On Wed, 2014-05-28 at 10:37 +0100, Scott Ryan wrote:
> I am trying to get freeIPA up and running on a minimal CentOS6.5 installation.
> I have forward and reverse DNS setup on an external DNS server - no
> SELinux & no iptables (for troubleshooting)
>
> but keep running into the following problem during installation :
>
> [3/21]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
> -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
> -domain_name IPA -admin_user admin -admin_email root@localhost
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
> -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
> -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
> -external false -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
> The installation log shows this :
>
> 2014-05-28T09:19:47Z DEBUG importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ...skipping...
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
>     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>     at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:215)
>     at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
>     at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
>     at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
>     at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
>     at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
>     at java.security.Security.insertProviderAt(Security.java:362)
>     at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:942)
>     at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:869)
>     at ComCrypto.loginDB(ComCrypto.java:420)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1145)
>     at ConfigureCA.main(ConfigureCA.java:1672)
> Caused by: java.util.zip.ZipException: error in opening zip file
>     at java.util.zip.ZipFile.open(Native Method)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:215)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:145)
>     at java.util.jar.JarFile.<init>(JarFile.java:153)
>     at java.util.jar.JarFile.<init>(JarFile.java:90)
>     at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:728)
>     at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:591)
>     at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:673)
>     at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:666)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:665)
>     at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:836)
>     ... 23 more
>
That's a very interesting error. Looks like something is going on at the nss/jss level on the client side when trying to initialize the client side nss database.

Can you tell me what versions you have for nss, jss, pki-common, pkisilent, pki-ca?

rpm -q nss jss pki-common pki-silent pki-ca

Thanks.

> 2014-05-28T09:20:15Z CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
> -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
> -domain_name IPA -admin_user admin -admin_email root@localhost
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
> -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
> -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
> -external false -clone false' returned non-zero exit status 255
> 2014-05-28T09:20:15Z INFO File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
> return_value = main_function()
>
> Any ideas would be helpful.
>
> Thanks

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users