Here is some more info:

WARNING: The CA service is only installed on one server (<master hostname here>).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
The ipa-replica-install command was successful

That was from the replica install, here is me installing the ca-cert on the replica:

$ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
Installing CA certificate, please wait
Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
CA certificate successfully installed
The ipa-cacert-manage command was successful

and the cacert update:

$ ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

but when I try to run ipa-ca-install, it fails and it hangs here:

$ ipa-ca-install
Directory Manager (existing master) password:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: creating certificate server db
  [2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 21 seconds elapsed
Update succeeded
  [3/28]: creating ACIs for admin
  [4/28]: creating installation admin user
  [5/28]: configuring certificate server instance

Thoughts?

On Fri, Mar 15, 2024 at 12:12 PM Omar <usridz...@gmail.com> wrote:
> for the context:
> I fixed my master IPA server, with all new and valid certs (server & CA chain).
> I installed two replicas, both installed successfully, but when I try to run
> the ipa-ca-install they both fail. Thoughts?
>
> On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
>
>> Hi,
>>
>> On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> Found this in the logs:
>>>
>>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>>> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>>>     at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>>     at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
>>>     at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
>>>     at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
>>>     at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
>>>     at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
>>>     at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
>>>     at com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
>>>     at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>>>     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>>     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>>     at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>>>     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>>>     at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
>>>     at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
>>> Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>>>     at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
>>>     at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
>>>     at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
>>>     at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
>>>     at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
>>>     at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
>>>     at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
>>>     at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
>>>     at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>>>     at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
>>>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
>>>     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>>     at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
>>>     ... 17 more
>>> Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
>>>     at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
>>>     at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
>>>     ... 31 more
>>> CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', '--debug']' returned non-zero exit status 255.
>>>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
>>>     scriptlet.spawn(deployer)
>>>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 586, in spawn
>>>     subsystem.request_ranges(master_url, session_id=deployer.install_token.token)
>>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1119, in request_ranges
>>>     master_url, 'request', session_id=session_id, install_token=install_token)
>>>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1107, in request_range
>>>     output = subprocess.check_output(cmd)
>>>   File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
>>>     **kwargs).stdout
>>>   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>>>     output=stdout, stderr=stderr)
>>>
>>>
>>> 2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
>>> 2024-03-14T00:38:53Z CRITICAL See the installation logs and the following files/directories for more information:
>>> 2024-03-14T00:38:53Z CRITICAL   /var/log/pki/pki-tomcat
>>> 2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>>     method()
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>>>     nolog_list=nolog_list
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>>>     self.handle_setup_error(e)
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>>>     ) from None
>>> RuntimeError: CA configuration failed.
>>>
>>> 2024-03-14T00:38:53Z DEBUG   [error] RuntimeError: CA configuration failed.
>>> 2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>>> 2024-03-14T00:38:53Z DEBUG   File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 781, in run_script
>>>     return_value = main_function()
>>>
>>>   File "/sbin/ipa-ca-install", line 307, in main
>>>     install(safe_options, options)
>>>
>>>   File "/sbin/ipa-ca-install", line 273, in install
>>>     install_replica(safe_options, options)
>>>
>>>   File "/sbin/ipa-ca-install", line 210, in install_replica
>>>     ca.install(True, config, options, custodia=custodia)
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 270, in install
>>>     install_step_0(standalone, replica_config, options, custodia=custodia)
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
>>>     pki_config_override=options.pki_config_override,
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 501, in configure_instance
>>>     self.start_creation(runtime=runtime)
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>>     run_step(full_msg, method)
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>>     method()
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>>>     nolog_list=nolog_list
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>>>     self.handle_setup_error(e)
>>>
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>>>     ) from None
>>>
>>> 2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
>>>
>>> Is the installation failing because the:
>>> INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
>>> WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
>>> Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
>>>
>>> ?? how do I pass a "Y" to this script?
>>>
>>
>> Not really easy to read the logs as I'm lacking the context, but it looks like the CA fails to communicate with the LDAP server.
>> Did you install the first server with an externally signed LDAP server certificate? If that's the case, you are probably just missing the external CA cert.
>> Use ipa-cacert-manage install -t CT,C,C extca.pem on one of the servers if not already done, then execute ipa-certupdate on all the hosts enrolled in the domain (all servers and clients, including the server where you run ipa-cacert-manage).
>>
>> flo
>>
>>> //omar
>>> --
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
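The quoted pkispawn log shows two distinct TLS failures against the master: the NSS "UNTRUSTED ISSUER" warning (which the ipa-cacert-manage install plus ipa-certupdate sequence addresses) and NSS error -12276, a hostname mismatch between the URL pkispawn was given (ldap01.app.uaap.maxar.com) and the certificate subject CN (ldap.app.uaap.maxar.com). The following added example, which is not FreeIPA, Dogtag or list-member code, classifies a server certificate's issuer and identity against the URL the installer will use, so both conditions can be checked before a retry. The DN strings and URL are taken from the log; the trusted-issuer set assumes the two CAs ipa-cacert-manage reported as "Verified", and the SAN list is constructed because the log does not show one.

```python
import re
from urllib.parse import urlsplit

# Values taken from the pkispawn log in the thread above.
MASTER_URL = "https://ldap01.app.uaap.maxar.com:443"
SUBJECT_DN = ("CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,"
              "L=Herndon,ST=Virginia,C=US")
ISSUER_DN = "CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com"
# Assumed trust store: the issuers ipa-cacert-manage reported as "Verified".
TRUSTED_ISSUERS = {ISSUER_DN, "CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com"}


def parse_dn(dn):
    """Split an RFC 4514 DN into (type, value) pairs; an escaped comma does not split."""
    return [tuple(rdn.split("=", 1)) for rdn in re.split(r"(?<!\\),", dn)]


def cn_of(dn):
    return next(v for k, v in parse_dn(dn) if k.strip().upper() == "CN")


def name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, '*' allowed only as the whole
    left-most label, never spanning a dot and never directly under a TLD."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def diagnose(master_url, subject_dn, issuer_dn, trusted_issuers, san_dns=()):
    """Return the problems a strict TLS client raises for this certificate when
    connecting to master_url; an empty list means the handshake would pass."""
    host = urlsplit(master_url).hostname
    problems = []
    if issuer_dn not in trusted_issuers:                 # NSS: UNTRUSTED ISSUER
        problems.append(f"untrusted issuer: {issuer_dn}")
    # Identities a client accepts: SAN dNSNames when present, otherwise the CN.
    names = list(san_dns) or [cn_of(subject_dn)]
    if not any(name_matches(n, host) for n in names):    # NSS: -12276
        problems.append(f"hostname mismatch: {host} not in {names}")
    return problems


if __name__ == "__main__":
    print(diagnose(MASTER_URL, SUBJECT_DN, ISSUER_DN, set()))            # both failures
    print(diagnose(MASTER_URL, SUBJECT_DN, ISSUER_DN, TRUSTED_ISSUERS))  # mismatch only
    # Constructed SAN that also covers the name pkispawn connects to: passes.
    print(diagnose(MASTER_URL, SUBJECT_DN, ISSUER_DN, TRUSTED_ISSUERS,
                   san_dns=["ldap.app.uaap.maxar.com", "ldap01.app.uaap.maxar.com"]))
```

Installing the chain clears only the first finding; the second persists until the certificate carries the name the installer is pointed at, or the installer is pointed at a name the certificate carries.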