Thanks! I see there are some SELinux issues for accessing /tmp/hsperfdata_root, they look strange.
But what seems even stranger is this error in /var/log/ipaserver_install.log:

2013-08-06T12:05:09Z DEBUG stderr=pkispawn : ERROR ....... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!

Did you try to install IPA server before? This procedure may help to re-install:

# ipa-server-install --uninstall --unattended
# pkidestroy -s CA -i pki-tomcat

Second command is to make sure that PKI instance is not left configured on the system.

After these 2 commands, you can try to install IPA server again. If that fails again, second thing we can try is to:

1) Run the clean up commands as above again
2) Turn SELinux to permissive with "# setenforce 0"
3) Run IPA server installation again

I hope that these procedures will now lead to successful installation :-)

Martin

On 08/06/2013 02:22 PM, NEVEU Stephane wrote:
>
> Hi Martin & thank you for your reply :)
>
> I added the update-testing repositories on fedora 19 after reading this :
> http://www.redhat.com/archives/freeipa-users/2013-June/msg00099.html
> But nothing changed, I also tried with selinux disabled/enabled but same
> issue...
>
>
> Here we go :
>
> [root@omcsvcipa01d ~]# rpm -qa freeipa-server pki-ca "java-*-openjdk-*"
> java-1.7.0-openjdk-devel-1.7.0.25-2.3.12.3.fc19.x86_64
> freeipa-server-3.2.2-1.fc19.x86_64
> pki-ca-10.0.4-2.fc19.noarch
>
> [root@omcsvcipa01d ~]# ausearch -m AVC
> ----
> time->Tue Aug 6 08:07:36 2013
> type=SYSCALL msg=audit(1375776456.741:125): arch=c000003e syscall=257
> success=no exit=-13 a0=ffffffffffffff9c a1=7fd5080076e0 a2=90800 a3=0 items=0
> ppid=1 pid=1995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java"
> subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375776456.741:125): avc: denied { read } for pid=1995
> comm="java" name="hsperfdata_root" dev="vda1" ino=39527
> scontext=system_u:system_r:pki_tomcat_t:s0
> tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> time->Tue Aug 6 08:07:36 2013
> type=SYSCALL msg=audit(1375776456.741:126): arch=c000003e syscall=2
> success=no exit=-13 a0=7fd508007700 a1=242 a2=180 a3=0 items=0 ppid=1
> pid=1995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 ses=4294967295 tty=(none) comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java"
> subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375776456.741:126): avc: denied { write } for pid=1995
> comm="java" name="hsperfdata_root" dev="vda1" ino=39527
> scontext=system_u:system_r:pki_tomcat_t:s0
> tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> time->Tue Aug 6 08:19:15 2013
> type=SYSCALL msg=audit(1375777155.023:174): arch=c000003e syscall=257
> success=no exit=-13 a0=ffffffffffffff9c a1=7f33540072b0 a2=90800 a3=0 items=0
> ppid=2713 pid=2734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java"
> subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375777155.023:174): avc: denied { read } for pid=2734
> comm="java" name="hsperfdata_root" dev="vda1" ino=39527
> scontext=system_u:system_r:pki_tomcat_t:s0
> tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> time->Tue Aug 6 08:19:15 2013
> type=SYSCALL msg=audit(1375777155.023:175): arch=c000003e syscall=2
> success=no exit=-13 a0=7f33540072d0 a1=242 a2=180 a3=0 items=0 ppid=2713
> pid=2734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 ses=4294967295 tty=(none) comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java"
> subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375777155.023:175): avc: denied { write } for pid=2734
> comm="java" name="hsperfdata_root" dev="vda1" ino=39527
> scontext=system_u:system_r:pki_tomcat_t:s0
> tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
>
> Errors on the ipaserver-install.log :
> ...
> pki_subsystem_nickname = subsystemCert cert-pki-ca
> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
> pki_ssl_server_nickname = Server-Cert cert-pki-ca
> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>
>
> 2013-08-06T12:05:08Z DEBUG Starting external process
> 2013-08-06T12:05:08Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpRlQD7m
> 2013-08-06T12:05:09Z DEBUG Process finished, return code=1
> 2013-08-06T12:05:09Z DEBUG stdout=Loading deployment configuration from
> /tmp/tmpRlQD7m.
> Installing CA into /var/lib/pki/pki-tomcat.
> Installation failed.
>
>
> 2013-08-06T12:05:09Z DEBUG stderr=pkispawn : ERROR ....... PKI
> subsystem 'CA' for instance 'pki-tomcat' already exists!
>
> 2013-08-06T12:05:09Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpRlQD7m' returned non-zero exit status 1
> 2013-08-06T12:05:09Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
> 616, in run_script
> return_value = main_function()
>
> File "/sbin/ipa-server-install", line 1022, in main
> dm_password, subject_base=options.subject)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 617, in configure_instance
> self.start_creation(runtime=210)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 363, in start_creation
> method()
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 736, in __spawn_instance
> raise RuntimeError('Configuration of CA failed')
>
> 2013-08-06T12:05:09Z DEBUG The ipa-server-install command failed, exception:
> RuntimeError: Configuration of CA failed
>
> And catalina.out :
>
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'enableOCSP' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspResponderURL' to 'http://omcsvcipa01d.dev.cloud-omc.thales:9080/ca/ocsp'
> did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
> matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspCacheSize' to '1000' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspTimeout' to '10' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'strictCiphers' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching
> property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ssl2Ciphers' to
> '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5'
> did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ssl3Ciphers' to
> '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
> did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'tlsCiphers' to
> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
> did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf'
> did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a
> matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not
> find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> property.
> Aug 06, 2013 8:07:38 AM org.apache.tomcat.util.digester.SetPropertiesRule
> begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlValidation' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.tomcat.util.digester.SetPropertiesRule
> begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlNamespaceAware' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> JSSSocketFactory init - exception thrown:java.lang.NullPointerException
>
> Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1488 ms
> Aug 06, 2013 8:07:38 AM org.apache.catalina.core.StandardService startInternal
> INFO: Starting service Catalina
> Aug 06, 2013 8:07:38 AM org.apache.catalina.core.StandardEngine startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/7.0.40
> Aug 06, 2013 8:07:39 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/pki
> Aug 06, 2013 8:07:41 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ca
> SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
> SSLAuthenticatorWithFallback: Setting container
> SSLAuthenticatorWithFallback: Initializing authenticators
> SSLAuthenticatorWithFallback: Starting authenticators
> 08:07:43,538 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60)
> - Unable to retrieve ServletContext: expandEntityReferences defaults to true
> 08:07:43,545 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60)
> - Unable to retrieve ServletContext: expandEntityReferences defaults to true
> CMS Warning: FAILURE: Cannot build CA chain. Error
> java.security.cert.CertificateException: Certificate is not a PKCS #11
> certificate|FAILURE: authz instance DirAclAuthz initialization failed and
> skipped, error=Property internaldb.ldapconn.port missing value|
> Server is started.
> Aug 06, 2013 8:07:44 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ROOT
> Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 06, 2013 8:07:45 AM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 6725 ms
> Aug 06, 2013 8:19:15 AM org.apache.catalina.core.StandardServer await
> INFO: A valid shutdown command was received via the shutdown port. Stopping
> the Server instance.
> Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["http-bio-8080"]
> Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["http-bio-8443"]
> Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 06, 2013 8:19:15 AM org.apache.catalina.core.StandardService stopInternal
> INFO: Stopping service Catalina
>
> -----Original Message-----
> From: Martin Kosek [mailto:[email protected]]
> Sent: Tuesday, 6 August 2013 13:48
> To: NEVEU Stephane
> Cc: [email protected]
> Subject: Re: [Freeipa-users] Install error pkispawn
>
> On 08/06/2013 10:48 AM, NEVEU Stephane wrote:
>> Hi guys,
>>
>> New & trying to install FreeIPA-server with the online documentation on a
>> fresh fedora 19... I've got this error message :
>> Any idea is welcome :)
>> Thank you
>> ...
>> Continue to configure the system with these values? [no]: yes
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>> [1/38]: creating directory server user
>> [2/38]: creating directory server instance
>> [3/38]: adding default schema
>> [4/38]: enabling memberof plugin
>> [5/38]: enabling winsync plugin
>> [6/38]: configuring replication version plugin
>> [7/38]: enabling IPA enrollment plugin
>> [8/38]: enabling ldapi
>> [9/38]: configuring uniqueness plugin
>> [10/38]: configuring uuid plugin
>> [11/38]: configuring modrdn plugin
>> [12/38]: configuring DNS plugin
>> [13/38]: enabling entryUSN plugin
>> [14/38]: configuring lockout plugin
>> [15/38]: creating indices
>> [16/38]: enabling referential integrity plugin
>> [17/38]: configuring certmap.conf
>> [18/38]: configure autobind for root
>> [19/38]: configure new location for managed entries
>> [20/38]: configure dirsrv ccache
>> [21/38]: enable SASL mapping fallback
>> [22/38]: restarting directory server
>> [23/38]: adding default layout
>> [24/38]: adding delegation layout
>> [25/38]: creating container for managed entries
>> [26/38]: configuring user private groups
>> [27/38]: configuring netgroups from hostgroups
>> [28/38]: creating default Sudo bind user
>> [29/38]: creating default Auto Member layout
>> [30/38]: adding range check plugin
>> [31/38]: creating default HBAC rule allow_all
>> [32/38]: initializing group membership
>> [33/38]: adding master entry
>> [34/38]: configuring Posix uid/gid generation
>> [35/38]: adding replication acis
>> [36/38]: enabling compatibility plugin
>> [37/38]: tuning directory server
>> [38/38]: configuring directory to start on boot Done configuring
>> directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>> seconds
>> [1/20]: creating certificate server user
>> [2/20]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFi7bLc' returned non-zero exit status 1
>> Configuration of CA failed
>>
>
> Hello Stephane,
>
> Thanks for contacting the list! We need to get at first more information
> about the failure, i.e.:
>
> 1) $ rpm -qa freeipa-server pki-ca "java-*-openjdk-*"
> 2) Related errors from /var/log/ipaserver-install.log
> 3) Related errors from /var/log/pki/pki-tomcat/catalina.out (if any)
> 4) # ausearch -m AVC
>
> Martin
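
Added example, not part of the original thread or of FreeIPA: a small Python summarizer for `ausearch -m AVC` output like the records quoted above, which collapses repeated denials into one line per source domain, target type, class and object name so the set of denials can be reviewed before SELinux is switched to permissive. The function names `unwrap` and `summarize` are hypothetical, and the sample is abridged from the records in this thread.

```python
import re

# Constructed sample: three AVC records abridged from the ausearch output
# quoted in this thread, kept ">"-quoted and hard-wrapped as the mail shows them.
SAMPLE = """\
> ----
> type=AVC msg=audit(1375776456.741:125): avc: denied { read } for pid=1995
> comm="java" name="hsperfdata_root" dev="vda1" ino=39527
> scontext=system_u:system_r:pki_tomcat_t:s0
> tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> type=AVC msg=audit(1375776456.741:126): avc: denied { write } for pid=1995
> comm="java" name="hsperfdata_root" dev="vda1" ino=39527
> scontext=system_u:system_r:pki_tomcat_t:s0
> tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> type=AVC msg=audit(1375777155.023:174): avc: denied { read } for pid=2734
> comm="java" name="hsperfdata_root" dev="vda1" ino=39527
> scontext=system_u:system_r:pki_tomcat_t:s0
> tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Strip '>' quoting and rejoin hard-wrapped audit records."""
    records = []
    for line in (raw.lstrip("> ").strip() for raw in text.splitlines()):
        if line.startswith(("type=", "time->", "----")) or not records:
            records.append(line)            # start of a new record
        elif line:
            records[-1] += " " + line       # continuation of a wrapped record
    return records

def summarize(text):
    """Group denials by (source type, target type, class, object name)."""
    groups = {}
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        # An SELinux context is user:role:type:level; the type is field 3.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
               f["tclass"], f.get("name", "?"))
        g = groups.setdefault(key, {"perms": set(), "count": 0})
        g["perms"].update(m.group("perms").split())
        g["count"] += 1
    return groups

if __name__ == "__main__":
    for (src, tgt, cls, name), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} name={name}", sorted(g["perms"]), g["count"])
```

On the sample this yields a single group: `pki_tomcat_t` denied `read` and `write` on a directory named `hsperfdata_root` labelled `rpm_script_tmp_t`, seen three times.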
