Red Hat Bugzilla – Bug 1451712
KRA installation fails on server that was originally installed as CA-less
Last modified: 2017-08-01 05:50:15 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6925

Attempting to install KRA on a server that has CA, but was originally installed as CA-less fails. It seems there is an issue with the certificate (see dirsrv access log).

### Steps to reproduce

1. Install CA less server
2. ipa-ca-install
3. ipa-kra-install

### Output

```
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp3CYZRR' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
```

### Logs

- /var/log/ipaserver-kra-install.log

```
2017-05-03T12:50:41Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20170503145041.log
Loading deployment configuration from /tmp/tmp3CYZRR.
ERROR: Unable to access directory server: Can't contact LDAP server
2017-05-03T12:50:41Z DEBUG stderr=
2017-05-03T12:50:41Z CRITICAL Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp3CYZRR' returned non-zero exit status 1
2017-05-03T12:50:41Z CRITICAL See the installation logs and the following files/directories for more information:
2017-05-03T12:50:41Z CRITICAL /var/log/pki/pki-tomcat
2017-05-03T12:50:41Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 289, in __spawn_instance
    tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 395, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: KRA configuration failed.
```

- /var/log/dirsrv/slapd-EXAMPLE-COM/access

```
[03/May/2017:14:50:41.472662295 +0200] conn=26 fd=104 slot=104 SSL connection from dead::beef to dead::beef
[03/May/2017:14:50:41.486067611 +0200] conn=26 op=-1 fd=104 closed - Peer does not recognize and trust the CA that issued your certificate.
[03/May/2017:14:50:41.635267232 +0200] conn=24 op=1 UNBIND
[03/May/2017:14:50:41.635309926 +0200] conn=24 op=1 fd=103 closed - U1
```
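A triage helper for the dirsrv access log above, added here as an example (it is not part of the original report or of FreeIPA): it pairs each connection-open line with its close line by `conn` id and reports TLS connections that were closed before any LDAP operation was logged, together with the close reason. The function name and the regexes are assumptions derived from the four log lines quoted in this report.

```python
import re

# The four access-log lines quoted in this report.
SAMPLE_LOG = """\
[03/May/2017:14:50:41.472662295 +0200] conn=26 fd=104 slot=104 SSL connection from dead::beef to dead::beef
[03/May/2017:14:50:41.486067611 +0200] conn=26 op=-1 fd=104 closed - Peer does not recognize and trust the CA that issued your certificate.
[03/May/2017:14:50:41.635267232 +0200] conn=24 op=1 UNBIND
[03/May/2017:14:50:41.635309926 +0200] conn=24 op=1 fd=103 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
OPEN_RE = re.compile(r"(?P<tls>SSL )?connection from (?P<src>\S+) to \S+")
OP_RE = re.compile(r"\bop=(?P<op>-?\d+)\b")
CLOSE_RE = re.compile(r"\bclosed - (?P<reason>.+)$")


def failed_tls_handshakes(log_text):
    """Return TLS connections closed before any LDAP operation was logged."""
    opened, saw_op, findings = {}, set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        op = OP_RE.search(rest)
        if op is None:
            o = OPEN_RE.search(rest)
            if o:  # connection-open line: remember whether it used TLS
                opened[conn] = {"ts": m["ts"], "src": o["src"], "tls": bool(o["tls"])}
            continue
        if int(op["op"]) >= 0:  # assumption: op=-1 is not a client operation
            saw_op.add(conn)
        c = CLOSE_RE.search(rest)
        if c:
            info = opened.pop(conn, None)  # None if the open line is outside the excerpt
            if info and info["tls"] and conn not in saw_op:
                findings.append({"conn": conn, "opened": info["ts"],
                                 "src": info["src"], "reason": c["reason"]})
            saw_op.discard(conn)
    return findings


if __name__ == "__main__":
    for f in failed_tls_handshakes(SAMPLE_LOG):
        print("conn=%(conn)d from %(src)s closed during TLS setup: %(reason)s" % f)
```

On the excerpt this reports only conn=26; conn=24 is skipped because it logged an operation and its open line is not in the excerpt.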
Fixed upstream

- master: https://pagure.io/freeipa/c/d93264247563937d6d8e3f030a2bffac10572612
- ipa-4-5: https://pagure.io/freeipa/c/653d2f412012bcef04599b512938f06084d267b1
Created attachment 1285350: kra installation logs on ca-less to ca-full setup
version: ipa-server-4.5.0-14.el7.x86_64

Verified using steps provided in description. Installation logs are attached.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304