When installing a replica against a server that was installed with an external CA, the replica installation always fails with CA_UNREACHABLE when trying to get certificates for the DS:
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
getcert list shows the following information:
getcert list
Request ID '20180504072406':
	status: CA_UNREACHABLE
	ca-error: Server at https://vm-137.example.com/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://vm-137.example.com/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: Failed to connect to vm-137.example.com port 443: Connection refused).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-171-014-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-171-014-EXAMPLE-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-171-014-EXAMPLE-COM',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOM-171-014-EXAMPLE-COM
	track: yes
	auto-renew: yes
Metadata Update from @stlaz:
- Issue assigned to stlaz
HTTPD error log shows possible problems:
121071:tid 140487541372672] [client 2620:52:0:25aa:21a:4aff:fe23:1355:41416] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)
121071:tid 140487541372672] [client 2620:52:0:25aa:21a:4aff:fe23:1355:41416] AH02261: Re-negotiation handshake failed
121071:tid 140487541372672] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
120353:tid 140488022312704] [remote 2620:52:0:25aa:21a:4aff:fe23:135c:57094] ipa: INFO: [xmlserver] host/vm-137.example.com@DOM-171-014.EXAMPLE.COM: cert_request('MIIEZjCCA04CAQAwZTEzMDEGA1UEChMqRE9NLTE3MS0wMTQuQUJDLklETS5MQUIuRU5HLkJSUS5SRURIQVQuQ09NMS4wLAYDVQQDEyV2b>
] [pid 120347:tid 140488936638720] AH00492: caught SIGWINCH, shutting down gracefully
d 122580:tid 139685563676928] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
pid 122580:tid 139685563676928] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
22580:tid 139685563676928] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.0h 27 Mar 2018, version currently loaded is OpenSSL 1.1.0g-fips 2 Nov 2017) - may result in undefined or erroneous behavior
22580:tid 139685563676928] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.0h 27 Mar 2018, version currently loaded is OpenSSL 1.1.0g-fips 2 Nov 2017) - may result in undefined or erroneous behavior
The problem seems to be resolvable by setting SSLVerifyDepth properly in ssl.conf.
I don't understand why Apache mod_ssl limits the verify depths for client certs. A value of 5 should be good enough to support even nested lightweight sub CAs.
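The depth rule behind the AH02040 line above, as an added example that is not FreeIPA's or mod_ssl's code: a small Python check that parses an httpd-style configuration, resolves the SSLVerifyDepth in effect for a given Location (mod_ssl's default is 1 when the directive is absent), orders a client certificate chain from the leaf upward the way OpenSSL assigns verification depths, and reports whether the chain would be accepted. The configuration fragments, the three-certificate chain (host certificate, IPA CA subordinate to an external root) and the `" > "` context naming are constructed for this script and assume nothing beyond what the log line states.

```python
"""Check a client certificate chain against the effective mod_ssl SSLVerifyDepth.

Added example; models the depth rule as mod_ssl logs it (AH02040): the leaf
sits at depth 0, each issuer one deeper, and a chain whose root lies deeper
than SSLVerifyDepth is rejected.
"""
import re

DEFAULT_VERIFY_DEPTH = 1      # mod_ssl's documented default when the directive is unset
_SEP = ' > '                  # separator used by this script for nested section paths
_OPEN = re.compile(r'^<(\w+)\s*([^>]*)>$')
_CLOSE = re.compile(r'^</\w+>$')


def parse_verify_depths(conf_text):
    """Map each section path that sets SSLVerifyDepth to its value ('' = server level).

    Only the small subset of httpd syntax needed for this check is understood:
    <Section args> ... </Section> nesting, comments and one directive per line.
    """
    depths, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(f'{m.group(1)} {m.group(2).strip()}'.strip())
            continue
        if _CLOSE.match(line):
            stack.pop()
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == 'sslverifydepth':
            depths[_SEP.join(stack)] = int(parts[1])
    return depths


def effective_verify_depth(depths, context):
    """Most specific enclosing section wins, then server level, then the default."""
    parts = context.split(_SEP) if context else []
    for i in range(len(parts), -1, -1):
        key = _SEP.join(parts[:i])
        if key in depths:
            return depths[key]
    return DEFAULT_VERIFY_DEPTH


def order_chain(certs, leaf_subject):
    """Order (subject, issuer) pairs leaf first by following issuer links to a self-signed root."""
    issuer_of = dict(certs)
    chain = [leaf_subject]
    while True:
        current = chain[-1]
        if current not in issuer_of:
            raise ValueError(f'certificate {current!r} missing from chain')
        issuer = issuer_of[current]
        if issuer == current:         # self-signed root ends the walk
            return chain
        if issuer in chain:
            raise ValueError('issuer loop in chain')
        chain.append(issuer)


def check_client_chain(conf_text, context, certs, leaf_subject):
    """Return (allowed_depth, required_depth, accepted) for a client chain in `context`."""
    allowed = effective_verify_depth(parse_verify_depths(conf_text), context)
    required = len(order_chain(certs, leaf_subject)) - 1   # depth index of the root
    return allowed, required, required <= allowed


# Constructed configuration fragments (not copied from httpd or FreeIPA).
WEAK_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    # SSLVerifyDepth left at its default of 1
    <Location "/ipa/xml">
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""
FIXED_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    <Location "/ipa/xml">
        SSLVerifyClient require
        SSLVerifyDepth 5
    </Location>
</VirtualHost>
"""
# Constructed chain: host cert (depth 0) <- IPA CA (depth 1) <- external root (depth 2).
HOST_CERT = 'CN=vm-137.example.com,O=DOM-171-014.EXAMPLE.COM'
EXTERNAL_CA_CHAIN = [
    ('CN=External Root CA,O=EXAMPLE', 'CN=External Root CA,O=EXAMPLE'),
    ('CN=Certificate Authority,O=DOM-171-014.EXAMPLE.COM', 'CN=External Root CA,O=EXAMPLE'),
    (HOST_CERT, 'CN=Certificate Authority,O=DOM-171-014.EXAMPLE.COM'),
]
IPA_XML_CONTEXT = 'VirtualHost _default_:443 > Location "/ipa/xml"'

if __name__ == '__main__':
    for label, conf in (('default depth', WEAK_CONF), ('SSLVerifyDepth 5', FIXED_CONF)):
        allowed, required, ok = check_client_chain(conf, IPA_XML_CONTEXT, EXTERNAL_CA_CHAIN, HOST_CERT)
        verdict = 'accepted' if ok else f'rejected: chain depth {required} > allowed {allowed}'
        print(f'{label}: {verdict}')
```

With the default depth the script reports the external-CA chain as rejected (depth 2 against an allowed 1), which matches the "chain has 2 certificates, but maximum allowed are only 1" message; with SSLVerifyDepth 5 in the /ipa/xml Location it is accepted, while the surrounding VirtualHost keeps its default of 1.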
master:
Metadata Update from @stlaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)