When installing a FreeIPA master server with an externally signed CA certificate, I ran into a /usr/sbin/pkispawn error in the second installation phase.

```
# first phase: generate the CSR to be signed by the external CA
ipa-server-install -n somecorp.tld -r SOMECORP.TLD -a 12345678 -p 12345678 --mkhomedir --hostname='ipasrv2.somecorp.tld' --ip-address='192.168.145.12' --ntp-pool=ru.pool.ntp.org --no-hbac-allow --external-ca --external-ca-type=generic --subject-base='O=SOMECORP LLC' --ca-subject='CN=SOMECORP Int CA 2,O=SOMECORP LLC'

# signed CA certificate and CA chain returned by the external CA
/tmp/ipasrv2-ipa.crt
/tmp/ipasrv2-chain.crt

# second phase: continue the installation with the signed certificate
ipa-server-install -n somecorp.tld -r SOMECORP.TLD -a 12345678 -p 12345678 --mkhomedir --hostname='ipasrv2.somecorp.tld' --ip-address='192.168.145.12' --ntp-pool=ru.pool.ntp.org --no-hbac-allow --external-cert-file=/tmp/ipasrv2-ipa.crt --external-cert-file=/tmp/ipasrv2-chain.crt
```
The second installation phase fails with an error at the step `configuring certificate server instance`:

```
Disabled p11-kit-proxy
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp2ss_falm'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: Server unreachable due to SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup\n    raise Exception(\'Server unreachable due to SSL error: %s\' % reason) from exc\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
Expected result: the second installation phase completes without errors.

Using FreeIPA 4.8.4 on CentOS 8.0.1905.
```
$ cat /etc/*release
CentOS Linux release 8.0.1905 (Core)
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"

CentOS Linux release 8.0.1905 (Core)
CentOS Linux release 8.0.1905 (Core)
```

```
ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64
```
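Before rerunning the second phase it is worth confirming that the files given to `--external-cert-file` actually form a valid CA chain, since a broken chain produces the same `CERTIFICATE_VERIFY_FAILED` symptom as a tool bug. The check below is an added example, not part of this ticket or of FreeIPA's installer; it assumes `openssl` is available, and the root CA and subordinate certificate it generates are constructed stand-ins for the corporate CA so the check can be exercised offline.

```shell
#!/bin/sh
# Pre-flight check for ipa-server-install --external-cert-file inputs.
# Assumed usage: check_external_ca_chain /tmp/ipasrv2-ipa.crt /tmp/ipasrv2-chain.crt
set -eu

# Returns 0 when CERT verifies up to a self-signed root contained in CHAIN
# and CERT itself is allowed to issue certificates (basicConstraints CA:TRUE).
check_external_ca_chain() {
    cert=$1
    chain=$2
    # openssl verify walks issuer links through $chain to a trusted root.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 1
    # A signed end-entity cert (no CA:TRUE) cannot act as the IPA CA.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    return 0
}

# Constructed fixture: a throwaway root CA and a subordinate CA signed by it,
# mirroring what the external CA returns for the phase-one CSR. Prints the dir.
make_demo_chain() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj '/O=SOMECORP LLC/CN=SOMECORP Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/O=SOMECORP LLC/CN=SOMECORP Int CA 2' \
        -keyout "$dir/ipa.key" -out "$dir/ipa.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" \
        -out "$dir/ipa.crt" 2>/dev/null
    echo "$dir"
}

# Demo run on the constructed chain; substitute the real --external-cert-file paths.
demo=$(make_demo_chain)
if check_external_ca_chain "$demo/ipa.crt" "$demo/root.crt"; then
    echo "chain OK: $demo/ipa.crt verifies against $demo/root.crt"
else
    echo "chain BROKEN: fix the chain file before rerunning phase two"
fi
rm -rf "$demo"
```

A chain file that omits the root, or a certificate the external CA signed without CA:TRUE, makes the function return 1, which is the case to rule out before blaming the installer.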
This is an issue in Dogtag that is fixed with https://github.com/dogtagpki/pki/pull/498. It will be released as part of RHEL 8.3 update.
I'm closing this ticket because there is nothing to do on IPA side.
Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)