On 10/7/20 2:31 PM, Timo Aaltonen wrote: > On 7.10.2020 19.11, Harry Coin wrote: >> On Fri, 25 Sep 2020 11:46:16 +0300 Timo Aaltonen <tjaal...@debian.org> >> wrote: >>> >>> Hi, >>> >>> This bug shouldn't happen anymore, as nss-pem is used. There's another >>> bug (970880) preventing server install right now though. >>> >>> -- >>> t >>> >>> >> File >> "/usr/lib/python3/dist-packages/ipaserver/install/cainstance.py", >> line 484, in configure_instance >> self.start_creation(runtime=runtime) >> File "/usr/lib/python3/dist-packages/ipaserver/install/service.py", >> line 606, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python3/dist-packages/ipaserver/install/service.py", >> line 592, in run_step >> method() >> File >> "/usr/lib/python3/dist-packages/ipaserver/install/cainstance.py", >> line 880, in __request_ra_certificate >> reqId = certmonger.request_and_wait_for_cert( >> File "/usr/lib/python3/dist-packages/ipalib/install/certmonger.py", >> line 409, in request_and_wait_for_cert >> raise RuntimeError( >> >> 2020-10-07T14:45:28Z DEBUG The ipa-server-install command failed, >> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE: >> Error 35 connecting to >> https://registry1.1.quietfountain.com:8443/ca/agent/ca//profileReview: >> SSL connect error.) >> 2020-10-07T14:45:28Z ERROR Certificate issuance failed (CA_UNREACHABLE: >> Error 35 connecting to >> https://registry1.1.quietfountain.com:8443/ca/agent/ca//profileReview: >> SSL connect error.) >> 2020-10-07T14:45:28Z ERROR The ipa-server-install command failed. See >> /var/log/ipaserver-install.log for more information >> >> ... >> >> [11/30]: starting certificate server instance >> [12/30]: configure certmonger for renewals >> [13/30]: requesting RA certificate from CA >> [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: >> Error 35 connecting to >> https://registry1.1.quietfountain.com:8443/ca/agent/ca//profileReview: >> SSL connect error.) >> >> _______________________________________________ >> Pkg-freeipa-devel mailing list >> pkg-freeipa-de...@alioth-lists.debian.net >> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeipa-devel >> >> > > No need to post it here, as I said 970880 is the other bug. Upstream > is looking at it. > This was from a build on ubuntu-groovy. I suspected the cause was a race condition since the immediate prior step lauches over a dozen dogtag processes that eventually all end but not before the failing step begins and then times out.
-HC
