Hi,

On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Found this in the logs:
>
> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>         at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>         at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>         at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>         at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>         at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>         at com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>         at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>         at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>         at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>         at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
> Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>         at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>         at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>         at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>         at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>         at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>         at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>         at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>         ... 17 more
> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>         at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>         at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>         ... 31 more
> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', '--debug']' returned non-zero exit status 255.
>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
>     scriptlet.spawn(deployer)
>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 586, in spawn
>     subsystem.request_ranges(master_url, session_id=deployer.install_token.token)
>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1119, in request_ranges
>     master_url, 'request', session_id=session_id, install_token=install_token)
>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1107, in request_range
>     output = subprocess.check_output(cmd)
>   File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
>     **kwargs).stdout
>   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>     output=stdout, stderr=stderr)
>
>
> 2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
> 2024-03-14T00:38:53Z CRITICAL See the installation logs and the following files/directories for more information:
> 2024-03-14T00:38:53Z CRITICAL   /var/log/pki/pki-tomcat
> 2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>     method()
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>     nolog_list=nolog_list
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>     ) from None
> RuntimeError: CA configuration failed.
>
> 2024-03-14T00:38:53Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> 2024-03-14T00:38:53Z DEBUG   File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 781, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-ca-install", line 307, in main
>     install(safe_options, options)
>
>   File "/sbin/ipa-ca-install", line 273, in install
>     install_replica(safe_options, options)
>
>   File "/sbin/ipa-ca-install", line 210, in install_replica
>     ca.install(True, config, options, custodia=custodia)
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 270, in install
>     install_step_0(standalone, replica_config, options, custodia=custodia)
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
>     pki_config_override=options.pki_config_override,
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 501, in configure_instance
>     self.start_creation(runtime=runtime)
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>     run_step(full_msg, method)
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>     method()
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>     nolog_list=nolog_list
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>     ) from None
>
> 2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
>
> Is the installation failing because of the:
> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>
> ?? How do I pass a "Y" to this script?
>

Not really easy to read the logs as I'm lacking the context, but it looks
like the CA fails to communicate with the LDAP server.
Did you install the first server with an externally signed LDAP server
certificate? If that's the case, you are probably just missing the external
CA cert.
Use "ipa-cacert-manage install -t CT,C,C extca.pem" on one of the servers if
not already done, then execute ipa-certupdate on all the hosts enrolled in
the domain (all servers and clients, including the server where you run
ipa-cacert-manage).

flo

> //omar
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
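The quoted log actually carries two separate TLS failures, and they need different fixes. The UNTRUSTED ISSUER warning says the CA 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com' is not in the NSS database the pki CLI was pointed at with -d (/etc/pki/pki-tomcat/alias); that is what the ipa-cacert-manage / ipa-certupdate steps in the reply address. The second, NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN, "requested domain name does not match the server's certificate"), is a hostname mismatch: the command connected to ldap01.app.uaap.maxar.com but the certificate is for CN=ldap.app.uaap.maxar.com, and trusting the issuer alone will not clear it. The script below is an added example for this thread, not FreeIPA or Dogtag code. It runs over a constructed, unwrapped copy of the quoted lines, separates the two findings, and lists the steps from the reply plus the name-mismatch caveat. Assumptions: the name check is CN-only because the log shows no subjectAltName, and the certutil listing is an extra verification step not mentioned in the thread.

```python
"""Separate the two TLS failures reported in a pkispawn/pki debug log.

Added example for the FreeIPA-users thread; not FreeIPA or Dogtag code.
Everything it extracts is present in the quoted log: the server certificate
subject, the untrusted issuer DN, the NSS error code and the pki command line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed, unwrapped copy of the lines quoted in the thread.
SAMPLE_LOG = """\
INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request']' returned non-zero exit status 255.
"""

# NSS SSL_ERROR_BAD_CERT_DOMAIN: name in the URL is not a name in the server cert.
# This is independent of whether the issuer is trusted.
SSL_ERROR_BAD_CERT_DOMAIN = -12276

SERVER_CERT_RE = re.compile(r"Server certificate: (?P<subject>CN=.+)$")
UNTRUSTED_RE = re.compile(r"indicates a non-trusted CA cert '(?P<issuer>[^']+)'")
NSS_ERR_RE = re.compile(r"\((?P<code>-1\d{4})\) Unable to communicate securely")
PKI_URL_RE = re.compile(r"'-U', 'https?://(?P<host>[^:/']+)")
PKI_NSSDB_RE = re.compile(r"'-d', '(?P<db>[^']+)'")


@dataclass
class TlsDiagnosis:
    server_subject: Optional[str] = None
    untrusted_issuer: Optional[str] = None
    nss_error: Optional[int] = None
    requested_host: Optional[str] = None
    nss_db: Optional[str] = None

    @property
    def server_cn(self) -> Optional[str]:
        m = re.match(r"CN=([^,]+)", self.server_subject or "")
        return m.group(1) if m else None

    @property
    def untrusted(self) -> bool:
        return self.untrusted_issuer is not None

    @property
    def hostname_mismatch(self) -> bool:
        # Prefer the explicit NSS code; otherwise compare requested host with the CN.
        # Assumption: CN-only, because the log shows no subjectAltName to compare.
        if self.nss_error == SSL_ERROR_BAD_CERT_DOMAIN:
            return True
        return (self.server_cn is not None and self.requested_host is not None
                and self.server_cn.lower() != self.requested_host.lower())


def diagnose(log: str) -> TlsDiagnosis:
    """Walk the log once and keep the first server cert / NSS code seen."""
    d = TlsDiagnosis()
    for line in log.splitlines():
        if (m := SERVER_CERT_RE.search(line)) and d.server_subject is None:
            d.server_subject = m.group("subject")
        if m := UNTRUSTED_RE.search(line):
            d.untrusted_issuer = m.group("issuer")
        if (m := NSS_ERR_RE.search(line)) and d.nss_error is None:
            d.nss_error = int(m.group("code"))
        if m := PKI_URL_RE.search(line):
            d.requested_host = m.group("host")
        if m := PKI_NSSDB_RE.search(line):
            d.nss_db = m.group("db")
    return d


def remediation(d: TlsDiagnosis) -> List[str]:
    """Steps in order. The first two are flo's fix; the rest are added checks."""
    steps: List[str] = []
    if d.untrusted:
        steps.append("ipa-cacert-manage install -t CT,C,C extca.pem  "
                     f"# extca.pem: PEM of '{d.untrusted_issuer}'")
        steps.append("ipa-certupdate  # on every enrolled server and client")
        if d.nss_db:
            # Assumed verification step: list the NSS DB the pki CLI used with -d.
            steps.append(f"certutil -L -d {d.nss_db}  # the CA should now show CT,C,C")
    if d.hostname_mismatch:
        # Trusting the CA does not clear -12276; the cert must name the host that was asked for.
        steps.append(f"server cert is for '{d.server_cn}' but the client asked for "
                     f"'{d.requested_host}': the certificate must include that name (SAN dNSName)")
    return steps


if __name__ == "__main__":
    diag = diagnose(SAMPLE_LOG)
    print(f"untrusted issuer : {diag.untrusted_issuer}")
    print(f"hostname mismatch: {diag.hostname_mismatch} "
          f"({diag.requested_host} vs CN={diag.server_cn})")
    for step in remediation(diag):
        print(" -", step)
```

Run it against the real pkispawn output by replacing SAMPLE_LOG with the contents of the debug log under /var/log/pki/pki-tomcat; if only the first two steps appear, the trust import is the whole fix, and if the last line appears the replica will keep failing with -12276 until the master's certificate covers the name being connected to.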