Hello,

We had two IPA replicas, ipa1 (with CA) and ipa2. Those servers were on Ubuntu 16.

I successfully installed an ipa3 replica with CA that is running a newer version of IPA on CentOS 7. After that I stopped the old ipa2 and successfully installed a new ipa2 with CA on CentOS 7. Lastly I set up the CA master to be the new ipa2, following https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_4.0_or_later, and turned off the old ipa1 server.

The problem occurred when I was installing a replica with CA on the new ipa1 server running CentOS 7. I can successfully install the IPA client and create a ticket as the admin user, but when trying to install the replica it fails with "ERROR Certificate issuance failed (CA_UNREACHABLE)". Somehow, during the replica install, it tries to get certificates from the ipa1 server, which does not have httpd installed yet.

I thought the problem could be that the certificate was originally created on the old ipa1, and that we also have it signed by our own certificates, so I created another server, ipa4, on CentOS 7. And again it crashed at the same point, trying to get a certificate from itself when it did not have httpd installed yet.

OS: CentOS Linux release 7.4.1708
IPA: VERSION: 4.5.0, API_VERSION: 2.228

Attached are logs from the IPA client installation and the IPA replica installation for the ipa4 server. Please ask if you require any different logs. I also tried to follow the debugging from https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/SZKAQDRCRGWV3ZIEJNAVRG2LHLDIS3MJ/, but in my case it ends earlier, because it tries to get the certificate from itself and never gets to the master. This can also be seen in the output of the command getcert list (in the attachment).

Thank you for checking.

With kind regards,
*Ján Gardian*
Administrator

### Client install
[root@ipa4 ~]# ipa-client-install -N
Discovery was successful!
Client hostname: ipa4.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa2.example.com
BaseDN: dc=plob,dc=cz

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: enroller
Password for enrol...@example.com: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  2016-10-20 10:04:21
    Valid Until: 2036-10-20 10:04:21

    Subject:     CN=ipa1.example.com,O=Company,O=Company s.r.o,L=Brno,ST=Czech republic,C=CZ
    Issuer:      CN=ipa1.example.com,O=Company,O=Company s.r.o,L=Brno,ST=Czech republic,C=CZ
    Valid From:  2017-05-15 10:19:46
    Valid Until: 2018-05-15 10:19:46

    Subject:     E=m...@mail.com,CN=CCA2,OU=Company,O=Company s.r.o,L=Vienna,ST=Vienna,C=AT
    Issuer:      E=m...@mail.com,CN=CCA2,OU=Company,O=Company s.r.o,L=Vienna,ST=Vienna,C=AT
    Valid From:  2012-05-15 10:46:21
    Valid Until: 2022-05-13 10:46:21

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipa2.example.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa2.example.com/ipa/json'
trying https://ipa2.example.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa2.example.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa2.example.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa2.example.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@ipa4 ~]#

### Replica install
[root@ipa4 ~]# ipa-replica-install --setup-ca
Password for ad...@example.com: 
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/40]: creating directory server instance
  [2/40]: enabling ldapi
  [3/40]: configure autobind for root
  [4/40]: stopping directory server
  [5/40]: updating configuration in dse.ldif
  [6/40]: starting directory server
  [7/40]: adding default schema
  [8/40]: enabling memberof plugin
  [9/40]: enabling winsync plugin
  [10/40]: configuring replication version plugin
  [11/40]: enabling IPA enrollment plugin
  [12/40]: configuring uniqueness plugin
  [13/40]: configuring uuid plugin
  [14/40]: configuring modrdn plugin
  [15/40]: configuring DNS plugin
  [16/40]: enabling entryUSN plugin
  [17/40]: configuring lockout plugin
  [18/40]: configuring topology plugin
  [19/40]: creating indices
  [20/40]: enabling referential integrity plugin
  [21/40]: configuring certmap.conf
  [22/40]: configure new location for managed entries
  [23/40]: configure dirsrv ccache
  [24/40]: enabling SASL mapping fallback
  [25/40]: restarting directory server
  [26/40]: creating DS keytab
  [27/40]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [28/40]: adding sasl mappings to the directory
  [29/40]: updating schema
  [30/40]: setting Auto Member configuration
  [31/40]: enabling S4U2Proxy delegation
  [32/40]: initializing group membership
  [33/40]: adding master entry
  [34/40]: initializing domain level
  [35/40]: configuring Posix uid/gid generation
  [36/40]: adding replication acis
  [37/40]: activating sidgen plugin
  [38/40]: activating extdom plugin
  [39/40]: tuning directory server
  [40/40]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

### /var/log/ipareplica-install.log
2018-04-19T14:55:55Z DEBUG   [1/3]: configuring TLS for DS instance
2018-04-19T14:55:55Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-19T14:55:55Z DEBUG Starting external process
2018-04-19T14:55:55Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a -f /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt
2018-04-19T14:55:55Z DEBUG Process finished, return code=255
2018-04-19T14:55:55Z DEBUG stdout=
2018-04-19T14:55:55Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

2018-04-19T14:55:55Z DEBUG Starting external process
2018-04-19T14:55:55Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -N -f /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -f /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt
2018-04-19T14:55:55Z DEBUG Process finished, return code=0
2018-04-19T14:55:55Z DEBUG stdout=
2018-04-19T14:55:55Z DEBUG stderr=
2018-04-19T14:55:55Z DEBUG Starting external process
2018-04-19T14:55:55Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -A -n EXAMPLE.COM IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt
2018-04-19T14:55:55Z DEBUG Process finished, return code=0
2018-04-19T14:55:55Z DEBUG stdout=
2018-04-19T14:55:55Z DEBUG stderr=
2018-04-19T14:55:55Z DEBUG Starting external process
2018-04-19T14:55:55Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -A -n CN=ipa1.example.com,O=Company,O=Company s.r.o,L=Brno,ST=Czech republic,C=CZ -t CT,C,C -a -f /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt
2018-04-19T14:55:55Z DEBUG Process finished, return code=0
2018-04-19T14:55:55Z DEBUG stdout=
2018-04-19T14:55:55Z DEBUG stderr=
2018-04-19T14:55:55Z DEBUG Starting external process
2018-04-19T14:55:55Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -A -n E=m...@mail.com,CN=CCA2,OU=Company,O=Company s.r.o,L=Vienna,ST=Vienna,C=AT -t CT,C,C -a -f /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt
2018-04-19T14:55:55Z DEBUG Process finished, return code=0
2018-04-19T14:55:55Z DEBUG stdout=
2018-04-19T14:55:55Z DEBUG stderr=
2018-04-19T14:55:56Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
2018-04-19T14:56:01Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2018-04-19T14:56:01Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

2018-04-19T14:56:01Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-04-19T14:56:01Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1432, in install
    ds.enable_ssl()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 357, in enable_ssl
    self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))

2018-04-19T14:56:01Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-04-19T14:56:01Z ERROR Certificate issuance failed (CA_UNREACHABLE)
2018-04-19T14:56:01Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

### getcert list
[root@ipa4 ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180419145555':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa4.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Failed connect to ipa4.example.com:443; Connection refused).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer: 
        subject: 
        expires: unknown
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
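
The symptom this post describes is visible in the `getcert list` output: the request's `ca-error` names `https://ipa4.example.com/ipa/xml`, i.e. the replica being installed, while the client enrolled against `ipa2.example.com`. The script below is an added example (not part of the original message and not FreeIPA's own code) that turns that comparison into a check: it parses `getcert list` text and the `Client hostname:` / `IPA Server:` lines printed by ipa-client-install, and flags any `CA_UNREACHABLE` request whose CA URL points at the local host instead of the enrolled master. Both inputs are constructed samples taken from the outputs on this page (the anonymised hostnames are kept); the script asserts nothing about the root cause.

```python
"""Spot a certmonger CA request that is pointed at the replica itself.

Added example, not part of the original post or of FreeIPA. It parses the
text of `getcert list` and the discovery summary printed by
ipa-client-install; the samples below are constructed from the outputs on
this page (anonymised hostnames kept as they appear there).
"""
import re
from urllib.parse import urlparse

# Constructed sample: the single request from the page's `getcert list`.
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID '20180419145555':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa4.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Failed connect to ipa4.example.com:443; Connection refused).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
"""

# Constructed sample: the discovery summary from the page's ipa-client-install run.
CLIENT_INSTALL_OUTPUT = """\
Discovery was successful!
Client hostname: ipa4.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa2.example.com
BaseDN: dc=plob,dc=cz
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")   # indented "key: value" lines
SERVER_RE = re.compile(r"Server at (https?://\S+) failed")


def parse_getcert(text):
    """Turn `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def ca_host_from_error(ca_error):
    """Host the certmonger IPA helper actually tried, taken from ca-error."""
    m = SERVER_RE.search(ca_error or "")
    return urlparse(m.group(1)).hostname if m else None


def client_field(text, key):
    """Read one 'Key: value' line from the ipa-client-install summary."""
    for line in text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return None


def diagnose(requests, local_host, master_host):
    """Return human-readable findings for CA_UNREACHABLE requests."""
    findings = []
    for req in requests:
        if req.get("status") != "CA_UNREACHABLE":
            continue
        target = ca_host_from_error(req.get("ca-error"))
        if target is None:
            findings.append("request %s: CA_UNREACHABLE but no server URL in ca-error" % req["id"])
        elif target == local_host:
            findings.append(
                "request %s: CA URL points at this host (%s) instead of the master %s; "
                "no httpd/CA is listening here yet, so the request can never succeed"
                % (req["id"], target, master_host))
        elif target != master_host:
            findings.append("request %s: CA URL points at %s, expected master %s"
                            % (req["id"], target, master_host))
    return findings


if __name__ == "__main__":
    local = client_field(CLIENT_INSTALL_OUTPUT, "Client hostname")
    master = client_field(CLIENT_INSTALL_OUTPUT, "IPA Server")
    for finding in diagnose(parse_getcert(GETCERT_OUTPUT), local, master):
        print(finding)
```

On a live replica you would feed it the real `getcert list` output instead of the sample. The certmonger IPA helper builds the URL in `ca-error` from `xmlrpc_uri` in `/etc/ipa/default.conf`, so when the check fires, comparing that file against the server the client enrolled with is the next thing to look at.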


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org