[Freeipa-users] Cant setup replica (freeipa 4.1.3), problem with pki

Łukasz Jaworski ender at kofeina.net
Wed Oct 7 09:44:26 UTC 2015


Looks like the system is missing the CA cert (should it be added during ipa-replica-install?).
I don't know if the missing cert is the main problem in my case, but I made some tests:

try 1:
openssl s_client -connect `hostname -f`:8443
(…)
    Verify return code: 19 (self signed certificate in certificate chain)

try 2:
openssl s_client -connect `hostname -f`:8443 -CAfile /etc/ipa/ca.crt
(…)
    Verify return code: 0 (ok)


After I've added ipa.cert into /etc/pki/tls/cert.pem:
cat /etc/ipa/ca.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

try 3:
openssl s_client -connect `hostname -f`:8443
(…)
    Verify return code: 0 (ok)


Best regards,
Ender
-- 
Łukasz Jaworski

Message written by Łukasz Jaworski <ender at kofeina.net> on 7 Oct 2015, at 08:35:

> Hi,
> 
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
> 
> environment:
> Fedora 21
> 
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> pki-server-10.2.0-5.fc21.noarch
> 
> The same on the server and the replicas.
> 
> 
> Output from ipa-replica-install:
> (…)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>  [1/22]: creating certificate server user  
>  [2/22]: configuring certificate server instance
>  [3/22]: stopping certificate server instance to update CS.cfg
>  [4/22]: backing up CS.cfg
>  [5/22]: disabling nonces
>  [6/22]: set up CRL publishing
>  [7/22]: enable PKIX certificate path discovery and validation
>  [8/22]: starting certificate server instance
>  [error] RuntimeError: CA did not start in 300.0s
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> From /var/log/ipareplica.log:
> 2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
> 2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
> 2015-10-07T06:25:59Z DEBUG Starting external process
> 2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://182.example.com:8443/ca/admin/ca/getStatus'
> 2015-10-07T06:25:59Z DEBUG Process finished, return code=8
> 2015-10-07T06:25:59Z DEBUG stdout=
> 2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59--  https://182.example.com:8443/ca/admin/ca/getStatus
> Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
> Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... connected.
> WARNING: cannot verify 182.example.com's certificate, issued by ‘CN=Certificate Authority,O=ecample.com’:
>  Self-signed certificate encountered.
> HTTP request sent, awaiting response... 
>  HTTP/1.1 500 Internal Server Error
>  Server: Apache-Coyote/1.1
>  Content-Type: text/html;charset=utf-8
>  Content-Language: en
>  Content-Length: 2923
>  Date: Wed, 07 Oct 2015 06:25:59 GMT
>  Connection: close
> 2015-10-07 08:25:59 ERROR 500: Internal Server Error.
> 
> Any idea?
> 
> Best regards,
> Ender
> 
> -- 
> Łukasz Jaworski
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project