Attempting to install KRA on a server that has a CA but was originally installed CA-less fails. It seems there is an issue with the certificate (see dirsrv access log).

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp3CYZRR' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
[error] RuntimeError: KRA configuration failed.

2017-05-03T12:50:41Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20170503145041.log
Loading deployment configuration from /tmp/tmp3CYZRR.
ERROR: Unable to access directory server: Can't contact LDAP server

2017-05-03T12:50:41Z DEBUG stderr=
2017-05-03T12:50:41Z CRITICAL Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp3CYZRR' returned non-zero exit status 1
2017-05-03T12:50:41Z CRITICAL See the installation logs and the following files/directories for more information:
2017-05-03T12:50:41Z CRITICAL   /var/log/pki/pki-tomcat
2017-05-03T12:50:41Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 289, in __spawn_instance
    tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 395, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: KRA configuration failed.

[03/May/2017:14:50:41.472662295 +0200] conn=26 fd=104 slot=104 SSL connection from dead::beef to dead::beef
[03/May/2017:14:50:41.486067611 +0200] conn=26 op=-1 fd=104 closed - Peer does not recognize and trust the CA that issued your certificate.
[03/May/2017:14:50:41.635267232 +0200] conn=24 op=1 UNBIND
[03/May/2017:14:50:41.635309926 +0200] conn=24 op=1 fd=103 closed - U1
Metadata Update from @pvoborni:
- Custom field rhbz adjusted to todo
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.1
If the patch is not invasive, then fix in 4.5.x; if it is invasive, then in 4.7.
Issue happens because ipa-ca-install overwrites /etc/ipa/ca.crt with the new IPA CA instead of appending the new cert. Because of that, the CA that signed the httpd and dirsrv Server-Certs is removed from /etc/ipa/ca.crt, and any tool communicating via SSL with dirsrv and using /etc/ipa/ca.crt will fail to connect.
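The root cause described above (overwriting /etc/ipa/ca.crt drops the CA that issued the existing httpd and dirsrv service certificates, so every client that pins that bundle stops trusting them) can be illustrated with a small PEM-bundle merge routine. This is an added example, not FreeIPA's code or the fix in the linked pull request; the PEM blocks are constructed placeholders with fake base64 bodies, and the function names are assumptions. It contrasts the overwrite behaviour with an append-and-deduplicate merge, which is the general shape of a safe CA bundle update.

```python
import re
from typing import List

# Constructed placeholder PEM blocks (the base64 bodies are NOT real
# certificates; only their distinctness matters for the merge logic).
OLD_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "T0xEQ0EwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=\n"
    "-----END CERTIFICATE-----\n"
)
NEW_IPA_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "TkVXSVBBQ0EwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def split_pem(bundle: str) -> List[str]:
    """Return every CERTIFICATE block in a PEM bundle, whitespace-normalised
    so that the same certificate compares equal regardless of line endings."""
    return [
        "\n".join(line.strip() for line in m.group(0).splitlines())
        for m in _PEM_BLOCK.finditer(bundle)
    ]


def overwrite_bundle(existing: str, new_chain: str) -> str:
    """The behaviour the ticket describes: the existing bundle is thrown away
    and replaced by the new CA chain alone (hypothetical helper)."""
    return "".join(cert + "\n" for cert in split_pem(new_chain))


def append_chain(existing: str, new_chain: str) -> str:
    """Keep every certificate already in the bundle and add the new chain,
    skipping blocks that are already present so repeated runs do not grow
    the file (hypothetical helper)."""
    certs = split_pem(existing)
    seen = set(certs)
    for cert in split_pem(new_chain):
        if cert not in seen:
            certs.append(cert)
            seen.add(cert)
    return "".join(cert + "\n" for cert in certs)


def trusts_issuer(bundle: str, issuer_pem: str) -> bool:
    """True if the bundle still contains the CA that issued an existing
    service certificate, i.e. a client pinned to the bundle can verify it."""
    return split_pem(issuer_pem)[0] in split_pem(bundle)


if __name__ == "__main__":
    broken = overwrite_bundle(OLD_CA_PEM, NEW_IPA_CA_PEM)
    fixed = append_chain(OLD_CA_PEM, NEW_IPA_CA_PEM)
    print("overwrite keeps old CA:", trusts_issuer(broken, OLD_CA_PEM))
    print("append keeps old CA:   ", trusts_issuer(fixed, OLD_CA_PEM))
    print("certs after a second append:",
          len(split_pem(append_chain(fixed, NEW_IPA_CA_PEM))))
```

With the overwrite variant, `trusts_issuer` reports that the bundle no longer contains the CA behind the existing dirsrv certificate, which is exactly the "Peer does not recognize and trust the CA that issued your certificate" condition in the access log above; the append variant keeps both CAs and is idempotent.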
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/794
Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1451712 (was: todo)
master:
d932642 ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt

ipa-4-5:
653d2f4 ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)