Frederic Ayrault wrote:
> Hello,
> 
> On 16/10/2023 at 21:13, Frederic Ayrault wrote:
>> Good evening,
>>
>>
>> On 13/10/2023 at 22:20, Rob Crittenden via FreeIPA-users wrote:
>>> Frederic Ayrault via FreeIPA-users wrote:
>>>>
>>>>> Done configuring certificate server (pki-tomcatd).
>>>>> ipaclient.install.ipa_certupdate: ERROR    failed to update
>>>>> LIX.POLYTECHNIQUE.FR IPA CA in /etc/httpd/alias: Command
>>>>> '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n LIX.POLYTECHNIQUE.FR
>>>>> IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero
>>>>> exit status 255
>>> I'd recommend you try this command manually to see what the whole error
>>> is. You'll need to quote the nickname 'LIX....'
>>>
>>>>>
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> Resubmitting certmonger request '20231013171553' timed out, please
>>>>> check the request manually
>>>> ipa-certupdate gives a similar error
>>>>
>>> Running it manually should give more details why it failed.
>>>
>>>
>>>
>>>
>>> rob
>>>
>>
>> I got a lot of errors
>>> Oct 16 14:14:46 ipa3.lix.polytechnique.fr krb5kdc[1932](info):
>>> TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 193.55.176.91:
>>> LOOKING_UP_SERVER: authtime 0,
>>> ldap/[email protected] for
>>> ldap/[email protected], Server not found
>>> in Kerberos database
>>
>> ipa2 was the server used for ipa-replica-prepare; there is now only ipa3
>> in the ipa-replica-manage list and ipa3 is not in
>> any other ipa-replica-manage list
>>
>> I have deleted
>> cn=sig/ipa2.lix.polytechnique.fr,cn=custodia,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
>>
>> and
>> cn=enc/ipa2.lix.polytechnique.fr,cn=custodia,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
>> from the ldap base
>> (I can not find any ipa2)
>>
>> Regards,
>>
>> Frederic
> 
> I created replication between 2 servers ipa3 and ipa4, ipa-ca-install
> works, I can now see pki-tomcatd Service
> when I run ipactl status but it is STOPPED

So if I've followed this thread correctly, what you're doing is:

- Taking replica ipa3? and forcibly disconnecting it from an existing
IPA installation
- Trying to install a CA on it

Where does ipa4 come in? Is it a replica of ipa3?

> And when I try to start it manually ( systemctl start
> [email protected] ), I get errors
>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with
>> path [/ca] threw exception
>> java.io.IOException: CS server is not ready to serve.

You need to look in /var/log/pki/pki-tomcat/ca/debug<perhaps-date>

You need to find in that log the last time the CA started and work down
from there to find an error, or errors. The usual bottom-up approach
won't work because the CA is persistent in trying to start and will
often move past errors that may be transient.

> 
> certutil -d /etc/pki/pki-tomcat/alias/ -L
> 
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
> 
> auditSigningCert cert-pki-ca                                 u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> CNRS2-Standard - CNRS                                        C,,
> LIX.POLYTECHNIQUE.FR IPA CA                                  CT,C,C
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> CNRS2 - CNRS                                                 ,,
> 
> I tried to remove CNRS certs but then ipa-ca-install fails ( IndexError:
> list index out of range )

I presume they are necessary because your existing HTTP and LDAP
certificates are essentially externally signed. So this is expected.
Well, maybe not a traceback.

rob

> 
> Thank you
> 
> Regards,
> 
> Frederic
> 
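The "find the last time the CA started and read downwards" advice above can be scripted. The following is an added example, not code from the thread or from the pki-tomcat project: it takes the debug log path and a start-marker string, prints everything from the last occurrence of that marker to the end of the file, and then filters that slice for SEVERE/ERROR/Exception lines. The marker text and the log lines are constructed for illustration; the real marker depends on the Dogtag version, so check what your own debug log prints at startup and pass that string instead.

```shell
#!/bin/sh
# Added example (not from the thread): show only the part of a Dogtag CA debug
# log written since the CA last began starting, then the error lines in it.
# The start marker below is an assumption; adapt it to your log's wording.

# last_start_tail LOGFILE MARKER -> lines from the last MARKER line to EOF
last_start_tail() {
    log="$1"; marker="$2"
    # line number of the last occurrence of the marker (empty if absent)
    n=$(grep -n -- "$marker" "$log" | tail -n 1 | cut -d: -f1)
    if [ -z "$n" ]; then
        cat "$log"          # no start marker found: fall back to the whole log
    else
        tail -n +"$n" "$log"
    fi
}

# errors_since_last_start LOGFILE MARKER -> SEVERE/ERROR/Exception lines since last start
errors_since_last_start() {
    last_start_tail "$1" "$2" | grep -E 'SEVERE|ERROR|Exception'
}

# Constructed sample log for demonstration; not real pki-tomcat output.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
2023-10-16 14:00:01 [main] INFO: CMSEngine: starting CA
2023-10-16 14:00:02 [main] SEVERE: LDAP connection refused (transient)
2023-10-16 14:00:05 [main] INFO: CMSEngine: CA started
2023-10-16 14:14:40 [main] INFO: CMSEngine: starting CA
2023-10-16 14:14:41 [main] INFO: SignedAuditLogger: initialising
2023-10-16 14:14:46 [main] ERROR: Failed to authenticate to LDAP with subsystemCert
2023-10-16 14:14:46 [main] SEVERE: java.io.IOException: CS server is not ready to serve.
EOF

# Everything since the last startup attempt (the earlier transient SEVERE is excluded)
last_start_tail "$sample_log" "CMSEngine: starting CA"
echo "--- errors since last start ---"
errors_since_last_start "$sample_log" "CMSEngine: starting CA"
```

Run it against the real file with something like `last_start_tail /var/log/pki/pki-tomcat/ca/debug.<date> "<your start marker>"`; the point is that the transient SEVERE from an earlier start attempt (line 2 of the sample) is dropped, so what remains is the failure chain of the most recent start only.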
_______________________________________________
FreeIPA-users mailing list -- [email protected]