I had ipa-kra-install fail with:
    [1/8]: configuring KRA instance
    Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp2R8wDu'' returned non-zero exit status 1
/var/log/ipaserver-kra-install.log contained:
    ERROR: Unable to access directory server: Confidentiality required
which helped ab point me in the right direction. I had hardened the configuration of freeipa dirsrv by setting (at least) three things in dse.ldif:
    nsslapd-allow-anonymous-access: rootdse
    nsslapd-minssf: 56
    nsslapd-require-secure-binds: on
Reverting them to the defaults (on, 0, off) allowed ipa-kra-install to complete.
This was all done on a CentOS 7.2 (upgraded from 7.1) system.
I think this is an issue in IPA installation code. In order to use SSL connection during KRA installation the IPA installer should have created a KRA deployment descriptor with the following parameters:
    pki_ds_ldaps_port=636
    pki_ds_secure_connection=True
    pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
    pki_ds_secure_connection_ca_pem_file=dsca.pem
See also http://pki.fedoraproject.org/wiki/Enabling_SSL_Connection_with_Internal_Database.
I opened IPA ticket #5570 (https://fedorahosted.org/freeipa/ticket/5570) for this issue.
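A preflight check for the mismatch described in the comment above, added here as an example and not FreeIPA or Dogtag code: it parses a constructed dse.ldif and a constructed pkispawn deployment config and reports whether a hardened directory server would reject the cleartext bind the KRA installer attempts. The [KRA] section name and the sample key values are assumptions.

```python
import configparser

# Constructed sample: the three hardening attributes from the report.
DSE_LDIF = """dn: cn=config
cn: config
nsslapd-allow-anonymous-access: rootdse
nsslapd-minssf: 56
nsslapd-require-secure-binds: on
"""

# Constructed sample of a deployment config without the secure-DS settings.
KRA_CFG_INSECURE = """[KRA]
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
"""

# The same config plus the four parameters the comment says are needed.
KRA_CFG_SECURE = KRA_CFG_INSECURE + """pki_ds_ldaps_port=636
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=dsca.pem
"""

def parse_dse_config(ldif_text):
    """Return the attributes of the first LDIF entry as a dict with
    lower-cased keys; single-valued attributes are assumed."""
    attrs = {}
    for line in ldif_text.splitlines():
        if not line or line.startswith('#'):
            continue
        if line.startswith('dn:') and attrs:
            break  # a second entry starts here; only cn=config is needed
        key, _, value = line.partition(':')
        attrs[key.strip().lower()] = value.strip()
    return attrs

def ds_requires_tls(dse):
    """True if the DS will refuse a cleartext authenticated bind."""
    minssf = int(dse.get('nsslapd-minssf', '0'))
    secure_binds = dse.get('nsslapd-require-secure-binds', 'off').lower() == 'on'
    return minssf > 0 or secure_binds

def kra_install_compatible(dse_ldif, pkispawn_cfg):
    """Return (ok, reason); ok is False when the DS demands TLS but
    pkispawn is not configured to use an ldaps connection."""
    dse = parse_dse_config(dse_ldif)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(pkispawn_cfg)
    kra = cfg['KRA']
    secure = kra.get('pki_ds_secure_connection', 'False').lower() == 'true'
    if not ds_requires_tls(dse):
        return True, 'DS accepts cleartext binds'
    if secure and kra.get('pki_ds_ldaps_port') == '636':
        return True, 'DS requires TLS and pkispawn will connect over ldaps'
    return False, 'DS requires TLS but pki_ds_secure_connection is not set'
```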
Metadata Update from @ptman: - Issue set to the milestone: 10.3.0
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2272
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.