[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

Rob Crittenden rcritten at redhat.com
Wed May 25 15:46:44 UTC 2016


lejeczek wrote:
>
>
> On 25/05/16 14:19, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi there,
>>>
>>> I'm trying to set up a replica with: --setup-dns --no-forwarders
>>> --setup-ca
>>>
>>> installer fails at:
>>>
>>>   [10/23]: importing CA chain to RA certificate database
>>>    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
>>> Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> more from log:
>>>
>>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
>>> certificate database
>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 418, in start_creation
>>>      run_step(full_msg, method)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 408, in run_step
>>>      method()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 1015, in __import_ca_chain
>>>      chain = self.__get_ca_chain()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 997, in __get_ca_chain
>>>      raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection
>>> refused
>>>
>>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
>>> chain: [Errno 111] Connection refused
>>> 2016-05-25T12:38:31Z DEBUG   File
>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>> execute
>>>
>>> what might be the problem?
>>
>> It is failing getting the CA chain from dogtag. It uses port 8080 by
>> default. I'd check your firewall and that the remote CA is up.
>>
> thanks Rob,
> I opened 8080/tcp (it was closed) but I still get a failure, a different
> error though:
>
>    [2/23]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpY2oGh1'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>    [error] RuntimeError: CA configuration failed.
>
> I noticed - /var/log/pki-ca-install.log does NOT exist
> and log file:
>
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
> 2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>    InsecureRequestWarning)
> pkispawn    : ERROR    ....... server failed to restart
>
> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
> 2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:

You need to look in those files/directories for more details. Dogtag 
doesn't return much on failures and we display what we have but all the 
real meat is in those logs.

> can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 -
> why does the installer complain about it being used, so that I have to change the
> port for the installer to start?

Because there is no easy way to determine what is using that port. If it 
is mod_ssl or some other web server instead then things go sideways 
pretty fast.

rob

>
>> I'm surprised the port checker didn't discover this if it is a
>> firewall issue and that would be a bug (either the port not being
>> checked or not using the proxy).
>>
>> rob
>
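As an added pre-flight check, not code from FreeIPA or from anyone in this thread, the script below tests the two things Rob points at before the installer is run: whether the master's Dogtag port 8080 answers at all (the CA-chain fetch that failed with errno 111) and which local process already holds port 443 (something the installer itself cannot tell you). The master hostname, the `ss -ltnp` row format it parses and all helper names are assumptions.

```python
"""Pre-flight checks before ipa-replica-install --setup-ca (added example, not
FreeIPA code): assumes Dogtag on the master answers on TCP 8080 as stated above."""
import re
import socket
import subprocess
from typing import Optional, Tuple

DOGTAG_PORT = 8080      # port the installer uses to fetch the CA chain
LOCAL_HTTPS_PORT = 443  # must be free for the IPA httpd instance


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, Optional[str]]:
    """TCP connect test; returns (True, None) or (False, reason text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except OSError as e:
        return False, str(e)  # e.g. "[Errno 111] Connection refused"


# Matches one `ss -ltnp` row, e.g. (constructed sample):
# LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("httpd",pid=1234,fd=4))
_SS_ROW = re.compile(r'^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def listeners_from_ss(output: str) -> dict:
    """Map local port -> (process name, pid) parsed from `ss -ltnp` text."""
    found = {}
    for line in output.splitlines():
        m = _SS_ROW.match(line.strip())
        if m:
            found[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return found


def who_holds_port(port: int, ss_output: Optional[str] = None) -> Optional[Tuple[str, int]]:
    """(name, pid) listening on `port`; runs `ss -ltnp` unless output is supplied."""
    if ss_output is None:
        ss_output = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return listeners_from_ss(ss_output).get(port)


def preflight(master: str, ss_output: Optional[str] = None) -> list:
    """Human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    ok, reason = tcp_reachable(master, DOGTAG_PORT)
    if not ok:
        findings.append(f"{master}:{DOGTAG_PORT} unreachable ({reason}); check firewall and Dogtag on master")
    holder = who_holds_port(LOCAL_HTTPS_PORT, ss_output)
    if holder:
        findings.append(f"local port {LOCAL_HTTPS_PORT} held by {holder[0]} (pid {holder[1]}); stop it or move it")
    return findings
```

Run `preflight("master.example.test")` on the replica-to-be; an empty result means both checks passed, otherwise the findings name what to fix before re-running the installer.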
