Did you find a solution to the issue described in this thread ? I have the exact same set of circumstances/error.
On 4/3/19 7:18 PM, Alex Santizo via FreeIPA-users wrote:
Did you find a solution to the issue described in this thread ? I have the exact same set of circumstances/error.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi,
can you provide the version of freeipa + pki-base, the /var/log/ipareplica-install.log (or /var/log/ipareplica-ca-install.log), the content of /var/log/pki/pki-ca-spawn.$date.log and /var/log/pki/pki-tomcat/ca/debug?
For more info on debugging CA cloning failures, please read Fraser's blog [1] as it explains the overall process and points to specific tickets.
HTH, flo
[1] https://frasertweedale.github.io/blog-redhat/posts/2018-11-30-dogtag-clone-f...
Thanks for the link, it seems based on the errors I get that I am failing at steps 6.3-4, but without something more obvious (to me) in the logs I am unable to successfully troubleshoot it.
I am using IPA 4.6.4 and pki-base-10.5.9.
From the server where the replica with ca install is attempted:
ipa-ca-install log: https://paste.fedoraproject.org/paste/~WbYmKwdl5orbR7TAkNfrQ
pki-spawn log: https://paste.fedoraproject.org/paste/n823Eu94~EMigBMhNhPsZg
debug log: https://paste.fedoraproject.org/paste/WfbGUE4FUOTlNGgJbaFCzw
Log snippets from the IPA server with CA installed that it was initializing from: https://paste.fedoraproject.org/paste/U-P3XxKyiD0hxMqdwTgFfg
The reason I associated my issue with the original thread's issue is this piece:
[05/Apr/2019:10:48:13][http-bio-8443-exec-3]: updateNumberRange: Attempting to contact master using EE port
[05/Apr/2019:10:48:13][http-bio-8443-exec-3]: ConfigurationUtils: POST https://denmgmtipa01.emspki.local:443/ca/ee/ca/updateNumberRange
javax.ws.rs.NotFoundException: HTTP 404 Not Found
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:181)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:154)
Hi,
This issue was resolved. We had implemented a more restrictive set of ssl cipher suites on the httpd server of the IPA masters that I was trying to initialize from and that was preventing the ipa-replica-install --setup-ca (not sure what the exact component would be) from completing a handshake/CA config on the replica.
These were observed on the master's httpd error log at the same time that an ipa-replica-install setup-ca failed:
[Mon Apr 08 12:36:51.051315 2019] [:error] [pid 40464] SSL Library Error: -12286 No common encryption algorithm(s) with client
[Mon Apr 08 12:36:51.068917 2019] [:error] [pid 39291] SSL Library Error: -12286 No common encryption algorithm(s) with client
For reference, this is what my IPA master's nss.conf looked like; the commented-out entries are the ones that the ipa-replica-install setup-ca did not like.
#NSSCipherSuite +ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_rsa_aes_256_gcm_sha_384,+dhe_rsa_aes_128_gcm_sha_256,+dhe_dss_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_rsa_aes_256_sha_384,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha,+dhe_rsa_aes_128_sha_256,+dhe_rsa_aes_128_sha,+dhe_dss_aes_128_sha_256,+dhe_rsa_aes_256_sha_256,+dhe_dss_aes_256_sha_256,+dhe_rsa_aes_256_sha
NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,-ecdh_ecdsa_3des_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,-ecdhe_ecdsa_3des_sha,-ecdh_rsa_null_sha,-ecdh_rsa_128_sha,-ecdh_rsa_3des_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,-ecdhe_rsa_3des_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
#NSSProtocol TLSv1.2
Thanks for taking the time to initially reply to this.
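As an added example (not code from this thread or from FreeIPA), a small Python script that reads the active NSSCipherSuite/NSSProtocol directives out of a mod_nss nss.conf and pulls the -12286 handshake failures out of httpd error_log lines, so the server's policy and the failed handshakes can be checked side by side when a replica CA install stalls. The nss.conf and log content embedded below are constructed samples modelled on the thread, not the poster's files.

```python
import re

# Constructed sample of a mod_nss nss.conf (hypothetical, modelled on the
# thread: the restrictive TLSv1.2-only line active, the permissive one commented).
NSS_CONF = """\
NSSCipherSuite +ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_128_sha_256,-rsa_aes_128_sha
#NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.2
#NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
"""

# Constructed sample of httpd error_log lines in the format quoted in the thread.
ERROR_LOG = """\
[Mon Apr 08 12:36:51.051315 2019] [:error] [pid 40464] SSL Library Error: -12286 No common encryption algorithm(s) with client
[Mon Apr 08 12:36:51.068917 2019] [:error] [pid 39291] SSL Library Error: -12286 No common encryption algorithm(s) with client
[Mon Apr 08 12:37:02.000000 2019] [:notice] [pid 39291] unrelated line
"""

def parse_nss_conf(text):
    """Return (enabled suites, disabled suites, protocols) from the active,
    i.e. uncommented, NSSCipherSuite and NSSProtocol directives."""
    enabled, disabled, protocols = set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directive: not in effect
        directive, _, value = line.partition(" ")
        if directive == "NSSCipherSuite":
            for tok in value.split(","):
                tok = tok.strip()
                if tok.startswith("+"):
                    enabled.add(tok[1:])
                elif tok.startswith("-"):
                    disabled.add(tok[1:])
        elif directive == "NSSProtocol":
            protocols = [p.strip() for p in value.split(",")]
    return enabled, disabled, protocols

# NSS error -12286 is SSL_ERROR_NO_CYPHER_OVERLAP, the error the thread observed.
NO_OVERLAP = re.compile(r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] "
                        r"SSL Library Error: -12286 No common encryption algorithm\(s\) with client$")

def find_no_overlap(log_text):
    """Return (timestamp, pid) for each handshake that found no cipher in common."""
    return [(m.group("ts"), int(m.group("pid")))
            for m in map(NO_OVERLAP.match, log_text.splitlines()) if m]
```

Run the two functions against the master's real nss.conf and error_log at the time of the failed ipa-replica-install; if the -12286 hits line up with a narrowed suite or protocol list, that policy is the first thing to compare against what the replica's PKI client can negotiate.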