Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-06-07 Thread Rob Crittenden

lejeczek wrote:



On 25/05/16 14:19, Rob Crittenden wrote:

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns --no-forwarders
--setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
 method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection
refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

what might be the problem?


It is failing getting the CA chain from dogtag. It uses port 8080 by
default. I'd check your firewall and that the remote CA is up.


is 8080 needed only @installation time or all the time?
many thanks,


I think it's just needed during install but I didn't pore over the code. 
Once up the data replicates, depending on version, on 389 or 7389 and 
all other access should be proxied through 443.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
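An added, offline-runnable example (my own code, not FreeIPA's and not something posted in this thread): it pulls the failing step and the OS errno out of installer log lines like the ones quoted above, then classifies TCP reachability of the ports Rob names (8080 for the CA chain fetch at install time, 443 for proxied access, 389/7389 for replication) so that a refused connection can be told apart from a silently dropped one before the replica install is retried. The port descriptions, the function names and the sample log text are my own constructions.

```python
import re
import socket

# Ports named in the thread. The descriptions are my own labels.
INSTALL_TIME_PORTS = {
    8080: "Dogtag CA HTTP (CA chain fetch during replica install)",
    443: "HTTPS via mod_nss (all other access is proxied here)",
}
REPLICATION_PORTS = {
    389: "LDAP replication",
    7389: "CA LDAP replication (older versions)",
}
ALL_PORTS = {**INSTALL_TIME_PORTS, **REPLICATION_PORTS}

STEP_RE = re.compile(r"\[(\d+)/(\d+)\]: (?P<desc>[^\n]+)")
ERRNO_RE = re.compile(r"\[Errno (\d+)\]")


def parse_install_failure(log_text):
    """Return the last '[n/m]: step' seen and the first '[Errno N]' in the log.

    The last step counter before the traceback is the step that failed; the
    '[error]' summary line has no counter, so it is skipped automatically.
    """
    result = {"step": None, "total": None, "description": None, "errno": None}
    for m in STEP_RE.finditer(log_text):
        result["step"] = int(m.group(1))
        result["total"] = int(m.group(2))
        result["description"] = m.group("desc").strip()
    err = ERRNO_RE.search(log_text)
    if err:
        result["errno"] = int(err.group(1))
    return result


def check_port(host, port, timeout=3.0):
    """Classify a TCP connect as 'open', 'refused', 'timeout' or 'unreachable'.

    'refused' is errno 111 (ECONNREFUSED): the host answered but nothing
    listens there, or a firewall rejected the SYN. 'timeout' usually means
    a firewall dropping the SYN silently.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def preflight(host, ports=None, timeout=3.0):
    """Check every port a replica needs on the master CA host; dict port -> state."""
    ports = ALL_PORTS if ports is None else ports
    return {port: check_port(host, port, timeout) for port in ports}


def explain(failure):
    """Map a parsed failure to the first thing a defender should verify."""
    if failure["errno"] == 111:
        return ("connection refused while %s: verify the CA host is up and that "
                "tcp/8080 is reachable from this replica (firewall on both ends)"
                % failure["description"])
    if failure["errno"] is not None:
        return "OS error %d while %s" % (failure["errno"], failure["description"])
    return "no OS errno in log; read the install logs for step %s" % failure["step"]


def local_demo(timeout=1.0):
    """Exercise check_port against a real listener on the loopback interface:
    'open' while it listens, 'refused' once it is closed. Returns both states."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_listening = check_port("127.0.0.1", port, timeout)
    finally:
        srv.close()
    after_close = check_port("127.0.0.1", port, timeout)
    return while_listening, after_close


# Constructed sample: the step and error lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
"""

if __name__ == "__main__":
    import sys
    print(explain(parse_install_failure(SAMPLE_LOG)))
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # the master CA host
    for port, state in preflight(host, timeout=2.0).items():
        print("%5d %-11s %s" % (port, state, ALL_PORTS[port]))
```

Run it with the master's hostname as the first argument from the replica-to-be; a "refused" or "timeout" on 8080 reproduces the failure in the thread before the installer gets to step 10, and a "timeout" points at a dropping firewall rule rather than a stopped Dogtag instance.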


Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-06-03 Thread lejeczek



On 25/05/16 14:19, Rob Crittenden wrote:

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns 
--no-forwarders --setup-ca


installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
 method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?


It is failing getting the CA chain from dogtag. It uses 
port 8080 by default. I'd check your firewall and that the 
remote CA is up.



is 8080 needed only @installation time or all the time?
many thanks,
L
I'm surprised the port checker didn't discover this if it 
is a firewall issue and that would be a bug (either the 
port not being checked or not using the proxy).


rob




Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-05-26 Thread lejeczek



On 25/05/16 20:27, Rob Crittenden wrote:

lejeczek wrote:



On 25/05/16 16:46, Rob Crittenden wrote:

lejeczek wrote:



On 25/05/16 14:19, Rob Crittenden wrote:

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns 
--no-forwarders

--setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
 method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?


It is failing getting the CA chain from dogtag. It 
uses port 8080 by
default. I'd check your firewall and that the remote 
CA is up.



thanks Rob,
I opened 8080/tcp (it was closed) but still a failure I get, different
error though:

   [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
   InsecureRequestWarning)
pkispawn: ERROR... server failed to restart

2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:


You need to look in those files/directories for more 
details. Dogtag
doesn't return much on failures and we display what we 
have but all

the real meat is in those logs.

can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 -
why does installer complain about it being used and I have to change the
port for installer to start?


Because there is no easy way to determine what is using that port. If
it is mod_ssl or some other web server instead then things go sideways
pretty fast.

but will it all not break precisely because I have to change port? I
then take a glance and see https:/// only and installer does not take
that port into account, so how will whole IPA work if nss listens on
non-standard port?


I'm not sure I follow. The installer will (or should) 
change nss.conf to listen on 443. The default is 8443.


If you take a vanilla instance and install mod_ssl and 
mod_nss on it then Apache will listen on ports 443 and 
8443. IPA requires mod_nss to listen on 443 so the install 
will fail. This is what we are trying to prevent. It isn't 
a mod_nss or mod_ssl issue but only one thing can listen 
on any given port.


The installer looks at things just enough to detect that 
something might be wrong and it blows up so it can be 
manually addressed because whatever we did automatically 
would be wrong and potentially catastrophic for somebody's 
use case.



rob


when it fails with:

  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed 
to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 
'CA' '-f' '/tmp/tmpNF7gTf'' returned non-zero exit status 1
ipa.ipaserver.install

Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-05-25 Thread Rob Crittenden

lejeczek wrote:



On 25/05/16 16:46, Rob Crittenden wrote:

lejeczek wrote:



On 25/05/16 14:19, Rob Crittenden wrote:

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns --no-forwarders
--setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
 method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?


It is failing getting the CA chain from dogtag. It uses port 8080 by
default. I'd check your firewall and that the remote CA is up.


thanks Rob,
I opened 8080/tcp (it was closed) but still a failure I get, different
error though:

   [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
   InsecureRequestWarning)
pkispawn: ERROR... server failed to restart

2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:


You need to look in those files/directories for more details. Dogtag
doesn't return much on failures and we display what we have but all
the real meat is in those logs.


can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 -
why does installer complain about it being used and I have to change the
port for installer to start?


Because there is no easy way to determine what is using that port. If
it is mod_ssl or some other web server instead then things go sideways
pretty fast.


but will it all not break precisely because I have to change port? I
then take a glance and see https:/// only and installer does not take
that port into account, so how will whole IPA work if nss listens on
non-standard port?


I'm not sure I follow. The installer will (or should) change nss.conf to 
listen on 443. The default is 8443.


If you take a vanilla instance and install mod_ssl and mod_nss on it 
then Apache will listen on ports 443 and 8443. IPA requires mod_nss to 
listen on 443 so the install will fail. This is what we are trying to 
prevent. It isn't a mod_nss or mod_ssl issue but only one thing can 
listen on any given port.


The installer looks at things just enough to detect that something might 
be wrong and it blows up so it can be manually addressed because 
whatever we did automatically would be wrong and potentially 
catastrophic for somebody's use case.



rob



Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-05-25 Thread lejeczek



On 25/05/16 16:46, Rob Crittenden wrote:

lejeczek wrote:



On 25/05/16 14:19, Rob Crittenden wrote:

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns 
--no-forwarders

--setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
 method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?


It is failing getting the CA chain from dogtag. It uses 
port 8080 by
default. I'd check your firewall and that the remote CA 
is up.



thanks Rob,
I opened 8080/tcp (it was closed) but still a failure I get, different
error though:

   [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
   InsecureRequestWarning)
pkispawn: ERROR... server failed to restart

2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:


You need to look in those files/directories for more 
details. Dogtag doesn't return much on failures and we 
display what we have but all the real meat is in those logs.


can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 -
why does installer complain about it being used and I have to change the
port for installer to start?


Because there is no easy way to determine what is using that port. If it
is mod_ssl or some other web server instead then things go sideways
pretty fast.


but will it all not break precisely because I have to change port? I
then take a glance and see https:/// only and installer does not take
that port into account, so how will whole IPA work if nss listens on
non-standard port?

regards

rob



I'm surprised the port checker didn't discover this if it is a
firewall issue and that would be a bug (either the port not being
checked or not using the proxy).

rob








Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-05-25 Thread Rob Crittenden

lejeczek wrote:



On 25/05/16 14:19, Rob Crittenden wrote:

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns --no-forwarders
--setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
 method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection
refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

what might be the problem?


It is failing getting the CA chain from dogtag. It uses port 8080 by
default. I'd check your firewall and that the remote CA is up.


thanks Rob,
I opened 8080/tcp (it was closed) but still a failure I get, different
error though:

   [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
   InsecureRequestWarning)
pkispawn: ERROR... server failed to restart

2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:


You need to look in those files/directories for more details. Dogtag 
doesn't return much on failures and we display what we have but all the 
real meat is in those logs.



can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 -
why does installer complain about it being used and I have to change the
port for installer to start?


Because there is no easy way to determine what is using that port. If it 
is mod_ssl or some other web server instead then things go sideways 
pretty fast.


rob




I'm surprised the port checker didn't discover this if it is a
firewall issue and that would be a bug (either the port not being
checked or not using the proxy).

rob






Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-05-25 Thread lejeczek



On 25/05/16 14:19, Rob Crittenden wrote:

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns 
--no-forwarders --setup-ca


installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
 method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?


It is failing getting the CA chain from dogtag. It uses 
port 8080 by default. I'd check your firewall and that the 
remote CA is up.



thanks Rob,
I opened 8080/tcp (it was closed) but still a failure I get, 
different error though:

  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn: ERROR... server failed to restart

2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:


can I ask a question? - my nss.conf is pretty plain-vanilla, 
uses :443 - why does installer complain about it being used 
and I have to change the port for installer to start?


I'm surprised the port checker didn't discover this if it 
is a firewall issue and that would be a bug (either the 
port not being checked or not using the proxy).


rob




Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-05-25 Thread Rob Crittenden

lejeczek wrote:

hi there,

I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
 method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1015, in __import_ca_chain
 chain = self.__get_ca_chain()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
997, in __get_ca_chain
 raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

what might be the problem?


It is failing getting the CA chain from dogtag. It uses port 8080 by 
default. I'd check your firewall and that the remote CA is up.


I'm surprised the port checker didn't discover this if it is a firewall 
issue and that would be a bug (either the port not being checked or not 
using the proxy).


rob
