https://bugzilla.redhat.com/show_bug.cgi?id=1358752
Description of problem: After promoting IPA server from CA-less to CA-full, ipa-ca-install fails to install CA on replica server.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Install IPA server
[root@ipamaster1 ca1]# ipa-server-install --ip-address $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r testrelm.test -p 'Secret123' -a 'Secret123' --setup-dns --forwarder 10.65.201.89 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin Secret123 --http-pin Secret123

[root@ipareplica1 ca1]# ipa-replica-install -U --dirsrv-cert-file=./replica.p12 --http-cert-file=./replica.p12 --dirsrv-pin Secret123 --http-pin Secret123 -P admin -w Secret123

[root@ipamaster1 ca1]# ipa-ca-install

[root@ipareplica1 ca1]# ipa-ca-install
Directory Manager (existing master) password:
Run connection check to master
Connection check OK
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: creating certificate server db
  [3/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
  [4/25]: creating installation admin user
  [5/25]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpzHP3HH' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
Actual results: IPA replica promotion from CA-less to CA-full fails with stack trace
Expected results: IPA replica should be converted from CA-less to CA-full.
Additional info:
[21/Jul/2016:07:36:45][http-bio-8443-exec-3]: Getting install token
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: Getting domain XML
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipamaster1.testrelm.test:443/ca/admin/ca/getDomainXML
javax.ws.rs.ProcessingException: Unable to invoke request
<snip> </snip>
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
        ... 73 more
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: Failed to obtain security domain decriptor from security domain master: javax.ws.rs.ProcessingException: Unable to invoke request
Fixed in master:
PKI has been fixed to import the PKCS #12 generated by Custodia properly. However, to fix IPA cloning properly it looks like Custodia needs to include the 3rd-party DS/HTTP certificates into the PKCS #12 file.
Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.5
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2544
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.