/var/log/pki/pki-tomcat/ca/debug does not exist,
/var/log/pki/pki-ca-spawn-*.log does not show any error, everything is as
expected. The signing cert is:
caSigningCert cert-pki-ca CTu,Cu,Cu
However, it shows it uses /etc/pki/pki-tomcat/ everywhere in the variables,
and at the moment /etc/pki/pki-tomcat/ does not exist. Is that expected? Was
it there at the stage when ca-spawn was active?
On Mon, Oct 1, 2018 at 2:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Andrey Bondarenko via FreeIPA-users wrote:
> Hello,
>
> I have IPA cluster with several nodes and I have a problem installing
> there another replica with CA enabled. If I want to add CA role to one
> of the nodes:
>
> [root@ipa01:~] ipa-ca-install -w SECRET
> Directory Manager (existing master) password:
>
> Run connection check to master
> Connection check OK
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/25]: creating certificate server db
> [2/25]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 953 seconds elapsed
> Update succeeded
>
> [3/25]: creating installation admin user
> [4/25]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command '/usr/sbin/pkispawn -s CA -f
> /mnt/tmp/tmpXXXXXX' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more
> information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
>
> In the log file, the only error I see is
>
> WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use
> 'pki_sslserver_nickname' instead.
> WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated.
> Use 'pki_sslserver_subject_dn' instead.
> ERROR: Unable to access security domain: 503 Server Error: Service
> Unavailable
>
> Where should I dig?
You need to look at the dogtag logs, /var/log/pki/pki-ca-spawn-*.log and
/var/log/pki/pki-tomcat/ca/debug
rob
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B