[Pkg-freeipa-devel] Bug#970880: Bug#970880: Bug#970880: freeipa-server: FreeIPA server installation fails with Certificate issuance failed (CA_REJECTED)
Жохов Александр
a.zhohov at crpt.ru
Wed Jan 6 10:06:27 GMT 2021
Hello.
>> 2021-01-05 01:07:32 [main] WARNING: Failed to scan
>> [file:/usr/share/java/el-api-3.0.jar] from classloader hierarchy
>> java.io.IOException:
>>
>> Caused by: java.nio.file.NoSuchFileException:
>> /usr/share/java/el-api-3.0.jar
> Figure out which jar is trying to search that and we'd at least get rid
> of this error. dogtag 10.10.2-1 at least should use the correct el-api from tomcat9 now, but there's probably some other package which still doesn't.
There was no el-api-3.0.jar on my system for some reason.
I installed libel-api-java.
I also installed libjemalloc2 and created a link with ln -s /usr/lib/x86_64-linux-gnu/ /usr/lib/x86_64-linux-gnu/dirsrv/lib, because in the log I saw a message about the absence of /usr/lib/x86_64-linux-gnu/dirsrv/lib/libjemalloc.so.2.
Now in the log /var/lib/pki/pki-tomcat/ca/logs/debug I see an error:
2021-01-06 12:18:33 [http-nio-8080-exec-15] WARNING: Certificate request deferred: defer request
2021-01-06 12:18:33 [http-nio-8080-exec-15] INFO: Updating certificate request
2021-01-06 12:18:34 [https-jsse-nio-8443-exec-3] INFO: Getting SSL client certificate.
2021-01-06 12:18:34 [https-jsse-nio-8443-exec-3] SEVERE: ReviewReqServlet: You did not provide a valid certificate for this operation
You did not provide a valid certificate for this operation
    at com.netscape.cms.servlet.base.CMSServlet.getSSLClientCertificate(CMSServlet.java:843)
    at com.netscape.cms.servlet.base.CMSServlet.getSSLClientCertificate(CMSServlet.java:825)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1685)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1627)
    at com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:120)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:494)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
2021-01-06 12:18:34 [https-jsse-nio-8443-exec-3] SEVERE: Failed to authorize: You did not provide a valid certificate for this operation.
2021-01-06 12:18:34 [https-jsse-nio-8443-exec-4] INFO: DBSSession: reading cn=7,ou=ca,ou=requests,o=ipaca
2021-01-06 12:23:09 [Timer-0] INFO: SessionTimer: checking security domain sessions
Debug output
[13/30]: requesting RA certificate from CA
Starting external process
args=['/usr/bin/openssl', 'pkcs7', '-inform', 'DER', '-print_certs', '-out', '/var/lib/ipa/tmpuk9b5gsr']
Process finished, return code=0
stdout=
stderr=
Starting external process
args=['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpaf4g9v4s', '-passin', 'file:/tmp/tmpitfnlm4x']
Process finished, return code=0
stdout=
stderr=
Starting external process
args=['/usr/bin/openssl', 'pkcs12', '-nocerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmp08qoxv6b', '-passin', 'file:/tmp/tmp_d6rjgv7', '-nodes']
Process finished, return code=0
stdout=
stderr=
certmonger request is in state dbus.String('GENERATING_KEY_PAIR', variant_level=1)
certmonger request is in state dbus.String('CA_REJECTED', variant_level=1)
Cert request 20210106091833 failed: CA_REJECTED (Server at "https://srv-freeipa01.domain.linux:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Giving up on cert request 20210106091833
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/ipaserver/install/service.py", line 606, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3/dist-packages/ipaserver/install/service.py", line 592, in run_step
    method()
  File "/usr/lib/python3/dist-packages/ipaserver/install/cainstance.py", line 877, in __request_ra_certificate
    reqId = certmonger.request_and_wait_for_cert(
  File "/usr/lib/python3/dist-packages/ipalib/install/certmonger.py", line 409, in request_and_wait_for_cert
    raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://srv-freeipa01.domain.linux:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://srv-freeipa01.domain.linux:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://srv-freeipa01.domain.linux:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)