[Pkg-freeipa-devel] Bug#898543: Bug#898543: freeipa-server: requesting RA certificate from CA fails with "CA_UNREACHABLE"
Timo Aaltonen
tjaalton at debian.org
Sun May 20 15:23:30 BST 2018
On 13.05.2018 13:04, Adam Reece wrote:
> Package: freeipa-server
> Version: 4.6.3-1
> Severity: important
>
>
>
> -- System Information:
> Debian Release: 9.4
> APT prefers stable
> APT policy: (700, 'stable'), (650, 'unstable'), (500, 'stable-updates')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeipa-server depends on:
> ii 389-ds-base 1.3.7.10-1+b1
> ii acl 2.2.52-3+b1
> ii apache2 2.4.25-3+deb9u4
> ii certmonger 0.79.5-2
> ii custodia 0.5.0-3
> ii fonts-font-awesome 4.7.0~dfsg-3
> ii fonts-open-sans 1.11-1
> ii freeipa-admintools 4.6.3-1
> ii freeipa-client 4.6.3-1
> ii freeipa-common 4.6.3-1
> ii gssproxy 0.8.0-1
> ii krb5-admin-server 1.16-2
> ii krb5-kdc 1.16-2
> ii krb5-kdc-ldap 1.16-2
> ii krb5-otp 1.16-2
> ii krb5-pkinit 1.16-2
> ii ldap-utils 2.4.46+dfsg-5
> ii libapache2-mod-auth-gssapi 1.6.0-1
> ii libapache2-mod-lookup-identity 1.0.0-1
> ii libapache2-mod-nss 1.0.14-1+b1
> ii libapache2-mod-wsgi 4.5.17-1+b1
> ii libc6 2.27-3
> ii libcomerr2 1.44.1-2
> ii libjs-dojo-core 1.11.0+dfsg-1
> ii libjs-jquery 3.2.1-1
> ii libk5crypto3 1.16-2
> ii libkrad0 1.16-2
> ii libkrb5-3 1.16-2
> ii libldap-2.4-2 2.4.46+dfsg-5
> ii libnspr4 2:4.19-1
> ii libnss3 2:3.36.1-1
> ii libnss3-tools 2:3.36.1-1
> ii libsasl2-modules-gssapi-mit 2.1.27~101-g0780600+dfsg-3.1
> ii libssl1.1 1.1.0f-3+deb9u2
> ii libsss-nss-idmap0 1.16.1-1+b1
> ii libtalloc2 2.1.10-2
> ii libtevent0 0.9.34-1
> ii libunistring2 0.9.8-1
> ii libuuid1 2.29.2-1+deb9u1
> ii libverto1 0.2.4-2.1
> ii ntp 1:4.2.8p11+dfsg-1
> ii oddjob 0.34.3-4
> ii p11-kit 0.23.10-2
> ii pki-ca 10.5.5-1
> ii pki-kra 10.5.5-1
> ii python 2.7.13-2
> ii python-dateutil 2.6.1-1
> ii python-gssapi 1.4.1-1
> ii python-ipaserver 4.6.3-1
> ii python-ldap 3.0.0-1
> ii python-systemd 234-2
> ii samba-libs 2:4.7.4+dfsg-2
> ii slapi-nis 0.56.1-1
> ii softhsm2 2.4.0-0.1
> ii systemd-sysv 238-4
>
> Versions of packages freeipa-server recommends:
> ii freeipa-server-dns 4.6.3-1
>
> freeipa-server suggests no packages.
>
> -- Configuration Files:
> /etc/default/ipa-dnskeysyncd changed:
> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>
>
> -- no debconf information
> The server installation process will fail when a certificate is requested from the CA with error CA_UNREACHABLE.
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/28]: configuring certificate server instance
> [2/28]: exporting Dogtag certificate store pin
> [3/28]: stopping certificate server instance to update CS.cfg
> [4/28]: backing up CS.cfg
> [5/28]: disabling nonces
> [6/28]: set up CRL publishing
> [7/28]: enable PKIX certificate path discovery and validation
> [8/28]: starting certificate server instance
> [9/28]: configure certmonger for renewals
> [10/28]: requesting RA certificate from CA
> [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
> ipapython.admintool: ERROR Certificate issuance failed (CA_UNREACHABLE)
> ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
You'd need nss-pem (ITP: #888820); server setup won't work without it.
--
t