#5602 ipa-ca-install fails on replica if the master was updated from CA-less to CA-full
Closed: Fixed None Opened 8 years ago by jcholast.

If ipa-ca-install is run after ipa-replica-install was run against master (on any domain level) which has been updated from CA-less, it fails with:

  [4/23]: creating installation admin user
  [5/23]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpvzAgLI' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

I get this pki-tomcatd warning in journalctl on the replica:

server[11870]: CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|AILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|

And this error in /var/log/pki/pki-tomcat/ca/debug:

[25/Jan/2016:08:33:55][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[25/Jan/2016:08:33:55][http-bio-8443-exec-3]: ConfigurationUtils: GET https://vm-244.abc.idm.lab.eng.brq.redhat.com:443/ca/admin/ca/getDomainXML
javax.ws.rs.ProcessingException: Unable to invoke request
<very long traceback>
[25/Jan/2016:08:33:55][http-bio-8443-exec-3]: Failed to obtain security domain decriptor from security domain master: javax.ws.rs.ProcessingException: Unable to invoke request

On the master, there is no trace of the getDomainXML request.

PKi bug won't be ready in 4.2.4 timeframe, moving to 4.2.5.

PKI ticket 1742 was fixed.

Let's adjust IPA configuration according to information in the ticket.


  • 1276083 spec file: bump minimum required pki-core version


  • bd5abb4 spec file: bump minimum required pki-core version


  • c90d6cd spec file: bump minimum required pki-core version

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.5

7 years ago

Log in to comment on this ticket.