Hi Team,

Anyone faced this issue during replica installation? I have a third-party SSL certificate installed on the master server.

IPA Version:

[root@dir02-mex ~]# ipa --version
VERSION: 4.10.2, API_VERSION: 2.252

Certificate Expiry:

[root@dir02-mex ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | egrep -i 'befor|after'
    Not Before: Mon Apr 01 09:41:49 2024
    Not After : Sun Mar 22 09:41:49 2026

  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server db
  [2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 12 seconds elapsed
Update succeeded
  [3/30]: creating ACIs for admin
  [4/30]: creating installation admin user
  [5/30]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
The ipa-replica-install command failed.
See /var/log/ipareplica-install.log for more information

cat /var/log/ipareplica-install.log:

DEBUG: https://dir02-mexommx.ipa.com:8443 "GET / HTTP/1.1" 302 0
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki HTTP/1.1" 302 None
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /pki/ HTTP/1.1" 200 3500
INFO: PKI server started
INFO: Waiting for CA subsystem
DEBUG: Starting new HTTPS connection (1): dir02-mexommx.ipa.com:8443
DEBUG: https://dir02-mexommx.ipa.com:8443 "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784
2024-04-01T09:41:34Z CRITICAL Failed to configure CA instance
2024-04-01T09:41:34Z CRITICAL See the installation logs and the following files/directories for more information:
2024-04-01T09:41:34Z CRITICAL   /var/log/pki/pki-tomcat
2024-04-01T09:41:34Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(
RuntimeError: CA configuration failed.

2024-04-01T09:41:34Z DEBUG   [error] RuntimeError: CA configuration failed.
2024-04-01T09:41:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-04-01T09:41:34Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 599, in main
    replica_install(self)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
    func(installer)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1345, in install
    ca.install(False, config, options, custodia=custodia)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 354, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 422, in install_step_0
    ca.configure_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 506, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 651, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(

2024-04-01T09:41:34Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2024-04-01T09:41:34Z ERROR CA configuration failed.
2024-04-01T09:41:34Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

cat /var/log/pki/pki-tomcat/ca/debug.2024-04-01.log:

2024-04-01 03:41:32 [main] INFO: CMSEngine: Disabling CA subsystem
2024-04-01 03:41:32 [main] SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1759)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
        at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:844)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCertByTag(CMSEngine.java:1895)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1823)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:211)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:818)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1722)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1167)
        at org.dogtagpki.server.ca.CAEngine.startupSubsystems(CAEngine.java:972)
        at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1223)
        at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:43)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:149)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:139)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:696)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:583)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Mon Apr 01 03:41:49 CST 2024
        at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:302)
        at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:494)
        at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:466)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
        ... 54 more
2024-04-01 03:41:32 [main] SEVERE: SelfTestSubsystem: Disabling subsystem due to selftest failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
java.lang.Exception: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024

cat /var/log/pki/pki-tomcat/ca/selftests.log:

0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 04:03:27 CST 2024
0.main - [29/Mar/2024:04:03:13 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
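Added example (mine, not code from the post or from FreeIPA/Dogtag): in every selftests.log failure above, the NotBefore is a few seconds later than the bracketed timestamp of the self-test that rejected it (03:41:49 vs 03:41:32, 03:28:37 vs 03:28:24), which is what CertificateNotYetValidException reports when the replica's clock is behind the issuing CA's clock. The script parses those lines and reports the skew; its sample lines are constructed from the post, and it assumes the NotBefore zone abbreviation (CST) names the same zone as the log's GMT-06:00 offset.

```python
import re
from datetime import datetime

# Sample lines constructed from the selftests.log excerpts in the post.
SAMPLE_LOG = """\
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] CAPresence: CA is present
0.main - [01/Apr/2024:03:41:32 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024
0.main - [29/Mar/2024:03:28:24 GMT-06:00] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Fri Mar 29 03:28:37 CST 2024
"""

# Bracketed self-test timestamp, certificate nickname, and the NotBefore
# text that Dogtag's CertUtils puts into the failure message.
FAILURE_RE = re.compile(
    r"\[(?P<checked>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) GMT[+-]\d{2}:\d{2}\]"
    r".*Invalid certificate (?P<nick>.+?): "
    r"NotBefore: (?P<nb>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4})"
)


def not_yet_valid_failures(log_text):
    """Return [(nickname, skew_seconds)] for each self-test failure whose
    NotBefore lies after the moment the self-test ran.

    Assumption: the NotBefore zone abbreviation and the log's GMT offset
    name the same zone, so both are compared as local wall-clock times.
    """
    findings = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        checked_at = datetime.strptime(m["checked"], "%d/%b/%Y:%H:%M:%S")
        not_before = datetime.strptime(
            f"{m['nb']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        skew = int((not_before - checked_at).total_seconds())
        if skew > 0:  # certificate is dated in the replica's future
            findings.append((m["nick"], skew))
    return findings


def max_skew(log_text):
    """Largest future-dating seen, or 0 when no NotBefore was in the future."""
    return max((s for _, s in not_yet_valid_failures(log_text)), default=0)


if __name__ == "__main__":
    for nick, skew in not_yet_valid_failures(SAMPLE_LOG):
        print(f"{nick}: NotBefore is {skew}s after the self-test ran")
    if max_skew(SAMPLE_LOG) > 0:
        print("Replica clock was behind the CA's clock at issuance; "
              "verify time sync on both hosts (chronyc tracking) before retrying.")
```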