The master was initially installed with 4.2 and was recently upgraded to 4.5. The replica
was installed with 4.5.
Thanks,
Ross
________________________________________
From: Fraser Tweedale [ftweedal(a)redhat.com]
Sent: Wednesday, April 25, 2018 6:21 PM
To: FreeIPA users list
Cc: Rob Crittenden; Ross Infinger
Subject: Re: [Freeipa-users] Re: replica - install fails with CA issue
On Thu, Apr 26, 2018 at 12:30:06AM +0000, Ross Infinger via FreeIPA-users wrote:
OK I was able to workaround this error and get a replica created.
The workaround is I ran ipa-server-upgrade on the CA master (even though master and
replica were both at 4.5) and then ran ipa-replica-install --setup-dns on the
prospective replica. It finished successfully. Whatever.
On to the next problem - installing a replica with --setup-ca ...
Thanks,
Ross
Thanks for the update Ross; I'm glad you got it working.
Interesting scenario. What is the version history of the master,
including minor updates (within a given Fedora release)?
Cheers,
Fraser
________________________________________
From: Ross Infinger
Sent: Wednesday, April 25, 2018 11:54 AM
To: Rob Crittenden; FreeIPA users list
Subject: RE: [Freeipa-users] replica - install fails with CA issue
This is what I found in the selftests.log ...
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
So this looks like everything started OK. I don't see any mention of dogtag in the
log. Is there a way to make sure it is actually running?
Thanks,
Ross
________________________________________
From: Rob Crittenden [rcritten(a)redhat.com]
Sent: Wednesday, April 25, 2018 10:00 AM
To: FreeIPA users list
Cc: Ross Infinger
Subject: Re: [Freeipa-users] replica - install fails with CA issue
Ross Infinger via FreeIPA-users wrote:
> Thanks for the reply. I tried the workaround but still getting the CA_UNREACHABLE
error. The umask on the master was already at 0022.
>
> Is there a way to check the health of the CA master? Maybe the issue is with the CA
and not with the replica install?
>
>
> Here is a little more information. The CA master is pci-mgmt-ipa01. the new client
to be promoted is ipa-nyc-pci02.
>
> On the client:
> [root@ipa-nyc-pci02 ~]# getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20180424223129':
> status: CA_UNREACHABLE
> ca-error: Server at
https://urldefense.proofpoint.com/v2/url?u=https-3A__ipa-2Dnyc-2Dpci02.pc...
failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Failed connect to ipa-nyc-pci02.pci.xxxxxxx.com:443; Connection refused).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PCI-xxxxxxx-COM/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxxxxxx-COM',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv PCI-xxxxxxx-COM
> track: yes
> auto-renew: yes
>
> On the master:
> pki-tomcat is running.
>
> I see a cert_request in /var/log/httpd/error_log.
>
> [Tue Apr 24 22:31:31.490598 2018] [:error] [pid 1133] ipa: INFO: [xmlserver]
host/ipa-nyc-pci02.pci.XXXXXXX.com(a)PCI.XXXXXXX.COM:
cert_request(u'MIID8jCCAtoCAQAwQjEYMBYGA1UEChMPUENJLk1BU0NPUlAuQ09NMSYwJAYDVQQDEx1pc
> ...
> /QLxsLD7VWO7fGuSHpGnUayuTKi1Em9BdPtMNoD75G4SJ',
profile_id=u'caIPAserviceCert',
principal=u'ldap/ipa-nyc-pci02.pci.XXXXXXX.com(a)PCI.XXXXXXX.COM', add=True,
version=u'2.51'): NotFound
>
>
> I don't see any request in /var/log/pki/pki-tomcat/ca/debug.
>
> Does this indicate a problem with the Dogtag server?
It might. dogtag runs as a servlet within tomcat so it is very possible
that tomcat is running but the servlet failed, hence the Not Found. This
is typically caught by ipactl though.
The typical cause for this is the selftest fails. You can check the
selftest log in the same directory as debug.
rob
>
> Thanks,
> Ross
> _______________________________________
> From: Ross Infinger
> Sent: Tuesday, April 24, 2018 1:39 PM
> To: Florence Blanc-Renaud
> Subject: RE: [Freeipa-users] replica - install fails with CA issue
>
> Thanks for the reply. I tried the workaround but still getting the CA_UNREACHABLE
error. The umask on the master was already at 0022.
>
> Is there a way to check the health of the CA master? Maybe the issue is with the CA
and not with the replica install?
>
>
> Thanks,
> Ross
>
> From: Florence Blanc-Renaud [flo(a)redhat.com]
> Sent: Tuesday, April 24, 2018 1:37 AM
> To: FreeIPA users list
> Cc: Ross Infinger
> Subject: Re: [Freeipa-users] replica - install fails with CA issue
>
> On 04/23/2018 10:37 PM, Ross Infinger via FreeIPA-users wrote:
>> I'm trying to promote a new client to a replica. I install the client
>> first then run ipa-replica-install. The client install goes OK but the
>> ipa-replica-install command fails with
>>
>> RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>>
>> Seems the client was able to reach the CA so I'm puzzled why the replica
>> cannot.
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>
>
> Hi,
>
> other users also hit this issue #7193 [1], and the root cause was that
> the root's umask on the master was too restrictive. Can you check if
> it's your case?
>
> The workaround is to do:
> chmod 644 /etc/ipa/ca.crt
> chmod 440 /var/lib/ipa/ra-agent.{key,pem}
>
> but the best is to install the master with umask 022.
>
> HTH,
> Flo
>
> [1]
https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_freeipa_is...
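The thread raises two questions that are worth answering with a script rather than by eye: whether the file modes from the issue #7193 workaround (Flo's message) are actually in place on the CA master, and how to tell that the Dogtag CA servlet is really serving requests when pki-tomcat itself is running (Ross's question, and Rob's pointer to selftests.log). The following is an added example, not code from the thread or from the FreeIPA project. It assumes GNU `stat` (Fedora/RHEL), that the paths and modes are exactly the ones Flo quoted, and that the CA status endpoint is `http://<host>:8080/ca/admin/ca/getStatus`, which is the URL FreeIPA's own startup code polls; the scratch directory tree, the sample log lines and the sample status bodies in the demo are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): health checks for a
# FreeIPA CA master before retrying ipa-replica-install.
#   1. the file modes from the issue #7193 workaround
#   2. the selftests.log outcome (a failed self test leaves the CA servlet
#      undeployed while "pki-tomcat is running" still looks true)
#   3. the Dogtag getStatus endpoint on port 8080 (assumed URL, see lead-in)

# check_mode FILE EXPECTED_OCTAL: 0 if the mode matches, 1 if not, 2 if missing.
check_mode() {
    _file=$1; _want=$2
    if [ ! -e "$_file" ]; then
        echo "MISSING  $_file"; return 2
    fi
    _have=$(stat -c '%a' "$_file")          # GNU stat (assumption: Fedora/RHEL)
    if [ "$_have" = "$_want" ]; then
        echo "OK       $_file ($_have)"; return 0
    fi
    echo "WRONG    $_file is $_have, want $_want"; return 1
}

# check_ca_files [ROOT]: verify the three files the workaround chmods.
# ROOT is empty (i.e. /) on a real master; the demo points it at a scratch tree.
check_ca_files() {
    _root=${1:-}
    _rc=0
    check_mode "$_root/etc/ipa/ca.crt" 644 || _rc=1
    check_mode "$_root/var/lib/ipa/ra-agent.key" 440 || _rc=1
    check_mode "$_root/var/lib/ipa/ra-agent.pem" 440 || _rc=1
    return $_rc
}

# selftest_ok LOGFILE: 0 if the most recent startup run reported that all
# CRITICAL self tests passed, 1 otherwise.
selftest_ok() {
    tail -n 50 "$1" | grep -q 'All CRITICAL self test plugins ran SUCCESSFULLY'
}

# ca_status_from_body BODY: pull the Status field out of a getStatus response.
# Older Dogtag answers with XML (<Status>running</Status>), newer with JSON.
ca_status_from_body() {
    printf '%s' "$1" | sed -n \
        -e 's/.*<Status>\([^<]*\)<\/Status>.*/\1/p' \
        -e 's/.*"Status" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# ca_running [HOST]: probe the live endpoint (needs the CA master; not run below).
ca_running() {
    _body=$(curl -sf "http://${1:-localhost}:8080/ca/admin/ca/getStatus") || return 1
    [ "$(ca_status_from_body "$_body")" = "running" ]
}

# Demo on a constructed tree: files created under umask 077 (the #7193 trigger),
# then the workaround applied.
demo() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/etc/ipa" "$_tmp/var/lib/ipa"
    (umask 077; touch "$_tmp/etc/ipa/ca.crt" \
                      "$_tmp/var/lib/ipa/ra-agent.key" "$_tmp/var/lib/ipa/ra-agent.pem")
    echo "--- install done under umask 077"
    check_ca_files "$_tmp" || echo "=> fix the modes before retrying ipa-replica-install"
    echo "--- after the workaround"
    chmod 644 "$_tmp/etc/ipa/ca.crt"
    chmod 440 "$_tmp/var/lib/ipa/ra-agent.key" "$_tmp/var/lib/ipa/ra-agent.pem"
    check_ca_files "$_tmp" && echo "=> modes match"
    rm -rf "$_tmp"
}

demo
```

On a real master run `check_ca_files` with no argument, `selftest_ok /var/log/pki/pki-tomcat/ca/selftests.log`, and `ca_running` against the CA host; a `Connection refused` from `curl` on 8080 or a status other than `running` is the CA-side counterpart of the `CA_UNREACHABLE` that certmonger reports on the replica.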