Installing the server on Debian fails while configuring the certificate server:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: requesting RA certificate from CA
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
systemctl status certmonger shows:
Error 77 connecting to https://foo:8443/ca/agent/ca//profileReview: Problem with the SSL CA cert (path? access rights?).
and the pki-tomcat logs don't show anything alarming to me.
Debian unstable: 4.6.3-1
Ok so this error is related to not having libnsspem installed, but after installing it I get:
Error 60 connecting to https://sid1.leon:8443/ca/agent/ca//profileReview: Peer certificate cannot be authenticated with given CA certificates.
Can you show the contents of the raw failed certmonger request file in /var/lib/ipa/certmonger/requests? You can skip the contents of the certs, csr, etc.
id=20180221215228
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=FILE
key_storage_location=/var/lib/ipa/ra-agent.key
key_perms=0
key_pubkey=3082010A0282010100AC6740386281457B...
key_pubkey_info=30820122300D06092A864886F70D01...
key_generated_date=20180221215228
key_requested_count=1
key_issued_count=0
cert_storage_type=FILE
cert_storage_location=/var/lib/ipa/ra-agent.pem
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject=O=LEON,CN=IPA RA
template_principal=host/sid1.leon
template_is_ca=0
template_ca_path_length=0
template_profile=caServerCert
template_no_ocsp_check=0
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZTCCAk0CAQAwIDENMAsGA1UECgwETEVPTjEPMA0GA1UEAxMGSVBBIFJBMIIB
...
-----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsZ0A4Yo...
scep_tx=60284385125599101002452242483464435007338417665640849213971555576268953140332
minicert=MIIC2DCCAcACIQCFR8C4+5nAw4FJK+8earKUQzpMdtzGLzEAMrR7oQK8bDA...
state=CA_UNREACHABLE
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=20180221215228
ca_cookie=state=approve&requestId=7
ca_error=Error 60 connecting to https://sid1.leon:8443/ca/agent/ca//profileReview: Peer certificate cannot be authenticated with given CA certificates.
pre_certsave_command=/usr/lib/ipa/certmonger/renew_ra_cert_pre
pre_certsave_uid=0
post_certsave_command=/usr/lib/ipa/certmonger/renew_ra_cert
post_certsave_uid=0
Ok, so that error was due to the pki-tomcat nssdb being on sql, since the new libnss is using it by default. Downgrading libnss fixed that and I got a few steps further, but now got this:
2018-02-22T00:04:43Z DEBUG   [13/28]: publishing the CA certificate
2018-02-22T00:04:43Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 506, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 496, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 807, in __export_ca_chain
    chain = self.__get_ca_chain()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 800, in __get_ca_chain
    raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
And that error is just due to a racy certserv restart: 'systemd is-active' returns way too early on Debian, where tomcat is not initialized with systemd but by an initscript. So after adding some time.sleep() it works.
feel free to close this, thanks for the debugging session on IRC!
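The last failure in the thread is a readiness race: the installer asks systemd whether the unit is active, gets "yes", and immediately connects to port 8443, which the still-initialising Tomcat refuses. A fixed sleep papers over that; the more robust fix is to poll the port until it actually accepts a TCP connection, with a bounded timeout. The following is an added example of that pattern, not code from this ticket or from FreeIPA; the `start_slow_listener` and `bound_but_never_listening_port` helpers are constructed stand-ins for a slowly starting and a never-starting service, and the host, port and timing values are made up for the demonstration.

```python
import socket
import threading
import time


def wait_for_port(host, port, timeout=60.0, interval=0.5):
    """Block until a TCP connection to host:port is accepted.

    Returns the number of seconds waited. Raises TimeoutError if the port
    is still refusing connections when the timeout expires. This is the
    check that 'is-active' does not give you: the unit or init script has
    been started, but that says nothing about whether the daemon listens yet.
    """
    started = time.monotonic()
    deadline = started + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return time.monotonic() - started
        except OSError:  # ECONNREFUSED while nothing is listening
            if time.monotonic() >= deadline:
                raise TimeoutError("%s:%d not accepting connections after %.1fs"
                                   % (host, port, timeout))
            time.sleep(interval)


def start_slow_listener(delay):
    """Constructed stand-in for a slowly initialising pki-tomcat (hypothetical).

    The socket is bound at once, so the port is reserved, but listen() is
    only called after `delay` seconds; until then the kernel answers every
    connect with a reset, which is the 'Connection refused' from the traceback.
    Returns the port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        time.sleep(delay)
        srv.listen(5)
        srv.settimeout(3.0)  # stay up briefly to accept the probe, then exit
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


_never_ready = []  # keep these sockets alive so their ports stay bound


def bound_but_never_listening_port():
    """Constructed failure case (hypothetical): a port that is bound but never
    listen()ed on, so every connect is refused for good. Exercises the
    timeout path of wait_for_port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    _never_ready.append(s)
    return s.getsockname()[1]


if __name__ == "__main__":
    port = start_slow_listener(delay=1.5)
    print("service reported started; waiting for 127.0.0.1:%d to accept connections" % port)
    print("ready after %.2fs" % wait_for_port("127.0.0.1", port, timeout=10.0))
    try:
        wait_for_port("127.0.0.1", bound_but_never_listening_port(), timeout=1.0)
    except TimeoutError as err:
        print("gave up:", err)
```

In an installer the call would replace the sleep: after restarting the CA, `wait_for_port("localhost", 8443, timeout=...)` and only then fetch the CA chain. The bounded timeout matters as much as the polling: an install step that waits forever on a service that never comes up is harder to diagnose than one that fails with a clear message about which port never opened.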
Metadata Update from @tjaalton:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)
didn't realize I can close it myself