[Pkg-freeipa-devel] Bug#898543: Bug#898543: nss-pem available

Harry Coin harrycoin at aol.com
Wed Oct 7 20:59:08 BST 2020 

On 10/7/20 2:31 PM, Timo Aaltonen wrote:
> On 7.10.2020 19.11, Harry Coin wrote:
>> On Fri, 25 Sep 2020 11:46:16 +0300 Timo Aaltonen <tjaalton at debian.org>
>> wrote:
>>>
>>> Hi,
>>>
>>> This bug shouldn't happen anymore, as nss-pem is used. There's another
>>> bug (970880) preventing server install right now though.
>>>
>>> -- 
>>> t
>>>
>>>
>>    File
>> "/usr/lib/python3/dist-packages/ipaserver/install/cainstance.py",
>> line 484, in configure_instance
>>      self.start_creation(runtime=runtime)
>>    File "/usr/lib/python3/dist-packages/ipaserver/install/service.py",
>> line 606, in start_creation
>>      run_step(full_msg, method)
>>    File "/usr/lib/python3/dist-packages/ipaserver/install/service.py",
>> line 592, in run_step
>>      method()
>>    File
>> "/usr/lib/python3/dist-packages/ipaserver/install/cainstance.py",
>> line 880, in __request_ra_certificate
>>      reqId = certmonger.request_and_wait_for_cert(
>>    File "/usr/lib/python3/dist-packages/ipalib/install/certmonger.py",
>> line 409, in request_and_wait_for_cert
>>      raise RuntimeError(
>>
>> 2020-10-07T14:45:28Z DEBUG The ipa-server-install command failed,
>> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE:
>> Error 35 connecting to
>> https://registry1.1.quietfountain.com:8443/ca/agent/ca//profileReview:
>> SSL connect error.)
>> 2020-10-07T14:45:28Z ERROR Certificate issuance failed (CA_UNREACHABLE:
>> Error 35 connecting to
>> https://registry1.1.quietfountain.com:8443/ca/agent/ca//profileReview:
>> SSL connect error.)
>> 2020-10-07T14:45:28Z ERROR The ipa-server-install command failed. See
>> /var/log/ipaserver-install.log for more information
>>
>> ...
>>
>>   [11/30]: starting certificate server instance
>>    [12/30]: configure certmonger for renewals
>>    [13/30]: requesting RA certificate from CA
>>    [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE:
>> Error 35 connecting to
>> https://registry1.1.quietfountain.com:8443/ca/agent/ca//profileReview:
>> SSL connect error.)
>>
>> _______________________________________________
>> Pkg-freeipa-devel mailing list
>> Pkg-freeipa-devel at alioth-lists.debian.net
>> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeipa-devel
>>
>>
>
> No need to post it here, as I said 970880 is the other bug. Upstream
> is looking at it.
>
This was from a build on ubuntu-groovy.    I suspected the cause was a
race condition since the immediate prior step lauches over a dozen
dogtag processes that eventually all end but not before the failing step
begins and then times out.

-HC

More information about the Pkg-freeipa-devel mailing list