On 05/02/2012 11:34 AM, Rob Crittenden wrote:
> shabahang elmian wrote:
>> Hello,
>> I would be thankful if someone can help me to resolve the problem.
>
> We need to see /var/log/ipaserver-install.log and potentially
> /var/log/pki-ca/debug to determine what the problem is.
>
> It would appear that the CA process didn't start.
>
> Details on your versions of ipa-server and pki-ca would be helpful too.
>
> rob
>
https://bugzilla.redhat.com/show_bug.cgi?id=818123

Might be related. Please see comments there and requests for additional logs.

>>
>> Shabahang
>>
>> ------------------------------------------------------------------------
>> *From:* shabahang elmian <eshabah...@yahoo.com>
>> *To:* Rob Crittenden <rcrit...@redhat.com>
>> *Cc:* "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>> *Sent:* Sunday, April 29, 2012 12:21 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA
>>
>> [2012-04-23 17:07:32] [debug] set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] Processing PKI security modules for '/var/lib/pki-ca' ...
>> [2012-04-23 17:07:32] [debug] Attempting to add hardware security modules to system if applicable ...
>> [2012-04-23 17:07:32] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] configuring SELinux ...
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9701. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9443. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9444. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9446. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9447. Port already defined otherwise.
>> [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
>> [2012-04-23 17:07:34] [debug] Running restorecon commands
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/java/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/lib/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/run/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/log/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /etc/pki-ca)
>> [2012-04-23 17:07:34] [debug] Installation manifest: /var/lib/pki-ca/install_info
>> [2012-04-23 17:07:34] [debug] The following was performed:
>> Installed Files:
>> /etc/pki-ca/CS.cfg
>> ...
>> .
>> .
>> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
>> Removed Items:
>> /etc/pki-ca/noise
>> /etc/pki-ca/pfile
>>
>> [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad@pki-ca.service)
>> [2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system logs and 'systemctl status' for details."
>> [2012-04-23 17:07:34] [log] Configuration Wizard listening on https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
>>
>> [2012-04-23 17:07:34] [log] After configuration, the server can be operated by the command:
>> /bin/systemctl restart pki-cad@pki-ca.service
>> [root@ipa ~]#
>>
>> [root@ipa system]# ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: y
>> Shutting down all IPA services
>> Removing IPA client configuration
>> Unconfiguring ntpd
>> Unconfiguring CA directory server
>> [root@ipa system]#
>> [root@ipa system]#
>> [root@ipa system]# > /var/log/audit/audit.log
>> [root@ipa system]#
>> [root@ipa system]#
>> [root@ipa system]# ipa-server-install --setup-dns
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> ==============================================================================
>>
>> This program will set up the FreeIPA Server.
>>
>> This includes:
>> * Configure a stand-alone CA (dogtag) for certificate management
>> * Configure the Network Time Daemon (ntpd)
>> * Create and configure an instance of Directory Server
>> * Create and configure a Kerberos Key Distribution Center (KDC)
>> * Configure Apache (httpd)
>> * Configure DNS (bind)
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Existing BIND configuration detected, overwrite? [no]: y
>> Enter the fully qualified domain name of the computer
>> on which you're setting up server software. Using the form
>> <hostname>.<domainname>
>> Example: master.example.com.
>>
>>
>> Server host name [ipa.mtnirancell.ir]:
>>
>> Warning: skipping DNS resolution of host ipa.mtnirancell.ir
>> The domain name has been calculated based on the host name.
>>
>> Please confirm the domain name [mtnirancell.ir]:
>>
>> The kerberos protocol requires a Realm name to be defined.
>> This is typically the domain name converted to uppercase.
>>
>> Please provide a realm name [MTNIRANCELL.IR]:
>> Certain directory server operations require an administrative user.
>> This user is referred to as the Directory Manager and has full access
>> to the Directory for system management tasks and will be added to the
>> instance of directory server created for IPA.
>> The password must be at least 8 characters long.
>>
>> Directory Manager password:
>> Password (confirm):
>>
>> The IPA server requires an administrative user, named 'admin'.
>> This user is a regular system account used for IPA server administration.
>>
>> IPA admin password:
>> Password (confirm):
>>
>> Do you want to configure DNS forwarders? [yes]:
>> Enter the IP address of DNS forwarder to use, or press Enter to finish.
>> Enter IP address for a DNS forwarder:
>> No DNS forwarders configured
>> Do you want to configure the reverse zone? [yes]:
>> Please specify the reverse zone name [58.131.10.in-addr.arpa.]:
>> Using reverse zone 58.131.10.in-addr.arpa.
>>
>> The IPA Master Server will be configured with:
>> Hostname: ipa.mtnirancell.ir
>> IP address: 10.131.58.43
>> Domain name: mtnirancell.ir
>> Realm name: MTNIRANCELL.IR
>>
>> BIND DNS server will be configured to serve IPA domain with:
>> Forwarders: No forwarders
>> Reverse zone: 58.131.10.in-addr.arpa.
>>
>> Continue to configure the system with these values? [no]: y
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring ntpd
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 minutes 30 seconds
>> [1/3]: creating directory server user
>> [2/3]: creating directory server instance
>> [3/3]: restarting directory server
>> done configuring pkids.
>> Configuring certificate server: Estimated time 33 minutes 30 seconds
>> [1/16]: creating certificate server user
>> [2/16]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name' 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
>> Unexpected error - see ipaserver-install.log for details:
>> Configuration of CA failed
>> [root@ipa system]# cat /var/log/audit/audit.log
>> type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
>> type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
>> type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
>> type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
>> type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
>> [root@ipa system]#
>>
>> shabahang
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden <rcrit...@redhat.com>
>> *To:* shabahang elmian <eshabah...@yahoo.com>
>> *Cc:* "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>> *Sent:* Monday, April 23, 2012 8:16 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA
>>
>> shabahang elmian wrote:
>> > Hello,
>> > There is a problem on configuring FreeIPA.
>> > would you please help.
>> >
>> > please find following:
>> >
>> > 2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
>> > 2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server instance
>> > 2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR -external false -clone false
>> > 2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>> > #######################################################################
>> > CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>> > tokenpwd:XXXXXXXX
>> > #############################################
>> > Attempting to connect to: ipa.mtnirancell.ir:9445
>> > Exception in LoginPanel(): java.lang.NullPointerException
>> > ERROR: ConfigureCA: LoginPanel() failure
>> > ERROR: unable to create CA
>> > #######################################################################
>> > 2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
>> > java.net.ConnectException: Connection refused
>> > at java.net.PlainSocketImpl.socketConnect(Native Method)
>> > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>> > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>> > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>> > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>> > at java.net.Socket.connect(Socket.java:546)
>> > at java.net.Socket.connect(Socket.java:495)
>> > at java.net.Socket.<init>(Socket.java:392)
>> > at java.net.Socket.<init>(Socket.java:235)
>> > at HTTPClient.sslConnect(HTTPClient.java:326)
>> > at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> > at ConfigureCA.main(ConfigureCA.java:1672)
>> > java.lang.NullPointerException
>> > at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> > at ConfigureCA.main(ConfigureCA.java:1672)
>> >
>> > 2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR -external false -clone false' returned non-zero exit status 255
>> > 2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>> > File "/usr/sbin/ipa-server-install", line 1173, in <module>
>> > rval = main()
>> >
>> > File "/usr/sbin/ipa-server-install", line 974, in main
>> > subject_base=options.subject)
>> >
>> > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>> > self.start_creation("Configuring certificate server", 210)
>> >
>> > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>> > method()
>> >
>> > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 677, in __configure_instance
>> > raise RuntimeError('Configuration of CA failed')
>> >
>> > please note:
>> >
>> > [root@ipa ~]# uname -a
>> > Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>> > [root@ipa ~]# cat /etc/redhat-release
>> > Fedora release 16 (Verne)
>> > [root@ipa ~]#
>>
>> It would appear that the CA silent installer (pki-silent) couldn't talk
>> to the CA. There are more logs in /var/log/pki-ca that may hold more
>> information on why.
>>
>> You might also want to look for any new AVCs in
>> /var/log/audit/audit.log.
>>
>> regards
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
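Added example, not code from the thread or from FreeIPA/Dogtag: a small Python triage script that pulls the three symptoms Rob points to out of the logs quoted above (the pki_ca_port_t labelling errors, the failed pki-cad restart and pkisilent's "Connection refused") and scans audit.log for AVC denials. The sample log lines are constructed from the thread with the hostname and wizard PIN replaced by placeholders; the AVC record is a constructed illustration of a port-bind denial, not one from the reporter's system.

```python
import re

# Sample input constructed from the install log, pkisilent stderr and audit.log
# quoted in the thread; hostname and wizard PIN are placeholders, and the AVC
# record is constructed to show what a port-bind denial would look like.
INSTALL_LOG = """\
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9701. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445. Port already defined otherwise.
[2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad@pki-ca.service)
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system logs and 'systemctl status' for details."
[2012-04-23 17:07:34] [log] Configuration Wizard listening on https://ipa.example.test:9445/ca/admin/console/config/login?pin=PLACEHOLDER
"""
PKISILENT_STDERR = "Exception: Unable to Send Request:java.net.ConnectException: Connection refused"
AUDIT_LOG = """\
type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1335685716.300:159): avc:  denied  { name_bind } for  pid=2468 comm="java" src=9445 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

SELINUX_RE = re.compile(r"\[error\] Failed setting selinux context (\w+) for (\d+)\.")
RESTART_RE = re.compile(r'\[error\] FAILED run_command\("([^"]*systemctl restart [^"]+)"\), exit status=(\d+)')
WIZARD_RE = re.compile(r"Configuration Wizard listening on https://([^:/]+):(\d+)/")
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ ([^}]*)\} for .*?comm="([^"]+)"'
                    r'.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def failed_selinux_ports(log):
    """Ports the installer could not label (pki_ca_port_t here), as sorted ints."""
    return sorted({int(port) for _ctx, port in SELINUX_RE.findall(log)})

def failed_restart(log):
    """(command, exit status) of a failed systemctl restart, or None."""
    m = RESTART_RE.search(log)
    return (m.group(1), int(m.group(2))) if m else None

def avc_denials(audit):
    """AVC denial records from audit.log (the AVCs Rob suggests looking for)."""
    return [{"perms": perms.split(), "comm": comm, "scontext": sc, "tcontext": tc, "tclass": cls}
            for perms, comm, sc, tc, cls in AVC_RE.findall(audit)]

def triage(install_log, pkisilent_stderr, audit_log):
    """Correlate the three sources into one finding set for the CA install failure."""
    wizard = WIZARD_RE.search(install_log)
    port = int(wizard.group(2)) if wizard else None
    ports, denials = failed_selinux_ports(install_log), avc_denials(audit_log)
    restart = failed_restart(install_log)
    refused = "ConnectException: Connection refused" in pkisilent_stderr
    return {
        "unlabelled_ports": ports, "restart_failure": restart, "wizard_port": port,
        "connection_refused": refused, "avc_denials": denials,
        # pki-cad never came up, so nothing listened on the wizard port for pkisilent.
        "ca_never_started": restart is not None and refused,
        # A tcp bind denial, or the wizard port among the unlabelled ones, points at SELinux port labelling.
        "selinux_port_suspect": port in ports or any(
            "name_bind" in d["perms"] and d["tclass"] == "tcp_socket" for d in denials),
    }
```

On a real host, feed it /var/log/ipaserver-install.log, the stderr captured in that log, and /var/log/audit/audit.log; the two booleans at the end tell you whether to look at pki-cad's own logs in /var/log/pki-ca first or at the port labels.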