[Freeipa-users] Can't setup replica (freeipa 4.1.3), problem with pki

2015-10-07 Thread Łukasz Jaworski
Hi,

I have a problem with setting up new replicas.
I tried to set up two replicas; both failed with the same error.

environment:
Fedora 21

packages:
freeipa-server-4.1.3-2.fc21.x86_64
389-ds-base-1.3.3.8-1.fc21.x86_64
389-ds-base-libs-1.3.3.8-1.fc21.x86_64
pki-server-10.2.0-5.fc21.noarch

same on server and replicas


Output from ipa-replica-install:
(…)
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
seconds
  [1/22]: creating certificate server user  
  [2/22]: configuring certificate server instance
  [3/22]: stopping certificate server instance to update CS.cfg
  [4/22]: backing up CS.cfg
  [5/22]: disabling nonces
  [6/22]: set up CRL publishing
  [7/22]: enable PKIX certificate path discovery and validation
  [8/22]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

From /var/log/ipareplica.log
2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
2015-10-07T06:25:59Z DEBUG Starting external process
2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
'--no-check-certificate' 'https://182.example.com:8443/ca/admin/c
a/getStatus'
2015-10-07T06:25:59Z DEBUG Process finished, return code=8
2015-10-07T06:25:59Z DEBUG stdout=
2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59--  
https://182.example.com:8443/ca/admin/ca/getStatus
Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... connected.
WARNING: cannot verify 182.example.com's certificate, issued by ‘CN=Certificate 
Authority,O=ecample.com’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 
  HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 2923
  Date: Wed, 07 Oct 2015 06:25:59 GMT
  Connection: close
2015-10-07 08:25:59 ERROR 500: Internal Server Error.

Any idea?

Best regards,
Ender

-- 
Łukasz Jaworski


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Can't setup replica (freeipa 4.1.3), problem with pki

2015-10-07 Thread Łukasz Jaworski
Looks like the system is missing the CA cert (should it be added during 
ipa-replica-install?).
I don't know if the missing cert is the main problem in my case, but I made some tests:

try 1:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 19 (self signed certificate in certificate chain)

try 2:
openssl s_client -connect `hostname -f`:8443 -CAfile /etc/ipa/ca.crt
(…)
Verify return code: 0 (ok)


After I added ipa.cert to /etc/pki/tls/cert.pem:
cat /etc/ipa/ca.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

try 3:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 0 (ok)


Best regards,
Ender
-- 
Łukasz Jaworski

Message written by Łukasz Jaworski on 7 Oct 2015, 
at 08:35:

> Hi,
> 
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
> 
> environment:
> Fedora 21
> 
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> pki-server-10.2.0-5.fc21.noarch
> 
> same on server and replicas
> 
> 
> Output from ipa-replica-install:
> (…)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
> seconds
>  [1/22]: creating certificate server user  
>  [2/22]: configuring certificate server instance
>  [3/22]: stopping certificate server instance to update CS.cfg
>  [4/22]: backing up CS.cfg
>  [5/22]: disabling nonces
>  [6/22]: set up CRL publishing
>  [7/22]: enable PKIX certificate path discovery and validation
>  [8/22]: starting certificate server instance
>  [error] RuntimeError: CA did not start in 300.0s
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> From /var/log/ipareplica.log
> 2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
> 2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
> 2015-10-07T06:25:59Z DEBUG Starting external process
> 2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
> '--no-check-certificate' 'https://182.example.com:8443/ca/admin/c
> a/getStatus'
> 2015-10-07T06:25:59Z DEBUG Process finished, return code=8
> 2015-10-07T06:25:59Z DEBUG stdout=
> 2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59--  
> https://182.example.com:8443/ca/admin/ca/getStatus
> Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
> Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... 
> connected.
> WARNING: cannot verify 182.example.com's certificate, issued by 
> ‘CN=Certificate Authority,O=ecample.com’:
>  Self-signed certificate encountered.
> HTTP request sent, awaiting response... 
>  HTTP/1.1 500 Internal Server Error
>  Server: Apache-Coyote/1.1
>  Content-Type: text/html;charset=utf-8
>  Content-Language: en
>  Content-Length: 2923
>  Date: Wed, 07 Oct 2015 06:25:59 GMT
>  Connection: close
> 2015-10-07 08:25:59 ERROR 500: Internal Server Error.
> 
> Any idea?
> 
> Best regards,
> Ender
> 
> -- 
> Łukasz Jaworski
> 

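The two posts above show the two halves of this failure: the installer polls the Dogtag getStatus endpoint until it reports running and gives up after 300 s, and the replica's TLS certificate only verifies once the IPA CA from /etc/ipa/ca.crt is trusted. The following Python is an added example (not FreeIPA's or Dogtag's own code) that models that poll loop and the trust-store check so the "check interrupted" / "CA did not start in 300.0s" sequence in the log can be reproduced and reasoned about offline. It assumes the getStatus reply is XML with a `<Status>` element (a constructed sample is embedded) and that any transport or HTTP error, such as the 500 seen above, counts as "check interrupted"; `parse_ca_status`, `ca_status`, `wait_for_ca`, `make_tls_context` and `http_fetch` are names chosen here, not installer APIs. Unlike the installer's `wget --no-check-certificate`, the real fetch keeps certificate verification on and adds the IPA CA explicitly, which is the same effect as the `-CAfile /etc/ipa/ca.crt` test in the second post.

```python
"""Model of the CA readiness poll run by ipa-replica-install during
"[8/22]: starting certificate server instance".

Added example, not FreeIPA's or Dogtag's code. Assumed reply format for
/ca/admin/ca/getStatus (a constructed sample, RUNNING_XML, is below):
<XMLResponse><State>1</State><Type>CA</Type><Status>running</Status>...</XMLResponse>
"""
import ssl
import time
import urllib.request
import xml.etree.ElementTree as ET

STATUS_PATH = "/ca/admin/ca/getStatus"

# Constructed sample of a healthy reply (format is an assumption, see above).
RUNNING_XML = (b"<XMLResponse><State>1</State><Type>CA</Type>"
               b"<Status>running</Status><Version>10.2.0</Version></XMLResponse>")


def parse_ca_status(body: bytes) -> str:
    """Return the <Status> text of a getStatus reply, e.g. 'running'.
    An HTML error page (the 500 in the thread) has no <Status> and raises."""
    root = ET.fromstring(body)
    status = root.findtext("Status")
    if status is None:
        raise ValueError("getStatus reply carries no <Status> element")
    return status.strip()


def ca_status(fetch) -> str:
    """fetch() returns the response body as bytes or raises.
    Any failure (connection error, HTTP error, unparsable body) is mapped
    to the installer's 'check interrupted' wording."""
    try:
        return parse_ca_status(fetch())
    except Exception:
        return "check interrupted"


def wait_for_ca(fetch, timeout=300.0, interval=1.0,
                clock=time.monotonic, sleep=time.sleep) -> int:
    """Poll until the CA reports 'running' and return the attempt count.
    Past the deadline, raise RuntimeError with the installer's message.
    clock/sleep are injectable so the loop can be exercised without waiting."""
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        if ca_status(fetch) == "running":
            return attempts
        if clock() >= deadline:
            raise RuntimeError(f"CA did not start in {timeout}s")
        sleep(interval)


def make_tls_context(cafile=None) -> ssl.SSLContext:
    """System trust store (tls-ca-bundle.pem on Fedora) plus, optionally,
    the IPA CA, mirroring 'openssl s_client -CAfile /etc/ipa/ca.crt'.
    Verification stays enabled; a self-signed IPA chain fails without cafile."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def http_fetch(host, port=8443, cafile="/etc/ipa/ca.crt", timeout=30) -> bytes:
    """Real fetch for use on a replica. urllib raises HTTPError for a 500
    reply, so ca_status() reports 'check interrupted' just as the log did."""
    url = f"https://{host}:{port}{STATUS_PATH}"
    ctx = make_tls_context(cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage on a replica: poll the local pki-tomcat with a short deadline.
    import socket
    host = socket.getfqdn()
    try:
        n = wait_for_ca(lambda: http_fetch(host), timeout=30.0, interval=5.0)
        print(f"CA running after {n} attempt(s)")
    except RuntimeError as err:
        print(err, "- check /var/log/pki/pki-tomcat/ca/debug")
```

When the poll times out, the status function has only ever seen errors, which is why the installer's log alternates "check interrupted" with "Waiting for CA to start..." and never shows the real cause; the 500 itself has to be chased in the Dogtag logs.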

Re: [Freeipa-users] Can't setup replica (freeipa 4.1.3), problem with pki

2015-10-07 Thread Rob Crittenden
Łukasz Jaworski wrote:
> Hi,
> 
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
> 
> environment:
> Fedora 21
> 
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> pki-server-10.2.0-5.fc21.noarch
> 
> same on server and replicas
> 
> 
> Output from ipa-replica-install:
> (…)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
> seconds
>   [1/22]: creating certificate server user  
>   [2/22]: configuring certificate server instance
>   [3/22]: stopping certificate server instance to update CS.cfg
>   [4/22]: backing up CS.cfg
>   [5/22]: disabling nonces
>   [6/22]: set up CRL publishing
>   [7/22]: enable PKIX certificate path discovery and validation
>   [8/22]: starting certificate server instance
>   [error] RuntimeError: CA did not start in 300.0s
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> From /var/log/ipareplica.log
> 2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
> 2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
> 2015-10-07T06:25:59Z DEBUG Starting external process
> 2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
> '--no-check-certificate' 'https://182.example.com:8443/ca/admin/c
> a/getStatus'
> 2015-10-07T06:25:59Z DEBUG Process finished, return code=8
> 2015-10-07T06:25:59Z DEBUG stdout=
> 2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59--  
> https://182.example.com:8443/ca/admin/ca/getStatus
> Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
> Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... 
> connected.
> WARNING: cannot verify 182.example.com's certificate, issued by 
> ‘CN=Certificate Authority,O=ecample.com’:
>   Self-signed certificate encountered.
> HTTP request sent, awaiting response... 
>   HTTP/1.1 500 Internal Server Error
>   Server: Apache-Coyote/1.1
>   Content-Type: text/html;charset=utf-8
>   Content-Language: en
>   Content-Length: 2923
>   Date: Wed, 07 Oct 2015 06:25:59 GMT
>   Connection: close
> 2015-10-07 08:25:59 ERROR 500: Internal Server Error.
> 
> Any idea?
> 

You'll need to check the dogtag logs for errors. Start with
/var/log/pki/pki-tomcat/ca/debug

rob