dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Improve error reporting when the imported certs are invalid #3269

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #3152. Originally filed by cipherboy (@cipherboy) on 2020-03-16 09:55:26:


Description of problem:

I am seeing a failure both when using --setup-ca in ipa-replica-install and when running ipa-ca-install separately with --setup-ca not used.

From an ipa-ca-install:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp4raVhy'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

Then at the end of the /var/log/pki/pki-tomcat/ca/debug, I see this:

[01/Apr/2016:20:49:37][http-bio-8443-exec-3]: SystemConfigService: clone does not have all the certificates.
[01/Apr/2016:20:49:37][http-bio-8443-exec-3]: Clone does not have all the required certificates

Version-Release number of selected component (if applicable): ipa-server-4.2.0-15.el7_2.12.x86_64

How reproducible: unknown

Steps to Reproduce:

  1. Install IPA master
  2. Install IPA replica
  3. Install CA on replica using: ipa-ca-install -p Password -w Password /var/lib/ipa/replica-file.gpg

Problem was also seen with 2 steps:

  1. Install IPA master
  2. Install IPA replica with CA by including --setup-ca in the ipa-replica-install command.

Actual results: Fails as mentioned above.

Expected results: No failure and CA properly installed.

Additional info:

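The report above shows the installer surfacing only "Command ... returned non-zero exit status 1" while the real reason ("Clone does not have all the required certificates") is buried at the end of the Dogtag debug log. The following is an added example, not code from the pki project or the issue, that parses both log formats shown on this page and pairs the ipa CRITICAL failure with the clone-certificate messages from the debug log; the function names and the sample log text (copied from the output quoted in the report) are this example's own.

```python
import re
from datetime import datetime

# Dogtag debug-log line as quoted in the report:
# [01/Apr/2016:20:49:37][http-bio-8443-exec-3]: SystemConfigService: <message>
DEBUG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?:(?P<component>\w+): )?(?P<msg>.*)$"
)
# ipa installer line: <logger>: CRITICAL <message>
IPA_CRITICAL = re.compile(r"^(?P<logger>[\w.]+): CRITICAL (?P<msg>.*)$")

# Debug-log phrases that explain a failed clone configuration (from the report).
CLONE_CERT_ERRORS = (
    "does not have all the certificates",
    "does not have all the required certificates",
)

def parse_debug_line(line):
    """Split one Dogtag debug-log line into timestamp, thread, component and message."""
    m = DEBUG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
        "thread": m.group("thread"),
        "component": m.group("component"),  # None when the line has no prefix
        "message": m.group("msg"),
    }

def find_root_cause(ipa_log, pki_debug_log):
    """Return (installer failure message or None, list of clone-cert debug entries)."""
    failure = None
    for line in ipa_log.splitlines():
        m = IPA_CRITICAL.match(line.strip())
        if m and "Failed to configure CA instance" in m.group("msg"):
            failure = m.group("msg")
    causes = []
    for line in pki_debug_log.splitlines():
        entry = parse_debug_line(line)
        if entry and any(p in entry["message"] for p in CLONE_CERT_ERRORS):
            causes.append(entry)
    return failure, causes

# Constructed sample input, taken from the log excerpts quoted in the report.
SAMPLE_IPA_LOG = """\
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp4raVhy'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
"""
SAMPLE_PKI_DEBUG = """\
[01/Apr/2016:20:49:37][http-bio-8443-exec-3]: SystemConfigService: clone does not have all the certificates.
[01/Apr/2016:20:49:37][http-bio-8443-exec-3]: Clone does not have all the required certificates
"""

if __name__ == "__main__":
    failure, causes = find_root_cause(SAMPLE_IPA_LOG, SAMPLE_PKI_DEBUG)
    print("installer:", failure)
    for c in causes:
        print("debug log:", c["time"], c["component"], c["message"])
```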
pki-bot commented 3 years ago

Comment from cipherboy (@cipherboy) at 2020-03-16 09:56:06

https://bugzilla.redhat.com/show_bug.cgi?id=1323318

pki-bot commented 3 years ago

Comment from cipherboy (@cipherboy) at 2020-03-16 09:56:07

Metadata Update from @cipherboy: