > On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users
> >  > > wrote:
> >
> > Found this in the logs:
> >
> > INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> > Technologies Inc,L=Herndon,ST=Virginia,C=US
> > WARNING: UNTRUSTED ISSUER encountered on
> > 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> > Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a
> > non-trusted CA cert 'CN=Maxar DS Issuing CA
> > East,DC=DS,DC=Maxar,DC=com'
> > Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
> > BAD_CERTIFICATE
> > javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
> > at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
> > at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
> > at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
> > at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
> > at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
> > at
> > 

[Freeipa-users] Re: ipa-setup-ca

2024-03-15 Thread Rob Crittenden via FreeIPA-users
Omar via FreeIPA-users wrote:
> Here is some more info:
> 
> WARNING: The CA service is only installed on one server (<hostname here>).
> It is strongly recommended to install it on another server.
> Run ipa-ca-install(1) on another master to accomplish this.
> 
> 
> The ipa-replica-install command was successful
> 
> 
> That was from the replica install, here is me installing the ca-cert on
> the replica:
> 
> $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> Installing CA certificate, please wait
> Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> CA certificate successfully installed
> The ipa-cacert-manage command was successful

What I don't understand is why you didn't have to install this chain in
order to install the servers at all. Are you sure this is the right chain?

This data is replicated so it doesn't matter which server it is added on.

> 
> and the cacert update:
> 
> $ ipa-certupdate
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful

This has to be run everywhere after updating a chain.

> 
> 
> but when I try to run ipa-ca-install, it fails and it hangs here:
> 
> $ ipa-ca-install
> Directory Manager (existing master) password:
> 
> 
> Run connection check to master
> Connection check OK
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>   [1/28]: creating certificate server db
>   [2/28]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 21 seconds elapsed
> Update succeeded
> 
> 
>   [3/28]: creating ACIs for admin
>   [4/28]: creating installation admin user
>   [5/28]: configuring certificate server instance
> 
> 
> Thoughts?

IPA treats PKI as a black box. Occasionally it will spit out an error
that is useful in the install log but usually you have to pair it with
the pki-ca-spawn log and sometimes also the ca debug log to determine
what is going on.

It also depends on the definition of fail and hang. You can monitor the
pki-ca-spawn log for activity, for example, during installation.

rob

> 
> 
> 
> On Fri, Mar 15, 2024 at 12:12 PM Omar  > wrote:
> 
> for the context:
> I fixed my master IPA server, with all new and valid certs (server &
> CA chain).  I installed two replicas, both installed successfully,
> but when I try to run the ipa-ca-install they both fail.  Thoughts?
> 
> On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud
> mailto:f...@redhat.com>> wrote:
> 
> Hi,
> 
> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users
>  > wrote:
> 
> Found this in the logs:
> 
> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> Technologies Inc,L=Herndon,ST=Virginia,C=US
> WARNING: UNTRUSTED ISSUER encountered on
> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a
> non-trusted CA cert 'CN=Maxar DS Issuing CA
> East,DC=DS,DC=Maxar,DC=com'
> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
> BAD_CERTIFICATE
> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>         at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>         at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>         at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>         at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>         at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>         at com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>         at
> 

[Freeipa-users] Re: ipa-setup-ca

2024-03-15 Thread Omar via FreeIPA-users
Here is some more info:

WARNING: The CA service is only installed on one server (<hostname here>).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.


The ipa-replica-install command was successful


That was from the replica install, here is me installing the ca-cert on the
replica:

$ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
Installing CA certificate, please wait
Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
CA certificate successfully installed
The ipa-cacert-manage command was successful

and the cacert update:

$ ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful


but when I try to run ipa-ca-install, it fails and it hangs here:

$ ipa-ca-install
Directory Manager (existing master) password:


Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: creating certificate server db
  [2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 21 seconds elapsed
Update succeeded


  [3/28]: creating ACIs for admin
  [4/28]: creating installation admin user
  [5/28]: configuring certificate server instance


Thoughts?



On Fri, Mar 15, 2024 at 12:12 PM Omar  wrote:

> for the context:
> I fixed my master IPA server, with all new and valid certs (server & CA
> chain).  I installed two replicas, both installed successfully, but when I
> try to run the ipa-ca-install they both fail.  Thoughts?
>
> On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud 
> wrote:
>
>> Hi,
>>
>> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> Found this in the logs:
>>>
>>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>>> Technologies Inc,L=Herndon,ST=Virginia,C=US
>>> WARNING: UNTRUSTED ISSUER encountered on 
>>> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>>> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
>>> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>>> BAD_CERTIFICATE
>>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke
>>> request
>>> at
>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>>> at
>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>>> at
>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>>> at
>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>> at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>>> at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>>> at
>>> com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>>> at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>>> at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>>> at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>>> at
>>> com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>>> at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>> at
>>> com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>> at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>>> at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>>> Caused by: java.io.IOException: SocketException cannot write on socket:
>>> Failed to write to socket: (-12276) Unable to communicate securely with
>>> peer: requested domain name does not match the server's certificate.
>>> at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>>> at
>>> org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>>> at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>>> at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>>> at
>>> org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>>> at
>>> org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>>> at
>>> org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>>> at
>>> org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>>> at
>>> 

[Freeipa-users] Re: ipa-setup-ca

2024-03-15 Thread Omar via FreeIPA-users
for the context:
I fixed my master IPA server, with all new and valid certs (server & CA
chain).  I installed two replicas, both installed successfully, but when I
try to run the ipa-ca-install they both fail.  Thoughts?

On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud 
wrote:

> Hi,
>
> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Found this in the logs:
>>
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on 
>> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
>> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>> BAD_CERTIFICATE
>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>> at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>> at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>> at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>> at
>> com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>> at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>> at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>> at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>> at
>> com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>> at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at
>> com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>> at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>> Caused by: java.io.IOException: SocketException cannot write on socket:
>> Failed to write to socket: (-12276) Unable to communicate securely with
>> peer: requested domain name does not match the server's certificate.
>> at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>> at
>> org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>> at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>> at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>> at
>> org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>> at
>> org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>> at
>> org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>> at
>> org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>> at
>> org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>> at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>> at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>> at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>> ... 17 more
>> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to
>> socket: (-12276) Unable to communicate securely with peer: requested domain
>> name does not match the server's certificate.
>> at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>> at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>> ... 31 more
>> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias',
>> '-f', '/etc/pki/pki-tomcat/password.conf', '-U', '
>> https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request',
>> '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format',
>> 'json', '--debug']' returned non-zero exit status 255.
>>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", 
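
The trace quoted above shows two independent TLS checks failing in the pki client that ipa-ca-install runs against the master: the name the replica dials (ldap01.app.uaap.maxar.com) is not in the master's certificate, and the certificate's issuer is not trusted, which produces the (y/N) prompt that looks like a hang. As an added example, not code from this thread or from the FreeIPA/Dogtag projects, the following POSIX shell pre-flight check runs both checks against a master certificate before ipa-ca-install; it assumes the openssl CLI is installed and builds constructed certificates (CA names invented, hostnames taken from the thread) so it runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA/Dogtag): a pre-flight
# check for the two TLS failures the quoted trace shows. ipa-ca-install runs the
# "pki" CLI against https://<master>:443; that client verifies the master's
# certificate like any TLS client, and the thread hits both ways it can fail:
#   1. the name the replica dials is not in the certificate's SAN/CN
#      ("requested domain name does not match the server's certificate");
#   2. the issuer is not in the trusted CA set ("UNTRUSTED ISSUER ...
#      Trust this certificate (y/N)?"), the prompt that looks like a hang.
# Requires the openssl CLI. Hostnames are the ones from the thread; the
# certificates and CA names below are constructed for the demo.

# check_server_cert CERT_PEM CHAIN_PEM FQDN
# FQDN is the name the replica will dial (the master's FQDN, e.g. ldap01...).
# Returns 0 if both checks pass, 1 on hostname mismatch, 2 on untrusted
# issuer, 3 on both, so the caller can act on each failure separately.
check_server_cert() {
    cert=$1; chain=$2; fqdn=$3; rc=0
    # -checkhost applies the SAN-first, CN-fallback matching a TLS client uses.
    if openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "OK        $fqdn is named by $cert"
    else
        echo "MISMATCH  $fqdn is not named by $(openssl x509 -in "$cert" -noout -subject)"
        rc=$((rc + 1))
    fi
    # Does the certificate chain to something in CHAIN_PEM (the CA bundle you
    # would hand to ipa-cacert-manage install)?
    if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "OK        issuer of $cert is in $chain"
    else
        echo "UNTRUSTED $(openssl x509 -in "$cert" -noout -issuer) is not in $chain"
        rc=$((rc + 2))
    fi
    return $rc
}

# make_demo_pki DIR: build a throwaway PKI so the checks can run offline.
# Produces ca.pem (signs the server certs), other-ca.pem (a CA that did not
# sign them, standing in for a chain that lacks the real issuer), and one
# server certificate per hostname, each with a SAN equal to its own name.
make_demo_pki() {
    dir=$1
    for name in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=constructed $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
    done
    for host in ldap.app.uaap.maxar.com ldap01.app.uaap.maxar.com; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
        # SAN comes from an extfile: x509 -req does not copy CSR extensions.
        printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
        openssl x509 -req -days 2 -in "$dir/$host.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/$host.ext" -out "$dir/$host.pem" >/dev/null 2>&1
    done
}

# run_demo: all four combinations, dialling ldap01 as the replica in the
# thread does. "cert=ldap.app... chain=other-ca" is the thread's situation:
# the master presents a certificate for ldap.app..., not ldap01.app..., and
# its issuer is not in the trusted chain, so both checks fail (status 3).
run_demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    dial=ldap01.app.uaap.maxar.com
    for cert in ldap01.app.uaap.maxar.com ldap.app.uaap.maxar.com; do
        for chain in ca other-ca; do
            echo "--- cert=$cert chain=$chain"
            check_server_cert "$work/$cert.pem" "$work/$chain.pem" "$dial" || echo "exit status $?"
        done
    done
    rm -rf "$work"
}

run_demo
```

On a real master, point check_server_cert at the certificate the HTTP server presents (for example extracted with openssl s_client) and at the chain you intend to install with ipa-cacert-manage; a non-zero status tells you which of the two problems to fix before running ipa-ca-install.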

[Freeipa-users] Re: ipa-setup-ca

2024-03-15 Thread Omar via FreeIPA-users
Hello Flo,

I have installed the CA and also run the certupdate, but it is still not
working.  Here is the log:

2024-03-15T16:06:58Z CRITICAL Failed to configure CA instance
2024-03-15T16:06:58Z CRITICAL See the installation logs and the following
files/directories for more information:
2024-03-15T16:06:58Z CRITICAL   /var/log/pki/pki-tomcat
2024-03-15T16:06:58Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 635, in start_creation
run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 621, in run_step
method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 627, in __spawn_instance
nolog_list=nolog_list
  File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 227, in spawn_instance
self.handle_setup_error(e)
  File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 606, in handle_setup_error
) from None
RuntimeError: CA configuration failed.

2024-03-15T16:06:58Z DEBUG   [error] RuntimeError: CA configuration failed.
2024-03-15T16:06:58Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-03-15T16:06:58Z DEBUG   File
"/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line
781, in run_script
return_value = main_function()

  File "/sbin/ipa-ca-install", line 307, in main
install(safe_options, options)

  File "/sbin/ipa-ca-install", line 273, in install
install_replica(safe_options, options)

  File "/sbin/ipa-ca-install", line 210, in install_replica
ca.install(True, config, options, custodia=custodia)

  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
270, in install
install_step_0(standalone, replica_config, options, custodia=custodia)

  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line
355, in install_step_0
pki_config_override=options.pki_config_override,

  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 501, in configure_instance
self.start_creation(runtime=runtime)

  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 635, in start_creation
run_step(full_msg, method)

  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
line 621, in run_step
method()

  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 627, in __spawn_instance
nolog_list=nolog_list

  File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 227, in spawn_instance
self.handle_setup_error(e)

  File
"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
line 606, in handle_setup_error
) from None

2024-03-15T16:06:58Z DEBUG The ipa-ca-install command failed, exception:
RuntimeError: CA configuration failed.

On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud 
wrote:

> Hi,
>
> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Found this in the logs:
>>
>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US
>> WARNING: UNTRUSTED ISSUER encountered on 
>> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
>> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
>> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
>> BAD_CERTIFICATE
>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>> at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>> at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>> at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>> at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>> at
>> com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>> at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>> at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>> at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>> at
>> com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>> at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at
>> com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>> at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)

[Freeipa-users] Re: ipa-setup-ca

2024-03-15 Thread Pagan, Omar via FreeIPA-users
Not sure if they did use the external CA.  How can I check?

//omar

Omar Pagan, CISSP
AAP Sr. DevOps/SysAdmin

--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: ipa-setup-ca

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Found this in the logs:
>
> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> Technologies Inc,L=Herndon,ST=Virginia,C=US
> WARNING: UNTRUSTED ISSUER encountered on 
> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA
> cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent:
> BAD_CERTIFICATE
> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
> at
> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
> at
> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
> at
> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
> at
> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
> at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
> at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
> at
> com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
> at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
> at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
> at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
> at
> com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
> at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> at
> com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
> at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
> Caused by: java.io.IOException: SocketException cannot write on socket:
> Failed to write to socket: (-12276) Unable to communicate securely with
> peer: requested domain name does not match the server's certificate.
> at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
> at
> org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
> at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
> at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
> at
> org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
> at
> org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
> at
> org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
> at
> org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
> at
> org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
> at
> org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
> at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
> at
> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> at
> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
> ... 17 more
> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to
> socket: (-12276) Unable to communicate securely with peer: requested domain
> name does not match the server's certificate.
> at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
> at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
> ... 31 more
> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias',
> '-f', '/etc/pki/pki-tomcat/password.conf', '-U', '
> https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request',
> '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format',
> 'json', '--debug']' returned non-zero exit status 255.
>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line
> 575, in main
> scriptlet.spawn(deployer)
>   File
> "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py",
> line 586, in spawn
> subsystem.request_ranges(master_url,
> session_id=deployer.install_token.token)
>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line
> 1119, in request_ranges
> master_url, 

[Freeipa-users] Re: ipa-setup-ca

2024-03-14 Thread Omar Pagan via FreeIPA-users
Found this in the logs:

INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar 
Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 
'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies 
Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS 
Issuing CA East,DC=DS,DC=Maxar,DC=com'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
at 
org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
at 
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
at 
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
at 
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
at 
com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:357)
at org.dogtagpki.cli.CLI.execute(CLI.java:357)
at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
at org.dogtagpki.cli.CLI.execute(CLI.java:357)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
Caused by: java.io.IOException: SocketException cannot write on socket: Failed 
to write to socket: (-12276) Unable to communicate securely with peer: 
requested domain name does not match the server's certificate.
at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
at 
org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
at 
org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
at 
org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
at 
org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
at 
org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
at 
org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
at 
org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
at 
org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
at 
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
at 
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at 
org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
... 17 more
Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: 
(-12276) Unable to communicate securely with peer: requested domain name does 
not match the server's certificate.
at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
... 31 more
CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', 
'/etc/pki/pki-tomcat/password.conf', '-U', 
'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', 
'--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', 
'--debug']' returned non-zero exit status 255.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in 
main
scriptlet.spawn(deployer)
  File 
"/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py",
 line 586, in spawn
subsystem.request_ranges(master_url, 
session_id=deployer.install_token.token)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1119, 
in request_ranges
master_url, 'request', session_id=session_id, install_token=install_token)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1107, 
in request_range
output = subprocess.check_output(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 356, in 
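
The log above shows the pki client on the replica dialing https://ldap01.app.uaap.maxar.com:443 and receiving a server certificate whose subject names ldap.app.uaap.maxar.com and whose issuer (CN=Maxar DS Issuing CA East) is not in /etc/pki/pki-tomcat/alias. The client first reported the untrusted issuer, then JSS aborted the handshake with "requested domain name does not match the server's certificate". The script below is an added example, not code from this thread or from FreeIPA/Dogtag: it reproduces both checks offline with openssl by generating a constructed issuing CA, an unrelated CA standing in for what the replica's NSS database trusts, and a server certificate shaped like the one in the log, then runs the host-name check and the chain check for the failing and the working combination. The CA names, key material and temporary files are assumptions; only the two host names come from the log.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Dogtag: reproduce the two
# checks that failed inside the pki client during pkispawn (issuer trust and
# host-name match) with openssl, against a CA and server certificate generated
# locally. Only the two host names come from the thread; the CA names, keys and
# files below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed issuing CA, standing in for the external CA seen in the log.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Issuing CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# A second, unrelated CA: what the replica's NSS database trusts in this demo.
sed 's/^CN = .*/CN = Constructed Unrelated CA/' "$WORK/ca.cnf" > "$WORK/other.cnf"
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/other.cnf" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Server certificate shaped like the one in the log: issued by the external CA,
# with subject CN and SAN naming ldap.app..., not ldap01.app...
cat > "$WORK/srv.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ldap.app.uaap.maxar.com
EOF
printf 'subjectAltName = DNS:ldap.app.uaap.maxar.com\nextendedKeyUsage = serverAuth\n' \
  > "$WORK/srv.ext"
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/srv.cnf" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -days 2 -set_serial 1 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -extfile "$WORK/srv.ext" \
  -out "$WORK/srv.crt" 2>/dev/null

# Exit 0 when certificate $1 is valid for host name $2 (SAN first, CN only
# when the certificate carries no SAN, as X509_check_host does).
check_hostname() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Exit 0 when certificate $1 chains to a CA in PEM bundle $2.
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Both verdicts for the host name dialed ($1) against trust bundle ($2),
# printed as "name=ok|mismatch issuer=ok|untrusted".
verdict() {
  n=mismatch; i=untrusted
  check_hostname "$WORK/srv.crt" "$1" && n=ok
  check_chain "$WORK/srv.crt" "$2" && i=ok
  echo "name=$n issuer=$i"
}

# What the log showed: the replica dialed ldap01 and got a certificate for ldap
# from an issuer its NSS database does not trust, so both checks fail.
verdict ldap01.app.uaap.maxar.com "$WORK/other.crt"   # name=mismatch issuer=untrusted
# The same certificate reached under the name it carries, with its issuer trusted.
verdict ldap.app.uaap.maxar.com "$WORK/ca.crt"        # name=ok issuer=ok
```

On the master, the same two functions can be pointed at the certificate that `openssl s_client -connect ldap01.app.uaap.maxar.com:443 -servername ldap01.app.uaap.maxar.com` returns and at the CA file the replica actually trusts; a failure on either check is exactly what the pkispawn log reports, and the two have different fixes (adding the issuer to the trust store does nothing for a name that is absent from the SAN).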

[Freeipa-users] Re: ipa-setup-ca

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Thu, Mar 14, 2024 at 1:43 AM Omar Pagan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hey guys,
> I finished installing two replicas of my master.  Both installations of
> the replicas completed successfully, but when I try to run the ipa-setup-ca
> it is having some issues.
>
> The errors I get are:
> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
> ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
> the following files/directories for more information:
> ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> But I don't see any issues in the /var/log/pki/pki-tomcat, or at least I
> can't find any "CRITICAL" errors.  Please advise on how to confirm that the
> master CA is working properly and perhaps how to get the 2 replicas to also
> help with the ca role.  Thanks
>

the logs would be in /var/log/pki/pki-ca-spawn.$DATE.log and
/var/log/ipareplica-ca-install.log
The lines just above the ones you provided may also help understand in
which step the installation failed.

flo
