Looks like the system is missing the CA cert (should it be added during
ipa-replica-install?)
I don't know if the missing cert is the main problem in my case, but I made some tests:
try 1:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 19 (self signed certificate in certificate chain)
try 2:
openssl s_client -connect `hostname -f`:8443 -CAfile /etc/ipa/ca.crt
(…)
Verify return code: 0 (ok)
After I added ipa.cert to /etc/pki/tls/cert.pem:
cat /etc/ipa/ca.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
try 3:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 0 (ok)
Best regards,
Ender
--
Łukasz Jaworski
Message written by Łukasz Jaworski on 7 Oct 2015,
at 08:35:
> Hi,
>
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
>
> environment:
> Fedora 21
>
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> pki-server-10.2.0-5.fc21.noarch
>
> same on server and replicas
>
>
> Output from ipa-replica-install:
> (…)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
> seconds
> [1/22]: creating certificate server user
> [2/22]: configuring certificate server instance
> [3/22]: stopping certificate server instance to update CS.cfg
> [4/22]: backing up CS.cfg
> [5/22]: disabling nonces
> [6/22]: set up CRL publishing
> [7/22]: enable PKIX certificate path discovery and validation
> [8/22]: starting certificate server instance
> [error] RuntimeError: CA did not start in 300.0s
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> From /var/log/ipareplica.log:
> 2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
> 2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
> 2015-10-07T06:25:59Z DEBUG Starting external process
> 2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate' 'https://182.example.com:8443/ca/admin/c
> a/getStatus'
> 2015-10-07T06:25:59Z DEBUG Process finished, return code=8
> 2015-10-07T06:25:59Z DEBUG stdout=
> 2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59--
> https://182.example.com:8443/ca/admin/ca/getStatus
> Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
> Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443...
> connected.
> WARNING: cannot verify 182.example.com's certificate, issued by
> ‘CN=Certificate Authority,O=ecample.com’:
> Self-signed certificate encountered.
> HTTP request sent, awaiting response...
> HTTP/1.1 500 Internal Server Error
> Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 2923
> Date: Wed, 07 Oct 2015 06:25:59 GMT
> Connection: close
> 2015-10-07 08:25:59 ERROR 500: Internal Server Error.
>
> Any idea?
>
> Best regards,
> Ender
>
> --
> Łukasz Jaworski
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
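A small diagnostic script, added here and not part of the original thread, that automates the three tries above: it runs `openssl s_client` non-interactively, extracts the "Verify return code", and reports whether the endpoint chains to the system trust store or only to an explicitly supplied CA file. The function names (verify_code_from_output, check_tls_chain, diagnose) are assumptions, and the sample outputs are constructed from the codes shown above.

```shell
#!/bin/sh
# Extract the numeric code from the last "Verify return code: N (...)" line
# of openssl s_client output. Prints nothing if no such line is present.
verify_code_from_output() {
  printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Run s_client non-interactively (stdin from /dev/null so it exits after the
# handshake) and print the verify code; an optional CA file is passed through.
check_tls_chain() {
  host=$1; port=$2; cafile=$3
  if [ -n "$cafile" ]; then
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -CAfile "$cafile" </dev/null 2>&1)
  else
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
  fi
  verify_code_from_output "$out"
}

# Classify the pair (system-store result, explicit-CA result). Prints one of:
#   trusted          - chain verifies against the system store
#   ca-not-in-store  - verifies only with the explicit CA file (the case above)
#   chain-broken     - does not verify even with the CA file
#   unknown          - no verify line was found at all
diagnose() {
  sys=$1; explicit=$2
  if [ "$sys" = 0 ]; then echo trusted
  elif [ "$explicit" = 0 ]; then echo ca-not-in-store
  elif [ -n "$sys" ] && [ -n "$explicit" ]; then echo chain-broken
  else echo unknown
  fi
}

# Constructed sample outputs mirroring try 1 and try 2 in the thread.
SAMPLE_UNTRUSTED='(...)
Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_TRUSTED='(...)
Verify return code: 0 (ok)'

# Usage: sh check_chain.sh run   (probes the local IPA CA port, as in the thread)
if [ "$1" = run ]; then
  host=$(hostname -f)
  sys=$(check_tls_chain "$host" 8443)
  explicit=$(check_tls_chain "$host" 8443 /etc/ipa/ca.crt)
  echo "system=$sys explicit=$explicit -> $(diagnose "$sys" "$explicit")"
fi
```

On Fedora the files under /etc/pki/ca-trust/extracted/ are regenerated by `update-ca-trust`, so a CA appended there directly is lost on the next run; the persistent form is to place it in /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust`.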