On 04/28/2014 11:52 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> On 04/28/2014 11:17 AM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> So is there a recommended way to clean it up and get it working?
>>>
>>> Re-run pkidestroy, then if the subsequent IPA install fails closely
>>> examine the logs to determine the reason.
>>>
>>> The problem in cases like this is that the first install fails and
>>> subsequent installs mask the original failure with this PKI
>>> re-install failure.
>>>
>>> rob
>>
>> Okay, here's the log from when it starts configuring PKI:
>>
>> 2014-04-28T15:23:45Z DEBUG [2/22]: configuring certificate server instance
>> 2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file (/tmp/tmpdCm6rt):
>> [CA]
>> pki_security_domain_name = IPA
>> pki_enable_proxy = True
>> pki_restart_configured_instance = False
>> pki_backup_keys = True
>> pki-backup_password = XXXXXXXX
>> pki_client_database_dir = /tmp/tmp-rVoTR2
>> pki_client_database_password = XXXXXXXX
>> pki_client_database_purge = False
>> pki_client_pkcs12_password = XXXXXXXX
>> pki_admin_name = admin
>> pki_admin_uid = admin
>> pki_admin_email = root@localhost
>> pki_admin_password = XXXXXXXX
>> pki_admin_nickname = ipa-ca-agent
>> pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>> pki_ds_ldap_port = 389
>> pki_ds_password = XXXXXXXX
>> pki_ds_base_dn = o=ipaca
>> pki_ds_database = ipaca
>> pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
>> pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
>> pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
>> pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>>
>> 2014-04-28T15:23:45Z DEBUG Starting external process
>> 2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
>> 2014-04-28T15:23:45Z DEBUG Process finished, return code=1
>> 2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from /tmp/tmpdCm6rt.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
>> Installation failed.
>>
>> 2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR ....... server failed to restart
>>
>> 2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
>> 2014-04-28T15:24:46Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
>>     return_value = main_function()
>>
>>   File "/usr/sbin/ipa-server-install", line 1074, in main
>>     dm_password, subject_base=options.subject)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
>>     self.start_creation(runtime=210)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py", line 364, in start_creation
>>     method()
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
>>     raise RUntimeError('Configuration of CA failed')
>>
>> 2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>>
>> And that's the end of the log. Nothing here looks terribly informative
>> to me, and this is what the log looks like every time I look at it.
>
> The error is different whether there is an existing PKI instance or not.
>
> The next set of logs to look at are in /var/log/pki. It says there is a
> startup failure so I'd start with */var/log/pki/pki-tomcat/catalina.out*.
> Also interesting may be the pki-ca-spawn and debug logs found within
> that directory structure.
>
> I'd also look for SELinux errors with ausearch -m AVC -ts recent

This did the trick. Something was hanging out on port 8443, though neither lsof nor netstat would show me what it was. I rebooted the server and then it proceeded past this without a hiccup.

Thanks, Rob and everyone else for helping me navigate the logs!

Bret
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
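Rob's point in the thread is that repeated install attempts mask the original failure, so it helps to list every external command that exited non-zero in the installer log, in order, with its stderr. The following is an added example, not code from FreeIPA or from the thread; it assumes the `<timestamp> <LEVEL> <message>` entry layout of the log quoted above, and the sample log and `/usr/bin/example-step` are constructed.

```python
import re

# Entry header as quoted in the thread: "<timestamp>Z <LEVEL> <message>".
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ([A-Z]+) (.*)$")

def parse_entries(text):
    """Group raw lines into (timestamp, level, message) entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries:
            entries[-1][2] += "\n" + line  # headerless line continues previous entry
    return [tuple(e) for e in entries]

def failed_commands(text):
    """Return one record per external process that exited non-zero, in log order."""
    failures, args, current = [], None, None
    for ts, _level, msg in parse_entries(text):
        if msg.startswith("args="):
            args, current = msg[5:], None
        elif msg.startswith("Process finished, return code="):
            rc = int(msg.rsplit("=", 1)[1])
            current = {"time": ts, "args": args, "rc": rc, "stdout": "", "stderr": ""} if rc else None
            if current:
                failures.append(current)
        elif current is not None and msg.startswith(("stdout=", "stderr=")):
            key, _, value = msg.partition("=")
            current[key] = value.strip()  # attach output to the failed command
    return failures

# Constructed sample: pkispawn lines follow the quoted log; example-step is hypothetical.
SAMPLE_LOG = """\
2014-04-28T15:23:40Z DEBUG Starting external process
2014-04-28T15:23:40Z DEBUG args=/usr/bin/example-step
2014-04-28T15:23:40Z DEBUG Process finished, return code=0
2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from /tmp/tmpdCm6rt.
Installation failed.
2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR ....... server failed to restart
2014-04-28T15:24:46Z CRITICAL failed to configure ca instance
"""

if __name__ == "__main__":
    for f in failed_commands(SAMPLE_LOG):
        print(f"{f['time']} rc={f['rc']} {f['args']}\n  stderr: {f['stderr']}")
```

The first record returned is the earliest failure in the file, which is the one to chase into the /var/log/pki logs Rob names.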