CA replica installation fails because the caSigningCert cert-pki-ca is imported under a different name. The issue is caused by the fact that SQL NSS DB handles duplicated certificates differently than DBM format.
See https://bugzilla.redhat.com/show_bug.cgi?id=1561730#c18
# ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Waiting for keys to appear on host: master.ipa.example, please wait until this has completed.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/24]: creating certificate server db
  [2/24]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
  [3/24]: creating installation admin user
  [4/24]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpgls3uefb'] returned non-zero exit status 1: 'certutil: could not find certificate named "caSigningCert cert-pki-ca": SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

Logs:

2018-04-12 10:55:50 pki.nssdb : DEBUG    Command: pki -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile pkcs12-import --pkcs12-file /tmp/ca.p12 --pkcs12-password-file /tmp/tmpkt79_h7u/password.txt
2018-04-12 10:55:52 pki.nssdb : DEBUG    Command: certutil -M -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n caSigningCert cert-pki-ca -t CTu,Cu,Cu
2018-04-12 10:55:52 pkispawn  : DEBUG    ....... Error Type: CalledProcessError
2018-04-12 10:55:52 pkispawn  : DEBUG    ....... Error Message: Command '['certutil', '-M', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/pfile', '-n', 'caSigningCert cert-pki-ca', '-t', 'CTu,Cu,Cu']' returned non-zero exit status 255.
2018-04-12 10:55:52 pkispawn  : DEBUG    .......
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 160, in spawn
    trust_attributes='CTu,Cu,Cu')
  File "/usr/lib/python3.6/site-packages/pki/nssdb.py", line 405, in modify_cert
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
No error
freeipa-server-4.6.90.pre1.dev201804101513+git8246d0cd5-0.fc28.x86_64
freeipa-client-4.6.90.pre1.dev201804101513+git8246d0cd5-0.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.6-2.fc28.x86_64
pki-ca-10.6.0-1.fc28.noarch
krb5-server-1.16-21.fc28.x86_64
Dogtag's NSS DB on the replica:
# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/pfile -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.EXAMPLE IPA CA                                           CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,
subsystemCert cert-pki-ca                                    ,,

# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/pfile -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      e91db0933d1c775cdb1492f72f2f79c0d7827341   IPA.EXAMPLE IPA CA
< 1> rsa      07cbbacc767f3637c6d50709d63d5a56b9126d2a   ocspSigningCert cert-pki-ca
< 2> rsa      d2cb9e6fd3a70577dfdf21bca0a109579e0dfdd8   auditSigningCert cert-pki-ca
< 3> rsa      d93bf162f76f6615ff9ace27140db25577aba8e4   subsystemCert cert-pki-ca
NSS DB on the master:
# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/pfile -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
transportCert cert-pki-kra                                   u,u,u
storageCert cert-pki-kra                                     u,u,u
auditSigningCert cert-pki-kra                                u,u,Pu

# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/pfile -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      1a475725cbc56f529022f068416d6bd8a5c8aac9   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      e91db0933d1c775cdb1492f72f2f79c0d7827341   caSigningCert cert-pki-ca
< 2> rsa      07cbbacc767f3637c6d50709d63d5a56b9126d2a   ocspSigningCert cert-pki-ca
< 3> rsa      d93bf162f76f6615ff9ace27140db25577aba8e4   subsystemCert cert-pki-ca
< 4> rsa      d2cb9e6fd3a70577dfdf21bca0a109579e0dfdd8   auditSigningCert cert-pki-ca
< 5> rsa      ae3c66ea7dc8965dde85d6c76a2e5f86a2cd6023   transportCert cert-pki-kra
< 6> rsa      244461a094ed05b02a6c8f351878440a23cc7ed4   storageCert cert-pki-kra
< 7> rsa      7457caaaa634d5c5cf98c766cde86dc111819f35   auditSigningCert cert-pki-kra
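The two listings show the same CA private key (key ID e91db0933d1c775cdb1492f72f2f79c0d7827341) on both hosts, but on the replica it sits under the nickname "IPA.EXAMPLE IPA CA" rather than "caSigningCert cert-pki-ca", which is why `certutil -M -n "caSigningCert cert-pki-ca"` cannot find it. The script below is an added example, not FreeIPA or Dogtag code: it parses `certutil -L` and `certutil -K` output, maps key IDs to nicknames, and reports any expected key that is present in the database but not reachable under the nickname Dogtag will ask for, so the mismatch can be spotted before pkispawn fails. The embedded listings are constructed from this ticket; the `EXPECTED_KEYS` mapping and the `certutil_output` helper are assumptions about how one would point it at a live database.

```python
import re
import subprocess

# Sample `certutil -L` and `certutil -K` output for the replica's Dogtag
# NSS DB, constructed from the listings in this ticket.
REPLICA_CERT_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.EXAMPLE IPA CA                                           CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,
subsystemCert cert-pki-ca                                    ,,
"""
REPLICA_KEY_LIST = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      e91db0933d1c775cdb1492f72f2f79c0d7827341   IPA.EXAMPLE IPA CA
< 1> rsa      07cbbacc767f3637c6d50709d63d5a56b9126d2a   ocspSigningCert cert-pki-ca
< 2> rsa      d2cb9e6fd3a70577dfdf21bca0a109579e0dfdd8   auditSigningCert cert-pki-ca
< 3> rsa      d93bf162f76f6615ff9ace27140db25577aba8e4   subsystemCert cert-pki-ca
"""

# The master's listings, abridged to the CA entries (constructed from the ticket).
MASTER_CERT_LIST = """\
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""
MASTER_KEY_LIST = """\
< 1> rsa      e91db0933d1c775cdb1492f72f2f79c0d7827341   caSigningCert cert-pki-ca
< 2> rsa      07cbbacc767f3637c6d50709d63d5a56b9126d2a   ocspSigningCert cert-pki-ca
< 3> rsa      d93bf162f76f6615ff9ace27140db25577aba8e4   subsystemCert cert-pki-ca
< 4> rsa      d2cb9e6fd3a70577dfdf21bca0a109579e0dfdd8   auditSigningCert cert-pki-ca
"""

# Assumed: nickname -> key ID that pkispawn must find, taken from the master.
EXPECTED_KEYS = {
    "caSigningCert cert-pki-ca": "e91db0933d1c775cdb1492f72f2f79c0d7827341",
    "ocspSigningCert cert-pki-ca": "07cbbacc767f3637c6d50709d63d5a56b9126d2a",
    "subsystemCert cert-pki-ca": "d93bf162f76f6615ff9ace27140db25577aba8e4",
    "auditSigningCert cert-pki-ca": "d2cb9e6fd3a70577dfdf21bca0a109579e0dfdd8",
}

# `certutil -K` rows: "< n> rsa  <40 hex key id>  <nickname>"
KEY_LINE = re.compile(r"^<\s*\d+>\s+(\w+)\s+([0-9a-f]{40})\s+(.*?)\s*$")
# `certutil -L` rows: "<nickname>   <SSL>,<S/MIME>,<JAR/XPI> trust flags"
CERT_LINE = re.compile(r"^(.*?)\s+([CTPpcu]*,[CTPpcu]*,[CTPpcu]*)\s*$")
TOKEN_PREFIX = "NSS Certificate DB:"


def parse_cert_list(text):
    """Map nickname -> trust attributes from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = CERT_LINE.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_key_list(text):
    """Map key ID -> nickname from `certutil -K` output, dropping the
    internal-token prefix certutil sometimes prints before a nickname."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            nick = m.group(3)
            if nick.startswith(TOKEN_PREFIX):
                nick = nick[len(TOKEN_PREFIX):]
            keys[m.group(2)] = nick
    return keys


def diagnose(cert_list_text, key_list_text, expected_keys):
    """Return (nickname, problem) pairs; an empty list means every expected
    key is reachable under the nickname Dogtag uses for it."""
    certs = parse_cert_list(cert_list_text)
    keys = parse_key_list(key_list_text)
    findings = []
    for nickname, key_id in expected_keys.items():
        found_under = keys.get(key_id)
        if nickname not in certs:
            if found_under is not None:
                findings.append((nickname, f"private key {key_id} is present but "
                                 f"under nickname {found_under!r}; certutil -M -n "
                                 f"{nickname!r} will fail"))
            else:
                findings.append((nickname, "certificate and private key are both absent"))
        elif found_under is None:
            findings.append((nickname, "certificate is present but its private key is not"))
        elif found_under != nickname:
            findings.append((nickname, f"private key is labelled {found_under!r}"))
    return findings


def certutil_output(db_dir, password_file, flag):
    """Run certutil -L or -K against a live NSS DB (assumed wiring, not
    exercised by the offline demo below)."""
    return subprocess.check_output(
        ["certutil", "-d", db_dir, "-f", password_file, flag], universal_newlines=True)


if __name__ == "__main__":
    for nickname, problem in diagnose(REPLICA_CERT_LIST, REPLICA_KEY_LIST, EXPECTED_KEYS):
        print(f"{nickname}: {problem}")
```

Run against the replica listing it reports exactly one finding, for "caSigningCert cert-pki-ca", naming "IPA.EXAMPLE IPA CA" as the nickname the key actually carries; against the master listing it reports nothing. To use it on a host, feed `certutil_output("/etc/pki/pki-tomcat/alias", "/etc/pki/pki-tomcat/pfile", "-L")` and the same call with `"-K"` into `diagnose`.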
Metadata Update from @cheimes:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1568271
master:
Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)