[Freeipa-users] Can't set up replica (freeipa 4.1.3), problem with pki
Hi,

I have a problem with setting up new replicas. I tried to set up two replicas; both failed with the same error.

Environment:
Fedora 21

Packages:
freeipa-server-4.1.3-2.fc21.x86_64
389-ds-base-1.3.3.8-1.fc21.x86_64
389-ds-base-libs-1.3.3.8-1.fc21.x86_64
pki-server-10.2.0-5.fc21.noarch

Same on server and replicas.

Output from ipa-replica-install:
(…)
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
  [3/22]: stopping certificate server instance to update CS.cfg
  [4/22]: backing up CS.cfg
  [5/22]: disabling nonces
  [6/22]: set up CRL publishing
  [7/22]: enable PKIX certificate path discovery and validation
  [8/22]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

From /var/log/ipareplica.log:
2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
2015-10-07T06:25:59Z DEBUG Starting external process
2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://182.example.com:8443/ca/admin/ca/getStatus'
2015-10-07T06:25:59Z DEBUG Process finished, return code=8
2015-10-07T06:25:59Z DEBUG stdout=
2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59-- https://182.example.com:8443/ca/admin/ca/getStatus
Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... connected.
WARNING: cannot verify 182.example.com's certificate, issued by 'CN=Certificate Authority,O=ecample.com':
  Self-signed certificate encountered.
HTTP request sent, awaiting response...
  HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 2923
  Date: Wed, 07 Oct 2015 06:25:59 GMT
  Connection: close
2015-10-07 08:25:59 ERROR 500: Internal Server Error.

Any idea?

Best regards,
Ender
--
Łukasz Jaworski

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Can't set up replica (freeipa 4.1.3), problem with pki
Looks like the system is missing the CA cert (should it be added during ipa-replica-install?). I don't know if the missing cert is the main problem in my case, but I made some tests:

try 1:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 19 (self signed certificate in certificate chain)

try 2:
openssl s_client -connect `hostname -f`:8443 -CAfile /etc/ipa/ca.crt
(…)
Verify return code: 0 (ok)

After I added ipa.cert into /etc/pki/tls/cert.pem:
cat /etc/ipa/ca.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

try 3:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 0 (ok)

Best regards,
Ender
--
Łukasz Jaworski

Message written by Łukasz Jaworski on 7 Oct 2015 at 08:35:
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
> (…)
>   [8/22]: starting certificate server instance
>   [error] RuntimeError: CA did not start in 300.0s
> (…)
>   HTTP/1.1 500 Internal Server Error
> (…)
> Any idea?
Re: [Freeipa-users] Can't set up replica (freeipa 4.1.3), problem with pki
Łukasz Jaworski wrote:
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
> (…)
>   [8/22]: starting certificate server instance
>   [error] RuntimeError: CA did not start in 300.0s
> (…)
> From /var/log/ipareplica.log:
> (…)
>   HTTP/1.1 500 Internal Server Error
> (…)
> 2015-10-07 08:25:59 ERROR 500: Internal Server Error.
>
> Any idea?

You'll need to check the dogtag logs for errors. Start with /var/log/pki/pki-tomcat/ca/debug

rob