Hi Team,

Has anyone faced this issue during replica installation?

I have a third-party SSL certificate installed on the master server.


IPA Version:

[root@dir02-mex ~]# ipa --version
VERSION: 4.10.2, API_VERSION: 2.252


Certificate Expiry:

[root@dir02-mex ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | egrep -i 'befor|after'
            Not Before: Mon Apr 01 09:41:49 2024
            Not After : Sun Mar 22 09:41:49 2026



  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server db
  [2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 12 seconds elapsed
Update succeeded

  [3/30]: creating ACIs for admin
  [4/30]: creating installation admin user
  [5/30]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information



cat /var/log/ipareplica-install.log:


DEBUG: https://dir02-mexommx.ipa.com:8443 "GET / HTTP/1.1" 302 0
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki HTTP/1.1" 302 None
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki/ HTTP/1.1" 200 3500
INFO: PKI server started
INFO: Waiting for CA subsystem
DEBUG: Starting new HTTPS connection (1): dir02-mexommx.ipa.com:8443
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784

2024-04-01T09:41:34Z CRITICAL Failed to configure CA instance
2024-04-01T09:41:34Z CRITICAL See the installation logs and the following files/directories for more information:
2024-04-01T09:41:34Z CRITICAL   /var/log/pki/pki-tomcat
2024-04-01T09:41:34Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(
RuntimeError: CA configuration failed.

2024-04-01T09:41:34Z DEBUG   [error] RuntimeError: CA configuration failed.
2024-04-01T09:41:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-04-01T09:41:34Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 599, in main
    replica_install(self)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
    func(installer)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1345, in install
    ca.install(False, config, options, custodia=custodia)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 354, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 422, in install_step_0
    ca.configure_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 506, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(

2024-04-01T09:41:34Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2024-04-01T09:41:34Z ERROR CA configuration failed.
2024-04-01T09:41:34Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


cat /var/log/pki/pki-tomcat/ca/debug.2024-04-01.log:



2024-04-01 03:41:32 [main] INFO: CMSEngine: Disabling CA subsystem
2024-04-01 03:41:32 [main] SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1759)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
        at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)

2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:844)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCertByTag(CMSEngine.java:1895)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1823)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:211)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:818)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1722)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
        at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
        at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1223)
        at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:43)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:149)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:139)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:696)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:583)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Mon Apr 01 03:41:49 CST 2024
        at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:302)
        at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:494)
        at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:466)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
        ... 54 more

2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: Disabling subsystem due to selftest failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024




cat /var/log/pki/pki-tomcat/ca/selftests.log:

0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence:  CA is present
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] CAPresence:  CA is present
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] CAPresence:  CA is present
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!





--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
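An added example for the logs in this post (not the poster's, FreeIPA's or Dogtag's code). Every self-test failure above has the same shape: the test runs at one instant (03:41:32 CST in selftests.log, 09:41:34Z in ipareplica-install.log) while Server-Cert cert-pki-ca carries a NotBefore a few seconds later (03:41:49 CST, which certutil prints as 09:41:49), so the JSS validity check throws CertificateNotYetValidException. The script below parses selftests.log entries, converts both timestamps to UTC and reports the skew in seconds, which is the number to put beside the time-sync state of the master and the replica (for instance `chronyc tracking` on each host). Assumptions: the Java zone abbreviation "CST" is a fixed UTC-6 offset, as the log's "GMT-06:00" indicates (table `ZONE_OFFSETS`); the sample lines are the post's selftests.log entries rejoined one entry per line, as the real file has them. Standard library only.

```python
"""Measure how far a Dogtag system certificate's NotBefore lies ahead of the
clock that ran the self-test (the clock-skew symptom in the thread above).
Added example, not FreeIPA or Dogtag code.  Standard library only."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: Java's zone abbreviation in the NotBefore string maps to a fixed
# UTC offset.  The post's log prints "CST" beside "GMT-06:00", so CST is taken
# as UTC-6 here; add entries for other deployments.
ZONE_OFFSETS = {
    "CST": timedelta(hours=-6),
    "GMT": timedelta(0),
    "UTC": timedelta(0),
}

# One selftests.log entry: "<thread> - [<timestamp>] [<level>] [<n>] <Plugin>: <msg>"
LINE_RE = re.compile(
    r"^\S+ - \[(?P<ts>[^\]]+)\] \[\d+\] \[\d+\] (?P<plugin>\w+):\s+(?P<msg>.*)$"
)
NOTBEFORE_RE = re.compile(r"Invalid certificate (?P<nick>.+?): NotBefore: (?P<nb>.+)$")
# Java Date.toString(): "Mon Apr 01 03:41:49 CST 2024"
JAVA_DATE_RE = re.compile(
    r"^[A-Za-z]{3} (?P<rest>[A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<zone>[A-Za-z]+) (?P<year>\d{4})$"
)


def parse_java_date(text):
    """Turn a Java Date.toString() value into a timezone-aware datetime."""
    m = JAVA_DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java date: {text!r}")
    offset = ZONE_OFFSETS.get(m["zone"])
    if offset is None:
        raise ValueError(f"unknown zone {m['zone']!r}; add it to ZONE_OFFSETS")
    naive = datetime.strptime(f"{m['rest']} {m['year']}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(offset))


def parse_selftest_timestamp(text):
    """Parse the bracketed self-test timestamp, e.g. '01/Apr/2024:03:41:32 GMT-06:00'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S GMT%z")


def not_before_skew(not_before, checked_at):
    """Seconds by which NotBefore lies ahead of the checking clock (negative: already valid)."""
    return (not_before - checked_at).total_seconds()


def find_future_notbefore(lines, tolerance_seconds=0):
    """Return (nickname, checked_at_utc, not_before_utc, skew_seconds) for every
    SystemCertsVerification failure whose NotBefore is more than tolerance_seconds
    ahead of the time the self-test ran.  The zero default mirrors the strict
    check that raised CertificateNotYetValidException in the trace above."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m["plugin"] != "SystemCertsVerification":
            continue
        nb = NOTBEFORE_RE.search(m["msg"])
        if not nb:
            continue
        checked_at = parse_selftest_timestamp(m["ts"])
        not_before = parse_java_date(nb["nb"])
        skew = not_before_skew(not_before, checked_at)
        if skew > tolerance_seconds:
            findings.append((nb["nick"], checked_at.astimezone(timezone.utc),
                             not_before.astimezone(timezone.utc), skew))
    return findings


# Constructed sample: the post's selftests.log entries, one entry per line.
SAMPLE_LOG = [
    "0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence:  CA is present",
    "0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024",
    "0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024",
    "0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:",
    "0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024",
]

if __name__ == "__main__":
    for nick, checked_at, not_before, skew in find_future_notbefore(SAMPLE_LOG):
        print(f"{nick}: self-test ran {checked_at:%Y-%m-%dT%H:%M:%SZ}, "
              f"NotBefore {not_before:%Y-%m-%dT%H:%M:%SZ}, {skew:+.0f}s ahead")
```

Run against the real file with `find_future_notbefore(open("/var/log/pki/pki-tomcat/ca/selftests.log"))`. On the sample it reports 13, 14 and 17 seconds for the three attempts; a gap that stays in that range across attempts days apart is the signature of a constant offset between two clocks rather than a certificate issued with a deliberately future NotBefore, and raising `tolerance_seconds` shows how much slack would have masked it.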