It sounds like that is the y/N prompt you are seeing, if it waits until enter is pressed.
rob

Omar wrote:
> Sorry for the late reply. I'm sure the CA Certs are the correct ones.
> I will attempt to do the replicas again and this time I'll trace the
> logs to make sure I catch the errors and update the ticket.
>
> When I say "hang" I mean that it takes forever to come back from step 5
> ([5/28]: configuring certificate server instance) and then if I hit
> "enter" it will just drop to an error.
>
> I'll post the error when I see it again. Thanks
>
> On Fri, Mar 15, 2024 at 1:35 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> > Omar via FreeIPA-users wrote:
> > > Here is some more info:
> > >
> > > WARNING: The CA service is only installed on one server (<master hostname here>).
> > > It is strongly recommended to install it on another server.
> > > Run ipa-ca-install(1) on another master to accomplish this.
> > >
> > > The ipa-replica-install command was successful
> > >
> > > That was from the replica install, here is me installing the ca-cert on
> > > the replica:
> > >
> > > $ ipa-cacert-manage install -t CT,C,C maxar-ca-chain.crt
> > > Installing CA certificate, please wait
> > > Verified CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com
> > > Verified CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com
> > > CA certificate successfully installed
> > > The ipa-cacert-manage command was successful
> >
> > What I don't understand is why you didn't have to install this chain in
> > order to install the servers at all. Are you sure this is the right
> > chain?
> >
> > This data is replicated so it doesn't matter which server it is
> > added on.
> >
> > > and the cacert update:
> > >
> > > $ ipa-certupdate
> > > Systemwide CA database updated.
> > > Systemwide CA database updated.
> > > The ipa-certupdate command was successful
> >
> > This has to be run everywhere after updating a chain.
> >
> > > but when I try to run ipa-ca-install, it fails and it hangs here:
> > >
> > > $ ipa-ca-install
> > > Directory Manager (existing master) password:
> > >
> > > Run connection check to master
> > > Connection check OK
> > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> > >   [1/28]: creating certificate server db
> > >   [2/28]: setting up initial replication
> > > Starting replication, please wait until this has completed.
> > > Update in progress, 21 seconds elapsed
> > > Update succeeded
> > >
> > >   [3/28]: creating ACIs for admin
> > >   [4/28]: creating installation admin user
> > >   [5/28]: configuring certificate server instance
> > >
> > > Thoughts?
> >
> > IPA treats PKI as a black box. Occasionally it will spit out an error
> > that is useful in the install log but usually you have to pair it with
> > the pki-ca-spawn log and sometimes also the ca debug log to determine
> > what is going on.
> >
> > It also depends on the definition of fail and hang. You can monitor the
> > pki-ca-spawn log for activity, for example, during installation.
> >
> > rob
> >
> > > On Fri, Mar 15, 2024 at 12:12 PM Omar <usridz...@gmail.com> wrote:
> > > > for the context:
> > > > I fixed my master IPA server, with all new and valid certs (server &
> > > > CA chain). I installed two replicas, both installed successfully,
> > > > but when I try to run the ipa-ca-install they both fail. Thoughts?
> > > >
> > > > On Thu, Mar 14, 2024 at 9:28 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
> > > > > Hi,
> > > > >
> > > > > On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users
> > > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > > > > Found this in the logs:
> > > > > >
> > > > > > INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
> > > > > > WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
> > > > > > Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
> > > > > > javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
> > > > > >     at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:317)
> > > > > >     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
> > > > > >     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:106)
> > > > > >     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
> > > > > >     at com.sun.proxy.$Proxy23.getInfo(Unknown Source)
> > > > > >     at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:43)
> > > > > >     at com.netscape.certsrv.client.PKIClient.getInfo(PKIClient.java:221)
> > > > > >     at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:603)
> > > > > >     at org.dogtagpki.cli.CLI.getClient(CLI.java:207)
> > > > > >     at com.netscape.cmstools.ca.CACLI.getSubsystemClient(CACLI.java:66)
> > > > > >     at com.netscape.cmstools.range.RangeRequestCLI.execute(RangeRequestCLI.java:80)
> > > > > >     at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
> > > > > >     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> > > > > >     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> > > > > >     at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
> > > > > >     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> > > > > >     at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:665)
> > > > > >     at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:701)
> > > > > > Caused by: java.io.IOException: SocketException cannot write on socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
> > > > > >     at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1538)
> > > > > >     at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:27)
> > > > > >     at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:160)
> > > > > >     at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:168)
> > > > > >     at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:273)
> > > > > >     at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:279)
> > > > > >     at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:188)
> > > > > >     at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:241)
> > > > > >     at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
> > > > > >     at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:684)
> > > > > >     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:486)
> > > > > >     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
> > > > > >     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> > > > > >     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> > > > > >     at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:313)
> > > > > >     ... 17 more
> > > > > > Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
> > > > > >     at org.mozilla.jss.ssl.SSLSocket.socketWrite(Native Method)
> > > > > >     at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1532)
> > > > > >     ... 31 more
> > > > > > CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', '--debug']' returned non-zero exit status 255.
> > > > > >   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
> > > > > >     scriptlet.spawn(deployer)
> > > > > >   File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 586, in spawn
> > > > > >     subsystem.request_ranges(master_url, session_id=deployer.install_token.token)
> > > > > >   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1119, in request_ranges
> > > > > >     master_url, 'request', session_id=session_id, install_token=install_token)
> > > > > >   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1107, in request_range
> > > > > >     output = subprocess.check_output(cmd)
> > > > > >   File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
> > > > > >     **kwargs).stdout
> > > > > >   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
> > > > > >     output=stdout, stderr=stderr)
> > > > > >
> > > > > > 2024-03-14T00:38:53Z CRITICAL Failed to configure CA instance
> > > > > > 2024-03-14T00:38:53Z CRITICAL See the installation logs and the following files/directories for more information:
> > > > > > 2024-03-14T00:38:53Z CRITICAL   /var/log/pki/pki-tomcat
> > > > > > 2024-03-14T00:38:53Z DEBUG Traceback (most recent call last):
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
> > > > > >     run_step(full_msg, method)
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
> > > > > >     method()
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
> > > > > >     nolog_list=nolog_list
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
> > > > > >     self.handle_setup_error(e)
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
> > > > > >     ) from None
> > > > > > RuntimeError: CA configuration failed.
> > > > > >
> > > > > > 2024-03-14T00:38:53Z DEBUG   [error] RuntimeError: CA configuration failed.
> > > > > > 2024-03-14T00:38:53Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> > > > > > 2024-03-14T00:38:53Z DEBUG   File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 781, in run_script
> > > > > >     return_value = main_function()
> > > > > >
> > > > > >   File "/sbin/ipa-ca-install", line 307, in main
> > > > > >     install(safe_options, options)
> > > > > >
> > > > > >   File "/sbin/ipa-ca-install", line 273, in install
> > > > > >     install_replica(safe_options, options)
> > > > > >
> > > > > >   File "/sbin/ipa-ca-install", line 210, in install_replica
> > > > > >     ca.install(True, config, options, custodia=custodia)
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 270, in install
> > > > > >     install_step_0(standalone, replica_config, options, custodia=custodia)
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
> > > > > >     pki_config_override=options.pki_config_override,
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 501, in configure_instance
> > > > > >     self.start_creation(runtime=runtime)
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
> > > > > >     run_step(full_msg, method)
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
> > > > > >     method()
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
> > > > > >     nolog_list=nolog_list
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
> > > > > >     self.handle_setup_error(e)
> > > > > >
> > > > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
> > > > > >     ) from None
> > > > > >
> > > > > > 2024-03-14T00:38:53Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
> > > > > >
> > > > > > Is the installation failing because the:
> > > > > > INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
> > > > > > WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
> > > > > > Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
> > > > > >
> > > > > > ?? how do I pass a "Y" to this script?
> > > > >
> > > > > Not really easy to read the logs as I'm lacking the context, but
> > > > > it looks like the CA fails to communicate with the LDAP server.
> > > > > Did you install the first server with an externally signed LDAP
> > > > > server certificate? If that's the case, you are probably just
> > > > > missing the external CA cert.
> > > > > Use ipa-cacert-manage install -t CT,C,C extca.pem on one of the
> > > > > servers if not already done, then execute ipa-certupdate on all
> > > > > the hosts enrolled in the domain (all servers and clients,
> > > > > including the server where you run ipa-cacert-manage).
> > > > >
> > > > > flo
> > > > >
> > > > > > //omar

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
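Editor's note on the log quoted in this thread. The pki debug output actually records two distinct problems in one run: the issuer of the server certificate is not trusted by the NSS database pkispawn is using (that is what produces the interactive "Trust this certificate (y/N)?" prompt, and an unattended pkispawn waiting on that prompt is exactly the "hang" at step [5/28] that Rob describes), and separately the CLI was told to contact https://ldap01.app.uaap.maxar.com:443 while the peer presented a certificate whose subject is CN=ldap.app.uaap.maxar.com; NSS error -12276 is SSL_ERROR_BAD_CERT_DOMAIN, the name check failing. Installing the external chain with ipa-cacert-manage and running ipa-certupdate everywhere, as Florence and Rob say, fixes the first problem but not the second.

The script below is an added example written for this note, not FreeIPA or Dogtag code, that pulls those facts out of such a log and lists the findings in the order they need fixing. SAMPLE_LOG is constructed from the lines quoted above, and the script assumes the real tools print the same phrases. The NSS error names are the standard NSS constants; the advice for the trust prompt and the untrusted issuer is taken from the thread, while the advice for the hostname mismatch is the generic TLS rule (the name in the URL must be covered by the certificate), not something the thread states.

```python
"""Triage a failed ipa-ca-install run from the pki CLI debug output.

Added example for this thread, not FreeIPA or Dogtag code. It extracts the
three facts that decide the failure mode seen above: the URL pkispawn passed
to 'pki ... ca-range-request' with -U, the subject the peer presented
("Server certificate: ..."), and the NSS error that closed the connection.
SAMPLE_LOG is constructed from the lines quoted in the thread; the log
format of the real tools is assumed to match those excerpts.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# NSS error codes (standard NSS constants) seen in this class of failure.
NSS_ERRORS = {
    -12276: "SSL_ERROR_BAD_CERT_DOMAIN",   # URL host not covered by the peer cert
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",   # issuer in the NSS DB but not trusted
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",     # issuer not in the NSS DB at all
}

# Remediation per finding. The first two restate the thread; the third is the
# generic TLS hostname rule, not advice given in the thread.
ADVICE = {
    "trust_prompt": "pki is blocked on an interactive y/N prompt; that is the "
                    "'hang' at [5/28]. Fix the trust rather than answering it.",
    "untrusted_issuer": "install the external chain once with "
                        "'ipa-cacert-manage install -t CT,C,C <chain.pem>', "
                        "then run ipa-certupdate on every server and client.",
    "hostname_mismatch": "the -U host is not a name the presented certificate "
                         "covers; the server certificate needs that name in its "
                         "SAN, or the install must target a name it does cover.",
}

# Constructed sample: the key lines from the pki debug output quoted above.
SAMPLE_LOG = r"""
INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US
WARNING: UNTRUSTED ISSUER encountered on 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' indicates a non-trusted CA cert 'CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
Caused by: org.mozilla.jss.ssl.SSLSocketException: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ldap01.app.uaap.maxar.com:443', 'ca-range-request', 'request', '--install-token', '/tmp/tmp_nt6hud0/install-token', '--output-format', 'json', '--debug']' returned non-zero exit status 255.
"""


def rdn_value(dn: str, attr: str) -> Optional[str]:
    """First value of `attr` (e.g. CN) in a comma-separated DN; escaped
    commas inside values are not handled, which the logged DNs do not need."""
    m = re.search(rf"(?:^|,)\s*{attr}=([^,]+)", dn)
    return m.group(1).strip() if m else None


def master_url(log: str) -> Optional[str]:
    """URL pkispawn handed to the pki CLI with -U (from the CalledProcessError)."""
    m = re.search(r"'-U',\s*'([^']+)'", log)
    return m.group(1) if m else None


def presented_subject(log: str) -> Optional[str]:
    """Subject DN the peer presented, from the 'Server certificate:' line."""
    m = re.search(r"Server certificate:\s*(.+)", log)
    return m.group(1).strip() if m else None


def untrusted_issuer(log: str) -> Optional[str]:
    """Issuer DN named in the UNTRUSTED ISSUER warning, if any."""
    m = re.search(r"indicates a non-trusted CA cert '([^']+)'", log)
    return m.group(1) if m else None


def nss_error(log: str) -> Optional[int]:
    """Numeric NSS error code JSS printed before 'Unable to communicate securely'."""
    m = re.search(r"\((-\d+)\)\s*Unable to communicate securely", log)
    return int(m.group(1)) if m else None


def name_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive DNS name match allowing one leading-label wildcard,
    the rule a TLS client applies to SAN dNSName entries (and to the CN when
    it falls back to it)."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("*."):
        hl, pl = h.split("."), p.split(".")
        return len(hl) == len(pl) and hl[1:] == pl[1:] and hl[0] != ""
    return h == p


def triage(log: str) -> dict:
    """Classify one failed run. 'findings' are listed in the order they should
    be fixed: once the issuer is trusted the y/N prompt no longer appears."""
    url = master_url(log)
    host = urlsplit(url).hostname if url else None
    subject = presented_subject(log)
    cn = rdn_value(subject, "CN") if subject else None
    code = nss_error(log)
    issuer = untrusted_issuer(log)

    findings = []
    if "Trust this certificate (y/N)?" in log:
        findings.append("trust_prompt")
    if issuer:
        findings.append("untrusted_issuer")
    # Trust NSS's own verdict (-12276) even when the CN happens to match,
    # since the log does not show the SAN that NSS actually checked.
    if code == -12276 or (host and cn and not name_matches(host, cn)):
        findings.append("hostname_mismatch")

    return {
        "url_host": host,
        "presented_cn": cn,
        "nss_error": code,
        "nss_error_name": NSS_ERRORS.get(code),
        "untrusted_issuer": issuer,
        "findings": findings,
        "advice": [ADVICE[f] for f in findings],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the pkispawn output in /var/log/pki/pki-ca-spawn.*.log (or the pki --debug output copied from the ipa-ca-install log) instead of SAMPLE_LOG. The hostname check here can only compare against the CN, because that is all the log shows; NSS checks the subjectAltName first, so confirm the names the certificate really covers on the master with `openssl x509 -in <server.crt> -noout -ext subjectAltName` before reissuing anything.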