This is what I found in the selftests.log ...

0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
So this looks like everything started OK. I don't see any mention of dogtag in the log. Is there a way to make sure it is actually running?

Thanks,
Ross

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, April 25, 2018 10:00 AM
To: FreeIPA users list
Cc: Ross Infinger
Subject: Re: [Freeipa-users] replica - install fails with CA issue

Ross Infinger via FreeIPA-users wrote:
> Thanks for the reply. I tried the workaround but still getting the
> CA_UNREACHABLE error. The umask on the master was already at 0022.
>
> Is there a way to check the health of the CA master? Maybe the issue is with
> the CA and not with the replica install?
>
>
> Here is a little more information. The CA master is pci-mgmt-ipa01. The new
> client to be promoted is ipa-nyc-pci02.
>
> On the client:
> [root@ipa-nyc-pci02 ~]# getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20180424223129':
> 	status: CA_UNREACHABLE
> 	ca-error: Server at
> https://urldefense.proofpoint.com/v2/url?u=https-3A__ipa-2Dnyc-2Dpci02.pci.xxxxxxx.com_ipa_xml&d=DwICaQ&c=laiMAACGcvAxeLF9-K5nZ1uCTN9kBzTH8fWOxFTVLgs&r=BQGu7HO1KZWnnHq93CzOO0obebVE6FvfNGVnSYC75ic&m=xCQpHpcrWJKUIO-6yVqlqIuLPCFlV_ZbHsaRytAynVw&s=qbZemHvnwKTlpEMIXIyClpciLEBBav0XYJhDxHlgPAA&e=
> 	failed request, will retry: -504 (libcurl failed to execute the HTTP POST
> 	transaction, explaining: Failed connect to
> 	ipa-nyc-pci02.pci.xxxxxxx.com:443; Connection refused).
> 	stuck: no
> 	key pair storage:
> 	type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxxxxxx-COM',nickname='Server-Cert',token='NSS
> 	Certificate DB',pinfile='/etc/dirsrv/slapd-PCI-xxxxxxx-COM/pwdfile.txt'
> 	certificate:
> 	type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxxxxxx-COM',nickname='Server-Cert'
> 	CA: IPA
> 	issuer:
> 	subject:
> 	expires: unknown
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
> 	PCI-xxxxxxx-COM
> 	track: yes
> 	auto-renew: yes
>
> On the master:
> pki-tomcat is running.
>
> I see a cert_request in /var/log/httpd/error_log.
>
> [Tue Apr 24 22:31:31.490598 2018] [:error] [pid 1133] ipa: INFO: [xmlserver]
> host/ipa-nyc-pci02.pci.xxxxxxx....@pci.xxxxxxx.com:
> cert_request(u'MIID8jCCAtoCAQAwQjEYMBYGA1UEChMPUENJLk1BU0NPUlAuQ09NMSYwJAYDVQQDEx1pc
> ...
> /QLxsLD7VWO7fGuSHpGnUayuTKi1Em9BdPtMNoD75G4SJ',
> profile_id=u'caIPAserviceCert',
> principal=u'ldap/ipa-nyc-pci02.pci.xxxxxxx....@pci.xxxxxxx.com', add=True,
> version=u'2.51'): NotFound
>
>
> I don't see any request in /var/log/pki/pki-tomcat/ca/debug.
>
> Does this indicate a problem with the Dogtag server?

It might. dogtag runs as a servlet within tomcat so it is very possible that tomcat is running but the servlet failed, hence the Not Found. This is typically caught by ipactl though.

The typical cause for this is the selftest fails. You can check the selftest log in the same directory as debug.

rob

>
> Thanks,
> Ross
> _______________________________________
> From: Ross Infinger
> Sent: Tuesday, April 24, 2018 1:39 PM
> To: Florence Blanc-Renaud
> Subject: RE: [Freeipa-users] replica - install fails with CA issue
>
> Thanks for the reply. I tried the workaround but still getting the
> CA_UNREACHABLE error. The umask on the master was already at 0022.
>
> Is there a way to check the health of the CA master? Maybe the issue is with
> the CA and not with the replica install?
>
>
> Thanks,
> Ross
>
> From: Florence Blanc-Renaud [f...@redhat.com]
> Sent: Tuesday, April 24, 2018 1:37 AM
> To: FreeIPA users list
> Cc: Ross Infinger
> Subject: Re: [Freeipa-users] replica - install fails with CA issue
>
> On 04/23/2018 10:37 PM, Ross Infinger via FreeIPA-users wrote:
>> I'm trying to promote a new client to a replica. I install the client
>> first then run ipa-replica-install.
>> The client install goes OK but the
>> ipa-replica-install command fails with
>>
>> RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>>
>> Seems the client was able to reach the CA so I'm puzzled why the replica
>> cannot.
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>
> Hi,
>
> other users also hit this issue #7193 [1], and the root cause was that
> the root's umask on the master was too restrictive. Can you check if
> it's your case?
>
> The workaround is to do:
> chmod 644 /etc/ipa/ca.crt
> chmod 440 /var/lib/ipa/ra-agent.{key|pem}
>
> but the best is to install the master with umask 022.
>
> HTH,
> Flo
>
> [1]
> https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_freeipa_issue_7193&d=DwID-g&c=laiMAACGcvAxeLF9-K5nZ1uCTN9kBzTH8fWOxFTVLgs&r=BQGu7HO1KZWnnHq93CzOO0obebVE6FvfNGVnSYC75ic&m=a8hif8z7P2YL758xGO4yaROq33AOiOjrmAzs4WNaEtM&s=X9JOGxC1Dlqf_7WPi-C953HdBoN9swEyeDI7RvMDY34&e=
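Rob's advice in the thread is to read the Dogtag selftests.log next to the CA debug log, and Ross's question is how to tell from it whether the CA subsystem really came up. The script below is an added example written for this editing pass; it is not code from the thread, from FreeIPA or from Dogtag. It parses lines in the format Ross pasted (thread, timestamp, two numeric fields, plugin name, message), treats the "All CRITICAL self test plugins ran SUCCESSFULLY at startup!" line as the success marker, flags any plugin message containing a failure keyword, and reports INCOMPLETE when neither appears, which is what a log from a servlet that never finished starting looks like. The line format regex, the failure keyword list, and the SAMPLE_FAIL log (a constructed "system certs verification failure" line) are assumptions of this example; SAMPLE_OK is built from the lines in Ross's mail.

```python
"""Triage a Dogtag pki-tomcat selftests.log (added example, not project code)."""
import re
import sys
from dataclasses import dataclass, field

# Line shape observed in the thread (assumed to hold for the whole file):
#   <thread> - [<timestamp>] [<n1>] [<n2>] <PluginName>: <message>
LINE_RE = re.compile(
    r"^(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] \[(?P<n1>\d+)\] \[(?P<n2>\d+)\] "
    r"(?P<plugin>\w+): (?P<msg>.*)$"
)
SUCCESS_MARKER = "All CRITICAL self test plugins ran SUCCESSFULLY at startup!"
# Keywords that mark a failed plugin message (assumption of this example).
FAIL_RE = re.compile(r"\b(fail|failed|failure|error|exception)\b", re.IGNORECASE)


@dataclass
class SelfTestReport:
    parsed: int = 0
    unparsed: int = 0
    plugins: dict = field(default_factory=dict)   # plugin name -> last message seen
    critical_ok: bool = False                     # success marker was logged
    failures: list = field(default_factory=list)  # (plugin, message) pairs


def parse_selftests(text):
    """Walk the log once and collect per-plugin state, the marker and failures."""
    rep = SelfTestReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rep.unparsed += 1        # stack traces or free text: counted, not judged
            continue
        rep.parsed += 1
        plugin, msg = m.group("plugin"), m.group("msg")
        rep.plugins[plugin] = msg
        if plugin == "SelfTestSubsystem" and SUCCESS_MARKER in msg:
            rep.critical_ok = True
        elif FAIL_RE.search(msg):
            rep.failures.append((plugin, msg))
    return rep


def verdict(rep):
    """OK: marker seen and no failures. FAILED: a plugin reported failure.
    INCOMPLETE: no marker and no failure, i.e. startup never got that far."""
    if rep.failures:
        return "FAILED"
    if rep.critical_ok:
        return "OK"
    return "INCOMPLETE"


_PFX = "0.localhost-startStop-1 - [25/Apr/2018:18:05:04 UTC] [20] [1] "
# Healthy log, taken from the lines in Ross's mail.
SAMPLE_OK = "\n".join(_PFX + s for s in [
    "SelfTestSubsystem: Initializing self test plugins:",
    "SelfTestSubsystem: loading self test plugins in startup order",
    "SelfTestSubsystem: Running self test plugins specified to be executed at startup:",
    "CAPresence: CA is present",
    "SystemCertsVerification: system certs verification success",
    "SelfTestSubsystem: " + SUCCESS_MARKER,
])
# Constructed failure case (not from the thread): one plugin fails, no marker follows.
SAMPLE_FAIL = "\n".join(_PFX + s for s in [
    "SelfTestSubsystem: Running self test plugins specified to be executed at startup:",
    "CAPresence: CA is present",
    "SystemCertsVerification: system certs verification failure",
])


def main(argv):
    # Default path follows the thread: selftests.log sits beside
    # /var/log/pki/pki-tomcat/ca/debug.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OK
    rep = parse_selftests(text)
    print(f"verdict={verdict(rep)} parsed={rep.parsed} unparsed={rep.unparsed}")
    for plugin, msg in rep.failures:
        print(f"  FAIL {plugin}: {msg}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 selftest_triage.py /var/log/pki/pki-tomcat/ca/selftests.log` on the CA master. An OK verdict only says the self-tests passed at the last startup; a CA_UNREACHABLE from certmonger still needs the connection error itself read, since in Ross's output the refused connection is to port 443 on the replica being installed, not to the CA master.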