#2336 Improve error reporting when the imported certs are invalid
Closed: migrated 3 years ago by dmoluguw. Opened 7 years ago by spoore.

I am seeing a failure both when using --setup-ca in ipa-replica-install and
when running ipa-ca-install separately when --setup-ca is not used.

From an ipa-ca-install:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
[1/22]: creating certificate server user
[2/22]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command /usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp4raVhy
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

Then at the end of the /var/log/pki/pki-tomcat/ca/debug, I see this:

[01/Apr/2016:20:49:37]http-bio-8443-exec-3: SystemConfigService: clone does
not have all the certificates.
[01/Apr/2016:20:49:37]http-bio-8443-exec-3: Clone does not have all the
required certificates

Steps to Reproduce:

1.  Install IPA master
2.  Install IPA replica
3.  Install CA on replica using:
ipa-ca-install -p Password -w Password /var/lib/ipa/replica-file.gpg

Problem was also seen with 2 steps:
1.  Install IPA master
2.  Install IPA replica with CA
include --setup-ca in ipa-replica-install command.

Actual results:

Fails as mentioned above.

Expected results:

No failure and CA properly installed.

Additional info:

While this particular problem might be caused by an environment issue, an invalid certificate could happen for various reasons (e.g. expired certificate, future certificate validity, missing extension). To help with troubleshooting, the installation code should be fixed to show which specific certificate is missing/invalid.
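
The kind of per-certificate report requested above, as an added sketch that is not part of the original ticket and is not Dogtag PKI or IPA code. It assumes the validity dates and extension names have already been extracted from each imported certificate; the nicknames and the required-extension table are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class CertInfo:
    """Fields already extracted from one imported certificate (assumed input)."""
    nickname: str
    not_before: datetime
    not_after: datetime
    extensions: set = field(default_factory=set)

def diagnose_import(required, imported, now):
    """Return one message per problem, naming the certificate and the reason."""
    by_name = {c.nickname: c for c in imported}
    problems = []
    for nickname, needed_exts in required.items():
        cert = by_name.get(nickname)
        if cert is None:
            problems.append(f"{nickname}: missing from imported certificates")
            continue
        if now < cert.not_before:
            problems.append(f"{nickname}: not yet valid (notBefore {cert.not_before:%Y-%m-%d})")
        if now > cert.not_after:
            problems.append(f"{nickname}: expired (notAfter {cert.not_after:%Y-%m-%d})")
        for ext in sorted(needed_exts - cert.extensions):
            problems.append(f"{nickname}: missing extension {ext}")
    return problems

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data; nicknames and required extensions are hypothetical.
NOW = utc(2016, 4, 1)
REQUIRED = {
    "ca-signing": {"basicConstraints", "keyUsage"},
    "ocsp-signing": {"extendedKeyUsage"},
    "subsystem": set(),
    "audit-signing": {"keyUsage"},
}
IMPORTED = [
    CertInfo("ca-signing", utc(2016, 1, 1), utc(2036, 1, 1), {"basicConstraints", "keyUsage"}),
    CertInfo("ocsp-signing", utc(2014, 1, 1), utc(2016, 1, 1)),  # expired, no EKU
    CertInfo("subsystem", utc(2016, 5, 1), utc(2018, 5, 1)),     # validity starts in the future
]

if __name__ == "__main__":
    for line in diagnose_import(REQUIRED, IMPORTED, NOW):
        print(line)
```
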

Per CS/DS Meeting of 05/23/2016: 10.4

Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - major

Metadata Update from @spoore:
- Issue set to the milestone: 10.4

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue priority set to: 2 (was: 3)

7 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.4)

7 years ago

Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)

6 years ago

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

6 years ago

Per 10.5.x/10.6 Triage: 10.6

mharmsen: improve error reporting

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2456

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
