Originally opened as PKI ticket #1713 (https://fedorahosted.org/pki/ticket/1713).
ptman wrote:
I had ipa-kra-install fail with:
[1/8]: configuring KRA instance Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp2R8wDu'' returned non-zero exit status 1
/var/log/ipaserver-kra-install.log contained:
ERROR: Unable to access directory server: Confidentiality required
which helped ab point me in the right direction. I had hardened the configuration of freeipa dirsrv by setting (at least) three things in dse.ldif:
nsslapd-allow-anonymous-access: rootdse
nsslapd-minssf: 56
nsslapd-require-secure-binds: on
Reverting them to the defaults (on, 0, off) allowed ipa-kra-install to complete.
This was all done on a CentOS 7.2 (upgraded from 7.1) system.
edewata wrote:
I think this is an issue in the IPA installation code. In order to use an SSL connection during KRA installation, the IPA installer should have created a KRA deployment descriptor with the following parameters:
pki_ds_ldaps_port=636
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=dsca.pem
See also http://pki.fedoraproject.org/wiki/Enabling_SSL_Connection_with_Internal_Database.
I've created a ticket in Dogtag's trac, https://fedorahosted.org/pki/ticket/2226
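As an added illustration (not code from the FreeIPA or Dogtag projects), the following pre-flight check models the mismatch described in this ticket: it reads the hardened 389-DS settings from a dse.ldif excerpt, decides whether a plaintext LDAP connection would be refused, and verifies that the pkispawn deployment descriptor requests LDAPS with the parameters listed above. The dse.ldif text, the two `[KRA]` descriptors and the rule "minssf > 0 or require-secure-binds on means plaintext is refused" are constructed assumptions for the example.

```python
import configparser
from typing import Dict, Optional

# Constructed dse.ldif excerpt with the hardened settings from the report.
DSE_LDIF = """\
dn: cn=config
nsslapd-allow-anonymous-access: rootdse
nsslapd-minssf: 56
nsslapd-require-secure-binds: on
"""

# Constructed pkispawn descriptors: the plaintext default and the LDAPS variant.
KRA_PLAINTEXT = "[KRA]\npki_ds_ldap_port=389\npki_ds_secure_connection=False\n"
KRA_LDAPS = (
    "[KRA]\n"
    "pki_ds_ldaps_port=636\n"
    "pki_ds_secure_connection=True\n"
    "pki_ds_secure_connection_ca_nickname=Directory Server CA certificate\n"
    "pki_ds_secure_connection_ca_pem_file=dsca.pem\n"
)


def parse_dse(ldif: str) -> Dict[str, str]:
    """Collect cn=config attribute values (names lower-cased) from an LDIF excerpt."""
    attrs: Dict[str, str] = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("dn:"):
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs


def ds_requires_tls(attrs: Dict[str, str]) -> bool:
    """Assumed rule: a non-zero minssf or require-secure-binds=on refuses plaintext binds."""
    minssf = int(attrs.get("nsslapd-minssf", "0"))
    secure_binds = attrs.get("nsslapd-require-secure-binds", "off").lower() == "on"
    return minssf > 0 or secure_binds


def descriptor_ok(descriptor: str, requires_tls: bool) -> bool:
    """Check that the [KRA] section asks for LDAPS whenever the directory demands it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(descriptor)
    kra = cp["KRA"]
    if not requires_tls:
        return True
    pem: Optional[str] = kra.get("pki_ds_secure_connection_ca_pem_file")
    return (kra.get("pki_ds_secure_connection", "False") == "True"
            and kra.get("pki_ds_ldaps_port") == "636"
            and bool(pem))
```

With the reporter's settings the plaintext descriptor fails the check, which is the condition that produced "Confidentiality required" during ipa-kra-install.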
master:
ipa-4-3:
ipa-4-2:
Metadata Update from @edewata:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2.4