#6166 Subsequent external CA installation fails
Closed: Fixed None Opened 7 years ago by jcholast.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1341249

Created attachment 1163261
Logs from installing the external CA

Description of problem:
When trying to subsequently install an external CA on a CA-less IdM
installation, the setup fails, because the CA status can't be checked after
restarting pki-tomcatd@pki-tomcat.service.

In the ipaserver-ca-install.log logfile you can see that the URL
https://vm-01.idm.example.com:8443/ca/admin/ca/getStatus returns a 404 error
(Not found).



Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.15.x86_64



How reproducible:
Always.



Steps to Reproduce:
1. Set up an IdM master without CA
2. Run "ipa-ca-install --external-ca"
3. Submit the CSR to the external CA and copy the issued certificate + CA
certificate to the IdM host.
4. Continue with the CA Setup
  ipa-ca-install --external-cert-file=/root/vm-01.idm.example.com.crt --external-cert-file=/root/ca.crt



Actual results:
When continuing with the second step of the CA setup, ipa-ca-install fails:
...
  [13/27]: restarting certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the
Dogtag instance.See the installation log for details.



Expected results:
ipa-ca-install should finish successfully.

master:

  • a42b456 install: fix external CA cert validation

ipa-4-3:

  • 44401d2 install: fix external CA cert validation

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.3.3

7 years ago
